From 8cb4e23ffc77a9842e1304f3de20af5861982746 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 2 Feb 2002 06:08:43 +0000 Subject: merge from 2.2 and regen (This used to be commit 7b7e4190739bd7df422e3f239fd89373edb97ee5) --- docs/htmldocs/Samba-HOWTO-Collection.html | 1839 ++++++++++++++++++++++++----- 1 file changed, 1571 insertions(+), 268 deletions(-) (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html') diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index 5429e4da05..50d9dea7e3 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -668,101 +668,231 @@ HREF="#AEN1602" >
9. Unified Logons between Windows NT and UNIX using WinbindHow to a Purely Samba Controlled Domain
9.1. AbstractPrerequisite Reading
9.2. Background
9.3. What qualifies a Domain Controller on the network?
9.3.1. How does a Workstation find its domain controller?
9.3.2. When is the PDC needed?
9.4. Can Samba be a Backup Domain Controller?
9.5. How do I set up a Samba BDC?
9.5.1. How do I replicate the smbpasswd file?
10. Storing Samba's User/Machine Account information in an LDAP Directory
10.1. Purpose
10.2. Introduction
9.3. 10.3. Supported LDAP Servers
10.4. Schema and Relationship to the RFC 2307 posixAccount
10.5. Configuring Samba with LDAP
10.5.1. OpenLDAP configuration
10.5.2. Configuring Samba
10.6. Accounts and Groups management
10.7. Security and sambaAccount
10.8. LDAP specials attributes for sambaAccounts
10.9. Example LDIF Entries for a sambaAccount
10.10. Comments
11. Unified Logons between Windows NT and UNIX using Winbind
11.1. Abstract
11.2. Introduction
11.3. What Winbind Provides
9.3.1. 11.3.1. Target Uses
9.4. 11.4. How Winbind Works
9.4.1. 11.4.1. Microsoft Remote Procedure Calls
9.4.2. 11.4.2. Name Service Switch
9.4.3. 11.4.3. Pluggable Authentication Modules
9.4.4. 11.4.4. User and Group ID Allocation
9.4.5. 11.4.5. Result Caching
9.5. 11.5. Installation and Configuration
9.5.1. 11.5.1. Introduction
9.5.2. 11.5.2. Requirements
9.5.3. 11.5.3. Testing Things Out
9.5.3.1. 11.5.3.1. Configure and compile SAMBA
9.5.3.2. 11.5.3.2. Configure nsswitch.conf
9.5.3.3. 11.5.3.3. Configure smb.conf
9.5.3.4. 11.5.3.4. Join the SAMBA server to the PDC domain
9.5.3.5. 11.5.3.5. Start up the winbindd daemon and test it!
9.5.3.6. 11.5.3.6. Fix the /etc/rc.d/init.d/smb startup files
9.5.3.7. 11.5.3.7. Configure Winbind and PAM
9.6. 11.6. Limitations
9.7. 11.7. Conclusion
10. 12. OS2 Client HOWTO
10.1. 12.1. FAQs
10.1.1. 12.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?
10.1.2. 12.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?
10.1.3. 12.1.3. Are there any other issues when OS/2 (any version) is used as a client?
10.1.4. 12.1.4. How do I get printer driver download working for OS/2 clients?
11. 13. HOWTO Access Samba source code via CVS
11.1. 13.1. Introduction
11.2. 13.2. CVS Access to samba.org
11.2.1. 13.2.1. Access via CVSweb
11.2.2. 13.2.2. Access via cvs
Index

Chapter 9. Unified Logons between Windows NT and UNIX using WinbindChapter 9. How to a Purely Samba Controlled Domain

9.1. Abstract9.1. Prerequisite Reading

Integration of UNIX and Microsoft Windows NT through - a unified logon has been considered a "holy grail" in heterogeneous - computing environments for a long time. We present - winbind, a component of the Samba suite - of programs as a solution to the unified logon problem. Winbind - uses a UNIX implementation - of Microsoft RPC calls, Pluggable Authentication Modules, and the Name - Service Switch to allow Windows NT domain users to appear and operate - as UNIX users on a UNIX machine. This paper describes the winbind - system, explaining the functionality it provides, how it is configured, - and how it works internally.

Before you continue reading in this chapter, please make sure +that you are comfortable with configuring a Samba PDC +as described in the Samba-PDC-HOWTO.

9.2. Introduction9.2. Background

It is well known that UNIX and Microsoft Windows NT have - different models for representing user and group information and - use different technologies for implementing them. This fact has - made it difficult to integrate the two systems in a satisfactory - manner.

