[Samba] SUMMARY: Samba + KDE + winbind + home directories mounted off the Samba PDC - it can almost be done !! (as of September 30th 2003)
Przemyslaw Tokarski
przemek at zpk.u.lodz.pl
Tue Sep 30 06:57:50 GMT 2003
Hello Samba list !!
This is my original posting that I sent to the list about two months ago.
The summary is below.
------------------------------------------------------------------------------------
Hello !!
Has anybody successfully implemented a similar setup?
1. R.H. 7.2 (production kernel - 2.4.7-10) + Samba PDC (2.2.8a) with unix
extensions enabled
2. Samba client (2.2.8a) running R.H. Linux 7.2 (kernel 2.4.18 patched for
cifs) + winbind + pam_mount
3. KDE + home directories mounted off the Samba PDC.
...points 1-2 work OK, but I am still unable to figure out how to implement point
3. Users always get authenticated against the SAMBA PDC and home directories
get mounted (when I log into the FVWM desktop), but when I try to log into KDE
it almost immediately kicks me out. I tracked down the problem to (I
guess) symbolic links (and maybe other filesystem features also) not
present in smbfs, and I tried to utilize cifs - this did not help either -
cifs as of today cannot create symbolic links either. Does a patch (for
smbmount e.g.) exist that enables processes/users to create symbolic links
on an smbfs-mounted share? I'd very much like to hear from people who made
it all work together.
Best regards
Przemyslaw Tokarski
Lodz, Poland
I will summarize, of course.
------------------------------------------------------------------------------------
And here is the promised summary:
As an introduction I'd like to point out that I "almost" did it, but, so as not
to discourage the reader, I should also say that the ultimate goal specified
in the mail subject is not that far away.
1. The following source code should be downloaded:
- samba-2.2.8a.tar.gz (from www.samba.org or from one of the mirrors)
- pam_mount.tar (this is actually pam_mount-0.9.2, but I found it under
the source tarball name pam_mount.tar - I don't remember where I got it
from)
- linux-2.4.18.tar (from www.kernel.org or from one of the mirrors)
- John Newbigin's 'ensure_link_is_safe' samba patch (from
http://uranus.it.swin.edu.au/~jn/linux/smbfs/samba.diff6)
- John Newbigin's kernel patch
(from http://uranus.it.swin.edu.au/~jn/linux/smbfs/smbfs-cifs8.patch)
2. Server configuration
- I tested my configuration on a stock R.H. Linux 7.2 distribution.
- We should uninstall all the samba packages present on the system:
rpm -qa | grep -i samba
rpm -e .... here the output of the previous command ...
- Now we patch and build our samba binaries:
gzip -d samba-2.2.8a.tar.gz
tar -xf samba-2.2.8a.tar
cp samba.diff6 samba-2.2.8a
cd samba-2.2.8a
patch -p0 < samba.diff6
cd source
./configure
make
make install (by default the samba binaries and configuration files
install under the '/usr/local/samba' directory)
- then we create the samba configuration file
'/usr/local/samba/lib/smb.conf'. Below is the configuration file that I
use on the server.
------------------------------------------------------------------
#============== Global Settings ==========
[global]
netbios name = sc
workgroup = ADMN
server string = Samba ADMN PDC (sc)
name resolve order = host
dns proxy = no
os level = 65
preferred master = yes
domain master = yes
local master = yes
security = user
encrypt passwords = yes
smb passwd file = /usr/local/samba/lib/smbpasswd
add user script = /usr/sbin/useradd -d /dev/null -g 2000 -s /bin/false -M %u
restrict anonymous = no
admin users = root
domain admin group = root
domain logons = yes
follow symlinks = yes
wide links = yes
load printers = no
client code page = 852
log file = /usr/local/samba/var/%m.log
max log size = 0
unix extensions = yes
map archive = no
delete readonly = yes
create mask = 0755
case sensitive = yes
#========== Share Definitions ============
[netlogon]
comment = Netlogon service
path = /usr/local/samba/netlogon
read only = yes
write list = root
create mask = 0640
directory mode = 0750
browseable = no
[homes]
comment = Users` home directories - ADMN domain
writable = yes
create mask = 0640
directory mode = 0750
valid users = %S
invalid users = root
------------------------------------------------------------------
- create directories and files necessary for that setup to work:
mkdir /usr/local/samba/netlogon
touch /usr/local/samba/lib/smbpasswd (u=g=root,600)
- create the samba start/stop script '/etc/init.d/samba.server'
(u=g=root,755). Below is the one that I use:
------------------------------------------------------------------
#!/bin/sh
#ident "@(#)samba.server 1.0 96/06/19 TK" /* SVr4.0 1.1.13.1*/
#
# Please send info on modifications to knuutila at cs.utu.fi
#
# This file should have uid root, gid sys and chmod 744
#
if [ ! -d /usr/bin ]
then    # /usr not mounted
    exit
fi

killproc() {    # kill the named process(es)
    pid=`/bin/ps -e |
        /bin/grep -w $1 |
        /bin/sed -e 's/^ *//' -e 's/ .*//'`
    [ "$pid" != "" ] && kill $pid
}

# Start/stop processes required for samba server
case "$1" in
'start')
    #
    # Edit these lines to suit your installation (paths, workgroup, host)
    #
    /usr/local/samba/bin/smbd -D -s/usr/local/samba/lib/smb.conf
    /usr/local/samba/bin/nmbd -D -l/usr/local/samba/var -s/usr/local/samba/lib/smb.conf
    ;;
'stop')
    killproc nmbd
    killproc smbd
    ;;
*)
    echo "Usage: /etc/init.d/samba.server { start | stop }"
    ;;
esac
------------------------------------------------------------------
- start samba: /etc/init.d/samba.server start
- add at least 2 users to the samba users' database (they must be present in
'/etc/passwd'):
/usr/local/samba/bin/smbpasswd -a root (give this root user a password
different from the one your "regular" root user has. This is for security
reasons.)
/usr/local/samba/bin/smbpasswd -a test1
- On the server I left the production kernel untouched.
3. Client configuration
- uncompress the kernel sources and patch them with John Newbigin's
kernel patch. Remember to configure the kernel with smbfs support
as well as the appropriate ethernet card driver etc...:
mv smbfs-cifs8.patch /usr/src/linux...
cd /usr/src/linux...
patch -p1 < smbfs-cifs8.patch
- compile and install the new kernel and then reboot.
- compile and install samba exactly as you did on the server (but
do not start it yet) with two exceptions: run the 'configure' script with
the options '--with-winbind' and '--with-winbind-auth-challenge'. The second
exception is a different configuration file, which is below:
------------------------------------------------------------------
[global]
workgroup = ADMN
server string = Samba client
load printers = no
log file = /usr/local/samba/var/%m.log
max log size = 0
security = domain
password server = sc
encrypt passwords = yes
smb passwd file = /usr/local/samba/lib/smbpasswd
dns proxy = no
name resolve order = host
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/home_directories
template shell = /bin/bash
------------------------------------------------------------------
- configure nsswitch and the winbind libraries.
'/etc/nsswitch.conf' should contain the following lines:
-----------------------------------------
passwd: files winbind
shadow: files
group: files winbind
----------------------------------------
cd ...samba-2.2.8a/source/nsswitch
cp libnss_winbind.so /lib
chmod 755 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
- join the samba client to the samba server domain:
/usr/local/samba/bin/smbpasswd -j ADMN -r sc -U root
- start up samba and winbind:
/etc/init.d/samba.server start
/usr/local/samba/bin/winbindd (you need to prepare the winbind start-up
script by yourself)
- configure winbind and PAM
cd ...samba-2.2.8a/source
make nsswitch/pam_winbind.so
cp nsswitch/pam_winbind.so /lib/security
chmod 755 /lib/security/pam_winbind.so
- compile and install pam_mount:
gzip -d pam_mount.tar.gz
tar -xf pam_mount.tar
cd pam_mount-0.9.2
./configure; make; make install
cp config/pam_mount.conf /etc/security
- edit /etc/security/pam_mount.conf. My '/etc/security/pam_mount.conf'
contains the following volume configuration line:
---------------------------------------------------------------------
volume * smb cs homes /home/home_directories uid=&,gid=zpk - -
---------------------------------------------------------------------
The options uid and gid are meaningless when unix extensions are enabled
on the server, but I left them here.
- configure the KDE login to work with PAM. Edit /etc/pam.d/kde like this:
---------------------------------------------------------------------
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth required pam_pwdb.so use_first_pass shadow nullok
account required pam_winbind.so
auth required /usr/lib/security/pam_mount.so
password required pam_cracklib.so type=user retry=3
password required pam_pwdb.so use_authtok
session required pam_pwdb.so
session optional /usr/lib/security/pam_mount.so
---------------------------------------------------------------------
- it is also necessary to install two original Red Hat 7.2 samba packages,
samba-common-2.2.1a-4.i386.rpm and samba-client-2.2.1a-4.i386.rpm.
samba-client-2.2.1a-4.i386.rpm contains the utilities that enable the 'mount -t
smbfs...' command to work; samba-common... is installed due to
dependency requirements. After you install these you should copy
'/usr/local/samba/lib/smb.conf' over to '/etc/samba/smb.conf', where the
original samba utilities expect to find it (I guess that a much better
idea than building samba from tarball sources would be to download the Red
Hat 9.0 samba-2.2.7a source packages and make our own patched binary packages).
As a result of this configuration you should be able to log in via a graphical
login screen into KDE or GNOME with the 'test1' user that exists only on the
samba server (you do not create it on the client - the client is aware of that
user's existence because winbind is being used); however, there is a problem.
As samba now carries information about uids and gids (files and directories on
samba shares have the uids and gids of users on the server), users who log in
in this manner do not own their home directories, because their uids and gids
on the client are different from those on the server - winbind maps the uids
and gids user 'test1' has on the server to those he has on the client randomly
(you can see it when you issue the command 'getent passwd') - and this is the
fundamental reason why this whole setup does not work properly. I personally
decided to go the Xfce way (a fast and robust window manager). Xfce does not
create symbolic links in the user's home directory, so I can disable 'unix
extensions' on the samba server, and the 'gid' and 'uid' options to the mount
command (the volume line in /etc/security/pam_mount.conf) then function
properly, that is, files and directories on the samba shares are owned by
arbitrarily specified uids and gids, which can be the uid and gid the test1
user has on the client. It seems that it would be useful to redesign the 'unix
extensions' samba feature in a way that would still allow symbolic links to be
created on samba shares (a requirement for KDE) and simultaneously retain the
aforementioned functionality of the 'uid' and 'gid' options to the mount
command. I'm planning to start a discussion on that subject on the
samba-technical mailing list quite soon.
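To spot the uid mismatch described above before a user finds himself locked out of his own home directory, here is a small check script. It is an added example, not part of the original post; it assumes passwd data in getent(1) format, the mount point /home/home_directories from the pam_mount.conf volume line, and the user name test1 from the setup above.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the uid that
# winbind allocated to a domain user on the client matches the owner uid
# of that user's mounted home directory. With 'unix extensions = yes' the
# share reports the server-side uid, so a mismatch means the user does not
# own his home directory (the fundamental problem described above).
# Assumptions: passwd data in getent(1) format, the pam_mount mount point
# /home/home_directories, and a share already mounted there.

# uid_of USER : print the uid of USER from passwd-format lines on stdin
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }'
}

# check_mapping USER PASSWD_DATA OWNER_UID
#   returns 0 = client uid equals the owner uid of the home directory
#           1 = mismatch (winbind picked a uid other than the server's)
#           2 = USER cannot be resolved at all (winbindd / nsswitch problem)
check_mapping() {
    user=$1
    client_uid=$(printf '%s\n' "$2" | uid_of "$user")
    if [ -z "$client_uid" ]; then
        echo "$user: not resolvable - is winbindd running, nsswitch.conf set?" >&2
        return 2
    fi
    if [ "$client_uid" != "$3" ]; then
        echo "$user: client uid $client_uid, but home owned by uid $3" >&2
        return 1
    fi
    echo "$user: uid $client_uid matches the home directory owner"
    return 0
}

# Live check, run only where the pam_mount mount point exists.
# 'ls -ldn' is used instead of stat(1) so it works on an old RH 7.2 box.
home=/home/home_directories
if [ -d "$home" ]; then
    owner=$(ls -ldn "$home" | awk '{ print $3 }')
    check_mapping "${1:-test1}" "$(getent passwd)" "$owner" \
        || echo "check failed with status $?" >&2
fi
```

Run it as root on the client right after a test login; status 1 is the winbind-allocated-uid problem, status 2 means the client cannot even resolve the domain user.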
This description (and the whole setup) is somewhat rough and might be
inaccurate and incomplete in some places, but I believe it points people who
might be interested in the setup in question in the right direction and
highlights problems that will certainly appear.
I'd especially like to thank the following people who answered my query
for their help and support (order is random):
cj at itonsite.com.au (I don't have the name, sorry :) )
Andrew Bartlett abartlet at samba.org
Buchan Milne <bgmilne at cae.co.za>
Ryan McConigley <ryan at csse.uwa.edu.au>
Steven French <sfrench at us.ibm.com>
John Newbigin <jn at it.swin.edu.au>
Best regards
Przemyslaw Tokarski
Lodz, Poland