20.5 Installation and Configuration


20.5.1 Introduction

This section describes the procedures used to get Winbind up and running. Winbind is capable of providing access and authentication control for Windows Domain users through an NT or Windows 200x PDC for regular services, such as telnet and ftp, as well for Samba services.

  • Why should I do this?

    This allows the Samba administrator to rely on the authentication mechanisms on the Windows NT/200x PDC for the authentication of Domain Members. Windows NT/200x users no longer need to have separate accounts on the Samba server.

  • Who should be reading this document?

    This document is designed for system administrators. If you are implementing Samba on a file server and wish to ( fairly easily) integrate existing Windows NT/200x users from your PDC onto the Samba server, this document is for you.

20.5.2 Requirements

If you have a Samba configuration file that you are currently using, BACK IT UP! If your system already uses PAM, back up the /etc/pam.d directory contents! If you haven't already made a boot disk, MAKE ONE NOW!

Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's why you want to be able to boot back into your machine in single user mode and restore your /etc/pam.d back to the original state they were in if you get frustrated with the way things are going.

The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the main Samba Web page [1] or, better yet, your closest Samba mirror site for instructions on downloading the source code.

[1] http://samba.org/

To allow domain users the ability to access Samba shares and files, as well as potentially other services provided by your Samba machine, PAM must be set up properly on your machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed on your system. Please refer the PAM web site http://www.kernel.org/pub/linux/libs/pam/ [2] .

[2] http://www.kernel.org/pub/linux/libs/pam/

20.5.3 Testing Things Out

Before starting, it is probably best to kill off all the Samba- related daemons running on your server. Kill off all smbd, nmbd, and winbindd processes that may be running. To use PAM, make sure that you have the standard PAM package that supplies the /etc/pam.d directory structure, including the PAM modules that are used by PAM-aware services, several pam libraries, and the /usr/doc and /usr/man entries for pam. Winbind built better in Samba if the pam- devel package is also installed. This package includes the header files needed to compile PAM-aware applications.

20.5.3.1 Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris

PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install the pam-devel libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3 may auto-install the Winbind files into their correct locations on your system, so before you get too far down the track be sure to check if the following configuration is really necessary. You may only need to configure /etc/nsswitch.conf .

The libraries needed to run the winbindd daemon through nsswitch need to be copied to their proper locations:

 
 root# cp ../samba/source/nsswitch/libnss_winbind.so /lib 

I also found it necessary to make the following symbolic link:

 
 root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 

And, in the case of Sun Solaris:

 
 root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2 

Now, as root you need to edit /etc/nsswitch.conf to allow user and group entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file look like this after editing:

 
 passwd: files winbind shadow: files group: files winbind 

The libraries needed by the winbindd daemon will be automatically entered into the ldconfig cache the next time your system reboots, but it is faster (and you do not need to reboot) if you do it manually:

 
 root#/sbin/ldconfig -v  grep winbind 

This makes libnss_winbind available to winbindd and echos back a check to you.

20.5.3.2 NSS Winbind on AIX

(This section is only for those running AIX.)

The Winbind AIX identification module gets built as libnss_winbind.so in the nsswitch directory of the Samba source. This file can be copied to /usr/lib/security , and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:

 
 WINBIND: program = /usr/lib/security/WINBIND options = authonly 

can then be added to /usr/lib/security/ methods .cfg . This module only supports identification, but there have been success reports using the standard Winbind PAM module for authentication. Use caution configuring loadable authentication modules since you can make it impossible to logon to the system. More information about the AIX authentication module API can be found at " Kernel Extensions and Device Support Programming Concepts for AIX " in Chapter 18(John, there is no section like this in 18). Loadable Authentication Module Programming Interface [3] and more information on administering the modules can be found at " System Management Guide: Operating System and Devices ." [4]

[3] http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm

[4] http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm

20.5.3.3 Configure smb.conf

Several parameters are needed in the smb.conf file to control the behavior of winbindd. These are described in more detail in the winbindd(8) man page. My smb.conf file, as shown in Example 20.1, was modified to include the necessary entries in the [global] section.

20.5.3.4 Join the Samba Server to the PDC Domain

Enter the following command to make the Samba server join the PDC domain, where DOMAIN is the name of your Windows domain and Administrator is a domain user who has administrative privileges in the domain.

 
 root#/usr/local/samba/bin/net rpc join -S PDC -U Administrator 

The proper response to the command should be: " Joined the domain DOMAIN " where DOMAIN is your DOMAIN name.

20.5.3.5 Starting and Testing the winbindd Daemon

Eventually, you will want to modify your Samba startup script to automatically invoke the winbindd daemon when the other parts of Samba start, but it is possible to test out just the Winbind portion first. To start up Winbind services, enter the following command as root:

 
 root#/usr/local/samba/bin/winbindd 
Example 20.1 smb.conf for Winbind set-up
  [global]  # separate domain and username with `+', like DOMAIN+username  winbind separator = +  # use uids from 10000 to 20000 for domain users  idmap uid = 10000-20000  # use gids from 10000 to 20000 for domain groups  idmap gid = 10000-20000  # allow enumeration of winbind users and groups  winbind enum users = yes   winbind enum groups = yes  # give winbind users a real shell (only needed if they have telnet access)  template homedir = /home/winnt/%D/%U   template shell = /bin/bash  

N OTE

graphics/round_pencil.gif

The above assumes that Samba has been installed in the /usr/local/ samba directory tree. You may need to search for the location of Samba files if this is not the location of winbindd on your system.


