Winbind/Smb Authentication

Jeff Graves jeff at image-src.com
Tue Mar 30 17:54:45 UTC 2004


But:

1) Does sendmail still accept mail for these users since they are no
longer local? I.e. my email is jeff at image-src.com; if I'm changing from
/etc/passwd auth to winbind auth there won't be a user jeff local to
the system anymore. Will I still be able to receive mail? Or does the
system contact the PDC every time to see if there is a user by that
name?

2) If people already have mbox dirs in their home-dirs, can I move these
files over? It seems from the documentation that the user home
directories get created on the fly? Does this also mean they are
temporary?

3) I don't want these users to be able to log on locally, only via email
protocols. Does that mean I only need to change /etc/pam.d/imap and
files like this, or do I also need to change system-auth, or all of them
for that matter?

Jeff Graves, MCP
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019

508.966.5200 - Phone
508.966.5170 - Fax
jeff at image-src.com - Email

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Chris Purcell
Sent: Monday, March 29, 2004 4:16 PM
To: redhat-list at redhat.com
Subject: Re: Winbind/Smb Authentication


> I've been reading up on winbind and the samba authentication you can use
> in rh linux. I basically have a rh linux 9 mail server up and running
> with its own set of user accounts. Currently, I need to manage two sets
> of user accounts which is no fun. I know that if I had a week to read
> through the documentation, I could probably configure the box to
> authenticate off of my Win2K domain myself. I have to believe that there
> are plenty of people out there who have already done this so I'm trying
> to find a good tutorial on how to setup a Redhat Linux 9 box to
> authenticate off of a Win2K AD Domain with the intent of being a mail
> server. Anyone's input is appreciated.


Here are some notes that I took when I set this up the first time...



1. Edit the /etc/nsswitch.conf file to allow user and group entries to be
visible from the winbindd daemon.  You need to add winbind to the passwd
and group entries:

passwd:     files winbind
shadow:     files
group:      files winbind


2.  Edit the smb.conf file:

[global]
        winbind separator = -
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%D/%U
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        workgroup = DOMAIN
        security = domain
        password server = *


3.  The next step is to join the domain. To do that use the net program
like this:

net join -S PDC -U Administrator

Sometimes you have to use this instead:

net rpc join -U Administrator


4.  In /etc/pam.d/, edit the PAM files that you want to use winbind with.

Example, the /etc/pam.d/system-auth file on Red Hat Linux 9.0 should look
something like this:

[root at rh90 root]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/pam_winbind.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      /lib/security/$ISA/pam_unix.so



Here's an example of the /etc/pam.d/login file from a Red Hat 7.2 system:

[root at rh72 pam.d]# cat login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so umask=0022
session    optional     /lib/security/pam_console.so


Here's an example of the /etc/pam.d/sshd file from a RH72 system:

[root at rh72 pam.d]# cat sshd
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_mkhomedir.so umask=0022
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so


5.  Now start winbindd and nmbd and you should find that your user and
group database is expanded to include your NT users and groups, and that
you can login to your unix box as a domain user, using the DOMAIN+user
syntax for the username. You may wish to use the commands getent passwd
and getent group to confirm the correct operation of winbindd.  Note, if
you use the "winbind use default domain = yes" parameter in smb.conf, then
you don't have to use the DOMAIN+user syntax, and can just use "user"
without prepending the domain name.




6.  Run some tests to ensure that everything is working okay.

getent passwd = returns all the users in Active Directory
getent group = returns all the groups in Active Directory

wbinfo -t = Verify that the workstation trust account created when the
Samba server is added to the Windows NT domain is working.

[root at rh90 pam.d]# wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -a = Attempt to authenticate a user via winbindd. This checks
both authentication methods and reports its results.

[root at rh90 pam.d]# wbinfo -a jdoe%mypassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -r username = try to obtain the list of UNIX group ids to which the
user belongs.  This only works for users defined on a domain controller.

[root at rh90 pam.d]# wbinfo -r cpurcell
10154
10001
10069

wbinfo -u = returns list of domain users
wbinfo -g = returns list of domain groups




If Samba was installed from source, then you'll need to:

Copy libnss_winbind.so to /lib and pam_winbind.so to /lib/security. A
symbolic link needs to be made from /lib/libnss_winbind.so to
/lib/libnss_winbind.so.2. If you are using an older version of glibc then
the target of the link should be /lib/libnss_winbind.so.1.




Chris Purcell, RHCE
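
The following is an added example, not code from either poster: a small POSIX sh script that checks, offline, whether a box's nsswitch.conf, smb.conf and a chosen PAM service file carry the winbind settings from steps 1, 2 and 4 above. File paths are passed as arguments, and the demo input at the bottom is constructed for illustration.

```shell
# Added example (not from the list post): offline sanity checks for the
# winbind wiring in steps 1, 2 and 4. Each function takes a config file
# path, prints what is missing and returns 0 when the file matches the notes.

# Step 1: the passwd and group databases must list winbind as an NSS source.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$1" ||
            { echo "nsswitch: '$db:' line does not include winbind"; rc=1; }
    done
    return $rc
}

# Step 2: smb.conf needs domain security, a workgroup and both idmap ranges;
# without the ranges winbindd has no UIDs/GIDs to hand out for domain users.
check_smbconf() {
    rc=0
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*domain' "$1" ||
        { echo "smb.conf: 'security = domain' not set"; rc=1; }
    for key in workgroup 'idmap uid' 'idmap gid'; do
        grep -Eiq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$1" ||
            { echo "smb.conf: '$key' not set"; rc=1; }
    done
    return $rc
}

# Step 4: a PAM service that should accept domain logins needs pam_winbind in
# its auth stack and, as in the notes' files, in its account stack as well.
check_pam() {
    rc=0
    for type in auth account; do
        grep -Eq "^[[:space:]]*$type[[:space:]]+[^[:space:]]+[[:space:]]+.*pam_winbind\.so" "$1" ||
            { echo "$1: no '$type' line uses pam_winbind.so"; rc=1; }
    done
    return $rc
}

# Constructed demo input mirroring steps 1, 2 and 4; returns 0 if all pass.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: files winbind\nshadow: files\ngroup: files winbind\n' > "$d/nss"
    printf '[global]\n workgroup = DOMAIN\n security = domain\n idmap uid = 10000-20000\n idmap gid = 10000-20000\n' > "$d/smb.conf"
    printf 'auth sufficient /lib/security/pam_winbind.so\naccount required /lib/security/pam_winbind.so\n' > "$d/imap"
    st=0
    check_nsswitch "$d/nss" && check_smbconf "$d/smb.conf" && check_pam "$d/imap" || st=1
    rm -rf "$d"; return $st
}
```

Run it against the real files (for example `check_pam /etc/pam.d/imap`) to see which of a service's stacks still lack pam_winbind before expecting domain logins over that protocol.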



