[Samba] making pam_winbind to work
Rowland Penny
rpenny at samba.org
Mon Feb 14 13:56:49 UTC 2022
On Mon, 2022-02-14 at 16:41 +0300, Michael Tokarev wrote:
> 14.02.2022 16:32, Rowland Penny via samba wrote:
> > On Mon, 2022-02-14 at 16:22 +0300, Michael Tokarev via samba wrote:
> > > Hello!
> > >
> > > Another day, another issue which I can't resolve so far.
> > >
> > > We switched our user from local /etc/passwd to samba AD.
> > > And it was apparently a big mistake, since nothing works
> > > besides samba now.
> >
> > Anything that uses nsswitch should work, provided that everything is
> > set up correctly.
>
> Are you sure you really mean nsswitch, not pam?
They both work together.
>
> Nsswitch is for mapping uid<=>users and the like, it is NOT for auth.
The conf file for nsswitch '/etc/nsswitch.conf' tells nsswitch where to
search for users etc.
> Auth can be done using /etc/shadow
Big shock here, AD does not use /etc/shadow.
> - it does not work with nsswitch.
See above.
> And in order for any service to look for user's local shadow password
> entry, pw_passwd should contain value "x", but samba returns "*", so
> no service will try to open local /etc/shadow for any samba user, so
> no auth will work.
But as I said above, AD does not use 'shadow'.
>
> pam_winbind is exactly for this auth stuff. You can't log into the
> system based on nsswitch, passwords are stored elsewhere.
Not entirely true: yes, the password is stored in AD, but you can log in
to a Unix domain member with the AD password.
>
> Is the mlock() failure somehow relevant? I'm looking at the source
> now, but so far I don't understand the process model.
Please do not read the source, there is no point.
>
> Here's global smb.conf section:
> [global]
> server string = %h samba server %v
> netbios name = TSRV
> netbios aliases = LINUX FS
Do not use 'netbios aliases', use a CNAME instead.
> realm = TLS.MSK.RU
> workgroup = TLS
> server role = member server
> security = ADS
> idmap config TLS : backend = ad
> idmap config TLS : range = 1000-3000
> #idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default
No it isn't, there is no default, see 'man idmap_ad'.
If you want to use rfc2307 attributes from AD, you will also need
'unix_nss_info = yes'.
> idmap config TLS : unix_primary_group = yes
> template homedir = /home/%U
> template shell = /bin/bash
> idmap config * : backend = tdb
> idmap config * : range = 5000-7000
> winbind use default domain = yes
> acl allow execute always = true
> hostname lookups = yes
You do not need that either.
> log file = /var/log/samba/log.%m
> max log size = 1000
> log level = 2
> # disable user shares
> usershare max shares = 0
> load printers = no
> printing = bsd
> disable spoolss = yes
> map hidden = yes
> create mask = 0775
> directory mask = 0775
Rowland
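As an added example (not from this thread or from the Samba project), a small Python lint that applies Rowland's points to a constructed [global] section modelled on the quoted smb.conf: it flags an idmap_ad domain without 'unix_nss_info = yes', a 'netbios aliases' line, an unneeded 'hostname lookups = yes', and, going one step beyond the thread, overlapping idmap ranges between the domain and the '*' default. The option names are Samba's; the parsing and check logic are assumptions of mine, not a Samba tool.

```python
import configparser

# Constructed [global] section modelled on the one quoted in the thread
# (not the poster's file verbatim; options irrelevant to the checks are omitted).
SMB_CONF = """[global]
netbios name = TSRV
netbios aliases = LINUX FS
realm = TLS.MSK.RU
workgroup = TLS
server role = member server
security = ADS
idmap config TLS : backend = ad
idmap config TLS : range = 1000-3000
idmap config TLS : unix_primary_group = yes
idmap config * : backend = tdb
idmap config * : range = 5000-7000
winbind use default domain = yes
hostname lookups = yes
"""

def parse_global(text):
    """Return [global] options keyed case-insensitively with whitespace
    collapsed, e.g. 'idmap config tls : backend' (smb.conf keys are case-insensitive)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {" ".join(k.lower().split()): v.strip() for k, v in cp["global"].items()}

def idmap_range(value):
    lo, hi = value.split("-")
    return int(lo), int(hi)

def lint_global(opts):
    """Checks from the thread, plus an idmap range overlap check (my addition)."""
    findings = []
    dom = opts.get("workgroup", "").lower()
    key = f"idmap config {dom} : "
    if opts.get(key + "backend", "").lower() == "ad" and opts.get(key + "unix_nss_info", "no").lower() != "yes":
        findings.append(f"idmap_ad for {dom.upper()} without 'unix_nss_info = yes': rfc2307 homedir/shell from AD are ignored")
    if "netbios aliases" in opts:
        findings.append("'netbios aliases' is set: use a DNS CNAME instead")
    if opts.get("hostname lookups", "no").lower() == "yes":
        findings.append("'hostname lookups = yes' is unnecessary on a domain member")
    try:  # the domain range and the '*' default range must not overlap
        d_lo, d_hi = idmap_range(opts[key + "range"])
        s_lo, s_hi = idmap_range(opts["idmap config * : range"])
        if d_lo <= s_hi and s_lo <= d_hi:
            findings.append(f"idmap ranges overlap: {d_lo}-{d_hi} and {s_lo}-{s_hi}")
    except (KeyError, ValueError):
        findings.append("missing or malformed idmap range for the domain or for '*'")
    return findings
```

Run `lint_global(parse_global(SMB_CONF))` against the constructed section and it reports the three issues from the thread; removing the two lines and adding 'unix_nss_info = yes' makes it return an empty list.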