Winbind/Smb Authentication
Jeff Graves
jeff at image-src.com
Tue Mar 30 17:54:45 UTC 2004
But:
1) Does sendmail still accept mail for these users since they are no longer local? I.e. my email is jeff at image-src.com; if I'm changing from /etc/passwd auth to winbind auth there won't be a user jeff local to the system anymore. Will I still be able to receive mail? Or does the system contact the PDC every time to see if there is a user by that name?
2) If people already have mbox dirs in their home-dirs, can I move these files over? It seems from the documentation that the user home directories get created on the fly? Does this also mean they are temporary?
3) I don't want these users to be able to log on locally, only via email protocols. Does that mean I only need to change /etc/pam.d/imap and files like this, or do I also need to change system-auth, or all of them for that matter?
Jeff Graves, MCP
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019
508.966.5200 - Phone
508.966.5170 - Fax
jeff at image-src.com - Email
-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Chris Purcell
Sent: Monday, March 29, 2004 4:16 PM
To: redhat-list at redhat.com
Subject: Re: Winbind/Smb Authentication
> I've been reading up on winbind and the samba authentication you can use
> in rh linux. I basically have a rh linux 9 mail server up and running
> with its own set of user accounts. Currently, I need to manage two sets
> of user accounts which is no fun. I know that if I had a week to read
> through the documentation, I could probably configure the box to
> authenticate off of my Win2K domain myself. I have to believe that there
> are plenty of people out there who have already done this so I'm trying
> to find a good tutorial on how to set up a Redhat Linux 9 box to
> authenticate off of a Win2K AD Domain with the intent of being a mail
> server. Anyone's input is appreciated.
Here are some notes that I took when I set this up the first time...
1. Edit the /etc/nsswitch.conf file to allow user and group entries to be visible from the winbindd daemon. You need to add winbind to the passwd and group entries...
passwd: files winbind
shadow: files
group: files winbind
2. Edit the smb.conf file...
[global]
winbind separator = -
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *
3. The next step is to join the domain. To do that use the net program
like this:
net join -S PDC -U Administrator
Sometimes you have to use this instead...
net rpc join -U Administrator
4. In /etc/pam.d/, edit the PAM files that you want to use winbind with. For example, the /etc/pam.d/system-auth file on Red Hat Linux 9.0 should look something like this...
[root at rh90 root]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
session required /lib/security/$ISA/pam_unix.so
Here's an example of the /etc/pam.d/login file from a Red Hat 7.2 system...
[root at rh72 pam.d]# cat login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_mkhomedir.so umask=0022
session optional /lib/security/pam_console.so
Here's an example of the /etc/pam.d/sshd file from a RH72 system...
[root at rh72 pam.d]# cat sshd
#%PAM-1.0
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
session required /lib/security/pam_mkhomedir.so umask=0022
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
5. Now start winbindd and nmbd and you should find that your user and group database is expanded to include your NT users and groups, and that you can login to your unix box as a domain user, using the DOMAIN+user syntax for the username. You may wish to use the commands getent passwd and getent group to confirm the correct operation of winbindd. Note, if you use the "winbind use default domain = yes" parameter in smb.conf, then you don't have to use the DOMAIN+user syntax, and can just use "user" without prepending the domain name.
6. Run some tests to ensure that everything is working okay.
getent passwd = returns all the users in Active Directory
getent group = returns all the groups in Active Directory
wbinfo -t = Verify that the workstation trust account created when the Samba server is added to the Windows NT domain is working.
[root at rh90 pam.d]# wbinfo -t
checking the trust secret via RPC calls succeeded
wbinfo -a = Attempt to authenticate a user via winbindd. This checks
both authentication methods and reports its results.
[root at rh90 pam.d]# wbinfo -a jdoe%mypassword
plaintext password authentication succeeded
challenge/response password authentication succeeded
wbinfo -r username = try to obtain the list of UNIX group ids to which the user belongs. This only works for users defined on a domain controller.
[root at rh90 pam.d]# wbinfo -r cpurcell
10154
10001
10069
wbinfo -u = returns list of domain users
wbinfo -g = returns list of domain groups
If Samba was installed from source, then you'll need to...
Copy libnss_winbind.so to /lib and pam_winbind.so to /lib/security. A symbolic link needs to be made from /lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you are using an older version of glibc then the target of the link should be /lib/libnss_winbind.so.1.
Chris Purcell, RHCE
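As an added example that is not part of the thread: a short Python simulation of how Linux-PAM walks the auth stacks quoted above, using constructed users, so the effect of placing pam_winbind as "sufficient" ahead of pam_unix (and of leaving a service's PAM file unedited, as asked in question 3) can be traced without a domain controller.

```python
# Added example, not from the mailing-list post: a minimal simulation of
# Linux-PAM control-flag semantics; nothing here calls winbindd or libpam.

# The auth section of the Red Hat 9 system-auth file quoted in step 4.
SYSTEM_AUTH = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]

# Same stack without pam_winbind: a service whose PAM file was not edited
# in step 4 (constructed to illustrate question 3 of the reply above).
LOCAL_ONLY = [(c, m) for c, m in SYSTEM_AUTH if m != "pam_winbind.so"]

ALWAYS_OK = {"pam_env.so"}     # succeeds for everyone
ALWAYS_FAIL = {"pam_deny.so"}  # fails for everyone

# Constructed users: the credential-checking module that accepts each one.
USERS = {
    "domain user": {"pam_winbind.so"},
    "local user": {"pam_unix.so"},
    "unknown user": set(),
}


def run_auth_stack(stack, ok_modules):
    """Return "success" or "fail" for one walk of an auth stack.

    Simplified Linux-PAM rules: a 'sufficient' success ends the stack with
    success unless a 'required' module already failed; a 'required' failure
    is remembered while the stack keeps running; a 'requisite' failure
    returns at once; 'optional' never decides the outcome."""
    required_failed = required_passed = False
    for control, module in stack:
        ok = module in ALWAYS_OK or (module not in ALWAYS_FAIL and module in ok_modules)
        if control == "sufficient":
            if ok and not required_failed:
                return "success"  # later modules (pam_deny) are skipped
        elif control == "requisite":
            if not ok:
                return "fail"
            required_passed = True
        elif control == "required":
            required_passed |= ok
            required_failed |= not ok
    return "fail" if required_failed or not required_passed else "success"


def outcomes(stack):
    """Map each constructed user to the result of the given stack."""
    return {name: run_auth_stack(stack, oks) for name, oks in USERS.items()}
```

Running outcomes() on both stacks shows that a domain user passes system-auth but is refused by any service whose PAM file still lacks pam_winbind, while local users and unknown names behave the same in both.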