Old 03-05-2004, 11:23 AM   #1
raynet11
Suse 9, Winbind + Samba Doc


Hey guys, I couldn't find any good info for the complete setup (start to finish), so I did it the hard way. Here is how I did it; hope it helps someone. There are a lot of docs out there for RedHat, but I couldn't find any for Suse 9, so here goes. Don't flame me for mistakes; this is what I did to get my system working. Feel free to add. =>

Suse 9.0 Windows Active Directory / Domain How-to:

Purpose: This document will guide the setup of Suse 9.0 to support unified login as well as file and directory permission compatibility within a Microsoft Windows domain or Active Directory environment.

Software and disclaimer:

This document was intended for Suse Linux 9.0 running samba-2.2.8a-107 only. Though there are common settings that can carry over to other Linux distributions, this is what this document was written for. The PAM structure differs the most between Linux distributions; documentation for RedHat and Mandrake can be found on the web. Since this document was written the hard way, through trial and error using bits and pieces of documentation found in books and on the web, it may have faults that I am unaware of.

Packages used in the creation of this document:

pam_smb-1.1.6-528
samba-2.2.8a-107

Windows Structure:

Below I will define a fictional network. The network will consist of two machines: the first listed is the domain controller running Windows, and the second machine will be our Linux workstation; the domain name is also listed. The domain controller will also serve as the password server for the domain. Before you get started, be aware that you must have a domain administrator account to put your Linux client in the domain.

Windows Side:

DomainMaster.MyCompany.com
Domain Name: MyCompany.com

Linux Side:

my-linux.MyCompany.com

DNS:

Before you get too far, make sure that you have DNS name resolution to your domain controller from your Linux client; you should be able to ping it using the full domain name. (Note: do not try to ping it by short name; Linux is not using WINS.) If you cannot ping it, then add the name to your hosts file located in the /etc directory.

Samba Configuration files:

From the console, log in as root using the su command.

Example:
# su

Change to the /etc/samba directory and make a backup of your smb.conf file.

Example:
# cp smb.conf smb.org

Edit the smb.conf global section. The following example uses MYCOMPANY as the domain, and the domain controller is DomainMaster.MYCOMPANY.com. Substitute to suit your own network. Most of these lines will already be in your smb.conf file; for the items that are not, add them, and for the lines that are different, change them. (Note: you can add more than one password server, just leave a space between the entries.)

[global]
workgroup = MYCOMPANY
os level = 2
time server = Yes
unix extensions = Yes
encrypt passwords = Yes
map to guest = Bad User
printing = CUPS
printcap name = CUPS
password server = DomainMaster.MYCOMPANY.com
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
wins support = No
veto files = /*.eml/*.nwd/riched20.dll/*.{*}/
security = domain
netbios name = my-Linux

Next we will set up the winbind section of the file; add these parms after the global section.

#winbind options per me 03-02-04:
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash

#Allow password changing from Windows to update Linux System Password:
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *password:*all*authentication*tokens*updated*successfully

#Use PAM's password change control flag for Samba. If enabled,
#then PAM will be used for password changes when requested by
#an SMB client instead of the program listed in the passwd program.
#It should be possible to enable this without changing your passwd
#chat parameter for most setups.

pam password change = yes

Save the smb.conf file and close it. Next, run the testparm command to test the smb.conf file for syntax errors. If you have errors, go back and fix them and then re-run testparm.

Example:
# testparm smb.conf

NSSWITCH configuration:

Back up your nsswitch.conf file (note that I use .org, which stands for original; I will go back later and make copies of the working files as .bak).

Example:
# cp nsswitch.conf nsswitch.org

After backing up your nsswitch.conf, open it and add winbind to the end of the passwd: and group: lines (these lines are near the beginning of the file). Then save and close the file when you are finished.

Example:
passwd: compat winbind
group: compat winbind

After you are finished editing the nsswitch.conf file, run ldconfig to activate the changes.

Example:
# /sbin/ldconfig

Samba Service:

From the console, cd over to the /etc/rc.d directory; this is where you can view, change or modify your system's services. In the next few steps we will set up these services to ensure they start every time, and then we will also start them.

From the console, use the chkconfig script to see if the smb and winbind services are on. We are looking for these services to be on for runlevels 3 and 5.

Example:
# chkconfig --list smb

If the services are not already set to on for runlevels 3 and 5, turn them on using chkconfig.

Example: (turn on smb and winbind)
# chkconfig smb on
# chkconfig winbind on

Next we will have to disable the nscd service, which interferes with the proper functioning of winbind.

Example:
# chkconfig nscd off

Now turn off the nscd service:

Example:
# ./nscd stop

We are now ready to start smb and winbind; if they are already running, restart them:

Example: (note that the two lines are separate commands)
# ./smb start
# ./winbind start

Join the Domain:

Joining the domain requires that you have name resolution to your password server (PDC) and an administrative account that can move machines into the domain. We will first create the domain account, and then we will test winbind and the local system accounts and groups to ensure they are both pulling the correct information.

From the console, as root, join the domain. The syntax format is explained below:

DOMAIN = the name of your domain (upper case)
PDC = Full name of your PDC server ServerName.Domain.com
user_name = The domain username with admin privileges

Example:
# smbpasswd -j DOMAIN -r PDC -U user_name

We will now test winbind to ensure we can pull user and group info from the domain. Users should show up as DOMAIN+USER when the results are returned.

Example: (get users)
# wbinfo -u

Example: (get groups)
# wbinfo -g

Example: (tests connection)
# wbinfo -t

Next, test the Linux system password database. By changing the nsswitch.conf file, the system should now see domain resources along with the local Linux machine accounts. (Note: sometimes this command takes a long time to return.)

Example: (list of users)
# getent passwd

Example: (list groups)
# getent group

PAM configuration:

(WARNING!!! DO NOT EDIT ANY PAM FILES BEFORE BACKING THEM UP, AND DO NOT REBOOT UNTIL YOU HAVE TESTED YOUR CHANGES. NOT DOING SO CAN LOCK YOU OUT OF YOUR SYSTEM!!!!)

We're almost finished; the PAM configuration is the last major component to configure. In this section we will set up the PAM files to allow login to the system, and we will also set up the base home directory. It would be wise to create a boot disk at this point; the installation CD can also serve as a point of rescue. Just make note of your hard disk devices listed in your fstab file, as trying to find this info later can be hard if you are locked out of your system.

The first step will be to back up the PAM files we will be working with; in this document there are only three files that will be edited. The PAM files are stored in /etc/pam.d. You should be logged on as root. Back up the following files: login, samba, and xdm.

Example:
# cp login login.org
# cp samba samba.org
# cp xdm xdm.org

Edit the login file to add your winbind info. Below is an example of the file I created. Remember that the order of the lines matters: PAM reads the file from the top down, allowing you to go on to the next line only if the credentials supplied are good enough to pass the current line. Lines using pam_winbind.so and pam_mkhomedir.so were added.


#%PAM-1.0
# auth: pam_nologin has to sit before the 'sufficient' lines, otherwise a
# successful pam_unix2/pam_winbind ends the stack and it is never consulted.
# pam_winbind reuses the password pam_unix2 already prompted for.
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_unix2.so nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account sufficient pam_winbind.so
account required pam_unix2.so
# password: pam_unix2 is left commented out here, so passwords are only checked
# by pam_pwcheck at this stage, not updated.
password required pam_pwcheck.so nullok
#password required pam_unix2.so nullok use_first_pass use_authtok
# session: these must stay 'required', not 'sufficient'. A 'sufficient' success
# returns to login before the rest of the stack runs, so pam_mkhomedir would
# never create /home/%D/%U on a domain user's first login.
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022


Edit the xdm file and add the pam_winbind.so parameters. Below is an example of my file.

#%PAM-1.0
auth sufficient pam_winbind.so
auth sufficient pam_unix2.so use_first_pass nullok #set_secrpc
account sufficient pam_winbind.so
account required pam_unix2.so
password required pam_unix2.so #strict=false
session required pam_unix2.so debug # trace or none
session required pam_devperm.so
session required pam_resmgr.so

Next, edit the samba file and ensure it looks like the following example.

#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so


Testing PAM Settings:

The following steps are required before you move on; if you are not able to perform all the steps below, you must correct your PAM configuration files so you can. If you get stuck on any of the steps, ensure you do not reboot your machine without restoring your original PAM files.

Console Login Test:

Using Ctrl+Alt+F1, start a new console session; we will use this as a back door for testing our PAM settings. At the login prompt, test your login using the local root account.

After you have verified that you can log in using the machine's local accounts, you can test a console login of a domain account; the username is specified as DOMAIN+USER.

X-windows Login Test:

If you successfully managed to log in using both the local root account and a domain account, the next step is to test X-windows.

From the same console session in which you performed the previous tests, log in as root.

Using Ctrl+Alt+F1, change back to your windows session.

Log out of the X-windows session and return to the login window. (Note: this will take a long time because the login will pull all the domain accounts to add to the list; don't worry about this now, we will change the settings later.)

Test the login using a local machine account, then log out after login is complete.

Test domain login using the username specified as DOMAIN+USER.

If all tests were good, congratulations! If you're still a “work in process”, you can save your PAM files with the work you have done to this point, but remember to restore your originals if you intend to reboot.

X-window login box:

As you saw during the test, our login box pulled all the account names that exist on the domain; this should be fine for a small user base. If you have a large user base and do not wish to display all the user names, you can disable this option from within yast2 under System Administration ==> Login Manager; select the Users tab and change "show users" to “none”.
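A quick sanity check of the three edits above, as an added example that is not part of the original post: it reads smb.conf, nsswitch.conf and /etc/pam.d/login (the paths are assumptions that default to the SuSE locations used in the how-to) and reports anything worth fixing before the reboot the warning above talks about. The function names and the --check switch are mine, not anything from SuSE or Samba.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot sanity checks for the
# three edits the how-to makes (smb.conf, nsswitch.conf, /etc/pam.d/login).
# Paths are assumptions that default to the SuSE 9 locations used above.
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
NSS_CONF="${NSS_CONF:-/etc/nsswitch.conf}"
PAM_LOGIN="${PAM_LOGIN:-/etc/pam.d/login}"

# smb_conf_ok FILE: returns 0 when the domain-membership settings winbind
# depends on are present: security = domain, a password server, both id ranges.
smb_conf_ok() {
    for key in 'security *= *domain' 'password server *= *[^ ]' \
               'winbind uid *= *[0-9]+-[0-9]+' 'winbind gid *= *[0-9]+-[0-9]+'; do
        grep -Eiq "^[[:space:]]*$key" "$1" \
            || { echo "smb.conf: missing '$key'"; return 1; }
    done
    return 0
}

# nsswitch_ok FILE: returns 0 when both the passwd and group databases list
# winbind, which is what makes 'getent passwd' show DOMAIN+USER accounts.
nsswitch_ok() {
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" \
            || { echo "nsswitch.conf: '$db:' line does not list winbind"; return 1; }
    done
    return 0
}

# pam_mkhomedir_reachable FILE: 0 when pam_mkhomedir.so in the session stack
# can actually run, 1 when an earlier 'session sufficient' line ends the stack
# before it (no home directory on first domain login), 2 when it is absent.
pam_mkhomedir_reachable() {
    awk '
        /^[[:space:]]*#/ || NF < 3 || $1 != "session" { next }
        $3 ~ /pam_mkhomedir\.so/ { found = 1; exit (shadow ? 1 : 0) }
        $2 == "sufficient"       { shadow = 1 }
        END { if (!found) exit 2 }
    ' "$1"
}

# main: run all three checks, print one line per file, exit 1 if any failed.
main() {
    rc=0
    smb_conf_ok "$SMB_CONF" && echo "smb.conf: ok" || rc=1
    nsswitch_ok "$NSS_CONF" && echo "nsswitch.conf: ok" || rc=1
    pam_rc=0; pam_mkhomedir_reachable "$PAM_LOGIN" || pam_rc=$?
    case $pam_rc in
        0) echo "pam login: pam_mkhomedir reachable" ;;
        1) echo "pam login: pam_mkhomedir shadowed by an earlier 'session sufficient' line"; rc=1 ;;
        *) echo "pam login: pam_mkhomedir.so not found in the session stack"; rc=1 ;;
    esac
    return $rc
}

# The live checks only run when invoked as: sh check_winbind_setup.sh --check
if [ "${1:-}" = "--check" ]; then main; exit $?; fi
```

Run it as root after the testparm and getent steps. The PAM check is the one most worth having: a 'session sufficient' line ahead of pam_mkhomedir returns success to login before the module that creates /home/%D/%U ever runs, so the first domain login lands in a missing home directory, and nothing in the console test above would show that until a real user tries it.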
 
Old 03-11-2004, 07:13 AM   #2
mcandy
thanks

It was working exactly the described way, thanks.
Did you get the tftp server running on your Suse9 pro?
 
Old 03-11-2004, 08:14 AM   #3
raynet11
FTP

I'm not using FTP, but I would imagine that if you modify your PAM files just as you did for xdm or login, it should work. Remember to leave yourself a back door using Alt+Ctrl+F1 so you don't lock yourself out if you make a mistake. (I learned the hard way and had to restore my test box.)
 
Old 03-11-2004, 09:05 AM   #4
raynet11
Update to this document:

I have also created an update to this document called "Suse9, samba integration with Microsoft". The document has everything this document has, but has a part II for getting the Samba server, ACLs, and shares up and going as well. Do a search for it; I'm afraid to link it in case linuxquestions.com moves links to posts.


raynet11..
 
Old 04-02-2004, 04:57 PM   #5
KGT

I can't seem to log in using a Windows 2000 domain account.
I followed all your steps, I even have the same Linux version and package versions you have.
I also copied exactly the same information from your login, xdm and samba files.
wbinfo -u does show me all the windows users though.

The only thing I had was that testparm smb.conf displayed a message "'winbind separator = +' might cause problems with group membership." so I changed it to / in my smb.conf file.
I restarted the services /etc/rc.d/smb and /etc/rc.d/winbind and reconnected to the w2k server.
Nothing helps. Anyone who can help me?

 
Old 04-22-2004, 02:38 AM   #6
pacoman
Hi Raynet

Your document has been of great help, allowing me to integrate squid with a win2k server.

I would like your permission to translate your instructions to Spanish, to be published on a Spanish Linux group website.


Thanks
 
Old 04-22-2004, 08:30 AM   #7
raynet11
posting this..

Feel free to post it as you wish, I want this document to help others to avoid doing it the "hard way" as I have done.

raynet11
 
Old 04-23-2004, 04:04 AM   #8
pacoman
Thanks a lot.

Could you mail me so I can reference you in the credits?
 
Old 06-02-2004, 04:45 AM   #9
jaywave
yo

hi ray

I have tried the same way you did, but there is a problem with it.
There is a problem after I joined the domain.

When I do wbinfo -u or -g
it shows: 0xxxxx6 or 0xxxx22

But wbinfo -t is working fine.

However, I still carried on with the PAM settings, and as a result it is not working!

For some reason, if I join the domain again it works fine until I do wbinfo, and then it shows "could not lookup the domain".

Do you mind telling me what problem I encountered, what problem I suspect, and how to cope with it?

ps: do you mind telling me your email address =)

Cheers
Jay
 
Old 06-02-2004, 10:09 AM   #10
raynet11
winbind problem:

Try deleting your account from the windows side and then rejoin the domain, if your secret is OK then there is something else that is not translating the accounts. Try some wbinfo testing with some of the other options to see if it's just a translation issue.

-u lists all domain users
-g lists all domain groups
-n name converts name to sid
-s sid converts sid to name
-N name converts NetBIOS name to IP (WINS)
-I IP converts IP address to NetBIOS name (WINS)
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store user and password used by winbindd (root only)
-p 'ping' winbindd to see if it is alive
--sequence show sequence numbers of all domains
--set-auth-user DOMAIN\user%password set password for restrict anonymous
 
Old 06-02-2004, 10:32 AM   #11
jaywave
Worse thing happened

Yes, it did show "secret is good" last time, but after I restarted the computer and tried to join it again, it is JOINED!

But neither wbinfo -t nor -u/-g is working, showing "Could not find secret" and "error: could not lookup the domain".

And all the settings are the same as yesterday.

*out of bullets this time...*

Using suse 9.0.

Man, are you gonna help me out of this?


Cheers
Jay
 
Old 06-02-2004, 10:37 AM   #12
jaywave
cont...

Oh yes.
"delete the account from the windows side and then rejoin the domain..."

For the previous testing where wbinfo -t worked, I actually created the computer name in the windows server first, which you mentioned in your doc. Correct me if I'm wrong.

And the account you mean: do I need to create a user account or the computer name? The computer name is linuxsuse, and the user account I am trying to log on with is my user account that is created in the Active Directory. Am I right?

So do you mean delete the computer name???
And rejoin using smbpasswd???


Cheers
Jay
 
Old 06-02-2004, 10:43 AM   #13
raynet11
winbind:

1. Make sure that the smb and winbind services are running
2. Ensure that you can ping your DC by name
3. Verify your nsswitch.conf file

If the above is correct and you still have problems, try running ldconfig again. Also, I have a more in-depth document at this link; I posted it after I posted this doc. It also has the server side and a few things that I may have missed in this doc:

http://www.linuxquestions.org/questi...=samba+winbind
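The three checks in this reply, plus the wbinfo tests and the uid-range question from the winbind reply a few posts up, as an added diagnostic script that is not part of the thread: it walks the layers in dependency order and stops at the first one that fails, so "joined but wbinfo fails" gets narrowed to services, name resolution, NSS, the machine secret, enumeration, or id mapping. The DC name, domain, separator and id range are assumptions that default to the how-to's values; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the thread: ordered winbind troubleshooting walk.
# DC, DOMAIN, SEP and the uid range are assumptions defaulting to the how-to.
DC="${DC:-DomainMaster.MyCompany.com}"
DOMAIN="${DOMAIN:-MYCOMPANY}"
SEP="${SEP:-+}"                  # must match 'winbind separator' in smb.conf
UID_LO="${UID_LO:-10000}"        # 'winbind uid' range from smb.conf
UID_HI="${UID_HI:-20000}"

# mapped_in_range DOMAIN SEP LO HI: reads 'getent passwd' output on stdin and
# returns 0 when every DOMAIN<SEP>user entry has a uid inside the winbind
# range. No such entries, or one outside the range, means the ids are not
# coming from winbind (an nsswitch/winbindd problem), not a DC problem.
mapped_in_range() {
    awk -F: -v dom="$1" -v sep="$2" -v lo="$3" -v hi="$4" '
        index($1, dom sep) == 1 {
            n++
            if ($3 + 0 < lo + 0 || $3 + 0 > hi + 0) {
                bad++; print "uid outside winbind range: " $0
            }
        }
        END {
            if (n == 0) { print "no " dom sep "* accounts visible via getent"; exit 1 }
            exit (bad > 0)
        }'
}

# step LABEL CMD...: run one check quietly, print ok/FAIL, return its status.
step() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "ok    $label"; return 0; fi
    echo "FAIL  $label"; return 1
}

# winbind_diag: the ordered walk. The return code is the number of the first
# failed layer, so the script can be used from other scripts as well.
winbind_diag() {
    step "smbd running"                             pidof smbd            || return 1
    step "winbindd running"                         pidof winbindd        || return 2
    step "DC reachable by full name: $DC"           ping -c 1 -w 3 "$DC"  || return 3
    step "nsswitch.conf passwd line lists winbind" \
         grep -Eq '^passwd:.*winbind' /etc/nsswitch.conf                  || return 4
    step "winbindd answers (wbinfo -p)"             wbinfo -p             || return 5
    step "machine trust secret ok (wbinfo -t)"      wbinfo -t             || return 6
    step "domain users enumerate (wbinfo -u)"       wbinfo -u             || return 7
    if getent passwd | mapped_in_range "$DOMAIN" "$SEP" "$UID_LO" "$UID_HI"; then
        echo "ok    domain accounts mapped into $UID_LO-$UID_HI"
    else
        echo "FAIL  domain accounts mapped into $UID_LO-$UID_HI"; return 8
    fi
    echo "all layers ok: a remaining login failure is in the PAM files, not winbind"
    return 0
}

# The live walk only runs when invoked as: sh winbind_diag.sh --run
if [ "${1:-}" = "--run" ]; then winbind_diag; exit $?; fi
```

Reading the result: a FAIL at layer 6 right after a fresh join is the "secret" case this thread is circling around (the computer account on the DC and the secret stored by smbpasswd -j no longer agree), while ok at 6 but FAIL at 7 or 8 is the "translation" case from the wbinfo list, where the join is fine but winbindd is not enumerating or not assigning ids from its configured range. Layer 4 failing with layer 2 passing is the nsswitch.conf edit having been lost or mistyped.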
 
Old 06-02-2004, 10:59 AM   #14
jaywave
reply

Quote:
1. Make sure that smb and winbind services are running
2. Ensure that you can ping your DC by name
3. Verify your nsswitch.conf file

Yes, all are fine.
I have read the post you gave me; it is cool and I will try it! But I think the same problem will happen again, as it is about the joining-domain problem.

One thing I am concerned about: when I do testparm smb.conf, it gives me something about "winbind separator = +" may affect the membership of bla bla. Is that a big matter?

What do you think I should do if I still fail :S

Cheers
Jay-NeverFail
 
Old 06-03-2004, 09:55 AM   #15
jaywave
yo ray

ray,

yo man...

I deleted the PC name from the domain.
I couldn't do it in the sambaclient; it just doesn't allow me to join.
So I did the smbpasswd again, then went back to the domain to check; the name is created, which means it is joined to the domain.

But the problem is that wbinfo -t or -u are not working. So what does that mean?
I think it is that winbind could not look up the domain, right?

But I did the same as what you did; is there any way I can check whether winbind is fine?

So what have I done wrong?

Please help!

cheers
jay
 
  