One common solution in use today has been to create - identically named user accounts on both the UNIX and Windows systems - and use the Samba suite of programs to provide file and print services - between the two. This solution is far from perfect however, as - adding and deleting users on both sets of machines becomes a chore - and two sets of passwords are required both of which - can lead to synchronization problems between the UNIX and Windows - systems and confusion for users.

We divide the unified logon problem for UNIX machines into - three smaller problems:

What is a Domain Controller? It is a machine that is able to answer +logon requests from workstations in a Windows NT Domain. Whenever a +user logs into a Windows NT Workstation, the workstation connects to a +Domain Controller and asks him whether the username and password the +user typed in is correct. The Domain Controller replies with a lot of +information about the user, for example the place where the users +profile is stored, the users full name of the user. All this +information is stored in the NT user database, the so-called SAM.

There are two kinds of Domain Controller in a NT 4 compatible Domain: +A Primary Domain Controller (PDC) and one or more Backup Domain +Controllers (BDC). The PDC contains the master copy of the +SAM. Whenever the SAM has to change, for example when a user changes +his password, this change has to be done on the PDC. A Backup Domain +Controller is a machine that maintains a read-only copy of the +SAM. This way it is able to reply to logon requests and authenticate +users in case the PDC is not available. During this time no changes to +the SAM are possible. Whenever changes to the SAM are done on the PDC, +all BDC receive the changes from the PDC.

Since version 2.2 Samba officially supports domain logons for all +current Windows Clients, including Windows 2000 and XP. This text +assumes the domain to be named SAMBA. To be able to act as a PDC, some +parameters in the [global]-section of the smb.conf have to be set:

workgroup = SAMBA
+domain master = yes
+domain logons = yes

  • Obtaining Windows NT user and group information -

  • Authenticating Windows NT users -

  • Password changing for Windows NT users -

Ideally, a prospective solution to the unified logon problem - would satisfy all the above components without duplication of - information on the UNIX machines and without creating additional - tasks for the system administrator when maintaining users and - groups on either system. The winbind system provides a simple - and elegant solution to all three components of the unified logon - problem.

Several other things like a [homes] and a [netlogon] share also may be +set along with settings for the profile path, the users home drive and +others. This will not be covered in this document.

9.3. What Winbind Provides9.3. What qualifies a Domain Controller on the network?

Winbind unifies UNIX and Windows NT account management by - allowing a UNIX box to become a full member of a NT domain. Once - this is done the UNIX box will see NT users and groups as if - they were native UNIX users and groups, allowing the NT domain - to be used in much the same manner that NIS+ is used within - UNIX-only environments.

The end result is that whenever any - program on the UNIX machine asks the operating system to lookup - a user or group name, the query will be resolved by asking the - NT domain controller for the specified domain to do the lookup. - Because Winbind hooks into the operating system at a low level - (via the NSS name resolution modules in the C library) this - redirection to the NT domain controller is completely - transparent.

Users on the UNIX machine can then use NT user and group - names as they would use "native" UNIX names. They can chown files - so that they are owned by NT domain users or even login to the - UNIX machine and run a UNIX X-Window session as a domain user.

The only obvious indication that Winbind is being used is - that user and group names take the form DOMAIN\user and - DOMAIN\group. This is necessary as it allows Winbind to determine - that redirection to a domain controller is wanted for a particular - lookup and which trusted domain is being referenced.

Additionally, Winbind provides an authentication service - that hooks into the Pluggable Authentication Modules (PAM) system - to provide authentication via a NT domain to any PAM enabled - applications. This capability solves the problem of synchronizing - passwords between systems since all passwords are stored in a single - location (on the domain controller).

Every machine that is a Domain Controller for the domain SAMBA has to +register the NetBIOS group name SAMBA#1c with the WINS server and/or +by broadcast on the local network. The PDC also registers the unique +NetBIOS name SAMBA#1b with the WINS server. The name type #1b is +normally reserved for the domain master browser, a role that has +nothing to do with anything related to authentication, but the +Microsoft Domain implementation requires the domain master browser to +be on the same machine as the PDC.

9.3.1. Target Uses9.3.1. How does a Workstation find its domain controller?

Winbind is targeted at organizations that have an - existing NT based domain infrastructure into which they wish - to put UNIX workstations or servers. Winbind will allow these - organizations to deploy UNIX workstations without having to - maintain a separate account infrastructure. This greatly - simplifies the administrative overhead of deploying UNIX - workstations into a NT based organization.

