SAMBA (again) using a Win-Domain-Controller
Hey all, newbie seeking help.
I see my linx share, no probs. Can edit files, delete, add whatever.
Now I am trying to configure the samba server in order to be able to change user rights for linux shares vie windows machines. thus preparing the samba server to be compatible with active directory.
any clues ? hints ? tips ?
You cannot change user rights on directories with a NT domain controler. You can setup samba to join an nt domain and even authenticate users off the nt box (ones that do not exist on the nix box) You need winbindd for this. however, part of the setup screws your system accounts. You have to heavily edit /etc/pam.d/* to point all authentication to winbind, as well as editing nsswitch.conf.
Leave the sshd file in pam.d alone. so in the event you jack your system you can still login through ssh. But I don't think you can define shares on the nt box and have them be valid on nix. I could be wrong tho I havn't spent any time playing with winbind in depth
I read about editing the files, but most of the articles were about RH linux. any differences to SuSe 8.0 ?
so how exactly do I change the according files ?
thanks in advance
nsswitch.conf passwd: files winbind group: files winbind
All files in pam.d EXCEPT sshd..
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
replace the account lines with this:
account required /lib/security/pam_winbind.so
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *
Once you made all the changes restart samba. make sure winbindd is running. ps -ef |grep winbindd if not go to /etc/init.d
smbpasswd -j DOMAIN -r PDC -U Administrator
then check that it actually worked with
wbinfo --help (i cant remember the switches)
Some files might be in different places. All pam.d entries are replacements for lines there so if the line begins with auth or account replace it.
This will break root logins on the nix box. along with any other user account not in MS-AD
depending on the speperator you use the login now looks like this
domain+user or user+domain, I cannot remember which.
This is an example and by no means should you expect it to work the first try. Also if you make all the entries into pam.d/* EXCEPT sshd and you cant login through X or a shell. You will still be able to over ssh. And even if you can login. it wont be as root. or with root access. So my suggestion is to leave sshd a lone so you can still get root on the box.
|All times are GMT -5. The time now is 03:02 AM.|