[Samba] Comments / suggestions wanted - Winbind, 2K, and user Homes

Mon Jul 15 04:11:02 GMT 2002

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| Message: 15
| Date: Fri, 12 Jul 2002 14:06:44 -0500
| From: Edward Yantis <yantis at hyperhog.net>
| To: samba at lists.samba.org
| Subject: [Samba] Comments / suggestions wanted - Winbind, 2K, and user
Homes
|
| I have a single AD domain with 4 domain controllers (win2k-not native
mode).  I want all
| users to login to AD (clients from 98 to XP - no linux clients yet).
|
| This is a school network with 4 campuses connected by wireless links
(hence the 4 domain
| controllers) and I would like to put a samba server at each location
for student home
| directories (basically a NAS setup to start with).  There will be no
need to access win2k
| shares from linux machines.
|
| Can Samba/winbind create the user's home directories automatically
with out creating a
| linux account on the samba server?  I have about 1400 accounts that I
have to manage by
| myself and do not want to have to deal with accounts on multiple systems.

Yes, see pam_mkhomedir, which you will need to add a session section for
each service that should be able to create home directories in the
services /etc/pam.d/ file (/etc/pam.d/samba for samba). You will also
need to add "obey pam restrictions = yes" to your smb.conf to make samba
use the entry.

A sample system-auth-winbind (suitable to replace /etc/pam.d/system-auth
for use for full authentication via winbind, or you can replace
"service=system-auth" with "service=system-auth-winbind" selectively) is
available in the packaging/Mandrake directory of the samba source. It
includes a pam_mkhomedir example, and should work if your existing
/etc/pam.d/samba file uses pam_stack with service=system-auth.

|
| (assuming samba/winbind can create the home directories or they can be
created via a
| script) Since all users are in the same AD domain, how can I ensure
that only the home
| directories for a particular campus get created on the corresponding
server?  I have the
| users separated in the AD with an OU for each campus.
|

This I think would only be possible with seperate domains, as
pam_mkhomedir does not create parent directories, so you could create a
parent directory for the domain you want to support.

I don't know if it is possible with different OUs in AD, though
definitely not via winbind. You may be able to access your AD domian via
nss_ldap or pam_ldap, and use a filter on each machine.

Thus, you would be doing user/group enumeration by LDAP and
authentication via winbind. I am not how well that works with AD, but
this is what we do with a samba PDC and openldap. You might need the
unix extensions for AD, but then you have no reason to use LDAP (which
does uidNumber/gidNumber<->rid, which has no purpose if you store
uidNumber/gidNumber in AD.

Buchan

- --
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE9Mq18rJK6UGDSBKcRAh9YAKCCJTj9JlvLL7n9obR1ehykblv96wCfQV6v
A3+kQMkMyA2wXCfegxtkgMI=
=o17+
-----END PGP SIGNATURE-----