SAMBA, SSH and an NT Domain

Matthew Carpenter matt
Mon May 17 11:59:57 PDT 2004


Just been beating out the meaning of life for a Secure FTP Server (SFTP 
using SSH).
The need is an SFTP Server with CIFS access to it from the inside.  This 
allows our external vendors to securely dump/pull files to/from this 
server from the outside using SFTP.  The internal systems can access the 
system using a Windows Mapped drive to the share inside.  The approach 
is to minimize the appearance of "Linux" here but focus on ease of use.

Here is my preliminary documentation for setup.  This is from a SuSE 8.1 
box but should be similar on other versions/distros. 

Set up WINBIND in /etc/samba/smb.conf:
[global]
        # separate domain and username with '+', like DOMAIN+username
        # winbind separator = "\"
        # use uids from 10000 to 20000 for domain users
        winbind uid = 10000-20000
        # use gids from 10000 to 20000 for domain groups
        winbind gid = 10000-20000
        # allow enumeration of winbind users and groups
        winbind enum users = yes
        winbind enum groups = yes
        # give winbind users a real shell (only needed if they have telnet access)
        template homedir = /var/ftp/%D/%U
        template shell = /bin/bash


Set up SAMBA for inclusion in the NT Domain (/etc/samba/smb.conf):
[global]
        workgroup = NTDOMAIN
        encrypt passwords = yes
        wins support = no
        security = domain
        password server = *
        wins server = 10.150.2.32 10.142.2.3


Set up the SAMBA "Homes" share to allow access from DOMAIN accounts 
(/etc/samba/smb.conf):
[homes]
        valid users = %S %D\%U


Added server to USNT domain (after an Admin creates the Computer account):
  lngz19:~ # smbpasswd -j NTDOMAIN


Set up WINBIND in /etc/nsswitch.conf by including winbind/wins on the 
following lines:
 passwd: files winbind ldap
 group:  files winbind ldap
 hosts:  files dns wins


Edit /etc/pam.d/sshd to allow Winbind Lookups and creation of Home 
Directories:
  #%PAM-1.0
  auth     sufficient  /lib/security/pam_winbind.so
  auth     sufficient  pam_unix2.so      use_first_pass # set_secrpc
  auth     required    pam_nologin.so
  auth     required    pam_env.so
  account  sufficient  pam_winbind.so
  account  sufficient  pam_unix2.so
  account  required    pam_nologin.so
  password required    pam_pwcheck.so
  password required    pam_unix2.so      use_first_pass use_authtok
  session  required    pam_unix2.so      none           # trace or debug
  session  required    /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
  session  required    pam_limits.so


Edit /etc/ssh/sshd_config to allow the creation of Home Directories 
(add/edit the following line):
  UsePrivilegeSeparation no



Restart the following services:
  smb
  nmb (part of the above for RH)
  winbind
  nscd (name services cache daemon)
  sshd

Test username lookups against the NT Domain:
  SYS19# getent passwd    (list all usernames, including the Domain Users)
  SYS19# getent group     (list all groups including Domain Groups)
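As an added example, not part of Matthew's post: a small POSIX shell audit of the vendor home tree that the "template homedir = /var/ftp/%D/%U" and pam_mkhomedir umask=0077 settings above produce, confirming every vendor directory stays 0700 so one external SFTP account cannot browse another vendor's drop directory. It assumes the post's /var/ftp base and NTDOMAIN name and GNU stat; the demo tree at the bottom is constructed, not a real /var/ftp.

```shell
#!/bin/sh
# Audit of the per-vendor home directories created by pam_mkhomedir
# (umask=0077 -> each directory should be mode 0700). Any looser mode
# lets other domain users logging in over SFTP read that vendor's files.
# BASE and DOMAIN default to the post's values; both are assumptions.

# audit_vendor_homes BASE DOMAIN
# Prints a WARN line for each directory that is not 0700; returns 0 when
# every vendor directory is private, 1 otherwise.
audit_vendor_homes() {
    base=${1:-/var/ftp}
    domain=${2:-NTDOMAIN}
    bad=0
    for dir in "$base/$domain"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        mode=$(stat -c '%a' "$dir")        # GNU stat: octal permission bits
        case "$mode" in
            700) ;;                        # owner rwx only, as umask=0077 yields
            *)  echo "WARN: $dir is mode $mode, expected 700"
                bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Demonstration on a constructed tree: one correctly private vendor
# directory and one that was left readable by everyone.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/NTDOMAIN/vendor1" "$demo_tree/NTDOMAIN/vendor2"
chmod 700 "$demo_tree/NTDOMAIN/vendor1"
chmod 755 "$demo_tree/NTDOMAIN/vendor2"   # deliberately too open
if audit_vendor_homes "$demo_tree" NTDOMAIN; then
    echo "all vendor directories are private"
else
    echo "tighten the directories listed above with: chmod 700 <dir>"
fi
rm -rf "$demo_tree"
```

Run it as root after the first few domain users have logged in over SFTP, or from cron, to catch directories created or loosened by hand.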


Comments are welcome.  Please let me know your mileage!