[Samba] Samba PDC linux authentication

John H Terpstra jht at samba.org
Mon Jan 16 03:40:56 GMT 2006

On Sunday 15 January 2006 19:58, Philip Washington wrote:
> John H Terpstra wrote:
> >On Sunday 15 January 2006 09:52, Philip Washington wrote:
> >>I have set up a Samba PDC and am trying to get my linux computers to use
> >>the PDC for authentication.  So far using Suse 10 or RHEL4 I have not
> >>been able to accomplish this.  I have been searching for 2 days looking
> >>for the information or the right combination of information and have
> >>not come up with a solution.   Does anyone here know of a howto which
> >>shows a setup for a linux desktop which can use a Samba PDC  so that
> >>users in a Domain can use their same logins to login to a linux desktop.
> >
> >Have you checked chapter 7, section If you have, what problems
> > are you experiencing? I'd really like to make sure that our documentation
> > is correct, so your help would be appreciated.
> >
> >http://www.samba.org/samba/docs/Samba3-ByExample.pdf
> >
> >- John T.
> Duh.  I bought the book but I didn't remember that part.    I went to
> the samba displayed in html form and checked the link and could have
> sworn it took me to the ADS portion.    Well nevermind this part, I just
> didn't pick up the book and look through it.

Ah, I do that too sometimes.

> Okay what I accomplished today is getting the logins working via console
> and gdm xdm.


> Things I found that may need correcting
> The html page when clicking on the link points you to a file that
> references ldap.
> passwd:   files ldap
> shadow:   files ldap
> group: files ldap
> I may be mistaken but I believe that for winbind configuration you need
> winbind instead of ldap here.  I started with a straight Suse 10 setup

Correct. If you use winbind to resolve user and group IDs it is necessary to 
specify that to NSS.

passwd: compat winbind
group: compat winbind


passwd: files winbind
shadow: files winbind
group: files winbind

The first uses the unix2 NSS module, the latter uses the library that makes 
direct files access.

If your PDC is on UNIX, why use winbind? It's much more scalable and reliable 
to just use LDAP.

> with the files needed (I believe).  I used Yast2 for my initial
> configuration and that didn't work.  So I borrowed from your book and
> made some adjustments to the original files based on that.  I still have
> some problems but a domain user can now logon.
> Problems I still have that I know of:
> 1) Users when logging in.  System does not create a home directory for
> them if it's their first time to login.  I think there is a PAM module
> or something like that, that might help, by getting and using their home
> directories from the file server.  If someone has a better idea and/or
> sees the mistake I made causing this  please  post.

You need to call the pam_mkhomedir module to auto-create the users' home 
directory. Alternately, if the home directories are on a UNIX server, just 
NFS mount the homes directly - this is often more convenient.

> 2) Once a user logs in , they cannot browse the  network using the
> desktop application on Suse.  They can see Samba servers and shares, but
> when they click on a share they can't login.  Could something in the
> smb.conf file have done this?  I haven't looked at the Samba PDC logs,
> but I looked at the file server logs and saw no changes there, like my
> computer didn't exist.

That is all a matter of how the user is authenticated. Did you create a 
directory at the root of the user's home called ".smb"?

Did you put inside it a file called "smb.conf" with the following contents:

	workgroup = "your_workgroup_name"

This file can override the main smb.conf file. Refer to the libsmbclient man 
page for more info.

Also, you can specify as the URL:

So for the domain MIDEARTH, user = jht, password = urnuts, server = FRODO, 
share = archives, the following URL will get you connected as the specified 


> Here are my configuration files.
> nsswitch.conf--------------------------------------------------------------
> passwd: compat winbind
> group:  compat winbind
> hosts:  files dns
> networks:       files dns
> services:       files
> protocols:      files
> rpc:    files
> ethers: files
> netmasks:       files
> netgroup:       files
> publickey:      files
> bootparams:     files
> automount:      files nis
> aliases:        files
> smb.conf
> ---------------------------------------------------------------------
> # I modified the idmaps to match what is on my Samba PDC
> #
> [global]
>         workgroup = DOMTEST
>         printing = cups
>         security = domain
>         netbios name = WRKSTN
>         log level = 1
>         syslog = 0
>         log file = /var/log/samba/%m
>         smb ports = 139
>         name resolve order = wins bcast hosts
>         printcap name = cups
>         printcap cache time = 750
>         cups options = raw
>         map to guest = Bad User

Do you really want an illegal username to gain access as the guest account?

>         idmap gid = 16777216-33554431
>         idmap uid = 16777216-33554431
>         template primary group = "Domain Users"
>         template shell = /bin/bash
>         winbind separator = +
>         hosts allow = 192.168.5.,127.
> --------------------------------------------------------------------
> Okay here is where there is a slight deviation from the Samba3-examples
> (very slight, I think)
> [For those following along, if you're logged into X to make changes to
> the pam.d file: make changes to your pam.d file, save them, then hit
> Ctrl-Alt-F1 or Ctrl-Alt-F2, which will take you to a console screen.
> Once you are there make sure you can log in as root.  Hit Ctrl-Alt-F7 to
> get back to the X window.  If you are ssh'd into the system, create
> another ssh session before you start or try to make sure you can log in
> as root via ssh, before logging out of your current session.]  Whatever
> you do don't directly copy these files onto your system.  Look at
> Samba3-examples and understand the differences here and change at your
> own risk
> ------------------------------------------------------------------------
> /etc/pam.d/login
> #%PAM-1.0
> auth     required       pam_securetty.so
> auth     include        common-auth
> auth     required       pam_nologin.so
> auth     required       pam_mail.so
> account  include        common-account
> password include        common-password
> session  include        common-session
> session  required       pam_resmgr.so
> ---------------------------------------------------------------------------
> /etc/pam.d/common-auth
> auth    sufficient      pam_unix2.so    nullok
> auth    sufficient      pam_winbind.so use_first_pass use_authtok
> auth    required        pam_env.so
> #auth   required        pam_unix2.so
> ---------------------------------------------------------------------------
> /etc/pam.d/common-account
> #
> #account        required        pam_unix2.so
> account sufficient      pam_unix2.so
> account sufficient      pam_winbind.so use_first_pass use_authtok
> ---------------------------------------------------------------------------
> /etc/pam.d/common-passwd
> password required       pam_pwcheck.so  nullok
> password sufficient     pam_winbind.so  use_first_pass use_authtok
> password required       pam_unix2.so    nullok use_first_pass use_authtok
> #password required      pam_make.so     /var/yp
> ---------------------------------------------------------------------------
> /etc/pam.d/common-session
> #
> #account        required        pam_unix2.so
> account sufficient      pam_unix2.so
> account sufficient      pam_winbind.so use_first_pass use_authtok
> ---------------------------------------------------------------------------
> Basically the changes were using an include file and you don't
> have to edit /etc/pam.d/gdm,
> /etc/pam.d/xdm or /etc/pam.d/login, just the common-* files.  You can
> look at it as a way of setting up everything at once or screwing up
> everything at once :-).
> So I'll still continue to work on my issues noted and find some more,
> then work on RHEL and then circle back and try to do LDAP authentication
> through the ldap server on the SambaPDC.   I started with winbind
> because after looking around it seemed that it might be the easiest to
> configure and I need to get these desktops up pretty quick.

- John T.
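The three points raised in this exchange (NSS must list winbind on the passwd and group lines, pam_mkhomedir must sit in the PAM session stack for home directories to be created at first login, and "map to guest = Bad User" hands unknown usernames the guest account) can be checked mechanically before a desktop is rolled out. The script below is an added example, not part of the original thread or of the Samba documentation; the sample configuration files it writes to a temporary directory are constructed for the demonstration and only loosely mirror what was posted above. The pam_mkhomedir options skel= and umask= are standard options of that module; everything else the script assumes is plain grep over the files.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the NSS, PAM session
# and smb.conf settings discussed above. Functions take file paths as
# arguments; the sample files further down are constructed for this demo.

# nss_uses_winbind FILE DB: succeeds if the "DB:" line in FILE lists winbind.
nss_uses_winbind() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qw winbind
}

# pam_has_module FILE TYPE MODULE: succeeds if an active (uncommented) line
# of the management group TYPE (auth/account/password/session) names MODULE.
pam_has_module() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | grep -q "$3"
}

# smb_maps_bad_user FILE: succeeds if "map to guest = Bad User" is set,
# i.e. a login with an unknown username is treated as the guest account.
smb_maps_bad_user() {
    grep -iqE '^[[:space:]]*map[[:space:]]+to[[:space:]]+guest[[:space:]]*=[[:space:]]*bad[[:space:]]+user' "$1"
}

# audit_dir DIR: reports findings on stderr and prints the finding count on
# stdout. DIR must contain nsswitch.conf, common-session and smb.conf.
audit_dir() {
    n=0
    for db in passwd group; do
        if ! nss_uses_winbind "$1/nsswitch.conf" "$db"; then
            echo "FINDING: nsswitch.conf '$db' line does not list winbind" >&2
            n=$((n + 1))
        fi
    done
    if ! pam_has_module "$1/common-session" session pam_mkhomedir; then
        echo "FINDING: no session entry for pam_mkhomedir; home dirs are not created at first login" >&2
        n=$((n + 1))
    fi
    if smb_maps_bad_user "$1/smb.conf"; then
        echo "FINDING: smb.conf maps unknown usernames to the guest account" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample set 1: winbind in NSS, but no pam_mkhomedir and
# "map to guest = Bad User" (the two problems discussed in the thread).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/nsswitch.conf" <<'EOF'
passwd: compat winbind
group:  compat winbind
hosts:  files dns
EOF
cat > "$SAMPLE/common-session" <<'EOF'
session required pam_limits.so
session required pam_unix2.so
EOF
cat > "$SAMPLE/smb.conf" <<'EOF'
[global]
        workgroup = DOMTEST
        security = domain
        map to guest = Bad User
EOF

# Constructed sample set 2: same NSS, pam_mkhomedir added to the session
# stack, and "map to guest" left at its default (Never) by not setting it.
FIXED=$(mktemp -d)
cp "$SAMPLE/nsswitch.conf" "$FIXED/nsswitch.conf"
cat > "$FIXED/common-session" <<'EOF'
session required pam_limits.so
session required pam_unix2.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
cat > "$FIXED/smb.conf" <<'EOF'
[global]
        workgroup = DOMTEST
        security = domain
EOF

echo "Findings in sample config:    $(audit_dir "$SAMPLE")"
echo "Findings in corrected config: $(audit_dir "$FIXED")"
```

To run it against a real workstation, point audit_dir at a directory holding copies of /etc/nsswitch.conf, /etc/pam.d/common-session and /etc/samba/smb.conf; the checks are deliberately read-only so they can be run from an unprivileged shell on a machine that is already misbehaving.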
