malk@sidehack.sat.gweep.net
2004-Dec-05 22:52 UTC
[Samba] Winbind running on Samba PDC for shell logins
Hello all-

I set up a Samba 3.0.8 PDC w/ simple tdb backend and it's working great. The full RPC based printing w/ drivers installed on the samba server is sweet.

I know down the line I may want the windows users to be able to possibly authenticate for other services like e-mail (via Pop or a webmail type service perhaps) or shell logins on the same PDC. I didn't want to have unix vs. windows passwords to worry about. I found several options (unix password sync w/ passwd program, several pam modules that might work), but I was most intrigued with the idea of running winbind along with pam_winbind.so configured on the PDC, but forcing it not to map UIDs or GIDs and simply only provide the authentication, but against itself and not some remote windows or samba PDC.

I scoured (spelling?) the howto, google, etc. and have never found anyone using winbind w/ security = USER and domain logons = yes, and having the PDC join its own domain so winbind could do its thing. So I did some testing. So I did this:

    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes

The use default domain is to guarantee unix users don't have a domain component in their name and I don't have any trusts or anything. Probably didn't need winbind enum [users|groups] because when winbind starts and there's no id ranges supplied, it keeps itself as only an auth proxy which is all I want anyway.

Left "files" only in nsswitch.conf (winbind won't map or provide uid/gid mappings, enforced even more by not having nsswitch bother w/ winbind).

Joined my PDC box to its own domain w/ net rpc join -U root (kinda funny seeing a machine account in /etc/passwd for itself).

Setup /etc/pam.d/common-auth, session, acct w/ lines similar to

    auth sufficient pam_winbind.so
    auth required pam_unix.so

Fired up winbind and voila, my windows users w/ disabled passwords in /etc/passwd can login to the PDC via their windows password stored in the tdb backend. As they change their password on windows, only one actual password changes as a result. Seems nice and clean.

So my question is are there any disadvantages to running this way? i.e. would I be better off not bothering w/ winbind and instead use unix password sync ?? Or is there something I haven't thought of that is better? I personally like winbind better than anything else I found because it just seems to make more sense to me to have one password actually stored, since linux auth via winbind works so well. I've just never used winbind except as a means to better integrate a linux box w/ a windows PDC (both active dir (ads) and flat NT domains (rpc)). Can any of you that understand samba's internals really well think of any "gotchas" I could avoid by using something else? I didn't test out unix password sync, but I'm confident it will solve my problem equally as well.

Thanks for any thoughts,

-- Eric Malkowski
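The setup above rests on three files agreeing with each other: smb.conf keeps winbind as a pure authentication proxy (no idmap ranges), nsswitch.conf keeps winbind out of passwd/group lookups, and the PAM auth stack tries pam_winbind.so as sufficient before falling back to pam_unix.so as required. The following POSIX shell script is an added example written for this page, not code from the thread or from the Samba project; it checks copies of those files for exactly those conditions. The file names under the sample directory and the sample contents are constructed to mirror the post and are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: sanity-check the three
# files an "auth-proxy only" winbind PDC depends on. Paths are passed in so
# the checks can run against copies or a staging tree.

# smb.conf: security = user, domain logons = yes, winbind use default domain
# = yes, and no idmap uid/gid ranges (a range would make winbind allocate ids).
check_smb_conf() {
    f=$1
    # normalise: drop comments, trailing blanks and leading blanks, squeeze
    # spaces around '=', lowercase everything (Samba keys are case-insensitive)
    norm=$(sed -e 's/[#;].*$//' -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' \
               -e 's/[[:space:]]*=[[:space:]]*/=/' "$f" | tr 'A-Z' 'a-z')
    echo "$norm" | grep -qx 'security=user' \
        || { echo "smb.conf: security must be user"; return 1; }
    echo "$norm" | grep -qx 'domain logons=yes' \
        || { echo "smb.conf: domain logons must be yes"; return 1; }
    echo "$norm" | grep -qx 'winbind use default domain=yes' \
        || { echo "smb.conf: winbind use default domain should be yes"; return 1; }
    if echo "$norm" | grep -q '^idmap [ug]id='; then
        echo "smb.conf: idmap uid/gid present, winbind would map ids"; return 1
    fi
    return 0
}

# nsswitch.conf: the passwd and group databases must come from files only.
check_nsswitch() {
    f=$1
    if grep -E '^[[:space:]]*(passwd|group)[[:space:]]*:' "$f" | grep -q winbind; then
        echo "nsswitch.conf: winbind listed for passwd/group"; return 1
    fi
    return 0
}

# PAM auth stack: pam_winbind.so as sufficient, then pam_unix.so as required.
check_pam_auth() {
    f=$1
    auth=$(grep -E '^[[:space:]]*auth[[:space:]]' "$f" | sed 's/#.*$//')
    wb=$(echo "$auth" | grep -n 'pam_winbind\.so' | head -n 1)
    ux=$(echo "$auth" | grep -n 'pam_unix\.so' | head -n 1)
    [ -n "$wb" ] && [ -n "$ux" ] \
        || { echo "pam: need both pam_winbind.so and pam_unix.so in auth"; return 1; }
    echo "$wb" | grep -qE '^[0-9]+:[[:space:]]*auth[[:space:]]+sufficient[[:space:]]' \
        || { echo "pam: pam_winbind.so must be 'sufficient'"; return 1; }
    echo "$ux" | grep -qE '^[0-9]+:[[:space:]]*auth[[:space:]]+required[[:space:]]' \
        || { echo "pam: pam_unix.so must be 'required'"; return 1; }
    [ "${wb%%:*}" -lt "${ux%%:*}" ] \
        || { echo "pam: pam_winbind.so must precede pam_unix.so"; return 1; }
    return 0
}

# Constructed sample files (assumed content) that follow the post's recipe.
write_samples() {
    d=$1
    cat > "$d/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = USER
   domain logons = yes
   passdb backend = tdbsam
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
EOF
    cat > "$d/nsswitch.conf" <<'EOF'
passwd: files
group:  files
shadow: files
EOF
    cat > "$d/common-auth" <<'EOF'
auth sufficient pam_winbind.so
auth required   pam_unix.so
EOF
}

# Stand-alone run against the constructed samples.
SAMPLE=$(mktemp -d)
write_samples "$SAMPLE"
check_smb_conf "$SAMPLE/smb.conf" && check_nsswitch "$SAMPLE/nsswitch.conf" \
    && check_pam_auth "$SAMPLE/common-auth" && echo "auth-proxy setup looks consistent"
```

Point the three functions at the live /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/pam.d/common-auth to check a real box; the ordering test on the PAM stack matters because a `required` pam_unix.so placed before pam_winbind.so would reject every account whose /etc/passwd password is disabled before winbind is ever consulted.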
malk@sidehack.sat.gweep.net
2004-Dec-06 13:34 UTC
[Samba] Winbind running on Samba PDC for shell logins
> > Fired up winbind and voila, my windows users w/ disabled passwords in
> > /etc/passwd can login to the PDC via their windows password stored
> > in the tdb backend. As they change their password on windows, only
> > one actual password changes as a result. Seems nice and clean.
> >
> > So my question is are there any disadvantages to running this way?
> > i.e. would I be better off not bothering w/ winbind and instead use
> > unix password sync ?? Or is there something I haven't thought of that is
> > better?
>
> One thing... if you set list of workstations on which user can login...
> then pam_winbind can't auth users anymore.

Oh wow... that's interesting and good to know. Thanks.

So it sounds like you're talking about the windows based workstation access restrictions that are all stored in the tdb backend (access rights, or user rights in the windows based user manager? I use usermgr for testing so end user admins get a GUI for user management on samba PDC). i.e. if I set up a windows user to only be able to login to 2 out of my 10 windows workstations, then pam_winbind can't authenticate ANY users anymore -- or just that one user or some subset of users?

I doubt we'll be restricting what workstations users can login to, but this will save some headaches if we try it and have issues. Thanks again. This is one reason to favor unix password sync.

I'm wondering if unix password sync will work -- i.e. a normal samba PDC setup has the windows password encrypted as LM hashes or whatever. Is the PDC ever able to recover the plain text of XP/2K passwords so it can use the passwd command as root to set the unix password?

Hopefully this thread will be useful to others too -- thanks for replying.

-E