Winbindd can now also run in " dual daemon modei ". This will make it run as two processes. The first will answer all requests from the cache, thus making responses to clients faster. The other will update the cache for the query that the first has just responded. The advantage of this is that responses stay accurate and are faster. You can enable dual daemon mode by adding -B to the commandline:

 
 root#/usr/local/samba/bin/winbindd -B 

I'm always paranoid and like to make sure the daemon is really running.

 
 root#ps -ae  grep winbindd 

This command should produce output like this, if the daemon is running you would expect to see a report something like this:

 
 3025 ? 00:00:00 winbindd 

Now, for the real test, try to get some information about the users on your PDC:

 
 root#/usr/local/samba/bin/ wbinfo -u 

This should echo back a list of users on your Windows users on your PDC. For example, I get the following response:

 
 CEO+Administrator CEO+burdell CEO+Guest CEO+jt-ad CEO+krbtgt CEO+TsInternetUser 

Obviously, I have named my domain " CEO " and my winbind separator is " + ".

You can do the same sort of thing to get group information from the PDC:

 
 root# /usr/local/samba/bin/wbinfo -g CEO+Domain Admins CEO+Domain Users CEO+Domain Guests CEO+Domain Computers CEO+Domain Controllers CEO+Cert Publishers CEO+Schema Admins CEO+Enterprise Admins CEO+Group Policy Creator Owners 

The function getent can now be used to get unified lists of both local and PDC users and groups. Try the following command:

 
 root#getent passwd 

You should get a list that looks like your /etc/passwd list followed by the domain users with their new UIDs, GIDs, home directories and default shells .

The same thing can be done for groups with the command:

 
 root#getent group 
20.5.3.6 Fix the init.d Startup Scripts
Linux

The winbindd daemon needs to start up after the smbd and nmbd daemons are running. To accomplish this task, you need to modify the startup scripts of your system. They are located at /etc/init.d/smb in Red Hat Linux and they are located in /etc/ init.d/samba in Debian Linux. Edit your script to add commands to invoke this daemon in the proper sequence. My startup script starts up smbd, nmbd, and winbindd from the / usr/local/samba/bin directory directly. The start function in the script looks like this:

 
 start() { KIND="SMB" echo -n $"Starting $KIND services: " daemon /usr/local/samba/bin/smbd $SMBDOPTIONS RETVAL=$? echo KIND="NMB" echo -n $"Starting $KIND services: " daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS RETVAL2=$? echo KIND="Winbind" echo -n $"Starting $KIND services: " daemon /usr/local/samba/bin/winbindd RETVAL3=$? echo [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ touch /var/lock/subsys/smb  RETVAL=1 return $RETVAL } 

If you would like to run winbindd in dual daemon mode, replace the line :

 
 daemon /usr/local/samba/bin/winbindd 

in the example above with:

 
 daemon /usr/local/samba/bin/winbindd -B 

The stop function has a corresponding entry to shut down the services and looks like this:

 
 stop() { KIND="SMB" echo -n $"Shutting down $KIND services: " killproc smbd RETVAL=$? echo KIND="NMB" echo -n $"Shutting down $KIND services: " killproc nmbd RETVAL2=$? echo KIND="Winbind" echo -n $"Shutting down $KIND services: " killproc winbindd RETVAL3=$? [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ rm -f /var/lock/subsys/smb echo "" return $RETVAL } 
Solaris

Winbind does not work on Solaris 9, see Section 36.6.2 for details.

On Solaris, you need to modify the /etc/init.d/samba.server startup script. It usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in /usr/local/samba/bin , the file could contains something like this:

 
 ## ## samba.server ## if [! -d /usr/bin ] then # /usr not mounted exit fi killproc() { # kill the named process(es) pid=`/usr/bin/ps -e  /usr/bin/grep -w $1  /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` [ "$pid" != "" ] && kill $pid } # Start/stop processes required for Samba server case "$1" in 'start') # # Edit these lines to suit your installation (paths, workgroup, host) # echo Starting SMBD /usr/local/samba/bin/smbd -D -s \ /usr/local/samba/smb.conf echo Starting NMBD /usr/local/samba/bin/nmbd -D -1 \ /usr/local/samba/var/log -s /usr/local/samba/smb.conf echo Starting Winbind Daemon /usr/local/samba/bin/winbindd ;; 'stop') killproc nmbd killproc smbd killproc winbindd ;; *) echo "Usage: /etc/init.d/samba.server { start  stop }" ;; esac 

Again, if you would like to run Samba in dual daemon mode, replace:

 
 /usr/local/samba/bin/winbindd 

in the script above with:

 
 /usr/local/samba/bin/winbindd -B 
Restarting

If you restart the smbd, nmbd, and winbindd daemons at this point, you should be able to connect to the Samba server as a Domain Member just as if you were a local user.

