[Samba] unification of logon

m.o.tigchelaar at kpn.com m.o.tigchelaar at kpn.com
Mon Feb 11 08:16:00 GMT 2002


Hi there,

You probably followed the instructions as contained in the file
"winbindd.html" or "Samba Appliance". Those instructions only enable the use
of Winbind for SMB logon validation, NOT for telnet or console logons.

There is some more information somewhere in the docs on how to enable the
use of Winbind for telnet and console logons. It has to do with your PAM
configuration, but I do not remember exactly what it was. Maybe I'll look it
up for you...

Good luck

Kind regards,


Martijn Olivier Tigchelaar
Systems Management
KPN Services Online DATA

E-mail:	m.o.tigchelaar at kpn.com


Junior IT Consultant
Flex Information Technology

e-mail:	m.tigchelaar at flex-it.nl

> -----Original Message-----
> From:	Paulo Gonçalves [SMTP:pgoncalves at ci.uminho.pt]
> Sent:	Monday, February 11, 2002 16.49
> To:	'samba at lists.samba.org'
> Cc:	'mark at mmebs.co.uk'; 'nkelly at tarsus.co.uk'
> Subject:	[Samba] unification of logon
> 
> Hi,
> I'm unifying the logon between W2K and Linux.
> I want to create users in Active Directory in a Win2K domain and log in to a
> Linux machine without having to open a local account.
> 
> I have followed the instructions (above), and I have achieved good results:
> with "wbinfo -u" I see all the local users plus the users in the W2K domain,
> "wbinfo -g" for groups, etc.
> 
> When I do "getent passwd" I get a list that looks like /etc/passwd, but when
> I try to log in to the system I only get into the Linux machine with a local
> account.
> 
> I don't know what more to do...
> 
> 
> 
> 
> 
> ___________________________________Instructions ____________________
> The configuration and compilation of SAMBA is pretty straightforward. The
> first three steps may not be necessary depending upon whether or not you
> have previously built the Samba binaries.
> 
> 
> root# autoconf
> root# make clean
> root# rm config.cache
> root# ./configure --with-winbind
> root# make
> root# make install
> 
> This will, by default, install SAMBA in /usr/local/samba. See the main SAMBA
> documentation if you want to install SAMBA somewhere else. It will also
> build the winbindd executable and libraries. 
> 
> 
> --------------------------------------------------------------------------------
> 
> Configure nsswitch.conf and the winbind libraries
> The libraries needed to run the winbindd daemon through nsswitch need to be
> copied to their proper locations, so
> 
> root# cp ../samba/source/nsswitch/libnss_winbind.so /lib
> 
> I also found it necessary to make the following symbolic link:
> 
> root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> 
> Now, as root you need to edit /etc/nsswitch.conf to allow user and group
> entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file
> looks like this after editing:
> 
> 
> 	passwd:     files winbind
> 	shadow:     files 
> 	group:      files winbind
> 
> The libraries needed by the winbind daemon will be automatically entered
> into the ldconfig cache the next time your system reboots, but it is faster
> (and you don't need to reboot) if you do it manually:
> 
> root# /sbin/ldconfig -v | grep winbind
> 
> This makes libnss_winbind available to winbindd and echos back a check to
> you.
> 
> 
> --------------------------------------------------------------------------------
> 
> Configure smb.conf
> Several parameters are needed in the smb.conf file to control the behavior
> of winbindd. These are described in more detail in the winbindd(8) man page.
> My smb.conf file was modified to include the following entries in the
> [global] section:
> 
> 
> [global]
>      <...>
>      # separate domain and username with '+', like DOMAIN+username
>      winbind separator = +
>      # use uids from 10000 to 20000 for domain users
>      winbind uid = 10000-20000
>      # use gids from 10000 to 20000 for domain groups
>      winbind gid = 10000-20000
>      # allow enumeration of winbind users and groups
>      winbind enum users = yes
>      winbind enum groups = yes
>      # give winbind users a real shell (only needed if they have telnet access)
>      template homedir = /home/winnt/%D/%U
>      template shell = /bin/bash
> 
> 
> --------------------------------------------------------------------------------
> 
> Join the SAMBA server to the PDC domain
> Enter the following command to make the SAMBA server join the PDC domain,
> where DOMAIN is the name of your Windows domain and Administrator is a
> domain user who has administrative privileges in the domain.
> 
> root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator
> 
> The proper response to the command should be: "Joined the domain DOMAIN"
> where DOMAIN is your DOMAIN name.
> 
> 
> --------------------------------------------------------------------------------
> 
> Start up the winbindd daemon and test it!
> Eventually, you will want to modify your smb startup script to automatically
> invoke the winbindd daemon when the other parts of SAMBA start, but it is
> possible to test out just the winbind portion first. To start up winbind
> services, enter the following command as root:
> 
> root# /usr/local/samba/bin/winbindd
> 
> I'm always paranoid and like to make sure the daemon is really running...
> 
> root# ps -ae | grep winbindd
> 
> This command should produce output like this, if the daemon is running
> 
> 3025 ? 00:00:00 winbindd
> 
> Now... for the real test, try to get some information about the users on
> your PDC
> 
> root# /usr/local/samba/bin/wbinfo -u
> 
> This should echo back a list of the Windows users on your PDC. For
> example, I get the following response:
> 
> 
> CEO+Administrator
> CEO+burdell
> CEO+Guest
> CEO+jt-ad
> CEO+krbtgt
> CEO+TsInternetUser
> 
> Obviously, I have named my domain 'CEO' and my winbind separator is '+'.
> 
> You can do the same sort of thing to get group information from the PDC:
> 
> 
> root# /usr/local/samba/bin/wbinfo -g
> CEO+Domain Admins
> CEO+Domain Users
> CEO+Domain Guests
> CEO+Domain Computers
> CEO+Domain Controllers
> CEO+Cert Publishers
> CEO+Schema Admins
> CEO+Enterprise Admins
> CEO+Group Policy Creator Owners
> 
> The function 'getent' can now be used to get unified lists of both local and
> PDC users and groups. Try the following command:
> 
> root# getent passwd
> 
> You should get a list that looks like your /etc/passwd list followed by the
> domain users with their new uids, gids, home directories and default shells.
> 
> The same thing can be done for groups with the command
> 
> root# getent group
> 
> 
> --------------------------------------------------------------------------------
> 
> Fix the /etc/rc.d/init.d/smb startup files
> The winbindd daemon needs to start up after the smbd and nmbd daemons are
> running. To accomplish this task, you need to modify the /etc/init.d/smb
> script to add commands to invoke this daemon in the proper sequence. My
> /etc/init.d/smb file starts up smbd, nmbd, and winbindd from the
> /usr/local/samba/bin directory directly. The 'start' function in the script
> looks like this:
> 
> 
> start() {
>         KIND="SMB"
>         echo -n $"Starting $KIND services: "
>         daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
>         RETVAL=$?
>         echo
>         KIND="NMB"
>         echo -n $"Starting $KIND services: "
>         daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
>         RETVAL2=$?
>         echo
>         KIND="Winbind"
>         echo -n $"Starting $KIND services: "
>         daemon /usr/local/samba/bin/winbindd
>         RETVAL3=$?
>         echo
>         [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
>            RETVAL=1
>         return $RETVAL
> }
> 
> The 'stop' function has a corresponding entry to shut down the services and
> looks like this:
> 
> 
> stop() {
>         KIND="SMB"
>         echo -n $"Shutting down $KIND services: "
>         killproc smbd
>         RETVAL=$?
>         echo
>         KIND="NMB"
>         echo -n $"Shutting down $KIND services: "
>         killproc nmbd
>         RETVAL2=$?
>         echo
>         KIND="Winbind"
>         echo -n $"Shutting down $KIND services: "
>         killproc winbindd
>         RETVAL3=$?
>         [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
>         echo ""
>         return $RETVAL
> }
> 
> If you restart the smbd, nmbd, and winbindd daemons at this point, you
> should be able to connect to the samba server as a domain member just as if
> you were a local user.
> 
> 
> --------------------------------------------------------------------------------
> 
> Configure Winbind and PAM
> If you have made it this far, you know that winbindd and samba are working
> together. If you want to use winbind to provide authentication for other
> services, keep reading. The pam configuration files need to be altered in
> this step. (Did you remember to make backups of your original /etc/pam.d
> files? If not, do it now.)
> 
> You will need a pam module to use winbindd with these other services. This
> module will be compiled in the ../source/nsswitch directory by invoking the
> command
> 
> root# make nsswitch/pam_winbind.so
> 
> from the ../source directory. The pam_winbind.so file should be copied to
> the location of your other pam security modules. On my RedHat system, this
> was the /lib/security directory.
> 
> root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security
> 
> The /etc/pam.d/samba file does not need to be changed. I just left this
> file as it was:
> 
> 
> auth    required        /lib/security/pam_stack.so service=system-auth
> account required        /lib/security/pam_stack.so service=system-auth
> 
> The other services that I modified to allow the use of winbind as an
> authentication service were the normal login on the console (or a terminal
> session), telnet logins, and ftp service. In order to enable these services,
> you may first need to change the entries in /etc/xinetd.d (or
> /etc/inetd.conf). RedHat 7.1 uses the new xinetd.d structure; in this case
> you need to change the lines in /etc/xinetd.d/telnet and
> /etc/xinetd.d/wu-ftp from 
> 
> 
> enable = no
> 
> to
> 
> 
> enable = yes
> 
> For ftp services to work properly, you will also need to either have
> individual directories for the domain users already present on the server,
> or change the home directory template to a general directory for all domain
> users. These can be easily set using the smb.conf global entry template
> homedir.
> 
> The /etc/pam.d/ftp file can be changed to allow winbind ftp access in a
> manner similar to the samba file. My /etc/pam.d/ftp file was changed to look
> like this:
> 
> 
> auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
> auth       sufficient   /lib/security/pam_winbind.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_shells.so
> account    sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> 
> The /etc/pam.d/login file can be changed nearly the same way. It now looks
> like this:
> 
> 
> auth       required     /lib/security/pam_securetty.so
> auth       sufficient   /lib/security/pam_winbind.so
> auth       sufficient   /lib/security/pam_unix.so use_first_pass
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
> 
> In this case, I added the auth sufficient /lib/security/pam_winbind.so lines
> as before, but also added the required pam_securetty.so above it, to
> disallow root logins over the network. I also added a sufficient
> /lib/security/pam_unix.so use_first_pass line after the winbind.so line to
> get rid of annoying double prompts for passwords.
> 
> 
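The symptom in the question (getent lists the domain users, but only local accounts can log in) is exactly the NSS-versus-PAM split the reply points at: nsswitch.conf makes winbind accounts resolvable, while only the PAM service files decide who may authenticate. The script below is an added example for this archive page, not code from the thread or from the Samba documentation quoted in it. It takes the paths of an nsswitch.conf, a PAM service file, an smb.conf and a shells file as parameters and reports which layer is missing winbind; it also checks that the shell handed out by "template shell" is one pam_shells.so (used in the quoted /etc/pam.d/ftp) will accept. The function names, the one-word verdicts and the sample files are this example's own constructions, built from the configuration shown in the quoted instructions; the /bin/false fallback is winbindd's documented default for "template shell".

```shell
#!/bin/sh
# Added diagnostic; not from the Samba documentation quoted above or from
# either poster. It checks the layers the thread distinguishes: NSS (makes
# "getent passwd" list domain users), PAM (makes console, telnet and ftp
# logons accept them) and the shell handed out by "template shell", which
# pam_shells.so rejects unless it is listed in /etc/shells. File paths are
# parameters so the checks can run against copies; the sample files at the
# bottom are constructed from the configuration shown in the instructions.

# 0 if nsswitch.conf names winbind as a source for both passwd and group.
nss_has_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# 0 if a PAM service file consults pam_winbind in both its auth and account
# stacks. The quoted instructions add both lines: auth alone checks the
# password, the account line lets a user with no /etc/shadow entry pass the
# account phase as well.
pam_has_winbind() {
    for type in auth account; do
        grep -Eq "^[[:space:]]*${type}[[:space:]]+(sufficient|required|requisite|optional)[[:space:]]+[^[:space:]]*pam_winbind\.so" "$1" \
            || return 1
    done
    return 0
}

# Value of "template shell" from an smb.conf; winbindd's default is /bin/false.
# Assumes the lower-case spelling used in the instructions above.
template_shell() {
    shell=$(sed -n 's/^[[:space:]]*template shell[[:space:]]*=[[:space:]]*//p' "$1" \
            | sed 's/[[:space:]]*$//' | head -n 1)
    printf '%s\n' "${shell:-/bin/false}"
}

# 0 if that shell is listed in the given shells file (what pam_shells.so checks).
shell_is_allowed() {
    grep -Fxq "$(template_shell "$1")" "$2"
}

# One-word verdict matching the symptoms discussed in the thread:
#   ok            getent and interactive logon should both work for domain users
#   pam-missing   getent lists domain users, but only local accounts can log in
#   nss-missing   PAM would accept the password, but the account cannot be resolved
#   both-missing  neither layer knows about winbind
winbind_logon_status() {
    nss=1; pam=1
    nss_has_winbind "$1" && nss=0
    pam_has_winbind "$2" && pam=0
    if [ "$nss" -eq 0 ] && [ "$pam" -eq 0 ]; then echo ok
    elif [ "$nss" -eq 0 ]; then echo pam-missing
    elif [ "$pam" -eq 0 ]; then echo nss-missing
    else echo both-missing
    fi
}

# --- constructed sample files, mirroring the configuration shown above ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
EOF

# /etc/pam.d/login before pam_winbind is added: the state in the question
cat > "$SAMPLE_DIR/login.before" <<'EOF'
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
EOF

# /etc/pam.d/login as the instructions leave it
cat > "$SAMPLE_DIR/login.after" <<'EOF'
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
EOF

cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
     winbind separator = +
     template homedir = /home/winnt/%D/%U
     template shell = /bin/bash
EOF
printf '/bin/sh\n/bin/bash\n' > "$SAMPLE_DIR/shells"

printf 'login.before: %s\n' "$(winbind_logon_status "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/login.before")"
printf 'login.after:  %s\n' "$(winbind_logon_status "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/login.after")"
if shell_is_allowed "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/shells"; then
    printf 'template shell %s is a valid login shell\n' "$(template_shell "$SAMPLE_DIR/smb.conf")"
fi
```

On a real host the same functions run against the live files, for example `winbind_logon_status /etc/nsswitch.conf /etc/pam.d/login` and `shell_is_allowed /etc/samba/smb.conf /etc/shells` (paths vary by distribution). A "pam-missing" verdict is the situation in the question: wbinfo and getent work because NSS is wired up, while login, telnet and ftp still consult only the local password database until pam_winbind is added to their service files.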



