[Samba] unification of logon

Paulo Gonçalves pgoncalves at ci.uminho.pt
Mon Feb 11 07:59:57 GMT 2002

I'm unifying the logon between W2K and Linux.
I want to create users in Active Directory in a Win2K domain and log in to a
Linux machine without having to open a local account.

I have followed the instructions (above), and I have achieved good results:
with "wbinfo -u" I see all the local users plus the users in the W2K domain, "wbinfo
-g" for groups ... etc.

When I do "getent passwd" I get a list that looks like /etc/passwd, but when
I try to log in to the system I only get into the Linux machine with a local

I don't know what more to do ...

___________________________________Instructions ____________________
The configuration and compilation of SAMBA is pretty straightforward. The
first three steps may not be necessary depending upon whether or not you
have previously built the Samba binaries.

root# autoconf
root# make clean
root# rm config.cache
root# ./configure --with-winbind
root# make
root# make install

This will, by default, install SAMBA in /usr/local/samba. See the main SAMBA
documentation if you want to install SAMBA somewhere else. It will also
build the winbindd executable and libraries. 


Configure nsswitch.conf and the winbind libraries
The libraries needed to run the winbindd daemon through nsswitch need to be
copied to their proper locations, so

root# cp ../samba/source/nsswitch/libnss_winbind.so /lib

I also found it necessary to make the following symbolic link:

root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

Now, as root you need to edit /etc/nsswitch.conf to allow user and group
entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file
look like this after editing:

	passwd:     files winbind
	shadow:     files 
	group:      files winbind

The libraries needed by the winbind daemon will be automatically entered
into the ldconfig cache the next time your system reboots, but it is faster
(and you don't need to reboot) if you do it manually:

root# /sbin/ldconfig -v | grep winbind

This makes libnss_winbind available to winbindd and echoes back a check to


Configure smb.conf
Several parameters are needed in the smb.conf file to control the behavior
of winbindd. These are described in more detail in the
winbindd(8) man page. My smb.conf file was modified to include the following
entries in the [global] section:

     # separate domain and username with '+', like DOMAIN+username
     winbind separator = +
     # use uids from 10000 to 20000 for domain users
     winbind uid = 10000-20000
     # use gids from 10000 to 20000 for domain groups
     winbind gid = 10000-20000
     # allow enumeration of winbind users and groups
     winbind enum users = yes
     winbind enum groups = yes
     # give winbind users a real shell (only needed if they have telnet
     template homedir = /home/winnt/%D/%U
     template shell = /bin/bash


Join the SAMBA server to the PDC domain
Enter the following command to make the SAMBA server join the PDC domain,
where DOMAIN is the name of your Windows domain and Administrator is a
domain user who has administrative privileges in the domain.

root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator

The proper response to the command should be: "Joined the domain DOMAIN"
where DOMAIN is your DOMAIN name.


Start up the winbindd daemon and test it!
Eventually, you will want to modify your smb startup script to automatically
invoke the winbindd daemon when the other parts of SAMBA start, but it is
possible to test out just the winbind portion first. To start up winbind
services, enter the following command as root:

root# /usr/local/samba/bin/winbindd

I'm always paranoid and like to make sure the daemon is really running...

root# ps -ae | grep winbindd

This command should produce output like this, if the daemon is running

3025 ? 00:00:00 winbindd

Now... for the real test, try to get some information about the users on
your PDC

root# /usr/local/samba/bin/wbinfo -u

This should echo back a list of the Windows users on your PDC. For
example, I get the following response:


Obviously, I have named my domain 'CEO' and my winbind separator is '+'.

You can do the same sort of thing to get group information from the PDC:

root# /usr/local/samba/bin/wbinfo -g
CEO+Domain Admins
CEO+Domain Users
CEO+Domain Guests
CEO+Domain Computers
CEO+Domain Controllers
CEO+Cert Publishers
CEO+Schema Admins
CEO+Enterprise Admins
CEO+Group Policy Creator Owners

The function 'getent' can now be used to get unified lists of both local and
PDC users and groups. Try the following command:

root# getent passwd

You should get a list that looks like your /etc/passwd list followed by the
domain users with their new uids, gids, home directories and default shells.

The same thing can be done for groups with the command

root# getent group


Fix the /etc/rc.d/init.d/smb startup files
The winbindd daemon needs to start up after the smbd and nmbd daemons are
running. To accomplish this task, you need to modify the /etc/init.d/smb
script to add commands to invoke this daemon in the proper sequence. My
/etc/init.d/smb file starts up smbd, nmbd, and winbindd from the
/usr/local/samba/bin directory directly. The 'start' function in the script
looks like this:

start() {
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
        RETVAL=$?                      # capture each daemon's status
        echo
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
        RETVAL2=$?
        echo
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/winbindd
        RETVAL3=$?
        echo
        # only claim success (lock file) if all three daemons started
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
            RETVAL=1
        return $RETVAL
}

The 'stop' function has a corresponding entry to shut down the services and
looks like this:

stop() {
        echo -n $"Shutting down $KIND services: "
        killproc smbd
        RETVAL=$?                      # capture each daemon's status
        echo
        echo -n $"Shutting down $KIND services: "
        killproc nmbd
        RETVAL2=$?
        echo
        echo -n $"Shutting down $KIND services: "
        killproc winbindd
        RETVAL3=$?
        # remove the same lock file that start() touches
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
        echo ""
        return $RETVAL
}

If you restart the smbd, nmbd, and winbindd daemons at this point, you
should be able to connect to the samba server as a domain member just as if
you were a local user.


Configure Winbind and PAM
If you have made it this far, you know that winbindd and samba are working
together. If you want to use winbind to provide authentication for other
services, keep reading. The pam configuration files need to be altered in
this step. (Did you remember to make backups of your original /etc/pam.d
files? If not, do it now.)

You will need a pam module to use winbindd with these other services. This
module will be compiled in the ../source/nsswitch directory by invoking the

root# make nsswitch/pam_winbind.so

from the ../source directory. The pam_winbind.so file should be copied to
the location of your other pam security modules. On my RedHat system, this
was the /lib/security directory.

root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security

The /etc/pam.d/samba file does not need to be changed. I just left this
file as it was:

auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth

The other services that I modified to allow the use of winbind as an
authentication service were the normal login on the console (or a terminal
session), telnet logins, and ftp service. In order to enable these services,
you may first need to change the entries in /etc/xinetd.d (or
/etc/inetd.conf). RedHat 7.1 uses the new xinetd.d structure, in this case
you need to change the lines in /etc/xinetd.d/telnet and
/etc/xinetd.d/wu-ftp from 

enable = no

to

enable = yes

For ftp services to work properly, you will also need to either have
individual directories for the domain users already present on the server,
or change the home directory template to a general directory for all domain
users. These can be easily set using the smb.conf global entry template

The /etc/pam.d/ftp file can be changed to allow winbind ftp access in a
manner similar to the samba file. My /etc/pam.d/ftp file was changed to look
like this:

auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_shells.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth

The /etc/pam.d/login file can be changed nearly the same way. It now looks
like this:

auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

In this case, I added the auth sufficient /lib/security/pam_winbind.so lines
as before, but also added the required pam_securetty.so above it, to
disallow root logins over the network. I also added a sufficient
/lib/security/pam_unix.so use_first_pass line after the winbind.so line to
get rid of annoying double prompts for passwords.
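As an added example (not part of the original post or the Samba HOWTO it quotes), a small POSIX sh check for exactly the gap described above: getent already lists the domain users because nsswitch.conf is wired to winbind, but a login service only authenticates them once its /etc/pam.d file carries pam_winbind.so for both auth and account. The file paths, sample contents and function names are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic, not from the post or the Samba docs: when "getent passwd"
# shows DOMAIN+users but a domain user cannot log in, NSS is wired to winbind
# while the PAM stack of the login service is not. Paths are parameters, so the
# checks below run against constructed sample files rather than the live /etc.

# Return 0 if the nsswitch database ($2: passwd or group) in file $1 lists winbind.
nss_has_winbind() {
    grep -E "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1" >/dev/null
}

# Return 0 if the PAM service file $1 has a pam_winbind.so entry of type $2
# (auth or account); a domain login needs both, as in the /etc/pam.d/login above.
pam_has_winbind() {
    grep -E "^[[:space:]]*$2[[:space:]]+(sufficient|required)[[:space:]]+[^[:space:]]*pam_winbind\.so" "$1" >/dev/null
}

# Print one line per gap in nsswitch.conf ($1) and the PAM service file ($2);
# return 0 when the service can authenticate domain users, 1 otherwise.
check_service() {
    ok=0
    for db in passwd group; do
        nss_has_winbind "$1" "$db" || { echo "$1: '$db:' line lacks winbind"; ok=1; }
    done
    for type in auth account; do
        pam_has_winbind "$2" "$type" || { echo "$2: no '$type ... pam_winbind.so' line"; ok=1; }
    done
    return $ok
}

# Constructed samples: nsswitch as in the HOWTO, PAM login before and after pam_winbind.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
NSS_OK="$TMP/nsswitch.conf"; PAM_LOGIN_BAD="$TMP/login.before"; PAM_LOGIN_OK="$TMP/login.after"
printf 'passwd:     files winbind\nshadow:     files\ngroup:      files winbind\n' >"$NSS_OK"
cat >"$PAM_LOGIN_BAD" <<'EOF'
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
EOF
cat >"$PAM_LOGIN_OK" <<'EOF'
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
EOF

check_service "$NSS_OK" "$PAM_LOGIN_BAD" || echo "-> getent works, but login fails until pam_winbind.so is added"
check_service "$NSS_OK" "$PAM_LOGIN_OK" && echo "-> login service ready for DOMAIN+user"
```

Run it against the real /etc/nsswitch.conf and /etc/pam.d/login (or telnet, ftp) to see which line is missing; also log in with the full DOMAIN+user name that wbinfo -u prints, since with the winbind separator set to '+' that is the account name NSS and PAM see.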
