[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Winbind/Smb Authentication


1) Does sendmail still accept mail for these users since they are no
longer local? I.e., my email is jeff image-src com; if I'm changing from
/etc/passwd auth to winbind auth there won't be a user jeff local to
the system anymore. Will I still be able to receive mail? Or does the
system contact the PDC every time to see if there is a user by that

2) If people already have mbox dirs in their home-dirs, can I move these
files over? It seems from the documentation that the user home
directories get created on the fly? Does this also mean they are

3) I don't want these users to be able to log on locally, only via email
protocols. Does that mean I only need to change /etc/pam.d/imap and
files like this or do I also need to change system-auth or all of them
for that matter.

Jeff Graves, MCP
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019

508.966.5200 - Phone
508.966.5170 - Fax
jeff image-src com - Email

-----Original Message-----
From: redhat-list-bounces redhat com
[mailto:redhat-list-bounces redhat com] On Behalf Of Chris Purcell
Sent: Monday, March 29, 2004 4:16 PM
To: redhat-list redhat com
Subject: Re: Winbind/Smb Authentication

> I've been reading up on winbind and the samba authentication you can
> in rh linux. I basically have a rh linux 9 mail server up and running
> with it's own set of user accounts. Currently, I need to manage two
> of user accounts which is no fun. I know that if I had a week to read
> through the documentation, I could probably configure the box to
> authenticate off of my Win2K domain myself. I have to believe that
> are plenty of people out there who have already done this so I'm
> to find a good tutorial on how to setup a Redhat Linux 9 box to
> authenticate off of a Win2K AD Domain with the intent of being a mail
> server. Anyone's input is appreciated.

Here are some notes that I took when I set this up the first time...

1. Edit the /etc/nsswitch.conf file to allow user and group entries to be
visible from the winbindd daemon.  You need to add winbind to the passwd
and group entries:

passwd:     files winbind
shadow:     files
group:      files winbind

2.  Edit the smb.conf file (these go in the [global] section):

        # character placed between domain and user name (DOMAIN-user)
        winbind separator = -
        # seconds winbindd caches user/group lookups
        winbind cache time = 10
        # shell and home directory handed to domain users (%D = domain, %U = user)
        template shell = /bin/bash
        template homedir = /home/%D/%U
        # UNIX uid/gid ranges allocated to domain users and groups
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        workgroup = DOMAIN
        # authenticate against the domain; * = locate a DC automatically
        security = domain
        password server = *

3.  The next step is to join the domain. To do that use the net program
like this:

net join -S PDC -U Administrator

Sometimes you have to use this instead:

net rpc join -U Administrator

4.  In /etc/pam.d/, edit the PAM files that you want to use winbind

Example, the /etc/pam.d/system-auth file on Red Hat Linux 9.0 should look
something like this:

[root rh90 root]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/pam_winbind.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel
session     required      /lib/security/$ISA/pam_unix.so

Here's an example of the /etc/pam.d/login file from a Red Hat 7.2 system:

[root rh72 pam.d]# cat login
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so umask=0022
session    optional     /lib/security/pam_console.so

Here's an example of the /etc/pam.d/sshd file from an RH72 system:

[root rh72 pam.d]# cat sshd
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_mkhomedir.so umask=0022
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

5.  Now start winbindd and nmbd and you should find that your user and
group database is expanded to include your NT users and groups, and that
you can login to your unix box as a domain user, using the DOMAIN+user
syntax for the username. You may wish to use the commands getent passwd
and getent group to confirm the correct operation of winbindd.   Note, if
you use the "winbind use default domain = yes" parameter in smb.conf,
you don't have to use the DOMAIN+user syntax, and can just use "user"
without prepending the domain name.

6.  Run some tests to ensure that everything is working okay.

getent passwd = returns all the users in Active Directory
getent group = returns all the groups in Active Directory

wbinfo -t = Verify that the workstation trust account created when the
Samba server is added to the Windows NT domain is working.

[root rh90 pam.d]# wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -a = Attempt to authenticate a user via winbindd. This checks
both authentication methods and reports its results.

[root rh90 pam.d]# wbinfo -a jdoe%mypassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -r username = try to obtain the list of UNIX group ids to which
the user belongs.  This only works for users defined on a

[root rh90 pam.d]# wbinfo -r cpurcell

wbinfo -u = returns list of domain users
wbinfo -g = returns list of domain groups

If Samba was installed from source, then you'll need to:

Copy libnss_winbind.so to /lib and pam_winbind.so to /lib/security. A
symbolic link needs to be made from /lib/libnss_winbind.so to
/lib/libnss_winbind.so.2. If you are using an older version of glibc
the target of the link should be /lib/libnss_winbind.so.1.

Chris Purcell, RHCE

redhat-list mailing list
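Two things about the PAM files in the notes above are worth checking before copying them onto a box that is supposed to take domain credentials only over mail protocols. First, system-auth is stacked (via pam_stack) by nearly every service on Red Hat 7.x/9, so putting pam_winbind in system-auth admits domain users to ssh, login and everything else, whereas putting it only in the mail services' files (imap, pop) scopes it to those. Second, a "sufficient" module that succeeds ends the auth stack right there, so in the posted sshd and login files a domain user accepted by pam_winbind never reaches pam_nologin (and in login, nothing after pam_securetty runs either). The following is an added example, not code from the thread: a small evaluator of Linux-PAM "auth" stack semantics (required/requisite/sufficient/optional plus pam_stack, simplified; no [value=action] syntax) fed with the sshd and system-auth files as posted, an assumed /etc/pam.d/imap that stacks only system-auth, and an assumed "mail-only" layout for comparison. Module pass/fail outcomes are supplied per scenario instead of coming from winbindd or /etc/shadow.

```python
"""Added example: simulate how Linux-PAM walks an 'auth' stack, to see which
services admit a domain user and which modules a 'sufficient' success skips.
Simplified semantics; not Samba or Red Hat code."""

from typing import Dict, List, Tuple

# Constructed input: the 'auth' lines of the RH 9 system-auth and RH 7.2 sshd
# files from the thread (module paths shortened to basenames), plus an ASSUMED
# /etc/pam.d/imap that only stacks system-auth.
PAMD_AS_POSTED: Dict[str, str] = {
    "system-auth": """
auth  required    pam_env.so
auth  sufficient  pam_winbind.so
auth  sufficient  pam_unix.so likeauth nullok
auth  required    pam_deny.so
""",
    "sshd": """
auth  sufficient  pam_winbind.so
auth  required    pam_stack.so service=system-auth
auth  required    pam_nologin.so
""",
    "imap": """
auth  required    pam_stack.so service=system-auth
""",
}

# ASSUMED alternative layout: pam_winbind only in the mail service file and
# never in system-auth, so domain accounts work for IMAP but not for ssh.
PAMD_MAIL_ONLY: Dict[str, str] = {
    "system-auth": """
auth  required    pam_env.so
auth  sufficient  pam_unix.so likeauth nullok
auth  required    pam_deny.so
""",
    "sshd": """
auth  required    pam_stack.so service=system-auth
auth  required    pam_nologin.so
""",
    "imap": """
auth  sufficient  pam_winbind.so
auth  required    pam_stack.so service=system-auth
""",
}

# Scenarios: module -> pass/fail.  Unlisted modules (pam_env, ...) pass and
# pam_deny.so always fails.  NOLOGIN_SET models /etc/nologin being present.
DOMAIN_USER = {"pam_winbind.so": True, "pam_unix.so": False}
LOCAL_USER = {"pam_winbind.so": False, "pam_unix.so": True}
NOLOGIN_SET = {"pam_nologin.so": False}

Entry = Tuple[str, str, List[str]]  # (control flag, module, args)


def parse_auth_lines(text: str) -> List[Entry]:
    """Return the 'auth' entries of a pam.d file, in order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        entries.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return entries


def run_auth(pamd: Dict[str, str], service: str, outcomes: Dict[str, bool],
             trace: List[str]) -> bool:
    """Walk one service's auth stack; record every module actually consulted."""
    failed = False  # set once a 'required' module has failed
    for control, module, args in parse_auth_lines(pamd[service]):
        if module == "pam_stack.so":
            sub = dict(a.split("=", 1) for a in args if "=" in a)["service"]
            ok = run_auth(pamd, sub, outcomes, trace)
        else:
            trace.append(module)
            ok = False if module == "pam_deny.so" else outcomes.get(module, True)
        if control == "required":
            failed = failed or not ok      # keep walking, but the stack fails
        elif control == "requisite" and not ok:
            return False                   # fail immediately
        elif control == "sufficient" and ok and not failed:
            return True                    # success ends the stack here
        # 'optional' never decides the outcome in this simplification
    return not failed


def services_admitting(pamd: Dict[str, str], outcomes: Dict[str, bool]) -> Dict[str, bool]:
    """Which real services (not the system-auth helper) pass this user's auth phase."""
    return {svc: run_auth(pamd, svc, outcomes, []) for svc in pamd if svc != "system-auth"}


def consulted(pamd: Dict[str, str], service: str, outcomes: Dict[str, bool]) -> List[str]:
    """Modules PAM would actually call for this service and scenario."""
    trace: List[str] = []
    run_auth(pamd, service, outcomes, trace)
    return trace


if __name__ == "__main__":
    print("as posted, domain user  :", services_admitting(PAMD_AS_POSTED, DOMAIN_USER))
    print("as posted, sshd consults:", consulted(PAMD_AS_POSTED, "sshd", {**DOMAIN_USER, **NOLOGIN_SET}))
    print("mail-only, domain user  :", services_admitting(PAMD_MAIL_ONLY, DOMAIN_USER))
    print("mail-only, local user   :", services_admitting(PAMD_MAIL_ONLY, LOCAL_USER))
```

With the files as posted and /etc/nologin in place, the trace for sshd and a domain user is just pam_winbind.so: the local user is turned away by pam_nologin, the domain user is not. With the mail-only layout the same domain user gets into imap but not sshd, while local accounts still work everywhere. The account stack needs the same scoping (pam_winbind account only where domain users are wanted), and real PAM has more control syntax than modelled here, so treat this as a reasoning aid and confirm on the box with a test login per service.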
