This section contains information on the latest features
available in Samba, which allow you to get the most out of your Linux desktop
or server, and allow you to integrate it into a large Windows network, or
to form the basis of a small Windows network.
Why join your Linux box to a Windows domain?
A Windows Domain is a workgroup (usually) controlled
by a Windows (Windows NT or Windows 2000) Server, which provides account
and authentication services to the clients (typically Windows NT or Windows
2000 Pro, but to a limited extent Windows 9x) in the way one would use NIS
or LDAP in a Unix network. This results in less admin overhead on the Windows
NT/2000 machines (users only need a domain account, as opposed to one per
machine) and more security on the Windows 9x machines (it is possible to
only allow authenticated logins to Windows 9x).
It is possible for you to join your Linux box to a Windows
domain, which allows you to provide file sharing to your colleagues who run
Windows machines in the domain, without needing to try and keep their Samba
password on your machine in sync with their Windows domain password.
Configuration options required
To participate in a Windows domain, you need the following
entries in your 'smb.conf' file:
encrypt passwords = yes
security = domain
workgroup = <WORKGROUP>
password server = <LIST_OF_DOMAIN_CONTROLLERS>
Setting password server = * will cause
Samba to look up the domain controllers on your network automatically. If
for some reason this does not work, and you know the name of the domain controller,
you can instead enter a space-separated list of the NetBIOS names of your
Domain Controllers (PDCs and BDCs).
Actually joining the domain
You now need to join the Windows domain. This involves
having an account made for your machine, and then having your machine log
into the server and change its password. You can do this all in one step
with the following command:
smbpasswd -j <DOMAIN> -r <DOMAIN_CONTROLLER> -U <DOMAIN_ADMIN>
Where DOMAIN is the name of your domain (should be the
same as the workgroup parameter in your 'smb.conf' file), DOMAIN_CONTROLLER
is the name of the Primary Domain Controller of your domain, and DOMAIN_ADMIN
is an account on the PDC with Domain Admin privileges. You will be prompted
for this user's password, so you should ask your Windows admin to help you
here if necessary.
Older versions of Samba need you to do this in two steps
(this can also be used if your Windows admin is far away but can make an account
for your computer):
- Have a computer account made in the domain for your
Linux box. This must be the name used in the netbios name parameter
in 'smb.conf', or your host-name if you haven't specified a name. Ask your
Windows admin to do this for you.
- Join the Windows domain with the following command:
smbpasswd -j <DOMAIN>
Allowing domain users to access your machine
The advantages of joining a domain are mainly to allow
controlled access to files on your machine. To control file permissions,
Linux needs users and groups to assign file ownership to, and to check against
when determining whether a user has access. Samba doesn't provide this, so you need to make
local Unix accounts (or via some other method like NIS or LDAP) for each
user accessing your machine via Samba. Samba only uses the domain to check
the password of the user at present.
If you trust everyone in your domain to not eat up your
disk space (or if you implement quotas), you can set Samba up to create user
accounts when a user authenticated by a domain controller accesses your machine,
using the add user script parameter in 'smb.conf'. For example,
you could use:
add user script = /usr/sbin/useradd -s /bin/false %u
or specify an external shell script, or add more parameters.
There is also a corresponding delete user script parameter, which will run
a command if a user attempts to connect to your machine, and Samba receives
a packet that indicates that the user no longer exists. Please note that
both of these scripts need full paths and are executed as ROOT.
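Because both scripts run as root and receive the username from the domain logon, an external script is a good place to validate that name before it reaches useradd. The following is an added example of such a script, not code from the original page or from the Samba project; the path /usr/local/sbin/samba-adduser and the name samba-adduser are assumed.

```shell
#!/bin/sh
# Hypothetical external "add user script" for Samba (added example, not from the page).
# smb.conf would point at it:   add user script = /usr/local/sbin/samba-adduser %u
# Samba runs this as root with the domain-authenticated username as $1.

# Accept only names that are safe to hand to useradd: lowercase letters,
# digits, '.', '_' and '-', at most 32 characters, and not starting with '-'
# (a leading '-' would be parsed by useradd as an option).
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Refuse to touch accounts that already exist locally (root, daemon, ...).
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

create_user() {
    name=$1
    valid_username "$name" || { echo "samba-adduser: rejected name" >&2; return 2; }
    user_exists "$name" && return 0      # idempotent: account already present
    # No interactive shell, password left locked, home directory created from skel.
    /usr/sbin/useradd -s /bin/false -m -c "Samba domain user" "$name"
}

# Only act when Samba actually passed a name; running the file with no
# arguments (for instance to test the functions) creates nothing.
if [ $# -eq 1 ]; then
    create_user "$1"
fi
```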
An important feature currently under development by
the Samba team is Winbind, which will allow Linux to directly get user and
group information from a domain, and will obviate the need to make local
user accounts. Look out for this feature in Samba 2.2.2.
Thanks to the Name Service Switch and Pluggable Authentication
Modules, Linux is very flexible regarding authentication of services. By
using the pam_smb
module to do password authentication, you can use the accounts in a Windows
domain to authenticate users for any service that supports PAM. The pam_smb
module is available as an RPM at rpmhelp.net.
After installing the pam_smb
RPM, you need to edit the '/etc/pam_smb.conf' file as follows:
<DOMAIN> <PDC> <BDC>
where <DOMAIN> is the name of your
domain, and <PDC> and <BDC> are the
NetBIOS names of your Primary Domain Controller and your Backup Domain Controller
respectively.
pam_smb will only provide password authentication from
the domain, but can not provide group or user information. Thus for this
to be useful, in most cases you will have to either use NIS
or LDAP for account information, or maintain passwd files on
each machine using pam_smb.
To use pam_smb for password authentication, you now
need to modify the PAM configuration files. For example, if you want to allow
users to use all PAM-aware services on your Mandrake 8.1 machine, you can
modify the file '/etc/pam.d/system-auth' file so that the "auth" lines are
as follows:
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_smb_auth.so use_first_pass
auth sufficient /lib/security/pam_unix.so likeauth nullok try_first_pass
auth required /lib/security/pam_deny.so
(here having added line 4). See the full file
Authenticating Squid from a Windows domain
Unfortunately Squid does not have support for PAM, and
thus needs some other mechanism for authenticating. auth_smb
is a small program that can accomplish this.
Authenticating Apache from a Windows domain
An authentication module for Apache called mod_auth_external
allows you to do authentication for Apache via PAM, thus using 'mod_auth_external'
with 'pam_smb' will allow authentication from the Domain Controller. You
would probably want to secure this using SSL.
There is also mod_auth_smb (current location unknown).
Winbind is a set of 2 shared libraries for the Name
Service Switch (NSS) and Pluggable Authentication Modules (PAM) services,
which together allow you to do all user/group enumeration and password authentication
from a Windows Domain Controller (Samba itself does not support Winbind yet).
Winbind implements a mapping of Windows Relative Security
IDs to Unix UIDs. This mapping will most likely be different for each Linux
box, so if you intend to implement NFS between Linux boxes later, Winbind
is probably not a good choice, and you should consider using LDAP or NIS
in conjunction with 'pam_smb'. Also, the mapping is stored in a database
file on the machine, which should be backed up, otherwise the RID->UID
mappings could be lost.
Please note that Winbind is only available in Samba
2.2.2 and later. RPMS of
samba-2.2.4 are available which implement a working Winbind, but other
parts of Samba may not work.
To implement Winbind, you need to complete each of the
sections below.
Be a member of a (samba or windows) domain
This requires that you have:
encrypt passwords = yes
security = domain
password server = *
set in your '/etc/samba/smb.conf', that you have an
account in the domain for your machine, and that you have joined the domain
by issuing (as 'root'):
# smbpasswd -j <domain_name>
Add the following entries to smb.conf:
winbind uid = 10000-20000
winbind gid = 10000-20000
(you can change the values, of course). The default character
Winbind uses to separate the user's domain name from their user name is \,
to suit Windows-type names, but it will not work for certain applications
(for example mail delivery). You can change it with, for example,
winbind separator = "+".
Add "winbind" to the passwd and group sections of /etc/nsswitch.conf
(An example nsswitch.conf
file is given below that accomplishes this and also allows name resolution
via WINS).
Start Winbindd
As 'root', type winbindd.
If you have installed the samba-winbind RPM, you should
be able to use service winbind start.
Once Winbind is running, you can test it with 'wbinfo':
$ wbinfo -t #tests connection
$ wbinfo -m #lists trusted domains
$ wbinfo -u #gets users
To check that it really works, try:
$ getent passwd
$ getent group
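Once getent returns domain users, it is worth confirming that the UID layout is what the winbind uid setting above intended. The following is an added example, not from the original page: it reads passwd-format lines (as printed by getent passwd) and flags both winbind entries that fall outside the configured range and local accounts that already sit inside it, since an overlap would let a domain user own files belonging to a local user with the same UID. The separator argument follows the page's "+" example; the sample passwd lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the original page). Checks `getent passwd` output against
# the 'winbind uid = LOW-HIGH' range from smb.conf.
# Arguments: winbind separator, low UID, high UID. Reads passwd lines on stdin.
# Returns 0 when the layout is consistent, 1 after printing each offending entry.
check_winbind_range() {
    sep=$1; lo=$2; hi=$3
    awk -F: -v sep="$sep" -v lo="$lo" -v hi="$hi" '
        {
            from_winbind = (index($1, sep) > 0)          # e.g. MYDOM+bob came from winbind
            in_range     = ($3 >= lo && $3 <= hi)
            if (from_winbind && !in_range) {
                print "winbind user outside configured range: " $0; bad = 1
            }
            if (!from_winbind && in_range) {
                print "local account collides with winbind range: " $0; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample of what `getent passwd` might return on a joined machine.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
MYDOM+bob:x:10001:10000:bob:/home/MYDOM/bob:/bin/false
EOF
}

# Real use on a joined box:   getent passwd | check_winbind_range '+' 10000 20000
sample_passwd | check_winbind_range '+' 10000 20000 && echo "winbind UID layout is consistent"
```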
Configure pam.d files to use winbindd
Mis-configuring PAM can prevent you from logging
in, allow others to log in without accounts, or be a very powerful tool for
allowing you to customize your authentication method. The files listed below
accomplish what I would want to test from Winbind on a Mandrake 8.0 box (allowing
users from a Windows domain to log in to a console, and still allowing users
with local Unix accounts all previous privileges), but are only given as
an example. Please customize and test this before implementing in a production
server, and always keep a 'root' login open somewhere when modifying PAM
configuration files.
The files system-auth and
login belong in the '/etc/pam.d' directory.
You will note that
- system-auth has been modified
as follows:
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
to allow authentication from Winbind or standard
Unix files, using only one password prompt.
- login has been modified as follows:
account sufficient /lib/security/pam_winbind.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
to allow account checking by Winbind and automatic
home directory creation.
- Note that login uses:
auth required /lib/security/pam_stack.so service=system-auth
Note that the configuration of the 'system-auth'
file is used by many 'pam.d' files via 'pam_stack', so if you don't want
to do authentication via Winbind for all those services, you should probably
make a separate 'system-auth' file ('system-auth-winbind' for example) and
change the pam_stack line to have service=system-auth-winbind
(this is as yet untested).
The file 'system-auth-winbind.pamd' (Mandrake 8.0 - Mandrake 8.1) is a replacement
for '/etc/pam.d/system-auth' if you want all PAM-capable services to allow
authentication via Winbind.