[Lias] Winbind HowTO

Jonathon Coombes jon at cybersite.com.au
Wed May 14 11:01:02 UTC 2003


On Wed, 2003-05-14 at 12:32, Simon Bryan wrote:
> This is a cobbled together list of instructions that I am about to test on
> another workstation, would be good if someone else could test them as
> well.
> 
> Install RH Linux - DO NOT install Samba yet. Otherwise it will need to be
> uninstalled.
> These are the instructions from the Squid FAQ, I followed them:
> Download latest Samba tarball, unzip and untar
> Configure Samba
> Build/Install Samba

Have not checked Redhat out yet, but Mandrake has the winbind options
compiled into Samba. They also supply a smb-winbind.conf file which
can be used in place of the standard smb.conf file. I would think Redhat
would have something close to this by now.

> Samba must be built with configure options:
> 
>         --with-winbind
>         --with-winbind-auth-challenge (needed for ntlm)
> 
> Test Samba's winbindd
> 
> Edit smb.conf for winbindd functionality.
> The following are the winbind entries I ended up with that work:
> 
> winbind enum users = yes
> winbind gid = 10000-20000
> winbind enum groups = yes
> winbind uid = 10000-20000
> winbind cache time = 15
> winbind use default domain = yes
> password server = *
> name resolve order = hosts lmhosts wins bcast
> 
> 
> Join the NT domain
> smbpasswd -J domain_name -u domain_admin
> 
> Test winbindd functionality.
> Start nmbd (required to ensure proper operation).
> Start winbindd.
> Test basic winbindd functionality "wbinfo -t":
> # wbinfo -t
> Secret is good
> 
> Test winbindd user authentication:
> # wbinfo -a mydomain\\myuser%mypasswd
> plaintext password authentication succeeded
> error code was NT_STATUS_OK (0x0)
> challenge/response password authentication succeeded
> error code was NT_STATUS_OK (0x0)

getent group or getent passwd is also a good start for testing.
These should show you the users and groups for both the Linux
system and the NT system. If you are only seeing the Linux users,
you may need to check your nsswitch file.

> NOTE: both plaintext and challenge/response should return "succeeded." If
> there is no "challenge/response" status returned then Samba was not built
> with "--with-winbind-auth-challenge" and cannot support ntlm
> authentication.
> 
> Also test that wbinfo -r user works. If not then check the smb.conf file.
> 
> Samba's smbd daemon, while not strictly required by winbindd, may be needed
> to manage the machine's trust account.
> 
> Well behaved domain members change the account password on a regular
> basis. Windows and Samba servers default to changing this password every
> seven days.
> 
> The Samba component responsible for managing the trust account password is
> smbd. Smbd needs to receive requests to trigger the password change. If
> the machine will be used for file and print services, then just running
> smbd to serve routine requests should keep everything happy.
> 
> However, in cases where Squid's winbind helpers are the only reason Samba
> components are running, smbd may sit idle. Indeed, there may be no other
> reason to run smbd at all.
> 
> There are two sample options to change the trust account. Either may be
> scheduled daily via a cron job to change the trust password.
> 
> UglySolution.pl is a sample perl script to load smbd, connect to a Samba
> share using smbclient, and generate enough dummy activity to trigger
> smbd's machine trust account password change code.
> 
> For the latest versions of Samba the smbpasswd syntax to change the
> password is:
> 
>         smbpasswd -t DOMAIN -r PDC
> 
> Add this to a daily cron job. (May need to include full path to smbpasswd)
> 
> Next visit this link:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#WINBIND
> 
> This is the important section:
> 
> 12.5.3.2. Configure nsswitch.conf and the winbind libraries
> The libraries needed to run the winbindd daemon through nsswitch need to
> be copied to their proper locations.
> 
> root# cp nsswitch/libnss_winbind.so /lib
> root# chmod 755 /lib/libnss_winbind.so
> 
> It is necessary to make the following symbolic link:
> 
> root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> 
> The .2 extension is due to the version of glibc used on your Linux host.
> For most modern systems, the file extension is correct. However, on some
> other operating systems, Solaris 7/8 being the most common, the
> destination filename should be replaced with /lib/nss_winbind.so.1
> 
> Now, as root edit /etc/nsswitch.conf to allow user and group entries to be
> visible from the winbindd daemon. After editing, the file should appear:
> 
> 	passwd:     files winbind
> 	shadow:     files
> 	group:      files winbind
> 
> 
> wbinfo -u and wbinfo -g should now echo a list of Domain users and groups.
> 
> getent passwd and getent group should display a unified list of users and
> groups.
> 
> 12.5.3.6. Configure Winbind and PAM
> 
> At this point we are assured that winbindd and smbd are working together.
> If you want to use winbind to provide authentication for other services,
> keep reading. The pam configuration files need to be altered in this step.
> (Did you remember to make backups of your original /etc/pam.d (or
> /etc/pam.conf) file[s]? If not, do it now.)
> 
> You will need a PAM module to use winbindd with these other services. This
> module will be compiled in the ../source/nsswitch directory by invoking
> the command
> 
> root# make nsswitch/pam_winbind.so
> 
> from the ../source directory. The pam_winbind.so file should be copied to
> the location of your other pam security modules. On Linux and Solaris
> systems, this is the /lib/security directory.
> 
> root# cp nsswitch/pam_winbind.so /lib/security
> root# chmod 755 /lib/security/pam_winbind.so
> 
> 
> PAM
> 
> This is my /etc/pam.d/gdm file:
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_winbind.so
> session    required     /lib/security/pam_limits.so
> session    optional     /lib/security/pam_console.so
> session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
> 
> This is my /etc/pam.d/login file:
> 
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_winbind.so
> session    required     /lib/security/pam_limits.so
> session    required     /lib/security/pam_mkhomedir.so umask=0022
> session    optional     /lib/security/pam_console.so
> 
> You can modify other files as needed eg sshd
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_winbind.so
> session    required     /lib/security/pam_limits.so
> session    optional     /lib/security/pam_console.so
> 
> and su
> 
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_winbind.so
> session    required     /lib/security/pam_limits.so
> session    optional     /lib/security/pam_console.so
> 
> Note the use of the pam_mkhomedir.so module; this is essential.

Check first to see if there is a system-auth-winbind file in the 
/etc/pam.d directory. If so, then you can use this instead of changing
each of the individual pam files. Simply change the service=system-auth
part to service=system-auth-winbind in each of the above mentioned pam
files and you should be right. If it does not exist, I suggest creating
one, as it makes management a lot easier in the long term. Also, if you
have a samba file in the pam.d directory, you may want to add it to
that if you need Linux-Linux authentication through the NT box.

A job well done!

Regards
-- 
Jonathon Coombes <jon at cybersite.com.au>
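As an added example (not part of Simon Bryan's instructions or Jonathon's reply, and not Samba's own tooling), the POSIX shell script below turns the three checks the thread describes into functions you can run against a box after the setup: that `wbinfo -a` reported both plaintext and challenge/response success (the NOTE about --with-winbind-auth-challenge), that /etc/nsswitch.conf actually lists winbind for passwd and group (the "only seeing the Linux users" case), and that a pam.d service file carries pam_winbind.so and the essential pam_mkhomedir.so. The function names and the sample inputs are this example's own; the samples are constructed from the thread's text rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: post-setup checks for a winbind
# configuration. Each function takes the text to inspect as its first argument,
# so it can be fed a constructed sample (as below) or live data, for example
#   check_wbinfo_auth "$(wbinfo -a "DOMAIN\\user%pass")"
#   nss_has_winbind "$(cat /etc/nsswitch.conf)" passwd
# Function names and sample inputs are assumptions of this example, not Samba's.

# 1. wbinfo -a must report BOTH plaintext and challenge/response success.
#    A missing challenge/response line means Samba was built without
#    --with-winbind-auth-challenge and NTLM authentication will not work.
#    Returns 0 on success, 1 if plaintext failed, 2 if challenge/response is missing.
check_wbinfo_auth() {
    printf '%s\n' "$1" | grep -q '^plaintext password authentication succeeded' || return 1
    printf '%s\n' "$1" | grep -q '^challenge/response password authentication succeeded' || return 2
    return 0
}

# 2. nsswitch.conf must name winbind as a source for the database ($2, e.g. passwd
#    or group). If getent only shows local accounts, this is the line to look at.
nss_has_winbind() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2:([[:space:]]+[^[:space:]]+)*[[:space:]]+winbind([[:space:]]|$)"
}

# 3. A pam.d service file ($1) must reference module $3 under management group $2
#    (auth/account/session). Handles the plain keyword control field used in the
#    thread (required/sufficient/optional), not the bracketed [success=...] form.
pam_has_module() {
    mod=$(printf '%s' "$3" | sed 's/[.]/\\./g')   # escape the dot for the regex
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+[a-z]+[[:space:]]+([^[:space:]]*/)?$mod([[:space:]]|$)"
}

# Constructed sample inputs mirroring the thread's examples (not real captures).
SAMPLE_WBINFO_OK='plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)'

# What a build without --with-winbind-auth-challenge would look like.
SAMPLE_WBINFO_NO_NTLM='plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)'

SAMPLE_NSSWITCH='passwd:     files winbind
shadow:     files
group:      files winbind'

SAMPLE_PAM_LOGIN='auth       required     /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_mkhomedir.so umask=0022
session    optional     /lib/security/pam_console.so'

# Runs every check against the samples, prints one line per check and returns
# the number of failures (0 means the setup matches what the thread expects).
run_checks() {
    fails=0
    if check_wbinfo_auth "$SAMPLE_WBINFO_OK"; then
        echo "ok   wbinfo -a: plaintext and challenge/response both succeeded"
    else
        echo "FAIL wbinfo -a: check --with-winbind-auth-challenge (rc=$?)"; fails=$((fails + 1))
    fi
    for db in passwd group; do
        if nss_has_winbind "$SAMPLE_NSSWITCH" "$db"; then
            echo "ok   nsswitch.conf: $db includes winbind"
        else
            echo "FAIL nsswitch.conf: $db does not list winbind"; fails=$((fails + 1))
        fi
    done
    for spec in "auth pam_winbind.so" "account pam_winbind.so" "session pam_mkhomedir.so"; do
        set -- $spec
        if pam_has_module "$SAMPLE_PAM_LOGIN" "$1" "$2"; then
            echo "ok   pam.d/login: $1 uses $2"
        else
            echo "FAIL pam.d/login: $1 is missing $2"; fails=$((fails + 1))
        fi
    done
    return $fails
}

run_checks
```

Swap the sample variables for real file contents and command output to use this on a host; a non-zero return from run_checks tells you which of the thread's steps was skipped.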