A NT workstation in the domain SAMBA that wants a local user to be +authenticated has to find the domain controller for SAMBA. It does +this by doing a NetBIOS name query for the group name SAMBA#1c. It +assumes that each of the machines it gets back from the queries is a +domain controller and can answer logon requests. To not open security +holes both the workstation and the selected (TODO: How is the DC +chosen) domain controller authenticate each other. After that the +workstation sends the user's credentials (his name and password) to +the domain controller, asking for approval.

9.3.2. When is the PDC needed?

Another interesting way in which we expect Winbind to - be used is as a central part of UNIX based appliances. Appliances - that provide file and print services to Microsoft based networks - will be able to use Winbind to provide seamless integration of - the appliance into the domain.

Whenever a user wants to change his password, this has to be done on +the PDC. To find the PDC, the workstation does a NetBIOS name query +for SAMBA#1b, assuming this machine maintains the master copy of the +SAM. The workstation contacts the PDC, both mutually authenticate and +the password change is done.

9.4. How Winbind Works9.4. Can Samba be a Backup Domain Controller?

The winbind system is designed around a client/server - architecture. A long running winbindd daemon - listens on a UNIX domain socket waiting for requests - to arrive. These requests are generated by the NSS and PAM - clients and processed sequentially.

With version 2.2, no. The native NT SAM replication protocols have +not yet been fully implemented. The Samba Team is working on +understanding and implementing the protocols, but this work has not +been finished for version 2.2.

The technologies used to implement winbind are described - in detail below.

Can I get the benefits of a BDC with Samba? Yes. The main reason for +implementing a BDC is availability. If the PDC is a Samba machine, +a second Samba machine can be set up to +service logon requests whenever the PDC is down.

9.4.1. Microsoft Remote Procedure Calls

9.5. How do I set up a Samba BDC?

Over the last two years, efforts have been underway - by various Samba Team members to decode various aspects of - the Microsoft Remote Procedure Call (MSRPC) system. This - system is used for most network related operations between - Windows NT machines including remote management, user authentication - and print spooling. Although initially this work was done - to aid the implementation of Primary Domain Controller (PDC) - functionality in Samba, it has also yielded a body of code which - can be used for other purposes.

Several things have to be done:

Winbind uses various MSRPC calls to enumerate domain users - and groups and to obtain detailed information about individual - users or groups. Other MSRPC calls can be used to authenticate - NT domain users and to change user passwords. By directly querying - a Windows PDC for user and group information, winbind maps the - NT account information onto UNIX user and group names.

  • The file private/MACHINE.SID identifies the domain. When a samba +server is first started, it is created on the fly and must never be +changed again. This file has to be the same on the PDC and the BDC, +so the MACHINE.SID has to be copied from the PDC to the BDC.

  • The Unix user database has to be synchronized from the PDC to the +BDC. This means that both the /etc/passwd and /etc/group have to be +replicated from the PDC to the BDC. This can be done manually +whenever changes are made, or the PDC is set up as a NIS master +server and the BDC as a NIS slave server. To set up the BDC as a +mere NIS client would not be enough, as the BDC would not be able to +access its user database in case of a PDC failure.

  • The Samba password database in the file private/smbpasswd has to be +replicated from the PDC to the BDC. This is a bit tricky, see the +next section.

  • Any netlogon share has to be replicated from the PDC to the +BDC. This can be done manually whenever login scripts are changed, +or it can be done automatically together with the smbpasswd +synchronization.

Finally, the BDC has to be found by the workstations. This can be done +by setting

workgroup = samba
+domain master = no
+domain logons = yes

in the [global]-section of the smb.conf of the BDC. This makes the BDC +only register the name SAMBA#1c with the WINS server. This is no +problem as the name SAMBA#1c is a NetBIOS group name that is meant to +be registered by more than one machine. The parameter 'domain master = +no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS +name is reserved for the Primary Domain Controller.

9.5.1. How do I replicate the smbpasswd file?

Replication of the smbpasswd file is sensitive. It has to be done +whenever changes to the SAM are made. Every user's password change is +done in the smbpasswd file and has to be replicated to the BDC. So +replicating the smbpasswd file very often is necessary.

As the smbpasswd file contains plain text password equivalents, it +must not be sent unencrypted over the wire. The best way to set up +smbpasswd replication from the PDC to the BDC is to use the utility +rsync. rsync can use ssh as a transport. ssh itself can be set up to +accept *only* rsync transfer without requiring the user to type a +password.

Chapter 10. Storing Samba's User/Machine Account information in an LDAP Directory

10.1. Purpose

This document describes how to use an LDAP directory for storing Samba user +account information traditionally stored in the smbpasswd(5) file. It is +assumed that the reader already has a basic understanding of LDAP concepts +and has a working directory server already installed. For more information +on LDAP architectures and Directories, please refer to the following sites.

