Setup Linux to authenticate against a Samba server
This will show you how to setup Debian GNU/Linux to authenticate against a remote Samba server (Samba could also imply a Windows PDC too). It also details how to setup pam_mount to mount Samba shares automatically on login, so when a Samba user logs on to the Linux client, they get their $HOME as their home directory on the server. There's also a shell script I devised to allow changing of passwords.
The article is based on a Linux client running Debian unstable and a Samba server running on a Debian stable server. It assumes you've already got a Samba server setup on a server and that it's currently serving Windows style domain logons.
Before you start
You're going to be changing files that effect the interactive login process - if you do something wrong you could (potentially) stop yourself from logging in to your machine. So before you start you may want to backup the /etc/nsswitch.conf file and the /etc/pam.d directory.
Installation on the client
# apt-get install winbind samba
Client configuration (Samba and NSS)
Edit /etc/samba/smb.conf and edit and/or add the following to it:
workgroup = YOURWORKGROUP
sercurity = domain
encrypt passwords = yes
password server = *
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
As root, you need to mkdir /home/YOURWORKGROUP
Now edit /etc/nsswitch.conf so the passwd, group and shadow lines look like the following:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
Testing things so far
Make sure the above has worked by running:
$ getent passwd
You should see your local /etc/passwd file, with the addition of the users from the remote Samba server at the bottom.
You may also be interested in:
$ wbinfo -u
$ wbinfo -g
If the above commands don't work for some reason, complete the steps in the following section below and try again. It may resolve the issues.
Add the client to the domain
You may need to join the Linux client to the Samba domain. On the Samba server, create a local account of the computer in /etc/passwd (otherwise Samba will complain later). For example, I added the following (as I always do):
"oppressed" is the name of the Linux client. You append a dollar sign after the computer name to tell Samba it's a computer account. I've added all computer accounts to a seperate primary group (GID 104) called "computers". This account has no home directory (hence /dev/null) and is unable to login interactivly (/bin/false) - no need to set a password.
Now on the client, run the following command:
# net join -S server_name -U Administrator
Where server_name, is the name of the remote Samba server and Administrator is a Samba user with administrator privs - I have mine as "root". After running this, on the remote Samba machine, you should be able to cat /etc/samba/smbpasswd and see the computer account in there.
If net join gives you trouble, you could always just use smbpasswd -m on the remote Samba server.
Allowing Samba users to login to the client
You're nearly there. You now need to edit PAM which controls interactive logins under Linux. All the PAM files to control logins can be found in /etc/pam.d
I found the easiest way to do this under Debian unstable was to edit just the following common files:
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
account sufficient pam_winbind.so
session required pam_unix.so nullok_secure
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Now you're ready to test everything.
Switch to a console and enter the username in the format YOURWORKGROUP\username. For example, my workgroup (or SMB domain) is HEX, so to login as user "david", I use HEX\david
Hopefully, after entering your password you'll be logged in:
Debian GNU/Linux testing/unstable oppressed tty1
oppressed login: HEX\david
Last login: Thu Apr 22 03:20:31 2004 on tty1
Linux oppressed 2.6.5 #1 Tue Apr 20 17:23:40 BST 2004 i686 GNU/Linux
I have no name!@oppressed:~$ pwd
I have no name!@oppressed:~$
Mounting shares automatically using libpam-mount
Now you've got authentication working, you may want to automatically mount the users $HOME from the remote Samba server. This requires libpam-mount to be installed:
# apt-get install libpam-mount
Edit the /etc/security/pam_mount.conf file so it looks like:
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -S -o "user=%(USER)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
umount /bin/umount %(MNTPT)
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
volume * smb server_name & /home/YOURWORKGROUP/& uid=&,gid=&,dmask=0700,workgroup=YOURWORKGROUP - -
Where server_name is the name of the remote Samba server and YOURWORKGROUP is the name of your workgroup or Samba domain.
You need to edit the following PAM files within /etc/pam.d in order to use pam_mount:
Before the pam_winbind.so line, add:
auth required pam_mount.so
Append use_first_pass to the end of the pam_winbind.so line.
At the end of the file, after the pam_mkhomedir.so line add:
session optional pam_mount.so
If you're logged in as a Samba user, you can't use the standard passwd command to change passwords. You need to use smbpasswd and tell it to change the password on the remote Samba server. For the average Joe, who maybe logs in via a Display Manager, remembering the syntax could be a burden.
For this reason I wrote a shell script that determines if the user is a Samba user or a local user and runs the correct password changing program. It will attempt to discover the remote Samba server as well.
## User defined settings
# Samba server - if left blank, will attempt to automatically discover it
# Minimum winbind UID, as specfied in smb.conf
# Maximum winbind UID, as speci
[Note: Unfortunately the original Text was cut off at some point earlier in the history of this page.]