From 7a959e81d42bdff1269589b7d17a12ab0b3243be Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 8 May 2002 15:37:14 +0000 Subject: merging some changes from SAMBA_2_2 (This used to be commit e8ede079b5af4187573f1b8ed0d94b6f03cbbd22) --- docs/textdocs/Solaris-Winbind-HOWTO.txt | 361 ++++++++++++++++++++++++++++++++ 1 file changed, 361 insertions(+) create mode 100644 docs/textdocs/Solaris-Winbind-HOWTO.txt (limited to 'docs/textdocs/Solaris-Winbind-HOWTO.txt') diff --git a/docs/textdocs/Solaris-Winbind-HOWTO.txt b/docs/textdocs/Solaris-Winbind-HOWTO.txt new file mode 100644 index 0000000000..a81bacf486 --- /dev/null +++ b/docs/textdocs/Solaris-Winbind-HOWTO.txt @@ -0,0 +1,361 @@ +!== +!== Solaris-Winbind-HOWTO.txt +!== +Contributors: Naag Mummaneni +Updated: May 2, 2002 +Status: Current + +Subject: Installing and Configuring Winbind on Solaris +============================================================================= + +Installation and Configuration of Winbind on Solaris. +----------------------------------------------------- + +This HOWTO describes how to get winbind services up and running to control +access and authenticate users on your Solaris box using the winbind services +which come with SAMBA 2.2.x latest CVS Checkout.Make sure you are using the +latest Samba 2.2.x cvs checkout as other versions come with a lots of bugs +regarding winbind .And even the Latest Samba Stable Release is also not an +exception to this. + +Introduction +------------ + +This HOWTO describes the procedures used to get winbind up and running on a +Solaris system. Winbind is capable of providing access and authentication +control for Windows Domain users through an NT or Win2K PDC for 'regular' +services, such as telnet and ftp, as well for SAMBA services. + +Why should I to this? + +This allows the SAMBA administrator to rely on the authentication mechanisms +on the NT/Win2K PDC for the authentication of domain members. NT/Win2K users +no longer need to have separate accounts on the SAMBA server. + +Who should be reading this document? + +This HOWTO is designed for system administrators. If you are implementing +SAMBA on a file server and wish to (fairly easily) integrate existing +NT/Win2K users from your PDC onto the SAMBA server, this HOWTO is for you. + +Requirements +------------ + +If you have a samba configuration file that you are currently using... BACK +IT UP! If your system already uses PAM, back up the /etc/pam.conf file ! If +you haven't already made a boot disk, MAKEONE NOW! Messing with the pam +configuration file can make it nearly impossible to log in to yourmachine. +That's why you want to be able to boot back into your machine in single user +mode and restore your /etc/pam.conf back to the original state they were in +if you get frustrated with the way things are going. ;-) Please refer to the +main SAMBA web page or, better yet, your closest SAMBA mirror site for +instructions on downloading the source code of Samba 2.2.x from the SAMBA +CVS repository. To allow Domain users the ability to access SAMBA shares and +files, as well as potentially other services provided by your SAMBA machine, +PAM (pluggable authentication modules) must be setup properly on your +machine. In order to compile the winbind modules, you should have at least +the pam libraries resident on your system. Solaris 7/8 has its pam modules +coming with the distribution itself. + +Testing Things Out +------------------ + +Before starting, it is probably best to kill off all the SAMBA related +daemons running on your server. Kill off all smbd, nmbd, and winbindd +processes that may be running. + + +Configure and compile SAMBA +--------------------------- + +The configuration and compilation of SAMBA is pretty straightforward. The +first three steps may not be necessary depending upon whether or not you +have previously built the Samba binaries. + +root# autoconf +root# make clean +root# rm config.cache +root# ./configure --with-winbind --with-pam +root# make +root# make install + +This will, by default, install SAMBA in /usr/local/samba. See the main SAMBA +documentation if you want to install SAMBA somewhere else. It will also +build the winbindd executable and libraries. + +Configure nsswitch.conf and the winbind libraries +------------------------------------------------- + +The libraries needed to run the winbindd daemon through nsswitch need to be +copied to their proper locations, so + +root# cp ../samba/source/nsswitch/libnss_winbind.so /usr/lib + +I also found it necessary to make the following symbolic links: + +root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 +root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.2 +root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 +root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2 + +Now, as root you need to edit /etc/nsswitch.conf to allow user and group +entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file +look like this after editing: + + passwd: files winbind + group: files winbind + + +Configure smb.conf +------------------ + +Several parameters are needed in the smb.conf file to control the behavior +of winbindd. Configure smb.conf These are described in more detail in the +winbindd(8) man page. My smb.conf file was modified to include the following +entries in the [global] section: + +[global] + <...> + # The previous documentation says to + # as the "winbind seperator " directive also but + # it is no longer supported. + + # use uids from 10000 to 20000 for domain users + winbind uid = 10000-20000 + + # use gids from 10000 to 20000 for domain groups + winbind gid = 10000-20000 + + # allow enumeration of winbind users and groups + winbind enum users = yes + winbind enum groups = yes + + # give winbind users a real shell (only needed if + # they have telnet access) + template homedir = /home/winnt/%D/%U + template shell = /bin/bash + + +Join the SAMBA server to the PDC domain +--------------------------------------- + +Enter the following command to make the SAMBA server join the PDC domain, +where DOMAIN is the name of your Windows domain and Administrator is a +domain user who has administrative privileges in the domain. + +root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator + +The proper response to the command should be: "Joined the domain DOMAIN" +where DOMAIN is your DOMAIN name. + +Start up the winbindd daemon and test it! + +Eventually, you will want to modify your smb startup script to automatically +invoke the winbindd daemon when the other parts of SAMBA start, but it is +possible to test out just the winbind portion first. To start up winbind +services, enter the following command as root: + +root# /usr/local/samba/bin/winbindd + +I'm always paranoid and like to make sure the daemon is really running... + +root# ps -ae | grep winbindd + +This command should produce output like this, if the daemon is running + + 3025 ? 