[Samba] Authenticating from Windows domains via winbind the easy way

[Buchan Milne]

Sorry if this sounds like an advertisement, but in the past 6 weeks or so 
there have probably been close on 100 questions on getting Winbind 
working.

For those of you who are new to linux/samba, you may want to consider 
using Mandrake 9.0 for your first implementation, since *everything* (ok, 
there is one bug which I will mention) is taken care of for you.

When installed in expert mode, you get the chance to choose your 
authentication method, one of LDAP/NIS/Windows Domain. If you choose 
Windows domain, it will setup winbind, and if you configure your network 
during installation, join the domain for you.

On Mandrake 9.0, ACLs work out-the-box on XFS via samba, and on ext2/3 if 
you mount the filesystems with the'acl' mount option. On our production 
servers, we have been using ACLs since Mandrake 8.2 on XFS, with no 
stabilty problems. Mandrake 9.1 ships with kernel 2.4.21-pre, in which 
ACLs are not enabled, so if you want to use 9.1 with ACLs, use the updates 
kernel for 9.0.

By default, when setup for winbind, all pam-enabled services will 
authenticate against the domain (via pam_winbind), including 
KDE,gdm,ssh,imap,pop3 etc. Local logins will also auto-create home 
directories, as will a connection to samba running on the machine.

Caveats on 9.0:
-When entering the information on your domain during installation, enter 
your domain name (the NETBIOS domain name for AD users) in caps

Caveats on 9.0 and 9.1:
-kscreensaver pam file is incorrect, copy the one from xscreensaver which 
is correct:
# cp -f /etc/pam.d/screensaver /etc/pam.d/kscreensaver3
otherwise you will lock yourself out of your desktop.

Unfortunately I have not thoroughly tested joining of 9.1 to a domain, and 
have yet to have someone confirm that it works, but if it does not work, 
all that is required is a join of the domain post-install.

So, if you don't want to battle through a week of understanding all the 
issues in attemtping to get winbind running, you may want to consider 
trying Mandrake 9.0. I demonstrated this at a local conference, and in the 
allotted 30 minutes could do a (minimal with KDE) installation, joining 
the machine during installation, log into KDE and console with a domain 
account on first boot with no changes, browse the newly created home 
directory from a windows machine via samba and use ACLs, and run CVS over 
SSH from the windows client using TortoiseCVS.

For more information on the implementation, see:
http://ranger.dnsalias.com/mandrake/samba
http://ranger.dnsalias.com/mandrake/samba/Integrating%20Linux%20into%20Windows%20Networks.tar.gz
http://ranger.dnsalias.com/mandrake/samba/Integrating%20Linux%20into%20Windows%20Networks.pdf
http://ranger.dnsalias.com/mandrake/samba/Integrating%20Linux%20into%20Windows%20Networks-handouts.pdf

The tarball includes sample config files, including for Redhat 8.0

Finally, if someone has managed to setup Mandrake 9.1, and got joining 
working during instalaltion, please let me know.

Regards,
Buchan

-- 
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7