SAMBA again

Roger Oberholtzer roger
Fri Nov 18 02:56:44 PST 2005



On Wed, 2005-11-16 at 12:16 +1100, James McDonald wrote:
> > I have been trying to get a Windows Primary Domain Controller (PDC) to
> > validate users for my Linux SAMBA. I seem on the verge of getting it to
> > work. I have one question I don't see a proper answer for:
> >
> > When I join a domain, the docs say to log in as 'administrator'. Is this
> > a requirement that you be administrator on the PDC, or just sloppy
> > documentation? There is no way in hell your average admin is going to give
> > out administrator accounts/passwords to linux boxes scattered around the
> > net so that their samba servers can do authentication. Is it perhaps that
> > you just need a user on the PDC with some specific rights? I have not
> > found these documented in such a way that I can communicate these to our
> > local PDC admin. I just see references to 'administrator'.
> >
> > Where in SAMBA/winbind do you configure the name/password of the user
> > you should use to join the domain?
> >
> > Talk about an area with bad documentation. There is lots of it. But it
> > is mostly bad. I have read so much, and it does not always help. The
> > suggested By-Example book does not, that I could identify as such, give a
> > step-by-step COMPLETE guide to joining a domain to authenticate users. You
> > always get one bit here, a disconnected bit there, and so on.
> >
> 
> 
> This is how I do it.
> 
> This assumes that you have a windows 200x server and active directory. I
> haven't seen an NT4 box in years so I'm not much help with that.
> 
> In windows 200x you can be a normal user to add a workstation to the
> domain so all you have to do is authenticate as a normal user... don't know
> about NT.
> 
> This is configured on a Debian Box
> 
> I follow the instructions as in the swat tool here.
> 
> http://localhost:901/swat/help/Samba-HOWTO-Collection/domain-member.html#ads-member
> 
> You may also want to include pam_mkhomedir.so so that a new user logging
> on gets a home directory created automagically.
> 
> I edit the files as follows
> 
> PAM.D
> 
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> #
> auth	sufficient	pam_winbind.so
> auth	required	pam_unix.so nullok use_first_pass
> 
> #
> # /etc/pam.d/common-password - password-related modules common to all services
> #
> password   sufficient pam_winbind.so
> password   required   pam_unix.so nullok obscure min=4 max=8 md5
> 
> #
> # /etc/pam.d/common-session - session-related modules common to all services
> #
> 
> session	required	pam_unix.so nullok_secure
> 
> 
> #
> # /etc/pam.d/samba
> #
> 
> @include common-auth
> @include common-account
> @include common-session
> 
> 
> SMB.CONF
> # Samba config file created using SWAT
> # from 192.168.1.5 (192.168.1.5)
> # Date: 2005/07/22 19:27:28
> 
> # Global parameters
> [global]
> 	workgroup = APFOODS
> 	realm = APFOODS.LOCAL
> 	server string = IT Admin Server
> 	interfaces = eth0
> 	security = ADS
> 	obey pam restrictions = Yes
> 	passdb backend = tdbsam, guest
> 	passwd program = /usr/bin/passwd %u
> 	passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> 	syslog = 0
> 	syslog only = Yes
> 	log file = /var/log/samba/log
> 	max log size = 1000
> 	preferred master = No
> 	local master = No
> 	domain master = No
> 	dns proxy = No
> 	wins server = 192.168.1.2
> 	ldap ssl = no
> 	panic action = /usr/share/samba/panic-action %d
> 	idmap uid = 10000-20000
> 	idmap gid = 10000-20000
> 	template homedir = /home/%U
> 	template shell = /bin/bash
> 	winbind use default domain = Yes
> 	invalid users = root
> 
> [homes]
> 	comment = Home Directories
> 	read only = No
> 	create mask = 0700
> 	directory mask = 0700
> 	browseable = No
> 
> [printers]
> 	comment = All Printers
> 	path = /tmp
> 	create mask = 0700
> 	printable = Yes
> 	browseable = No
> 
> [print$]
> 	comment = Printer Drivers
> 	path = /var/lib/samba/printers
> 
> [backup]
> 	path = /opt/samba/backup
> 	invalid users =
> 	valid users = APFOODS\jamesm, "APFOODS\domain admins"
> 	force user = apfbackup
> 	force group = apfbackup
> 	read only = No
> 	create mask = 0770
> 	directory mask = 0770
> 	browseable = No
> 
> 
> NSSWITCH
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> 
> KRB5.CONF
> 
> [libdefaults]
> 	default_realm = APFOODS.LOCAL
> 	krb4_config = /usr/kerberos/lib/krb.conf
> 	krb4_realms = /usr/kerberos/lib/krb.realms
> 
> [realms]
> 	APFOODS.LOCAL = {
> 		admin_server = APF-MA-DC01.APFOODS.LOCAL
> 		default_domain = APFOODS.LOCAL
> 	}
> 
> [domain_realm]
> 	.apfoods.local = APFOODS.LOCAL
> 
> [logging]
> #	kdc = CONSOLE

This is what I have. Pretty much verbatim. But as I replied to Chong
elsewhere in this thread, logging in to the domain seems to be
problematic.


> 
> 
> _______________________________________________
> Linux-users mailing list ( Linux-users at linux-sxs.org )
> Unsub/Password/Etc: http://mail.linux-sxs.org/cgi-bin/mailman/listinfo/linux-users
> 
> Need to chat further on this subject? Check out #linux-users on irc.linux-sxs.org !
-- 
Roger Oberholtzer
OPQ Systems AB
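As an added example (not from either poster), a small Python checker for an smb.conf of the kind quoted above. It parses the file roughly as Samba does (section names and keys lower-cased, later duplicates win), flags lines without `=` such as the mail-wrapped `passwd chat` value, confirms the settings an AD member needs (`security = ADS`, `realm`, `idmap uid/gid` ranges) and reports that a share-level `invalid users =` like the one in [backup] overrides the global `invalid users = root`. The sample config is a constructed excerpt modelled on the post; the "local accounts live below 1000" threshold is an assumption.

```python
import re

# Constructed excerpt modelled on the smb.conf quoted in the thread. The second
# "passwd chat" line reproduces the mail line-wrap seen in the post.
SAMPLE_SMB_CONF = """\
[global]
\tworkgroup = APFOODS
\trealm = APFOODS.LOCAL
\tsecurity = ADS
\tpasswd chat = *Enter\\snew\\sUNIX\\spassword:* %n\\n
*Retype\\snew\\sUNIX\\spassword:* %n\\n .
\tidmap uid = 10000-20000
\tidmap gid = 10000-20000
\tinvalid users = root

[backup]
\tpath = /opt/samba/backup
\tinvalid users =
\tforce user = apfbackup
"""

def parse_smb_conf(text):
    """Return ({section: {key: value}}, [malformed lines]). Keys and section
    names are lower-cased; a later duplicate key overrides an earlier one."""
    sections, bad, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            sections[cur][key.strip().lower()] = val.strip()
        else:
            bad.append(raw)  # no '=': Samba will not apply it; usually a wrapped value
    return sections, bad

def audit_member_server(text):
    """Return a list of findings for an AD member-server smb.conf."""
    conf, bad = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = [f"malformed line (wrapped value?): {b.strip()!r}" for b in bad]
    if g.get("security", "").lower() != "ads":
        findings.append("security is not ADS: Kerberos/AD membership will not be used")
    if "realm" not in g:
        findings.append("realm missing: required with security = ADS")
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)-(\d+)", g.get(key, ""))
        if not m:
            findings.append(f"{key} missing or not a LOW-HIGH range")
        elif int(m.group(1)) < 1000:  # assumption: local accounts live below 1000
            findings.append(f"{key} overlaps the local account range")
    glob_inv = g.get("invalid users", "")
    for name, share in conf.items():
        if name != "global" and share.get("invalid users", glob_inv) != glob_inv:
            findings.append(f"[{name}] replaces global 'invalid users = {glob_inv}' "
                            f"with '{share['invalid users']}'")
    return findings
```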