00:00:00 winbindd + +Now... for the real test, try to get some information about the users on +your PDC + +root# /usr/local/samba/bin/wbinfo -u + +This should echo back a list of users on your Windows users on your PDC. For +example, I get the following response: + +CEO\Administrator +CEO\burdell +CEO\Guest +CEO\jt-ad +CEO\krbtgt +CEO\TsInternetUser + +root# /usr/local/samba/bin/wbinfo -g + +CEO\Domain Admins +CEO\Domain Users +CEO\Domain Guests +CEO\Domain Computers +CEO\Domain Controllers +CEO\Cert Publishers +CEO\Schema Admins +CEO\Enterprise Admins +CEO\Group Policy Creator Owners + +The function 'getent' can now be used to get unified lists of both local and +PDC users and groups. Try the following command: + +root# getent passwd + +You should get a list that looks like your /etc/passwd list followed by the domain users with their new +uids, gids, home directories and default shells. + +The same thing can be done for groups with the command + +root# getent group + +Fix the /etc/rc.d/init.d/samba.server startup files The winbindd daemon +needs to start up after the smbd and nmbd daemons are running. To accomplish +this task, you need to modify the /etc/init.d/samba.server script to add +commands to invoke this daemon in the proper sequence. My +/etc/init.d/samba.server file starts up smbd, nmbd, and winbindd from the +/usr/local/samba/bin directory directly. + +## +## samba.server +## + +if [ ! -d /usr/bin ] +then # /usr not mounted + exit +fi + +killproc() { # kill the named process(es) + pid=`/usr/bin/ps -e | + /usr/bin/grep -w $1 | + /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` + [ "$pid" != "" ] && kill $pid +} + +# Start/stop processes required for samba server + +case "$1" in + +'start') +# +# Edit these lines to suit your installation (paths, workgroup, host) +# +echo Starting SMBD + /usr/local/samba/bin/smbd -D -s \ + /usr/local/samba/smb.conf + +echo Starting NMBD + /usr/local/samba/bin/nmbd -D -l \ + /usr/local/samba/var/log -s /usr/local/samba/smb.conf + +echo Starting Winbind Daemon + /usr/local/samba/bin/winbindd + ;; + +'stop') + killproc nmbd + killproc smbd + killproc winbindd + ;; + +*) + echo "Usage: /etc/init.d/samba.server { start | stop }" + ;; +esac + +If you restart the smbd, nmbd, and winbindd daemons at this point, you +should be able to connect to the samba server as a domain member just as if +you were a local user. + + +Configure Winbind and PAM +------------------------- + +If you have made it this far, you know that winbindd and samba are working +together. If you want to use winbind to provide authentication for other +services, keep reading. The pam configuration file need to be altered in +this step. (Did you remember to make backups of your original /etc/pam.conf +file? If not, do it now.) You will need a pam module to use winbindd with +these other services. This module will be compiled in the ../source/nsswitch +directory by default when we used ./configure --with-pam option. + +root# make nsswitch/pam_winbind.so + +from the ../source directory. The pam_winbind.so file should be copied to +the location of your other pam security modules. On my Solaris 8, this was +the /usr/lib/security directory. + +root# cp ../samba/source/nsswitch/pam_winbind.so /usr/lib/security + +The /etc/pam.conf need to be changed. I changed this file so that my Domain +users can logon both locally as well as telnet.The following are the changes +that I made.You can customize the pam.conf file as per your requirements,but +be sure of those changes because in the worst case it will leave your system +nearly impossible to boot. + +# +#ident "@(#)pam.conf 1.14 99/09/16 SMI" +# +# Copyright (c) 1996-1999, Sun Microsystems, Inc. +# All Rights Reserved. +# +# PAM configuration +# +# Authentication management +# +login auth required /usr/lib/security/pam_winbind.so +login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass +login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass +# +rlogin auth sufficient /usr/lib/security/pam_winbind.so +rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 +rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass +# +dtlogin auth sufficient /usr/lib/security/pam_winbind.so +dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass +# +rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 +other auth sufficient /usr/lib/security/pam_winbind.so +other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass +# +# Account management +# +login account sufficient /usr/lib/security/pam_winbind.so +login account requisite /usr/lib/security/$ISA/pam_roles.so.1 +login account required /usr/lib/security/$ISA/pam_unix.so.1 +# +dtlogin account sufficient /usr/lib/security/pam_winbind.so +dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 +dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 +# +other account sufficient /usr/lib/security/pam_winbind.so +other account requisite /usr/lib/security/$ISA/pam_roles.so.1 +other account required /usr/lib/security/$ISA/pam_unix.so.1 +# +# Session management +# +other session required /usr/lib/security/$ISA/pam_unix.so.1 +# +# Password management +# +#other password sufficient /usr/lib/security/pam_winbind.so +other password required /usr/lib/security/$ISA/pam_unix.so.1 +dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 +# +# Support for Kerberos V5 authentication (uncomment to use Kerberos) +# +#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass +#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass +#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass +#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass +#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 +#other account optional /usr/lib/security/$ISA/pam_krb5.so.1 +#other session optional /usr/lib/security/$ISA/pam_krb5.so.1 +#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + +I also added a try_first_pass line after the winbind.so line to get rid of +annoying double prompts for passwords. + +Now restart your Samba & try connecting through your application that you +configured in the pam.conf. + + + +!== +!== end of Solaris-Winbind-HOWTO.txt +!== -- cgit