Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
View Poll Results: Did this help you?
Yes , I'm on my way.
3
30.00%
Pointed me in the right direction
5
50.00%
No it didn't help or did not relate to my problem.
This document covers my adventures and pain in the integrating my Suse 9.X as a client and as a server in a Microsoft AD / Domain env. I decided to post this document to hopefully save others the pain. Feedback is welcome..
Suse 9.0 Window Active Directory / Domain How-to:
Purpose: This document will guide the setup of Suse 9.0 to support unified login as well as file and directory permission compatibility with in a Microsoft windows domain or active directory environment. And finally samba server setup..
Software and disclaimer:
This document was intended for Suse Linux 9.0 running samba-2.2.8a-107 only. Though there are common settings that can carry over to other Linux distributions this is what this document was written for. The pam structure differs the most between different Linux distribution's, documentation for redHat and Mandrake can be found on the web. Since this document was written the hard way through trial and error using bits and pieces of documentation found through books and on the web it may have faults that I am unaware of.
Packages used in the creation of this document:
pam_smb-1.1.6-528
samba-2.2.8a-107
Windows Structure:
Below I will define a fictional network, the network will consist of two machines the first listed is the domain controller running windows and the second machine will be our Linux workstation the domain name is also listed. The domain controller will also serve as the password server for the domain. Before you get started be aware that you must have a domain administrator account to put your Linux client in the domain.
Windows Side:
DomainMaster.MyCompany.com
Domain Name: MyCompany.com
Linux Side:
my-linux.MyCompany.com
DNS:
Before you get to far make sure that you have DNS name resolution to your domain controller from your Linux client, you should be able to ping it using the full domain name. (Note do not try to ping it by short name Linux is not using wins). If you cannot ping it then add the name to your hosts file located in the /etc directory.
Samba Configuration files:
1. From the console login as root using the su command.
Example:
# su
2. Change to the /etc/samba directory and make a backup of your smb.conf file.
Example:
# cp smb.conf smb.org
3. Edit the smb.conf global section, the following example uses MYCOMPANY as the domain and the domain controller is DomainMaster.MYCOMPANY.com. Substitute to suit your own network. Most of these lines will already be in your smb.conf file for the items that are not add them, for the lines that are different, change them. (note, you can add more then one password server just leave a space between the entries.)
[global]
workgroup = MYCOMPANY
os level = 2
time server = Yes
unix extensions = Yes
encrypt passwords = Yes
map to guest = Bad User
printing = CUPS
printcap name = CUPS
password server = DomainMaster.MYCOMPANY.com
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
wins support = No
veto files = /*.eml/*.nwd/riched20.dll/*.{*}/
security = domain
netbios name = my-Linux
4. Next we will setup the winbind section of the file , add these parms after the global section.
#Use PAM's password change control flag for Samba. If enables,
#then PAM will be used for password changes when requested by
#an SMB client instead of the program listed in the passwd program.
#It should be possible to enable this without changing your passwd
#chat parameter for most setups.
Pam password change = yes
5. Save the smb.conf file and close it, next run the testparm command to test the smb.conf file for syntax errors. If you have errors go back and fix them and then re-run testparm.
Example:
# testparm smb.conf
NSSWICH configuration:
1. Backup your nsswitch.conf file (note that I use the .org which stands for original, I will go back later and make copies of the working files as .bak)
Example:
# cp nsswitch.conf nsswitch.org
2. After your nsswitch.conf open it and add winbind to the end of the passwd: and group: lines at the beginning of the line. Then save and close the file when you are finished.
3. After you are finished editing the nsswitch.conf file run ldconfig to activate the changes.
Example:
# /sbin/ldconfig
Samba Service:
From the console cd over to the etc/rc.d directory , this is where you can view , change or modify your systems services, in the next few steps we will setup these services to ensure they start every time and then we will also start them.
1. From the console use the chkconfig script to see if smb and winbind services are on. We are looking for these services to be on for runlevels 3 and 5.
