7.3. PAM and NSS Winbind Options
Getting the Winbind daemon up and running is only part of the configuration required on the domain member server. Once Winbind is functioning, you must configure PAM and NSS to use Winbind to authenticate users and return additional account information to programs that need it. These tasks are handled by special modules and configuration of these two subsystems. You may also want to configure Linux to create home directories automatically when they don't exist.
7.3.1. NSS and PAM Winbind Modules
PAM and NSS both rely on modules to interface with Winbind. These module files, pam_winbind.so and libnss_winbind.so, are usually installed as part of a Samba package, such as samba-common. The pam_winbind.so file usually appears in /lib/security or /usr/lib/security. The libnss_winbind.so file usually resides in /lib and is linked to another file, libnss_winbind.so.2 (either file may be a symbolic link to the other).
If you've installed Samba from source code, you may need to install these libraries independently. The source code appears in the source/nsswitch subdirectory of the Samba source code package, and the compiled libraries should appear there after you build the main Samba package. (These files appear only if you select the --with-pam configure option.) Copy the files to appropriate directories, and create an appropriate link for the libnss_winbind.so file. You can then type ldconfig to force Linux to reexamine the library directories and register the new libraries.
7.3.2. Configuring NSS
NSS provides non-authentication information on accounts to tools that require it. Before PAM allows you to log in using Winbind, you must configure NSS to use Winbind. This can be done by editing the /etc/nsswitch.conf file. Locate the passwd and group lines in this file. (The shadow line usually separates them, but you won't edit this line.) Add winbind to the passwd and group lines:
passwd: files winbind
shadow: files
group: files winbind
7.3.3. Configuring PAM
PAM enables you to customize authentication options on a service-by-service basis. For instance, you can tell Linux to use only the local account database for console logins, to use only the NT domain controller for FTP logins, and to use either method for remote SSH logins. PAM accomplishes this goal by using one or more configuration files: either a file called /etc/pam.conf or files in the /etc/pam.d directory named after the particular systems they control. Modifying these files to use additional PAM modules, such as those that support NT domain authentication, is described in Appendix A.
As an example of adding NT domain authentication, consider Example 7-1. This listing shows the contents of the /etc/pam.d/login file on a Debian system, which defines how PAM handles authentication for text-mode console logins and logins via such servers as Telnet.
Example 7-1. Sample PAM configuration file
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so nullok
account requisite pam_time.so
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
password required pam_unix.so nullok min=6 max=255 md5
To add NT domain authentication to this system, you should add a couple of lines to this file. These lines tell PAM to use the pam_winbind.so library for authentication and account validity checks. The result of adding these lines appears in Example 7-2; in the printed listing the added or changed material is shown in bold, and it consists of the two pam_winbind.so lines, the try_first_pass option on the auth pam_unix.so line, and the pam_mkhomedir.so line.
Example 7-2. Sample PAM configuration file with Winbind support
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth required pam_unix.so nullok try_first_pass
account requisite pam_time.so
account sufficient pam_winbind.so
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_mkhomedir.so skel=/etc/skel umask=0027
password required pam_unix.so nullok min=6 max=255 md5
This configuration adds an auth line referencing pam_winbind.so just before the existing auth line that references pam_unix.so, and adds the try_first_pass parameter to that existing line. Because the new line is marked sufficient, a successful Winbind authentication ends the auth stack with success (provided no earlier required module has failed); if Winbind rejects the password, for example for a purely local account, control falls through to pam_unix.so, and try_first_pass tells that module to reuse the password already entered for Winbind rather than prompting again. A second set of changes is in the account stack, which adds a Winbind call in the same way. Finally, this configuration adds a call to pam_mkhomedir.so, which creates a home directory for the user if one doesn't already exist, populating it from /etc/skel and applying the umask of 0027 given on that line. You need to make these changes for every service that should use the NT domain controller.
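The following shell script is an added example, not from the book, that checks copies of an nsswitch.conf file and a PAM service file for the edits just described (winbind on the passwd and group lines; pam_winbind.so in the auth and account stacks, ahead of a pam_unix.so auth line carrying try_first_pass). The check functions and the sample file contents are constructed for this illustration; point the functions at your own files to check a real system.

```shell
#!/bin/sh
# Added example (not from the book): sanity-check the NSS and PAM edits
# described above against copies of nsswitch.conf and a PAM service file.

# Succeeds when both the passwd and group lines list the winbind source.
check_nss_winbind() {
    awk '
        /^[[:space:]]*passwd:/ && /[[:space:]]winbind([[:space:]]|$)/ { p = 1 }
        /^[[:space:]]*group:/  && /[[:space:]]winbind([[:space:]]|$)/ { g = 1 }
        END { exit !(p && g) }
    ' "$1"
}

# Succeeds when pam_winbind.so is in both the auth and account stacks, and the
# auth pam_unix.so line comes after it and carries try_first_pass.
check_pam_winbind() {
    awk '
        $1 == "auth"    && $3 == "pam_winbind.so" { wa = NR }
        $1 == "auth"    && $3 == "pam_unix.so"    { ua = NR; if ($0 ~ /try_first_pass/) t = 1 }
        $1 == "account" && $3 == "pam_winbind.so" { wacct = 1 }
        END { exit !(wa && ua && t && wacct && wa < ua) }
    ' "$1"
}

# Constructed sample files, modelled on the listings in this section
# (left in $tmp so they can be inspected afterwards).
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd: files winbind
shadow: files
group: files winbind
EOF
cat > "$tmp/login.before" <<'EOF'
auth required pam_unix.so nullok
account required pam_unix.so
EOF
cat > "$tmp/login.after" <<'EOF'
auth sufficient pam_winbind.so
auth required pam_unix.so nullok try_first_pass
account sufficient pam_winbind.so
account required pam_unix.so
EOF

check_nss_winbind "$tmp/nsswitch.conf" && echo "nsswitch.conf: winbind on passwd and group"
check_pam_winbind "$tmp/login.before" || echo "login.before: Winbind not wired in (expected)"
check_pam_winbind "$tmp/login.after"  && echo "login.after: Winbind in auth and account stacks"
```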
You should also change the /etc/pam.d/passwd file, which controls the passwd command's actions. As described in Appendix A, this change requires adding references to pam_winbind.so to the auth, account, and password stacks.