7.4. Questions and Answers

The following questions were obtained from the mailing list and also from private discussions with Windows network administrators.

F.A.Q.
Example 7.3.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File

# Global parameters
[global]
    unix charset = LOCALE
    workgroup = MEGANET2
    security = DOMAIN
    username map = /etc/samba/smbusers
    log level = 10
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    wins server = 192.168.2.1
    ldap suffix = dc=abmas,dc=biz
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=abmas,dc=biz
    idmap backend = ldap:ldap://lapdc.abmas.biz
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind trusted domains only = Yes
    printer admin = root
    printing = cups

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    admin users = root, Administrator
    write list = root

Example 7.3.2. LDIF IDMAP Add-On Load File

File: /etc/openldap/idmap.LDIF

dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit

Example 7.3.3. Configuration File for NSS LDAP Support

File: /etc/ldap.conf

URI             ldap://massive.abmas.biz ldap://massive.abmas.biz:636
host            192.168.2.1
base            dc=abmas,dc=biz
binddn          cn=Manager,dc=abmas,dc=biz
bindpw          not24get
pam_password    exop
nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group  ou=Groups,dc=abmas,dc=biz?one
ssl             no

Example 7.3.4. NSS using LDAP for Identity Resolution

File: /etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns wins
networks:   files dns
services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files
publickey:  files
bootparams: files
automount:  files
aliases:    files

Example 7.3.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain

# Global parameters
[global]
    unix charset = LOCALE
    workgroup = MEGANET2
    security = DOMAIN
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 0
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    wins server = 192.168.2.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template primary group = "Domain Users"
    template shell = /bin/bash
    winbind separator = +
    printer admin = root
    hosts allow = 192.168.2., 192.168.3., 127.
    printing = cups

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    admin users = root, Administrator
    write list = root

Example 7.3.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain

# Global parameters
[global]
    unix charset = LOCALE
    workgroup = MEGANET3
    netbios name = BSDBOX
    security = DOMAIN
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    add user script = /usr/sbin/useradd -m '%u'
    add machine script = /usr/sbin/useradd -M '%u'
    add group script = /usr/sbin/groupadd '%g'
    winbind enable local accounts = Yes
    log file = /var/log/samba/%m
    max log size = 0
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    wins server = 192.168.2.1
    printer admin = root
    hosts allow = 192.168.2., 192.168.3., 127.
    printing = cups

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    admin users = root, Administrator
    write list = root

Example 7.3.7. Samba Domain Member smb.conf File for Active Directory Membership

# Global parameters
[global]
    unix charset = LOCALE
    workgroup = LONDON
    realm = LONDON.ABMAS.BIZ
    server string = Samba 3.0.20
    security = ADS
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    printcap name = CUPS
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template primary group = "Domain Users"
    template shell = /bin/bash
    winbind separator = +
    printing = cups

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    admin users = root, Administrator
    write list = root

Example 7.3.8. Example smb.conf File Using idmap_rid

# Global parameters
[global]
    workgroup = KPAK
    netbios name = BIGJOE
    realm = CORP.KPAK.COM
    server string = Office Server
    security = ADS
    allow trusted domains = No
    idmap backend = idmap_rid:KPAK=500-100000000
    idmap uid = 500-100000000
    idmap gid = 500-100000000
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    printer admin = "KPAK\Domain Admins"

Example 7.3.9. Typical ADS Style Domain smb.conf File

# Global parameters
[global]
    workgroup = SNOWSHOW
    netbios name = GOODELF
    realm = SNOWSHOW.COM
    server string = Samba Server
    security = ADS
    log level = 1 ads:10 auth:10 sam:10 rpc:10
    ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
    ldap idmap suffix = ou=Idmap
    ldap suffix = dc=SNOWSHOW,dc=COM
    idmap backend = ldap:ldap://ldap.snowshow.com
    idmap uid = 150000-550000
    idmap gid = 150000-550000
    template shell = /bin/bash
    winbind use default domain = Yes

Example 7.3.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File

# Global parameters
[global]
    workgroup = BUBBAH
    netbios name = MADMAX
    realm = BUBBAH.COM
    server string = Samba Server
    security = ADS
    idmap uid = 150000-550000
    idmap gid = 150000-550000
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind trusted domains only = Yes
    winbind nested groups = Yes

Example 7.3.11. SUSE: PAM login Module Using Winbind

# /etc/pam.d/login
#%PAM-1.0
auth     sufficient pam_unix2.so nullok
auth     sufficient pam_winbind.so use_first_pass use_authtok
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     required   pam_env.so
auth     required   pam_mail.so
account  sufficient pam_unix2.so
account  sufficient pam_winbind.so use_first_pass use_authtok
password required   pam_pwcheck.so nullok
password sufficient pam_unix2.so nullok use_first_pass use_authtok
password sufficient pam_winbind.so use_first_pass use_authtok
session  sufficient pam_unix2.so none
session  sufficient pam_winbind.so use_first_pass use_authtok
session  required   pam_limits.so

Example 7.3.12. SUSE: PAM xdm Module Using Winbind

# /etc/pam.d/gdm (/etc/pam.d/xdm)
#%PAM-1.0
auth     sufficient pam_unix2.so nullok
auth     sufficient pam_winbind.so use_first_pass use_authtok
account  sufficient pam_unix2.so
account  sufficient pam_winbind.so use_first_pass use_authtok
password sufficient pam_unix2.so
password sufficient pam_winbind.so use_first_pass use_authtok
session  sufficient pam_unix2.so
session  sufficient pam_winbind.so use_first_pass use_authtok
session  required   pam_devperm.so
session  required   pam_resmgr.so

Example 7.3.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind

#%PAM-1.0
auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth     required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so
account  sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required   /lib/security/$ISA/pam_cracklib.so retry=3 type=
# Note: The above line is complete. There is nothing following the '='
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required   /lib/security/$ISA/pam_deny.so
session  required   /lib/security/$ISA/pam_limits.so
session  sufficient /lib/security/$ISA/pam_unix.so
session  sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
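The smb.conf listings in Examples 7.3.1 through 7.3.10 all hinge on a handful of winbind settings that are easy to get subtly wrong: the idmap ranges must be written as `low-high`, an idmap_rid backend carries its own range that must agree with `idmap uid`, and `security = ADS` only works with a `realm`. The checker below is an added example, not code from the Samba book or the Samba project; its sample smb.conf is constructed from the values of Example 7.3.8 and its `parse_global` helper is an assumed minimal parser, not Samba's own.

```python
import re

# Constructed sample modelled on Example 7.3.8 (the book's values).
SAMPLE_CONF = """
# Global parameters
[global]
    workgroup = KPAK
    realm = CORP.KPAK.COM
    security = ADS
    idmap backend = idmap_rid:KPAK=500-100000000
    idmap uid = 500-100000000
    idmap gid = 500-100000000
"""

def parse_global(text):
    """Return {parameter: value} from the [global] section; keys are lower-cased
    with runs of whitespace collapsed, so "idmap  uid" becomes "idmap uid"."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def parse_range(value):
    """Accept only Samba's low-high syntax with low < high; otherwise None."""
    m = re.fullmatch(r"(\d+)-(\d+)", value or "")
    if m and int(m.group(1)) < int(m.group(2)):
        return int(m.group(1)), int(m.group(2))
    return None

def check_idmap(text):
    """Return a list of problems; an empty list means the settings are consistent."""
    g, problems = parse_global(text), []
    uid, gid = parse_range(g.get("idmap uid")), parse_range(g.get("idmap gid"))
    for name, rng in (("idmap uid", uid), ("idmap gid", gid)):
        if rng is None:
            problems.append("%s missing or not in low-high form" % name)
    # idmap_rid carries its own DOMAIN=low-high; it must agree with idmap uid.
    m = re.fullmatch(r"idmap_rid:([^=]+)=(\d+-\d+)", g.get("idmap backend", ""))
    if m and uid and parse_range(m.group(2)) != uid:
        problems.append("idmap_rid range for %s differs from idmap uid" % m.group(1))
    # ADS membership needs the Kerberos realm (Examples 7.3.7 to 7.3.10 all set it).
    if g.get("security", "").lower() == "ads" and "realm" not in g:
        problems.append("security = ADS but no realm set")
    return problems
```

Run `check_idmap(open("/etc/samba/smb.conf").read())` on a real member server; any string it returns is a setting winbind will not map identities with.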