Re Samba, joining NT Domain, & NT Auth recipe
bgmilne at cae.co.za
Thu Nov 15 00:56:37 GMT 2001
You will notice that I have already put documentation for this on Mandrakeuser.org (http://mandrakeuser.org/connect/csamba5.html), and there are accompanying RPMs of samba-2.2.2 with nss_wins and samba-winbind packages, which should get you working with virtually no effort. After installing the RPMs on Mandrake 8.1 or Mandrake 8.0, you will need to do:
1) Edit /etc/samba/smb.conf and enable the first two winbind entries (see /etc/samba/smb.conf.rpmnew if you previously had samba installed)
2) # chkconfig winbind on
3) # smbpasswd -j <domain> -U<admin_user>
4) Copy the /etc/pam.d/system-auth-winbind to /etc/pam.d/system-auth (keep a backup please) or replace system-auth with system-auth-winbind in all the pam.d files you want to allow access to via winbind
5) # service winbind start
I haven't got around to announcing this on samba-ntdom or samba-binaries yet because we are waiting to see whether there will be official updates from samba-2.2.1a to samba-2.2.2 for Mandrake 8.1 (although they will not include winbind).
There are also updated docs on http://mandrakeuser.org/connect/csamba6.html for running a domain controller on Mandrake, with screenshots of joining a samba domain from WinXP (my updated copy, which hasn't been put onto Mandrakeuser.org, also has animated screenshots of Win2k and WinNT joining a samba domain; see http://ranger.dnsalias.com/mandrake/muo/connect/csamba6.html).
There is also a post on Mandrakeforum, http://mandrakeforum.com/article.php?sid=1376&lang=en, covering all the changes between 2.0.x as shipped with Mandrake 8.0 and the current samba-2.2.2 packages.
Since I don't have a Windows domain controller, I can't make screenshots of adding an account for a Windows box in AD or Server Manager for Domains. If you have time, I will add them to the MUO docs.
Also, if you look in the packaging/Mandrake directory, you will see a start-up script for winbind, the system-auth-winbind file and all other associated packaging files, which would have made this easier.
(as someone on Mandrakeforum noted, the best samba packages known to man ;-)
File that was attached to your original post
Since I have had a good deal of trouble getting NT Domain
Authentication to work reliably, I figured lots of other
folks might benefit from my struggles. So, I've documented
a method that works consistently. Please feel free to
let me know if you have problems with what I've written here.
Many thanks to Stephan Scheufen, whose assistance was
invaluable and who also has posted many useful tidbits here.
Setting the Stage
Samba 2.2.2 on Linux with a 2.4.2 or later kernel (I've
tested RedHat 7.1/7.2 and Mandrake 7.2/8.1 as well as
kernels up through 2.4.10).
The Linux Samba server is NOT a PDC, but only an NT
Domain client that serves up file and print resources
and wants to authenticate NT Domain/Active Directory
users and groups.
My PDC is W2K. I haven't tested an NT PDC.
Steps to Get Linux Authenticating Domain Users
1. Kill all running samba daemons on the Linux Samba system.
This includes all instances
of smbd, nmbd, and (if you're already running it) winbind. If
you've got run control scripts (RedHat, Mandrake, and the like),
then you can execute:
# /etc/init.d/smb stop
Also, and this is VERY important, remove the two files:
# rm -f secrets.tdb
# rm -f MACHINE.SID
These files will be located in /etc or in the Samba config directory.
If you don't know where that is, use find or slocate. Also, these
two files MUST be removed before you rejoin a domain or a join a new
domain. Note that MACHINE.SID may not exist (don't think it will
if you've never attempted to join a domain), but if you've run
smbd before, secrets.tdb will. In any event, if they exist, you
must remove them both.
2. On the W2K primary domain controller, add the Linux computer
as a pre-Windows 2000 computer. You can accomplish this in the
A window will pop up from which you select "Administrative Tools."
Another window pops up from which you select "Active Directory
Users and Computers."
Yet another window pops up. Select computers and then click on
The "New Object - Computer" window pops up. Type in the hostname
of the Linux Samba system. Click on the "Change" button and select
the "Pre-Windows 2000 Compatible Access" group. Check the box next
to "Allow pre-Windows 2000 computers to access this account." Click
3. On the Linux Samba system, build Samba:
# cd /somedir
# tar zxvf samba-2.2.2.tar.gz
# cd samba-2.2.2/source
# ./configure --with-pam --with-winbind --with-acl-support
# make && make install
# cd nsswitch
# cp pam_winbind.so /lib/security
# cp libnss_winbind.so /lib
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.1
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
NB: The options to ./configure are for PAM, winbind (nt auth), and ACL support.
You may want other -- options to configure, see ./configure --help.
In particular, you will want to set the --prefix and other dir
IMPORTANT: Be sure to read through all of the documents in
samba-2.2.2/docs. Especially read through
samba-2.2.2/docs/htmldocs/winbind.html. There's some useful
stuff in that latter document although I have never been able
to successfully get "smbpasswd -j DOMAIN -r PDC -U Admin%pw"
working. If I could, I would completely avoid step #2 above.
4. Set up /etc/nsswitch.conf with the winbind stuff. Use something
passwd: files winbind nis
shadow: files winbind nis
group: files winbind nis
5. Set up PAM. There are lots of good examples in the other docs
about this (see the NB in step #3). I take advantage of the
pam_stack.so module and simply modify /etc/pam.d/system-auth as
shown below. I also am permitting NT Auth users full access to
the system, so it makes sense to configure my PAM this way.
You need to determine what your needs are, for example if you
want to allow NT Domain users access only to file shares, then
you would likely only modify /etc/pam.d/samba. Here's my
auth sufficient /lib/security/pam_winbind.so debug
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok md5 shadow
auth required /lib/security/pam_deny.so
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Note that I've got "debug" after pam_winbind.so for the auth stack.
This gives me some extra output in /var/log/auth.log. You may want
to remove that argument and reduce the log entries. Note also that
pam_winbind.so completely replaces pam_unix.so for the account
stack and still functions properly for NIS and local unix users.
6. This step may not be necessary depending upon your environment,
but it won't hurt and it makes name resolution simple.
In /etc/lmhosts (or wherever you configured Samba to put it
based on ./configure above), put
<IP address> <NT/W2K domainname>
Note that you use the domainname, not a hostname! The IP address
should match that of the PDC.
In /etc/hosts, put
<IP address> <Primary Domain Controller hostname>
172.16.0.1 my-pdc my-pdc.dns.domain.com
Arguably, this entry could also be put in lmhosts, but I
like having it available in /etc/hosts for resolution by
other processes. It is also resolvable, in my environment,
via DNS, but this is faster [;-)]
7. Now configure smb.conf. You will likely have a bunch of
other stuff in it, but this represents a minimal set for
NT Auth support.
netbios name = <Linux Samba hostname here>
workgroup = <NT/W2K DOMAIN name goes here>
security = domain
password server = <hostname of the PDC goes here>
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
unix password sync = Yes
username map = /etc/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*\n
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
Be sure to replace the things inside <> appropriately. Also, be sure
to read the docs about these and other entries before you go into
8. You should now be able to join the domain.
# smbpasswd -j <DOMAIN>
where <DOMAIN> is the name of your NT/W2K domain.
On success, you will see the message "Joined domain <DOMAIN>."
On failure, you will see the message "Unable to join domain <DOMAIN>."
On failure, you will likely need to repeat all of the above
steps except for #3.
9. Start all of the samba daemons. This includes smbd, nmbd, and
winbindd. Make sure that your startup script includes the winbindd
invocation, if you are using one:
# /etc/init.d/smb start
10. Now check the exchanged secret:
# wbinfo -t
Secret is good
If you get "Secret is good", you are ready to go!
If you get "Error checking machine account", then winbindd is
If you get "Secret is bad", then you have a configuration error
and you need to kill the Samba daemons, remove secrets.tdb and
MACHINE.SID. Go to the W2K PDC, remove the entry from the Active
Directory, reboot the PDC (or wait for the entry to flush out
of the cache) and readd the machine entry to the
Active Directory (see step #2). Then rejoin the domain (step #8),
restart the daemons (step #9), and recheck the secret (step #10).
11. Try authenticating some NT users.
# telnet linuxsamba
Password: <ntuser's pw>
This should let you log in with a home directory of /home/DOMAIN/ntuser.
12. If you are having problems, try running winbindd -d 5. This sets
the debugging level to 5 and writes stuff out to /var/log/samba/log.winbindd.
If 5 is too much, try 3.
I hope this is useful to someone...again, any and all feedback is
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 808 2497 ext 202
Stellenbosch Automotive Engineering http://www.cae.co.za
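The following is an added example, not part of the original message or of the Samba project's own tools: a POSIX sh script that checks an smb.conf for the settings step 7 of the recipe requires (security = domain, encrypt passwords, workgroup, password server, winbind uid/gid ranges) before "smbpasswd -j" is attempted. The sample configs it writes to a temp directory are constructed for the example, and the 1000 lower bound on the id ranges is an assumption about where local accounts end on the box.

```shell
# Added example, not from the original post: sanity-check smb.conf for NT domain auth.
# smb_get FILE KEY -> value of KEY (KEY lowercase, single-spaced); comments and [sections] skipped
smb_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[;#]/ || NF < 2 { next }
        { k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
          if (k == key) { v = substr($0, index($0, "=") + 1)   # value is all after first "="
                          gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}
# check_smb_conf FILE -> prints one line per problem; exit status 0 only when clean
check_smb_conf() {
    f=$1; bad=0
    [ "$(smb_get "$f" security | tr 'A-Z' 'a-z')" = domain ] || { echo "security must be 'domain'"; bad=1; }
    case "$(smb_get "$f" 'encrypt passwords' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;; *) echo "encrypt passwords must be yes"; bad=1 ;;
    esac
    for k in workgroup 'password server'; do
        [ -n "$(smb_get "$f" "$k")" ] || { echo "$k is unset"; bad=1; }
    done
    for k in 'winbind uid' 'winbind gid'; do          # ranges domain SIDs get mapped into
        r=$(smb_get "$f" "$k")
        if expr "$r" : '[0-9][0-9]*-[0-9][0-9]*$' >/dev/null; then
            lo=${r%-*}; hi=${r#*-}
            [ "$lo" -lt "$hi" ] || { echo "$k range '$r' is empty"; bad=1; }
            # Assumption: local accounts sit below 1000; an overlap would map a domain SID onto a local id.
            [ "$lo" -ge 1000 ] || { echo "$k range '$r' overlaps local ids"; bad=1; }
        else echo "$k must be LOW-HIGH (got '$r')"; bad=1; fi
    done
    return $bad
}
# Constructed sample configs: one following the recipe, one with typical mistakes.
SAMPLE_DIR=$(mktemp -d); GOOD=$SAMPLE_DIR/good.conf; BAD=$SAMPLE_DIR/bad.conf
cat >"$GOOD" <<'EOF'
[global]
   workgroup = EXAMPLEDOM
   security = domain
   password server = my-pdc
   encrypt passwords = yes
   winbind uid = 10000-20000
   winbind gid = 10000-20000
EOF
cat >"$BAD" <<'EOF'
[global]
   security = user
   encrypt passwords = no
   winbind uid = 500-20000
EOF
echo "good.conf:"; check_smb_conf "$GOOD" && echo "  ok"; echo "bad.conf:"; check_smb_conf "$BAD" || echo "  fix the above first"
```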