[Samba] Samba 3.0 and Authentication
Robert Davis
rdavisunr at sbcglobal.net
Mon Jan 6 19:24:01 GMT 2003
Hello all.
I would like to be able to grant my Windows users
access to the Samba Server, physically logging into
the box, ftp, ssh, telnet, etc. Additionally, when
they are browsing the network I would like the Samba
Server to create them a home directory on the fly when
they browse to the Samba Server. Here are all the
relevant configuration files. I am running Red Hat 8.0
and a Win2k PDC.
*********SMB.CONF***********
# Global parameters
[global]
workgroup = DOMAIN.COM
netbios name = SAMBASERVER
realm = PDC.DOMAIN.COM
ADS server = pdc ip address
server string = %L running Samba Server %v
security = ADS
password server = pdc name
passwd program = /usr/bin/passwd %u
unix password sync = Yes
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
winbind use default domain = No
template homedir = /home/%U
winbind separator = +
[homes]
comment = Home Directories
valid users = %D+%S
read only = No
create mask = 0664
directory mask = 0775
browseable = No
********/etc/nsswitch*********
contains these lines
passwd: files winbind nisplus
shadow: files winbind nisplus
group: files winbind nisplus
*****krb5.conf*******
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.COM = {
kdc = ipaddress
default_domain = domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
******/etc/pam.d/samba
#%PAM-1.0
auth sufficient /lib/security/pam_winbind.so
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
session required pam_mkhomedir.so umask=0022
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
****WINBINDD LOG FILE*****
[2003/01/06 11:05:57, 1] nsswitch/winbindd.c:main(817)
winbindd version 3.0alpha21 started.
Copyright The Samba Team 2000-2001
[2003/01/06 11:05:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(140)
Added domain BIGFOOTSOFTWARE.COM
[2003/01/06 11:05:57, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
krb5_cc_get_principal failed (No credentials cache found)
[2003/01/06 11:05:57, 1] nsswitch/winbindd_util.c:rescan_trusted_domains(167)
scanning trusted domain list
So... I am able to join using net ads join, and wbinfo
will return users and groups and tells me the secret is
good. I am just stuck with how to set up
authentication. Can anyone point me in the right
direction? Thanks
Rob