[Lias] Winbind HowTO

Simon Bryan sbryan at olmc.nsw.edu.au
Wed May 14 10:37:01 UTC 2003


This is a cobbled together list of instructions that I am about to test on
another workstation, would be good if someone else could test them as
well.

Install RH Linux - DO NOT install Samba yet. Otherwise it will need to be
uninstalled.
These are the instructions from the Squid FAQ; I followed them:
Download latest Samba tarball, unzip and untar
Configure Samba
Build/Install Samba

Samba must be built with configure options:

        --with-winbind
        --with-winbind-auth-challenge (needed for ntlm)

Test Samba's winbindd

Edit smb.conf for winbindd functionality.
The following are the winbind entries I ended up with that work:

winbind enum users = yes
winbind gid = 10000-20000
winbind enum groups = yes
winbind uid = 10000-20000
winbind cache time = 15
winbind use default domain = yes
password server = *
name resolve order = hosts lmhosts wins bcast


Join the NT domain
smbpasswd -J domain_name -u domain_admin

Test winbindd functionality.
Start nmbd (required to ensure proper operation).
Start winbindd.
Test basic winbindd functionality "wbinfo -t":
# wbinfo -t
Secret is good

Test winbindd user authentication:
# wbinfo -a mydomain\\myuser%mypasswd
plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)

NOTE: both plaintext and challenge/response should return "succeeded." If
there is no "challenge/response" status returned then Samba was not built
with "--with-winbind-auth-challenge" and cannot support ntlm
authentication.

Also test that wbinfo -r user works. If not then check the smb.conf file.

Samba's smbd daemon, while not strictly required by winbindd, may be needed
to manage the machine's trust account.

Well behaved domain members change the account password on a regular
basis. Windows and Samba servers default to changing this password every
seven days.

The Samba component responsible for managing the trust account password is
smbd. Smbd needs to receive requests to trigger the password change. If
the machine will be used for file and print services, then just running
smbd to serve routine requests should keep everything happy.

However, in cases where Squid's winbind helpers are the only reason Samba
components are running, smbd may sit idle. Indeed, there may be no other
reason to run smbd at all.

There are two sample options to change the trust account. Either may be
scheduled daily via a cron job to change the trust password.

UglySolution.pl is a sample perl script to load smbd, connect to a Samba
share using smbclient, and generate enough dummy activity to trigger
smbd's machine trust account password change code.

For the latest versions of Samba the smbpasswd syntax to change the
password is:

        smbpasswd -t DOMAIN -r PDC

Add this to a daily cron job. (You may need to include the full path to smbpasswd.)

Next visit this link:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#WINBIND

This is the important section:

12.5.3.2. Configure nsswitch.conf and the winbind libraries
The libraries needed to run the winbindd daemon through nsswitch need to
be copied to their proper locations.

root# cp nsswitch/libnss_winbind.so /lib
root# chmod 755 /lib/libnss_winbind.so

It is necessary to make the following symbolic link:

root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

The .2 extension is due to the version of glibc used on your Linux host.
For most modern systems, the file extension is correct. However, on some
other operating systems, Solaris 7/8 being the most common, the
destination filename should be replaced with /lib/nss_winbind.so.1

Now, as root, edit /etc/nsswitch.conf to allow user and group entries to be
visible from the winbindd daemon. After editing, the file should look like this:

	passwd:     files winbind
	shadow:     files
	group:      files winbind


wbinfo -u and wbinfo -g should now echo a list of Domain users and groups.

getent passwd and getent group should display a unified list of users and
groups.

12.5.3.6. Configure Winbind and PAM

At this point we are assured that winbindd and smbd are working together.
If you want to use winbind to provide authentication for other services,
keep reading. The pam configuration files need to be altered in this step.
(Did you remember to make backups of your original /etc/pam.d (or
/etc/pam.conf) file[s]? If not, do it now.)

You will need a PAM module to use winbindd with these other services. This
module will be compiled in the ../source/nsswitch directory by invoking
the command

root# make nsswitch/pam_winbind.so

from the ../source directory. The pam_winbind.so file should be copied to
the location of your other pam security modules. On Linux and Solaris
systems, this is the /lib/security directory.

root# cp nsswitch/pam_winbind.so /lib/security
root# chmod 755 /lib/security/pam_winbind.so


PAM

This is my /etc/pam.d/gdm file:
auth       required     /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

This is my /etc/pam.d/login file:

auth       required     /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_mkhomedir.so umask=0022
session    optional     /lib/security/pam_console.so

You can modify other files as needed, e.g. sshd:
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

and su

auth       required     /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

Note the use of the pam_mkhomedir.so module; this is essential.

At this stage you should be able to log in on your workstation. If it is
the first login for the user, then the pam_mkhomedir module will create the
home directory (you can't log in without one).

Then use:

smbmount //sambaserver/homes  /home/$USER

to map the real home directory to /home/username. You will need to give
the user's password.




____________________
Simon Bryan
IT Manager
OLMC Parramatta
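
Added example, not part of the original post: a small Python model of how Linux-PAM combines the required and sufficient control flags in the sshd auth lines quoted above, run against assumed module results. The WINBIND_FIRST ordering and the LOCAL_USER / DOMAIN_USER outcomes are constructed for illustration; what system-auth returns for a domain account depends on its contents, which the post does not show.

```python
# Added example (not from the original post): models Linux-PAM control-flag
# handling for the auth lines of the sshd stack quoted in the post.
SSHD_AUTH = """\
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """results: module -> True (PAM_SUCCESS) / False. Returns (granted, called)."""
    bad = ok_seen = False
    called = []
    for control, module in stack:
        called.append(module)
        if results[module]:
            if control == "sufficient":
                if not bad:          # success ends the stack early
                    return True, called
            else:
                ok_seen = True
        elif control in ("required", "requisite"):
            bad = True               # remembered; later successes cannot undo it
            if control == "requisite":
                return False, called
        # a failing sufficient/optional module is ignored
    return ok_seen and not bad, called

POSTED = parse_stack(SSHD_AUTH)
# Constructed variant for comparison: pam_winbind.so moved to the top.
WINBIND_FIRST = [POSTED[2], POSTED[0], POSTED[1]]

# Assumed module outcomes (constructed), not measured on a real system.
LOCAL_USER = {"pam_stack.so": True, "pam_nologin.so": True, "pam_winbind.so": False}
DOMAIN_USER = {"pam_stack.so": False, "pam_nologin.so": True, "pam_winbind.so": True}

if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("winbind first", WINBIND_FIRST)):
        for who, res in (("local", LOCAL_USER), ("domain", DOMAIN_USER)):
            print(name, who, evaluate(stack, res))
```

In the posted order, a domain account is granted only when the system-auth stack itself succeeds for it, because a failed required module cannot be rescued by a later sufficient one. With pam_winbind.so first, a successful domain login ends the stack before pam_nologin.so is consulted.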




