Windows 2003 file-server with linux computer as an ADS member mounting Windows home directories with ssh login to Linux PC using pam_mount, samba, winbind
Joining a Samba Server (version 2) to a Windows 2000 domain
1) On the 2000 primary master, add the Samba host to the domain
2) On the Samba host, configure the smb.conf file thus:
security = domain
workgroup = DOM
as this is the name of the domain we are joining. You must also have the parameter encrypt passwords set to yes in order for your users to authenticate to the NT PDC. Finally, add (or modify) a password server = line in the [global] section to read:
password server = DOMPDC DOMBDC1 DOMBDC2
or
password server = *
4) Execute:
smbpasswd -j mydomain -r mydomain_dc
WITHOUT specifying the login account name! This results in:
2004/05/05 15:07:26 : change_trust_account_password: Changed password for domain MYDOMAIN.
Joined domain MYDOMAIN.
Samba will now start. Domain users that access the Samba host now result in a login event on behalf of the user, coming from the Samba host, appearing in the security log of the domain controller specified in the smb.conf file. You can also see what is going on by looking in /var/log/messages
Using Winbind to authenticate a Linux client computer against a samba PDC (version 3) so users have one account for Windows and Linux and one home directory
Instructions here are pretty good, but I needed to do a few things differently: Samba-HOWTO-Collection : winbind
What follows is a summary of what I did to get a few linux workstations to authenticate from a samba server and get their home directories from the samba server using nfs.
Install samba + winbind. My smb.conf is:
[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = +
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /u/theserver/%U
template shell = /bin/bash
winbind cache time = 600
winbind trusted domains only = yes
security = domain
workgroup = THEDOMAIN
password server = theserver
encrypt passwords = yes
# to remove domain from username
winbind use default domain = yes
obey pam restrictions = Yes
Install amd (you could use autofs, but we like amd for auto mounting). Our amd.users is:
# AMD map file for mounting the user directories as /u/nthomes/XX
/defaults opts:=intr,rsize=8192,wsize=8192,nosuid,nodev,proto=udp
bioserver type:=nfs;rhost:=theserver;rfs:=/samba/nthomes
Our amd.conf is:
[global]
# Don't do NIS or other silly things
map_type = file
# Our maps are in /etc
search_path = /etc
# Reduce logging
log_options = noinfo,error,fatal,warn,nouser
#log_options = info,error,fatal,warn
log_file = syslog
# Inherit volumes already mounted
restart_mounts = yes
unmount_on_exit = no
# We want a pid file
print_pid = yes
pid_file = /var/run/amd.pid
# Don't unmount too vigorously
cache_duration = 720
[ /u ]
map_name = amd.users
[ /misc ]
map_name = amd.misc
Relevant bits from /etc/nsswitch.conf:
passwd: files winbind
shadow: files
group: files winbind
Now as I am just running a few workstations I decided to distribute the passwd map by just putting it into /etc/passwd on each computer. The reason for this is that winbind will create a UID for each samba user and these can end up different on each linux workstation which is pretty bad for NFS. If I was running more linux workstations I would probably use NIS or NIS+ for the passwd and group maps. The magic bits in the smb.conf are:
winbind trusted domains only = yes
# to remove domain from username
winbind use default domain = yes
obey pam restrictions = Yes
Example entry in /etc/passwd:
Every time a user is added to THEDOMAIN on the samba server I have to add that user to the /etc/passwd file on each linux workstation.
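Because the UIDs in the hand-copied /etc/passwd must match the server's for NFS home directories to be owned by the right person, this added check (not part of the original notes) compares the server's passwd map with a workstation's copy and reports domain users whose UID differs or who are missing. The two passwd files below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original notes: find domain users whose UID on a
# workstation differs from the samba/NFS server, or who are missing there.
# A UID mismatch means files in the NFS-mounted home directory show up owned
# by some other local account.

# Constructed sample data: the server's passwd map and one workstation's copy.
WORKDIR=$(mktemp -d)
SERVER_PASSWD="$WORKDIR/passwd.server"
CLIENT_PASSWD="$WORKDIR/passwd.client"
cat > "$SERVER_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:10001:10000:Alice:/u/theserver/alice:/bin/bash
bob:x:10002:10000:Bob:/u/theserver/bob:/bin/bash
carol:x:10003:10000:Carol:/u/theserver/carol:/bin/bash
EOF
cat > "$CLIENT_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:10001:10000:Alice:/u/theserver/alice:/bin/bash
bob:x:10003:10000:Bob:/u/theserver/bob:/bin/bash
EOF

# passwd_uid_mismatches SERVER_FILE CLIENT_FILE [MIN_UID]
# Prints "MISMATCH user server_uid client_uid" or "MISSING user server_uid".
# Only users with uid >= MIN_UID (default 10000, the bottom of the idmap uid
# range in smb.conf) are checked, so local system accounts are ignored.
passwd_uid_mismatches() {
    awk -F: -v min="${3:-10000}" '
        NR == FNR { if ($3 + 0 >= min + 0) suid[$1] = $3; next }
        ($1 in suid) {
            if (suid[$1] != $3) printf "MISMATCH %s %s %s\n", $1, suid[$1], $3
            seen[$1] = 1
        }
        END { for (u in suid) if (!(u in seen)) printf "MISSING %s %s\n", u, suid[u] }
    ' "$1" "$2" | sort
}

passwd_uid_mismatches "$SERVER_PASSWD" "$CLIENT_PASSWD"
```

Run it with the real files (for example a copy of the server's /etc/passwd fetched over scp) before trusting a workstation's NFS home directories.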
Put computer into /etc/passwd file on PDC (samba server)
smbpasswd -a -m computer_name
Join domain using:
net join MEMBER -S bioserver
root's password:
Joined domain DOMAIN.
If you have not created the machine trust account on the server then you might get:
# wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret
# wbinfo -u
Error looking up domain users
# wbinfo -g
start winbind
wbinfo -t
checking the trust secret via RPC calls succeeded
getent passwd
should list the passwd map
Now you will want other things to work like sshd, login, rlogin, xlock and X11. In /etc/pam.d/ you will find a bunch of files that configure how PAM does authentication for different programs. You need to add in lines like:
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
to each of the relevant files. This is what I did (that works):
/etc/pam.d$ grep winbind *
login:auth sufficient pam_winbind.so
login:account sufficient pam_winbind.so
other:auth sufficient pam_winbind.so
other:account sufficient pam_winbind.so
passwd:auth sufficient pam_winbind.so
passwd:account sufficient pam_winbind.so
rlogin:auth sufficient pam_winbind.so
rpasswd:auth sufficient pam_winbind.so
rpasswd:account sufficient pam_winbind.so
sshd:auth sufficient pam_winbind.so
sshd:account sufficient pam_winbind.so
xdm:auth sufficient pam_winbind.so
xdm:account sufficient pam_winbind.so
xlock:auth sufficient pam_winbind.so
You should now find that most things work (login on the console, xlock, rlogin, etc.), BUT ssh will probably not work. I found an undocumented parameter that tells sshd to use PAM, and I had to change the setting of another parameter so that sshd would work:
UsePAM yes
PasswordAuthentication no
To change user passwd from Linux:
smbpasswd -r theserver
Create a simple home directory creation script on the samba server that also puts example login scripts into their home directory (.bashrc, etc.).
Mounting an smb share on a linux computer as a normal user with fstab
If you can:
mount -t smbfs -o username=USER,port=139 //computer.domain/USER /mntpoint
then you should be able to put this entry into your /etc/fstab:
//computer.domain/USER /mntpoint smbfs username=USER,port=139,user,noauto 0 0
Then you need to make a few adjustments so that a normal user can use smbmnt:
# chown USER /mntpoint
# ls -ld /mntpoint
drwxr-xr-x 2 USER root 4096 Sep 9 12:46 /mntpoint
# chmod u+s /usr/bin/smbmnt
Then the USER should be able to: mount /mntpoint
You might have noticed that port=139 is specified; we needed this because we block port 445. smbmount reckons it uses port=139 by default, but I think it actually uses port=445.
For diagnosis it is rather useful to be able to:
#to see what shares are available:
net rpc share -S computer.domain -U USER
#to see what network connections there are:
netstat -n
#to do command line Windows drive mapping (Windows command prompt):
net use
#and also from the Windows command prompt you can view shares:
net view
#(put a question mark after a net command to get the syntax):
net view ?
Annoyingly under RH9 (and 7.3) only root can umount this mount (yes the user did mount it). With Suse 9 the problem is worse and when trying to use /etc/fstab you get:
mount error: Invalid argument
Please refer to the smbmnt(8) manual page
smbmnt failed: 255
If you google you will find plenty of people with this problem, such as here.
Time to submit a bug to suse I guess.
These things do work as a non-root user:
smbmount //COMPUTER/SHARE /mnt -o username=USER,port=139
/sbin/mount.smbfs //COMPUTER/SHARE /mnt -o username=USER,port=139
Mounting smb share from Windows 2003 server (SP1)
This worked for me (Suse 9.1 Pro):
mount -t cifs -o username="$user" //server.domain/sharename /mntpoint
I was getting this error message when trying to use smb:
mount -t smbfs -o username=$user,port=4139 //server.domain/sharename /mntpoint
cli_negprot: SMB signing is mandatory and we have disabled it.
12400: protocol negotiation failed
SMB connection failed
Suse 9.1 and Samba config - compiling your own samba
We prefer to compile samba ourselves (most installation and configuration done as a non-root user). Interestingly the magic machine adding command which is usually:
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
but useradd under Suse 9.1 does not like /dev/null so:
add user script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
Now this works, but you'll get some error messages in /var/log/samba/smb/log if you have changed your /etc/passwd file a bit:
useradd: Unknown group `dialout'.
useradd: Unknown group `video'.
useradd: Unknown group `audio'.
So:
vim /etc/default/useradd
and remove the groups that do not exist.
man useradd says " -g, --gid gid The group name or number of the user's main group. The group name or number must refer to an already existing group. If not specified, the default from /etc/default/useradd is used. ".
/etc/default/useradd:
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
GROUPS=uucp
Without sorting this out, when you try to add (on the fly) a Windows computer to your samba domain you will get an error message something like "The following error occurred attempting to join the domain XXXX: The username not found".
Windows ADS on Windows 2003 Server with Linux file-server and linux clients as part of Windows domain
This could also be called: "IDMAP ADS Using ADS with SFU3.5"
If you want to put your linux authentication and directory information into ADS and have your linux computers as part of a Windows ADS then this does work.
Configure Windows 2003 Server
=============================
Install SFU3.5 - default is fine, to extend ADS schema to include UNIX attributes - on a Windows 2003 Server running as a Domain Controller. Free download from the Microsoft website.
Create a test user with UNIX attributes of:
uid
gid
home directory
default shell
Make sure that the Windows ADS group/s this user is a member of also have UNIX attributes. In particular the gid of the test user needs to correspond to an ADS group with a UNIX gid.

Linux Computer
==============
/etc/resolv.conf needs to point to the DNS server with all of the ADS entries in it - so that samba can find AD. So if you have a Windows domain controller called "sd1" (IP=192.168.0.1) then /etc/resolv.conf can be:
nameserver 192.168.0.1
search domain

Pre-requisites:
ldap + libraries + devel
kerberos + libraries + devel
openssl devel
pam libraries
cyrus-sasl libraries
acl libraries
For Suse9.1 these are the packages (rpms) that I needed:
openldap2 openldap2-devel openldap2-client heimdal heimdal-lib heimdal-tools heimdal-devel db-devel e2fsprogs-devel openssl-devel cyrus-sasl-devel pam-devel libcap libacl-devel acl libacl quota

Compile samba
=============
This is an example of how to compile samba without too much root action:
as root:
mkdir /usr/local/samba/
chown mr /usr/local/samba/
as mr:
./configure --prefix=/usr/local/samba/ --with-ldap --with-ads --with-krb5 --with-pam --with-winbind --with-shared-modules=idmap_ad --with-acl-support --with-quotas
Note: DO scan the config.log for errors. For example if you do not have libcap installed samba will still build, but winbind will crash every time you try a "getent passwd". Mind you I still have a few errors in config.log, but they don't seem to matter...
make
make install
Note: --with-shared-modules=idmap_ad is currently the only way to get the idmap_ad module built
/usr/local/samba/lib/idmap$ ln -s ./idmap_ad.so ad.so
To pick up users and groups from ADS you'll need to (as root):
cd samba-3.0.20/source/nsswitch
cp libnss_winbind.so /lib
cp libnss_wins.so /lib
ldconfig
You might also want samba to start up on boot, so create a startup script. For linux this is typically in /etc/init.d
Create your smb.conf. Best advice is to do this with a very simple configuration to start with:
[global]
winbind separator = '\'
#idmap uid = 100-20000
#idmap gid = 100-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 600
winbind use default domain = yes
allow trusted domains = yes
idmap backend = ad
winbind nss info = sfu
workgroup = short_domain_name
realm = domain
security = ADS
encrypt passwords = yes
password server = winserver1.domain, winserver2.domain
obey pam restrictions = Yes
Use testparm to check it:
testparm -s
Note: if things do not work then you'll end up with default mappings to uid and gid for users created on the fly by winbind. These go into a file in: /usr/local/samba/var/locks.
Now to join the domain. Several ways you can do this, such as:
kinit Administrator@domain.thing.com
net ads join "\unix_workstations"
edit /etc/nsswitch.conf:
passwd: files winbind
shadow: files
group: files winbind
Restart samba (smbd, nmbd) and winbind
Some testing:
wbinfo -t
should give:
checking the trust secret via RPC calls succeeded
wbinfo -u
Administrator
Guest
SUPPORT_388945a0
SD1$
krbtgt
bob
SD2$
sf1$
wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy
Now the following should work:
getent passwd
getent group
getent passwd test
(where test is a test user)

Troubleshooting
===============
Well there will likely be problems. Take your time and do not panic.
Think carefully about where the problem actually is. The Windows event log can be slightly useful (showing you security information about logins, etc.). The winbind log can be VERY useful. You can easily turn debugging information up a fair bit:
/etc/init.d/winbind stop
winbindd -D 5
/usr/local/samba/var is where to look, with this example installation, for the log files.
Note: if you do not get uid and gid values for the AD users and groups then it will NOT work. Un-comment this stuff in smb.conf:
idmap uid = 100-20000
idmap gid = 100-20000
and you'll get mappings that you can, later, get rid of. If you end up with uid:gid set for users by winbindd choosing consecutive numbers and the values not coming from ADS then you can stop winbindd, nmbd and delete (argh!) the idmap database file. Usually in:
/usr/local/samba/var/locks/
I think it is these files:
winbindd_cache.tdb
winbindd_idmap.tdb
NOT recommended on a live server. Start winbind up again and the "on-the-fly" idmap entries will be gone.

Useful Links
============
http://lilly.csoft.net/~vdebaere/handleiding/samba-activedirectory/index_en.html
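The two conditions the testing and troubleshooting sections above rely on are that every AD user listed by wbinfo -u resolves through getent passwd (i.e. has SFU uid/gid attributes) and that each resolved user's primary gid exists in getent group. This added check (not part of the original notes) reads captured output of those three commands from files and reports users that fail either condition; the sample output below is constructed, with names modelled on the listing above.

```shell
#!/bin/sh
# Added example, not from the original notes: given saved output of
# "wbinfo -u", "getent passwd" and "getent group", report AD users that do
# not resolve to a uid (missing UNIX attributes in AD) or whose primary gid
# has no matching group (the group lacks a UNIX gid).

# Constructed sample captures.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/wbinfo_u" <<'EOF'
Administrator
bob
test
SD1$
EOF
cat > "$WORKDIR/getent_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:*:10001:10000:bob:/home/bob:/bin/bash
test:*:10002:10500:test:/home/test:/bin/bash
EOF
cat > "$WORKDIR/getent_group" <<'EOF'
root:x:0:
Domain Users:*:10000:
EOF

# check_ad_idmap WBINFO_FILE PASSWD_FILE GROUP_FILE
# Prints "NO-UNIX-ATTRS user" or "NO-UNIX-GROUP user gid=N", one per line.
# Machine accounts (names ending in $) are skipped: they carry no UNIX
# attributes and are not expected to resolve.
check_ad_idmap() {
    awk -F: '
        FILENAME == ARGV[1] { if ($0 !~ /\$$/) want[$0] = 1; next }
        FILENAME == ARGV[2] { uid[$1] = $3; gid[$1] = $4; next }
        FILENAME == ARGV[3] { gname[$3] = $1; next }
        END {
            for (u in want) {
                if (!(u in uid)) printf "NO-UNIX-ATTRS %s\n", u
                else if (!(gid[u] in gname)) printf "NO-UNIX-GROUP %s gid=%s\n", u, gid[u]
            }
        }
    ' "$1" "$2" "$3" | sort
}

check_ad_idmap "$WORKDIR/wbinfo_u" "$WORKDIR/getent_passwd" "$WORKDIR/getent_group"
```

On a real box capture the three commands to files first (wbinfo -u > u.txt; getent passwd > p.txt; getent group > g.txt) and run check_ad_idmap on them; an empty result means every non-machine AD user has usable uid and gid values.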
Samba Print Server - Open for print job management to all users
I wanted a samba print-server (also with lpd for UNIX) that would simply use host-based access control and allow users to manipulate print jobs.
I used this command to give printer management rights to guest users (you need to give the password for the samba root user):
net rpc rights grant 'nobody' SePrintOperatorPrivilege
To check it has worked:
net rpc rights list nobody
Or you can be even more generous with:
net rpc rights grant 'Everyone' SePrintOperatorPrivilege
To list rights for all accounts:
net rpc rights list accounts
The smb.conf for samba-3.0.21 is:
[global]
server string = Print1 the XXX print server
printing = lprng
load printers = yes
printcap name = /etc/printcap
use client driver = no
wins server = IP_address
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wide links = No
max log size = 0
log level = 0
# mainly to allow visiting computers to print via our server.
guest account = nobody
map to guest = Bad User
hosts allow = IP, IP, IP, localhost
hosts deny = 0 0.0.0.0/0
security = USER
paranoid server security = no
workgroup = THING
show add printer wizard = yes
domain master = no
enhanced browsing = no
local master = no
preferred master = no
# PRINTER CONTROL
enable privileges = yes
print command = /usr/bin/lpr -r -P'%p' %s
lpq command = /usr/bin/lpq -P'%p'
lprm command = /usr/bin/lprm -P'%p' %j
lppause command = /usr/bin/lpc hold '%p' %j
lpresume command = /usr/bin/lpc release '%p' %j
queuepause command = /usr/bin/lpc stop '%p'
queueresume command = /usr/bin/lpc start '%p'
[printers]
comment = Printers
path = /var/spool/samba
printable = yes
guest ok = yes
browseable = no
read only = yes
writable = no
[print$]
comment = Printer Driver Download Area
path = /usr/local/samba/drivers
browseable = yes
guest ok = yes
read only = yes
write list = @ntadmin, root