But:

1) Does sendmail still accept mail for these users since they are no longer
local? I.e. my email is jeff@xxxxxxxxxxxxx; if I'm changing from /etc/passwd
auth to winbind auth there won't be a user jeff local to the system anymore.
Will I still be able to receive mail? Or does the system contact the PDC every
time to see if there is a user by that name?

2) If people already have mbox dirs in their home dirs, can I move these files
over? It seems from the documentation that the user home directories get
created on the fly? Does this also mean they are temporary?

3) I don't want these users to be able to log on locally, only via email
protocols. Does that mean I only need to change /etc/pam.d/imap and files like
this, or do I also need to change system-auth, or all of them for that matter?

Jeff Graves, MCP
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019
508.966.5200 - Phone
508.966.5170 - Fax
jeff@xxxxxxxxxxxxx - Email

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx]
On Behalf Of Chris Purcell
Sent: Monday, March 29, 2004 4:16 PM
To: redhat-list@xxxxxxxxxx
Subject: Re: Winbind/Smb Authentication

> I've been reading up on winbind and the samba authentication you can use
> in rh linux. I basically have a rh linux 9 mail server up and running
> with its own set of user accounts. Currently, I need to manage two sets
> of user accounts which is no fun. I know that if I had a week to read
> through the documentation, I could probably configure the box to
> authenticate off of my Win2K domain myself. I have to believe that there
> are plenty of people out there who have already done this so I'm trying
> to find a good tutorial on how to setup a Redhat Linux 9 box to
> authenticate off of a Win2K AD Domain with the intent of being a mail
> server. Anyone's input is appreciated.

Here are some notes that I took when I set this up the first time...

1. Edit the /etc/nsswitch.conf file to allow user and group entries to be
   visible from the winbindd daemon. You need to add winbind to the passwd
   and group entries:

   passwd: files winbind
   shadow: files
   group:  files winbind

2. Edit the smb.conf file:

   [global]
   winbind separator = -
   winbind cache time = 10
   template shell = /bin/bash
   template homedir = /home/%D/%U
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   workgroup = DOMAIN
   security = domain
   password server = *

3. The next step is to join the domain. To do that use the net program like
   this:

   net join -S PDC -U Administrator

   Sometimes you have to use this instead:

   net rpc join -U Administrator

4. In /etc/pam.d/, edit the PAM files that you want to use winbind with. For
   example, the /etc/pam.d/system-auth file on Red Hat Linux 9.0 should look
   something like this:

   [root@rh90 root]# cat /etc/pam.d/system-auth
   #%PAM-1.0
   # This file is auto-generated.
   # User changes will be destroyed the next time authconfig is run.
   auth        required      /lib/security/$ISA/pam_env.so
   auth        sufficient    /lib/security/pam_winbind.so
   auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
   auth        required      /lib/security/$ISA/pam_deny.so
   account     required      /lib/security/pam_winbind.so
   account     required      /lib/security/$ISA/pam_unix.so
   password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
   password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
   password    required      /lib/security/$ISA/pam_deny.so
   session     required      /lib/security/$ISA/pam_limits.so
   session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
   session     required      /lib/security/$ISA/pam_unix.so

   Here's an example of the /etc/pam.d/login file from a Red Hat 7.2 system:

   [root@rh72 pam.d]# cat login
   #%PAM-1.0
   auth        required      /lib/security/pam_securetty.so
   auth        sufficient    /lib/security/pam_winbind.so
   auth        required      /lib/security/pam_stack.so service=system-auth
   auth        required      /lib/security/pam_nologin.so
   account     required      /lib/security/pam_winbind.so
   account     required      /lib/security/pam_stack.so service=system-auth
   password    required      /lib/security/pam_stack.so service=system-auth
   session     required      /lib/security/pam_stack.so service=system-auth
   session     required      /lib/security/pam_mkhomedir.so umask=0022
   session     optional      /lib/security/pam_console.so

   Here's an example of the /etc/pam.d/sshd file from a RH72 system:

   [root@rh72 pam.d]# cat sshd
   #%PAM-1.0
   auth        sufficient    /lib/security/pam_winbind.so
   auth        required      /lib/security/pam_stack.so service=system-auth
   auth        required      /lib/security/pam_nologin.so
   account     required      /lib/security/pam_stack.so service=system-auth
   password    required      /lib/security/pam_stack.so service=system-auth
   session     required      /lib/security/pam_stack.so service=system-auth
   account     required      /lib/security/pam_winbind.so
   session     required      /lib/security/pam_mkhomedir.so umask=0022
   session     required      /lib/security/pam_limits.so
   session     optional      /lib/security/pam_console.so

5. Now start winbindd and nmbd and you should find that your user and group
   database is expanded to include your NT users and groups, and that you can
   log in to your unix box as a domain user, using the DOMAIN+user syntax for
   the username. You may wish to use the commands getent passwd and getent
   group to confirm the correct operation of winbindd. Note, if you use the
   "winbind use default domain = yes" parameter in smb.conf, then you don't
   have to use the DOMAIN+user syntax, and can just use "user" without
   prepending the domain name.

6. Run some tests to ensure that everything is working okay.

   getent passwd = returns all the users in Active Directory
   getent group  = returns all the groups in Active Directory

   wbinfo -t = Verify that the workstation trust account created when the
   Samba server is added to the Windows NT domain is working.

   [root@rh90 pam.d]# wbinfo -t
   checking the trust secret via RPC calls succeeded

   wbinfo -a = Attempt to authenticate a user via winbindd. This checks both
   authentication methods and reports its results.

   [root@rh90 pam.d]# wbinfo -a jdoe%mypassword
   plaintext password authentication succeeded
   challenge/response password authentication succeeded

   wbinfo -r username = try to obtain the list of UNIX group ids to which the
   user belongs. This only works for users defined on a domain controller.

   [root@rh90 pam.d]# wbinfo -r cpurcell
   10154
   10001
   10069

   wbinfo -u = returns list of domain users
   wbinfo -g = returns list of domain groups

If Samba was installed from source, then you'll need to:

Copy libnss_winbind.so to /lib and pam_winbind.so to /lib/security. A symbolic
link needs to be made from /lib/libnss_winbind.so to /lib/libnss_winbind.so.2.
If you are using an older version of glibc then the target of the link should
be /lib/libnss_winbind.so.1.

Chris Purcell, RHCE

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
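An added example, not part of Chris's notes or Jeff's reply: a small POSIX shell audit of the two files the steps above touch, run offline against constructed copies of the nsswitch.conf fragment from step 1 and the system-auth and login stacks from step 4, plus a deliberately broken stack. It checks that winbind follows files on the passwd and group lines, that pam_winbind.so is sufficient in auth (a required pam_winbind.so locks local users out) and present in account, that a self-contained auth stack ends in required pam_deny.so, and it flags two settings in the stacks as posted that a practitioner would want to know about: nullok on pam_unix.so, which accepts empty local passwords, and pam_mkhomedir.so umask=0022 in the RH7.2 files, which creates domain users' home directories world-readable (the RH9 system-auth uses 0077). The sample contents, temp-dir layout, check names and messages are my own constructions. Note also that with winbind separator = - from step 2, domain accounts show up as DOMAIN-user rather than the DOMAIN+user syntax mentioned in step 5.

```shell
#!/bin/sh
# Added example, not from the original thread: offline checks for the winbind
# wiring in the notes above. Sample files are constructed below; the check
# names, messages and temp-dir layout are my own.

# nss_lists_winbind FILE DB: succeed if the DB line (passwd or group) names
# "files" before "winbind", as step 1 of the notes requires.
nss_lists_winbind() {
    awk -v db="$2:" '
        $1 == db {
            f = w = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !w) f = 1
                if ($i == "winbind") w = 1
            }
            if (f && w) ok = 1
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# pam_findings FILE: print one line per problem in a PAM service file. A stack
# that delegates via pam_stack.so is not expected to end in pam_deny itself.
pam_findings() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }
        { n = split($3, p, "/"); m = p[n] }   # module basename
        $1 == "auth" {
            last_auth = m; last_ctl = $2
            if (m == "pam_stack.so") stacked = 1
            if (m == "pam_winbind.so") {
                wb_auth = 1
                if ($2 != "sufficient")
                    print "auth: pam_winbind.so must be sufficient or local users can never pass"
            }
            if (m == "pam_unix.so" && $0 ~ /nullok/)
                print "auth: pam_unix.so nullok accepts empty local passwords"
        }
        $1 == "account" && m == "pam_winbind.so" { wb_acct = 1 }
        $1 == "session" && m == "pam_mkhomedir.so" {
            mk = 1
            if ($0 ~ /umask=0022/)
                print "session: pam_mkhomedir.so umask=0022 creates world-readable homes; use 0077"
        }
        END {
            if (!wb_auth) print "auth: no pam_winbind.so, domain users cannot authenticate"
            if (!stacked && !(last_auth == "pam_deny.so" && last_ctl == "required"))
                print "auth: stack does not end with required pam_deny.so"
            if (!wb_acct) print "account: no pam_winbind.so, domain account checks are skipped"
            if (!mk) print "session: no pam_mkhomedir.so, template homedir is never created"
        }' "$1"
}

# pam_finding_count FILE: number of findings, for scripts and tests.
pam_finding_count() { pam_findings "$1" | wc -l | tr -d ' '; }

# Constructed samples: the RH9 system-auth and RH7.2 login stacks from the
# notes, a broken variant, and two nsswitch.conf fragments.
write_samples() {
    cat > "$1/system-auth" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/$ISA/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
session    required     /lib/security/$ISA/pam_unix.so
EOF
    cat > "$1/login" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so umask=0022
EOF
    cat > "$1/broken" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_winbind.so
auth       required     /lib/security/$ISA/pam_unix.so
password   required     /lib/security/$ISA/pam_unix.so
EOF
    printf 'passwd: files winbind\nshadow: files\ngroup:  files winbind\n' > "$1/nsswitch.good"
    printf 'passwd: files\nshadow: files\ngroup:  files\n' > "$1/nsswitch.bad"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
write_samples "$SAMPLE_DIR"

for db in passwd group; do
    nss_lists_winbind "$SAMPLE_DIR/nsswitch.good" "$db" && echo "nsswitch.good: $db ok"
done
for svc in system-auth login broken; do
    echo "== $svc: $(pam_finding_count "$SAMPLE_DIR/$svc") finding(s) =="
    pam_findings "$SAMPLE_DIR/$svc"
done
```

Run it as-is to see the report on the constructed samples, or point nss_lists_winbind and pam_findings at the real /etc/nsswitch.conf and /etc/pam.d/system-auth on the mail server after applying the steps. The posted system-auth yields one finding (nullok), the posted login yields one (umask=0022), and the broken stack, where both pam_winbind.so and pam_unix.so are required, yields four, the first of which is the one that locks everyone out.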