20.5.3.7 Configure Winbind and PAM

If you have made it this far, you know that winbindd and Samba are working together. If you want to use Winbind to provide authentication for other services, keep reading. The PAM configuration files need to be altered in this step. (Did you remember to make backups of your original /etc/pam.d files? If not, do it now.)

You will need a PAM module to use winbindd with these other services. This module will be compiled in the ../source/nsswitch directory by invoking the command:

 
 root#make nsswitch/pam_winbind.so 

from the ../source directory. The pam_winbind.so file should be copied to the location of your other PAM security modules. On my RedHat system, this was the /lib/security directory. On Solaris, the PAM security modules reside in /usr/lib/security .

 
 root#cp ../samba/source/nsswitch/pam_winbind.so /lib/security 
Linux/FreeBSD-specific PAM configuration

The /etc/pam.d/samba file does not need to be changed. I just left this file as it was:

 
 auth required /lib/security/pam_stack.so service=system-auth account required /lib/security/pam_stack.so service=system-auth 

The other services that I modified to allow the use of Winbind as an authentication service were the normal login on the console (or a terminal session), telnet logins, and ftp service. In order to enable these services, you may first need to change the entries in /etc/xinetd.d (or /etc/inetd.conf ). Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this case you need to change the lines in /etc/xinetd.d/telnet and /etc/xinetd.d/wu-ftp from

 
 enable = no 

to:

 
 enable = yes 

For ftp services to work properly, you will also need to either have individual directories for the domain users already present on the server, or change the home directory template to a general directory for all domain users. These can be easily set using the smb.conf global entry template homedir .

The /etc/pam.d/ftp file can be changed to allow Winbind ftp access in a manner similar to the samba file. My /etc/pam.d/ftp file was changed to look like this:

 
 auth required /lib/security/pam_listfile.so item=user sense=deny \ file=/etc/ftpusers onerr=succeed auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_shells.so account sufficient /lib/security/pam_winbind.so account required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth 

The /etc/pam.d/login file can be changed nearly the same way. It now looks like this:

 
 auth required /lib/security/pam_securetty.so auth sufficient /lib/security/pam_winbind.so auth sufficient /lib/security/pam_UNIX.so use_first_pass auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_nologin.so account sufficient /lib/security/pam_winbind.so account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_console.so 

In this case, I added the

 
 auth sufficient /lib/security/pam_winbind.so 

lines as before, but also added the

 
 required pam_securetty.so 

above it, to disallow root logins over the network. I also added a

 
 sufficient /lib/security/pam_unix.so use_first_pass 

line after the winbind.so line to get rid of annoying double prompts for passwords.

Solaris-specific configuration

The /etc/pam.conf needs to be changed. I changed this file so my Domain users can logon both locally as well as telnet. The following are the changes that I made. You can customize the pam.conf file as per your requirements, but be sure of those changes because in the worst case it will leave your system nearly impossible to boot.

 
 # #ident "@(#)pam.conf 1.14 99/09/16 SMI" # # Copyright (c) 1996-1999, Sun Microsystems, Inc. # All Rights Reserved. # # PAM configuration # # Authentication management # login auth required /usr/lib/security/pam_winbind.so login auth required /usr/lib/security/$ISA/pam_UNIX.so.1 try_first_pass login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass # rlogin auth sufficient /usr/lib/security/pam_winbind.so rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 rlogin auth required /usr/lib/security/$ISA/pam_UNIX.so.1 try_first_pass # dtlogin auth sufficient /usr/lib/security/pam_winbind.so dtlogin auth required /usr/lib/security/$ISA/pam_UNIX.so.1 try_first_pass # rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 other auth sufficient /usr/lib/security/pam_winbind.so other auth required /usr/lib/security/$ISA/pam_UNIX.so.1 try_first_pass # # Account management # login account sufficient /usr/lib/security/pam_winbind.so login account requisite /usr/lib/security/$ISA/pam_roles.so.1 login account required /usr/lib/security/$ISA/pam_UNIX.so.1 # dtlogin account sufficient /usr/lib/security/pam_winbind.so dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 dtlogin account required /usr/lib/security/$ISA/pam_UNIX.so.1 # other account sufficient /usr/lib/security/pam_winbind.so other account requisite /usr/lib/security/$ISA/pam_roles.so.1 other account required /usr/lib/security/$ISA/pam_UNIX.so.1 # # Session management # other session required /usr/lib/security/$ISA/pam_UNIX.so.1 # # Password management # #other password sufficient /usr/lib/security/pam_winbind.so other password required /usr/lib/security/$ISA/pam_UNIX.so.1 dtsession auth required /usr/lib/security/$ISA/pam_UNIX.so.1 # # Support for Kerberos V5 authentication (uncomment to use Kerberos) # #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass 

I also added a try_first_pass line after the winbind.so line to get rid of annoying double prompts for passwords.

Now restart your Samba and try connecting through your application that you configured in the pam.conf.



Official Samba-3 HOWTO and Reference Guide
The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
EAN: 2147483647
Year: 2005
Pages: 297

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net