Thanks for any assistance in advance.

My ultimate goal is to create a single sign on environment on our networks. Right now, we have a Win2K A/D environment (native mode) running with hundreds of Windows 2000 clients and a handful of Linux servers running Red Hat Enterprise Advanced Server 3.0. For most of our unix servers, we have an LDAP server running Solaris 9 to centralize all unix logins. But, for this situation, I will not have this new RHAS3.0 server configured for LDAP. I have configured samba 2.x in the past, but this is the first time I am working on 3.0.x. I am running samba 3.0.2 on the RHAS3.0 server which also has krb5-libs-1.2.7.

To simplify, there is one linux samba server that I need to access from a Windows client and I want to authenticate with the Win2K A/D. Right now, if the user account exists on the linux server using the same username as in A/D, I can access the samba share on the linux server from a windows client. Once I remove the unix user, I can no longer access the share.

I am new to Kerberos and Pam configuration, so please bear with me.

Here are the key configuration files:
smb.conf
[global]
realm = DOMAIN.COM
workgroup = DOMAIN
netbios name = LINUXSERVERNAME
password server = WIN2kDC
security = ADS
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
winbind separator = +

#SAMBA SHARE
[DROPZONE]
path = /data
read only = no
public = no
only guest = no
writable = yes

krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_etypes = arcfour-hmac-md5
default_etypes_des = arcfour-hmac-md5

[realms]
DOMAIN.COM= {
kdc = Win2kDC.DOMAIN.COM:88
admin_server = Win2kDC.DOMAIN.COM:749
default_domain = domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

pam.d/samba:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
SAMBA WINBIND authentication
#BEGIN
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so nullok shadow
account required /lib/security/pam_pwdb.so
#END

pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
Added the following three lines for SAMBA and WINBIND
#BEGIN
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
account sufficient /lib/security/pam_winbind.so
#END
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

As I was copying my config files into this post, I realized that I had group and passwd in /etc/nsswitch.conf set to "files". I changed that to "passwd: files winbind" and "group: files winbind", and now I can access the shares from a Windows client controlling access via the "valid users" field in smb.conf.

Now, what needs to be done to be able to have logins to all unix systems be authenticated via Win2K A/D? I know it's a huge question, but any guidance and experience would be greatly appreciated.

THANK YOU.

I restored the krb5.conf to the default that came with the install and I am a still able to access my shares. Was kerberos only needed when I joined the Linux Samba Server to the domain via "net ads join"?


It seems as though Kerberos is no longer needed once the system is joined to the domain.