[Samba] unification of logon
Paulo Gonçalves
pgoncalves at ci.uminho.pt
Mon Feb 11 07:59:57 GMT 2002
hi,
i´m unificating the logon betwen w2k and linux.
i want to create user in Active directory in win2k domain and enter in a
linux machina without having to open a local acount.
i have foloewd the intructions ( obove ), and i have achived god results ,
with "wbinf -u " i see all the user locals plus users in w2k domain, "wbinfo
-g " for groups ... etc
when i do "getent passwd" i get a list that looks like /etc/passwd but when
i try to log in the system i only get in the linux machine with a local
acount.
i don´t know wath to do more ...
___________________________________Instructions ____________________
The configuration and compilation of SAMBA is pretty straightforward. The
first three steps may not be necessary depending upon whether or not you
have previously built the Samba binaries.
root# autoconf
root# make clean
root# rm config.cache
root# ./configure --with-winbind
root# make
root# make install
This will, by default, install SAMBA in /usr/local/samba. See the main SAMBA
documentation if you want to install SAMBA somewhere else. It will also
build the winbindd executable and libraries.
----------------------------------------------------------------------------
----
Configure nsswitch.conf and the winbind libraries
The libraries needed to run the winbindd daemon through nsswitch need to be
copied to their proper locations, so
root# cp ../samba/source/nsswitch/libnss_winbind.so /lib
I also found it necessary to make the following symbolic link:
root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
Now, as root you need to edit /etc/nsswitch.conf to allow user and group
entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file
look like this after editing:
passwd: files winbind
shadow: files
group: files winbind
The libraries needed by the winbind daemon will be automatically entered
into the ldconfig cache the next time your system reboots, but it is faster
(and you don't need to reboot) if you do it manually:
root# /sbin/ldconfig -v | grep winbind
This makes libnss_winbind available to winbindd and echos back a check to
you.
----------------------------------------------------------------------------
----
Configure smb.conf
Several parameters are needed in the smb.conf file to control the behavior
of winbindd. Configure smb.conf These are described in more detail in the
winbindd(8) man page. My smb.conf file was modified to include the following
entries in the [global] section:
[global]
<...>
# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
winbind uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
winbind gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet
access)
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
----------------------------------------------------------------------------
----
Join the SAMBA server to the PDC domain
Enter the following command to make the SAMBA server join the PDC domain,
where DOMAIN is the name of your Windows domain and Administrator is a
domain user who has administrative privileges in the domain.
root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator
The proper response to the command should be: "Joined the domain DOMAIN"
where DOMAIN is your DOMAIN name.
----------------------------------------------------------------------------
----
Start up the winbindd daemon and test it!
Eventually, you will want to modify your smb startup script to automatically
invoke the winbindd daemon when the other parts of SAMBA start, but it is
possible to test out just the winbind portion first. To start up winbind
services, enter the following command as root:
root# /usr/local/samba/bin/winbindd
I'm always paranoid and like to make sure the daemon is really running...
root# ps -ae | grep winbindd
This command should produce output like this, if the daemon is running
3025 ? 00:00:00 winbindd
Now... for the real test, try to get some information about the users on
your PDC
root# /usr/local/samba/bin/wbinfo -u
This should echo back a list of users on your Windows users on your PDC. For
example, I get the following response:
CEO+Administrator
CEO+burdell
CEO+Guest
CEO+jt-ad
CEO+krbtgt
CEO+TsInternetUser
Obviously, I have named my domain 'CEO' and my winbind separator is '+'.
You can do the same sort of thing to get group information from the PDC:
root# /usr/local/samba/bin/wbinfo -g
CEO+Domain Admins
CEO+Domain Users
CEO+Domain Guests
CEO+Domain Computers
CEO+Domain Controllers
CEO+Cert Publishers
CEO+Schema Admins
CEO+Enterprise Admins
CEO+Group Policy Creator Owners
The function 'getent' can now be used to get unified lists of both local and
PDC users and groups. Try the following command:
root# getent passwd
You should get a list that looks like your /etc/passwd list followed by the
domain users with their new uids, gids, home directories and default shells.
The same thing can be done for groups with the command
root# getent group
----------------------------------------------------------------------------
----
Fix the /etc/rc.d/init.d/smb startup files
The winbindd daemon needs to start up after the smbd and nmbd daemons are
running. To accomplish this task, you need to modify the /etc/init.d/smb
script to add commands to invoke this daemon in the proper sequence. My
/etc/init.d/smb file starts up smbd, nmbd, and winbindd from the
/usr/local/samba/bin directory directly. The 'start' function in the script
looks like this:
start() {
KIND="SMB"
echo -n $"Starting $KIND services: "
daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
RETVAL=$?
echo
KIND="NMB"
echo -n $"Starting $KIND services: "
daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
RETVAL2=$?
echo
KIND="Winbind"
echo -n $"Starting $KIND services: "
daemon /usr/local/samba/bin/winbindd
RETVAL3=$?
echo
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch
/var/lock/subsys/smb || \
RETVAL=1
return $RETVAL
}
The 'stop' function has a corresponding entry to shut down the services and
look s like this:
stop() {
KIND="SMB"
echo -n $"Shutting down $KIND services: "
killproc smbd
RETVAL=$?
echo
KIND="NMB"
echo -n $"Shutting down $KIND services: "
killproc nmbd
RETVAL2=$?
echo
KIND="Winbind"
echo -n $"Shutting down $KIND services: "
killproc winbindd
RETVAL3=$?
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f
/var/lock/subsys/smb
echo ""
return $RETVAL
}
If you restart the smbd, nmbd, and winbindd daemons at this point, you
should be able to connect to the samba server as a domain member just as if
you were a local user.
----------------------------------------------------------------------------
----
Configure Winbind and PAM
If you have made it this far, you know that winbindd and samba are working
together. If you want to use winbind to provide authentication for other
services, keep reading. The pam configuration files need to be altered in
this step. (Did you remember to make backups of your original /etc/pam.d
files? If not, do it now.)
You will need a pam module to use winbindd with these other services. This
module will be compiled in the ../source/nsswitch directory by invoking the
command
root# make nsswitch/pam_winbind.so
from the ../source directory. The pam_winbind.so file should be copied to
the location of your other pam security modules. On my RedHat system, this
was the /lib/security directory.
root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security
The /etc/pam.d/samba file does not need to be changed. I just left this
fileas it was:
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
The other services that I modified to allow the use of winbind as an
authentication service were the normal login on the console (or a terminal
session), telnet logins, and ftp service. In order to enable these services,
you may first need to change the entries in /etc/xinetd.d (or
/etc/inetd.conf). RedHat 7.1 uses the new xinetd.d structure, in this case
you need to change the lines in /etc/xinetd.d/telnet and
/etc/xinetd.d/wu-ftp from
enable = no
to
enable = yes
For ftp services to work properly, you will also need to either have
individual directories for the domain users already present on the server,
or change the home directory template to a general directory for all domain
users. These can be easily set using the smb.conf global entry template
homedir.
The /etc/pam.d/ftp file can be changed to allow winbind ftp access in a
manner similar to the samba file. My /etc/pam.d/ftp file was changed to look
like this:
auth required /lib/security/pam_listfile.so item=user sense=deny
file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
The /etc/pam.d/login file can be changed nearly the same way. It now looks
like this:
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
In this case, I added the auth sufficient /lib/security/pam_winbind.so lines
as before, but also added the required pam_securetty.so above it, to
disallow root logins over the network. I also added a sufficient
/lib/security/pam_unix.so use_first_pass line after the winbind.so line to
get rid of annoying double prompts for passwords.
More information about the samba
mailing list