[Samba] PAM, PDC and Winbind

Diego Rivera lrivera at racsa.co.cr
Thu Jan 9 23:12:35 GMT 2003


Here are my configs for RedHat 7.2.

I also have them for Mandrake 8.2.

If you want, read them and we can later discuss portions you don't
understand.  There's a bunch of howto's out there on doing this.

Look for:

Samba+LDAP-Howto:
    (Samba docs)

Winbind-Howto:
    (Samba docs)

LDAP-Auth-Howto
    http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html
There may be (likely, are) others, but this is one off the top of my head.

PAM-Docs

It works like this:

1) Configure your Linux to do LDAP authentication (using nss_ldap,
pam_ldap from http://www.padl.com).  Configuration files
(/etc/ldap.conf) are enclosed.

2) Configure Samba (at compile time) to have LDAPSAM backend, to use PAM
for password synchronization, and "unix password sync = yes", "pam
password change = yes" in smb.conf

3) Configure Samba to share the user database with the Linux user
database.  This achieves storing user information in the same LDAP
record for both Samba stuff and Linux (posix) stuff

4) Configure Samba as a PDC

5) set up the PAM module config for samba to do password changes using
all necessary modules EXCEPT the Samba modules (obviously, since samba
itself would take care of this)

6) Set up the regular password change mechanisms (non-samba) to synch
with all the necessary modules including the samba module.

7) Set up SSL certificates as necessary.

8) Gloat to your friends about your setup!  ;)

Key files to look at:

init.ldif   -> Used to initialize the LDAP tree (if not already done)
etc/ldap.conf
etc/nsswitch.conf
etc/smb-{pdc,client}.conf
etc/openldap/slapd.conf
etc/pam.d/password
etc/pam.d/samba
etc/pam.d/system-auth-{pdc,client}

This is a "cookie-cutter" config, and I'm very interested to see if you
can succeed in using it as such.  I have done no documentation on it, so
I'm very interested in your feedback to see what needs to be fixed, or
addressed.

The end result for me has been: Only one password per user for any
service, and password changes in one environment affect all others (some
concurrency limitations from my previous post apply).

Notes on client Linux machines: Winbind requires your machine to be
joined into a domain, so it's important you understand how to do that
(smbpasswd -j), and configure Samba for clients.  A file called
"smb-client.conf" is included for this purpose.  Feel free to use it as
a guideline.  For PDC, a file called "smb-pdc.conf" is also included.

Please don't pass these around just yet, as I want to get feedback
before I post these on a website accompanied by a HOWTO.

I used:

Samba 2.2.7
OpenLDAP 2.0.25
nss_ldap-202
pam_ldap-153

Best

Diego

PS/ One detail - the PAM configurations need to be optimized to provide
full failover, and other safety precautions.  Right now, it's very
basic, but it should allow you to: change passwords directly from
windows using the "Change Password" command, change passwords from the
Linux PDC using "passwd", change password from other linux clients using
"passwd" as well, and any other common password-change mechanisms from
Linux.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: redhat-distr-auth.tar.gz
Type: application/x-gzip
Size: 57352 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20030109/fcda57fc/redhat-distr-auth.tar.bin
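As an added worked example (editor's code, not Diego's tarball, which the archive scrubbed), the following Python 3 script audits a set of constructed sample files for the properties steps 1, 2, 4, 5 and 6 above call for: LDAP in nsswitch.conf, a Samba 2.2 PDC with the LDAPSAM options and "unix password sync" / "pam password change", an smbd PAM stack without the Samba module, and a passwd(1) stack with it. Assumptions: option names follow the Samba 2.2 smb.conf(5) manual page; the hostnames, DNs and paths are invented; "the samba module" is taken to be pam_smbpass; the passwd(1) stack is /etc/pam.d/passwd on Red Hat (the tarball lists it as etc/pam.d/password); none of it is the post's own configuration.

```python
import re

# Constructed samples (assumptions: hostnames, DNs and paths are invented; option
# names follow the Samba 2.2 smb.conf(5) page; PAM paths are Red Hat 7.2 style).
SMB_PDC_CONF = """\
[global]
    workgroup = EXAMPLE
    security = user
    encrypt passwords = yes
    domain logons = yes
    domain master = yes
    ldap server = ldap.example.test
    ldap suffix = dc=example,dc=test
    ldap admin dn = cn=Manager,dc=example,dc=test
    ldap ssl = start_tls
    unix password sync = yes
    pam password change = yes
    passwd program = /usr/bin/passwd %u

[netlogon]
    path = /var/lib/samba/netlogon
    writable = no
"""
# smbd's own stack (step 5): no pam_smbpass, smbd already updates the SMB hashes
PAM_SAMBA = """\
auth       required     /lib/security/pam_ldap.so
account    required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_ldap.so
"""
# passwd(1) stack (step 6): pam_smbpass keeps the SMB hashes in step with posix
PAM_PASSWD = """\
password   required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_smbpass.so use_authtok
"""
NSSWITCH = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader; Samba ignores case/whitespace in parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")

def check_pdc(conf):
    """Steps 2 and 4: PDC role, LDAPSAM backend and PAM-driven password sync."""
    g, findings = conf.get("global", {}), []
    for opt in ("encryptpasswords", "domainlogons", "domainmaster",
                "unixpasswordsync", "pampasswordchange"):
        if not is_yes(g.get(opt)):
            findings.append(f"global: '{opt}' must be yes")
    if g.get("security", "").lower() != "user":
        findings.append("global: 'security' must be user on a PDC")
    for opt in ("ldapsuffix", "ldapadmindn"):
        if not g.get(opt):
            findings.append(f"global: '{opt}' is required for the LDAPSAM backend")
    if g.get("ldapssl", "").lower() == "off":
        findings.append("global: 'ldap ssl = off' sends the admin dn bind in clear")
    if "netlogon" not in conf:
        findings.append("no [netlogon] share: domain logons will fail")
    return findings

def pam_modules(text, mtype):
    # module basenames on the lines of one PAM type; comment lines never match
    return {p[2].rsplit("/", 1)[-1] for p in (l.split() for l in text.splitlines())
            if len(p) >= 3 and p[0] == mtype}

def check_pam(pam_samba, pam_passwd):
    """Steps 5 and 6: smbd's stack must not loop back into pam_smbpass,
    the ordinary passwd(1) stack must include it."""
    findings = []
    if "pam_smbpass.so" in pam_modules(pam_samba, "password"):
        findings.append("pam.d/samba: drop pam_smbpass, smbd writes the SMB hashes itself")
    if "pam_smbpass.so" not in pam_modules(pam_passwd, "password"):
        findings.append("pam.d/passwd: add pam_smbpass so passwd(1) also updates SMB hashes")
    return findings

def check_nsswitch(text):
    """Step 1: posix account lookups must reach LDAP."""
    findings = []
    for db in ("passwd", "shadow", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", text, re.M)
        if not m or "ldap" not in m.group(1).split():
            findings.append(f"nsswitch: '{db}' does not list ldap")
    return findings

def audit(smb=SMB_PDC_CONF, pam_samba=PAM_SAMBA, pam_passwd=PAM_PASSWD, nss=NSSWITCH):
    """All findings for one set of files; an empty list means the setup matches."""
    return (check_pdc(parse_smb_conf(smb)) + check_pam(pam_samba, pam_passwd)
            + check_nsswitch(nss))

if __name__ == "__main__":
    print("\n".join(audit() or ["OK: matches the described PDC setup"]))
```

Point `audit()` at the real files (read them into the four arguments) to get the same findings for a live box; the constructed samples pass clean, and swapping the two PAM stacks or dropping "pam password change" produces the corresponding findings.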