Note that O'Reilly Publishing is working on +a guide to LDAP for System Administrators which has a planned release date of +early summer, 2002.

Two additional Samba resources which may prove to be helpful are

  • The Samba-PDC-LDAP-HOWTO + maintained by Ignacio Coupeau.

  • The NT migration scripts from IDEALX that are + geared to manage users and group in such a Samba-LDAP Domain Controller configuration. +

10.2. Introduction

Traditionally, when configuring "encrypt +passwords = yes" in Samba's smb.conf file, user account +information such as username, LM/NT password hashes, password change times, and account +flags have been stored in the smbpasswd(5) file. There are several +disadvantages to this approach for sites with very large numbers of users (counted +in the thousands).

  • The first is that all lookups must be performed sequentially. Given that +there are approximately two lookups per domain logon (one for a normal +session connection such as when mapping a network drive or printer), this +is a performance bottleneck for lareg sites. What is needed is an indexed approach +such as is used in databases.

  • The second problem is that administrators who desired to replicate a +smbpasswd file to more than one Samba server were left to use external +tools such as rsync(1) and ssh(1) +and wrote custom, in-house scripts.

  • And finally, the amount of information which is stored in an +smbpasswd entry leaves no room for additional attributes such as +a home directory, password expiration time, or even a Relative +Identified (RID).

As a result of these defeciencies, a more robust means of storing user attributes +used by smbd was developed. The API which defines access to user accounts +is commonly referred to as the samdb interface (previously this was called the passdb +API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support +for a samdb backend (e.g. --with-ldapsam or +--with-tdbsam) requires compile time support.

When compiling Samba to include the --with-ldapsam autoconf +option, smbd (and associated tools) will store and lookup user accounts in +an LDAP directory. In reality, this is very easy to understand. If you are +comfortable with using an smbpasswd file, simply replace "smbpasswd" with +"LDAP directory" in all the documentation.

There are a few points to stress about what the --with-ldapsam +does not provide. The LDAP support referred to in the this documentation does not +include:

  • A means of retrieving user account information from + an Windows 2000 Active Directory server.

  • A means of replacing /etc/passwd.

The second item can be accomplished by using LDAP NSS and PAM modules. LGPL +versions of these libraries can be obtained from PADL Software +(http://www.padl.com/). However, +the details of configuring these packages are beyond the scope of this document.

10.3. Supported LDAP Servers

The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP +2.0 server and client libraries. The same code should be able to work with +Netscape's Directory Server and client SDK. However, due to lack of testing +so far, there are bound to be compile errors and bugs. These should not be +hard to fix. If you are so inclined, please be sure to forward all patches to +samba-patches@samba.org and +jerry@samba.org.

10.4. Schema and Relationship to the RFC 2307 posixAccount

Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in +examples/LDAP/samba.schema. (Note that this schema +file has been modified since the experimental support initially included +in 2.2.2). The sambaAccount objectclass is given here:

objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
+     DESC 'Samba Account'
+     MUST ( uid $ rid )
+     MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+            logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
+            displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+            description $ userWorkstations $ primaryGroupID $ domain ))

The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are +owned by the Samba Team and as such is legal to be openly published. +If you translate the schema to be used with Netscape DS, please +submit the modified schema file as a patch to jerry@samba.org

Just as the smbpasswd file is mean to store information which supplements a +user's /etc/passwd entry, so is the sambaAccount object +meant to supplement the UNIX user account information. A sambaAccount is a +STRUCTURAL objectclass so it can be stored individually +in the directory. However, there are several fields (e.g. uid) which overlap +with the posixAccount objectclass outlined in RFC2307. This is by design.

In order to store all user account information (UNIX and Samba) in the directory, +it is necessary to use the sambaAccount and posixAccount objectclasses in +combination. However, smbd will still obtain the user's UNIX account +information via the standard C library calls (e.g. getpwnam(), et. al.). +This means that the Samba server must also have the LDAP NSS library installed +and functioning correctly. This division of information makes it possible to +store all Samba account information in LDAP, but still maintain UNIX account +information in NIS while the network is transitioning to a full LDAP infrastructure.

10.5. Configuring Samba with LDAP

10.5.1. OpenLDAP configuration

To include support for the sambaAccount object in an OpenLDAP directory +server, first copy the samba.schema file to slapd's configuration directory.

root# cp samba.schema /etc/openldap/schema/

Next, include the samba.schema file in slapd.conf. +The sambaAccount object contains two attributes which depend upon other schema +files. The 'uid' attribute is defined in cosine.schema and +the 'displayName' attribute is defined in the inetorgperson.schema +file. Bother of these must be included before the samba.schema file.

