Re: Winbind/Smb Authentication


 



> I've been reading up on winbind and the samba authentication you can use
> in rh linux. I basically have a rh linux 9 mail server up and running
> with it's own set of user accounts. Currently, I need to manage two sets
> of user accounts which is no fun. I know that if I had a week to read
> through the documentation, I could probably configure the box to
> authenticate off of my Win2K domain myself. I have to believe that there
> are plenty of people out there who have already done this so I'm trying
> to find a good tutorial on how to setup a Redhat Linux 9 box to
> authenticate off of a Win2K AD Domain with the intent of being a mail
> server. Anyone's input is appreciated.


Here's some notes that I took when I set this up the first time...



1. Edit the /etc/nsswitch.conf file to allow user and group entries to be
visible from the winbindd daemon.  You need to add winbind to the passwd
and group entries:

passwd:     files winbind
shadow:     files
group:      files winbind


2.  Edit the smb.conf file:

[global]
        winbind separator = -
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%D/%U
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        workgroup = DOMAIN
        security = domain
        password server = *


3.  The next step is to join the domain. To do that use the net program
like this:

net join -S PDC -U Administrator

Sometimes you have to use this instead:

net rpc join -U Administrator


4.  In /etc/pam.d/, edit the PAM files that you want to use winbind with.

Example, the /etc/pam.d/system-auth file on Red Hat Linux 9.0 should look
something like this:

[root@rh90 root]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/pam_winbind.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      /lib/security/$ISA/pam_unix.so



Here's an example of the /etc/pam.d/login file from a Red Hat 7.2 system:

[root@rh72 pam.d]# cat login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so umask=0022
session    optional     /lib/security/pam_console.so


Here's an example of the /etc/pam.d/sshd file from a RH72 system:

[root@rh72 pam.d]# cat sshd
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_mkhomedir.so umask=0022
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so


5.  Now start winbindd and nmbd and you should find that your user and
group database is expanded to include your NT users and groups, and that
you can login to your unix box as a domain user, using the DOMAIN+user
syntax for the username. You may wish to use the commands getent passwd
and getent group to confirm the correct operation of winbindd.   Note, if
you use the "winbind use default domain = yes" parameter in smb.conf, then
you don't have to use the DOMAIN+user syntax, and can just use "user"
without prepending the domain name.




6.  Run some tests to ensure that everything is working okay.

getent passwd = returns all the users in Active Directory
getent group = returns all the groups in Active Directory

wbinfo -t = Verify that the workstation trust account created when the Samba
server is added to the Windows NT domain is working.

[root@rh90 pam.d]# wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -a = Attempt to authenticate a user via winbindd. This checks both
authentication methods and reports its results.

[root@rh90 pam.d]# wbinfo -a jdoe%mypassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -r username = try to obtain the list of UNIX group ids to which the
user belongs. This only works for users defined on a domain controller.

[root@rh90 pam.d]# wbinfo -r cpurcell
10154
10001
10069

wbinfo -u = returns list of domain users
wbinfo -g = returns list of domain groups




If Samba was installed from source, then you'll need to:

Copy libnss_winbind.so to /lib and pam_winbind.so to /lib/security. A
symbolic link needs to be made from /lib/libnss_winbind.so to
/lib/libnss_winbind.so.2. If you are using an older version of glibc then
the target of the link should be /lib/libnss_winbind.so.1.




Chris Purcell, RHCE
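The PAM stacks quoted above are easy to misread, because a `sufficient` line that succeeds ends the walk and skips every line after it. The following is an added example, not part of the original post: a small Python model of the classic Linux-PAM control flags (`required`, `requisite`, `sufficient`, `optional`) plus the old `pam_stack.so service=` include, run over the `auth` lines of the quoted RH 9 system-auth and RH 7.2 login files. The outcomes of `pam_winbind`, `pam_unix`, `pam_securetty` and `pam_nologin` are constructed scenarios (assumptions), not real authentications. One thing the model makes visible: in the `login` file, `auth sufficient pam_winbind.so` sits before `pam_nologin.so`, so a domain user who authenticates through winbind is never checked against /etc/nologin on that service, while a local user is.

```python
"""Model of how Linux-PAM walks an auth stack, applied to the PAM files
quoted in the post.

Added example, not part of the original post.  The stacks below are the
auth/account lines of the quoted RH 9 system-auth and RH 7.2 login files;
the module outcomes are constructed scenarios (assumptions), not real
authentications.
"""
import re

# Constructed copies of the two quoted stacks (password/session lines
# omitted; they take no part in the auth walk modelled here).
PAM_FILES = {
    "system-auth": """
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/pam_winbind.so
account     required      /lib/security/$ISA/pam_unix.so
""",
    "login": """
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
""",
}

# Modules whose result does not depend on the user or the password.
FIXED = {"pam_env": True, "pam_permit": True, "pam_deny": False}


def parse_pam(text):
    """Return (type, control, module, {arg: value}) per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, path, *args = line.split()
        module = re.sub(r"\.so$", "", path.rsplit("/", 1)[-1])
        kv = dict(a.split("=", 1) for a in args if "=" in a)
        entries.append((mtype, control, module, kv))
    return entries


STACKS = {svc: parse_pam(text) for svc, text in PAM_FILES.items()}


def walk(service, mtype, outcomes):
    """True if the `mtype` stack of `service` succeeds, following the
    classic Linux-PAM control flags:

      required   failure is remembered, but the walk continues
      requisite  failure ends the walk immediately
      sufficient success ends the walk with success, unless a required
                 module already failed; failure is ignored
      optional   ignored here (only decisive as the sole module)

    A walk that never records a success (every sufficient module failed
    and nothing else ran) is a failure.  `pam_stack.so service=X` (the
    legacy include) is evaluated by recursing into X.  Modules not in
    FIXED or `outcomes` are treated as failing (fail closed).
    """
    impression = None   # None undecided, True positive, False negative
    for t, control, module, kv in STACKS[service]:
        if t != mtype:
            continue
        if module == "pam_stack":
            ok = walk(kv["service"], mtype, outcomes)
        else:
            ok = FIXED.get(module, outcomes.get(module, False))
        if control == "required":
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif control == "requisite":
            if not ok:
                return False
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True
        elif control != "optional":
            raise ValueError(f"unsupported control flag {control!r}")
    return impression is True


def auth_ok(service, winbind_ok, unix_ok, nologin_present=False, secure_tty=True):
    """Constructed scenario: would the `auth` stack of `service` admit a
    user for whom winbind / pam_unix return the given results?"""
    outcomes = {
        "pam_winbind": winbind_ok,           # domain credentials accepted?
        "pam_unix": unix_ok,                 # local /etc/shadow credentials accepted?
        "pam_securetty": secure_tty,         # assumption: tty is in /etc/securetty
        "pam_nologin": not nologin_present,  # assumption: /etc/nologin absent
    }
    return walk(service, "auth", outcomes)


if __name__ == "__main__":
    for svc in ("system-auth", "login"):
        print(svc, "domain user:", auth_ok(svc, True, False))
        print(svc, "local user:", auth_ok(svc, False, True))
        print(svc, "bad password:", auth_ok(svc, False, False))
        # With /etc/nologin present, only the local user is turned away on
        # the login service: the sufficient pam_winbind line ends the walk
        # before pam_nologin runs.
        print(svc, "domain user, nologin:", auth_ok(svc, True, False, nologin_present=True))
        print(svc, "local user, nologin:", auth_ok(svc, False, True, nologin_present=True))
```

Run it and compare the `login` rows for "domain user, nologin" and "local user, nologin"; moving the `pam_winbind` line after `pam_nologin` (or making `pam_nologin` `requisite` and placing it first) in the constructed `login` stack makes both rows fail, which is the behaviour most administrators expect from /etc/nologin.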




-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
