SAMBA again
James McDonald
Tue Nov 15 19:35:40 PST 2005
> I have been trying to get a Windows Primary Domain Controller (PDC) to
> validate users for my Linux SAMBA. I seem on the verge of getting it to
> work. I have one question I don't see a proper answer for:
>
> When I join a domain, the docs say to log in as 'administrator'. Is this
> a requirement that you be administrator on the PDC, or just sloppy
> documentation? There is no way in hell your average admin is going to give
> out administrator accounts/passwords to linux boxes scattered around the
> net so that their samba servers can do authentication. Is it perhaps that
> you just need a user on the PDC with some specific rights? I have not
> found these documented in such a way that I can communicate these to our
> local PDC admin. I just see references to 'administrator'.
>
> Where in SAMBA/winbind do you configure the name/password of the user
> you should use to join the domain?
>
> Talk about an area with bad documentation. There is lots of it. But it
> is mostly bad. I have read so much, and it does not always help. The
> suggested By-Example book does not, that I could identify as such, give a
> step-by-step COMPLETE guide to joining a domain to authenticate users. You
> always get one bit here, a disconnected bit there, and so on.
>
This is how I do it.
This assumes that you have a windows 200x server and active directory. I
haven't seen an NT4 box in years so I'm not much help with that.
In windows 200x you can be a normal user to add a workstation to the
domain so all you have to do is authenticate as a normal user... don't know
about NT.
This is configured on a Debian Box
I follow the instructions as in the swat tool here.
http://localhost:901/swat/help/Samba-HOWTO-Collection/domain-member.html#ads-member
You may also want to include pam_mkhomedir.so so that a new user logging
on gets a home directory created automagically.
I edit the files as follows
PAM.D
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
#
auth sufficient pam_winbind.so
auth required pam_unix.so nullok use_first_pass
#
# /etc/pam.d/common-password - password-related modules common to all services
#
password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5
#
# /etc/pam.d/common-session - session-related modules common to all services
#
session required pam_unix.so nullok_secure
#
# /etc/pam.d/samba
#
@include common-auth
@include common-account
@include common-session
SMB.CONF
# Samba config file created using SWAT
# from 192.168.1.5 (192.168.1.5)
# Date: 2005/07/22 19:27:28
# Global parameters
[global]
workgroup = APFOODS
realm = APFOODS.LOCAL
server string = IT Admin Server
interfaces = eth0
security = ADS
obey pam restrictions = Yes
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
syslog = 0
syslog only = Yes
log file = /var/log/samba/log
max log size = 1000
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 192.168.1.2
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
invalid users = root
[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
browseable = No
[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[backup]
path = /opt/samba/backup
invalid users =
valid users = APFOODS\jamesm, "APFOODS\domain admins"
force user = apfbackup
force group = apfbackup
read only = No
create mask = 0770
directory mask = 0770
browseable = No
NSSWITCH
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
KRB5.CONF
[libdefaults]
default_realm = APFOODS.LOCAL
krb4_config = /usr/kerberos/lib/krb.conf
krb4_realms = /usr/kerberos/lib/krb.realms
[realms]
APFOODS.LOCAL = {
admin_server = APF-MA-DC01.APFOODS.LOCAL
default_domain = APFOODS.LOCAL
}
[domain_realm]
.apfoods.local = APFOODS.LOCAL
[logging]
# kdc = CONSOLE
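As an added example (not part of James's post or of Samba itself), a small Python check that reads the four files above together and flags the mismatches that commonly leave winbind unable to resolve or authenticate domain users: wrong security mode, realm/workgroup/krb5 disagreement, an idmap range colliding with local accounts, root not excluded, winbind missing from nsswitch, or the wrong PAM order. The sample inputs are trimmed copies of the files shown above; the check names and thresholds are my own.

```python
import re

def parse_ini(text):
    """Minimal smb.conf/krb5.conf parser -> {section: {key: value}}, keys lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        head = re.match(r"\[(.+)\]$", line)
        if head:
            section = head.group(1).lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][key.strip().lower()] = val.strip().rstrip("{").strip()
    return conf

def check_member_config(smb, krb5, nsswitch, pam_auth):
    """Return a list of findings; an empty list means the four files agree."""
    findings = []
    g = parse_ini(smb).get("global", {})
    realm, workgroup = g.get("realm", ""), g.get("workgroup", "")
    if g.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for an Active Directory member")
    if not realm or realm != realm.upper():
        findings.append("realm must be the upper-case Kerberos realm name")
    if realm.split(".")[0] != workgroup:
        findings.append("workgroup should be the NetBIOS (first) label of the realm")
    if parse_ini(krb5).get("libdefaults", {}).get("default_realm") != realm:
        findings.append("krb5.conf default_realm does not match smb.conf realm")
    for key in ("idmap uid", "idmap gid"):     # domain ids must not collide with local ones
        lo, _, hi = g.get(key, "").partition("-")
        if not (lo.isdigit() and hi.isdigit() and 1000 <= int(lo) < int(hi)):
            findings.append(f"{key} must be a range above the local system accounts")
    if "root" not in g.get("invalid users", "").split():
        findings.append("invalid users should list root so no domain user maps to it")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch.conf {db} line does not consult winbind")
    mods = [l.split()[2] for l in pam_auth.splitlines() if l.startswith("auth")]
    if mods[:2] != ["pam_winbind.so", "pam_unix.so"]:   # winbind first, local fallback second
        findings.append("common-auth should try pam_winbind.so first, then pam_unix.so")
    return findings

# Constructed sample inputs: the relevant lines of the files posted above.
SMB_CONF = """[global]
workgroup = APFOODS
realm = APFOODS.LOCAL
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
invalid users = root
"""
KRB5_CONF = "[libdefaults]\ndefault_realm = APFOODS.LOCAL\n"
NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n"
PAM_AUTH = "auth sufficient pam_winbind.so\nauth required pam_unix.so nullok use_first_pass\n"
```

Run `check_member_config(SMB_CONF, KRB5_CONF, NSSWITCH, PAM_AUTH)` against the posted files and it returns an empty list; swap in `security = user` or a low idmap range and the corresponding findings appear.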