path: root/docs/htmldocs/Samba-HOWTO-Collection.html
Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
-rw-r--r--  docs/htmldocs/Samba-HOWTO-Collection.html  1979
1 files changed, 1415 insertions, 564 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
index 988766d5340..870b0ec6e82 100644
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -558,96 +558,101 @@ HREF="#AEN1098"
></DT
><DT
>8.3. <A
-HREF="#AEN1140"
+HREF="#AEN1137"
>Configuring the Samba Domain Controller</A
></DT
><DT
>8.4. <A
-HREF="#AEN1182"
->Creating Machine Trust Accounts and Joining Clients
-to the Domain</A
+HREF="#AEN1180"
+>Creating Machine Trust Accounts and Joining Clients to the
+Domain</A
></DT
><DD
><DL
><DT
>8.4.1. <A
-HREF="#AEN1196"
->Manually creating machine trust accounts</A
+HREF="#AEN1199"
+>Manual Creation of Machine Trust Accounts</A
></DT
><DT
>8.4.2. <A
-HREF="#AEN1227"
->Creating machine trust accounts "on the fly"</A
+HREF="#AEN1234"
+>"On-the-Fly" Creation of Machine Trust Accounts</A
+></DT
+><DT
+>8.4.3. <A
+HREF="#AEN1243"
+>Joining the Client to the Domain</A
></DT
></DL
></DD
><DT
>8.5. <A
-HREF="#AEN1238"
+HREF="#AEN1258"
>Common Problems and Errors</A
></DT
><DT
>8.6. <A
-HREF="#AEN1286"
+HREF="#AEN1306"
>System Policies and Profiles</A
></DT
><DT
>8.7. <A
-HREF="#AEN1330"
->What other help can I get ?</A
+HREF="#AEN1350"
+>What other help can I get?</A
></DT
><DT
>8.8. <A
-HREF="#AEN1444"
+HREF="#AEN1464"
>Domain Control for Windows 9x/ME</A
></DT
><DD
><DL
><DT
>8.8.1. <A
-HREF="#AEN1474"
+HREF="#AEN1490"
>Configuration Instructions: Network Logons</A
></DT
><DT
>8.8.2. <A
-HREF="#AEN1508"
+HREF="#AEN1509"
>Configuration Instructions: Setting up Roaming User Profiles</A
></DT
><DD
><DL
><DT
>8.8.2.1. <A
-HREF="#AEN1516"
+HREF="#AEN1517"
>Windows NT Configuration</A
></DT
><DT
>8.8.2.2. <A
-HREF="#AEN1524"
+HREF="#AEN1525"
>Windows 9X Configuration</A
></DT
><DT
>8.8.2.3. <A
-HREF="#AEN1532"
+HREF="#AEN1533"
>Win9X and WinNT Configuration</A
></DT
><DT
>8.8.2.4. <A
-HREF="#AEN1539"
+HREF="#AEN1540"
>Windows 9X Profile Setup</A
></DT
><DT
>8.8.2.5. <A
-HREF="#AEN1575"
+HREF="#AEN1576"
>Windows NT Workstation 4.0</A
></DT
><DT
>8.8.2.6. <A
-HREF="#AEN1588"
+HREF="#AEN1589"
>Windows NT Server</A
></DT
><DT
>8.8.2.7. <A
-HREF="#AEN1591"
+HREF="#AEN1592"
>Sharing Profiles between W95 and NT Workstation 4.0</A
></DT
></DL
@@ -656,133 +661,194 @@ HREF="#AEN1591"
></DD
><DT
>8.9. <A
-HREF="#AEN1601"
+HREF="#AEN1602"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></DT
></DL
></DD
><DT
>9. <A
-HREF="#WINBIND"
->Unified Logons between Windows NT and UNIX using Winbind</A
+HREF="#SAMBA-LDAP-HOWTO"
+>Storing Samba's User/Machine Account information in an LDAP Directory</A
></DT
><DD
><DL
><DT
>9.1. <A
-HREF="#AEN1644"
->Abstract</A
+HREF="#AEN1638"
+>Purpose</A
></DT
><DT
>9.2. <A
-HREF="#AEN1648"
+HREF="#AEN1652"
>Introduction</A
></DT
><DT
>9.3. <A
-HREF="#AEN1661"
+HREF="#AEN1677"
+>Supported LDAP Servers</A
+></DT
+><DT
+>9.4. <A
+HREF="#AEN1682"
+>Schema and Relationship to the RFC 2307 posixAccount</A
+></DT
+><DT
+>9.5. <A
+HREF="#AEN1706"
+>smb.conf LDAP parameters</A
+></DT
+><DT
+>9.6. <A
+HREF="#AEN1734"
+>Security and sambaAccount</A
+></DT
+><DT
+>9.7. <A
+HREF="#AEN1753"
+></A
+></DT
+><DT
+>9.8. <A
+HREF="#AEN1773"
+>Example LDIF Entries for a sambaAccount</A
+></DT
+><DT
+>9.9. <A
+HREF="#AEN1781"
+>Comments</A
+></DT
+></DL
+></DD
+><DT
+>10. <A
+HREF="#WINBIND"
+>Unified Logons between Windows NT and UNIX using Winbind</A
+></DT
+><DD
+><DL
+><DT
+>10.1. <A
+HREF="#AEN1810"
+>Abstract</A
+></DT
+><DT
+>10.2. <A
+HREF="#AEN1814"
+>Introduction</A
+></DT
+><DT
+>10.3. <A
+HREF="#AEN1827"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
->9.3.1. <A
-HREF="#AEN1668"
+>10.3.1. <A
+HREF="#AEN1834"
>Target Uses</A
></DT
></DL
></DD
><DT
->9.4. <A
-HREF="#AEN1672"
+>10.4. <A
+HREF="#AEN1838"
>How Winbind Works</A
></DT
><DD
><DL
><DT
->9.4.1. <A
-HREF="#AEN1677"
+>10.4.1. <A
+HREF="#AEN1843"
>Microsoft Remote Procedure Calls</A
></DT
><DT
->9.4.2. <A
-HREF="#AEN1681"
+>10.4.2. <A
+HREF="#AEN1847"
>Name Service Switch</A
></DT
><DT
->9.4.3. <A
-HREF="#AEN1697"
+>10.4.3. <A
+HREF="#AEN1863"
>Pluggable Authentication Modules</A
></DT
><DT
->9.4.4. <A
-HREF="#AEN1705"
+>10.4.4. <A
+HREF="#AEN1871"
>User and Group ID Allocation</A
></DT
><DT
->9.4.5. <A
-HREF="#AEN1709"
+>10.4.5. <A
+HREF="#AEN1875"
>Result Caching</A
></DT
></DL
></DD
><DT
->9.5. <A
-HREF="#AEN1712"
+>10.5. <A
+HREF="#AEN1878"
>Installation and Configuration</A
></DT
><DD
><DL
><DT
->9.5.1. <A
-HREF="#AEN1717"
+>10.5.1. <A
+HREF="#AEN1883"
>Introduction</A
></DT
><DT
->9.5.2. <A
-HREF="#AEN1730"
+>10.5.2. <A
+HREF="#AEN1896"
>Requirements</A
></DT
><DT
->9.5.3. <A
-HREF="#AEN1738"
+>10.5.3. <A
+HREF="#AEN1910"
>Testing Things Out</A
></DT
><DD
><DL
><DT
->9.5.3.1. <A
-HREF="#AEN1747"
+>10.5.3.1. <A
+HREF="#AEN1921"
>Configure and compile SAMBA</A
></DT
><DT
->9.5.3.2. <A
-HREF="#AEN1759"
->Configure nsswitch.conf and the winbind libraries</A
+>10.5.3.2. <A
+HREF="#AEN1940"
+>Configure <TT
+CLASS="FILENAME"
+>nsswitch.conf</TT
+> and the
+winbind libraries</A
></DT
><DT
->9.5.3.3. <A
-HREF="#AEN1778"
+>10.5.3.3. <A
+HREF="#AEN1965"
>Configure smb.conf</A
></DT
><DT
->9.5.3.4. <A
-HREF="#AEN1787"
+>10.5.3.4. <A
+HREF="#AEN1981"
>Join the SAMBA server to the PDC domain</A
></DT
><DT
->9.5.3.5. <A
-HREF="#AEN1797"
+>10.5.3.5. <A
+HREF="#AEN1992"
>Start up the winbindd daemon and test it!</A
></DT
><DT
->9.5.3.6. <A
-HREF="#AEN1824"
->Fix the /etc/rc.d/init.d/smb startup files</A
+>10.5.3.6. <A
+HREF="#AEN2028"
+>Fix the <TT
+CLASS="FILENAME"
+>/etc/rc.d/init.d/smb</TT
+> startup files</A
></DT
><DT
->9.5.3.7. <A
-HREF="#AEN1841"
+>10.5.3.7. <A
+HREF="#AEN2050"
>Configure Winbind and PAM</A
></DT
></DL
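Review bot: the new table-of-contents entry for section 9.7 (`HREF="#AEN1753"`) has an empty link text (`><A HREF="#AEN1753"></A>`), so it renders as a bare "9.7." with no title. Since this HTML is generated, the fix belongs in the source: the corresponding section in the LDAP chapter is missing its title element. Every other new 9.x entry in this hunk carries a title, so this one is almost certainly an omission rather than intentional.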
@@ -790,52 +856,52 @@ HREF="#AEN1841"
></DL
></DD
><DT
->9.6. <A
-HREF="#AEN1882"
+>10.6. <A
+HREF="#AEN2097"
>Limitations</A
></DT
><DT
->9.7. <A
-HREF="#AEN1892"
+>10.7. <A
+HREF="#AEN2107"
>Conclusion</A
></DT
></DL
></DD
><DT
->10. <A
+>11. <A
HREF="#OS2"
>OS2 Client HOWTO</A
></DT
><DD
><DL
><DT
->10.1. <A
-HREF="#AEN1906"
+>11.1. <A
+HREF="#AEN2121"
>FAQs</A
></DT
><DD
><DL
><DT
->10.1.1. <A
-HREF="#AEN1908"
+>11.1.1. <A
+HREF="#AEN2123"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
->10.1.2. <A
-HREF="#AEN1923"
+>11.1.2. <A
+HREF="#AEN2138"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
->10.1.3. <A
-HREF="#AEN1932"
+>11.1.3. <A
+HREF="#AEN2147"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
->10.1.4. <A
-HREF="#AEN1936"
+>11.1.4. <A
+HREF="#AEN2151"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
@@ -844,32 +910,32 @@ HREF="#AEN1936"
></DL
></DD
><DT
->11. <A
+>12. <A
HREF="#CVS-ACCESS"
>HOWTO Access Samba source code via CVS</A
></DT
><DD
><DL
><DT
->11.1. <A
-HREF="#AEN1952"
+>12.1. <A
+HREF="#AEN2167"
>Introduction</A
></DT
><DT
->11.2. <A
-HREF="#AEN1957"
+>12.2. <A
+HREF="#AEN2172"
>CVS Access to samba.org</A
></DT
><DD
><DL
><DT
->11.2.1. <A
-HREF="#AEN1960"
+>12.2.1. <A
+HREF="#AEN2175"
>Access via CVSweb</A
></DT
><DT
->11.2.2. <A
-HREF="#AEN1965"
+>12.2.2. <A
+HREF="#AEN2180"
>Access via cvs</A
></DT
></DL
@@ -878,7 +944,7 @@ HREF="#AEN1965"
></DD
><DT
><A
-HREF="#AEN1993"
+HREF="#AEN2208"
>Index</A
></DT
></DL
@@ -5565,32 +5631,33 @@ CLASS="NOTE"
><B
>Note: </B
><EM
->Author's Note :</EM
+>Author's Note:</EM
> This document is a combination
-of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ.
+of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ".
Both documents are superseded by this one.</P
></BLOCKQUOTE
></DIV
><P
->Version of Samba prior to release 2.2 had marginal capabilities to
-act as a Windows NT 4.0 Primary DOmain Controller (PDC). Beginning with
-Samba 2.2.0, we are proud to announce official support for Windows NT 4.0
-style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through
-SP1) clients. This article outlines the steps necessary for configuring Samba
-as a PDC. It is necessary to have a working Samba server prior to implementing the
-PDC functionality. If you have not followed the steps outlined in
-<A
+>Versions of Samba prior to release 2.2 had marginal capabilities to act
+as a Windows NT 4.0 Primary Domain Controller
+
+(PDC). With Samba 2.2.0, we are proud to announce official support for
+Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows
+2000 clients. This article outlines the steps
+necessary for configuring Samba as a PDC. It is necessary to have a
+working Samba server prior to implementing the PDC functionality. If
+you have not followed the steps outlined in <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
> UNIX_INSTALL.html</A
->, please make sure
-that your server is configured correctly before proceeding. Another good
-resource in the <A
+>, please make sure
+that your server is configured correctly before proceeding. Another
+good resource in the <A
HREF="smb.conf.5.html"
TARGET="_top"
->smb.conf(5) man
+>smb.conf(5) man
page</A
->. The following functionality should work in 2.2:</P
+>. The following functionality should work in 2.2:</P
><P
></P
><UL
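Review bot: the rewritten paragraph drops the service-pack qualifiers on the supported clients ("Windows NT 4.0 (through SP6)" and "Windows 2000 (through SP1)") without saying whether support has actually widened. If service-pack level no longer matters, state that; if it still does, keep the qualifiers, because the following hunk also removes the only warning that mentioned Windows 2000 SP2. Separately, the blank line inserted between "Primary Domain Controller" and "(PDC)" is harmless to rendering but looks like an editing accident in the generated output.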
@@ -5617,36 +5684,10 @@ page</A
></LI
><LI
><P
-> Windows NT 4.0 style system policies
+> Windows NT 4.0-style system policies
</P
></LI
></UL
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-BORDER="1"
-WIDTH="100%"
-><TR
-><TD
-ALIGN="CENTER"
-><B
->Windows 2000 Service Pack 2 Clients</B
-></TD
-></TR
-><TR
-><TD
-ALIGN="LEFT"
-><P
-> Samba 2.2.1 is required for PDC functionality when using Windows 2000
- SP2 clients.
- </P
-></TD
-></TR
-></TABLE
-></DIV
><P
>The following pieces of functionality are not included in the 2.2 release:</P
><P
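Review bot: this hunk deletes the "Windows 2000 Service Pack 2 Clients" warning ("Samba 2.2.1 is required for PDC functionality when using Windows 2000 SP2 clients") without replacing it. If the requirement still holds, the reader of the new text has no way to learn it; if it no longer applies (for example because the document now assumes 2.2.1 or later), say so in the surrounding prose or the commit message rather than removing the note silently. The preceding hunk also strips the SP qualifiers, so the two changes together remove all client service-pack guidance from this section.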
@@ -5678,7 +5719,7 @@ ALIGN="LEFT"
><P
>Please note that Windows 9x clients are not true members of a domain
for reasons outlined in this article. Therefore the protocol for
-support Windows 9x style domain logons is completely different
+support Windows 9x-style domain logons is completely different
from NT4 domain logons and has been officially supported for some
time.</P
><P
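Review bot: the hyphenation fix ("Windows 9x-style") leaves the grammatical error on the same line untouched: "the protocol for support Windows 9x-style domain logons" should read "the protocol for supporting Windows 9x-style domain logons". Since the line is already being rewritten, fix both.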
@@ -5711,7 +5752,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1140"
+NAME="AEN1137"
>8.3. Configuring the Samba Domain Controller</A
></H1
><P
@@ -5726,7 +5767,10 @@ man page</A
>. For convenience, the parameters have been
linked with the actual smb.conf description.</P
><P
->Here is an example smb.conf for acting as a PDC:</P
+>Here is an example <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> for acting as a PDC:</P
><P
><TABLE
BORDER="0"
@@ -5838,10 +5882,10 @@ TARGET="_top"
>path</A
> = /usr/local/samba/lib/netlogon
<A
-HREF="smb.conf.5.html#WRITEABLE"
+HREF="smb.conf.5.html#READONLY"
TARGET="_top"
->writeable</A
-> = no
+>read only</A
+> = yes
<A
HREF="smb.conf.5.html#WRITELIST"
TARGET="_top"
@@ -5861,10 +5905,10 @@ TARGET="_top"
>path</A
> = /export/smb/ntprofile
<A
-HREF="smb.conf.5.html#WRITEABLE"
+HREF="smb.conf.5.html#READONLY"
TARGET="_top"
->writeable</A
-> = yes
+>read only</A
+> = no
<A
HREF="smb.conf.5.html#CREATEMASK"
TARGET="_top"
@@ -5913,72 +5957,89 @@ CLASS="FILENAME"
></LI
></UL
><P
->As Samba 2.2 does not offer a complete implementation of group mapping between
-Windows NT groups and UNIX groups (this is really quite complicated to explain
-in a short space), you should refer to the <A
+>As Samba 2.2 does not offer a complete implementation of group mapping
+between Windows NT groups and Unix groups (this is really quite
+complicated to explain in a short space), you should refer to the
+<A
HREF="smb.conf.5.html#DOMAINADMINGROUP"
TARGET="_top"
->domain
-admin group</A
-> smb.conf parameter for information of creating "Domain Admins"
-style accounts.</P
+>domain admin
+group</A
+> smb.conf parameter for information of creating "Domain
+Admins" style accounts.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1182"
->8.4. Creating Machine Trust Accounts and Joining Clients
-to the Domain</A
+NAME="AEN1180"
+>8.4. Creating Machine Trust Accounts and Joining Clients to the
+Domain</A
></H1
><P
->A machine trust account is a samba user account owned by a computer.
-The account password acts as the shared secret for secure
-communication with the Domain Controller. This is a security feature
-to prevent an unauthorized machine with the same NetBIOS name from
-joining the domain and gaining access to domain user/group accounts.
-Hence a Windows 9x host is never a true member of a domain because it does
-not posses a machine trust account, and thus has no shared secret with the DC.</P
+>A machine trust account is a Samba account that is used to
+authenticate a client machine (rather than a user) to the Samba
+server. In Windows terminology, this is known as a "Computer
+Account."</P
+><P
+>The password of a machine trust account acts as the shared secret for
+secure communication with the Domain Controller. This is a security
+feature to prevent an unauthorized machine with the same NetBIOS name
+from joining the domain and gaining access to domain user/group
+accounts. Windows NT and 2000 clients use machine trust accounts, but
+Windows 9x clients do not. Hence, a Windows 9x client is never a true
+member of a domain because it does not possess a machine trust
+account, and thus has no shared secret with the domain controller.</P
+><P
+>A Windows PDC stores each machine trust account in the Windows
+Registry. A Samba PDC, however, stores each machine trust account
+in two parts, as follows:
+
+<P
+></P
+><UL
+><LI
><P
->On a Windows NT PDC, these machine trust account passwords are stored
-in the registry. A Samba PDC stores these accounts in the same location
-as user LanMan and NT password hashes (currently <TT
+>A Samba account, stored in the same location as user
+ LanMan and NT password hashes (currently
+ <TT
CLASS="FILENAME"
>smbpasswd</TT
->).
-However, machine trust accounts only possess and use the NT password hash.</P
+>). The Samba account
+ possesses and uses only the NT password hash.</P
+></LI
+><LI
><P
->Because Samba requires machine accounts to possess a UNIX uid from
-which an Windows NT SID can be generated, all of these accounts
-must have an entry in <TT
+>A corresponding Unix account, typically stored in
+ <TT
CLASS="FILENAME"
>/etc/passwd</TT
-> and smbpasswd.
-Future releases will alleviate the need to create
-<TT
+>. (Future releases will alleviate the need to
+ create <TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entries. </P
+> entries.) </P
+></LI
+></UL
+></P
><P
->There are two means of creating machine trust accounts.</P
+>There are two ways to create machine trust accounts:</P
><P
></P
><UL
><LI
><P
-> Manual creation before joining the client to the domain. In this case,
- the password is set to a known value -- the lower case of the
- machine's NetBIOS name.
- </P
+> Manual creation. Both the Samba and corresponding
+ Unix account are created by hand.</P
></LI
><LI
><P
-> Creation of the account at the time of joining the domain. In
- this case, the session key of the administrative account used to join
- the client to the domain acts as an encryption key for setting the
- password to a random value (This is the recommended method).
- </P
+> "On-the-fly" creation. The Samba machine trust
+ account is automatically created by Samba at the time the client
+ is joined to the domain. (For security, this is the
+ recommended method.) The corresponding Unix account may be
+ created automatically or manually. </P
></LI
></UL
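Review bot: the rewritten "Manual creation" bullet drops the only statement of what the initial machine trust account password is (the removed text: "the password is set to a known value -- the lower case of the machine's NetBIOS name"). The manual-creation section later in this patch still tells the reader to create "the Samba account for the client containing the well-known initial machine trust account password" without ever saying what that value is, so the definition needs to be restored here or in that section. Also, the new paragraph starting "A Samba PDC, however, stores each machine trust account in two parts, as follows:" opens a `<P>` that then contains a `<P></P>`, a `<UL>` and a closing `</P>`; `<P>` cannot legally contain block elements, so in the source the list should be a sibling of the paragraph rather than nested inside it.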
><DIV
@@ -5986,22 +6047,28 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1196"
->8.4.1. Manually creating machine trust accounts</A
+NAME="AEN1199"
+>8.4.1. Manual Creation of Machine Trust Accounts</A
></H2
><P
->The first step in creating a machine trust account by hand is to
-create an entry for the machine in /etc/passwd. This can be done
-using <B
+>The first step in manually creating a machine trust account is to
+manually create the corresponding Unix account in
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>. This can be done using
+<B
CLASS="COMMAND"
>vipw</B
-> or any 'add userr' command which is normally
-used to create new UNIX accounts. The following is an example for a Linux
-based Samba server:</P
+> or other 'add user' command that is normally
+used to create new Unix accounts. The following is an example for a
+Linux based Samba server:</P
><P
-><TT
+> <TT
CLASS="PROMPT"
>root# </TT
+><B
+CLASS="COMMAND"
>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
CLASS="REPLACEABLE"
><I
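Review bot: the sentence now reads "The following is an example for a Linux based Samba server"; given that this patch is standardising hyphenation elsewhere ("NT 4.0-style", "9x-style"), make it "Linux-based" here too. The `useradd` / `passwd -l` pair itself is fine: `-d /dev/null` and the locked password match the later description of the resulting `/etc/passwd` entry (no password, null shell, no home directory).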
@@ -6013,28 +6080,32 @@ CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
->$ </P
+>$ </B
+></P
><P
><TT
CLASS="PROMPT"
>root# </TT
+><B
+CLASS="COMMAND"
>passwd -l <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
->$</P
+>$</B
+></P
><P
>The <TT
CLASS="FILENAME"
>/etc/passwd</TT
> entry will list the machine name
-with a $ appended, won't have a passwd, will have a null shell and no
-home directory. For example a machine called 'doppy' would have an
+with a "$" appended, won't have a password, will have a null shell and no
+home directory. For example a machine named 'doppy' would have an
<TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entry like this :</P
+> entry like this:</P
><P
><TABLE
BORDER="0"
@@ -6060,20 +6131,22 @@ CLASS="REPLACEABLE"
><I
>machine_nickname</I
></TT
-> can be any descriptive name for the
-pc i.e. BasementComputer. The <TT
+> can be any
+descriptive name for the client, i.e., BasementComputer.
+<TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
-> absolutely must be
-the NetBIOS name of the pc to be added to the domain. The "$" must append the NetBIOS
-name of the pc or samba will not recognize this as a machine account</P
-><P
->Now that the UNIX account has been created, the next step is to create
-the smbpasswd entry for the machine containing the well known initial
-trust account password. This can be done using the <A
-HREF="smbpasswd.6.html"
+> absolutely must be the NetBIOS
+name of the client to be joined to the domain. The "$" must be
+appended to the NetBIOS name of the client or Samba will not recognize
+this as a machine trust account.</P
+><P
+>Now that the corresponding Unix account has been created, the next step is to create
+the Samba account for the client containing the well-known initial
+machine trust account password. This can be done using the <A
+HREF="smbpasswd.8.html"
TARGET="_top"
><B
CLASS="COMMAND"
@@ -6085,11 +6158,14 @@ as shown here:</P
><TT
CLASS="PROMPT"
>root# </TT
-> smbpasswd -a -m <TT
+><B
+CLASS="COMMAND"
+>smbpasswd -a -m <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
+></B
></P
><P
>where <TT
@@ -6098,7 +6174,8 @@ CLASS="REPLACEABLE"
>machine_name</I
></TT
> is the machine's NetBIOS
-name. </P
+name. The RID of the new machine account is generated from the UID of
+the corresponding Unix account.</P
><DIV
CLASS="WARNING"
><P
@@ -6119,9 +6196,9 @@ ALIGN="CENTER"
ALIGN="LEFT"
><P
> Manually creating a machine trust account using this method is the
- equivalent of creating a machine account on a Windows NT PDC using
+ equivalent of creating a machine trust account on a Windows NT PDC using
the "Server Manager". From the time at which the account is created
- to the time which th client joins the domain and changes the password,
+ to the time which the client joins the domain and changes the password,
your domain is vulnerable to an intruder joining your domain using a
a machine with the same NetBIOS name. A PDC inherently trusts
members of the domain and will serve out a large degree of user
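Review bot: while fixing "th client" to "the client" in this warning, also fix the doubled article in the unchanged context two lines below: "an intruder joining your domain using a / a machine with the same NetBIOS name". The warning is the one place in the section that explains why the manual method leaves a window of exposure, so it is worth getting the wording clean.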
@@ -6137,18 +6214,30 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1227"
->8.4.2. Creating machine trust accounts "on the fly"</A
+NAME="AEN1234"
+>8.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A
></H2
><P
->The second, and most recommended way of creating machine trust accounts
-is to create them as needed at the time the client is joined to
-the domain. You will need to include a value for the <A
+>The second (and recommended) way of creating machine trust accounts is
+simply to allow the Samba server to create them as needed when the client
+is joined to the domain. </P
+><P
+>Since each Samba machine trust account requires a corresponding
+Unix account, a method for automatically creating the
+Unix account is usually supplied; this requires configuration of the
+<A
HREF="smb.conf.5.html#ADDUSERSCRIPT"
TARGET="_top"
>add user script</A
->
-parameter. Below is an example from a RedHat 6.2 Linux system.</P
+>
+option in <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. This
+method is not required, however; corresponding Unix accounts may also
+be created manually.</P
+><P
+>Below is an example for a RedHat 6.2 Linux system.</P
><P
><TABLE
BORDER="0"
@@ -6158,26 +6247,72 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
->add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
+>[global]
+ # &#60;...remainder of parameters...&#62;
+ add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
></TD
></TR
></TABLE
></P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1243"
+>8.4.3. Joining the Client to the Domain</A
+></H2
><P
->In Samba 2.2.1, <EM
->only the root account</EM
-> can be used to create
-machine accounts like this. Therefore, it is required to create
-an entry in smbpasswd for <EM
->root</EM
->. The password
-<EM
->SHOULD</EM
-> be set to a different password that the
-associated <TT
+>The procedure for joining a client to the domain varies with the
+version of Windows.</P
+><P
+></P
+><UL
+><LI
+><P
+><EM
+>Windows 2000</EM
+></P
+><P
+> When the user elects to join the client to a domain, Windows prompts for
+ an account and password that is privileged to join the domain. A
+ Samba administrative account (i.e., a Samba account that has root
+ privileges on the Samba server) must be entered here; the
+ operation will fail if an ordinary user account is given.
+ The password for this account should be
+ set to a different password than the associated
+ <TT
CLASS="FILENAME"
>/etc/passwd</TT
-> entry for security reasons.</P
+> entry, for security
+ reasons. </P
+><P
+>The session key of the Samba administrative account acts as an
+ encryption key for setting the password of the machine trust
+ account. The machine trust account will be created on-the-fly, or
+ updated if it already exists.</P
+></LI
+><LI
+><P
+><EM
+>Windows NT</EM
+></P
+><P
+> If the machine trust account was created manually, on the
+ Identification Changes menu enter the domain name, but do not
+ check the box "Create a Computer Account in the Domain." In this case,
+ the existing machine trust account is used to join the machine to
+ the domain.</P
+><P
+> If the machine trust account is to be created
+ on-the-fly, on the Identification Changes menu enter the domain
+ name, and check the box "Create a Computer Account in the Domain." In
+ this case, joining the domain proceeds as above for Windows 2000
+ (i.e., you must supply a Samba administrative account when
+ prompted).</P
+></LI
+></UL
></DIV
></DIV
><DIV
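Review bot: the removed text was specific ("only the root account can be used to create machine accounts like this. Therefore, it is required to create an entry in smbpasswd for root"), while the replacement in the new Windows 2000 bullet says only that "a Samba administrative account (i.e., a Samba account that has root privileges on the Samba server)" must be supplied. State plainly whether that still means an `smbpasswd` entry for root, since that is what the reader must create before the join will succeed. The advice that this account's Samba password should differ from its `/etc/passwd` password is preserved, which is good; keep the emphasis the old text put on it. Minor: the new `[global]` example uses `# <...remainder of parameters...>` as a placeholder line, which is fine because `#` introduces a comment in smb.conf, but a reader copying the block verbatim should be told it is a placeholder.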
@@ -6185,7 +6320,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1238"
+NAME="AEN1258"
>8.5. Common Problems and Errors</A
></H1
><P
@@ -6205,7 +6340,7 @@ CLASS="FILENAME"
>/etc/passwd</TT
>
of the machine name with a '$' appended. FreeBSD (and other BSD
- systems ?) won't create a user with a '$' in their name.
+ systems?) won't create a user with a '$' in their name.
</P
><P
> The problem is only in the program used to make the entry, once
@@ -6215,7 +6350,7 @@ CLASS="COMMAND"
>vipw</B
> to edit the entry, adding the '$'. Or create
the whole entry with vipw if you like, make sure you use a
- unique uid !
+ unique User ID !
</P
></LI
><LI
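Review bot: "unique uid !" becomes "unique User ID !", but the space before the exclamation mark is left in, whereas the rest of this patch removes the space before "?" everywhere. Make it "unique User ID!" for consistency.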
@@ -6223,11 +6358,11 @@ CLASS="COMMAND"
> <EM
>I get told "You already have a connection to the Domain...."
or "Cannot join domain, the credentials supplied conflict with an
- existing set.." when creating a machine account.</EM
+ existing set.." when creating a machine trust account.</EM
>
</P
><P
-> This happens if you try to create a machine account from the
+> This happens if you try to create a machine trust account from the
machine itself and already have a connection (e.g. mapped drive)
to a share (or IPC$) on the Samba PDC. The following command
will remove all network drive connections:
@@ -6279,17 +6414,17 @@ CLASS="COMMAND"
><LI
><P
> <EM
->The machine account for this computer either does not
+>The machine trust account for this computer either does not
exist or is not accessible.</EM
>
</P
><P
> When I try to join the domain I get the message "The machine account
- for this computer either does not exist or is not accessible". Whats
+ for this computer either does not exist or is not accessible". What's
wrong?
</P
><P
-> This problem is caused by the PDC not having a suitable machine account.
+> This problem is caused by the PDC not having a suitable machine trust account.
If you are using the <TT
CLASS="PARAMETER"
><I
@@ -6302,7 +6437,7 @@ CLASS="PARAMETER"
><P
> Alternatively if you are creating account entries manually then they
have not been created correctly. Make sure that you have the entry
- correct for the machine account in smbpasswd file on the Samba PDC.
+ correct for the machine trust account in smbpasswd file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
utility, make sure that the account name is the machine NetBIOS name
with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
@@ -6384,7 +6519,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1286"
+NAME="AEN1306"
>8.6. System Policies and Profiles</A
></H1
><P
@@ -6405,7 +6540,7 @@ Profiles and Policies in Windows NT 4.0</A
><LI
><P
> <EM
->What about Windows NT Policy Editor ?</EM
+>What about Windows NT Policy Editor?</EM
>
</P
><P
@@ -6464,7 +6599,7 @@ CLASS="COMMAND"
><LI
><P
> <EM
->Can Win95 do Policies ?</EM
+>Can Win95 do Policies?</EM
>
</P
><P
@@ -6495,7 +6630,7 @@ CLASS="FILENAME"
</P
><P
> Since I don't need to buy an NT Server CD now, how do I get
- the 'User Manager for Domains', the 'Server Manager' ?
+ the 'User Manager for Domains', the 'Server Manager'?
</P
><P
> Microsoft distributes a version of these tools called nexus for
@@ -6541,8 +6676,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1330"
->8.7. What other help can I get ?</A
+NAME="AEN1350"
+>8.7. What other help can I get?</A
></H1
><P
>There are many sources of information available in the form
@@ -6605,7 +6740,7 @@ HREF="http://www.tcpdump.org/"
TARGET="_top"
>http://www.tcpdup.org/</A
>.
- Ethereal, another good packet sniffer for UNIX and Win32
+ Ethereal, another good packet sniffer for Unix and Win32
hosts, can be downloaded from <A
HREF="http://www.ethereal.com/"
TARGET="_top"
@@ -6802,7 +6937,7 @@ TARGET="_top"
><LI
><P
> <EM
->How do I get help from the mailing lists ?</EM
+>How do I get help from the mailing lists?</EM
>
</P
><P
@@ -6894,14 +7029,14 @@ TARGET="_top"
>Please think carefully before attaching a document to an email.
Consider pasting the relevant parts into the body of the message. The samba
mailing lists go to a huge number of people, do they all need a copy of your
- smb.conf in their attach directory ?</P
+ smb.conf in their attach directory?</P
></LI
></UL
></LI
><LI
><P
> <EM
->How do I get off the mailing lists ?</EM
+>How do I get off the mailing lists?</EM
>
</P
><P
@@ -6937,7 +7072,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1444"
+NAME="AEN1464"
>8.8. Domain Control for Windows 9x/ME</A
></H1
><DIV
@@ -6949,8 +7084,10 @@ CLASS="NOTE"
>Note: </B
>The following section contains much of the original
DOMAIN.txt file previously included with Samba. Much of
-the material is based on what went into the book Special
-Edition, Using Samba. (Richard Sharpe)</P
+the material is based on what went into the book <EM
+>Special
+Edition, Using Samba</EM
+>, by Richard Sharpe.</P
></BLOCKQUOTE
></DIV
><P
@@ -6965,11 +7102,12 @@ other systems based on NT server support this, as does at least Samba TNG now).<
server in the domain should accept the same authentication information.
Network browsing functionality of domains and workgroups is
identical and is explained in BROWSING.txt. It should be noted, that browsing
-is total orthogonal to logon support.</P
+is totally orthogonal to logon support.</P
><P
>Issues related to the single-logon network model are discussed in this
-document. Samba supports domain logons, network logon scripts, and user
-profiles for MS Windows for workgroups and MS Windows 9X clients.</P
+section. Samba supports domain logons, network logon scripts, and user
+profiles for MS Windows for workgroups and MS Windows 9X/ME clients
+which will be the focus of this section.</P
><P
>When an SMB client in a domain wishes to logon it broadcast requests for a
logon server. The first one to reply gets the job, and validates its
@@ -6980,37 +7118,12 @@ servers advertising themselves as participating in a domain. This
demonstrates how authentication is quite different from but closely
involved with domains.</P
><P
->Another thing commonly associated with single-logon domains is remote
-administration over the SMB protocol. Again, there is no reason why this
-cannot be implemented with an underlying username database which is
-different from the Windows NT SAM. Support for the Remote Administration
-Protocol is planned for a future release of Samba.</P
-><P
->Network logon support as discussed in this section is aimed at Window for
-Workgroups, and Windows 9X clients. </P
-><P
->Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51.
-It is possible to specify: the profile location; script file to be loaded
-on login; the user's home directory; and for NT a kick-off time could also
-now easily be supported. However, there are some differences between Win9X
-profile support and WinNT profile support. These are discussed below.</P
-><P
->With NT Workstations, all this does not require the use or intervention of
-an NT 4.0 or NT 3.51 server: Samba can now replace the logon services
-provided by an NT server, to a limited and experimental degree (for example,
-running "User Manager for Domains" will not provide you with access to
-a domain created by a Samba Server).</P
-><P
->With Win95, the help of an NT server can be enlisted, both for profile storage
-and for user authentication. For details on user authentication, see
-security_level.txt. For details on profile storage, see below.</P
-><P
>Using these features you can make your clients verify their logon via
the Samba server; make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.</P
><P
->Before launching into the configuration instructions, it is worthwhile looking
-at how a Win9X client performs a logon:</P
+>Before launching into the configuration instructions, it is
+worthwhile lookingat how a Windows 9x/ME client performs a logon:</P
><P
></P
><OL
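Review bot: the rewritten lead-in introduces a typo, "worthwhile lookingat how a Windows 9x/ME client performs a logon" (missing space in "looking at"). This hunk also silently removes six paragraphs, including the pointer to `security_level.txt` for user authentication details and the statement of which Windows versions profile support was confirmed on; if those are now covered elsewhere in the document, say so in the commit message, otherwise the reader loses the cross-reference.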
@@ -7018,7 +7131,7 @@ TYPE="1"
><LI
><P
> The client broadcasts (to the IP broadcast address of the subnet it is in)
- a NetLogon request. This is sent to the NetBIOS address DOMAIN&#60;00&#62; at the
+ a NetLogon request. This is sent to the NetBIOS name DOMAIN&#60;1c&#62; at the
NetBIOS layer. The client chooses the first response it receives, which
contains the NetBIOS name of the logon server to use in the format of
\\SERVER.
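Review bot: changing "NetBIOS address DOMAIN<00>" to "NetBIOS name DOMAIN<1c>" is a factual correction to the protocol description, not a wording fix, and it is buried among punctuation changes; call it out in the commit message so that anyone who built monitoring or name-service configuration from the old text knows the name type described here changed.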
@@ -7073,122 +7186,27 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1474"
+NAME="AEN1490"
>8.8.1. Configuration Instructions: Network Logons</A
></H2
><P
->To use domain logons and profiles you need to do the following:</P
+>The main difference between a PDC and a Windows 9x logon
+server configuration is that</P
><P
></P
-><OL
-TYPE="1"
-><LI
-><P
-> Create a share called [netlogon] in your smb.conf. This share should
- be readable by all users, and probably should not be writeable. This
- share will hold your network logon scripts, and the CONFIG.POL file
- (Note: for details on the CONFIG.POL file, how to use it, what it is,
- refer to the Microsoft Windows NT Administration documentation.
- The format of these files is not known, so you will need to use
- Microsoft tools).
- </P
-><P
-> For example I have used:
- </P
-><P
-><TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="90%"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->[netlogon]
- path = /data/dos/netlogon
- writeable = no
- guest ok = no</PRE
-></TD
-></TR
-></TABLE
-></P
-><P
-> Note that it is important that this share is not writeable by ordinary
- users, in a secure environment: ordinary users should not be allowed
- to modify or add files that another user's computer would then download
- when they log in.
- </P
-></LI
-><LI
-><P
-> in the [global] section of smb.conf set the following:
- </P
-><P
-><TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="90%"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->domain logons = yes
-logon script = %U.bat
- </PRE
-></TD
-></TR
-></TABLE
-></P
-><P
-> The choice of batch file is, of course, up to you. The above would
- give each user a separate batch file as the %U will be changed to
- their username automatically. The other standard % macros may also be
- used. You can make the batch files come from a subdirectory by using
- something like:
- </P
-><P
-><TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="90%"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->logon script = scripts\%U.bat
- </PRE
-></TD
-></TR
-></TABLE
-></P
-></LI
+><UL
><LI
><P
-> create the batch files to be run when the user logs in. If the batch
- file doesn't exist then no batch file will be run.
- </P
-><P
-> In the batch files you need to be careful to use DOS style cr/lf line
- endings. If you don't then DOS may get confused. I suggest you use a
- DOS editor to remotely edit the files if you don't know how to produce
- DOS style files under unix.
- </P
+>Password encryption is not required for a Windows 9x logon server.</P
></LI
><LI
><P
-> Use smbclient with the -U option for some users to make sure that
- the \\server\NETLOGON share is available, the batch files are
- visible and they are readable by the users.
- </P
+>Windows 9x/ME clients do not possess machine trust accounts.</P
></LI
-><LI
+></UL
><P
-> you will probably find that your clients automatically mount the
- \\SERVER\NETLOGON share as drive z: while logging in. You can put
- some useful programs there to execute from the batch files.
- </P
-></LI
-></OL
+>Therefore, a Samba PDC will also act as a Windows 9x logon
+server.</P
><DIV
CLASS="WARNING"
><P
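Review bot: the removed numbered steps contained the one explicit security statement in this section, "it is important that this share is not writeable by ordinary users ... ordinary users should not be allowed to modify or add files that another user's computer would then download when they log in", and the replacement text ("The main difference between a PDC and a Windows 9x logon server configuration is that" plus the two bullets) drops it with no pointer to where the [netlogon] share, logon script and line-ending guidance now live. Either keep that warning here or add a cross-reference to the PDC section that now documents the [netlogon] share, since a world-writeable netlogon share is exactly the misconfiguration a reader of this chapter is likely to make. Minor: "is that" followed by a bulleted list reads as an unfinished sentence; "differs in two respects:" would read more naturally.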
@@ -7228,7 +7246,7 @@ CLASS="CONSTANT"
>
mode security is really just a variation on SMB user level security.</P
><P
->Actually, this issue is also closer tied to the debate on whether
+>Actually, this issue is also closely tied to the debate on whether
or not Samba must be the domain master browser for its workgroup
when operating as a DC. While it may technically be possible
to configure a server as such (after all, browsing and domain logons
@@ -7262,7 +7280,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1508"
+NAME="AEN1509"
>8.8.2. Configuration Instructions: Setting up Roaming User Profiles</A
></H2
><DIV
@@ -7309,11 +7327,11 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1516"
+NAME="AEN1517"
>8.8.2.1. Windows NT Configuration</A
></H3
><P
->To support WinNT clients, inn the [global] section of smb.conf set the
+>To support WinNT clients, in the [global] section of smb.conf set the
following (for example):</P
><P
><TABLE
@@ -7353,7 +7371,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1524"
+NAME="AEN1525"
>8.8.2.2. Windows 9X Configuration</A
></H3
><P
@@ -7393,7 +7411,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1532"
+NAME="AEN1533"
>8.8.2.3. Win9X and WinNT Configuration</A
></H3
><P
@@ -7431,7 +7449,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1539"
+NAME="AEN1540"
>8.8.2.4. Windows 9X Profile Setup</A
></H3
><P
@@ -7503,7 +7521,7 @@ the newest folders and short-cuts from each set.</P
>If you have made the folders / files read-only on the samba server,
then you will get errors from the w95 machine on logon and logout, as
it attempts to merge the local and the remote profile. Basically, if
-you have any errors reported by the w95 machine, check the unix file
+you have any errors reported by the w95 machine, check the Unix file
permissions and ownership rights on the profile directory contents,
on the samba server.</P
><P
@@ -7587,7 +7605,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1575"
+NAME="AEN1576"
>8.8.2.5. Windows NT Workstation 4.0</A
></H3
><P
@@ -7669,7 +7687,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1588"
+NAME="AEN1589"
>8.8.2.6. Windows NT Server</A
></H3
><P
@@ -7683,7 +7701,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1591"
+NAME="AEN1592"
>8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A
></H3
><DIV
@@ -7748,7 +7766,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1601"
+NAME="AEN1602"
>8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><DIV
@@ -7869,16 +7887,697 @@ within its registry.</P
CLASS="CHAPTER"
><HR><H1
><A
+NAME="SAMBA-LDAP-HOWTO"
+>Chapter 9. Storing Samba's User/Machine Account information in an LDAP Directory</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1638"
+>9.1. Purpose</A
+></H1
+><P
+>This document describes how to use an LDAP directory for storing Samba user
+account information normally stored in the smbpasswd(5) file. It is
+assumed that the reader already has a basic understanding of LDAP concepts
+and has a working directory server already installed. For more information
+on LDAP architectures and Directories, please refer to the following sites.</P
+><P
+></P
+><UL
+><LI
+><P
+>OpenLDAP - <A
+HREF="http://www.openldap.org/"
+TARGET="_top"
+>http://www.openldap.org/</A
+></P
+></LI
+><LI
+><P
+>iPlanet Directory Server - <A
+HREF="http://iplanet.netscape.com/directory"
+TARGET="_top"
+>http://iplanet.netscape.com/directory</A
+></P
+></LI
+></UL
+><P
+>Note that <A
+HREF="http://www.ora.com/"
+TARGET="_top"
+>O'Reilly Publishing</A
+> is working on
+a guide to LDAP for System Administrators which has a planned release date of
+early summer, 2002.</P
+><P
+>It may also be helpful to supplement the reading of the HOWTO with
+the <A
+HREF="http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html"
+TARGET="_top"
+>Samba-PDC-LDAP-HOWTO</A
+>
+maintained by Ignacio Coupeau.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1652"
+>9.2. Introduction</A
+></H1
+><P
+>Traditionally, when configuring <A
+HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
+TARGET="_top"
+>"encrypt
+passwords = yes"</A
+> in Samba's <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file, user account
+information such as username, LM/NT password hashes, password change times, and account
+flags have been stored in the <TT
+CLASS="FILENAME"
+>smbpasswd(5)</TT
+> file. There are several
+disadvantages to this approach for sites with very large numbers of users (counted
+in the thousands).</P
+><P
+>The first is that all lookups must be performed sequentially. Given that
+there are approximately two lookups per domain logon (one for a normal
+session connection such as when mapping a network drive or printer), this
+is non-optimal. What is needed is an indexed approach such as is used in
+databases.</P
+><P
+>The second problem is that administrators who desired to replicate a
+smbpasswd file to more than one Samba server were left to use external
+tools such as <B
+CLASS="COMMAND"
+>rsync(1)</B
+> and <B
+CLASS="COMMAND"
+>ssh(1)</B
+>
+and wrote custom, in-house scripts.</P
+><P
+>And finally, the amount of information which is stored in an
+smbpasswd entry leaves no room for additional attributes such as
+a home directory, password expiration time, or even a Relative
+Identified (RID).</P
+><P
+>As a result of these defeciencies, a more robust means of storing user attributes
+used by smbd was developed. The API which defines access to user accounts
+is referred to as the samdb interface (previously this was called the passdb
+API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support
+for a samdb backend (e.g. <TT
+CLASS="PARAMETER"
+><I
+>--with-ldapsam</I
+></TT
+> or
+<TT
+CLASS="PARAMETER"
+><I
+>--with-tdbsam</I
+></TT
+>) requires compile time support.</P
+><P
+>When compiling Samba to include the <TT
+CLASS="PARAMETER"
+><I
+>--with-ldapsam</I
+></TT
+> autoconf
+option, smbd (and associated tools) will store and lookup user accounts in
+an LDAP directory. In reality, this is very easy to understand. If you are
+comfortable with using an smbpasswd file, simply replace "smbpasswd" with
+"LDAP directory" in all the documentation.</P
+><P
+>There are a few points to stress about what the <TT
+CLASS="PARAMETER"
+><I
+>--with-ldapsam</I
+></TT
+>
+does not provide. The LDAP support referred to in the this documentation does not
+include:</P
+><P
+></P
+><UL
+><LI
+><P
+>A means of retrieving user account information from
+ an Windows 2000 Active Directory server.</P
+></LI
+><LI
+><P
+>A means of replacing /etc/passwd.</P
+></LI
+></UL
+><P
+>The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
+versions of these libraries can be obtained from PADL Software
+(<A
+HREF="http://www.padl.com/"
+TARGET="_top"
+>http://www.padl.com/</A
+>). However,
+the details of configuring these packages are beyond the scope of this document.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1677"
+>9.3. Supported LDAP Servers</A
+></H1
+><P
+>The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP
+2.0 server and client libraries. The same code should be able to work with
+Netscape's Directory Server and client SDK. However, due to lack of testing
+so far, there are bound to be compile errors and bugs. These should not be
+hard to fix. If you are so inclined, please be sure to forward all patches to
+<A
+HREF="samba-patches@samba.org"
+TARGET="_top"
+>samba-patches@samba.org</A
+> and
+<A
+HREF="jerry@samba.org"
+TARGET="_top"
+>jerry@samba.org</A
+>.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1682"
+>9.4. Schema and Relationship to the RFC 2307 posixAccount</A
+></H1
+><P
+>Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in
+<TT
+CLASS="FILENAME"
+>examples/LDAP/samba.schema</TT
+>. (Note that this schema
+file has been modified since the experimental support initially included
+in 2.2.2). The sambaAccount objectclass is given here:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
+ DESC 'Samba Account'
+ MUST ( uid $ rid )
+ MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
+ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+ description $ userWorkstations $ primaryGroupID ))</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are
+owned by the Samba Team and as such is legal to be openly published.
+If you translate the schema to be used with Netscape DS, please
+submit the modified schema file as a patch to <A
+HREF="jerry@samba.org"
+TARGET="_top"
+>jerry@samba.org</A
+></P
+><P
+>Just as the smbpasswd file is mean to store information which supplements a
+user's <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry, so is the sambaAccount object
+meant to supplement the UNIX user account information. A sambaAccount is a
+<TT
+CLASS="CONSTANT"
+>STRUCTURAL</TT
+> objectclass so it can be stored individually
+in the directory. However, there are several fields (e.g. uid) which overlap
+with the posixAccount objectclass outlined in RFC2307. This is by design.</P
+><P
+>In order to store all user account information (UNIX and Samba) in the directory,
+it is necessary to use the sambaAccount and posixAccount objectclasses in
+combination. However, smbd will still obtain the user's UNIX account
+information via the standard C library calls (e.g. getpwnam(), et. al.).
+This means that the Samba server must also have the LDAP NSS library installed
+and functioning correctly. This division of information makes it possible to
+store all Samba account information in LDAP, but still maintain UNIX account
+information in NIS while the network is transitioning to a full LDAP infrastructure.</P
+><P
+>To include support for the sambaAccount object in an OpenLDAP directory
+server, first copy the samba.schema file to slapd's configuration directory.</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><B
+CLASS="COMMAND"
+>cp samba.schema /etc/openldap/schema/</B
+></P
+><P
+>Next, include the <TT
+CLASS="FILENAME"
+>samba.schema</TT
+> file in <TT
+CLASS="FILENAME"
+>slapd.conf</TT
+>.
+The sambaAccount object contains two attributes which depend upon other schema
+files. The 'uid' attribute is defined in <TT
+CLASS="FILENAME"
+>cosine.schema</TT
+> and
+the 'displayName' attribute is defined in the <TT
+CLASS="FILENAME"
+>inetorgperson.schema</TT
+>
+file. Bother of these must be included before the <TT
+CLASS="FILENAME"
+>samba.schema</TT
+> file.</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>## /etc/openldap/slapd.conf
+
+## schema files (core.schema is required by default)
+include /etc/openldap/schema/core.schema
+
+## needed for sambaAccount
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/samba.schema
+
+## uncomment this line if you want to support the RFC2307 (NIS) schema
+## include /etc/openldap/schema/nis.schema
+
+....</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1706"
+>9.5. smb.conf LDAP parameters</A
+></H1
+><P
+>The following parameters are available in smb.conf only with <TT
+CLASS="PARAMETER"
+><I
+>--with-ldapsam</I
+></TT
+>
+was included with compiling Samba.</P
+><P
+></P
+><UL
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPSSL"
+TARGET="_top"
+>ldap ssl</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPSERVER"
+TARGET="_top"
+>ldap server</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPADMINDN"
+TARGET="_top"
+>ldap admin dn</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPSUFFIX"
+TARGET="_top"
+>ldap suffix</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPFILTER"
+TARGET="_top"
+>ldap filter</A
+></P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#LDAPPORT"
+TARGET="_top"
+>ldap port</A
+></P
+></LI
+></UL
+><P
+>These are described in the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+>smb.conf(5)</A
+> man
+page and so will not be repeated here. However, a sample smb.conf file for
+use with an LDAP directory could appear as</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>## /usr/local/samba/lib/smb.conf
+[global]
+ security = user
+ encrypt passwords = yes
+
+ netbios name = TASHTEGO
+ workgroup = NARNIA
+
+ # ldap related parameters
+
+ # define the DN to use when binding to the directory servers
+ # The password for this DN is not stored in smb.conf. Rather it
+ # must be set by using 'smbpasswd -w <TT
+CLASS="REPLACEABLE"
+><I
+>secretpw</I
+></TT
+>' to store the
+ # passphrase in the secrets.tdb file. If the "ldap admin dn" values
+ # changes, this password will need to be reset.
+ ldap admin dn = "cn=Manager,dc=samba,dc=org"
+
+ # specify the LDAP server's hostname (defaults to locahost)
+ ldap server = ahab.samba.org
+
+ # Define the SSL option when connecting to the directory
+ # ('off', 'start tls', or 'on' (default))
+ ldap ssl = start tls
+
+ # define the port to use in the LDAP session (defaults to 636 when
+ # "ldap ssl = on")
+ ldap port = 389
+
+ # specify the base DN to use when searching the directory
+ ldap suffix = "ou=people,dc=samba,dc=org"
+
+ # generally the default ldap search filter is ok
+ # ldap filter = "(&#38;(uid=%u)(objectclass=sambaAccount))"</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1734"
+>9.6. Security and sambaAccount</A
+></H1
+><P
+>There are two important points to remember when discussing the security
+of sambaAccount entries in the directory.</P
+><P
+></P
+><UL
+><LI
+><P
+><EM
+>Never</EM
+> retrieve the lmPassword or
+ ntPassword attribute values over an unencrypted LDAP session.</P
+></LI
+><LI
+><P
+><EM
+>Never</EM
+> allow non-admin users to
+ view the lmPassword or ntPassword attribute values.</P
+></LI
+></UL
+><P
+>These password hashes are clear text equivalents and can be used to impersonate
+the user without deriving the original clear text strings.</P
+><P
+>To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults
+to require an encrypted session (<B
+CLASS="COMMAND"
+>ldap ssl = on</B
+>) using
+the default port of 636
+when contacting the directory server. When using an OpenLDAP 2.0 server, it
+is possible to use the use the StartTLS LDAP extended operation in the place of
+LDAPS. In either case, you are strongly discouraged to disable this security
+(<B
+CLASS="COMMAND"
+>ldap ssl = off</B
+>).</P
+><P
+>The second security precaution is to prevent non-administrative users from
+harvesting password hashes from the directory. This can be done using the
+following ACL in <TT
+CLASS="FILENAME"
+>slapd.conf</TT
+>:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>## allow users to update their own password, but not to browse others
+access to attrs=userPassword,lmPassword,ntPassword
+ by self write
+ by * auth</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>You may of course, add in write access to administrative DN's as necessary.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1753"
+>9.7. </A
+></H1
+><P
+>There are currently four sambaAccount attributes which map directly onto
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> parameters.</P
+><P
+></P
+><UL
+><LI
+><P
+>smbHome -&#62; "logon home"</P
+></LI
+><LI
+><P
+>profilePath -&#62; "logon path"</P
+></LI
+><LI
+><P
+>homeDrive -&#62; "logon drive"</P
+></LI
+><LI
+><P
+>scriptPath -&#62; "logon script"</P
+></LI
+></UL
+><P
+>First of all, these parameters are only used when Samba is acting as a
+PDC or a domain (refer to the <A
+HREF="Samba-PDC-HOWTO.html"
+TARGET="_top"
+>Samba-PDC-HOWTO</A
+>
+for details on how to configure Samba as a Primary Domain Controller).
+Furthermore, these attributes are only stored with the sambaAccount entry if
+the values are non-default values. For example, assume TASHTEGO has now been
+configured as a PDC and that <B
+CLASS="COMMAND"
+>logon home = \\%L\%u</B
+> was defined in
+its <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file. When a user named "becky" logons to the domain,
+the <TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+> string is expanded to \\TASHTEGO\becky.</P
+><P
+>If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
+this value is used. However, if this attribute does not exist, then the value
+of the <TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+> parameter is used in its place. Samba
+will only write the attribute value to the directory entry is the value is
+something other than the default (e.g. \\MOBY\becky).</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1773"
+>9.8. Example LDIF Entries for a sambaAccount</A
+></H1
+><P
+>The following is a working LDIF with the inclusion of the posixAccount objectclass:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>dn: uid=guest2, ou=people,dc=plainjoe,dc=org
+ntPassword: 878D8014606CDA29677A44EFA1353FC7
+pwdMustChange: 2147483647
+primaryGroupID: 1201
+lmPassword: 552902031BEDE9EFAAD3B435B51404EE
+pwdLastSet: 1010179124
+logonTime: 0
+objectClass: sambaAccount
+uid: guest2
+kickoffTime: 2147483647
+acctFlags: [UX ]
+logoffTime: 2147483647
+rid: 19006
+pwdCanChange: 0</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The following is an LDIF entry for using both the sambaAccount and
+posixAccount objectclasses:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
+logonTime: 0
+displayName: Gerald Carter
+lmPassword: 552902031BEDE9EFAAD3B435B51404EE
+primaryGroupID: 1201
+objectClass: posixAccount
+objectClass: sambaAccount
+acctFlags: [UX ]
+userPassword: {crypt}BpM2ej8Rkzogo
+uid: gcarter
+uidNumber: 9000
+cn: Gerald Carter
+loginShell: /bin/bash
+logoffTime: 2147483647
+gidNumber: 100
+kickoffTime: 2147483647
+pwdLastSet: 1010179230
+rid: 19000
+homeDirectory: /home/tashtego/gcarter
+pwdCanChange: 0
+pwdMustChange: 2147483647
+ntPassword: 878D8014606CDA29677A44EFA1353FC7</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1781"
+>9.9. Comments</A
+></H1
+><P
+>Please mail all comments regarding this HOWTO to <A
+HREF="mailto:jerry@samba.org"
+TARGET="_top"
+>jerry@samba.org</A
+>. This documents was
+last updated to reflect the Samba 2.2.3 release.&#13;</P
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
NAME="WINBIND"
->Chapter 9. Unified Logons between Windows NT and UNIX using Winbind</A
+>Chapter 10. Unified Logons between Windows NT and UNIX using Winbind</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1644"
->9.1. Abstract</A
+NAME="AEN1810"
+>10.1. Abstract</A
></H1
><P
>Integration of UNIX and Microsoft Windows NT through
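Review bot: in section 9.6 the slapd ACL "access to attrs=userPassword,lmPassword,ntPassword / by self write / by * auth" only protects the hashes if it appears before any more general "access to *" directive in slapd.conf, because slapd applies the first matching access clause and ignores the rest; the text should say so, otherwise a reader who appends this block after an existing "access to * by users read" rule ends up with the hashes still readable by every authenticated user. A few further points in the same hunk: (1) the sambaAccount objectclass is shown with OID 1.3.1.5.1.4.1.7165.2.2.2, but Samba's registered arc is the enterprise tree 1.3.6.1.4.1.7165, so please confirm this matches what ships in examples/LDAP/samba.schema and, if the typo is in the schema too, flag it rather than document it as correct; (2) section 9.7 has an empty heading ("9.7. ") and needs a title; (3) the LDIF examples carry literal LM/NT hashes and a crypt userPassword, so a one-line remark that these are sample values to be replaced, not reused, would help anyone copying the entries as a template; (4) "First of all, these parameters are only used when Samba is acting as a PDC or a domain" is missing a word after "domain". Typos in the new text: "Relative Identified (RID)" (Identifier), "defeciencies", "is mean to store" (meant), "Bother of these" (Both), "an Windows 2000", "locahost", "use the use the", "strongly discouraged to disable" (from disabling), "only with --with-ldapsam was included with compiling Samba" (when ... was included at compile time), "logons to the domain" (logs on to), "write the attribute value to the directory entry is the value is" (if the value is), "This documents was", and the stray "&#13;" at the end of section 9.9.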
@@ -7900,8 +8599,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1648"
->9.2. Introduction</A
+NAME="AEN1814"
+>10.2. Introduction</A
></H1
><P
>It is well known that UNIX and Microsoft Windows NT have
@@ -7954,8 +8653,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1661"
->9.3. What Winbind Provides</A
+NAME="AEN1827"
+>10.3. What Winbind Provides</A
></H1
><P
>Winbind unifies UNIX and Windows NT account management by
@@ -7996,8 +8695,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1668"
->9.3.1. Target Uses</A
+NAME="AEN1834"
+>10.3.1. Target Uses</A
></H2
><P
>Winbind is targeted at organizations that have an
@@ -8020,8 +8719,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1672"
->9.4. How Winbind Works</A
+NAME="AEN1838"
+>10.4. How Winbind Works</A
></H1
><P
>The winbind system is designed around a client/server
@@ -8040,8 +8739,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1677"
->9.4.1. Microsoft Remote Procedure Calls</A
+NAME="AEN1843"
+>10.4.1. Microsoft Remote Procedure Calls</A
></H2
><P
>Over the last two years, efforts have been underway
@@ -8066,8 +8765,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1681"
->9.4.2. Name Service Switch</A
+NAME="AEN1847"
+>10.4.2. Name Service Switch</A
></H2
><P
>The Name Service Switch, or NSS, is a feature that is
@@ -8146,8 +8845,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1697"
->9.4.3. Pluggable Authentication Modules</A
+NAME="AEN1863"
+>10.4.3. Pluggable Authentication Modules</A
></H2
><P
>Pluggable Authentication Modules, also known as PAM,
@@ -8195,8 +8894,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1705"
->9.4.4. User and Group ID Allocation</A
+NAME="AEN1871"
+>10.4.4. User and Group ID Allocation</A
></H2
><P
>When a user or group is created under Windows NT
@@ -8221,8 +8920,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1709"
->9.4.5. Result Caching</A
+NAME="AEN1875"
+>10.4.5. Result Caching</A
></H2
><P
>An active system can generate a lot of user and group
@@ -8244,8 +8943,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1712"
->9.5. Installation and Configuration</A
+NAME="AEN1878"
+>10.5. Installation and Configuration</A
></H1
><P
>Many thanks to John Trostel <A
@@ -8263,8 +8962,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1717"
->9.5.1. Introduction</A
+NAME="AEN1883"
+>10.5.1. Introduction</A
></H2
><P
>This HOWTO describes the procedures used to get winbind up and
@@ -8314,17 +9013,24 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1730"
->9.5.2. Requirements</A
+NAME="AEN1896"
+>10.5.2. Requirements</A
></H2
><P
>If you have a samba configuration file that you are currently
-using... BACK IT UP! If your system already uses PAM, BACK UP
-THE <TT
+using... <EM
+>BACK IT UP!</EM
+> If your system already uses PAM,
+<EM
+>back up the <TT
CLASS="FILENAME"
>/etc/pam.d</TT
-> directory contents! If you
-haven't already made a boot disk, MAKE ON NOW!</P
+> directory
+contents!</EM
+> If you haven't already made a boot disk,
+<EM
+>MAKE ONE NOW!</EM
+></P
><P
>Messing with the pam configuration files can make it nearly impossible
to log in to yourmachine. That's why you want to be able to boot back
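Review bot: "MAKE ON NOW" is correctly fixed to "MAKE ONE NOW" and the emphasis markup is consistent across the three warnings; while touching this paragraph, the unchanged context line that follows ("to log in to yourmachine") has the same kind of typo and could be fixed in the same commit.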
@@ -8335,10 +9041,15 @@ CLASS="FILENAME"
> back to the original state they were in if
you get frustrated with the way things are going. ;-)</P
><P
->The newest version of SAMBA (version 2.2.2), available from
-cvs.samba.org, now include a functioning winbindd daemon. Please refer
-to the main SAMBA web page or, better yet, your closest SAMBA mirror
-site for instructions on downloading the source code.</P
+>The latest version of SAMBA (version 2.2.2 as of this writing), now
+includes a functioning winbindd daemon. Please refer to the
+<A
+HREF="http://samba.org/"
+TARGET="_top"
+>main SAMBA web page</A
+> or,
+better yet, your closest SAMBA mirror site for instructions on
+downloading the source code.</P
><P
>To allow Domain users the ability to access SAMBA shares and
files, as well as potentially other services provided by your
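Review bot: "The latest version of SAMBA (version 2.2.2 as of this writing), now includes" has a stray comma between subject and verb; drop it. Replacing the bare "cvs.samba.org" reference with a link to the main SAMBA web page is a good change, since the previous wording implied that only the CVS tree carried winbindd.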
@@ -8346,16 +9057,22 @@ SAMBA machine, PAM (pluggable authentication modules) must
be setup properly on your machine. In order to compile the
winbind modules, you should have at least the pam libraries resident
on your system. For recent RedHat systems (7.1, for instance), that
-means 'pam-0.74-22'. For best results, it is helpful to also
-install the development packages in 'pam-devel-0.74-22'.</P
+means <TT
+CLASS="FILENAME"
+>pam-0.74-22</TT
+>. For best results, it is helpful to also
+install the development packages in <TT
+CLASS="FILENAME"
+>pam-devel-0.74-22</TT
+>.</P
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1738"
->9.5.3. Testing Things Out</A
+NAME="AEN1910"
+>10.5.3. Testing Things Out</A
></H2
><P
>Before starting, it is probably best to kill off all the SAMBA
@@ -8385,19 +9102,26 @@ CLASS="FILENAME"
>/usr/man</TT
> entries for pam. Winbind built better
in SAMBA if the pam-devel package was also installed. This package includes
-the header files needed to compile pam-aware applications. For instance, my RedHat
-system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.</P
+the header files needed to compile pam-aware applications. For instance,
+my RedHat system has both <TT
+CLASS="FILENAME"
+>pam-0.74-22</TT
+> and
+<TT
+CLASS="FILENAME"
+>pam-devel-0.74-22</TT
+> RPMs installed.</P
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1747"
->9.5.3.1. Configure and compile SAMBA</A
+NAME="AEN1921"
+>10.5.3.1. Configure and compile SAMBA</A
></H3
><P
>The configuration and compilation of SAMBA is pretty straightforward.
-The first three steps maynot be necessary depending upon
+The first three steps may not be necessary depending upon
whether or not you have previously built the Samba binaries.</P
><P
><TABLE
@@ -8410,35 +9134,56 @@ WIDTH="100%"
CLASS="PROGRAMLISTING"
><TT
CLASS="PROMPT"
->root# </TT
-> autoconf
+>root#</TT
+> <B
+CLASS="COMMAND"
+>autoconf</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> make clean
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make clean</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> rm config.cache
+>root#</TT
+> <B
+CLASS="COMMAND"
+>rm config.cache</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> ./configure --with-winbind
+>root#</TT
+> <B
+CLASS="COMMAND"
+>./configure --with-winbind</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> make
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make</B
+>
<TT
CLASS="PROMPT"
->root# </TT
-> make install</PRE
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make install</B
+></PRE
></TD
></TR
></TABLE
></P
><P
->This will, by default, install SAMBA in /usr/local/samba. See the
-main SAMBA documentation if you want to install SAMBA somewhere else.
+>This will, by default, install SAMBA in <TT
+CLASS="FILENAME"
+>/usr/local/samba</TT
+>.
+See the main SAMBA documentation if you want to install SAMBA somewhere else.
It will also build the winbindd executable and libraries. </P
></DIV
><DIV
@@ -8446,24 +9191,37 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1759"
->9.5.3.2. Configure nsswitch.conf and the winbind libraries</A
+NAME="AEN1940"
+>10.5.3.2. Configure <TT
+CLASS="FILENAME"
+>nsswitch.conf</TT
+> and the
+winbind libraries</A
></H3
><P
->The libraries needed to run the winbind daemon through nsswitch
-need to be copied to their proper locations, so</P
+>The libraries needed to run the <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon
+through nsswitch need to be copied to their proper locations, so</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> cp ../samba/source/nsswitch/libnss_winbind.so /lib</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>cp ../samba/source/nsswitch/libnss_winbind.so /lib</B
+></P
><P
>I also found it necessary to make the following symbolic link:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B
+></P
><P
>Now, as root you need to edit <TT
CLASS="FILENAME"
@@ -8473,11 +9231,11 @@ allow user and group entries to be visible from the <B
CLASS="COMMAND"
>winbindd</B
>
-daemon, as well as from your /etc/hosts files and NIS servers. My
-<TT
+daemon. My <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
-> file look like this after editing:</P
+> file look like
+this after editing:</P
><P
><TABLE
BORDER="0"
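Review bot: the rewrapped sentence "My /etc/nsswitch.conf file look like this after editing" keeps the old subject-verb error; it should read "looks like this". Removing the clause "as well as from your /etc/hosts files and NIS servers" is fine, since hosts resolution has nothing to do with the passwd and group maps being edited here.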
@@ -8488,7 +9246,7 @@ WIDTH="100%"
><PRE
CLASS="PROGRAMLISTING"
> passwd: files winbind
- shadow: files winbind
+ shadow: files
group: files winbind</PRE
></TD
></TR
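Review bot: dropping winbind from the "shadow:" line is right, since libnss_winbind supplies passwd and group entries only and has no shadow map, but the surrounding prose still says the edit is there "to allow user and group entries to be visible from the winbindd daemon" without explaining why shadow differs; a one-line note ("winbind does not provide shadow entries, so leave shadow: files") would stop readers who already have "shadow: files winbind" from an earlier HOWTO version wondering whether the omission is a mistake.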
@@ -8497,13 +9255,20 @@ CLASS="PROGRAMLISTING"
><P
>
The libraries needed by the winbind daemon will be automatically
-entered into the ldconfig cache the next time your system reboots, but it
+entered into the <B
+CLASS="COMMAND"
+>ldconfig</B
+> cache the next time
+your system reboots, but it
is faster (and you don't need to reboot) if you do it manually:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> /sbin/ldconfig -v | grep winbind</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/sbin/ldconfig -v | grep winbind</B
+></P
><P
>This makes <TT
CLASS="FILENAME"
@@ -8516,8 +9281,8 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1778"
->9.5.3.3. Configure smb.conf</A
+NAME="AEN1965"
+>10.5.3.3. Configure smb.conf</A
></H3
><P
>Several parameters are needed in the smb.conf file to control
@@ -8551,16 +9316,45 @@ CLASS="PROGRAMLISTING"
>[global]
&#60;...&#62;
# separate domain and username with '+', like DOMAIN+username
- winbind separator = +
+ <A
+HREF="winbindd.8.html#WINBINDSEPARATOR"
+TARGET="_top"
+>winbind separator</A
+> = +
# use uids from 10000 to 20000 for domain users
- winbind uid = 10000-20000
+ <A
+HREF="winbindd.8.html#WINBINDUID"
+TARGET="_top"
+>winbind uid</A
+> = 10000-20000
# use gids from 10000 to 20000 for domain groups
- winbind gid = 10000-20000
+ <A
+HREF="winbindd.8.html#WINBINDGID"
+TARGET="_top"
+>winbind gid</A
+> = 10000-20000
# allow enumeration of winbind users and groups
- winbind enum users = yes
- winbind enum groups = yes
+ <A
+HREF="winbindd.8.html#WINBINDENUMUSERS"
+TARGET="_top"
+>winbind enum users</A
+> = yes
+ <A
+HREF="winbindd.8.html#WINBINDENUMGROUP"
+TARGET="_top"
+>winbind enum groups</A
+> = yes
# give winbind users a real shell (only needed if they have telnet access)
- template shell = /bin/bash</PRE
+ <A
+HREF="winbindd.8.html#TEMPLATEHOMEDIR"
+TARGET="_top"
+>template homedir</A
+> = /home/winnt/%D/%U
+ <A
+HREF="winbindd.8.html#TEMPLATESHELL"
+TARGET="_top"
+>template shell</A
+> = /bin/bash</PRE
></TD
></TR
></TABLE
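Review bot: the comment `# give winbind users a real shell (only needed if they have telnet access)` now sits above two parameters, the newly added `template homedir = /home/winnt/%D/%U` and `template shell = /bin/bash`, but only describes the second one. Update the comment to cover the home directory as well, and state whether `/home/winnt/%D/%U` is expected to exist already or must be created by the administrator, since a shell with a missing home directory is a common support question. Also check the anchor `winbindd.8.html#WINBINDENUMGROUP` against the manpage: the neighbouring anchors use the plural form (`WINBINDENUMUSERS`), so `WINBINDENUMGROUPS` may be the intended target.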
@@ -8571,8 +9365,8 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1787"
->9.5.3.4. Join the SAMBA server to the PDC domain</A
+NAME="AEN1981"
+>10.5.3.4. Join the SAMBA server to the PDC domain</A
></H3
><P
>Enter the following command to make the SAMBA server join the
@@ -8592,8 +9386,11 @@ a domain user who has administrative privileges in the domain.</P
><P
><TT
CLASS="PROMPT"
->root# </TT
->/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</B
+></P
><P
>The proper response to the command should be: "Joined the domain
<TT
@@ -8614,8 +9411,8 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1797"
->9.5.3.5. Start up the winbindd daemon and test it!</A
+NAME="AEN1992"
+>10.5.3.5. Start up the winbindd daemon and test it!</A
></H3
><P
>Eventually, you will want to modify your smb startup script to
@@ -8626,25 +9423,37 @@ command as root:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
->/usr/local/samba/bin/winbindd</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/winbindd</B
+></P
><P
>I'm always paranoid and like to make sure the daemon
is really running...</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> ps -ae | grep winbindd
-3025 ? 00:00:00 winbindd</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>ps -ae | grep winbindd</B
+></P
+><P
+>This command should produce output like this, if the daemon is running</P
+><P
+>3025 ? 00:00:00 winbindd</P
><P
>Now... for the real test, try to get some information about the
users on your PDC</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> # /usr/local/samba/bin/wbinfo -u</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/wbinfo -u</B
+></P
><P
>
This should echo back a list of users on your Windows users on
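Review bot: the sample output `3025 ? 00:00:00 winbindd` is now a plain paragraph, whereas the `wbinfo -g` output further down in this section is shown inside a `PROGRAMLISTING` table; use the same presentation for both so readers can tell command output from prose. The sentence "This command should produce output like this, if the daemon is running" also needs terminal punctuation (a colon, since the output follows). Dropping the stray `# ` from the `wbinfo -u` command is a good fix.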
@@ -8669,7 +9478,13 @@ CEO+TsInternetUser</PRE
></TABLE
></P
><P
->Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.</P
+>Obviously, I have named my domain 'CEO' and my <TT
+CLASS="PARAMETER"
+><I
+>winbindd
+separator</I
+></TT
+> is '+'.</P
><P
>You can do the same sort of thing to get group information from
the PDC:</P
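Review bot: the parameter is rendered here as `winbindd separator`, but the smb.conf listing at -8551 and the link anchor `WINBINDSEPARATOR` both use `winbind separator`; the new `PARAMETER` markup should carry the name exactly as it appears in smb.conf so readers can grep for it.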
@@ -8684,8 +9499,11 @@ WIDTH="100%"
CLASS="PROGRAMLISTING"
><TT
CLASS="PROMPT"
->root# </TT
->/usr/local/samba/bin/wbinfo -g
+>root#</TT
+> <B
+CLASS="COMMAND"
+>/usr/local/samba/bin/wbinfo -g</B
+>
CEO+Domain Admins
CEO+Domain Users
CEO+Domain Guests
@@ -8706,8 +9524,11 @@ Try the following command:</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> getent passwd</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>getent passwd</B
+></P
><P
>You should get a list that looks like your <TT
CLASS="FILENAME"
@@ -8720,16 +9541,22 @@ directories and default shells.</P
><P
><TT
CLASS="PROMPT"
->root# </TT
-> getent group</P
+>root#</TT
+> <B
+CLASS="COMMAND"
+>getent group</B
+></P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1824"
->9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files</A
+NAME="AEN2028"
+>10.5.3.6. Fix the <TT
+CLASS="FILENAME"
+>/etc/rc.d/init.d/smb</TT
+> startup files</A
></H3
><P
>The <B
@@ -8835,47 +9662,81 @@ CLASS="PROGRAMLISTING"
></TR
></TABLE
></P
+><P
+>If you restart the <B
+CLASS="COMMAND"
+>smbd</B
+>, <B
+CLASS="COMMAND"
+>nmbd</B
+>,
+and <B
+CLASS="COMMAND"
+>winbindd</B
+> daemons at this point, you
+should be able to connect to the samba server as a domain member just as
+if you were a local user.</P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1841"
->9.5.3.7. Configure Winbind and PAM</A
+NAME="AEN2050"
+>10.5.3.7. Configure Winbind and PAM</A
></H3
><P
->If you have made it this far, you know that winbindd is working.
-Now it is time to integrate it into the operation of samba and other
-services. The pam configuration files need to be altered in
+>If you have made it this far, you know that winbindd and samba are working
+together. If you want to use winbind to provide authentication for other
+services, keep reading. The pam configuration files need to be altered in
this step. (Did you remember to make backups of your original
<TT
CLASS="FILENAME"
>/etc/pam.d</TT
> files? If not, do it now.)</P
><P
->To get samba to allow domain users and groups, I modified the
+>You will need a pam module to use winbindd with these other services. This
+module will be compiled in the <TT
+CLASS="FILENAME"
+>../source/nsswitch</TT
+> directory
+by invoking the command</P
+><P
+><TT
+CLASS="PROMPT"
+>root#</TT
+> <B
+CLASS="COMMAND"
+>make nsswitch/pam_winbind.so</B
+></P
+><P
+>from the <TT
+CLASS="FILENAME"
+>../source</TT
+> directory. The
<TT
CLASS="FILENAME"
->/etc/pam.d/samba</TT
-> file from</P
+>pam_winbind.so</TT
+> file should be copied to the location of
+your other pam security modules. On my RedHat system, this was the
+<TT
+CLASS="FILENAME"
+>/lib/security</TT
+> directory.</P
><P
-><TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="100%"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->auth required /lib/security/pam_stack.so service=system-auth
-account required /lib/security/pam_stack.so service=system-auth</PRE
-></TD
-></TR
-></TABLE
+><TT
+CLASS="PROMPT"
+>root#</TT
+> <B
+CLASS="COMMAND"
+>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B
></P
><P
->to</P
+>The <TT
+CLASS="FILENAME"
+>/etc/pam.d/samba</TT
+> file does not need to be changed. I
+just left this fileas it was:</P
><P
><TABLE
BORDER="0"
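Review bot: two problems in the new PAM-module paragraphs. First, "I just left this fileas it was" should read "file as". Second, the build and copy steps disagree on the path: the `make nsswitch/pam_winbind.so` command is described as being run from `../source`, which produces `../source/nsswitch/pam_winbind.so`, but the copy command reads `cp ../samba/source/nsswitch/pam_winbind.so /lib/security`. Pick one base directory for both commands, or say explicitly that the cp is run from a different location. Moving the copy step up from the end of the section (removed at -9036) to here, before the PAM files are edited, is the right order.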
@@ -8885,9 +9746,7 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
->auth required /lib/security/pam_winbind.so
-auth required /lib/security/pam_stack.so service=system-auth
-account required /lib/security/pam_winbind.so
+>auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth</PRE
></TD
></TR
@@ -8978,10 +9837,11 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
->auth sufficient /lib/security/pam_winbind.so
-auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+>auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so
+account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth</PRE
></TD
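Review bot: the reorder of the ftp auth stack is the correct fix, but the prose should say why, because readers will otherwise "tidy" it back. In the old order `auth sufficient /lib/security/pam_winbind.so` came first, and a successful winbind authentication ends the auth stack right there, so the following `pam_listfile.so item=user sense=deny file=/etc/ftpusers` line never ran for domain users and the deny list was bypassed for them. With the `required` listfile check first, its failure is recorded before winbind is consulted and the login is refused regardless of the winbind result. The added `account sufficient /lib/security/pam_winbind.so` line is likewise unexplained: note that it is what lets domain users with no local account pass the account stage, and that, being `sufficient`, it also means the `system-auth` account checks are skipped for those users.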
@@ -9036,15 +9896,6 @@ CLASS="COMMAND"
>winbind.so</B
> line to get rid of annoying
double prompts for passwords.</P
-><P
->Finally, don't forget to copy the winbind pam modules from
-the source directory in which you originally compiled the new
-SAMBA up to the /lib/security directory so that pam can use it:</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-> cp ../samba/source/nsswitch/pam_winbind.so /lib/security</P
></DIV
></DIV
></DIV
@@ -9053,8 +9904,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1882"
->9.6. Limitations</A
+NAME="AEN2097"
+>10.6. Limitations</A
></H1
><P
>Winbind has a number of limitations in its current
@@ -9094,8 +9945,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1892"
->9.7. Conclusion</A
+NAME="AEN2107"
+>10.7. Conclusion</A
></H1
><P
>The winbind system, through the use of the Name Service
@@ -9111,23 +9962,23 @@ CLASS="CHAPTER"
><HR><H1
><A
NAME="OS2"
->Chapter 10. OS2 Client HOWTO</A
+>Chapter 11. OS2 Client HOWTO</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1906"
->10.1. FAQs</A
+NAME="AEN2121"
+>11.1. FAQs</A
></H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
-NAME="AEN1908"
->10.1.1. How can I configure OS/2 Warp Connect or
+NAME="AEN2123"
+>11.1.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></H2
><P
@@ -9185,8 +10036,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1923"
->10.1.2. How can I configure OS/2 Warp 3 (not Connect),
+NAME="AEN2138"
+>11.1.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></H2
><P
@@ -9238,8 +10089,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1932"
->10.1.3. Are there any other issues when OS/2 (any version)
+NAME="AEN2147"
+>11.1.3. Are there any other issues when OS/2 (any version)
is used as a client?</A
></H2
><P
@@ -9260,8 +10111,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1936"
->10.1.4. How do I get printer driver download working
+NAME="AEN2151"
+>11.1.4. How do I get printer driver download working
for OS/2 clients?</A
></H2
><P
@@ -9309,15 +10160,15 @@ CLASS="CHAPTER"
><HR><H1
><A
NAME="CVS-ACCESS"
->Chapter 11. HOWTO Access Samba source code via CVS</A
+>Chapter 12. HOWTO Access Samba source code via CVS</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1952"
->11.1. Introduction</A
+NAME="AEN2167"
+>12.1. Introduction</A
></H1
><P
>Samba is developed in an open environment. Developers use CVS
@@ -9338,8 +10189,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1957"
->11.2. CVS Access to samba.org</A
+NAME="AEN2172"
+>12.2. CVS Access to samba.org</A
></H1
><P
>The machine samba.org runs a publicly accessible CVS
@@ -9351,8 +10202,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1960"
->11.2.1. Access via CVSweb</A
+NAME="AEN2175"
+>12.2.1. Access via CVSweb</A
></H2
><P
>You can access the source code via your
@@ -9372,8 +10223,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1965"
->11.2.2. Access via cvs</A
+NAME="AEN2180"
+>12.2.2. Access via cvs</A
></H2
><P
>You can also access the source code via a
@@ -9478,12 +10329,12 @@ CLASS="COMMAND"
></DIV
><HR><H1
><A
-NAME="AEN1993"
+NAME="AEN2208"
>Index</A
></H1
><DL
><DT
->Primary Domain Controller,
+>Primary Domain Controller,
<A
HREF="x1098.htm"
>Background</A
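Review bot: the change to the `>Primary Domain Controller,` index entry is whitespace-only as displayed (the old and new lines differ in trailing or non-breaking whitespace), so confirm it is intentional output from the DocBook toolchain rather than an editor artifact; if it is not needed, drop it to keep the diff limited to the renumbering and content changes.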