Samba 3.0.2, Kerberos, Linux (RHAS3.0), Win2kAD - linux smb server with a w2k client
Thanks for any assistance in advance.
My ultimate goal is to create a single sign on environment on our networks. Right now, we have a Win2K A/D environment (native mode) running with hundreds of Windows 2000 clients and a handful of Linux servers running Red Hat Enterprise Advanced Server 3.0. For most of our unix servers, we have an LDAP server running Solaris 9 to centralize all unix logins. But, for this situation, I will not have this new RHAS3.0 server configured for LDAP. I have configured samba 2.x in the past, but this is the first time I am working on 3.0.x. I am running samba 3.0.2 on the RHAS3.0 server which also has krb5-libs-1.2.7.
To simplify, there is one linux samba server that I need to access from a Windows client and I want to authenticate with the Win2K A/D. Right now, if the user account exists on the linux server using the same username as in A/D, I can access the samba share on the linux server from a windows client. Once I remove the unix user, I can no longer access the share.
I am new to Kerberos and Pam configuration, so please bear with me.
Here are the key configuration files:
smb.conf
[global]
realm = DOMAIN.COM
workgroup = DOMAIN
netbios name = LINUXSERVERNAME
password server = WIN2kDC
security = ADS
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
winbind separator = +
#SAMBA SHARE
[DROPZONE]
path = /data
read only = no
public = no
only guest = no
writable = yes
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_etypes = arcfour-hmac-md5
default_etypes_des = arcfour-hmac-md5
[realms]
DOMAIN.COM= {
kdc = Win2kDC.DOMAIN.COM:88
admin_server = Win2kDC.DOMAIN.COM:749
default_domain = domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
pam.d/samba:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
SAMBA WINBIND authentication
#BEGIN
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so nullok shadow
account required /lib/security/pam_pwdb.so
#END
pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
Added the following three lines for SAMBA and WINBIND
#BEGIN
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
account sufficient /lib/security/pam_winbind.so
#END
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
Last edited by irishb3; 07-20-2004 at 07:54 AM.
|