Example:
# chkconfig --list smb
2. If the services are not already set to on for runlevels 3 and 5 turn them on using the chkconfig
Example: (turn on smb and winbind:)
# chkconfig smb on
# chkconfig winbind on
3. Next we will have to disable the nscd service which interferes with the proper functioning of winbind.
Example:
#chkconfig nscd off
4. Now turn off the nscd service:
Example:
#./nscd stop
5. We are now ready to start smb and winbind, if it is running already restart them:
Example: (note that the two lines are separate commands)
Example:
#./smb start
#./winbind start
Join the Domain:
Joining the domain requires that you have name resolution to your password server (PDC) and an administrative account that can move machines into the domain. We will first create the domain account and then we will test winbind and local system accounts and groups to ensure they are both pulling the correct information.
1. From the console as root join the domain the syntax format is explained below:
DOMAIN = the name of your domain (upper case)
PDC = Full name of your PDC server ServerName.Domain.com
user_name = The domain username with admin privileges
2. We will now test winbind to ensure we can pull user and group into from the domain. Users should show up as DOMAIN+USER when the results are returned.
Example: (get users)
# wbinfo -u
Example: (get groups)
# wbinfo -g
Example: (tests connection)
# wbinfo -t
3. Next test the Linux system password, by changing the nsswitch.conf file the system should now see domain resources along with the local Linux machine accounts (note sometimes this command takes a long time to return)
Example: (list of users)
# getent passwd
Example: (list groups)
#getent group
PAM configuration:
(WARNING!!! DO EDIT ANY PAM FILES BEFORE BACKING THEM UP, DO NOT REBOOT UNTIL YOU HAVE TESTED YOUR CHANGES, NOT DOING SO CAN LOCK YOU OUT OF YOUR SYSTEM!!!!)
Were almost finished, the pam configuration is the last major component to configure. In this section we will setup the pam files to allow login to the system and we will also setup the base home directory. It would be wise to create a boot disk at this point, the installation CD can also serve as a point of rescue as well just make note of your hard devices listed in your fstab file, trying to find this info later can be hard if you are locked out of your system.
1. The first step will be to backup the pam files we will be working with, in this document there are only three files that will be edited. The pam files are stored in the etc/pam.d , you should be logged on as root, backup the following files, login, samba, and xdm
2. Edit the login file to add your winbind info below is an example of the file I created, remember the order of the lines matters, pam reads the file from the top down allowing you to go on to the next line only if the credentials supplied are good to pass the current line. Lines using pam_winbind.so and pam_mkhomedir.so were added.
Remember in the samba file we specified, template homedir = /home/%D/%U this means that we will have to create the %D (domain) directory and the %U (user) will be created automatically when the user logs on.
Example: (change MyDomain to the name of your domain.)
# cd /home
# mkdir MyDomain
# chmod 777 MyDomain
So now when a user logs in MyDomain+FRED the samba script will put the user in
/home/MyDomain/ and will automatically create FRED's home directory.
Testing PAM Settings:
The following steps are required before you move on if you are not able to perform all the steps below you must correct your pam configuration files so you can. If you get stuck on any of the steps ensure you do not reboot your machine without restoring your original pam files.
Console Login Test:
1. Using Ctrl+ALT+F1 start a new console session we will use this as a back door for testing our PAM setting. At the login prompt test your login using the local root account.
2. After you have verified that you can login using the machines local accounts you can test a console login of a domain account, the username is specified as DOMAIN+USER.
X-windows Login Test:
If you successfully managed to login using both the local root account and a domain account the next step is to test X-windows.
1. From the same console session that you performed the previous tests login as root.
2. Using Ctrl+ALT+F1 change back to your windows session
3. Logout of the X-windows session and return to the login window. (note this will take a long time because the login will pull all the domain accounts to add to the list, don't worry about this now we will change the settings later)
4. Test the login using a local machine account then logout after login is compete.
5. Test domain login using username specified as
DOMAIN+USER
If all tests were good congratulation's, if your still “work in process” you can save your pam files with the work you have done to this point but remember to restore your originals if you intend to reboot.
