From e4840f0db911eaf3aee1195030c6efca70d78f14 Mon Sep 17 00:00:00 2001
From: Gerald Carter
pam_smbpass.so module is provided by
-Samba version 2.2.1 or later. It can be compiled only if the
---with-pam --with-pam_smbpass options are both
-provided to the Samba configure program.
Windows 2000 Service Pack 2 Clients |
Samba 2.2.1 is required for PDC functionality when using Windows 2000 - SP2 clients. - |
The following pieces of functionality are not included in the 2.2 release:
Please note that Windows 9x clients are not true members of a domain for reasons outlined in this article. Therefore the protocol for -support Windows 9x style domain logons is completely different +support Windows 9x-style domain logons is completely different from NT4 domain logons and has been officially supported for some time.
. For convenience, the parameters have been linked with the actual smb.conf description.
Here is an example smb.conf for acting as a PDC:
Here is an example smb.conf for acting as a PDC:add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u[global] + # <...remainder of parameters...> + add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u |
The procedure for joining a client to the domain varies with the +version of Windows.
In Samba 2.2.1, only the root account can be used to create -machine accounts like this. Therefore, it is required to create -an entry in smbpasswd for root. The password -SHOULD be set to a different password that the -associated Windows 2000
When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A + Samba administrative account (i.e., a Samba account that has root + privileges on the Samba server) must be entered here; the + operation will fail if an ordinary user account is given. + The password for this account should be + set to a different password than the associated + /etc/passwd entry for security reasons.
entry, for security + reasons.The session key of the Samba administrative account acts as an + encryption key for setting the password of the machine trust + account. The machine trust account will be created on-the-fly, or + updated if it already exists.
Windows NT
If the machine trust account was created manually, on the + Identification Changes menu enter the domain name, but do not + check the box "Create a Computer Account in the Domain." In this case, + the existing machine trust account is used to join the machine to + the domain.
If the machine trust account is to be created + on-the-fly, on the Identification Changes menu enter the domain + name, and check the box "Create a Computer Account in the Domain." In + this case, joining the domain proceeds as above for Windows 2000 + (i.e., you must supply a Samba administrative account when + prompted).
/etc/passwd of the machine name with a '$' appended. FreeBSD (and other BSD - systems ?) won't create a user with a '$' in their name. + systems?) won't create a user with a '$' in their name.
The problem is only in the program used to make the entry, once @@ -6202,7 +6296,7 @@ CLASS="COMMAND" >vipw to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a - unique uid ! + unique User ID !
This happens if you try to create a machine account from the +> This happens if you try to create a machine trust account from the machine itself and already have a connection (e.g. mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all network drive connections: @@ -6266,17 +6360,17 @@ CLASS="COMMAND" >
The machine account for this computer either does not +>The machine trust account for this computer either does not exist or is not accessible.
When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessible". Whats + for this computer either does not exist or is not accessible". What's wrong?
This problem is caused by the PDC not having a suitable machine account. +> This problem is caused by the PDC not having a suitable machine trust account. If you are using the
Alternatively if you are creating account entries manually then they have not been created correctly. Make sure that you have the entry - correct for the machine account in smbpasswd file on the Samba PDC. + correct for the machine trust account in smbpasswd file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure that the account name is the machine NetBIOS name with a '$' appended to it ( i.e. computer_name$ ). There must be an entry @@ -6371,7 +6465,7 @@ CLASS="SECT1" >
What about Windows NT Policy Editor ?What about Windows NT Policy Editor?
Can Win95 do Policies ?Can Win95 do Policies?
Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager' ? + the 'User Manager for Domains', the 'Server Manager'?
Microsoft distributes a version of these tools called nexus for @@ -6528,8 +6622,8 @@ CLASS="SECT1" >
There are many sources of information available in the form
@@ -6592,7 +6686,7 @@ HREF="http://www.tcpdump.org/"
TARGET="_top"
>http://www.tcpdup.org/.
- Ethereal, another good packet sniffer for UNIX and Win32
+ Ethereal, another good packet sniffer for Unix and Win32
hosts, can be downloaded from How do I get help from the mailing lists ?How do I get help from the mailing lists?
Please think carefully before attaching a document to an email.
Consider pasting the relevant parts into the body of the message. The samba
mailing lists go to a huge number of people, do they all need a copy of your
- smb.conf in their attach directory ?
How do I get off the mailing lists ?How do I get off the mailing lists?
Issues related to the single-logon network model are discussed in this -document. Samba supports domain logons, network logon scripts, and user -profiles for MS Windows for workgroups and MS Windows 9X clients.
When an SMB client in a domain wishes to logon it broadcast requests for a logon server. The first one to reply gets the job, and validates its @@ -6967,37 +7064,12 @@ servers advertising themselves as participating in a domain. This demonstrates how authentication is quite different from but closely involved with domains.
Another thing commonly associated with single-logon domains is remote -administration over the SMB protocol. Again, there is no reason why this -cannot be implemented with an underlying username database which is -different from the Windows NT SAM. Support for the Remote Administration -Protocol is planned for a future release of Samba.
Network logon support as discussed in this section is aimed at Window for -Workgroups, and Windows 9X clients.
Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51. -It is possible to specify: the profile location; script file to be loaded -on login; the user's home directory; and for NT a kick-off time could also -now easily be supported. However, there are some differences between Win9X -profile support and WinNT profile support. These are discussed below.
With NT Workstations, all this does not require the use or intervention of -an NT 4.0 or NT 3.51 server: Samba can now replace the logon services -provided by an NT server, to a limited and experimental degree (for example, -running "User Manager for Domains" will not provide you with access to -a domain created by a Samba Server).
With Win95, the help of an NT server can be enlisted, both for profile storage -and for user authentication. For details on user authentication, see -security_level.txt. For details on profile storage, see below.
Using these features you can make your clients verify their logon via the Samba server; make clients run a batch file when they logon to the network and download their preferences, desktop and start menu.
Before launching into the configuration instructions, it is worthwhile looking -at how a Win9X client performs a logon:
Before launching into the configuration instructions, it is +worthwhile lookingat how a Windows 9x/ME client performs a logon:The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS address DOMAIN<00> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -7060,122 +7132,27 @@ CLASS="SECT2" >
To use domain logons and profiles you need to do the following:
Create a share called [netlogon] in your smb.conf. This share should - be readable by all users, and probably should not be writeable. This - share will hold your network logon scripts, and the CONFIG.POL file - (Note: for details on the CONFIG.POL file, how to use it, what it is, - refer to the Microsoft Windows NT Administration documentation. - The format of these files is not known, so you will need to use - Microsoft tools). -
For example I have used: -
[netlogon] - path = /data/dos/netlogon - writeable = no - guest ok = no |
Note that it is important that this share is not writeable by ordinary - users, in a secure environment: ordinary users should not be allowed - to modify or add files that another user's computer would then download - when they log in. -
in the [global] section of smb.conf set the following: -
domain logons = yes -logon script = %U.bat - |
The choice of batch file is, of course, up to you. The above would - give each user a separate batch file as the %U will be changed to - their username automatically. The other standard % macros may also be - used. You can make the batch files come from a subdirectory by using - something like: -
The main difference between a PDC and a Windows 9x logon +server configuration is thatlogon script = scripts\%U.bat - |
create the batch files to be run when the user logs in. If the batch - file doesn't exist then no batch file will be run. -
In the batch files you need to be careful to use DOS style cr/lf line - endings. If you don't then DOS may get confused. I suggest you use a - DOS editor to remotely edit the files if you don't know how to produce - DOS style files under unix. -
Password encryption is not required for a Windows 9x logon server.Use smbclient with the -U option for some users to make sure that - the \\server\NETLOGON share is available, the batch files are - visible and they are readable by the users. -
Windows 9x/ME clients do not possess machine trust accounts.you will probably find that your clients automatically mount the - \\SERVER\NETLOGON share as drive z: while logging in. You can put - some useful programs there to execute from the batch files. -
mode security is really just a variation on SMB user level security.
Actually, this issue is also closer tied to the debate on whether +>Actually, this issue is also closely tied to the debate on whether or not Samba must be the domain master browser for its workgroup when operating as a DC. While it may technically be possible to configure a server as such (after all, browsing and domain logons @@ -7249,7 +7226,7 @@ CLASS="SECT2" >
To support WinNT clients, inn the [global] section of smb.conf set the +>To support WinNT clients, in the [global] section of smb.conf set the following (for example):
This will, by default, install SAMBA in /usr/local/samba. See the -main SAMBA documentation if you want to install SAMBA somewhere else. +>This will, by default, install SAMBA in /usr/local/samba. +See the main SAMBA documentation if you want to install SAMBA somewhere else. It will also build the winbindd executable and libraries.
The libraries needed to run the winbind daemon through nsswitch -need to be copied to their proper locations, so
The libraries needed to run the winbindd daemon +through nsswitch need to be copied to their proper locations, soroot# cp ../samba/source/nsswitch/libnss_winbind.so /lib
root# cp ../samba/source/nsswitch/libnss_winbind.so /libI also found it necessary to make the following symbolic link:
root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2Now, as root you need to edit winbindd -daemon, as well as from your /etc/hosts files and NIS servers. My -/etc/nsswitch.conf file look like this after editing:
file look like +this after editing:root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator
root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U AdministratorThe proper response to the command should be: "Joined the domain
9.5.3.5. Start up the winbindd daemon and test it!
root# /usr/local/samba/bin/winbindd
root# /usr/local/samba/bin/winbinddI'm always paranoid and like to make sure the daemon is really running...
root# ps -ae | grep winbindd -3025 ? 00:00:00 winbindd
root# ps -ae | grep winbinddThis command should produce output like this, if the daemon is running
3025 ? 00:00:00 winbindd
Now... for the real test, try to get some information about the users on your PDC
root# # /usr/local/samba/bin/wbinfo -u
root# /usr/local/samba/bin/wbinfo -uThis should echo back a list of users on your Windows users on @@ -8656,7 +8743,13 @@ CEO+TsInternetUser
Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.
Obviously, I have named my domain 'CEO' and my winbindd +separator is '+'.You can do the same sort of thing to get group information from the PDC:
root# /usr/local/samba/bin/wbinfo -g +>root# /usr/local/samba/bin/wbinfo -g CEO+Domain Admins CEO+Domain Users CEO+Domain Guests @@ -8693,8 +8789,11 @@ Try the following command:root# getent passwd
root# getent passwdYou should get a list that looks like your
root# getent group
root# getent groupThe
If you restart the smbd, nmbd, +and winbindd daemons at this point, you +should be able to connect to the samba server as a domain member just as +if you were a local user.
If you have made it this far, you know that winbindd is working. -Now it is time to integrate it into the operation of samba and other -services. The pam configuration files need to be altered in +>If you have made it this far, you know that winbindd and samba are working +together. If you want to use winbind to provide authentication for other +services, keep reading. The pam configuration files need to be altered in this step. (Did you remember to make backups of your original /etc/pam.d files? If not, do it now.)
To get samba to allow domain users and groups, I modified the +>You will need a pam module to use winbindd with these other services. This +module will be compiled in the ../source/nsswitch directory +by invoking the command
root# make nsswitch/pam_winbind.so
from the ../source directory. The /etc/pam.d/samba file from
pam_winbind.so file should be copied to the location of +your other pam security modules. On my RedHat system, this was the +/lib/security directory.auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-auth |
to
The /etc/pam.d/samba file does not need to be changed. I +just left this fileas it was:auth required /lib/security/pam_winbind.so -auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_winbind.so +>auth required /lib/security/pam_stack.so service=system-auth account required /lib/security/pam_stack.so service=system-auth | auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +>auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_shells.so +account sufficient /lib/security/pam_winbind.so account required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth | winbind.so line to get rid of annoying
double prompts for passwords.
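Review bot: in the ftp PAM hunk, moving `auth sufficient /lib/security/pam_winbind.so` to after `auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed` is the right fix, and the reason should be stated in the surrounding text: a `sufficient` module that succeeds ends the auth stack, so in the old order (winbind first, listfile second) a user winbind accepted never reached the /etc/ftpusers deny check. Two follow-ups on the same lines: `onerr=succeed` turns the deny list into a no-op whenever /etc/ftpusers cannot be read, so `onerr=fail` is the safer setting for a deny list; and because the new `sufficient` line now sits ahead of `auth required /lib/security/pam_shells.so`, domain users also skip the shell check, which the text should say is intended (or reorder again if it is not).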
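Review bot: the hunk that collapses the step-by-step [netlogon] setup (the removed lines from "Create a share called [netlogon]" through "mount the \\SERVER\NETLOGON share as drive z:") also drops the security caveat that the share must not be writeable by ordinary users, since every client downloads and runs whatever logon script it finds there. The shortened Windows 9x logon-server text should keep that warning together with the `writeable = no` / `guest ok = no` example and the note that batch files need DOS-style CR/LF line endings, or say which section those moved to.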
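Review bot: the rewritten Windows 2000 join procedure keeps the advice that the Samba administrative account's password "should be set to a different password than the associated /etc/passwd entry", but the removed lines ("it is required to create an entry in smbpasswd for root") were the only place that said this account has to exist in smbpasswd. Say so explicitly in the new paragraph, because the following sentence relies on it: the session key that encrypts the machine trust account password comes from that account's SMB authentication, so an account that exists only in /etc/passwd will not work.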
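Review bot: the change from `DOMAIN<00>` to `DOMAIN<1c>` in the description of the Windows 9x logon broadcast is a substantive correction rather than an editorial one (the <1c> suffix is the domain-controllers group name that logon requests are addressed to; <00> is the plain workgroup/domain name), and the wording change from "NetBIOS address" to "NetBIOS name" is correct. Call the <00> to <1c> fix out in the commit message so readers of the old text know the previous value was wrong.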
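Review bot: in the winbind installation hunk, "I also found it necessary to make the following symbolic link" (`ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2`) should state the reason instead of presenting it as a personal observation: glibc loads NSS modules by the versioned name libnss_<service>.so.2, so without that link the `winbind` entries in /etc/nsswitch.conf are silently ignored. The same hunk should also say that `smbpasswd -j DOMAIN -r PDC -U Administrator` prompts for the domain Administrator password and that the quoted "Joined the domain" response is the success check to look for before `winbindd` is started.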
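Review bot: the PDC example's `add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u` creates each machine trust account with no home directory and no login shell, which is the safe setting, but the text should say that is the intent, and note that `-g 100` hard-codes a group id that must already exist on the server (and on many systems is the ordinary "users" group), so the reader should adapt it rather than copy it. Minor style point in the FreeBSD hunk: "unique User ID !" leaves a space before the exclamation mark, and the `computer_name$` naming rule repeated in the later "machine trust account for this computer either does not exist" entry could cross-reference the `vipw` workaround given here.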