## /etc/openldap/slapd.conf
+
+## schema files (core.schema is required by default)
+include	           /etc/openldap/schema/core.schema
+
+## needed for sambaAccount
+include            /etc/openldap/schema/cosine.schema
+include            /etc/openldap/schema/inetorgperson.schema
+include            /etc/openldap/schema/samba.schema
+
+## uncomment this line if you want to support the RFC2307 (NIS) schema
+## include         /etc/openldap/schema/nis.schema
+
+....

It is recommended that you maintain some indices on some of the most usefull attributes, +like in the following example, to speed up searches made on sambaAccount objectclasses +(and possibly posixAccount and posixGroup as well).

# Indices to maintain
+## required by OpenLDAP 2.0
+index objectclass   eq
+
+## support pb_getsampwnam()
+index uid           pres,eq
+## support pdb_getsambapwrid()
+index rid           eq
+
+## uncomment these if you are storing posixAccount and
+## posixGroup entries in the directory as well
+##index uidNumber     eq
+##index gidNumber     eq
+##index cn            eq
+##index memberUid     eq

10.5.2. Configuring Samba

The following parameters are available in smb.conf only with --with-ldapsam +was included with compiling Samba.

These are described in the smb.conf(5) man +page and so will not be repeated here. However, a sample smb.conf file for +use with an LDAP directory could appear as

## /usr/local/samba/lib/smb.conf
+[global]
+     security = user
+     encrypt passwords = yes
+
+     netbios name = TASHTEGO
+     workgroup = NARNIA
+
+     # ldap related parameters
+
+     # define the DN to use when binding to the directory servers
+     # The password for this DN is not stored in smb.conf.  Rather it
+     # must be set by using 'smbpasswd -w secretpw' to store the
+     # passphrase in the secrets.tdb file.  If the "ldap admin dn" values
+     # changes, this password will need to be reset.
+     ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
+
+     #  specify the LDAP server's hostname (defaults to locahost)
+     ldap server = ahab.samba.org
+
+     # Define the SSL option when connecting to the directory
+     # ('off', 'start tls', or 'on' (default))
+     ldap ssl = start tls
+
+     # define the port to use in the LDAP session (defaults to 636 when
+     # "ldap ssl = on")
+     ldap port = 389
+
+     # specify the base DN to use when searching the directory
+     ldap suffix = "ou=people,dc=samba,dc=org"
+
+     # generally the default ldap search filter is ok
+     # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"

10.6. Accounts and Groups management

As users accounts are managed thru the sambaAccount objectclass, you should +modify you existing administration tools to deal with sambaAccount attributes.

Machines accounts are managed with the sambaAccount objectclass, just +like users accounts. However, it's up to you to stored thoses accounts +in a different tree of you LDAP namespace: you should use +"ou=Groups,dc=plainjoe,dc=org" to store groups and +"ou=People,dc=plainjoe,dc=org" to store users. Just configure your +NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration +file).

In Samba release 2.2.3, the group management system is based on posix +groups. This meand that Samba make usage of the posixGroup objectclass. +For now, there is no NT-like group system management (global and local +groups).

10.7. Security and sambaAccount

There are two important points to remember when discussing the security +of sambaAccount entries in the directory.

  • Never retrieve the lmPassword or + ntPassword attribute values over an unencrypted LDAP session.

  • Never allow non-admin users to + view the lmPassword or ntPassword attribute values.

These password hashes are clear text equivalents and can be used to impersonate +the user without deriving the original clear text strings. For more information +on the details of LM/NT password hashes, refer to the ENCRYPTION chapter of the Samba-HOWTO-Collection.

To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults +to require an encrypted session (ldap ssl = on) using +the default port of 636 +when contacting the directory server. When using an OpenLDAP 2.0 server, it +is possible to use the use the StartTLS LDAP extended operation in the place of +LDAPS. In either case, you are strongly discouraged to disable this security +(ldap ssl = off).

Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS +extended operation. However, the OpenLDAP library still provides support for +the older method of securing communication between clients and servers.

The second security precaution is to prevent non-administrative users from +harvesting password hashes from the directory. This can be done using the +following ACL in slapd.conf:

## allow the "ldap admin dn" access, but deny everyone else
+access to attrs=lmPassword,ntPassword
+     by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
+     by * none

10.8. LDAP specials attributes for sambaAccounts

The sambaAccount objectclass is composed of the following attributes:

  • lmPassword: the LANMAN password 16-byte hash stored as a character + representation of a hexidecimal string.

