From b31dd810d773097645195c5d7b17527b61592504 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 28 Jun 2005 04:31:00 +0000 Subject: Update. (This used to be commit 69259f930215a6fc1ae84f9c9db6ddd4b16a14d9) --- docs/Samba3-HOWTO/TOSHARG-Winbind.xml | 297 ++++++++++++++++++++++------------ 1 file changed, 198 insertions(+), 99 deletions(-) diff --git a/docs/Samba3-HOWTO/TOSHARG-Winbind.xml b/docs/Samba3-HOWTO/TOSHARG-Winbind.xml index b63611f59a..cfde983465 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Winbind.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Winbind.xml @@ -718,9 +718,11 @@ group: files winbind - - - +winbindd +ldconfig +libnss_winbind +grep +dynamic link loader The libraries needed by the winbindd daemon will be automatically entered into the ldconfig cache the next time your system reboots, but it is faster (and you do not need to reboot) if you do it manually: 
@@ -728,11 +730,39 @@ your system reboots, but it is faster (and you do not need to reboot) if you do &rootprompt;/sbin/ldconfig -v | grep winbind This makes libnss_winbind available to winbindd and reports the current -search path that is used by the dynamic link loader. +search path that is used by the dynamic link loader. The use of the grep +filters the output of the ldconfig command so that we may see proof that +this library is indeed recognized by the dynamic link loader. -The dynamic link-loader managment interface +dynamic link loader +crle +/usr/local/lib +link loader configuration +object module dependencies +The Sun Solaris dynamic link loader management tool is called crle. The +use of this tool is necessary to instruct the dynamic link loader to search directories that +contain library files that were not supplied as part of the original operating system platform. +The following example shows how to use this tool to add the directory /usr/local/lib +to the dynamic link loader's search path: + +&rootprompt; crle -u -l /usr/lib:/usr/local/lib + +When executed without arguments, crle reports the current dynamic +link loader configuration. This is demonstrated here: + +&rootprompt; crle + +Configuration file [version 4]: /var/ld/ld.config + Default Library Path (ELF): /lib:/usr/lib:/usr/local/lib + Trusted Directories (ELF): /lib/secure:/usr/lib/secure (system default) + +Command line: + crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/local/lib + +From this it is apparent that the /usr/local/lib directory is be included +in the search dynamic link libraries in order to satisfy object module dependencies. 
@@ -743,6 +773,12 @@ The dynamic link-loader managment interface (This section is only for those running AIX.) +AIX +Winbind +/usr/lib/security +authentication module API +/usr/lib/security/methods.cfg +PAM module The Winbind AIX identification module gets built as libnss_winbind.so in the nsswitch directory of the Samba source. This file can be copied to /usr/lib/security, and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following: @@ -767,10 +803,13 @@ Management Guide: Operating System and Devices. Configure smb.conf +winbind +man page +winbindd Several parameters are needed in the &smb.conf; file to control the behavior of &winbindd;. These are described in more detail in the winbindd 8 man page. My &smb.conf; file, as shown in Example 23.5.1, was modified to include the necessary entries in the [global] section. +linkend="winbindcfg">the smb.conf for Winbind Setup, was modified to include the necessary entries in the [global] section. @@ -799,11 +838,23 @@ linkend="winbindcfg">Example 23.5.1, was modified to include the necessar Join the Samba Server to the PDC Domain +domain security +PDC +BDC All machines that will participate in domain security should be members of the domain. This applies also to the PDC and all BDCs. +joining domain +domain join +netrpcjoin +smbd +PDC +domain controller +MS DCE RPC +DCE RPC +RPC The process of joining a domain requires the use of the net rpc join command. This process communicates with the domain controller it will register with (usually the PDC) via MS DCE RPC. This means, of course, that the smbd @@ -812,6 +863,9 @@ start Samba on a PDC so that it can join its own domain. +PDC +administrative privileges +Administrator Enter the following command to make the Samba server join the domain, where PDC is the name of your PDC and Administrator is 
@@ -819,16 +873,21 @@ a domain user who has administrative privileges in the domain. +domain controller +PDC +tcp ports +udp ports Before attempting to join a machine to the domain, verify that Samba is running on the target domain controller (usually PDC) and that it is capable of being reached via ports 137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx). +netrpcjoin +The use of the net rpc join facility is shown here: + &rootprompt;/usr/local/samba/bin/net rpc join -S PDC -U Administrator - - - + The proper response to the command should be Joined the domain DOMAIN where DOMAIN is your domain name. 
@@ -840,104 +899,109 @@ is your domain name. Starting and Testing the <command>winbindd</command> Daemon +startup script +winbindd +Winbind services Eventually, you will want to modify your Samba startup script to automatically invoke the winbindd daemon when the other parts of Samba start, but it is possible to test out just the Winbind portion first. To start up Winbind services, enter the following command as root: - - - + &rootprompt;/usr/local/samba/sbin/winbindd + +Use the appropriate path to the location of the winbindd executable file. +Winbind +/usr/local/samba The command to start up Winbind services assumes that Samba has been installed in the /usr/local/samba directory tree. You may need to search for the location of Samba files if this is not the location of winbindd on your system. +Winbindd +dual daemon mode Winbindd can now also run in dual daemon mode. This will make it run as two processes. The first will answer all requests from the cache, thus making responses to clients faster. The other will update the cache for the query to which the first has just responded. The advantage of this is that responses stay accurate and are faster. You can enable dual daemon mode by adding to the command line: - - - + &rootprompt;/usr/local/samba/sbin/winbindd -B + +paranoid +daemon running I'm always paranoid and like to make sure the daemon is really running. - - - + &rootprompt;ps -ae | grep winbindd + + +winbindd This command should produce output like the following if the daemon is running. - - 3025 ? 00:00:00 winbindd - - -Now, for the real test, try to get some information about the users on your PDC: +PDC +wbinfo +Now, for the real test, try to get some information about the users on your PDC: + &rootprompt;/usr/local/samba/bin/wbinfo -u - - - + This should echo back a list of users on your Windows users on your PDC. 
For example, I get the following response: - - - - CEO\Administrator - CEO\burdell - CEO\Guest - CEO\jt-ad - CEO\krbtgt - CEO\TsInternetUser - - - + +CEO\Administrator +CEO\burdell +CEO\Guest +CEO\jt-ad +CEO\krbtgt +CEO\TsInternetUser + Obviously, I have named my domain CEO and my is \. +wbinfo +PDC You can do the same sort of thing to get group information from the PDC: - - - + &rootprompt;/usr/local/samba/bin/wbinfo -g - CEO\Domain Admins - CEO\Domain Users - CEO\Domain Guests - CEO\Domain Computers - CEO\Domain Controllers - CEO\Cert Publishers - CEO\Schema Admins - CEO\Enterprise Admins - CEO\Group Policy Creator Owners +CEO\Domain Admins +CEO\Domain Users +CEO\Domain Guests +CEO\Domain Computers +CEO\Domain Controllers +CEO\Cert Publishers +CEO\Schema Admins +CEO\Enterprise Admins +CEO\Group Policy Creator Owners +getent +PDC +/etc/passwd +UID +GID +home directories +default shells The function getent can now be used to get unified lists of both local and PDC users and groups. Try the following command: - - - + &rootprompt;getent passwd - - - + You should get a list that looks like your /etc/passwd list followed by the domain users with their new UIDs, GIDs, home directories, and default shells. @@ -945,10 +1009,9 @@ directories, and default shells. The same thing can be done for groups with the command: - - - + &rootprompt;getent group + @@ -961,6 +1024,15 @@ The same thing can be done for groups with the command: Linux +winbindd daemon +smbd +nmbd +/etc/init.d/smb +/etc/init.d/samba +/usr/local/samba/bin + + + The &winbindd; daemon needs to start up after the &smbd; and &nmbd; daemons are running. To accomplish this task, you need to modify the startup scripts of your system. They are located at /etc/init.d/smb in Red Hat Linux and in 
@@ -969,9 +1041,7 @@ script to add commands to invoke this daemon in the proper sequence. My startup script starts up &smbd;, &nmbd;, and &winbindd; from the /usr/local/samba/bin directory directly. The start function in the script looks like this: - - - + start() { KIND="SMB" echo -n $"Starting $KIND services: " @@ -1045,6 +1115,12 @@ for details. +Solaris 9 +/etc/init.d/samba.server +/usr/local/samba/bin +smbd +nmbd +winbindd On Solaris, you need to modify the /etc/init.d/samba.server startup script. It usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in /usr/local/samba/bin, the file could contains something like this: @@ -1103,11 +1179,11 @@ usually only starts smbd and nmbd but should now start winbindd, too. If you hav Again, if you would like to run Samba in dual daemon mode, replace: - /usr/local/samba/sbin/winbindd +/usr/local/samba/sbin/winbindd in the script above with: - /usr/local/samba/sbin/winbindd -B +/usr/local/samba/sbin/winbindd -B @@ -1116,6 +1192,8 @@ in the script above with: Restarting +daemons +local user If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you should be able to connect to the Samba server as a domain member just as if you were a local user. @@ -1127,6 +1205,10 @@ if you were a local user. Configure Winbind and PAM +winbindd +authentication +PAM +/etc/pam.d If you have made it this far, you know that winbindd and Samba are working together. If you want to use Winbind to provide authentication for other services, keep reading. The PAM configuration files need to be altered in 
@@ -1135,42 +1217,50 @@ this step. (Did you remember to make backups of your original +NSS +../source/nsswitch +pam_winbind.so +/lib/security +Solaris +/usr/lib/security You will need a PAM module to use winbindd with these other services. This module will be compiled in the ../source/nsswitch directory by invoking the command: - - - + &rootprompt;make nsswitch/pam_winbind.so - - - + from the ../source directory. The pam_winbind.so file should be copied to the location of your other PAM security modules. On my Red Hat system, this was the /lib/security directory. On Solaris, the PAM security modules reside in /usr/lib/security. - - - + &rootprompt;cp ../samba/source/nsswitch/pam_winbind.so /lib/security + Linux/FreeBSD-Specific PAM Configuration +/etc/pam.d/samba The /etc/pam.d/samba file does not need to be changed. I just left this file as it was: - - - - - auth required /lib/security/pam_stack.so service=system-auth - account required /lib/security/pam_stack.so service=system-auth + +auth required /lib/security/pam_stack.so service=system-auth +account required /lib/security/pam_stack.so service=system-auth - + +Winbind +authentication service +login +console +telnet logins +ftp service +/etc/xinetd.d +/etc/inetd.conf +/etc/xinetd.d/telnet The other services that I modified to allow the use of Winbind as an authentication service were the normal login on the console (or a terminal session), telnet logins, and ftp service. In order to enable these @@ -1179,9 +1269,7 @@ services, you may first need to change the entries in Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this case you need to change the lines in /etc/xinetd.d/telnet and /etc/xinetd.d/wu-ftp from - - - + enable = no to 
@@ -1190,6 +1278,9 @@ to +ftp services +home directory template +domain users For ftp services to work properly, you will also need to either have individual directories for the domain users already present on the server or change the home directory template to a general @@ -1198,14 +1289,16 @@ the &smb.conf; global entry . - - The directory in is not created automatically! Use pam_mkhomedir or pre-create - the directories of users to make sure users can log in on UNIX with - their own home directory. - - + +pam_mkhomedir +The directory in is not created automatically! Use pam_mkhomedir or +pre-create the directories of users to make sure users can log in on UNIX with their own home directory. + +/etc/pam.d/ftp +Winbind +ftp access The /etc/pam.d/ftp file can be changed to allow Winbind ftp access in a manner similar to the samba file. My /etc/pam.d/ftp file was @@ -1222,6 +1315,7 @@ session required /lib/security/pam_stack.so service=system-auth +/etc/pam.d/login The /etc/pam.d/login file can be changed in nearly the same way. It now looks like this: @@ -1235,9 +1329,10 @@ account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_console.so - - - + +pam_winbind.so +pam_securetty.so +pam_unix.so In this case, I added the auth sufficient /lib/security/pam_winbind.so lines as before, but also added the required pam_securetty.so above it to disallow root logins over the network. I also added a 
@@ -1252,14 +1347,14 @@ double prompts for passwords. Solaris-Specific Configuration +/etc/pam.conf + The /etc/pam.conf needs to be changed. I changed this file so my Domain users can log on both locally as well as with telnet. The following are the changes that I made. You can customize the pam.conf file as per your requirements, but be sure of those changes because in the worst case it will leave your system nearly impossible to boot. - - - + # #ident "@(#)pam.conf 1.14 99/09/16 SMI" # @@ -1322,6 +1417,7 @@ dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 +winbind.so I also added a try_first_pass line after the winbind.so line to get rid of annoying double prompts for passwords. @@ -1342,8 +1438,13 @@ configured in the pam.conf. Conclusion -The Winbind system, through the use of the NSS, -PAMs, and appropriate + +Winbind +NSS +PAM +RPC calls +domain users +The Winbind system, through the use of the NSS, PAMs, and appropriate Microsoft RPC calls, have allowed us to provide seamless integration of Microsoft Windows NT domain users on a UNIX system. The result is a great reduction in the administrative @@ -1383,8 +1484,6 @@ cost of running a mixed UNIX and NT network. NSCD Problem Warning - - Do not under any circumstances run nscd on any system on which winbindd is running. -- cgit
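Review bot: the crle example in the @@ -728 hunk does not match its own output: the command shown is `crle -u -l /usr/lib:/usr/local/lib`, but the configuration dump right below it reports `Command line: crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/local/lib` and a default path that starts with /lib, so a reader cannot reproduce the printed result from the printed command. Either show the invocation that produced that dump or re-capture the output of the -u invocation. The closing sentence "the /usr/local/lib directory is be included in the search dynamic link libraries" should read "is included in the search path for dynamic link libraries". Because this edits the default library path consulted by every dynamically linked program on the host, the paragraph should also say that any directory added this way must be owned by root and not writable by unprivileged users; the "Trusted Directories (ELF)" line in the same dump is the place to point readers at for the distinction.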
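Review bot: replacing the hard-coded "Example 23.5.1" with a linkend in the @@ -767 hunk is the right fix, but the resulting sentence "My smb.conf file, as shown in the smb.conf for Winbind Setup, was modified" reads awkwardly because the link text repeats "smb.conf"; suggest link text such as "the Winbind setup example" so the sentence scans.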
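Review bot: two sentences in the @@ -840 hunk are broken and this rewrite of the surrounding markup is the moment to fix them: "This should echo back a list of users on your Windows users on your PDC" duplicates "users on your", and "Obviously, I have named my domain CEO and my is \." is missing the noun between "my" and "is" (check the XML source for an element that was dropped). The `ps -ae | grep winbindd` check also deserves one more sentence: the paragraph just above it explains that `winbindd -B` runs as two processes, so a reader who enabled dual daemon mode should expect two winbindd lines where the sample output shows one.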
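Review bot: the Solaris startup paragraph in the @@ -1045 hunk still carries "the file could contains something like this"; since the hunk already touches this paragraph to add index terms, change it to "could contain".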
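Review bot: the copy command in the @@ -1135 hunk, `cp ../samba/source/nsswitch/pam_winbind.so /lib/security`, uses a different relative path from the build step two sentences earlier, which says the module is built in `../source/nsswitch` by running make from `../source`. Use one path in both places so the two commands can be typed as written from the same directory.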
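Review bot: the @@ -1179 hunk reformats the xinetd example that flips `enable = no` for /etc/xinetd.d/telnet and /etc/xinetd.d/wu-ftp without saying what that implies: once Winbind authenticates these services, telnet and ftp carry domain account passwords over the network in clear text. Add a sentence stating this and suggesting an encrypted alternative for administrators who only need remote login. The lead sentence "Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this case you need to change" is also a comma splice; split it after "structure".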
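Review bot: the conclusion rewritten in the @@ -1342 hunk has a number disagreement, "The Winbind system ... have allowed us" should be "has allowed us", and "NSS, PAMs, and appropriate Microsoft RPC calls" reads better as "NSS, PAM, and appropriate Microsoft RPC calls"; both could be fixed while the lines are being re-wrapped.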