On Tuesday 14 June 2005 14:00, Romeo Theriault wrote:
> I have a Suse 9.1 Enterprise Server connected to our Windows 2003 Active
> Directory Domain for use as a file server, housing people's home (backup)
> directories. The Suse box is connected to AD with winbind and it's
> connected fine. The problem is that when I create a user on the windows
> box it's not creating a home directory in Linux. It says I don't have
> create access on the server when I try to map them a drive. I'm not sure
> what the problem is but I think it's with my pam authentication or with
> my smb.conf file.

PAM is used only when you use Windows accounts to log onto the Linux system.
Samba does not use PAM. To automatically create a home directory that does not
exist you will need to write a shell script, and call it from the share
definition like this:
>
> Here is my smb.conf:
>
> [global]
>
> #global options needed to communicate with Active Directory
> unix charset = LOCALE
> ads server = (ip goes here)
> workgroup = NEWDOMAIN
> realm = NEWDOMAIN.LOCAL
> server string = SambaT
> security = ADS
> password server = *
> encrypt passwords = yes
> invalid users = root bin daemon adm sync shutdown halt mail news uucp operator gopher
>
> #winbind configuration
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind separator = +
> winbind enum users=yes
> winbind enum groups=yes
> template homedir = /home/%U
> #this makes it so they don't have shell logon accounts.
> template shell = /bin/false
>
> [homes]
> comment = Home Directories
> path = /home/%U
root preexec = /usr/local/sbin/mkhomedir.sh %U
> #user = @"NEWDOMAIN+domain users"
> browseable = No
> writeable= yes
The mkhomedir.sh file can contain:
----------------------- cut here ----------------------
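#!/bin/bash
# $1 is the user name that Samba passes in through %U.
# Create the home directory only if it does not exist yet.
if [ ! -e "/home/DOMAIN/$1" ]; then
    mkdir "/home/DOMAIN/$1"
    chown "$1":"Domain Users" "/home/DOMAIN/$1"
fi
# Always exit with status 0.
exit 0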
--------------------- cut here -----------------------
Then set this file with permissions:
chown root:root /usr/local/sbin/mkhomedir.sh
chmod u=rwsx,g=rwx,o-rwx /usr/local/sbin/mkhomedir.sh
- John T.
>
>
>
>
> and here is the pam.d samba file:
>
> #%PAM-1.0
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_winbind.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
> auth required /lib/security/pam_deny.so
>
> account sufficient /lib/security/pam_winbind.so
> account required /lib/security/pam_unix.so
>
> password required /lib/security/pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
>
>
>
> Thank you, I appreciate any help. I've been beating my head against the
> wall on this one.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
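
A hardened variant of the mkhomedir.sh idea from the reply above, as an added example that is not part of the original message or of Samba. It is relevant because "root preexec" runs the script as root while %U is the user name the client asked for. HOME_BASE, the allowed character set and the function names valid_user and make_home are assumptions made for this example.

```bash
#!/bin/bash
# Added example (not from the original message): hardened mkhomedir.sh.
# Assumption: homes live directly under HOME_BASE, as in "path = /home/%U".
LC_ALL=C                           # make the [A-Z] ranges below byte-exact
HOME_BASE="${HOME_BASE:-/home}"

# Accept only names built from a conservative character set (assumption;
# "+" is kept because it is the winbind separator in the smb.conf above).
valid_user() {
    case "$1" in
        ''|.|..|-*) return 1 ;;                # empty, dot dirs, option-like
        *[!A-Za-z0-9._+-]*) return 1 ;;        # "/" and anything unexpected
    esac
    return 0
}

make_home() {
    local user="$1" dir
    if ! valid_user "$user"; then
        echo "mkhomedir: rejected user name" >&2
        return 1
    fi
    dir="$HOME_BASE/$user"
    if [ -L "$dir" ]; then                     # never follow a planted symlink
        echo "mkhomedir: $dir is a symlink" >&2
        return 1
    elif [ -d "$dir" ]; then                   # already there: nothing to do
        return 0
    elif [ -e "$dir" ]; then                   # a file is in the way
        return 1
    fi
    mkdir -m 0700 -- "$dir" || return 1        # private from the start
    # Hand the directory over only when running as root and the account
    # resolves (through winbind); otherwise it stays owner-only.
    if [ "$(id -u)" -eq 0 ] && id -- "$user" >/dev/null 2>&1; then
        chown -- "$user:" "$dir" || return 1   # "user:" = user's login group
    fi
    return 0
}

# Samba calls the script as: mkhomedir.sh %U
if [ "$#" -gt 0 ]; then
    make_home "$1"
    exit $?
fi
```

A non-zero exit from this script refuses the connection only if the share also sets "root preexec close = yes"; without it Samba ignores the status.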