  • ntPassword: the NT password hash 16-byte stored as a character + representation of a hexidecimal string.

  • pwdLastSet: The integer time in seconds since 1970 when the + lmPassword and ntPassword attributes were last set. +

  • acctFlags: string of 11 characters surrounded by square brackets [] + representing account flags such as U (user), W(workstation), X(no password expiration), and + D(disabled).

  • logonTime: Integer value currently unused

  • logoffTime: Integer value currently unused

  • kickoffTime: Integer value currently unused

  • pwdCanChange: Integer value currently unused

  • pwdMustChange: Integer value currently unused

  • homeDrive: specifies the drive letter to which to map the + UNC path specified by homeDirectory. The drive letter must be specified in the form "X:" + where X is the letter of the drive to map. Refer to the "logon drive" parameter in the + smb.conf(5) man page for more information.

  • scriptPath: The scriptPath property specifies the path of + the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path + is relative to the netlogon share. Refer to the "logon script" parameter in the + smb.conf(5) man page for more information.

  • profilePath: specifies a path to the user's profile. + This value can be a null string, a local absolute path, or a UNC path. Refer to the + "logon path" parameter in the smb.conf(5) man page for more information.

  • smbHome: The homeDirectory property specifies the path of + the home directory for the user. The string can be null. If homeDrive is set and specifies + a drive letter, homeDirectory should be a UNC path. The path must be a network + UNC path of the form \\server\share\directory. This value can be a null string. + Refer to the "logon home" parameter in the smb.conf(5) man page for more information. +

  • userWorkstation: character string value currently unused. +

  • rid: the integer representation of the user's relative identifier + (RID).

  • primaryGroupID: the relative identifier (RID) of the primary group + of the user.

The majority of these parameters are only used when Samba is acting as a PDC of +a domain (refer to the Samba-PDC-HOWTO for details on +how to configure Samba as a Primary Domain Controller). The following four attributes +are only stored with the sambaAccount entry if the values are non-default values:

  • smbHome

  • scriptPath

  • logonPath

  • homeDrive

These attributes are only stored with the sambaAccount entry if +the values are non-default values. For example, assume TASHTEGO has now been +configured as a PDC and that logon home = \\%L\%u was defined in +its smb.conf file. When a user named "becky" logons to the domain, +the logon home string is expanded to \\TASHTEGO\becky. +If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", +this value is used. However, if this attribute does not exist, then the value +of the logon home parameter is used in its place. Samba +will only write the attribute value to the directory entry is the value is +something other than the default (e.g. \\MOBY\becky).

10.9. Example LDIF Entries for a sambaAccount

The following is a working LDIF with the inclusion of the posixAccount objectclass:

dn: uid=guest2, ou=people,dc=plainjoe,dc=org
+ntPassword: 878D8014606CDA29677A44EFA1353FC7
+pwdMustChange: 2147483647
+primaryGroupID: 1201
+lmPassword: 552902031BEDE9EFAAD3B435B51404EE
+pwdLastSet: 1010179124
+logonTime: 0
+objectClass: sambaAccount
+uid: guest2
+kickoffTime: 2147483647
+acctFlags: [UX         ]
+logoffTime: 2147483647
+rid: 19006
+pwdCanChange: 0

The following is an LDIF entry for using both the sambaAccount and +posixAccount objectclasses:

dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
+logonTime: 0
+displayName: Gerald Carter
+lmPassword: 552902031BEDE9EFAAD3B435B51404EE
+primaryGroupID: 1201
+objectClass: posixAccount
+objectClass: sambaAccount
+acctFlags: [UX         ]
+userPassword: {crypt}BpM2ej8Rkzogo
+uid: gcarter
+uidNumber: 9000
+cn: Gerald Carter
+loginShell: /bin/bash
+logoffTime: 2147483647
+gidNumber: 100
+kickoffTime: 2147483647
+pwdLastSet: 1010179230
+rid: 19000
+homeDirectory: /home/tashtego/gcarter
+pwdCanChange: 0
+pwdMustChange: 2147483647
+ntPassword: 878D8014606CDA29677A44EFA1353FC7

10.10. Comments

Please mail all comments regarding this HOWTO to jerry@samba.org. This documents was +last updated to reflect the Samba 2.2.3 release.

