From e4840f0db911eaf3aee1195030c6efca70d78f14 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 6 Dec 2001 07:37:58 +0000 Subject: merge from 2.2 (This used to be commit c5ee06b7c8fc9f1fec679acc7d7f47f333707456) --- docs/htmldocs/winbind.html | 362 ++++++++++++++++++++++++++++++++------------- 1 file changed, 263 insertions(+), 99 deletions(-) (limited to 'docs/htmldocs/winbind.html') diff --git a/docs/htmldocs/winbind.html b/docs/htmldocs/winbind.html index addf74935c..5148b4bc85 100644 --- a/docs/htmldocs/winbind.html +++ b/docs/htmldocs/winbind.html @@ -473,12 +473,22 @@ NAME="AEN89" >

If you have a samba configuration file that you are currently -using... BACK IT UP! If your system already uses PAM, BACK UP -THE BACK IT UP! If your system already uses PAM, +back up the /etc/pam.d directory contents! If you -haven't already made a boot disk, MAKE ON NOW!

directory +contents! If you haven't already made a boot disk, +MAKE ONE NOW!
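Review bot: the lock-out warning in this hunk would be more useful with the concrete mitigation stated next to it: keep a second root shell open for the whole time the /etc/pam.d files are being edited, and test a fresh login from another terminal before closing it, since an already-authenticated session is not affected by a broken PAM configuration and is the way back in when a new login fails.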

Messing with the pam configuration files can make it nearly impossible to log in to yourmachine. That's why you want to be able to boot back @@ -489,10 +499,15 @@ CLASS="FILENAME" > back to the original state they were in if you get frustrated with the way things are going. ;-)

The newest version of SAMBA (version 2.2.2), available from -cvs.samba.org, now include a functioning winbindd daemon. Please refer -to the main SAMBA web page or, better yet, your closest SAMBA mirror -site for instructions on downloading the source code.

The latest version of SAMBA (version 2.2.2 as of this writing), now +includes a functioning winbindd daemon. Please refer to the +main SAMBA web page or, +better yet, your closest SAMBA mirror site for instructions on +downloading the source code.

To allow Domain users the ability to access SAMBA shares and files, as well as potentially other services provided by your @@ -500,15 +515,21 @@ SAMBA machine, PAM (pluggable authentication modules) must be setup properly on your machine. In order to compile the winbind modules, you should have at least the pam libraries resident on your system. For recent RedHat systems (7.1, for instance), that -means 'pam-0.74-22'. For best results, it is helpful to also -install the development packages in 'pam-devel-0.74-22'.

pam-0.74-22
. For best results, it is helpful to also +install the development packages in pam-devel-0.74-22.


Testing Things Out

/usr/man entries for pam. Winbind built better in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, my RedHat -system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.

pam-0.74-22 and +pam-devel-0.74-22 RPMs installed.


Configure and compile SAMBA

The configuration and compilation of SAMBA is pretty straightforward. -The first three steps maynot be necessary depending upon +The first three steps may not be necessary depending upon whether or not you have previously built the Samba binaries.

root#  autoconf
+>root# autoconf
 root#  make clean
+>root# make clean
 root#  rm config.cache
+>root# rm config.cache
 root#  ./configure --with-winbind
+>root# ./configure --with-winbind
 root#  make
+>root# make
 root#  make install
root# make install

This will, by default, install SAMBA in /usr/local/samba. See the -main SAMBA documentation if you want to install SAMBA somewhere else. +>This will, by default, install SAMBA in /usr/local/samba. +See the main SAMBA documentation if you want to install SAMBA somewhere else. It will also build the winbindd executable and libraries.


Configure nsswitch.conf and the winbind librariesConfigure nsswitch.conf and the +winbind libraries

The libraries needed to run the winbind daemon through nsswitch -need to be copied to their proper locations, so

The libraries needed to run the winbindd daemon +through nsswitch need to be copied to their proper locations, so

root# cp ../samba/source/nsswitch/libnss_winbind.so /lib

root# cp ../samba/source/nsswitch/libnss_winbind.so /lib

I also found it necessary to make the following symbolic link:

root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
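Review bot: "I also found it necessary to make the following symbolic link" understates the requirement: glibc's NSS loader opens the module under the exact name libnss_<service>.so.2, so the /lib/libnss_winbind.so.2 link is mandatory, not incidental, and the text should say so. Because this library is loaded into every process that resolves a user or group name, the copy into /lib should be checked afterwards to be root-owned and not group- or world-writable (a plain `cp` from the build tree preserves the source mode modulo umask, which is not guaranteed to be what you want).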

Now, as root you need to edit winbindd -daemon, as well as from your /etc/hosts files and NIS servers. My -/etc/nsswitch.conf file look like this after editing:

file look like +this after editing:

	passwd:     files winbind
-	shadow:     files winbind
+	shadow:     files 
 	group:      files winbind
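Review bot: dropping winbind from the shadow line (`+	shadow:     files `) is the only semantic change in this hunk and the prose does not explain it; add a sentence saying that libnss_winbind serves only the passwd and group maps, so password checking for domain users has to go through pam_winbind and the domain controller rather than the shadow map, and `shadow: files winbind` was never doing anything. Also trim the trailing space after `files` on the new line.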

The libraries needed by the winbind daemon will be automatically -entered into the ldconfig cache the next time your system reboots, but it +entered into the ldconfig cache the next time +your system reboots, but it is faster (and you don't need to reboot) if you do it manually:

root# /sbin/ldconfig -v | grep winbind

root#
/sbin/ldconfig -v | grep winbind

This makes


Configure smb.conf

[global] <...> # separate domain and username with '+', like DOMAIN+username - winbind separator = + + winbind separator = + # use uids from 10000 to 20000 for domain users - winbind uid = 10000-20000 + winbind uid = 10000-20000 # use gids from 10000 to 20000 for domain groups - winbind gid = 10000-20000 + winbind gid = 10000-20000 # allow enumeration of winbind users and groups - winbind enum users = yes - winbind enum groups = yes + winbind enum users = yes + winbind enum groups = yes # give winbind users a real shell (only needed if they have telnet access) - template shell = /bin/bashtemplate homedir = /home/winnt/%D/%U + template shell = /bin/bash
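Review bot: the comment "give winbind users a real shell (only needed if they have telnet access)" next to `template shell = /bin/bash` should make the safe default explicit: leave `template shell` pointing at a non-login shell such as /bin/false unless domain users are meant to get interactive logins, because this single line hands a shell on the Samba host to every enumerated domain account once pam_winbind is wired into login services later in the document. The `winbind uid = 10000-20000` and `winbind gid = 10000-20000` lines also deserve a note that the ranges must not overlap any local uids/gids already in /etc/passwd and /etc/group, and that winbindd remembers the allocations, so the range should not be shrunk after use.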


Join the SAMBA server to the PDC domain

root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator

root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator

The proper response to the command should be: "Joined the domain
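Review bot: `smbpasswd -j DOMAIN -r PDC -U Administrator` prompts for the Administrator password; say so in the text and warn against the `-U Administrator%password` form, which leaves the password visible in the process list and in shell history. The quoted success message on the last line of this hunk is cut off after "Joined the domain"; complete the quote.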


Start up the winbindd daemon and test it!

root# /usr/local/samba/bin/winbindd

root# /usr/local/samba/bin/winbindd

I'm always paranoid and like to make sure the daemon is really running...

root# ps -ae | grep winbindd -3025 ? 00:00:00 winbindd

root# ps -ae | grep winbindd

This command should produce output like this, if the daemon is running

3025 ? 00:00:00 winbindd

Now... for the real test, try to get some information about the users on your PDC

root# # /usr/local/samba/bin/wbinfo -u

root# /usr/local/samba/bin/wbinfo -u

This should echo back a list of users on your Windows users on @@ -787,7 +900,13 @@ CEO+krbtgt CEO+TsInternetUser

Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.

Obviously, I have named my domain 'CEO' and my winbindd +separator is '+'.

You can do the same sort of thing to get group information from the PDC:

root# /usr/local/samba/bin/wbinfo -g +>root# /usr/local/samba/bin/wbinfo -g CEO+Domain Admins CEO+Domain Users CEO+Domain Guests @@ -815,8 +937,11 @@ Try the following command:

root# getent passwd

root# getent passwd

You should get a list that looks like your

root# getent group

root# getent group


Fix the /etc/rc.d/init.d/smb startup filesFix the /etc/rc.d/init.d/smb startup files

The

If you restart the smbd, nmbd, +and winbindd daemons at this point, you +should be able to connect to the samba server as a domain member just as +if you were a local user.
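Review bot: "restart the smbd, nmbd, and winbindd daemons at this point" should specify the order: start winbindd before smbd, because smbd relies on winbindd to map domain SIDs onto the uids/gids from the `winbind uid`/`winbind gid` ranges, and a share access that arrives before winbindd is up will fail its lookups. The heading promises a fix to /etc/rc.d/init.d/smb but the hunk shows no startup-file lines; add the actual lines or point at where they are.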


Configure Winbind and PAM

If you have made it this far, you know that winbindd is working. -Now it is time to integrate it into the operation of samba and other -services. The pam configuration files need to be altered in +>If you have made it this far, you know that winbindd and samba are working +together. If you want to use winbind to provide authentication for other +services, keep reading. The pam configuration files need to be altered in this step. (Did you remember to make backups of your original /etc/pam.d files? If not, do it now.)

To get samba to allow domain users and groups, I modified the +>You will need a pam module to use winbindd with these other services. This +module will be compiled in the ../source/nsswitch directory +by invoking the command

root# make nsswitch/pam_winbind.so

from the ../source directory. The /etc/pam.d/samba file from

pam_winbind.so file should be copied to the location of +your other pam security modules. On my RedHat system, this was the +/lib/security directory.

auth    required        /lib/security/pam_stack.so service=system-auth
-account required        /lib/security/pam_stack.so service=system-auth
root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security
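Review bot: the new instruction to build `nsswitch/pam_winbind.so` and `cp` it into /lib/security should also tell the reader to verify ownership and mode after the copy (root-owned, not writable by group or others). A writable module in /lib/security is loaded by every service whose PAM file references it, so it is a direct route to root; the build tree the file is copied from is typically owned by a non-root user, which is exactly the case where the mode needs checking.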

to

The /etc/pam.d/samba file does not need to be changed. I +just left this fileas it was:

auth    required        /lib/security/pam_winbind.so
-auth    required        /lib/security/pam_stack.so service=system-auth
-account required        /lib/security/pam_winbind.so
+>auth    required        /lib/security/pam_stack.so service=system-auth
 account required        /lib/security/pam_stack.so service=system-auth

auth       sufficient   /lib/security/pam_winbind.so
-auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+>auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth       sufficient   /lib/security/pam_winbind.so
 auth       required     /lib/security/pam_stack.so service=system-auth
 auth       required     /lib/security/pam_shells.so
+account    sufficient   /lib/security/pam_winbind.so
 account    required     /lib/security/pam_stack.so service=system-auth
 session    required     /lib/security/pam_stack.so service=system-auth
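Review bot: moving `auth sufficient /lib/security/pam_winbind.so` below the `pam_listfile.so item=user sense=deny file=/etc/ftpusers` line is the important fix in this hunk and the prose should say why: with pam_winbind first, a successful domain authentication returned success before the /etc/ftpusers deny list was consulted, so a listed user who could authenticate against the domain got in. With the new ordering the required deny check runs first and its failure is carried through regardless of what pam_winbind returns. While here, `onerr=succeed` makes the deny list fail open when /etc/ftpusers is missing or unreadable; for a deny list `onerr=fail` is the safer setting and is worth a sentence in the text.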

winbind.so
line to get rid of annoying double prompts for passwords.

Finally, don't forget to copy the winbind pam modules from -the source directory in which you originally compiled the new -SAMBA up to the /lib/security directory so that pam can use it:

root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security


Limitations


Conclusion