[Samba] linux auth against SAMBA PDC

Asier Baranguán abaranguan at elpagestion.com
Wed Jan 3 11:18:19 GMT 2007


El Martes, 2 de Enero de 2007 20:44, Jason Greene escribió:

> Wants:
> Linux server with Samba as the PDC
> Windows 2k and XP workstations are on the Samba domain and authenticate
> all users with the Samba PDC.
> Migrate Windows workstations to Linux (ubuntu) workstations and have
> them authenticate all users against the Samba PDC and mount all
> necessary shares (just like the windows PCs did)
>
>
> Can someone point me to a good Howto on this or tell me how to
> accomplish this?

I've used the idealx howto and some other documents collected from the web 
to accomplish this.

This is a quick HOWTO, written without testing. On your linux machines you 
must do this:

PDC
---
Install an NFS server on the PDC. I use unfs3d, a user-space NFS server that 
suits my needs and works well with VServers. Adjust /etc/exports to match the 
homes of your users:

root at pdc # cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See unfsd(8).
/home/samba/users   192.168.1.0/24(rw,fixed,no_root_squash)
# === END ===

And restart your NFS server:

root at pdc # invoke-rc.d unfs3 restart

In the linux clients
--------------------
The kernel in your clients must have the automounter v4 compiled in or available 
as a module. Install the autofs package and configure it:

root at client # cat /etc/auto.master
# /etc/auto.master
#
/home/samba/users   /etc/auto.home --timeout 600
# === END ===

root at client # cat /etc/auto.home
# /etc/auto.home
#
# Only one line!
*       -tcp,nfsvers=3,mountport=2049,port=2049,nolock,intr,rsize=16384,wsize=16384        pdc.mydomain.com:/home/samba/users/&
# === END ===

root at client # invoke-rc.d autofs restart

(My /etc/auto.home line is so long because I don't use portmap.) There are people 
who put the autofs data in LDAP, but right now I prefer to have it in the 
files.

Now install the libpam-cracklib (if used), libnss-ldap and libpam-ldap packages. I 
use Debian, but I suppose the packages will be the same in Ubuntu. Copy the 
following files from the PDC to the clients using scp:

root at pdc # scp /etc/pam.d/common-* <linux_client>:/etc/pam.d/
[ ... ]

root at pdc # scp /etc/ldap/ldap.conf <linux_client>:/etc/ldap/
[ ... ]

Normally you only have to edit the URI or HOST parameter and put the IP or DNS 
name of your LDAP server there. I also remove the ROOTBINDDN directive (and the 
/etc/ldap.secret file) from the files because it's only needed if you want to 
change a user's password on the client machine using the root account, and you 
can do that from the PDC.

root at client # cat /etc/ldap/ldap.conf
# /etc/ldap/ldap.conf - Default settings for LDAP clients
# Modified by Asier, 2006-11-22 - see ldap.conf(5) for details
#
# chmod 644 /etc/ldap/ldap.conf
ldap_version 3

###
### Common settings for LDAP
###
URI         ldap://ldapserver.mydomain.com/
BASE        dc=example,dc=com
TIMELIMIT   5

###
### TLS stuff
###
SSL             start_tls
TLS_CACERT      /etc/ldap/ssl/cert/ca.pem
TLS_CHECKPEER   no
TLS_REQCERT     allow

###
### Settings for libpam-ldap  (/etc/pam_ldap.conf)
###
pam_filter           objectclass=posixAccount
pam_password         exop
pam_login_attribute  uid
pam_member_attribute memberUid

###
### Setting for NSS (/etc/libnss-ldap.conf)
###
scope           one
bind_timelimit  5
nss_base_passwd ou=Users,dc=example,dc=com?one
nss_base_passwd ou=Computers,dc=example,dc=com?one
nss_base_shadow ou=Users,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one
# === END ===

For convenience I use the same file for LDAP, PAM and NSS:

root at client # pwd
/etc/
root at client # ln -sf ldap/ldap.conf libnss-ldap.conf
root at client # ln -sf ldap/ldap.conf pam_ldap.conf

Last, adjust /etc/nsswitch.conf (or copy it from the PDC; the settings will be 
very similar, if not the same):

root at pdc # scp /etc/nsswitch.conf <linux_client>:/etc/
[ ... ]

Restart some services on the client:

root at client # invoke-rc.d ssh restart
root at client # invoke-rc.d autofs restart

It's done. Now you should be able to login with ssh in the clients using 
-- 
Asier.
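Added example, not part of Asier's message or the idealx HOWTO: a POSIX shell audit of the two files the HOWTO has you write, the /etc/exports on the PDC and the merged /etc/ldap/ldap.conf on the clients, that flags the settings a security reviewer would stop at (no_root_squash on a subnet-wide export, TLS_CHECKPEER no and TLS_REQCERT allow, which together let a StartTLS session be intercepted, and any ROOTBINDDN left on a workstation) and prints hardened copies. The sample files it runs on with no arguments are constructed to mirror the post; the ROOTBINDDN value cn=admin,dc=example,dc=com in the sample is made up to show the removal the post does by hand.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the /etc/exports and
# the merged /etc/ldap/ldap.conf from the HOWTO for settings a security
# reviewer would flag, and print hardened copies. Findings are one per line,
# "file:line: message". Usage: audit_config.sh [exports ldap.conf]; with no
# arguments it runs on constructed samples that mirror the post.

# Flag exports that let client root act as root on the server, and client
# specs that are a whole subnet or a wildcard: with AUTH_SYS (what the
# NFSv3 setup in the post uses) every host in the range is trusted to
# assert any uid, so the trust boundary is the LAN, not the user.
audit_exports() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        for (i = 2; i <= NF; i++) {
            n = split($i, p, "(")
            client = p[1]; opts = (n > 1) ? p[2] : ""
            if (opts ~ /no_root_squash/)
                printf "%s:%d: %s to %s: no_root_squash, root on any client is root on the export\n",
                       FILENAME, FNR, $1, client
            if (client == "" || client ~ /\*/ || client ~ /\/[0-9.]+$/)
                printf "%s:%d: %s to %s: whole network trusted to assert any uid (AUTH_SYS)\n",
                       FILENAME, FNR, $1, client
        }
    }' "$1"
}

# Flag cleartext LDAP, certificate checks turned off on either the libldap
# side (TLS_REQCERT) or the pam_ldap/nss_ldap side (TLS_CHECKPEER), and a
# ROOTBINDDN, whose password would sit in /etc/ldap.secret on the client.
# Keys are matched case-insensitively, as the libraries do.
audit_ldap_conf() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    { key = tolower($1); val = tolower($2) }
    key == "uri"           { uri = val; uri_ln = FNR }
    key == "ssl"           { ssl = val }
    key == "tls_reqcert"   { reqcert = val; reqcert_ln = FNR }
    key == "tls_checkpeer" { checkpeer = val; checkpeer_ln = FNR }
    key == "rootbinddn"    { rootbind_ln = FNR }
    END {
        if (uri ~ /^ldap:/ && ssl != "start_tls")
            printf "%s:%d: ldap:// without ssl start_tls, binds cross the wire in clear text\n", FILENAME, uri_ln
        if (reqcert != "" && reqcert != "demand" && reqcert != "hard")
            printf "%s:%d: TLS_REQCERT %s, a bad or missing server certificate is accepted, StartTLS can be intercepted\n", FILENAME, reqcert_ln, reqcert
        if (checkpeer == "no")
            printf "%s:%d: TLS_CHECKPEER no, pam_ldap/nss_ldap skip server certificate verification\n", FILENAME, checkpeer_ln
        if (rootbind_ln)
            printf "%s:%d: ROOTBINDDN present, the directory admin password in /etc/ldap.secret lives on this client\n", FILENAME, rootbind_ln
    }' "$1"
}

# Hardened copies: verify the server certificate on both sides, drop the
# admin bind (the post removes ROOTBINDDN by hand), and squash client root.
harden_ldap_conf() {
    awk '
    { key = tolower($1) }
    key == "tls_reqcert"   { $2 = "demand" }
    key == "tls_checkpeer" { $2 = "yes" }
    key == "rootbinddn"    { next }
    { print }' "$1"
}
harden_exports() { sed 's/no_root_squash/root_squash/g' "$1"; }

# Number of findings an audit function produces for a file.
nfindings() { "$@" | awk 'END { print NR }'; }

# Constructed samples mirroring the HOWTO (the ROOTBINDDN value is invented).
write_samples() {
cat > "$1/exports" <<'EOF'
# constructed to mirror the HOWTO's /etc/exports on the PDC
/home/samba/users   192.168.1.0/24(rw,fixed,no_root_squash)
EOF
cat > "$1/ldap.conf" <<'EOF'
# constructed to mirror the HOWTO's merged ldap.conf, before the admin bind is dropped
ldap_version 3
URI         ldap://ldapserver.mydomain.com/
BASE        dc=example,dc=com
ROOTBINDDN  cn=admin,dc=example,dc=com
SSL             start_tls
TLS_CACERT      /etc/ldap/ssl/cert/ca.pem
TLS_CHECKPEER   no
TLS_REQCERT     allow
pam_password    exop
nss_base_passwd ou=Users,dc=example,dc=com?one
EOF
}

if [ $# -eq 2 ]; then
    audit_exports "$1"; audit_ldap_conf "$2"
else
    d=$(mktemp -d); write_samples "$d"
    echo "== findings =="; audit_exports "$d/exports"; audit_ldap_conf "$d/ldap.conf"
    echo "== hardened ldap.conf =="; harden_ldap_conf "$d/ldap.conf"
    echo "== hardened exports =="; harden_exports "$d/exports"
    rm -r "$d"
fi
```

Run it with the real paths (`sh audit_config.sh /etc/exports /etc/ldap/ldap.conf`) on the PDC and on a client; an empty output is a pass. TLS_REQCERT demand makes libldap abort the StartTLS handshake on an unverifiable certificate, and TLS_CHECKPEER yes makes pam_ldap and nss_ldap check the server certificate against the CA given in TLS_CACERT, so the CA file must actually be present on every client. root_squash is the right default for a home-directory export; if root on a client genuinely must write there, export to named hosts rather than the whole /24, since with AUTH_SYS the subnet is the entire trust boundary.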