Chapter 11. Unified Logons between Windows NT and UNIX using Winbind

11.1. Abstract

Integration of UNIX and Microsoft Windows NT through + a unified logon has been considered a "holy grail" in heterogeneous + computing environments for a long time. We present + winbind, a component of the Samba suite + of programs as a solution to the unified logon problem. Winbind + uses a UNIX implementation + of Microsoft RPC calls, Pluggable Authentication Modules, and the Name + Service Switch to allow Windows NT domain users to appear and operate + as UNIX users on a UNIX machine. This paper describes the winbind + system, explaining the functionality it provides, how it is configured, + and how it works internally.

11.2. Introduction

It is well known that UNIX and Microsoft Windows NT have + different models for representing user and group information and + use different technologies for implementing them. This fact has + made it difficult to integrate the two systems in a satisfactory + manner.

One common solution in use today has been to create + identically named user accounts on both the UNIX and Windows systems + and use the Samba suite of programs to provide file and print services + between the two. This solution is far from perfect however, as + adding and deleting users on both sets of machines becomes a chore + and two sets of passwords are required both of which + can lead to synchronization problems between the UNIX and Windows + systems and confusion for users.

We divide the unified logon problem for UNIX machines into + three smaller problems:

  • Obtaining Windows NT user and group information +

  • Authenticating Windows NT users +

  • Password changing for Windows NT users +

Ideally, a prospective solution to the unified logon problem + would satisfy all the above components without duplication of + information on the UNIX machines and without creating additional + tasks for the system administrator when maintaining users and + groups on either system. The winbind system provides a simple + and elegant solution to all three components of the unified logon + problem.

11.3. What Winbind Provides

Winbind unifies UNIX and Windows NT account management by + allowing a UNIX box to become a full member of a NT domain. Once + this is done the UNIX box will see NT users and groups as if + they were native UNIX users and groups, allowing the NT domain + to be used in much the same manner that NIS+ is used within + UNIX-only environments.

The end result is that whenever any + program on the UNIX machine asks the operating system to lookup + a user or group name, the query will be resolved by asking the + NT domain controller for the specified domain to do the lookup. + Because Winbind hooks into the operating system at a low level + (via the NSS name resolution modules in the C library) this + redirection to the NT domain controller is completely + transparent.

Users on the UNIX machine can then use NT user and group + names as they would use "native" UNIX names. They can chown files + so that they are owned by NT domain users or even login to the + UNIX machine and run a UNIX X-Window session as a domain user.

The only obvious indication that Winbind is being used is + that user and group names take the form DOMAIN\user and + DOMAIN\group. This is necessary as it allows Winbind to determine + that redirection to a domain controller is wanted for a particular + lookup and which trusted domain is being referenced.

Additionally, Winbind provides an authentication service + that hooks into the Pluggable Authentication Modules (PAM) system + to provide authentication via a NT domain to any PAM enabled + applications. This capability solves the problem of synchronizing + passwords between systems since all passwords are stored in a single + location (on the domain controller).

11.3.1. Target Uses

Winbind is targeted at organizations that have an + existing NT based domain infrastructure into which they wish + to put UNIX workstations or servers. Winbind will allow these + organizations to deploy UNIX workstations without having to + maintain a separate account infrastructure. This greatly + simplifies the administrative overhead of deploying UNIX + workstations into a NT based organization.

Another interesting way in which we expect Winbind to + be used is as a central part of UNIX based appliances. Appliances + that provide file and print services to Microsoft based networks + will be able to use Winbind to provide seamless integration of + the appliance into the domain.

11.4. How Winbind Works

The winbind system is designed around a client/server + architecture. A long running winbindd daemon + listens on a UNIX domain socket waiting for requests + to arrive. These requests are generated by the NSS and PAM + clients and processed sequentially.

The technologies used to implement winbind are described + in detail below.

11.4.1. Microsoft Remote Procedure Calls

Over the last two years, efforts have been underway + by various Samba Team members to decode various aspects of + the Microsoft Remote Procedure Call (MSRPC) system. This + system is used for most network related operations between + Windows NT machines including remote management, user authentication + and print spooling. Although initially this work was done + to aid the implementation of Primary Domain Controller (PDC) + functionality in Samba, it has also yielded a body of code which + can be used for other purposes.

Winbind uses various MSRPC calls to enumerate domain users + and groups and to obtain detailed information about individual + users or groups. Other MSRPC calls can be used to authenticate + NT domain users and to change user passwords. By directly querying + a Windows PDC for user and group information, winbind maps the + NT account information onto UNIX user and group names.

