Old 07-20-2004, 07:52 AM   #1
irishb3
LQ Newbie
 
Registered: Aug 2001
Posts: 6

Samba 3.0.2, Kerberos, Linux (RHAS3.0), Win2kAD - linux smb server with a w2k client


Thanks for any assistance in advance.

My ultimate goal is to create a single sign on environment on our networks. Right now, we have a Win2K A/D environment (native mode) running with hundreds of Windows 2000 clients and a handful of Linux servers running Red Hat Enterprise Advanced Server 3.0. For most of our unix servers, we have an LDAP server running Solaris 9 to centralize all unix logins. But, for this situation, I will not have this new RHAS3.0 server configured for LDAP. I have configured samba 2.x in the past, but this is the first time I am working on 3.0.x. I am running samba 3.0.2 on the RHAS3.0 server which also has krb5-libs-1.2.7.

To simplify, there is one linux samba server that I need to access from a Windows client and I want to authenticate with the Win2K A/D. Right now, if the user account exists on the linux server using the same username as in A/D, I can access the samba share on the linux server from a windows client. Once I remove the unix user, I can no longer access the share.

I am new to Kerberos and PAM configuration, so please bear with me.

Here are the key configuration files:
smb.conf
[global]
realm = DOMAIN.COM
workgroup = DOMAIN
netbios name = LINUXSERVERNAME
password server = WIN2kDC
security = ADS
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
winbind separator = +

#SAMBA SHARE
[DROPZONE]
path = /data
read only = no
public = no
only guest = no
writable = yes

krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_etypes = arcfour-hmac-md5
default_etypes_des = arcfour-hmac-md5

[realms]
DOMAIN.COM = {
kdc = Win2kDC.DOMAIN.COM:88
admin_server = Win2kDC.DOMAIN.COM:749
default_domain = domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

pam.d/samba:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# SAMBA WINBIND authentication
#BEGIN
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so nullok shadow
account required /lib/security/pam_pwdb.so
#END

pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
# Added the following three lines for SAMBA and WINBIND
#BEGIN
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
account sufficient /lib/security/pam_winbind.so
#END
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

Last edited by irishb3; 07-20-2004 at 07:54 AM.
 
Old 07-20-2004, 08:01 AM   #2
irishb3
LQ Newbie
 
Registered: Aug 2001
Posts: 6

Original Poster
As I was copying my config files into this post, I realized that I had group and passwd in /etc/nsswitch.conf set to "files". I changed that to "passwd: files winbind" and "group: files winbind", and now I can access the shares from a Windows client controlling access via the "valid users" field in smb.conf.

Now, what needs to be done to be able to have logins to all unix systems be authenticated via Win2K A/D? I know it's a huge question, but any guidance and experience would be greatly appreciated.

THANK YOU.
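The two files this thread turned on were /etc/nsswitch.conf (post #2: winbind missing from passwd and group) and the pam.d service files in post #1, where annotation lines without a leading "#" are not valid PAM entries. Below is an added example, not code from the thread, with two POSIX shell checks for those files; the sample inputs are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Two offline checks for the files the
# posts turned on: /etc/nsswitch.conf must list "winbind" for passwd and
# group (post #2), and every non-comment line of a pam.d service file must
# start with a PAM type (post #1's annotation lines would otherwise be
# rejected by Linux-PAM). Both take a file path; the samples are constructed.

# Prints "ok" if both passwd and group lines name winbind, else the missing ones.
nss_winbind_check() {
    missing=""
    for db in passwd group; do
        # first matching "db:" line, with the "db:" prefix stripped
        sources=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$1" | head -n 1)
        case " $sources " in
            *" winbind "*) ;;
            *) missing="$missing $db" ;;
        esac
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing winbind:$missing"; fi
}

# Prints "N:line" for each line that is not blank, a comment, or a PAM entry
# (optionally prefixed with "-" for a module that may be absent).
pam_bad_lines() {
    grep -nvE '^[[:space:]]*(#|-?(auth|account|password|session)[[:space:]])|^[[:space:]]*$' "$1"
}

# Constructed samples: nsswitch.conf before and after the fix in post #2, and a
# pam.d/samba with the "SAMBA WINBIND authentication" marker left uncommented.
TMP=$(mktemp -d)
printf 'passwd: files\ngroup: files\nhosts: files dns\n' > "$TMP/nsswitch.before"
printf 'passwd: files winbind\ngroup: files winbind\nhosts: files dns\n' > "$TMP/nsswitch.after"
cat > "$TMP/pam_samba" <<'EOF'
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
SAMBA WINBIND authentication
#BEGIN
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
#END
EOF

nss_winbind_check "$TMP/nsswitch.before"   # → missing winbind: passwd group
nss_winbind_check "$TMP/nsswitch.after"    # → ok
pam_bad_lines "$TMP/pam_samba"             # → 4:SAMBA WINBIND authentication
```

Point the two functions at /etc/nsswitch.conf and /etc/pam.d/samba on the real host to run the same checks there.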
 
Old 07-20-2004, 08:05 AM   #3
irishb3
LQ Newbie
 
Registered: Aug 2001
Posts: 6

Original Poster
I restored the krb5.conf to the default that came with the install and I am still able to access my shares. Was Kerberos only needed when I joined the Linux Samba server to the domain via "net ads join"?


It seems as though Kerberos is no longer needed once the system is joined to the domain.
 