[Samba] SUMMARY: Samba + KDE + winbind + home directories mounted off the Samba PDC - it can almost be done !! (as of September 30th 2003)

Przemyslaw Tokarski przemek at zpk.u.lodz.pl
Tue Sep 30 06:57:50 GMT 2003

Hello Samba list !!

This is my original posting that I sent to the list about two months ago.
The summary is below.

Hello !!

 Has anybody successfully implemented a similar setup?

1. R.H. 7.2 (production kernel - 2.4.7-10) + Samba PDC (2.2.8a) with unix 
extensions enabled 
2. Samba client (2.2.8a) running R.H. Linux 7.2 (kernel 2.4.18 patched for 
cifs) + winbind + pam_mount
3. KDE + home directories mounted off the Samba PDC.

...points 1-2 work OK, still unable to figure out how to implement point
3. Users always get authenticated against the Samba PDC and home directories
get mounted (when I log into the FVWM desktop), but when I try to log into KDE
it almost immediately kicks me out. I tracked down the problem to (I
guess) symbolic links (and maybe other filesystem features also) not
present in smbfs and I tried to utilize cifs - this did not help either -
cifs as of today can not create symbolic links either. Does a patch (for
smbmount e.g.) exist that enables processes/users to create symbolic links
on a smbfs mounted share? I'd like very much to hear from people who made
it all work together. 

Best regards 
Przemyslaw Tokarski
Lodz, Poland

I will summarize, of course.

and here is the promised summary:

As an introduction I'd like to point out that I "almost" did it, but so as not 
to discourage the reader I also should say that the ultimate goal specified 
in the mail subject is not that far away.

1. The following source code should be downloaded:

- samba-2.2.8a.tar.gz (from www.samba.org or from one of the mirrors)
- pam_mount.tar (this is actually pam_mount-0.9.2, but I found it under 
  the pam_mount.tar source tarball name - I don't remember where I got it)
- linux-2.4.18.tar (from www.kernel.org or from one of the mirrors)
- John Newbigin`s 'ensure_link_is_safe' samba patch (from 
- John Newbigin`s kernel patch
  (from http://uranus.it.swin.edu.au/~jn/linux/smbfs/smbfs-cifs8.patch)

2. Server configuration

- I tested my configuration on a stock R.H. Linux 7.2 distribution.
- We should uninstall all the samba packages present on the system:
  rpm -qa | grep -i samba
  rpm -e .... here the output of the previous command ...
- Now, we patch and build our samba binaries
  gzip -d samba-2.2.8a.tar.gz
  tar -xf samba-2.2.8a.tar
  cp samba.diff6 samba-2.2.8a 
  cd samba-2.2.8a
  patch -p0 < samba.diff6 
  cd source
  ./configure
  make
  make install (by default samba binaries and configuration files 
  install under the '/usr/local/samba' directory)
- then we create the samba configuration file 
  '/usr/local/samba/lib/smb.conf'. Below is the configuration file that I 
  use on the server.


  #============== Global Settings ==========
   [global]

   netbios name = sc
   workgroup = ADMN

   server string = Samba ADMN PDC (sc)

   name resolve order = host
   dns proxy = no

   os level = 65
   preferred master = yes
   domain master = yes
   local master = yes

   security = user
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/lib/smbpasswd
   add user script = /usr/sbin/useradd -d /dev/null -g 2000 -s /bin/false -M %u
   restrict anonymous = no
   admin users = root
   domain admin group = root

   domain logons = yes

   follow symlinks = yes
   wide links = yes

   load printers = no

   client code page = 852

   log file = /usr/local/samba/var/%m.log
   max log size = 0

   unix extensions = yes
   map archive = no
   delete readonly = yes
   create mask = 0755
   case sensitive = yes

  #========== Share Definitions ============
   [netlogon]
   comment = Netlogon service
   path = /usr/local/samba/netlogon
   read only = yes
   write list = root
   create mask = 0640
   directory mode = 0750
   browseable = no

   [homes]
   comment = Users' home directories - ADMN domain
   writable = yes
   create mask = 0640
   directory mode = 0750
   valid users = %S
   invalid users = root


- create directories and files necessary for that setup to work:
  mkdir /usr/local/samba/netlogon
  touch /usr/local/samba/lib/smbpasswd (u=g=root,600)
- create samba start/stop script '/etc/init.d/samba.server' 
  (u=g=root,755). Below is one that I use:

  #!/bin/sh
  #ident  "@(#)samba.server 1.0   96/06/19 TK"    /* SVr4.0*/
  # Please send info on modifications to knuutila at cs.utu.fi
  # This file should have uid root, gid sys and chmod 744
  if [ ! -d /usr/bin ]
  then                    # /usr not mounted
          exit
  fi

  killproc() {            # kill the named process(es)
          pid=`/bin/ps -e |
               /bin/grep -w $1 |
               /bin/sed -e 's/^  *//' -e 's/ .*//'`
          [ "$pid" != "" ] && kill $pid
  }

  # Start/stop processes required for samba server

  case "$1" in

  'start')
  # Edit these lines to suit your installation (paths, workgroup, host)
     /usr/local/samba/bin/smbd -D -s/usr/local/samba/lib/smb.conf
     /usr/local/samba/bin/nmbd -D -l/usr/local/samba/var -s/usr/local/samba/lib/smb.conf
     ;;

  'stop')
     killproc nmbd
     killproc smbd
     ;;

  *)
     echo "Usage: /etc/init.d/samba.server { start | stop }"
     ;;
  esac

- start the samba: /etc/init.d/samba.server start
- add at least 2 users to the samba users' database (they must be present in 
  /usr/local/samba/bin/smbpasswd -a root (give this root user a password 
  different than your "regular" root user has. This is for security 
  /usr/local/samba/bin/smbpasswd -a test1

- On the server I left the production kernel untouched.
3. Client configuration

- uncompress the kernel sources and patch it with John Newbigin`s 
  kernel patch. Remember to configure the kernel with the smbfs support 
  as well as the appropriate ethernet card driver etc... :
  mv smbfs-cifs8.patch /usr/src/linux...
  cd /usr/src/linux...
  patch -p1 < smbfs-cifs8.patch

- compile and install the new kernel and then reboot.

- compile and install the samba exactly as you did on the server (but 
  do not start yet) with two exceptions: run 'configure' script with 
  options '--with-winbind' and '--with-winbind-auth-challenge'. The second
  exception is a different configuration file which is below:


   [global]
   workgroup = ADMN

   server string = Samba client

   load printers = no

   log file = /usr/local/samba/var/%m.log
   max log size = 0

   security = domain
   password server = sc
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/lib/smbpasswd

   dns proxy = no
   name resolve order = host

   winbind separator = +
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   template homedir = /home/home_directories
   template shell = /bin/bash


- configure nsswitch and the winbind libraries.
  /etc/nsswitch.conf should contain the following lines:
  passwd:	files winbind
  shadow:	files
  group:	files winbind
  cd ...samba-2.2.8a/source/nsswitch
  cp libnss_winbind.so /lib
  chmod 755 /lib/libnss_winbind.so
  ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

- join the samba client to the samba server domain
  /usr/local/samba/bin/smbpasswd -j ADMN -r sc -U root

- start up the samba and winbind
  /etc/init.d/samba.server start
  /usr/local/samba/bin/winbindd (you need to prepare the winbind start-up
  script by yourself)

- configure winbind and PAM
  cd ...samba-2.2.8a/source
  make nsswitch/pam_winbind.so
  cp nsswitch/pam_winbind.so /lib/security
  chmod 755 /lib/security/pam_winbind.so

- compile and install pam_mount
  gzip -d pam_mount.tar.gz
  tar -xf pam_mount.tar
  cd pam_mount-0.9.2
  ./configure; make; make install
  cp config/pam_mount.conf /etc/security

- edit /etc/security/pam_mount.conf. My '/etc/security/pam_mount.conf'
  contains the following volume configuration line:
  volume * smb sc homes /home/home_directories uid=&,gid=zpk - -
  Options uid and gid are meaningless when unix extensions are enabled 
  on the server, but I left them here.

- configure kde login to work with PAM. Edit /etc/pam.d/kde like this:
  auth      required   pam_nologin.so
  auth      sufficient pam_winbind.so
  auth      required   pam_pwdb.so use_first_pass shadow nullok
  auth      required   /usr/lib/security/pam_mount.so
  account   required   pam_winbind.so
  password  required   pam_cracklib.so type=user retry=3
  password  required   pam_pwdb.so use_authtok
  session   required   pam_pwdb.so
  session   optional   /usr/lib/security/pam_mount.so

- it is also necessary to install two original Red Hat 7.2 samba packages
  samba-common-2.2.1a-4.i386.rpm and samba-client-2.2.1a-4.i386.rpm. 
  samba-client-2.2.1a-4.i386.rpm contains utilities that enable 'mount -t 
  smbfs...' command to work, samba-common... is installed due to 
  dependency requirements. After you install these you should copy
  '/usr/local/samba/lib/smb.conf' over to '/etc/samba/smb.conf' where the 
  original samba utilities expect to find it (I guess that a much better 
  idea than to build samba from tarball sources would be to download Red 
  Hat 9.0 samba-2.2.7a source packages and make our own patched binary packages).

As a result of this configuration you should be able to log in via a graphical
login screen into kde or gnome with the 'test1' user that exists only on the
samba server (you do not create it on the client - the client is aware of that
user's existence because winbind is being used), however there is a problem. As
samba now carries information about uids and gids (files and directories on
samba shares have the uids and gids of users on the server), users that log in
in this manner do not own their home directories because their uids and gids on
the client are different than those on the server - winbind maps the uids and
gids user 'test1' has on the server to those he has on the client randomly (you
can see it when you issue the command 'getent passwd') - and this is the
fundamental reason why this whole setup does not work properly. I personally
decided to go the Xfce way (fast and robust window manager). Xfce does not
create symbolic links in the user's home directory and then I can disable 'unix
extensions' on the samba server and the 'gid' and 'uid' options to the mount
command (volume line in /etc/security/pam_mount.conf) function properly, that
is, files and directories on the samba shares are owned by arbitrarily
specified uids and gids that can be the uid and gid the test1 user has on the
client. It seems that it would be useful to redesign the 'unix extensions'
samba feature in a way that it would still allow symbolic links to be created
on samba shares (a requirement for kde) and simultaneously retain the
aforementioned functionality of the 'uid' and 'gid' options to the mount
command. I'm planning to start the discussion on that subject on the
samba-technical mailing list quite soon. 

This description (and the whole setup) is somewhat rough and might be
inaccurate and incomplete in some places, but I believe it points people who
might be interested in the setup in question in the right direction and
highlights problems that will certainly appear. 

I'd like to especially thank the following people who answered my query 
for their help and support (order is random):

cj at itonsite.com.au (I don't have the name, sorry :) )
Andrew Bartlett abartlet at samba.org
Buchan Milne <bgmilne at cae.co.za>
Ryan McConigley <ryan at csse.uwa.edu.au>
Steven French <sfrench at us.ibm.com>
John Newbigin <jn at it.swin.edu.au>

Best regards 
Przemyslaw Tokarski
Lodz, Poland
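Two checks that follow from the summary above, written as an added example for this page (not code from the original post or from the Samba project). The first parses the [global] section of an smb.conf the way smbd does (parameter names are case- and whitespace-insensitive, the last assignment wins) and flags the combination the server config above carries, 'unix extensions = yes' together with 'wide links = yes': unix extensions let a client create symlinks on the share, and wide links make smbd follow a symlink that points outside the share, so a domain user can reach any path smbd itself can read. Samba 3.4.6 and later turn 'wide links' off whenever 'unix extensions' is on for this reason, which is also the territory of the 'ensure_link_is_safe' patch mentioned in the download list. The second compares the uid:gid winbind hands a user on the client, as 'getent passwd' shows it, with the uid:gid owning the mounted home directory, which is the mismatch described in the conclusion. The SAMPLE_CONF text and the passwd line and owner ids used in the stand-alone run are constructed; the user name test1, the gid 2000 and the mount point /home/home_directories are taken from the post. Needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example for this page, not code from the original post or from Samba.
# 1. audit_symlinks: flag 'unix extensions = yes' + 'wide links = yes' in [global].
#    Clients with unix extensions can create symlinks on the share; wide links
#    make smbd follow them outside the share tree.
# 2. ids_match: compare the uid:gid winbind gives a user on the client with the
#    uid:gid owning the mounted home directory (the mismatch from the summary).

# Constructed sample: the relevant lines of the server smb.conf above, with one
# mixed-case spelling to show that Samba ignores case and spacing in names.
SAMPLE_CONF='[global]
   netbios name = sc
   workgroup = ADMN
   security = user
   Follow Symlinks = Yes
   wide links = yes
   unix extensions = yes

[homes]
   writable = yes
   wide links = no
'

# smb_param CONF SECTION NAME: print the value of NAME in [SECTION], lower-cased
# and trimmed, or nothing if it is unset.  The last assignment wins, as in smbd.
smb_param() {
    printf '%s\n' "$1" | awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
            sec = norm(sec); next
        }
        /=/ && sec == norm(want_sec) {
            key = $0; sub(/=.*$/, "", key)
            if (norm(key) == norm(want_key)) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
                found = 1
            }
        }
        END { if (found) print tolower(val) }'
}

# Samba treats yes/true/1 as true (and no/false/0 as false).
is_true() {
    case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac
}

# audit_symlinks CONF: 0 if the combination is absent, 1 if it is set.
audit_symlinks() {
    ue=$(smb_param "$1" global "unix extensions")
    wl=$(smb_param "$1" global "wide links")
    if is_true "$ue" && is_true "$wl"; then
        echo "WARNING: unix extensions + wide links: a client-created symlink can escape the share"
        return 1
    fi
    echo "ok: unix extensions=${ue:-unset} wide links=${wl:-unset}"
}

# ids_match PASSWD_LINE OWNER: PASSWD_LINE is what 'getent passwd USER' prints on
# the client (uid/gid chosen by winbind), OWNER is the uid:gid that owns the
# mounted home directory (the server's ids once unix extensions pass them
# through).  0 when equal, 1 on the mismatch the summary describes.
ids_match() {
    client_ids=$(printf '%s\n' "$1" | awk -F: '{ print $3 ":" $4 }')
    if [ "$client_ids" = "$2" ]; then
        echo "ok: $client_ids"
        return 0
    fi
    echo "MISMATCH: winbind gave $client_ids, home directory is owned by $2"
    return 1
}

# Stand-alone run on the constructed data; on a real client use
#   audit_symlinks "$(cat /usr/local/samba/lib/smb.conf)"
#   ids_match "$(getent passwd test1)" "$(stat -c '%u:%g' /home/home_directories)"
audit_symlinks "$SAMPLE_CONF" || echo "fix: set 'wide links = no' in [global]"
# 10000:10000 is a winbind-range id from the client config; 502:2000 is a
# constructed server-side owner (gid 2000 comes from the 'add user script').
ids_match "test1:x:10000:10000::/home/home_directories:/bin/bash" "502:2000" || :
```

Run audit_symlinks against the server's copy of smb.conf and ids_match on the client after pam_mount has mounted the home directory; a MISMATCH line is exactly the condition under which test1 does not own the files in the conclusion, and the cure is either a stable, identical uid/gid on both sides or dropping 'unix extensions' so the mount-time uid/gid options apply.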