9.4.2. Name Service Switch11.4.2. Name Service Switch

The Name Service Switch, or NSS, is a feature that is @@ -8110,8 +9413,8 @@ CLASS="SECT2" >

9.4.3. Pluggable Authentication Modules11.4.3. Pluggable Authentication Modules

Pluggable Authentication Modules, also known as PAM, @@ -8159,8 +9462,8 @@ CLASS="SECT2" >

9.4.4. User and Group ID Allocation11.4.4. User and Group ID Allocation

When a user or group is created under Windows NT @@ -8185,8 +9488,8 @@ CLASS="SECT2" >

9.4.5. Result Caching11.4.5. Result Caching

An active system can generate a lot of user and group @@ -8208,8 +9511,8 @@ CLASS="SECT1" >

9.5. Installation and Configuration11.5. Installation and Configuration

Many thanks to John Trostel

9.5.1. Introduction11.5.1. Introduction

This HOWTO describes the procedures used to get winbind up and @@ -8278,8 +9581,8 @@ CLASS="SECT2" >

9.5.2. Requirements11.5.2. Requirements

If you have a samba configuration file that you are currently @@ -8336,8 +9639,8 @@ CLASS="SECT2" >

9.5.3. Testing Things Out11.5.3. Testing Things Out

Before starting, it is probably best to kill off all the SAMBA @@ -8381,8 +9684,8 @@ CLASS="SECT3" >

9.5.3.1. Configure and compile SAMBA11.5.3.1. Configure and compile SAMBA

The configuration and compilation of SAMBA is pretty straightforward. @@ -8456,8 +9759,8 @@ CLASS="SECT3" >

9.5.3.2. Configure 11.5.3.2. Configure nsswitch.conf and the @@ -8546,8 +9849,8 @@ CLASS="SECT3" >

9.5.3.3. Configure smb.conf11.5.3.3. Configure smb.conf

Several parameters are needed in the smb.conf file to control @@ -8630,8 +9933,8 @@ CLASS="SECT3" >

9.5.3.4. Join the SAMBA server to the PDC domain11.5.3.4. Join the SAMBA server to the PDC domain

Enter the following command to make the SAMBA server join the @@ -8654,7 +9957,7 @@ CLASS="PROMPT" >root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator/usr/local/samba/bin/net rpc join -s PDC -U Administrator

The proper response to the command should be: "Joined the domain @@ -8676,8 +9979,8 @@ CLASS="SECT3" >

9.5.3.5. Start up the winbindd daemon and test it!11.5.3.5. Start up the winbindd daemon and test it!

Eventually, you will want to modify your smb startup script to @@ -8817,8 +10120,8 @@ CLASS="SECT3" >

9.5.3.6. Fix the 11.5.3.6. Fix the /etc/rc.d/init.d/smb startup files

9.5.3.7. Configure Winbind and PAM11.5.3.7. Configure Winbind and PAM

If you have made it this far, you know that winbindd and samba are working @@ -9169,8 +10472,8 @@ CLASS="SECT1" >

9.6. Limitations11.6. Limitations

Winbind has a number of limitations in its current @@ -9210,8 +10513,8 @@ CLASS="SECT1" >

9.7. Conclusion11.7. Conclusion

The winbind system, through the use of the Name Service @@ -9227,23 +10530,23 @@ CLASS="CHAPTER" >

Chapter 10. OS2 Client HOWTOChapter 12. OS2 Client HOWTO

10.1. FAQs12.1. FAQs

10.1.1. How can I configure OS/2 Warp Connect or +NAME="AEN2258" +>12.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?

10.1.2. How can I configure OS/2 Warp 3 (not Connect), +NAME="AEN2273" +>12.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?

10.1.3. Are there any other issues when OS/2 (any version) +NAME="AEN2282" +>12.1.3. Are there any other issues when OS/2 (any version) is used as a client?

10.1.4. How do I get printer driver download working +NAME="AEN2286" +>12.1.4. How do I get printer driver download working for OS/2 clients?

Chapter 11. HOWTO Access Samba source code via CVSChapter 13. HOWTO Access Samba source code via CVS

11.1. Introduction13.1. Introduction

Samba is developed in an open environment. Developers use CVS @@ -9454,8 +10757,8 @@ CLASS="SECT1" >

11.2. CVS Access to samba.org13.2. CVS Access to samba.org

The machine samba.org runs a publicly accessible CVS @@ -9467,8 +10770,8 @@ CLASS="SECT2" >

11.2.1. Access via CVSweb13.2.1. Access via CVSweb

You can access the source code via your @@ -9488,8 +10791,8 @@ CLASS="SECT2" >

11.2.2. Access via cvs13.2.2. Access via cvs

You can also access the source code via a @@ -9594,7 +10897,7 @@ CLASS="COMMAND" >

Index