[Samba] SUSE 9.3 Winbind+ PAM+AD
Guille
guillemw at hotmail.com
Wed Jul 13 06:07:29 GMT 2005
Hi Anthony,
Well, I will try and give you my quick and dirty setup for FC3. The
procedure should work with FC4 as well. I don't trust the Samba build Fedora
included with FC4 just yet because of output garbage I received on a
production server while joining the domain. Although the join was
successful, I was troubled by the message.
While I have been able to figure out some of the problems I have had in the
past, I still feel I am a semi-newbie at this stuff. So those who read this
please don't flame me if I am opening up holes in security or making some
other mistake.
My basic setup...
Windows 2000 Server running in Native mode I think (it has been a while).
Fedora core 3, Samba 3.0.14a running in ADS mode with Kerberos, and Pam for
automatic home directory creation.
I am assuming you already have Samba (FC4: client, common, swat, samba) installed,
so....
Step 1 (Most likely accomplished)
Open the firewall ports tcp 139 & 445, udp 137 & 138, and include the
Windows server in your host file for proper name resolution.
Step 2 (Skip if you choose Server = Domain)
Configure Kerberos
Edit the following files: /etc/krb.conf, /etc/krb.realms, /etc/krb5.conf,
/var/kerberos/krb5kdc/kdc.conf, and modify the example.com/EXAMPLE.COM domain
so that they match your Kerberos realm and server. You may only have to
modify krb5.conf and kdc.conf for Kerberos to work properly.
Step 3
Edit /etc/nsswitch.conf and add winbind to passwd and group.
passwd: files winbind
shadow: files
group: files winbind
Step 4
Modify pam.d files
/etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
/etc/pam.d/samba
auth required /lib/security/pam_stack.so service=system-auth
# Automatic Home Directory Creation
session sufficient /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
Step 5
Edit smb.conf
[global]
workgroup = (Enter Windows Workgroup Name)
realm = (Enter REALM.NAME in caps)
server string = Samba Server
security = ADS
# Had to use No after Windows 2004 SP4 Rollup
client schannel = No
obey pam restrictions = Yes
password server = (Enter Windows server FQDN)
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
logon path =
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
winbind use default domain = Yes
admin users = "@Domain Admins"
write list = "@Domain Admins"
cups options = raw
[homes]
comment = Home Directories
path = /home/%U
read only = No
create mask = 0760
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
Step 6
Watch out for SELinux!!!
For testing purposes, go to console and > setenforce 0
This will disable SELinux (if enabled) for the time being so that the
winbind transactions aren't blocked. setenforce 1 to restart SELinux
protection. To permanently allow the winbind transactions, use the Security
Level program in Gnome/KDE and check the winbind_disable_trans setting.
Step 7
Join the Domain
net ads join -U Administrator
net join -U Administrator (if Server = Domain)
Step 8
Start smbd nmbd and winbindd
Step 9
If all went well you have successfully joined the Windows domain.
Test access to accounts
wbinfo -t
checking the trust secret via RPC calls succeeded (This is GOOD)
wbinfo -u
Should spew out usernames in Windows
wbinfo -g
Should spew out groups in Windows
In the past I have needed to restart the Windows server at least once after
joining for it to allow lookups (Don't know why???).
Step 10
This is where Windows gets involved.
Make sure you add the linux host as a DNS entry in the Windows server.
Restart DNS.
Create a new user or modify a current user in AD for testing purposes and
change the Home Directory, eg. H: \\linux\home (probably not necessary
though).
Next, login with the username on a Windows 2K/XP Workstation that has
previously joined the domain. See if the share appears while browsing the
linux server, eg. \\linux\fred
My AD config is a bit more involved, as I use group policy, netlogon, and
such for control and mounts. All that info is way out of the scope of this
email so I won't go into that here.
Hopefully this helps. I am not an expert, but if you run into a problem that
I have seen before I might be able to help out.
Guille
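An added example, not part of Guille's post: a small offline checker for the smb.conf and PAM settings from Steps 4 and 5. The function names are mine, and the two files it inspects are constructed copies of the snippets above (written to a temp directory), so nothing here needs a domain or a running winbindd.

```shell
# Added example (not from the original post): offline sanity and hardening
# checks for the smb.conf and PAM settings in Steps 4 and 5, run on constructed copies.
# make_samples DIR: write constructed copies of system-auth and smb.conf into DIR
make_samples() {
    cat > "$1/system-auth" <<'EOF'
auth sufficient /lib/security/$ISA/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
session sufficient /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
    security = ADS
    realm = (Enter REALM.NAME in caps)
    idmap uid = 10000-20000
    idmap gid = 10000-20000
EOF
}
# smb_get FILE KEY: value of KEY, lower-cased, with inline "(notes)" stripped
smb_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*[#;(].*$//' | tr 'A-Z' 'a-z'
}
# check_smbconf FILE: security must be ADS, realm must be filled in (not the
# placeholder), idmap uid/gid ranges must match. Returns 1 on any failure.
check_smbconf() {
    rc=0
    [ "$(smb_get "$1" security)" = ads ] || { echo "security is not ADS"; rc=1; }
    [ -n "$(smb_get "$1" realm)" ] || { echo "realm is empty or a placeholder"; rc=1; }
    [ "$(smb_get "$1" 'idmap uid')" = "$(smb_get "$1" 'idmap gid')" ] \
        || { echo "idmap uid and gid ranges differ"; rc=1; }
    return $rc
}
# audit_pam FILE: count hardening findings: pam_unix 'nullok' accepts empty
# passwords; a pam_mkhomedir umask not ending in 77 leaves new homes readable by others.
audit_pam() {
    n=0
    grep -Eq 'pam_unix\.so.*nullok' "$1" && { echo "nullok: empty passwords accepted"; n=$((n+1)); }
    u=$(sed -n 's/.*pam_mkhomedir\.so.*umask=\([0-7]*\).*/\1/p' "$1")
    case "$u" in
        ""|*77) ;;   # no pam_mkhomedir line, or owner-only umask: fine
        *) echo "mkhomedir umask=$u: new homes readable by others"; n=$((n+1)) ;;
    esac
    return $n
}
d=$(mktemp -d); make_samples "$d"
check_smbconf "$d/smb.conf" || echo "smb.conf: fix the items above"
audit_pam "$d/system-auth" && echo "pam: no findings" || echo "pam: $? finding(s)"
rm -rf "$d"
```

Point the functions at the real /etc/pam.d/system-auth and /etc/samba/smb.conf once the placeholders are filled in; the constructed copies above report the placeholder realm and two PAM findings.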
-----Original Message-----
From: Anthony PEROT - Generation Unix [mailto:apero at generation-unix.net]
Sent: Tuesday, July 12, 2005 5:47 AM
To: Guille
Subject: RE: [Samba] SUSE 9.3 Winbind+ PAM+AD
Hi,
I'm running a few workstations on FC4 and I would like to find a way to
use AD user accounts and groups instead of local users. Could you give me
your procedure?
Thanks
Anthony