X-window login box:
As you seen during the test, our login box pulled all the account names that exist on the domain, this should be fine for a small user base. If you have a large user base and do not wish to display all the user names you can disable this option from within yast2 under system administration ==> login manager , select the users tab and change the show users to “none” .
Changing File and folder ownership from the console:
Changing ownership of files and folders isn't to different from what you would normally do from a console only now you have to specify the user using the domain scheme of DOMAIN+USER, below is an example.
Example:
# chown DOMAIN+USER filename
Part II Server Setup in a Domain Environment:
After you have completed the client install and verified everything is working you can setup the server side. The goal is to setup your Linux machine to support the identical scheme for directories and file permissions and shares as a Microsoft server would. To do this your linux machine must have the following configuration or software installed.
-ACL kernel support (using ext2 or ext3 “rieser filesystem”), by default Suse 9 has this option enabled in the kernel. The ACL option will have to be enabled though on the volume you wish to export your Samba shares.
-The above client setup must be enabled in order for Samba to successfully use the domain as a back end for file and folder permissions.
-If not already installed install the acl tools package to allow acl manipulation and querying from the linux side, at the time of this document the current package is acl-2.2.15-23
ALC support:
By default ACL support is already built into the Suse 9.X kernel , as long as your using a filesystem that supports ACL we are in good shape (ext2 and ext3). To enable ACL we will simply edit our /etc/fstab file and add the ACL option to the mount command of the volume where we will be exporting our Samba shares.
1. Using the console login as root using the su command, cd to the /etc directory and make a backup of your fstab file.
Example:
# cp fstab fstab.bak
2. Next edit your fstab and add the acl option towards the end of the file.
Example:
Before:
/def/hda1 / reiserfs defaults, 1 1
After:
/def/hda1 / reiserfs defaults,acl 1 1
3. Save the fstab file and reboot the machine, if you have any problems it more then likely you using a filesystem that does not support ACL.
Samba Configuration:
The samba configuration will take place in two parts, we will first setup our shares on the the linux side and then we will change ownership of the shares to our Microsoft domain accounts from there to setup permissions and access to the shares. You can later adjust the default permission and creation modes on the samba side if you don't like how I have them here but for the sake of sanity use the default setting I use first.
1. Create the directories you would like to use for your Samba exports, after you have created them run a chmod and then chown to your domain account you will be using later to setup the permissions on the domain side.
2. Next create a backup of your working smb.conf file then edit it. For your shares using the following format, repeat the format for each share you wish to export.
3. After you have setup your shares save the smb.conf file and restart both your smb and winbind services located in /etc/rc.d directory.
Example:
# ./smb restart
#./winbind restart
4. From your windows machine (WINNT, WIN2K , or XP) map to your shares using the account you gave ownership to on the Linux side. Once your mapped you can right click on the share itself to define the share defaults for file creation and default permissions. Individual folders can be manipulated as you would normally. Use a few accounts to connect as different users to test your stetting and ensure it works as you intend it to.
ACL from the Linux Side:
A standard ls or dir command will not show you the ACL info from the linux side , you can use the getfacl and the setfacl command to query or manipulate ACL information from the console.
If you are using Suse 9 and want to try to configure it through a GUI, Yast also works great. I would definately say that if you are trying to learn through CMI it will benefit you more when it comes to learning.
Raynet11, if you have a chance, send me an email. I have a question to ask you about using this post on another site.
to get Samba running on my SuSE8 Standard Server box. here are my package details:
Samba: 2.2.5-107
Pam: 1.1.6-372
SuSE Ver: SuSE8 Standard Server (I have a stock standard SuSE8 installation on my server)
I used your document line for line and it worked. I had some problems joining the domain - but I changed my smbconf PDC server order (placed local BDC before the PDC which is at a remote site) and everything started working once I joined the domain from the SuSE command line with the smbpasswd command. I found the connection test useful to see if I really have the authentication fixed. Initially the secrets password came up bad.
