Old 10-30-2003, 10:59 AM   #1
teo
LQ Newbie
 
Registered: Oct 2003
Posts: 3

Rep: Reputation: 0
samba PDC and linux client login


i have a samba pdc for 10 win2000 client in my office.
now i want to setup a new machine based on linux mdk 9.2
i setup winbind (on the linux client) and i can see users via wbinfo -u and getent passwd.
the problem is that i cannot login using a samba account and i cannot join the samba domain using smbpasswd -j domain -Uadministrator%pass (NT_STATUS_ACCESS_DENIED unable to join domain)

wbinfo -t says Secret is bad

in the winbind log i can see:
could not lookup Domain Users



how can i add and trust my linux machine and join the samba domain via linux-client ?

thanks in advance for your help
matteo
 
Old 09-06-2012, 05:48 AM   #2
kashifazizawan
Member
 
Registered: Aug 2008
Location: Abbottabad, Pakistan
Distribution: CentOS
Posts: 40
Blog Entries: 13

Rep: Reputation: 15
http://www.hants.lug.org.uk/wiki/LinuxHints/SambaAuth

Setup Linux to authenticate against a Samba server

This will show you how to setup Debian GNU/Linux to authenticate against a remote Samba server (Samba could also imply a Windows PDC too). It also details how to setup pam_mount to mount Samba shares automatically on login, so when a Samba user logs on to the Linux client, they get their $HOME as their home directory on the server. There's also a shell script I devised to allow changing of passwords.

The article is based on a Linux client running Debian unstable and a Samba server running on a Debian stable server. It assumes you've already got a Samba server setup on a server and that it's currently serving Windows style domain logons.

Before you start

You're going to be changing files that affect the interactive login process - if you do something wrong you could (potentially) stop yourself from logging in to your machine. So before you start you may want to back up the /etc/nsswitch.conf file and the /etc/pam.d directory.

Installation on the client


# apt-get install winbind samba

That's it

Client configuration (Samba and NSS)

Edit /etc/samba/smb.conf and edit and/or add the following to it:


workgroup = YOURWORKGROUP
security = domain
encrypt passwords = yes
password server = *
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U

As root, you need to mkdir /home/YOURWORKGROUP

Now edit /etc/nsswitch.conf so the passwd, group and shadow lines look like the following:


passwd: compat winbind
group: compat winbind
shadow: compat winbind

Testing things so far

Make sure the above has worked by running:


$ getent passwd

You should see your local /etc/passwd file, with the addition of the users from the remote Samba server at the bottom.

You may also be interested in:


$ wbinfo -u
$ wbinfo -g

If the above commands don't work for some reason, complete the steps in the following section below and try again. It may resolve the issues.

Add the client to the domain

You may need to join the Linux client to the Samba domain. On the Samba server, create a local account of the computer in /etc/passwd (otherwise Samba will complain later). For example, I added the following (as I always do):


oppressed$:x:1004:104::/dev/null:/bin/false

"oppressed" is the name of the Linux client. You append a dollar sign after the computer name to tell Samba it's a computer account. I've added all computer accounts to a separate primary group (GID 104) called "computers". This account has no home directory (hence /dev/null) and is unable to login interactively (/bin/false) - no need to set a password.

Now on the client, run the following command:


# net join -S server_name -U Administrator

Where server_name is the name of the remote Samba server and Administrator is a Samba user with administrator privs - I have mine as "root". After running this, on the remote Samba machine, you should be able to cat /etc/samba/smbpasswd and see the computer account in there.

If net join gives you trouble, you could always just use smbpasswd -m on the remote Samba server.

Allowing Samba users to login to the client

You're nearly there. You now need to edit PAM which controls interactive logins under Linux. All the PAM files to control logins can be found in /etc/pam.d

I found the easiest way to do this under Debian unstable was to edit just the following common files:

/etc/pam.d/common-auth


auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-account


account sufficient pam_winbind.so

/etc/pam.d/common-session


session required pam_unix.so nullok_secure
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Testing everything

Now you're ready to test everything.

Switch to a console and enter the username in the format YOURWORKGROUP\username. For example, my workgroup (or SMB domain) is HEX, so to login as user "david", I use HEX\david

Hopefully, after entering your password you'll be logged in:


Debian GNU/Linux testing/unstable oppressed tty1

oppressed login: HEX\david
Password:
Last login: Thu Apr 22 03:20:31 2004 on tty1
Linux oppressed 2.6.5 #1 Tue Apr 20 17:23:40 BST 2004 i686 GNU/Linux
I have no name!@oppressed:~$ pwd
/home/HEX/david
I have no name!@oppressed:~$

Mounting shares automatically using libpam-mount

Now you've got authentication working, you may want to automatically mount the user's $HOME from the remote Samba server. This requires libpam-mount to be installed:


# apt-get install libpam-mount

Edit the /etc/security/pam_mount.conf file so it looks like:


debug 0
mkmountpoint 1
luserconf .pam_mount.conf

options_allow nosuid,nodev
options_deny suid,dev
options_require nosuid,nodev

lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -S -o "user=%(USER)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
umount /bin/umount %(MNTPT)
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)

volume * smb server_name & /home/YOURWORKGROUP/& uid=&,gid=&,dmask=0700,workgroup=YOURWORKGROUP - -

Where server_name is the name of the remote Samba server and YOURWORKGROUP is the name of your workgroup or Samba domain.

You need to edit the following PAM files within /etc/pam.d in order to use pam_mount:

/etc/pam.d/common-auth

Before the pam_winbind.so line, add:


auth required pam_mount.so

Append use_first_pass to the end of the pam_winbind.so line.

/etc/pam.d/common-session

At the end of the file, after the pam_mkhomedir.so line add:


session optional pam_mount.so

Changing passwords

If you're logged in as a Samba user, you can't use the standard passwd command to change passwords. You need to use smbpasswd and tell it to change the password on the remote Samba server. For the average Joe, who maybe logs in via a Display Manager, remembering the syntax could be a burden.

For this reason I wrote a shell script that determines if the user is a Samba user or a local user and runs the correct password changing program. It will attempt to discover the remote Samba server as well.


#!/bin/sh
#

## User defined settings
#
# Samba server - if left blank, will attempt to automatically discover it
SERVER=''
# Minimum winbind UID, as specified in smb.conf
MINUID=10000
# Maximum winbind UID, as speci
[Note: Unfortunately the original Text was cut off at some point earlier in the history of this page.]
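
An added example, not part of either post or of the quoted article: a pre-flight check for the client settings listed under "Client configuration (Samba and NSS)", worth running before net join because Samba ignores a parameter name it does not recognise, so a misspelled "security" line leaves the client outside domain mode. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for the winbind client files described above.

# Print the value of one smb.conf parameter (names are case-insensitive).
smbconf_get() {  # usage: smbconf_get FILE "parameter name"
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }    # skip comment lines
        NF >= 2 {
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit
            }
        }' "$1"
}

# Return 0 when the files match the article's settings, else list the problems.
check_winbind_client() {  # usage: check_winbind_client SMB_CONF NSSWITCH_CONF
    smb=$1 nss=$2 problems=0
    sec=$(smbconf_get "$smb" security | tr 'A-Z' 'a-z')
    if [ "$sec" != "domain" ]; then
        echo "smb.conf: security is '${sec:-unset}', expected 'domain'"
        problems=$((problems + 1))
    fi
    for key in "idmap uid" "idmap gid"; do
        range=$(smbconf_get "$smb" "$key")
        lo=${range%%-*} hi=${range##*-}
        case "$lo" in ''|*[!0-9]*) lo=0 hi=0 ;; esac
        case "$hi" in ''|*[!0-9]*) lo=0 hi=0 ;; esac
        if [ "$lo" -ge "$hi" ]; then
            echo "smb.conf: '$key' range '$range' is missing or invalid"
            problems=$((problems + 1))
        fi
    done
    for db in passwd group; do
        if ! grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|\$)" "$nss"; then
            echo "nsswitch.conf: '$db' line does not list winbind"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample files: a misspelled parameter name counts as unset.
demo=$(mktemp -d)
printf '[global]\nsercurity = domain\nidmap uid = 10000-20000\nidmap gid = 10000-20000\n' > "$demo/smb.conf"
printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$demo/nsswitch.conf"
check_winbind_client "$demo/smb.conf" "$demo/nsswitch.conf" || echo "fix the above before joining"
rm -rf "$demo"
```

On a real client, pass /etc/samba/smb.conf and /etc/nsswitch.conf as the two arguments; testparm also reports unknown parameter names.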
 
  

