-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
| Message: 7
| From: "Steve Snyder" <steves@formation.com>
| To: "Samba Mailing List" <samba@lists.samba.org>
| Date: Wed, 13 Feb 2002 10:16:19 -0600
| Subject: [Samba] Need advice on Linux/Samba as PDC
|
| I've just upgraded my Linux (RedHat v7.2 + v2.4.17 kernel) box to Samba
| v2.2.3a. Now I'm ready to set up winbindd so that this box may act as a
| PDC.
This is incorrect. Winbind is only for use in getting password information to
the linux/unix system FROM A WINDOWS DOMAIN CONTROLLER.
You would use it if you want to join a samba box to a windows domain without
having to create local (or LDAP/NIS) accounts for the samba box.
|
| First, a little background. I have previously been using Samba 2.2.2 as a
| master workgroup server for Linux and Win98 clients. Now I want to add
| support for use as a PDC with Win2K clients.
|
| I've set up my /etc/nsswitch.conf per the documentation:
|
| passwd: files winbind nisplus
| shadow: files winbind nisplus
| group: files winbind nisplus
|
Please remove all configuration for winbind from your domain controller ....
| I'm a little confused about which file in /etc/pam.d to modify. Is it the
| samba file or the system-auth file? I suspect it is the system-auth, but
| I'm not clear on how to integrate the documented changes into my existing
| RedHat config. This is what the file looks like now:
|
| # cat /etc/pam.d/system-auth
| #%PAM-1.0
| # This file is auto-generated.
| # User changes will be destroyed the next time authconfig is run.
| auth required /lib/security/pam_env.so
| auth sufficient /lib/security/pam_unix.so likeauth nullok
| auth required /lib/security/pam_deny.so
| account required /lib/security/pam_unix.so
| password required /lib/security/pam_cracklib.so retry=3 type=
| password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
| password required /lib/security/pam_deny.so
| session required /lib/security/pam_limits.so
| session required /lib/security/pam_unix.so
|
... including this file.
Samba has been able to do limited domain controlling since 2.0.x (we started
ours on 2.0.6), but it has improved in 2.2.x, and will be complete in 3.0.
That said, for a smallish network (where you don't need domain groups on windows
machines), samba rocks as a domain controller.
Please take a look at the following documentation:
- There is a chapter on this in the samba-howto-collection PDF distributed with
samba
- http://mandrakeuser.org/connect/csamba6.html
Basically, you need to:
enable the following entries in smb.conf:
security=user
encrypt passwords = yes
# add user script for joining machines to the domain without having to manually make accounts
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
domain admin group = user1 user2 @group1 @group2
domain logons = yes
logon home = <some UNC path>
#optionals
logon path = <some UNC path>
logon script = %U.bat
If you don't have a windows server running wins, you might as well run wins on
the PDC:
wins support = yes
Then you will want to ensure that the profiles and netlogon shares are defined
also.
Good luck.
--
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/gpg.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8a4nzrJK6UGDSBKcRAiklAJ9hK3a1SIhVo6lhVXl+8BwAc2TGAgCdHZ0w
tU/++kTkntudpXmH8aODo3c=
=7VuL
-----END PGP SIGNATURE-----
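As an added example that is not part of the thread above and not a Samba tool: a small Python checker that parses an smb.conf and an nsswitch.conf and reports whether the settings the reply lists for a Samba 2.2 PDC are present (security = user, encrypt passwords = yes, domain logons = yes, the netlogon and profiles shares, and an add user script that gives machine accounts no login shell), and which nsswitch databases still list winbind, which the reply says a PDC should not have. The "before" and "after" file contents are constructed for the example; the workgroup name, share paths and the \\PDC server name in the logon paths are assumptions.

```python
"""Added example: check a Samba 2.2 smb.conf for the PDC settings named in the
reply, and nsswitch.conf for leftover winbind entries. Sample files are
constructed; nothing here is Samba's own code."""

import re

# Settings the reply lists as required for a Samba 2.2 PDC.
REQUIRED = {
    "security": "user",
    "encrypt passwords": "yes",
    "domain logons": "yes",
}
# Shares the reply says must also be defined.
REQUIRED_SHARES = ("netlogon", "profiles")


def normalize(name):
    """Samba compares parameter names ignoring case and internal whitespace."""
    return re.sub(r"\s+", " ", name.strip().lower())


def parse_smb_conf(text):
    """Return {section: {param: value}} with normalized names; later values win."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                # [section] header
            current = normalize(m.group(1))
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][normalize(key)] = value.strip()
    return sections


def check_pdc(sections):
    """Findings for a config meant to act as PDC; an empty list means it passes."""
    findings = []
    g = sections.get("global", {})
    for key, want in REQUIRED.items():
        got = g.get(key)
        if got is None:
            findings.append("missing '%s = %s'" % (key, want))
        elif got.lower() != want:
            findings.append("'%s = %s' should be '%s'" % (key, got, want))
    for share in REQUIRED_SHARES:
        if share not in sections:
            findings.append("missing [%s] share" % share)
    # Machine accounts created by the add user script should not be able to log in.
    script = g.get("add user script")
    if script and "/bin/false" not in script and "nologin" not in script:
        findings.append("add user script gives machine accounts a login shell")
    return findings


def winbind_in_nsswitch(text):
    """nsswitch.conf databases that still list winbind (a PDC should have none)."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if "winbind" in sources.split():
            hits.append(db.strip())
    return hits


# Constructed: a workgroup-server style config plus the nsswitch lines quoted in the post.
BEFORE_SMB = """
[global]
   workgroup = EXAMPLE
   security = share
   wins support = yes
[homes]
   browseable = no
"""
BEFORE_NSS = """
passwd: files winbind nisplus
shadow: files winbind nisplus
group:  files winbind nisplus
hosts:  files dns
"""

# Constructed: the same host with the settings the reply lists (paths and \\PDC assumed).
AFTER_SMB = """
[global]
   workgroup = EXAMPLE
   security = user
   encrypt passwords = yes
   domain logons = yes
   domain admin group = root @wheel
   ; machine accounts get no home directory and no login shell
   add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
   logon home = \\\\PDC\\%U
   logon path = \\\\PDC\\profiles\\%U
   logon script = %U.bat
   wins support = yes
[netlogon]
   path = /var/lib/samba/netlogon
   writable = no
[profiles]
   path = /var/lib/samba/profiles
   writable = yes
"""
AFTER_NSS = """
passwd: files nisplus
shadow: files nisplus
group:  files nisplus
"""

if __name__ == "__main__":
    for label, smb, nss in (("before", BEFORE_SMB, BEFORE_NSS), ("after", AFTER_SMB, AFTER_NSS)):
        print(label, check_pdc(parse_smb_conf(smb)), winbind_in_nsswitch(nss))
```

This only checks the handful of parameters the reply names; on a real host, `testparm -s` remains the authoritative check that Samba will parse the file at all.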