Other than that everything worked straight up.
Many, many thanks for a well written document that saved me many hours of struggling. I hope you can, using my feedback to update your documentation to state that this setup also works on a stock standard SuSE 8 Standard Server installation. All the packages I used are the standard SuSE 8 Standard Server installation versions of the Samba and Pam modules.
Dont mistake your WindowsNT domain 'JAYWAVE' with a TCP/IP based DNS domain 'jay.com'. That is a mistake I see some of the new techies make here were I work.
but is this affect the way to join the NT domain by doing
smbpasswd -j XX -r XX- U xx
i hav the prob that...when i do this command...it said "Joined domain xx"
but when i do wbinfo -t ...it said can't check the secret....
wbinfo -u....shows error:can't look up the domain
Yes - I had the same problem. Do the following to try and resolve:
- In your SMB.conf file ensure the BDC or PDC listed first is on your network segment. (This is my solution - may not be validated by SAMBA team however)
- run SMBCLIENT and remove your PC from your NT domain JAYWAVE
- Ensure that your Linux box is not on the domain in Server Manager on NT
- Now wait a few minutes (also can right click PDC and click replicate changes in Server Manager).
- Now join the domain from Linux client using Administrator user ID and password.
- Check secrets file to ensure it is good.
If this does not work then I will have to get miore specific. I had the same problem as you and i summed it up that my machine was not seeing the domain as it was located over a very busy network link.
Hope this helps - remeber that the removing and adding a client to the NT domain may take time to kick into effect as the changes take time to replicate around the domain.
thanks for ur information*which may not be validated...lol*
i change the netbios name in smb.conf.... =)
so the PC name will not exists in the domain JAYWAVE ( no need to wait)
then i do the join commmand again....it said "Joined JAYWAVE"
but when i do wbinfo -t..... pissed off :could not check secret...
Quote:
my machine was not seeing the domain as it was located over a very busy network link.
how i know if it is bz or not...but i think should be working fine...nt very very bz network i presume
might good to go to something specific...heheh
*tell u the story...actually i able to get wbinfo -t work fine 1 days ago, but not the wbinfo -u or -g but for some reasons...i think i didn't change anything particular....then from yesterday it couldn't work anymore....but jst mentioned "JOined domain"
do u do it by logging it as root or created user... b4 u do #su?
any idea how to solve this..=(
I do everything from SMBCLIENT util from the root login console. I usually remove the Linux client/server in the NT server manager. I must admit there is a weird kinda cool logging into the mighty Linux using my Windows NT account details and password. If you remove the user using server manager - then login to Linux as root and do the same there using SMBCLIENT util.
Also - I had trouble logging other users in on their first login - I had to manually create their:
/home/MY-DOMAIN-NAME/LOGIN-ID
folders. I create the folder from the root account and chmod the permissions with the user who I am trying to login as. It seems the standard user account of a non-root user cannot make the required folders at the time user first logs in - I am sure this is user rights based. I plan to create a Perl script to do this automatically.
Sounds to me like you may have a locked or innaccesible Secrets file....???...
I would not try this stuff from a non-root account.
Note I am not on an Active Directory domain and my Samba version is the default SuSE 8.0 Standard Server version. We have a good old fashioned NT domain here. Although our PDC is located on the other side of a busy link - it is pretty much avaliable.
ok i get the sambaclient...i hav tried that last time, but not work...but now got some modification...so may giv it a try again....but there is a box" get samba information with linux authentication" ...i think i will tick it for the try rite??/
I delete the pc name from the domain
I couldn't do it in the sambaclient...it jst dun allow me to join....
so i do the smbpasswd again....then i go back to the domain to check ....the name is created...tat means it is joined to domian....
but teh prob is the wbinfo -t or -u ...they are not working....st wat tat's mean
i think is the winbind could look at the domain...rite?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Thanks
hosts b4 join domain
hi
pissed off :could not check secret...
