Mikko Rautiainen
2002-Nov-17  09:51 UTC
[Samba] WINBIND configuration and NT Authentication]
Hi,

Yes it's possible to authenticate users from win 2000 server with winbind. For me the PAM configuration was the hardest part. I used mandrake 9 and it has a really good pre config. And if you want to modify the folder/file permissions from NT/W2k PDC then don't use ReiserFS as the filesystem. Use either EXT3 or XFS. Maybe the ReiserFS 4 will have the ACL support.

I have had difficulties with suse and samba. Like my suse8 home server needs a restart after 2 days and I don't know the reason why. I just lose the connection to the samba.

So the winbind part was easy to make work in mandrake 9, just need to config smb.conf right and that's about it. The PAM is a bit harder (to me at least). PAM is the key for the linux end to understand to use the winbind connection. If not correctly configured it can't get the authentication from the Win NT/2k PDC.

Here are some links that were helpful for me.
http://archives.neohapsis.com/archives/pam-list/2001-10/0038.html
http://ma.ph-freiburg.de/tng/tng-users/2001-06/msg00025.html
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html (very helpful)

Hope these help

Mikko Rautiainen

Chris McKeever wrote:
>Setup:
> Suse 7.2, Samba 2.2.6
> Win 2K PDC
>
>Project:
>I would like to use winbind to authenticate users that do not have local
>accounts on the linux machine for access to various file and print shares.
>I have gotten winbind to successfully grab the user and groups from the NT
>box (verified by getent passwd). However, I have had little luck obtaining
>the permission based file share that I would like.
>
>Questions:
>1. Do users accessing the share need local accounts?
> a. if so, is there a way to export users from win2k into linux?
>2. Can you use NT groups in the smb.conf file to control access?
>3. The documentation on winbind
>http://us2.samba.org/samba/docs/man/winbindd.8.html almost makes it sound as
>if it may be possible to authenticate NT users and grant them login rights
>(actual session login rights, not samba shares) to the linux machine. Is
>this true? If so is there additional configuration to achieve this assuming
>question 1 has been answered and setup properly?
>4. Does anyone know of further online winbind documentation?
>
>Thanks in advance...
>
>Chris McKeever
Mikko..you hit the nail on the head with the PAM configuration...
I will fiddle around with those sites to try to get it going (I already locked myself out once...wonderful!)

If any one has working pam config files that they could post or email, that would be great.

Does one need to restart a pam service after changes are made? If so..how?

-----Original Message-----
From: Mikko Rautiainen [mailto:mrautia6@welho.com]
Sent: Sunday, November 17, 2002 3:56 AM
To: Samba ML
Subject: Re: [Samba] WINBIND configuration and NT Authentication]

Hi,

Yes it's possible to authenticate users from win 2000 server with winbind. For me the PAM configuration was the hardest part. I used mandrake 9 and it has a really good pre config. And if you want to modify the folder/file permissions from NT/W2k PDC then don't use ReiserFS as the filesystem. Use either EXT3 or XFS. Maybe the ReiserFS 4 will have the ACL support.

I have had difficulties with suse and samba. Like my suse8 home server needs a restart after 2 days and I don't know the reason why. I just lose the connection to the samba.

So the winbind part was easy to make work in mandrake 9, just need to config smb.conf right and that's about it. The PAM is a bit harder (to me at least). PAM is the key for the linux end to understand to use the winbind connection. If not correctly configured it can't get the authentication from the Win NT/2k PDC.

Here are some links that were helpful for me.
http://archives.neohapsis.com/archives/pam-list/2001-10/0038.html
http://ma.ph-freiburg.de/tng/tng-users/2001-06/msg00025.html
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html (very helpful)

Hope these help

Mikko Rautiainen

Chris McKeever wrote:
>Setup:
> Suse 7.2, Samba 2.2.6
> Win 2K PDC
>
>Project:
>I would like to use winbind to authenticate users that do not have local
>accounts on the linux machine for access to various file and print shares.
>I have gotten winbind to successfully grab the user and groups from the NT
>box (verified by getent passwd). However, I have had little luck obtaining
>the permission based file share that I would like.
>
>Questions:
>1. Do users accessing the share need local accounts?
> a. if so, is there a way to export users from win2k into linux?
>2. Can you use NT groups in the smb.conf file to control access?
>3. The documentation on winbind
>http://us2.samba.org/samba/docs/man/winbindd.8.html almost makes it sound as
>if it may be possible to authenticate NT users and grant them login rights
>(actual session login rights, not samba shares) to the linux machine. Is
>this true? If so is there additional configuration to achieve this assuming
>question 1 has been answered and setup properly?
>4. Does anyone know of further online winbind documentation?
>
>Thanks in advance...
>
>Chris McKeever
> Message: 1
> From: Chris McKeever <cgmckeever@prupref.com>
> To: "'samba@lists.samba.org'" <samba@lists.samba.org>
> Subject: RE: [Samba] WINBIND configuration and NT Authentication]
> Date: Sun, 17 Nov 2002 09:54:51 -0600
>
> Mikko..you hit the nail on the head with the PAM configuration...
> I will fiddle around with those sites to try to get it going (I already
> locked myself out once...wonderful!)

When playing with pam, always keep a root login open until you are absolutely sure your config works.

> If any one has working pam config files that they could post or email, that
> would be great.

You can find one in recent versions of samba (2.2.5 and later I think):

packaging/Mandrake/system-auth-winbind.pamd

This is what we use to replace /etc/pam.d/system-auth to do all authentication via winbind. In pam files that use pam_stack, you can also use 'service=system-auth-winbind' if you install this file as /etc/pam.d/system-auth-winbind and don't want to authenticate all services by winbind.

Here is the file in webcvs:
http://cvs.samba.org/cgi-bin/cvsweb/samba/packaging/Mandrake/system-auth-winbind.pamd?rev=1.2.2.1&content-type=text/x-cvsweb-markup

> Does one need to restart a pam service after changes are made? If so..how?

No.

>
>
> -----Original Message-----
> From: Mikko Rautiainen [mailto:mrautia6@welho.com]
> Sent: Sunday, November 17, 2002 3:56 AM
> To: Samba ML
> Subject: Re: [Samba] WINBIND configuration and NT Authentication]
>
>
> Hi,
>
>
> Yes it's possible to authenticate users from win 2000 server with
> winbind. For me
> the PAM configuration was the hardest part. I used mandrake 9 and it has
> a really
> good pre config. And if you want to modify the folder/file permissions
> from NT/W2k
> PDC then don't use ReiserFS as the filesystem. Use either EXT3 or XFS.
> Maybe the
> ReiserFS 4 will have the ACL support.
> I have had difficulties with suse and samba. Like my suse8 home server
> needs a restart
> after 2 days and I don't know the reason why. I just lose the connection
> to the samba.
>
> So the winbind part was easy to make work in mandrake 9, just need to
> config smb.conf
> right and that's about it.

In fact, if you do an expert installation of Mandrake 9.0, you can join the domain during installation (choose "Windows Domain" as authentication method in the dialog where you enter your root password). Just enter your domain name in caps (small buglet, we don't capitalise the domain name before creating /home/%D). It will join the domain for you, configure pam etc.

But, this sets up a very basic smb.conf (only for running winbind for authentication of other services). For real samba use, copy /etc/samba/smb-winbind.conf over /etc/samba/smb.conf and just set your workgroup again in the file, and you will get a more usual samba config.

> The PAM is a bit harder (to me at least). PAM
> is the key for the
> linux end to understand to use the winbind connection. If not correctly
> configured it can't
> get the authentication from the Win NT/2k PDC.
>
> Here are some links that were helpful for me.
> http://archives.neohapsis.com/archives/pam-list/2001-10/0038.html
> http://ma.ph-freiburg.de/tng/tng-users/2001-06/msg00025.html
> http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html (very helpful)
>
> Hope these help
>
> Mikko Rautiainen

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
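
The lock-out discussed in this thread can be checked for before a PAM file is installed. The following is an added example, not part of any message above and not the file shipped in Samba's packaging directory: it evaluates the auth lines of a pam.d file and asks whether local root can still log in when winbindd is unreachable. Both stacks and all function names are constructed for illustration, and only the simple control keywords (required, requisite, sufficient, optional) are modelled.

```python
# Added example: evaluates the "auth" lines of a pam.d file using Linux-PAM's
# simple control keywords. Both stacks are constructed samples, not Samba's file.
LOCKOUT_STACK = """\
auth required   pam_env.so
auth required   pam_winbind.so
"""
FALLBACK_STACK = """\
auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required   pam_deny.so
"""
SIMPLE = {"required", "requisite", "sufficient", "optional"}

def parse_auth(text):
    """Return [(control, module)] for each auth line; comments are dropped."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            if fields[1] not in SIMPLE:
                raise ValueError("unsupported control: " + fields[1])
            rules.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return rules

def stack_allows(rules, outcome):
    """outcome maps module name -> True if that module would succeed."""
    failed = passed = False
    for control, module in rules:
        ok = outcome.get(module, False)       # unlisted modules (pam_deny) fail
        if ok and control == "sufficient":
            if not failed:
                return True                   # success, rest of stack skipped
        elif ok:
            passed = True                     # required/requisite/optional success
        elif control == "requisite":
            return False                      # fail immediately
        elif control == "required":
            failed = True                     # fail, but keep running the stack
        # failed "sufficient" and "optional" modules are ignored
    return passed and not failed

def root_survives_winbind_outage(stack_text):
    """Local root password is right, but winbindd cannot be reached."""
    outcome = {"pam_env.so": True, "pam_unix.so": True, "pam_winbind.so": False}
    return stack_allows(parse_auth(stack_text), outcome)

def domain_user_can_log_in(stack_text):
    """User exists only on the PDC: pam_unix fails, pam_winbind succeeds."""
    outcome = {"pam_env.so": True, "pam_unix.so": False, "pam_winbind.so": True}
    return stack_allows(parse_auth(stack_text), outcome)
```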