[Samba] linux auth against SAMBA PDC
Asier Baranguán
abaranguan at elpagestion.com
Wed Jan 3 11:18:19 GMT 2007
On Tuesday, 2 January 2007 20:44, Jason Greene wrote:
> Wants:
> Linux server with Samba as the PDC
> Windows 2k and XP workstations are on the Samba domain and authenticate
> all users with the Samba PDC.
> Migrate Windows workstations to Linux (ubuntu) workstations and have
> them authenticate all users against the Samba PDC and mount all
> necessary shares (just like the windows PCs did)
>
>
> Can someone point me to a good Howto on this or tell me how to
> accomplish this?
I've used the idealx howto and some other documents collected through the web
to accomplish this.
This is a quick HOWTO, written without testing. In your linux machines you
must do this:
PDC
---
Install an NFS server in the PDC. I use unfs3d, a user-space NFS server that
suits my needs and works well with VServers. Adjust /etc/exports to match the
homes of your users:
root at pdc # cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See unfsd(8).
/home/samba/users 192.168.1.0/24(rw,fixed,no_root_squash)
# === END ===
And restart your NFS server:
root at pdc # invoke-rc.d unfs3 restart
In the linux clients
--------------------
The kernel in your clients must have the automounter v4 compiled in or available
as a module. Install the autofs package and configure it:
root at client # cat /etc/auto.master
# /etc/auto.master
#
/home/samba/users /etc/auto.home --timeout 600
# === END ===
root at client # cat /etc/auto.home
# /etc/auto.home
#
# Only one line!
* -tcp,nfsvers=3,mountport=2049,port=2049,nolock,intr,rsize=16384,wsize=16384 pdc.mydomain.com:/home/samba/users/&
# === END ===
root at client # invoke-rc.d autofs restart
(My /etc/auto.home line is so long because I don't use portmap.) There are people
who put the autofs data in LDAP, but right now I prefer to have it in the
files.
Now install the libpam-cracklib (if used), libnss-ldap and libpam-ldap packages. I
use Debian, but I suppose in Ubuntu the packages will be the same. Copy the
following files from the PDC to the clients using scp:
root at pdc # scp /etc/pam.d/common-* <linux_client>:/etc/pam.d/
[ ... ]
root at pdc # scp /etc/ldap/ldap.conf <linux_client>:/etc/ldap/
[ ... ]
Normally you only have to edit the URI or HOST parameter and write there the
IP or DNS name of your LDAP server. I also remove the ROOTBINDDN directive
(and the /etc/ldap.secret file) from the files because it's only needed if
you want to change a user's password on the client machine using the root
account, and you can do that from the PDC.
root at client # cat /etc/ldap/ldap.conf
# /etc/ldap/ldap.conf - Default settings for LDAP clients
# Modified by Asier, 2006-11-22 - see ldap.conf(5) for details
#
# chmod 644 /etc/ldap/ldap.conf
ldap_version 3
###
### Common settings for LDAP
###
URI ldap://ldapserver.mydomain.com/
BASE dc=example,dc=com
TIMELIMIT 5
###
### TLS stuff
###
SSL start_tls
TLS_CACERT /etc/ldap/ssl/cert/ca.pem
TLS_CHECKPEER no
TLS_REQCERT allow
###
### Settings for libpam-ldap (/etc/pam_ldap.conf)
###
pam_filter objectclass=posixAccount
pam_password exop
pam_login_attribute uid
pam_member_attribute memberUid
###
### Setting for NSS (/etc/libnss-ldap.conf)
###
scope one
bind_timelimit 5
nss_base_passwd ou=Users,dc=example,dc=com?one
nss_base_passwd ou=Computers,dc=example,dc=com?one
nss_base_shadow ou=Users,dc=example,dc=com?one
nss_base_group ou=Groups,dc=example,dc=com?one
# === END ===
For convenience I use the same file for LDAP, PAM and NSS:
root at client # pwd
/etc/
root at client # ln -sf ldap/ldap.conf libnss-ldap.conf
root at client # ln -sf ldap/ldap.conf pam_ldap.conf
Last, adjust /etc/nsswitch.conf (or copy it from the PDC; the settings
will be very similar, if not the same):
root at pdc # scp /etc/nsswitch.conf <linux_client>:/etc/
[ ... ]
Restart some services in the client:
root at client # invoke-rc.d ssh restart
root at client # invoke-rc.d autofs restart
It's done. Now you should be able to log in with ssh to the clients using
--
Asier.
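As an added check (example code written for this edit, not from Asier's post or from the Samba, unfs3 or autofs projects): a small POSIX shell lint that parses the merged ldap.conf / pam_ldap.conf / libnss-ldap.conf file and the exports list from the HOWTO and flags the settings that weaken server authentication. In the configuration above, `TLS_CACERT` is set but `TLS_REQCERT allow` and `TLS_CHECKPEER no` mean the client does STARTTLS and then accepts whatever certificate it is shown, so the CA file is never enforced and any host that answers on the LDAP server's name can feed the client its own passwd, shadow and group entries. `no_root_squash` in /etc/exports lets root on any client in 192.168.1.0/24 act as root on every user's home. The sample files are constructed here and mirror the post's placeholders (`ldapserver.mydomain.com`, `/home/samba/users`); the linter is general and works on any exports(5)-style entry, not only the one shown.

```sh
#!/bin/sh
# Added example, not part of the original post: lint the merged LDAP client
# configuration and the NFS export list that the HOWTO above sets up, flagging
# settings that let a client trust an unverified LDAP server or let client
# root keep uid 0 on exported homes. All inputs below are constructed samples.

# lint_ldap_conf FILE
# One finding per line for ldap.conf / pam_ldap.conf / libnss-ldap.conf
# keywords that weaken server authentication. Keywords are case-insensitive
# and '#' starts a comment, as in ldap.conf(5).
lint_ldap_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = toupper($1); val = tolower($2) }
        key == "TLS_REQCERT" && (val == "allow" || val == "never" || val == "try") {
            print "TLS_REQCERT " $2 ": a bad or missing server certificate is accepted; use demand"
        }
        key == "TLS_CHECKPEER" && val == "no" {
            print "TLS_CHECKPEER no: pam_ldap/nss_ldap skip the peer certificate check; set yes"
        }
        key == "URI"  { if ($2 ~ /^ldap:\/\//) plain = 1 }
        key == "HOST" { plain = 1 }
        key == "SSL" && (val == "start_tls" || val == "on") { tls = 1 }
        END {
            if (plain && !tls)
                print "plain ldap:// without SSL start_tls: bind passwords cross the network in clear"
        }
    ' "$1"
}

# lint_exports FILE
# Flags exports(5)-style entries that are open to any host or that keep
# no_root_squash, which maps root on a client to root on the exported tree.
lint_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            for (i = 2; i <= NF; i++) {
                split($i, parts, "[(]")      # host(opt,opt) -> host and "opt,opt)"
                host = parts[1]; opts = parts[2]
                sub(/\)$/, "", opts)
                if (host == "" || host == "*")
                    print $1 ": exported to any host; restrict to the client subnet"
                if (index("," opts ",", ",no_root_squash,"))
                    print $1 " to " host ": no_root_squash lets client root act as root on user homes"
            }
        }
    ' "$1"
}

# count_findings LINTER FILE -> number of findings the linter printed
count_findings() {
    "$1" "$2" | awk 'END { print NR }'
}

# write_samples DIR
# Constructed samples: the weak pair mirrors the settings shown in the post,
# the hardened pair is the corrected form.
write_samples() {
    printf '%s\n' 'ldap_version 3' 'URI ldap://ldapserver.mydomain.com/' \
        'BASE dc=example,dc=com' 'SSL start_tls' \
        'TLS_CACERT /etc/ldap/ssl/cert/ca.pem' \
        'TLS_CHECKPEER no' 'TLS_REQCERT allow' > "$1/ldap.conf.weak"
    printf '%s\n' 'ldap_version 3' 'URI ldap://ldapserver.mydomain.com/' \
        'BASE dc=example,dc=com' 'SSL start_tls' \
        'TLS_CACERT /etc/ldap/ssl/cert/ca.pem' \
        'TLS_CHECKPEER yes' 'TLS_REQCERT demand' > "$1/ldap.conf.hardened"
    printf '%s\n' '/home/samba/users 192.168.1.0/24(rw,fixed,no_root_squash)' \
        > "$1/exports.weak"
    printf '%s\n' '/home/samba/users 192.168.1.0/24(rw,fixed,root_squash)' \
        > "$1/exports.hardened"
}

# Stand-alone run: lint both variants of both files and show the findings.
WORK=$(mktemp -d)
write_samples "$WORK"
for v in weak hardened; do
    echo "== ldap.conf ($v): $(count_findings lint_ldap_conf "$WORK/ldap.conf.$v") finding(s)"
    lint_ldap_conf "$WORK/ldap.conf.$v"
    echo "== exports ($v): $(count_findings lint_exports "$WORK/exports.$v") finding(s)"
    lint_exports "$WORK/exports.$v"
done
rm -rf "$WORK"
```

Point the two functions at the real /etc/ldap/ldap.conf and /etc/exports on a client and PDC to check a deployment; the hardened pair shows the change that makes the lint go quiet (`TLS_REQCERT demand`, `TLS_CHECKPEER yes`, `root_squash`), at the cost that the client must actually trust the CA in `TLS_CACERT` and root on the PDC, not root on a client, must create the user homes.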