7.3. PAM and NSS Winbind Options

Getting the Winbind daemon up and running is only part of the configuration required on the domain member server. Once Winbind is functioning, you must configure PAM and NSS to use Winbind to authenticate users and return additional account information to programs that need it. These tasks are handled by special modules and configuration of these two subsystems. You may also want to configure Linux to create home directories automatically when they don't exist.

7.3.1. NSS and PAM Winbind Modules

PAM and NSS both rely on modules to interface with Winbind. These module files, and, are usually installed as part of a Samba package, such as samba-common. The file usually appears in /lib/security or /usr/lib/security. The file usually resides in /lib and is linked to another file, (either file may be a symbolic link to the other).

If you've installed Samba from source code, you may need to install these libraries independently. The source code appears in the source/nsswitch subdirectory of the Samba source code package, and the compiled libraries should appear there after you build the main Samba package. (These files appear only if you select the --with-pam configure option.) Copy the files to appropriate directories, and create an appropriate link for the file. You can then type ldconfig to force Linux to reexamine the library directories and register the new libraries.

7.3.2. Configuring NSS

NSS provides nonauthentication information on accounts to tools that require it. Before PAM allows you to log in using Winbind, you must configure NSS to use Winbind. This can be done by editing the /etc/nsswitch.conf file. Locate the passwd and group lines in this file. (The shadow line usually separates them, but you won't edit this line.) Add winbind to the passwd and group lines:

passwd:  files winbind
shadow:  files
group:   files winbind

Some distributions place other options on these lines in addition to files. Some use compat instead of files. If yours is so configured, simply add winbind to the end of the list, or to an earlier position if you prefer. (NSS consults each source in turn for account information.)
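As an added example (not from the book), the following shell helpers make the nsswitch.conf edit just described scriptable and idempotent, and then verify it: winbind is appended to the passwd and group lines only if it is not already there, the shadow line is left alone, and both the files and compat variants are handled, as are inline comments. The file path and sample entries are constructed.

```shell
# Added example, not from the book: idempotently add "winbind" to the passwd and
# group lines of an nsswitch.conf-style file, then verify the result.

# nss_enable_winbind FILE -- edit FILE in place: passwd: and group: get winbind
# appended (ahead of any trailing "#" comment); shadow: and other lines are untouched.
nss_enable_winbind() {
    tmp="$1.tmp.$$"
    awk '
    /^[ \t]*(passwd|group):/ {
        line = $0; comment = ""
        i = index(line, "#")                    # preserve an inline comment
        if (i > 0) { comment = " " substr(line, i); line = substr(line, 1, i - 1) }
        sub(/[ \t]+$/, "", line)
        n = split(line, f, /[ \t]+/); found = 0
        for (j = 1; j <= n; j++) if (f[j] == "winbind") found = 1
        if (!found) line = line " winbind"
        $0 = line comment
    }
    { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# nss_check_winbind FILE -- exit 0 only if passwd and group list winbind and shadow
# does not (Winbind serves no shadow data, so listing it there is a misconfiguration).
nss_check_winbind() {
    awk '
    function has_winbind(   k) { for (k = 2; k <= NF; k++) if ($k == "winbind") return 1; return 0 }
    /^[ \t]*passwd:/ { p = has_winbind() }
    /^[ \t]*group:/  { g = has_winbind() }
    /^[ \t]*shadow:/ { s = has_winbind() }
    END { exit ((p && g && !s) ? 0 : 1) }' "$1"
}

# Demonstration on a constructed file using Debian-style "compat" entries.
demo_nss() {
    d=$(mktemp -d); f="$d/nsswitch.conf"
    printf 'passwd:  compat # local users first\nshadow:  files\ngroup:   compat\nhosts:   files dns\n' > "$f"
    nss_check_winbind "$f" && echo "unexpected: winbind already configured"
    nss_enable_winbind "$f"
    nss_enable_winbind "$f"              # a second run must not duplicate the entry
    cat "$f"
    nss_check_winbind "$f" && echo "OK: winbind enabled for passwd and group"
    rm -rf "$d"
}
demo_nss
```

Run the check after any hand edit as well; a stray winbind on the shadow line or a missing one on group is the kind of slip that only shows up when a domain user fails to log in.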

7.3.3. Configuring PAM

PAM enables you to customize authentication options on a service-by-service basis. For instance, you can tell Linux to use only the local account database for console logins, to use only the NT domain controller for FTP logins, and to use either method for remote SSH logins. PAM accomplishes this goal by using one or more configuration files: either a file called /etc/pam.conf or files in the /etc/pam.d directory named after the particular systems they control. Modifying these files to use additional PAM modules, such as those that support NT domain authentication, is described in Appendix A.

When reconfiguring PAM, you can easily render your system unable to support logins. Thus, I recommend experimenting with one login server at a time, leaving yourself some way to log in should you create an inoperable system. For instance, experiment with the login service and leave the gdm or xdm service alone.

As an example of adding NT domain authentication, consider Example 7-1. This listing shows the contents of the /etc/pam.d/login file on a Debian system, which defines how PAM handles authentication for text-mode console logins and logins via such servers as Telnet.

Example 7-1. Sample PAM configuration file
auth       requisite
auth       requisite
auth       required
auth       required   nullok
account    requisite
account    required
session    required
session    optional
session    optional
session    optional   standard noenv
password   required   nullok min=6 max=255 md5

PAM configurations vary both from one service to another and from one distribution to another. If your PAM configuration file doesn't look exactly like Example 7-1, don't panic. The most important part of PAM Winbind configuration is adding lines, as described shortly.

To add NT domain authentication to this system, you should add a couple of lines to this file. These lines tell PAM to use the library for authentication and account validity checks. The result of adding these lines appears in Example 7-2, with the added or changed material shown in bold.

Example 7-2. Sample PAM configuration file with Winbind support
auth       requisite
auth       requisite
auth       required
auth       sufficient
auth       required   nullok try_first_pass
account    requisite
account    sufficient
account    required
session    required
session    optional
session    optional
session    optional   standard noenv
session    required   skel=/etc/skel umask=0027
password   required   nullok min=6 max=255 md5

This configuration adds an auth line just before the existing auth line that references and adds the try_first_pass parameter to that existing line. These changes add Winbind to the authentication system and cause to use the password entered for Winbind if Winbind authentication fails. A second set of changes is in the account stack, which adds a Winbind call to it. Finally, this configuration adds a call to, which creates a new home directory for the user if one doesn't already exist. You need to make these changes for every service that should use the NT domain controller.
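Before logging out of the session you kept open, it is worth checking the edited file mechanically. The following added shell example (not from the book) reads a PAM service file and verifies the layout described above: a sufficient Winbind line ahead of the existing auth line, try_first_pass on that existing line, a Winbind line in the account stack, and a home-directory session line. The module names pam_winbind.so, pam_unix.so and pam_mkhomedir.so are the standard Samba and Linux-PAM names and are assumed here, since the book's listing omits them; the two sample files are constructed.

```shell
# Added example, not from the book: check a PAM service file for the Winbind changes
# described above. Module names are the standard ones (pam_winbind.so, pam_unix.so,
# pam_mkhomedir.so), which the book's listing omits.

# pam_check_winbind FILE -- exit 0 when the auth and account stacks are laid out
# as in Example 7-2; otherwise print one line per problem and exit 1.
pam_check_winbind() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blank lines
    { type = $1; ctl = $2; mod = $3 }
    type == "auth" && mod ~ /pam_winbind\.so$/ { wb_auth = NR; wb_ctl = ctl }
    type == "auth" && mod ~ /pam_unix\.so$/ { ux_auth = NR; ux_tfp = ($0 ~ /try_first_pass/) }
    type == "account" && mod ~ /pam_winbind\.so$/ { wb_acct = NR }
    type == "account" && mod ~ /pam_unix\.so$/ { ux_acct = NR }
    type == "session" && mod ~ /pam_mkhomedir\.so$/ { mkhome = 1 }
    END {
        rc = 0
        if (!wb_auth) { print "auth: no pam_winbind.so line"; rc = 1 }
        else if (wb_ctl != "sufficient") {
            # "required" fails every login, local accounts included, whenever the DC is unreachable
            print "auth: pam_winbind.so is " wb_ctl ", expected sufficient"; rc = 1 }
        if (wb_auth && ux_auth && wb_auth > ux_auth) { print "auth: pam_winbind.so must precede pam_unix.so"; rc = 1 }
        if (ux_auth && !ux_tfp) { print "auth: pam_unix.so lacks try_first_pass"; rc = 1 }
        if (!wb_acct) { print "account: no pam_winbind.so line"; rc = 1 }
        else if (ux_acct && wb_acct > ux_acct) { print "account: pam_winbind.so must precede pam_unix.so"; rc = 1 }
        if (!mkhome) print "note: no pam_mkhomedir.so session line; domain users need an existing home directory"
        exit rc
    }' "$1"
}

# Demonstration on two constructed files: the Example 7-2 layout and a broken variant.
demo_pam() {
    d=$(mktemp -d)
    cat > "$d/good" <<'EOF'
auth       sufficient pam_winbind.so
auth       required   pam_unix.so nullok try_first_pass
account    sufficient pam_winbind.so
account    required   pam_unix.so
session    required   pam_mkhomedir.so skel=/etc/skel umask=0027
EOF
    # Broken: Winbind added after pam_unix.so, as "required", and without try_first_pass
    cat > "$d/bad" <<'EOF'
auth       required   pam_unix.so nullok
auth       required   pam_winbind.so
account    required   pam_unix.so
EOF
    pam_check_winbind "$d/good" && echo "good: OK"
    pam_check_winbind "$d/bad" || echo "bad: rejected"
    rm -rf "$d"
}
demo_pam
```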

Some distributions, including Red Hat, Fedora, and Gentoo, now use the module rather than or If you see calls to this module, you can either add your calls to to the file as described here or modify the /etc/pam.d/system-auth file instead of the file for the individual servers. The module pushes part of the PAM configuration into the system-auth file, as described in Appendix A.

You should also change the /etc/pam.d/passwd file, which controls the passwd command's actions. As described in Appendix A, this change requires adding references to to the auth, account, and password stacks.

You normally don't need to change the /etc/pam.d/samba configuration. The Samba server provides its own tools for authenticating against the domain controller, and in fact, if you configure Winbind properly, Samba is automatically configured to use the domain controller directly. Thus, although it has one, there's no need to edit Samba's PAM configuration file.

    Linux in a Windows World
    ISBN: 0596007582
    Year: 2005
    Pages: 152