<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter&nbsp;7.&nbsp;Adding Domain Member Servers and Clients</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part&nbsp;II.&nbsp;Domain Members, Updating Samba and Migration"><link rel="prev" href="DMSMig.html" title="Part&nbsp;II.&nbsp;Domain Members, Updating Samba and Migration"><link rel="next" href="upgrades.html" title="Chapter&nbsp;8.&nbsp;Updating Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;Adding Domain Member Servers and Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a>&nbsp;</td><th width="60%" align="center">Part&nbsp;II.&nbsp;Domain Members, Updating Samba and Migration</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="upgrades.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unixclients"></a>Chapter&nbsp;7.&nbsp;Adding Domain Member Servers and Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unixclients.html#id2589228">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2589282">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2589317">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2589345">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2589994">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2590094">Implementation</a></span></dt><dd><dl><dt><span 
class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2596343">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2596918">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2596972">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2589130"></a><a class="indexterm" name="id2589137"></a> Over the past two years the most frequently discussed Samba subjects have been domain control and printing. It is well known that Samba is a file and print server. A survey conducted by <span class="emphasis"><em>Open Magazine</em></span> found that 97 percent of respondents use Samba for file and print services and 68 percent use Samba for domain control. See the <a class="ulink" href="http://www.open-mag.com/cgi-bin/opencgi/surveys/survey.cgi?survey_name=samba" target="_top">Open-Mag</a> Web site for current information. The survey results as found on January 14, 2004, are shown in <a class="link" href="unixclients.html#ch09openmag" title="Figure&nbsp;7.1.&nbsp;Open Magazine Samba Survey">“Open Magazine Samba Survey”</a>. 
</p><div class="figure"><a name="ch09openmag"></a><p class="title"><b>Figure&nbsp;7.1.&nbsp;Open Magazine Samba Survey</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/openmag.png" width="324" alt="Open Magazine Samba Survey"></div></div></div><br class="figure-break"><p> While domain control is an exciting subject, basic file and print sharing remains the staple bread-and-butter function that Samba provides. Yet this book may give the appearance of having focused too much on the more exciting aspects of Samba deployment. This chapter provides the information you need to add Samba servers to your existing Windows network, whatever technology controls that network. So let's get back to our good friends at Abmas. </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2589228"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2589234"></a><a class="indexterm" name="id2589242"></a> Looking back over the achievements of the past year or two, daily events at Abmas are rather straightforward, with few distractions or problems. Your team is doing well, but a number of employees are asking for Linux desktop systems. Your network has grown and demands additional domain member servers. Let's get on with this; Christine and Stan are ready to go. </p><p><a class="indexterm" name="id2589263"></a> Stan is firmly in control of the department of the future, while Christine is enjoying a stable and predictable network environment. It is time to add more servers and to add Linux desktops. It is time to meet the demands of future growth and endure trial by fire. 
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2589282"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id2589288"></a> You must now add UNIX/Linux domain member servers to your network. You have a friend who runs a Windows 2003 Active Directory domain network, wants to add a Samba/Linux server, and has asked Christine to help him out. Your real objective is to help Christine see more of the way the Microsoft world lives and to use her help to validate that Samba really does live up to expectations. </p><p> Over the past 6 months, you have hired several new staff who want Linux on their desktops. You must integrate these systems to make sure that Abmas is not building islands of technology. You ask Christine to do likewise at Swodniw Biz NL (your friend's company) to help them evaluate a Linux desktop. You want to make the right decision, don't you? </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2589317"></a>Dissection and Discussion</h2></div></div></div><p> <a class="indexterm" name="id2589325"></a> Recent Samba mailing-list activity shows how many sites are using winbind. Some have no trouble at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning an inability to achieve identical user and group IDs between Windows and UNIX environments. </p><p> You provide step-by-step implementations of the various tools that can be used for identity resolution. You also provide working examples of solutions for integrated authentication for both UNIX/Linux and Windows environments. 
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2589345"></a>Technical Issues</h3></div></div></div><p> One of the great challenges we face when people ask us, “<span class="quote">What is the best way to solve this problem?</span>” is to get beyond the facts so that we not only comprehend the immediate technical problem clearly but also understand how needs may change. </p><p> <a class="indexterm" name="id2589364"></a> There are a few facts to note when dealing with the question of how best to integrate UNIX/Linux clients and servers into a Windows networking environment: </p><div class="itemizedlist"><ul type="disc"><li><p> <a class="indexterm" name="id2589380"></a> <a class="indexterm" name="id2589387"></a> <a class="indexterm" name="id2589394"></a> <a class="indexterm" name="id2589403"></a> <a class="indexterm" name="id2589410"></a> A domain controller (PDC or BDC) is always authoritative for all accounts in its domain. This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs to the same values that the PDC resolves them to. </p></li><li><p> <a class="indexterm" name="id2589425"></a> <a class="indexterm" name="id2589432"></a> <a class="indexterm" name="id2589444"></a> <a class="indexterm" name="id2589451"></a> A domain member can be authoritative for local accounts, but it is never authoritative for domain accounts. If a user is accessing a domain member server and that user's account is not known locally, the domain member server must resolve the identity of that user from the domain in which the account resides. It must then map that identity to a UID/GID pair that it can use locally. This is handled by <code class="literal">winbindd</code>. 
</p></li><li><p> Samba, when running on a domain member server, can resolve user identities from a number of sources: </p><div class="itemizedlist"><ul type="circle"><li><p> <a class="indexterm" name="id2589483"></a> <a class="indexterm" name="id2589490"></a> <a class="indexterm" name="id2589497"></a> <a class="indexterm" name="id2589503"></a> <a class="indexterm" name="id2589510"></a> By executing a system <code class="literal">getpwnam()</code> or <code class="literal">getgrnam()</code> call. On systems that support it, this uses the name service switch (NSS) facility to resolve names according to the configuration of the <code class="filename">/etc/nsswitch.conf</code> file. NSS can be configured to use LDAP, winbind, NIS, or local files. </p></li><li><p> <a class="indexterm" name="id2589543"></a> <a class="indexterm" name="id2589550"></a> <a class="indexterm" name="id2589557"></a> Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured). This requires the PADL nss_ldap tool (or an equivalent). </p></li><li><p> <a class="indexterm" name="id2589571"></a> <a class="indexterm" name="id2589578"></a> <a class="indexterm" name="id2589584"></a> <a class="indexterm" name="id2589591"></a> Directly by querying <code class="literal">winbindd</code>. The <code class="literal">winbindd</code> daemon contacts a domain controller to resolve the identity of the user or group. It receives the Windows networking security identifier (SID) for that account, allocates a local UID or GID from the range of available IDs, and creates an entry in its <code class="filename">winbindd_idmap.tdb</code> and <code class="filename">winbindd_cache.tdb</code> files. 
</p><p> <a class="indexterm" name="id2589631"></a> <a class="indexterm" name="id2589638"></a> If the parameter <a class="link" href="smb.conf.5.html#IDMAPBACKEND" target="_top">idmap backend = ldap:ldap://myserver.domain</a> has been specified and the LDAP server has been configured with a container in which to store the IDMAP entries, all domain members may share a common mapping. </p></li></ul></div><p> Irrespective of how <code class="filename">smb.conf</code> is configured, winbind creates and caches a local copy of the ID mapping database. It uses the <code class="filename">winbindd_idmap.tdb</code> and <code class="filename">winbindd_cache.tdb</code> files to do this. </p><p> Which of the resolver methods is chosen is determined by the way Samba is configured in the <code class="filename">smb.conf</code> file. Some of the configuration options are rather less than obvious to the casual user. </p></li><li><p> <a class="indexterm" name="id2589703"></a> <a class="indexterm" name="id2589710"></a> <a class="indexterm" name="id2589720"></a> If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable of being resolved using) the NSS facility, you can set <a class="link" href="smb.conf.5.html#WINBINDTRUSTEDDOMAINSONLY" target="_top">winbind trusted domains only = Yes</a> in the <code class="filename">smb.conf</code> file. This parameter applies to domain controllers and to domain member servers alike. </p></li></ul></div><p> <a class="indexterm" name="id2589755"></a> <a class="indexterm" name="id2589762"></a> <a class="indexterm" name="id2589769"></a> For many administrators, it should be plain that an LDAP-based repository for all network accounts (both POSIX accounts and Samba accounts) provides the most elegant and controllable facility. 
You will eventually appreciate the decision to use LDAP. </p><p> <a class="indexterm" name="id2589784"></a> <a class="indexterm" name="id2589790"></a> <a class="indexterm" name="id2589797"></a> If your network account information resides in an LDAP repository, you should use it ahead of any alternative method. This means that if it is humanly possible to use the <code class="literal">nss_ldap</code> tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides a more readily controllable method for asserting exactly the same user and group identifiers throughout the network. </p><p> <a class="indexterm" name="id2589820"></a> <a class="indexterm" name="id2589829"></a> <a class="indexterm" name="id2589836"></a> <a class="indexterm" name="id2589843"></a> <a class="indexterm" name="id2589850"></a> <a class="indexterm" name="id2589857"></a> Where UNIX accounts are held on the domain member server itself, the only effective way to use them involves the <code class="filename">smb.conf</code> entry <a class="link" href="smb.conf.5.html#WINBINDTRUSTEDDOMAINSONLY" target="_top">winbind trusted domains only = Yes</a>. This forces Samba (<code class="literal">smbd</code>) to perform a <code class="literal">getpwnam()</code> system call, which can then be controlled via the <code class="filename">/etc/nsswitch.conf</code> file settings. The use of this parameter disables the use of Samba with trusted domains (i.e., external domains). </p><p> <a class="indexterm" name="id2589908"></a> <a class="indexterm" name="id2589915"></a> <a class="indexterm" name="id2589924"></a> <a class="indexterm" name="id2589931"></a> Winbind can be used to create an appliance mode domain member server. 
In this capacity, <code class="literal">winbindd</code> is configured to automatically allocate UIDs/GIDs from numeric ranges set in the <code class="filename">smb.conf</code> file. The allocation is made for all accounts that connect to that domain member server, whether from its own domain or from trusted domains. If the mappings are not stored in an LDAP backend, each domain member maintains its own unique mapping database. This means that it is almost certain that a given user who accesses two domain member servers does not have the same UID/GID on both servers; this is transparent to the Windows network user, but it matters as soon as files are moved between the servers with UNIX tools, because ownership follows the numeric IDs. This data is stored in the <code class="filename">winbindd_idmap.tdb</code> and <code class="filename">winbindd_cache.tdb</code> files. </p><p> <a class="indexterm" name="id2589979"></a> The use of an LDAP backend for the Winbind IDMAP facility permits the mappings of Windows domain SIDs to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member servers so configured. This solves one of the major headaches for network administrators who need to copy files between network file servers. </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2589994"></a>Political Issues</h3></div></div></div><p> <a class="indexterm" name="id2590002"></a> <a class="indexterm" name="id2590009"></a> <a class="indexterm" name="id2590015"></a> <a class="indexterm" name="id2590024"></a> One of the fiercest conflicts being waged recently is resistance to the adoption of LDAP, in particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP is different and requires a new approach to the need for a better identity management solution. The more you work with LDAP, the more its power and flexibility emerge from its dark, cavernous chasm. 
</p><p> LDAP is a most suitable solution for heterogeneous environments. If you need crypto, add Kerberos. The reason these are preferable is that they are heterogeneous. Windows solutions of this sort are <span class="emphasis"><em>not</em></span> heterogeneous by design. This is fundamental; it isn't religious or political. This also doesn't say that you can't use Windows Active Directory in a heterogeneous environment; it can be done, it just requires commercial integration products. But it's not what Active Directory was designed for. </p><p> <a class="indexterm" name="id2590063"></a> <a class="indexterm" name="id2590069"></a> A number of long-term UNIX devotees have recently commented in various communications that the Samba Team is the first application group to almost force network administrators to use LDAP. It should be pointed out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total organizational directory needs. </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2590094"></a>Implementation</h2></div></div></div><p> <a class="indexterm" name="id2590102"></a> <a class="indexterm" name="id2590112"></a> <a class="indexterm" name="id2590121"></a> The domain member server and the domain member client are the focus of this chapter. Configuration of a Samba-3 domain controller is covered in earlier chapters, so if your interest is in domain controller configuration, you will not find that here. You will find the good oil that helps you add domain member servers and clients. 
</p><p> <a class="indexterm" name="id2590137"></a> In practice, domain member servers and domain member workstations are very different entities, but in terms of technology they share similar core infrastructure. A technologist would argue that servers and workstations are identical. Many users would argue otherwise, given that in a well-disciplined environment a workstation (client) is a device from which a user creates documents and files that are located on servers. A workstation is frequently viewed as a disposable (easy to replace) item, but a server is viewed as a core component of the business. </p><p> <a class="indexterm" name="id2590159"></a> We can look at this another way. If a workstation breaks down, one user is affected, but if a server breaks down, hundreds of users may not be able to work. The services that a workstation must provide are document- and file-production oriented; a server provides information storage and is distribution oriented. </p><p> <a class="indexterm" name="id2590175"></a> <a class="indexterm" name="id2590182"></a> <a class="indexterm" name="id2590189"></a> <span class="emphasis"><em>Why is this important?</em></span> For starters, we must identify which components of the operating system and its environment must be configured. It is also necessary to recognize where the interdependencies between the various services lie. In particular, it is important to understand the operation of each critical part of the authentication process, the logon process, and how user identities get resolved and applied within the operating system and the applications (like Samba) that depend on this and may actually contribute to it. </p><p> So, in this chapter we demonstrate how to implement the technology. It is done within the context of the type of service that must be provided. 
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sdcsdmldap"></a>Samba Domain with Samba Domain Member Server Using NSS LDAP</h3></div></div></div><p> <a class="indexterm" name="id2590230"></a> <a class="indexterm" name="id2590236"></a> <a class="indexterm" name="id2590243"></a> <a class="indexterm" name="id2590250"></a> <a class="indexterm" name="id2590259"></a> <a class="indexterm" name="id2590266"></a> In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using an LDAP ldapsam backend. We are adding to the LDAP backend database (directory) containers for use by the IDMAP facility. This makes it possible to have a globally consistent mapping of SIDs to and from UIDs and GIDs, and it means that <code class="literal">winbindd</code> must be run as part of your configuration. The primary purpose of running <code class="literal">winbindd</code> (within this operational context) is to permit mapping of foreign SIDs (those not originating from the local Samba server). Foreign SIDs can come from any domain member client or server, or from Windows clients that do not belong to a domain. Another way to explain the necessity to run <code class="literal">winbindd</code> is that Samba can locally resolve only accounts that belong to the security context of its own machine SID. Winbind handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated from the ranges set in the <code class="filename">smb.conf</code> file by the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> parameters. Where LDAP is used, the mappings can be stored in LDAP so that all domain member servers can use a consistent mapping. 
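One practical check follows directly from this: the idmap uid and idmap gid ranges must not overlap the UIDs and GIDs that NSS already resolves (local files or the LDAP POSIX accounts), because winbind allocates from the range without consulting the passwd database, and a foreign SID mapped onto an existing account's UID would inherit that account's files. The shell script below is an added example, not code from this book or from the Samba project: the smb.conf fragment, passwd lines and group lines it parses are constructed for the illustration, and the function names are its own. On a real member server you would feed it the actual smb.conf and the output of getent passwd and getent group.

```shell
#!/bin/sh
# Added example (not from "Samba-3 by Example" or the Samba project).
# Checks that the "idmap uid"/"idmap gid" ranges in smb.conf are disjoint
# from the UIDs and GIDs that NSS already resolves, so that an ID winbind
# hands out for a foreign SID can never coincide with an existing account.
# All input below is constructed sample data; on a real member server use
# the real smb.conf and the output of `getent passwd` / `getent group`.

SAMPLE_SMBCONF='[global]
   workgroup = MEGANET2
   security = domain
   idmap uid = 1000-20000
   idmap gid = 1000-20000'

SAMPLE_PASSWD='root:x:0:512:Netbios Domain Administrator:/root:/bin/false
bobj:x:1000:513:Robert Jordan:/home/bobj:/bin/bash
stans:x:1001:513:Stanley Soroka:/home/stans:/bin/bash
bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false'

SAMPLE_GROUP='Domain Admins:x:512:root
Domain Users:x:513:bobj,stans
Accounts:x:1000:'

# idmap_range SMBCONF_TEXT uid|gid
# Prints "LOW HIGH" for the matching idmap parameter, or nothing if unset.
idmap_range() {
    printf '%s\n' "$1" | awk -F= -v key="idmap $2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); sub(/-/, " ", v); print v; exit }'
}

# idmap_collisions SMBCONF_TEXT PASSWD_TEXT GROUP_TEXT
# Prints "uid NAME ID" / "gid NAME ID" for every existing account or group
# whose numeric ID lies inside the corresponding idmap range.
idmap_collisions() {
    _uid_range=$(idmap_range "$1" uid)
    _gid_range=$(idmap_range "$1" gid)
    printf '%s\n' "$2" | awk -F: -v r="$_uid_range" '
        BEGIN { n = split(r, b, " ") }
        n == 2 && $3 >= b[1]+0 && $3 <= b[2]+0 { print "uid", $1, $3 }'
    printf '%s\n' "$3" | awk -F: -v r="$_gid_range" '
        BEGIN { n = split(r, b, " ") }
        n == 2 && $3 >= b[1]+0 && $3 <= b[2]+0 { print "gid", $1, $3 }'
}

# next_free_id PASSWD_TEXT GROUP_TEXT
# One above the highest UID or GID currently in use (including the primary
# GID column of passwd), a safe lower bound for a non-overlapping range.
next_free_id() {
    { printf '%s\n' "$1"; printf '%s\n' "$2"; } | awk -F: '
        $3+0 > max { max = $3+0 }
        $4+0 > max { max = $4+0 }
        END { print max + 1 }'
}

idmap_collisions "$SAMPLE_SMBCONF" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
echo "lowest ID safe for the idmap ranges: $(next_free_id "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
```

With the sample data the script lists bobj, stans and the bldg1$ machine account as UID collisions and the Accounts group as a GID collision; the next_free_id value is only a lower bound, so leave headroom above it and rerun the check whenever accounts are created outside the directory.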
</p><p> <a class="indexterm" name="id2590336"></a> <a class="indexterm" name="id2590343"></a> <a class="indexterm" name="id2590350"></a> If your installation is accessed only from clients that are members of your own domain, and all user accounts are present in a local passdb backend, then it is not necessary to run <code class="literal">winbindd</code>. The local passdb backend can be smbpasswd, tdbsam, or ldapsam. </p><p> It is possible to use a local passdb backend with any convenient means of resolving the POSIX user and group account information. The POSIX information is usually obtained using the <code class="literal">getpwnam()</code> system call. On NSS-enabled systems, the actual POSIX account source can be: </p><div class="itemizedlist"><ul type="disc"><li><p> <a class="indexterm" name="id2590387"></a> <a class="indexterm" name="id2590394"></a> Accounts in <code class="filename">/etc/passwd</code> or in <code class="filename">/etc/group</code>. </p></li><li><p> <a class="indexterm" name="id2590417"></a> <a class="indexterm" name="id2590424"></a> <a class="indexterm" name="id2590430"></a> <a class="indexterm" name="id2590437"></a> <a class="indexterm" name="id2590444"></a> <a class="indexterm" name="id2590450"></a> <a class="indexterm" name="id2590457"></a> <a class="indexterm" name="id2590464"></a> <a class="indexterm" name="id2590471"></a> Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs via multiple methods. 
The methods typically include <code class="literal">files</code>, <code class="literal">compat</code>, <code class="literal">db</code>, <code class="literal">ldap</code>, <code class="literal">nis</code>, <code class="literal">nisplus</code>, and <code class="literal">hesiod</code>. When correctly installed, Samba adds the <code class="literal">winbind</code> facility to this list. The ldap facility is frequently the nss_ldap tool provided by PADL Software. </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> To avoid confusion, the term <code class="literal">local passdb backend</code> means that the user account backend is not shared by any other Samba server; instead, it is used only locally on the Samba domain member server under discussion. </p></div><p> <a class="indexterm" name="id2590550"></a> The diagram in <a class="link" href="unixclients.html#ch9-sambadc" title="Figure&nbsp;7.2.&nbsp;Samba Domain: Samba Member Server">“Samba Domain: Samba Member Server”</a> shows the relationship of the Samba and system components involved in the identity resolution process where Samba is used as a domain member server within a Samba domain control network. </p><div class="figure"><a name="ch9-sambadc"></a><p class="title"><b>Figure&nbsp;7.2.&nbsp;Samba Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-SambaDC.png" width="324" alt="Samba Domain: Samba Member Server"></div></div></div><br class="figure-break"><p> <a class="indexterm" name="id2590612"></a> <a class="indexterm" name="id2590619"></a> In this example configuration, Samba will directly search the LDAP-based passdb backend ldapsam to obtain authentication and user identity information. 
The IDMAP information is stored in the LDAP backend so that it can be shared by all domain member servers, giving every user a consistent UID and GID across all of them. The IDMAP facility will be used for all foreign domains (i.e., those whose SID differs from that of the domain the server is a member of). The configuration of NSS will ensure that all UNIX processes obtain a consistent UID/GID. </p><p> The instructions given here apply to the Samba environment shown in <a class="link" href="happy.html" title="Chapter&nbsp;5.&nbsp;Making Happy Users">“Making Happy Users”</a> and <a class="link" href="net2000users.html" title="Chapter&nbsp;6.&nbsp;A Distributed 2000-User Network">“A Distributed 2000-User Network”</a>. If the network does not have an LDAP slave server (i.e., the <a class="link" href="happy.html" title="Chapter&nbsp;5.&nbsp;Making Happy Users">“Making Happy Users”</a> configuration), change the target LDAP server from <code class="constant">lapdc</code> to <code class="constant">massive</code>. </p><div class="procedure"><a name="id2590668"></a><p class="title"><b>Procedure&nbsp;7.1.&nbsp;Configuration of NSS_LDAP-Based Identity Resolution</b></p><ol type="1"><li><p> Create the <code class="filename">smb.conf</code> file as shown in <a class="link" href="unixclients.html#ch9-sdmsdc" title="Example&nbsp;7.1.&nbsp;Samba Domain Member in Samba Domain Using LDAP smb.conf File">“Samba Domain Member in Samba Domain Using LDAP smb.conf File”</a>. Locate this file in the directory <code class="filename">/etc/samba</code>. </p></li><li><p> <a class="indexterm" name="id2590706"></a> Configure the file that will be used by <code class="constant">nss_ldap</code> to locate and communicate with the LDAP server. This file is called <code class="filename">ldap.conf</code>. 
If your implementation of <code class="constant">nss_ldap</code> is consistent with the defaults suggested by PADL (the authors), it will be located in the <code class="filename">/etc</code> directory. On some systems a file of the same name also exists in the <code class="filename">/etc/openldap</code> directory; that file is intended for the OpenLDAP client utilities and should not be used for nss_ldap, whose <code class="filename">ldap.conf</code> has its own content and structure serving the specific purpose of resolving user and group IDs via NSS. </p><p> Change the parameters inside the file that is located on your OS so that it matches <a class="link" href="unixclients.html#ch9-sdmlcnf" title="Example&nbsp;7.3.&nbsp;Configuration File for NSS LDAP Support /etc/ldap.conf">“Configuration File for NSS LDAP Support /etc/ldap.conf”</a>. To find the location that the library will actually use, execute the following: </p><pre class="screen">
<code class="prompt">root# </code> strings /lib/libnss_ldap* | grep ldap.conf
/etc/ldap.conf
</pre><p> </p></li><li><p> Configure the NSS control file so that it matches the one shown in <a class="link" href="unixclients.html#ch9-sdmnss" title="Example&nbsp;7.4.&nbsp;NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">“NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf”</a>. </p></li><li><p> <a class="indexterm" name="id2590794"></a> <a class="indexterm" name="id2590800"></a> Before proceeding to configure Samba, validate the operation of the NSS identity resolution via LDAP by executing: </p><pre class="screen">
<code class="prompt">root# </code> getent passwd
...
root:x:0:512:Netbios Domain Administrator:/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
bobj:x:1000:513:Robert Jordan:/home/bobj:/bin/bash
stans:x:1001:513:Stanley Soroka:/home/stans:/bin/bash
chrisr:x:1002:513:Christine Roberson:/home/chrisr:/bin/bash
maryv:x:1003:513:Mary Vortexis:/home/maryv:/bin/bash
jht:x:1004:513:John H Terpstra:/home/jht:/bin/bash
bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
temptation$:x:1009:553:temptation$:/dev/null:/bin/false
vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
fran$:x:1008:553:fran$:/dev/null:/bin/false
josephj:x:1007:513:Joseph James:/home/josephj:/bin/bash
</pre><p> Note the location of the users' home directories. First, make certain that the home directories exist on the domain member server; otherwise, the home directory share is not available. The home directories could be mounted off a domain controller using NFS or by any other suitable means. Second, the absence of the domain name in the home directory path indicates that identity resolution is not being done via winbind. </p><pre class="screen">
<code class="prompt">root# </code> getent group
...
Domain Admins:x:512:root,jht
Domain Users:x:513:bobj,stans,chrisr,maryv,jht,josephj
Domain Guests:x:514:
Accounts:x:1000:
Finances:x:1001:
PIOps:x:1002:
sammy:x:4321:
</pre><p> <a class="indexterm" name="id2590865"></a> <a class="indexterm" name="id2590872"></a> <a class="indexterm" name="id2590878"></a> This shows that all is working as it should. Notice that in the LDAP database the users' primary and secondary group memberships are identical. It is not necessary to add secondary group memberships (in the group database) if the user is already a member via primary group membership in the password database. 
When using winbind, it is in fact undesirable to do this, because it results in doubling up of group memberships and may cause problems with winbind under certain conditions. It is intended that these limitations with winbind will be resolved soon after Samba-3.0.20 has been released. </p></li><li><p> <a class="indexterm" name="id2590902"></a> The LDAP directory must have a container object for IDMAP data. There are several ways you can check that your LDAP database is able to receive IDMAP information. One of the simplest is to execute: </p><pre class="screen">
<code class="prompt">root# </code> slapcat | grep -i idmap
dn: ou=Idmap,dc=abmas,dc=biz
ou: idmap
</pre><p> <a class="indexterm" name="id2590925"></a> If the execution of this command does not return IDMAP entries, you need to create an LDIF template file (see <a class="link" href="unixclients.html#ch9-ldifadd" title="Example&nbsp;7.2.&nbsp;LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">“LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF”</a>). You can add the required entries using the following command: </p><pre class="screen">
<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
        -w not24get < /etc/openldap/idmap.LDIF
</pre><p> Note that a password given with <code class="literal">-w</code> is visible to every user on the host in the process list; <code class="literal">-W</code> prompts for it instead. </p></li><li><p> Samba automatically populates the LDAP directory container when it needs to. To permit Samba write access to the LDAP directory, it is necessary to set the LDAP administrative password in the <code class="filename">secrets.tdb</code> file as shown here: </p><pre class="screen">
<code class="prompt">root# </code> smbpasswd -w not24get
</pre><p> </p></li><li><p> <a class="indexterm" name="id2590989"></a> <a class="indexterm" name="id2591000"></a> The system is ready to join the domain. 
Execute the following:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc join -U root%not24get
Joined domain MEGANET2.
</pre><p>
This indicates that the domain join succeeded.
</p><p>
Failure to join the domain could be caused by any number of variables. The most common
causes of failure to join are:
</p><div class="itemizedlist"><ul type="disc"><li><p>Broken resolution of NetBIOS names to the respective IP address.</p></li><li><p>Incorrect username and password credentials.</p></li><li><p>The NT4 <em class="parameter"><code>restrict anonymous</code></em> setting is set to exclude anonymous
connections.</p></li></ul></div><p>
The connection setup can be diagnosed by executing:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc join -S 'pdc-name' -U administrator%password -d 5
</pre><p>
<a class="indexterm" name="id2591072"></a>
<a class="indexterm" name="id2591079"></a>
<a class="indexterm" name="id2591086"></a>
<a class="indexterm" name="id2591093"></a>
Note: Use "root" for UNIX/Linux and Samba; use "Administrator" for Windows NT4/200X. If the cause of
the failure appears to be a rejected or failed NT_SESSION_SETUP* or an error message that
says NT_STATUS_ACCESS_DENIED, immediately check the Windows registry setting that controls the
<code class="constant">restrict anonymous</code> setting. Set this to the value 0 so that an anonymous connection
can be sustained, then try again.
</p><p>
It is possible (perhaps even recommended) to use the following to validate the ability to connect
to an NT4 PDC/BDC:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc info -S 'pdc-name' -U Administrator%not24get
Domain Name: MEGANET2
Domain SID: S-1-5-21-422319763-4138913805-7168186429
Sequence number: 1519909596
Num users: 7003
Num domain groups: 821
Num local groups: 8

<code class="prompt">root# </code> net rpc testjoin -S 'pdc-name' -U Administrator%not24get
Join to 'MEGANET2' is OK
</pre><p>
If for any reason the following response is obtained to the last command above, it is time to
call in the Networking Super-Snooper task force (i.e., start debugging):
</p><pre class="screen">
NT_STATUS_ACCESS_DENIED
Join to 'MEGANET2' failed.
</pre></li><li><p>
<a class="indexterm" name="id2591154"></a>
Just joining the domain is not quite enough; you must now provide a privileged set
of credentials through which <code class="literal">winbindd</code> can interact with the
domain servers. Execute the following to implant the necessary credentials:
</p><pre class="screen">
<code class="prompt">root# </code> wbinfo --set-auth-user=Administrator%not24get
</pre><p>
The configuration is now ready to obtain the Samba domain user and group information.
</p></li><li><p>
You may now start Samba in the usual manner, and your Samba domain member server
is ready for use. Just add shares as required.
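As an added check (example code, not from the book), the following script parses the output of the getent passwd and getent group commands shown in this procedure and flags the conditions this chapter warns about: two different names on one UID (which the Note in the next section says breaks winbind), users who are both primary and secondary members of the same group, and home paths without the domain name (the sign that resolution is not going through winbind). The sample listings are constructed from the output on this page, with one deliberately wrong Administrator entry added.

```python
"""Identity-resolution sanity checks for a Samba domain member server.

Added example, not code from Samba-3 by Example. It parses the output of
``getent passwd`` and ``getent group`` (the format shown on this page) and
reports what the chapter tells you to look for: two different account names
on one UID (this breaks winbind), users listed as secondary members of their
own primary group (redundant; under winbind it doubles up memberships), and
home paths without the domain name (resolution is not going through winbind).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


class GroupEntry(NamedTuple):
    name: str
    gid: int
    members: List[str]


def _lines(text: str) -> List[str]:
    # Drop blank lines and the "..." elision marker used in the page's listings.
    return [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "..."]


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse getent passwd output: name:pw:uid:gid:gecos:home:shell."""
    entries = []
    for ln in _lines(text):
        parts = ln.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {ln!r}")
        name, _pw, uid, gid, gecos, home, shell = parts
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_group(text: str) -> List[GroupEntry]:
    """Parse getent group output: name:pw:gid:member,member,..."""
    entries = []
    for ln in _lines(text):
        parts = ln.split(":")
        if len(parts) != 4:
            raise ValueError(f"malformed group line: {ln!r}")
        name, _pw, gid, members = parts
        entries.append(GroupEntry(name, int(gid), [m for m in members.split(",") if m]))
    return entries


def conflicting_uids(users: List[PasswdEntry]) -> Dict[int, List[str]]:
    """UIDs held by accounts with different names.

    The same name twice (root in /etc/passwd and root in the passdb) is fine;
    one UID under two names is the condition the chapter says breaks winbind.
    """
    names = defaultdict(set)
    for u in users:
        names[u.uid].add(u.name)
    return {uid: sorted(n) for uid, n in names.items() if len(n) > 1}


def redundant_memberships(users: List[PasswdEntry],
                          groups: List[GroupEntry]) -> List[Tuple[str, str]]:
    """(user, group) pairs where the user's primary group also lists it as a member."""
    by_gid = {g.gid: g for g in groups}
    return [(u.name, by_gid[u.gid].name) for u in users
            if u.gid in by_gid and u.name in by_gid[u.gid].members]


def homes_missing_domain(users: List[PasswdEntry], domain: str) -> List[str]:
    """User accounts whose home path lacks /<domain>/; machine accounts ('...$') are skipped."""
    marker = f"/{domain}/"
    return sorted({u.name for u in users
                   if not u.name.endswith("$") and marker not in u.home})


# Constructed sample: this page's NSS-LDAP listing (abridged) plus a local root
# entry and a deliberately wrong "Administrator" entry that also holds UID 0.
LDAP_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
root:x:0:512:Netbios Domain Administrator:/root:/bin/false
Administrator:x:0:512:Administrator:/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
bobj:x:1000:513:Robert Jordan:/home/bobj:/bin/bash
bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
"""
LDAP_GROUP = """\
Domain Admins:x:512:root,jht
Domain Users:x:513:bobj,stans,chrisr,maryv,jht,josephj
Domain Guests:x:514:
"""
# Constructed sample in the shape of this page's winbind listing.
WINBIND_PASSWD = """\
MEGANET2+root:x:10000:10001:NetBIOS Domain Admin:/home/MEGANET2/root:/bin/bash
MEGANET2+jht:x:10002:10001:John H Terpstra:/home/MEGANET2/jht:/bin/bash
"""
```

On a live server feed it the real command output, for example parse_passwd(subprocess.check_output(["getent", "passwd"], text=True)).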
</p></li></ol></div><div class="example"><a name="ch9-sdmsdc"></a><p class="title"><b>Example 7.1. Samba Domain Member in Samba Domain Using LDAP <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2591232"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2591244"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2591256"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2591267"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2591279"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id2591291"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2591302"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2591314"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2591326"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2591337"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2591350"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2591361"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2591373"></a><em class="parameter"><code>ldap suffix = 
dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2591385"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2591397"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2591409"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2591421"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2591433"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2591445"></a><em class="parameter"><code>idmap backend = ldap:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2591457"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2591469"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2591481"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2591493"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2591505"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2591525"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2591537"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2591549"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2591560"></a><em class="parameter"><code>browseable = 
No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2591581"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2591593"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2591604"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2591616"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2591628"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2591648"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2591660"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2591672"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2591684"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch9-ldifadd"></a><p class="title"><b>Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit
</pre></div></div><br class="example-break"><div class="example"><a name="ch9-sdmlcnf"></a><p class="title"><b>Example 7.3. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
URI ldap://massive.abmas.biz ldap://massive.abmas.biz:636
host 192.168.2.1
base dc=abmas,dc=biz
binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get

pam_password exop

nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group ou=Groups,dc=abmas,dc=biz?one
ssl no
</pre></div></div><br class="example-break"><div class="example"><a name="ch9-sdmnss"></a><p class="title"><b>Example 7.4. NSS using LDAP for Identity Resolution File: <code class="filename">/etc/nsswitch.conf</code></b></p><div class="example-contents"><pre class="screen">
passwd: files ldap
shadow: files ldap
group: files ldap

hosts: files dns wins
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files

bootparams: files
automount: files
aliases: files
</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="wdcsdm"></a>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</h3></div></div></div><p>
You need to use this method for creating a Samba domain member server if any of the following conditions
prevail:
</p><div class="itemizedlist"><ul type="disc"><li><p>
LDAP support (client) is not installed on the system.
</p></li><li><p>
There are mitigating circumstances forcing a decision not to use LDAP.
</p></li><li><p>
The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.
</p></li></ul></div><p>
<a class="indexterm" name="id2591815"></a>
<a class="indexterm" name="id2591821"></a>
<a class="indexterm" name="id2591828"></a>
Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain.
Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style
domain and/or does not use LDAP.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
<a class="indexterm" name="id2591844"></a>
If you use <code class="literal">winbind</code> for identity resolution, make sure that there are no
duplicate accounts.
</p><p>
<a class="indexterm" name="id2591861"></a>
For example, do not have more than one account that has UID=0 in the password database. If there
is an account called <code class="constant">root</code> in the <code class="filename">/etc/passwd</code> database,
it is okay to have an account called <code class="constant">root</code> in the LDAP ldapsam or in the
tdbsam. But if there are two accounts in the passdb backend that have the same UID, winbind will
break. This means that the <code class="constant">Administrator</code> account must be called
<code class="constant">root</code>.
</p><p>
<a class="indexterm" name="id2591898"></a>
<a class="indexterm" name="id2591904"></a>
<a class="indexterm" name="id2591911"></a>
Winbind will break if there is an account in <code class="filename">/etc/passwd</code> that has
the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
</p></div><p>
<a class="indexterm" name="id2591930"></a>
<a class="indexterm" name="id2591937"></a>
<a class="indexterm" name="id2591944"></a>
<a class="indexterm" name="id2591950"></a>
<a class="indexterm" name="id2591960"></a>
The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
The winbind information is locally cached in the <code class="filename">winbindd_cache.tdb</code> and <code class="filename">winbindd_idmap.tdb</code>
files. This provides considerable performance benefits compared with the LDAP solution, particularly
where the LDAP lookups must traverse WAN links.
You may examine the contents of these
files using the tool <code class="literal">tdbdump</code>, though you may have to build this from the Samba
source code if it has not been supplied as part of the binary package distribution you are using.
</p><div class="procedure"><a name="id2591989"></a><p class="title"><b>Procedure 7.2. Configuration of Winbind-Based Identity Resolution</b></p><ol type="1"><li><p>
Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
shown in <a class="link" href="unixclients.html#ch0-NT4DSDM" title="Example 7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain">“Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain”</a>.
</p></li><li><p>
<a class="indexterm" name="id2592021"></a>
Edit the <code class="filename">/etc/nsswitch.conf</code> so it has the entries shown in
<a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">“NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf”</a>.
</p></li><li><p>
<a class="indexterm" name="id2592047"></a>
The system is ready to join the domain. Execute the following:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc join -U root%not24get
Joined domain MEGANET2.
</pre><p>
This indicates that the domain join succeeded.
</p></li><li><p>
<a class="indexterm" name="id2592073"></a>
<a class="indexterm" name="id2592080"></a>
Validate operation of <code class="literal">winbind</code> using the <code class="literal">wbinfo</code>
tool as follows:
</p><pre class="screen">
<code class="prompt">root# </code> wbinfo -u
MEGANET2+root
MEGANET2+nobody
MEGANET2+jht
MEGANET2+maryv
MEGANET2+billr
MEGANET2+jelliott
MEGANET2+dbrady
MEGANET2+joeg
MEGANET2+balap
</pre><p>
This shows that domain users have been listed correctly.
</p><pre class="screen">
<code class="prompt">root# </code> wbinfo -g
MEGANET2+Domain Admins
MEGANET2+Domain Users
MEGANET2+Domain Guests
MEGANET2+Accounts
MEGANET2+Finances
MEGANET2+PIOps
</pre><p>
This shows that domain groups have been correctly obtained also.
</p></li><li><p>
<a class="indexterm" name="id2592136"></a>
<a class="indexterm" name="id2592143"></a>
<a class="indexterm" name="id2592150"></a>
The next step verifies that NSS is able to obtain this information
correctly from <code class="literal">winbind</code> also.
</p><pre class="screen">
<code class="prompt">root# </code> getent passwd
...
MEGANET2+root:x:10000:10001:NetBIOS Domain Admin:
        /home/MEGANET2/root:/bin/bash
MEGANET2+nobody:x:10001:10001:nobody:
        /home/MEGANET2/nobody:/bin/bash
MEGANET2+jht:x:10002:10001:John H Terpstra:
        /home/MEGANET2/jht:/bin/bash
MEGANET2+maryv:x:10003:10001:Mary Vortexis:
        /home/MEGANET2/maryv:/bin/bash
MEGANET2+billr:x:10004:10001:William Randalph:
        /home/MEGANET2/billr:/bin/bash
MEGANET2+jelliott:x:10005:10001:John G Elliott:
        /home/MEGANET2/jelliott:/bin/bash
MEGANET2+dbrady:x:10006:10001:Darren Brady:
        /home/MEGANET2/dbrady:/bin/bash
MEGANET2+joeg:x:10007:10001:Joe Green:
        /home/MEGANET2/joeg:/bin/bash
MEGANET2+balap:x:10008:10001:Bala Pillay:
        /home/MEGANET2/balap:/bin/bash
</pre><p>
The user account information has been correctly obtained. This information has
been merged with the winbind template information configured in the <code class="filename">smb.conf</code> file.
</p><pre class="screen">
<code class="prompt">root# </code> getent group
...
MEGANET2+Domain Admins:x:10000:MEGANET2+root,MEGANET2+jht
MEGANET2+Domain Users:x:10001:MEGANET2+jht,MEGANET2+maryv,\
        MEGANET2+billr,MEGANET2+jelliott,MEGANET2+dbrady,\
        MEGANET2+joeg,MEGANET2+balap
MEGANET2+Domain Guests:x:10002:MEGANET2+nobody
MEGANET2+Accounts:x:10003:
MEGANET2+Finances:x:10004:
MEGANET2+PIOps:x:10005:
</pre></li><li><p>
The Samba member server of a Windows NT4 domain is ready for use.
</p></li></ol></div><div class="example"><a name="ch0-NT4DSDM"></a><p class="title"><b>Example 7.5. Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2592261"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2592272"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2592284"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2592296"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2592308"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2592319"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592331"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2592343"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592354"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" 
name="id2592366"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2592378"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2592390"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2592402"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2592414"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2592425"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2592438"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2592449"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2592461"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2592473"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2592485"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2592506"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2592517"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2592529"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2592541"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em 
class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2592561"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2592573"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2592585"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2592596"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2592608"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2592628"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2592640"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2592652"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2592664"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="dcwonss"></a>NT4/Samba Domain with Samba Domain Member Server without NSS Support</h3></div></div></div><p>
No matter how many UNIX/Linux administrators believe that a UNIX operating
system without NSS and PAM support is outdated, the fact is that there
are still many such systems in use today. Samba can be used without NSS support, but this
does limit it to the use of local user and group accounts only.
</p><p>
The following steps may be followed to implement Samba with support for local accounts.
In this configuration Samba is made a domain member server.
All incoming connections
to the Samba server will cause the look-up of the incoming username. If the account
is found, it is used. If the account is not found, one will be automatically created
on the local machine so that it can then be used for all access controls.
</p><div class="procedure"><a name="id2592707"></a><p class="title"><b>Procedure 7.3. Configuration Using Local Accounts Only</b></p><ol type="1"><li><p>
Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
shown in <a class="link" href="unixclients.html#ch0-NT4DSCM" title="Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain">“Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain”</a>.
</p></li><li><p><a class="indexterm" name="id2592740"></a>
The system is ready to join the domain. Execute the following:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc join -U root%not24get
Joined domain MEGANET2.
</pre><p>
This indicates that the domain join succeeded.
</p></li><li><p>
Be sure to run all three Samba daemons: <code class="literal">smbd</code>, <code class="literal">nmbd</code>, <code class="literal">winbindd</code>.
</p></li><li><p>
The Samba member server of a Windows NT4 domain is ready for use.
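In this configuration the username that arrives with each connection decides which local account gets created, so the command named in add user script deserves a guard. The following wrapper is an added example (not from the book): it validates the name Samba substitutes for %u before calling useradd, and invokes useradd with an argument list rather than a shell command line. The install path /usr/local/sbin/samba-adduser and the smb.conf line that points at it are assumptions, and the script expects plain usernames as in the chapter's listings (no domain prefix).

```python
"""Guarded 'add user script' for the local-accounts configuration in Example 7.6.

Added example; not from Samba-3 by Example. Samba runs the configured
script with the incoming username substituted for %u whenever a domain
user without a local account connects. Rather than handing that name
straight to useradd, this wrapper validates it and then runs useradd with
an argv list, so the name never passes through a shell. Hypothetical
install path and smb.conf line (an assumption, not from the page):

    add user script = /usr/local/sbin/samba-adduser '%u'

It assumes plain usernames as in the chapter's listings (no domain prefix).
"""
import re
import subprocess
import sys
from typing import List, Optional

# Portable POSIX username: lowercase letter or '_' first, then letters,
# digits, '_' and '-', at most 32 characters, optional trailing '$'.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,30}\$?$")
# The chapter requires a single UID 0 account named root; never create or
# shadow these automatically.
RESERVED = frozenset({"root", "nobody"})
USERADD = "/usr/sbin/useradd"  # the path used in Example 7.6


def check_username(name: str) -> Optional[str]:
    """Return None if the name may become a local account, else the reason it may not."""
    if not USERNAME_RE.match(name):
        return "not a portable POSIX username"
    if name in RESERVED:
        return "reserved account name"
    if name.endswith("$"):
        return "machine trust accounts are created by 'add machine script'"
    return None


def useradd_argv(name: str) -> List[str]:
    """Build the useradd command as a list; -m creates the home directory."""
    return [USERADD, "-m", name]


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} USERNAME", file=sys.stderr)
        return 2
    name = argv[1]
    reason = check_username(name)
    if reason is not None:
        print(f"refusing to create {name!r}: {reason}", file=sys.stderr)
        return 1
    # shell=False (the default): no word splitting or metacharacter handling.
    return subprocess.run(useradd_argv(name), check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```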
</p></li></ol></div><div class="example"><a name="ch0-NT4DSCM"></a><p class="title"><b>Example 7.6. Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2592828"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2592840"></a><em class="parameter"><code>workgroup = MEGANET3</code></em></td></tr><tr><td><a class="indexterm" name="id2592852"></a><em class="parameter"><code>netbios name = BSDBOX</code></em></td></tr><tr><td><a class="indexterm" name="id2592864"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2592876"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2592888"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2592899"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592911"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2592923"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -M '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2592935"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2592947"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2592959"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592971"></a><em 
class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2592982"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2592994"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2593006"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2593018"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2593030"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2593042"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2593062"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2593074"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2593086"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2593097"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2593118"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2593130"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2593141"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2593153"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2593165"></a><em 
class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2593185"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2593197"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2593209"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2593221"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adssdm"></a>Active Directory Domain with Samba Domain Member Server</h3></div></div></div><p>
<a class="indexterm" name="id2593246"></a>
<a class="indexterm" name="id2593255"></a>
<a class="indexterm" name="id2593262"></a>
One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory
domain using Kerberos protocols. This makes it possible to operate an entire Windows network
without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An
exhaustively complete discussion of the protocols is not possible in this book; perhaps a
later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate
in. For now, we simply focus on how a Samba-3 server can be made a domain member server.
</p><p>
<a class="indexterm" name="id2593284"></a>
<a class="indexterm" name="id2593291"></a>
<a class="indexterm" name="id2593298"></a>
<a class="indexterm" name="id2593305"></a>
The diagram in <a class="link" href="unixclients.html#ch9-adsdc" title="Figure 7.3. Active Directory Domain: Samba Member Server">“Active Directory Domain: Samba Member Server”</a> demonstrates how Samba-3 interfaces with
Microsoft Active Directory components. It should be noted that if Microsoft Windows Services
for UNIX (SFU) has been installed and correctly configured, it is possible to use client LDAP
for identity resolution just as can be done with Samba-3 when using an LDAP passdb backend.
The UNIX tool that you need for this, as in the case of LDAP on UNIX/Linux, is the PADL
Software nss_ldap tool-set. Compared with use of winbind and Kerberos, the use of
LDAP-based identity resolution is a little less secure. In view of the fact that this solution
requires additional software to be installed on the Windows 200x ADS domain controllers,
and that means more management overhead, it is likely that most Samba-3 ADS client sites
may elect to use winbind.
</p><p>
Do not attempt to use this procedure if you are not 100 percent certain that the build of Samba-3
you are using has been compiled and linked with all the tools necessary for this to work.
Given the importance of this step, you must first validate that the Samba-3 message block
daemon (<code class="literal">smbd</code>) has the necessary features.
</p><p>
The hypothetical domain you are using in this example assumes that the Abmas London office
decided to take its own lead (some would say this is a typical behavior in a global
corporate world; besides, a little divergence and conflict makes for an interesting life).
The Windows Server 2003 ADS domain is called <code class="constant">london.abmas.biz</code> and the
name of the server is <code class="constant">W2K3S</code>. In ADS realm terms, the domain controller
is known as <code class="constant">w2k3s.london.abmas.biz</code>. In NetBIOS nomenclature, the
domain name is <code class="constant">LONDON</code> and the server name is <code class="constant">W2K3S</code>.
</p><div class="figure"><a name="ch9-adsdc"></a><p class="title"><b>Figure 7.3. Active Directory Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-ADSDC.png" width="324" alt="Active Directory Domain: Samba Member Server"></div></div></div><br class="figure-break"><div class="procedure"><a name="id2593418"></a><p class="title"><b>Procedure 7.4. Joining a Samba Server as an ADS Domain Member</b></p><ol type="1"><li><p>
<a class="indexterm" name="id2593430"></a>
Before you try to use Samba-3, you want to know for certain that your executables have
support for Kerberos and for LDAP. Execute the following to identify whether or
not this build is suitable for use:
</p><pre class="screen">
<code class="prompt">root# </code> cd /usr/sbin
<code class="prompt">root# </code> smbd -b | grep KRB
   HAVE_KRB5_H
   HAVE_ADDR_TYPE_IN_KRB5_ADDRESS
   HAVE_KRB5
   HAVE_KRB5_AUTH_CON_SETKEY
   HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES
   HAVE_KRB5_GET_PW_SALT
   HAVE_KRB5_KEYBLOCK_KEYVALUE
   HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
   HAVE_KRB5_MK_REQ_EXTENDED
   HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
   HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES
   HAVE_KRB5_STRING_TO_KEY
   HAVE_KRB5_STRING_TO_KEY_SALT
   HAVE_LIBKRB5
</pre><p>
This output was obtained on a SUSE Linux system and shows the output for
Samba that has been compiled and linked with the Heimdal Kerberos libraries.
The following is typical output found on a Red Hat Linux system that has been linked with the MIT Kerberos libraries:
</p><pre class="screen">
<code class="prompt">root# </code> cd /usr/sbin
<code class="prompt">root# </code> smbd -b | grep KRB
   HAVE_KRB5_H
   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
   HAVE_KRB5
   HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
   HAVE_KRB5_ENCRYPT_DATA
   HAVE_KRB5_FREE_DATA_CONTENTS
   HAVE_KRB5_FREE_KTYPES
   HAVE_KRB5_GET_PERMITTED_ENCTYPES
   HAVE_KRB5_KEYTAB_ENTRY_KEY
   HAVE_KRB5_LOCATE_KDC
   HAVE_KRB5_MK_REQ_EXTENDED
   HAVE_KRB5_PRINCIPAL2SALT
   HAVE_KRB5_PRINC_COMPONENT
   HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
   HAVE_KRB5_SET_REAL_TIME
   HAVE_KRB5_STRING_TO_KEY
   HAVE_KRB5_TKT_ENC_PART2
   HAVE_KRB5_USE_ENCTYPE
   HAVE_LIBGSSAPI_KRB5
   HAVE_LIBKRB5
</pre><p>
You can validate that Samba has been compiled and linked with LDAP support by executing:
</p><pre class="screen">
<code class="prompt">root# </code> smbd -b | grep LDAP
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_DOMAIN2HOSTLIST
   HAVE_LDAP_INIT
   HAVE_LDAP_INITIALIZE
   HAVE_LDAP_SET_REBIND_PROC
   HAVE_LIBLDAP
   LDAP_SET_REBIND_PROC_ARGS
</pre><p>
This does look promising; <code class="literal">smbd</code> has been built with Kerberos and LDAP support. You are relieved to know that it is safe to progress.
</p></li><li><p>
<a class="indexterm" name="id2593529"></a>
<a class="indexterm" name="id2593538"></a>
<a class="indexterm" name="id2593545"></a>
<a class="indexterm" name="id2593552"></a>
<a class="indexterm" name="id2593561"></a>
<a class="indexterm" name="id2593570"></a>
<a class="indexterm" name="id2593577"></a>
<a class="indexterm" name="id2593584"></a>
<a class="indexterm" name="id2593591"></a>
The next step is to identify which version of the Kerberos libraries has been used.
In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is essential that it has been linked with either MIT Kerberos version 1.3.1 or later, or with Heimdal Kerberos 0.6 plus specific patches. You may identify which version of the MIT Kerberos libraries is installed on your system by executing (on Red Hat Linux):
</p><pre class="screen">
<code class="prompt">root# </code> rpm -q krb5
</pre><p>
Or on SUSE Linux, execute:
</p><pre class="screen">
<code class="prompt">root# </code> rpm -q heimdal
</pre><p>
Please note that the RPMs provided by the Samba-Team are known to be working and have been validated. Red Hat Linux RPMs may be obtained from the Samba FTP sites. SUSE Linux RPMs may be obtained from <a class="ulink" href="ftp://ftp.sernet.de" target="_top">Sernet</a> in Germany.
</p><p>
From this point on, you are certain that the Samba-3 build you are using has the necessary capabilities. You can now configure Samba-3 and the NSS.
</p></li><li><p>
Using your favorite editor, configure the <code class="filename">smb.conf</code> file that is located in the <code class="filename">/etc/samba</code> directory so that it has the contents shown in <a class="link" href="unixclients.html#ch9-adssdm" title="Example 7.7. Samba Domain Member smb.conf File for Active Directory Membership">“Samba Domain Member smb.conf File for Active Directory Membership”</a>.
</p></li><li><p>
Edit or create the NSS control file so it has the contents shown in <a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">“NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf”</a>.
</p></li><li><p>
<a class="indexterm" name="id2593692"></a>
Delete the file <code class="filename">/etc/samba/secrets.tdb</code> if it exists.
Of course, you do keep a backup, don't you?
</p></li><li><p>
Delete the tdb files that cache Samba information. You keep a backup of the old files, of course. You also remove all the files to ensure that nothing can pollute your nice, new configuration. Execute the following (the example is for SUSE Linux):
</p><pre class="screen">
<code class="prompt">root# </code> rm /var/lib/samba/*tdb
</pre><p>
</p></li><li><p>
<a class="indexterm" name="id2593736"></a>
Validate your <code class="filename">smb.conf</code> file using <code class="literal">testparm</code> (as you have done previously). Correct all errors reported before proceeding. The command you execute is:
</p><pre class="screen">
<code class="prompt">root# </code> testparm -s | less
</pre><p>
Now that you are satisfied that your Samba server is ready to join the Windows ADS domain, let's move on.
</p></li><li><p>
<a class="indexterm" name="id2593778"></a>
<a class="indexterm" name="id2593789"></a>
This is a good time to double-check everything and then execute the following command when everything you have done has checked out okay:
</p><pre class="screen">
<code class="prompt">root# </code> net ads join -UAdministrator%not24get
Using short domain name -- LONDON
Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ'
</pre><p>
You have successfully made your Samba-3 server a member of the ADS domain using Kerberos protocols.
</p><p>
<a class="indexterm" name="id2593817"></a>
<a class="indexterm" name="id2593824"></a>
In the event that you receive no output messages, a silent return means that the domain join failed. You should use <code class="literal">ethereal</code> to identify what may be failing. Common causes of a failed join include:
</p><div class="itemizedlist"><ul type="disc"><li><p>
<a class="indexterm" name="id2593845"></a>
Defective or misconfigured DNS name resolution.
</p></li><li><p>
<a class="indexterm" name="id2593860"></a>
Restrictive security settings on the Windows 200x ADS domain controller preventing needed communications protocols. You can check this by searching the Windows Server 200x Event Viewer.
</p></li><li><p>
Incorrectly configured <code class="filename">smb.conf</code> file settings.
</p></li><li><p>
Lack of support for necessary Kerberos protocols because the version of MIT Kerberos (or Heimdal) in use is not recent enough to support the necessary functionality.
</p></li></ul></div><p>
<a class="indexterm" name="id2593891"></a>
<a class="indexterm" name="id2593902"></a>
<a class="indexterm" name="id2593909"></a>
In any case, never execute the <code class="literal">net rpc join</code> command in an attempt to join the Samba server to the domain, unless you do not wish to use the Kerberos security protocols. Use of the older RPC-based domain join facility requires that Windows Server 200x ADS has been configured appropriately for mixed mode operation.
</p></li><li><p>
<a class="indexterm" name="id2593934"></a>
<a class="indexterm" name="id2593941"></a>
If <code class="literal">tdbdump</code> is installed on your system (not essential), you can look inside the <code class="filename">/etc/samba/secrets.tdb</code> file.
If 868 you wish to do this, execute: 869</p><pre class="screen"> 870<code class="prompt">root# </code> tdbdump secrets.tdb 871{ 872key = "SECRETS/SID/LONDON" 873data = "\01\04\00\00\00\00\00\05\15\00\00\00\EBw\86\F1\ED\BD\ 874 F6{\5C6\E5W\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ 875 00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ 876 00\00\00\00\00\00\00\00" 877} 878{ 879key = "SECRETS/MACHINE_PASSWORD/LONDON" 880data = "le3Q5FPnN5.ueC\00" 881} 882{ 883key = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/LONDON" 884data = "\02\00\00\00" 885} 886{ 887key = "SECRETS/MACHINE_LAST_CHANGE_TIME/LONDON" 888data = "E\89\F6?" 889} 890</pre><p> 891 This is given to demonstrate to the skeptics that this process truly does work. 892 </p></li><li><p> 893 It is now time to start Samba in the usual way (as has been done many time before 894 in this book). 895 </p></li><li><p> 896 <a class="indexterm" name="id2593998"></a> 897 This is a good time to verify that everything is working. First, check that 898 winbind is able to obtain the list of users and groups from the ADS domain controller. 899 Execute the following: 900</p><pre class="screen"> 901<code class="prompt">root# </code> wbinfo -u 902LONDON+Administrator 903LONDON+Guest 904LONDON+SUPPORT_388945a0 905LONDON+krbtgt 906LONDON+jht 907</pre><p> 908 Good, the list of users was obtained. Now do likewise for group accounts: 909</p><pre class="screen"> 910<code class="prompt">root# </code> wbinfo -g 911LONDON+Domain Computers 912LONDON+Domain Controllers 913LONDON+Schema Admins 914LONDON+Enterprise Admins 915LONDON+Domain Admins 916LONDON+Domain Users 917LONDON+Domain Guests 918LONDON+Group Policy Creator Owners 919LONDON+DnsUpdateProxy 920</pre><p> 921 Excellent. That worked also, as expected. 922 </p></li><li><p><a class="indexterm" name="id2594044"></a> 923 Now repeat this via NSS to validate that full identity resolution is 924 functional as required. 
Execute:
</p><pre class="screen">
<code class="prompt">root# </code> getent passwd
...
LONDON+Administrator:x:10000:10000:Administrator:
        /home/LONDON/administrator:/bin/bash
LONDON+Guest:x:10001:10001:Guest:
        /home/LONDON/guest:/bin/bash
LONDON+SUPPORT_388945a0:x:10002:10000:SUPPORT_388945a0:
        /home/LONDON/support_388945a0:/bin/bash
LONDON+krbtgt:x:10003:10000:krbtgt:
        /home/LONDON/krbtgt:/bin/bash
LONDON+jht:x:10004:10000:John H. Terpstra:
        /home/LONDON/jht:/bin/bash
</pre><p>
Okay, ADS user accounts are being resolved. Now you try group resolution:
</p><pre class="screen">
<code class="prompt">root# </code> getent group
...
LONDON+Domain Computers:x:10002:
LONDON+Domain Controllers:x:10003:
LONDON+Schema Admins:x:10004:LONDON+Administrator
LONDON+Enterprise Admins:x:10005:LONDON+Administrator
LONDON+Domain Admins:x:10006:LONDON+jht,LONDON+Administrator
LONDON+Domain Users:x:10000:
LONDON+Domain Guests:x:10001:
LONDON+Group Policy Creator Owners:x:10007:LONDON+Administrator
LONDON+DnsUpdateProxy:x:10008:
</pre><p>
This is very pleasing. Everything works as expected.
</p></li><li><p>
<a class="indexterm" name="id2594102"></a>
<a class="indexterm" name="id2594113"></a>
<a class="indexterm" name="id2594122"></a>
You may now perform final verification that communications between Samba-3 winbind and the Active Directory server are using Kerberos protocols. Execute the following:
</p><pre class="screen">
<code class="prompt">root# </code> net ads info
LDAP server: 192.168.2.123
LDAP server name: w2k3s
Realm: LONDON.ABMAS.BIZ
Bind Path: dc=LONDON,dc=ABMAS,dc=BIZ
LDAP port: 389
Server time: Sat, 03 Jan 2004 02:44:44 GMT
KDC server: 192.168.2.123
Server time offset: 2
</pre><p>
It should be noted that Kerberos protocols are time-clock critical.
You should keep all server time clocks synchronized using the Network Time Protocol (NTP). In any case, the output we obtained confirms that all systems are operational.
</p></li><li><p>
<a class="indexterm" name="id2594158"></a>
There is one more action you elect to take, just because you are paranoid and disbelieving, so you execute the following command:
</p><pre class="programlisting">
<code class="prompt">root# </code> net ads status -UAdministrator%not24get
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: fran
distinguishedName: CN=fran,CN=Computers,DC=london,DC=abmas,DC=biz
instanceType: 4
whenCreated: 20040103092006.0Z
whenChanged: 20040103092006.0Z
uSNCreated: 28713
uSNChanged: 28717
name: fran
objectGUID: 58f89519-c467-49b9-acb0-f099d73696e
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 127175965783327936
localPolicyFlags: 0
pwdLastSet: 127175952062598496
primaryGroupID: 515
objectSid: S-1-5-21-4052121579-2079768045-1474639452-1109
accountExpires: 9223372036854775807
logonCount: 13
sAMAccountName: fran$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 3.0.20-SUSE
dNSHostName: fran
userPrincipalName: HOST/fran@LONDON.ABMAS.BIZ
servicePrincipalName: CIFS/fran.london.abmas.biz
servicePrincipalName: CIFS/fran
servicePrincipalName: HOST/fran.london.abmas.biz
servicePrincipalName: HOST/fran
objectCategory: CN=Computer,CN=Schema,CN=Configuration,
        DC=london,DC=abmas,DC=biz
isCriticalSystemObject: FALSE
-------------- Security Descriptor (revision: 1, type: 0x8c14)
owner SID: S-1-5-21-4052121579-2079768045-1474639452-512
group SID: S-1-5-21-4052121579-2079768045-1474639452-513
------- (system) ACL (revision: 4, size: 120, number of ACEs: 2)
------- ACE (type: 0x07, flags: 0x5a, size: 0x38,
        mask: 0x20, object flags: 0x3)
access SID: S-1-1-0
access type: AUDIT OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x07, flags: 0x5a, size: 0x38,
        mask: 0x20, object flags: 0x3)
access SID: S-1-1-0
access type: AUDIT OBJECT
Permissions:
        [Write All Properties]
------- (user) ACL (revision: 4, size: 1944, number of ACEs: 40)
------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
access SID: S-1-5-21-4052121579-2079768045-1474639452-512
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
access SID: S-1-5-32-548
...
------- ACE (type: 0x05, flags: 0x12, size: 0x38,
        mask: 0x10, object flags: 0x3)
access SID: S-1-5-9
access type: ALLOWED OBJECT
Permissions:
        [Read All Properties]
-------------- End Of Security Descriptor
</pre><p>
And now you have conclusive proof that your Samba-3 ADS domain member server called <code class="constant">FRAN</code> is able to communicate fully with the ADS domain controllers.
</p></li></ol></div><p>
Your Samba-3 ADS domain member server is ready for use. During training sessions, you may be asked what is inside the <code class="filename">winbindd_cache.tdb</code> and <code class="filename">winbindd_idmap.tdb</code> files.
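The build validation at the start of the procedure and the time-offset check at its end can both be scripted so that they are repeatable rather than eyeballed. The following shell script is an added example for this chapter's scenario; it is not part of the book and not Samba's own code. It assumes only the output formats shown in the listings above (the HAVE_* lines printed by smbd -b and the "Server time offset" line printed by net ads info) and a tolerance of 300 seconds, an assumption borrowed from the clockskew value the Heimdal krb5.conf later in this chapter sets. The sample outputs embedded in it are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the book or from Samba: checks a Samba-3 ADS member
# build and its post-join state from the text of "smbd -b" and "net ads info".
# Both functions read the command output on stdin so they work equally on live
# output and on the constructed samples below.

# Succeed only when the smbd build advertises both Kerberos and LDAP support.
# These four defines appear in every one of the book's sample listings,
# whether the build is linked against MIT or Heimdal Kerberos.
check_smbd_build() {
    build=$(cat)
    rc=0
    for sym in HAVE_KRB5 HAVE_LIBKRB5 HAVE_LDAP HAVE_LIBLDAP; do
        # -w: whole-word match, so HAVE_KRB5 does not match HAVE_KRB5_H
        if ! printf '%s\n' "$build" | grep -qw "$sym"; then
            echo "missing build feature: $sym" >&2
            rc=1
        fi
    done
    return $rc
}

# Print the "Server time offset" (seconds) from "net ads info" and succeed only
# when its magnitude is within LIMIT (default 300 s, an assumed tolerance equal
# to the Heimdal "clockskew = 300" setting shown later in this chapter).
# Kerberos rejects tickets once clocks drift beyond the KDC's skew limit, so a
# large offset here predicts authentication failures before users see them.
check_time_offset() {
    limit=${1:-300}
    offset=$(sed -n 's/^Server time offset:[[:space:]]*\(-\{0,1\}[0-9]\{1,\}\).*/\1/p')
    if [ -z "$offset" ]; then
        echo "no 'Server time offset' line in input" >&2
        return 1
    fi
    echo "$offset"
    [ "${offset#-}" -le "$limit" ]
}

# Constructed samples modelled on the book's listings (not captured output).
SAMPLE_BUILD_OK='   HAVE_KRB5_H
   HAVE_KRB5
   HAVE_LIBKRB5
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LIBLDAP'
SAMPLE_BUILD_NOLDAP='   HAVE_KRB5_H
   HAVE_KRB5
   HAVE_LIBKRB5'
SAMPLE_ADS_INFO='LDAP server: 192.168.2.123
LDAP server name: w2k3s
Realm: LONDON.ABMAS.BIZ
KDC server: 192.168.2.123
Server time offset: 2'

if [ "${1:-}" = "--live" ]; then
    # On a real member server: run the actual commands.
    smbd -b | check_smbd_build && echo "build: Kerberos and LDAP support present"
    net ads info | check_time_offset >/dev/null && echo "time offset: within tolerance"
else
    printf '%s\n' "$SAMPLE_BUILD_OK" | check_smbd_build && echo "sample build: OK"
    printf '%s\n' "$SAMPLE_BUILD_NOLDAP" | check_smbd_build || echo "sample build without LDAP: rejected"
    printf '%s\n' "$SAMPLE_ADS_INFO" | check_time_offset
fi
```

Run it without arguments to exercise the constructed samples, or with --live on the member server itself, where it pipes the real smbd -b and net ads info output through the same two checks.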
Since curiosity just took hold of you, execute the following:
</p><pre class="programlisting">
<code class="prompt">root# </code> tdbdump /var/lib/samba/winbindd_idmap.tdb
{
key = "S-1-5-21-4052121579-2079768045-1474639452-501\00"
data = "UID 10001\00"
}
{
key = "UID 10005\00"
data = "S-1-5-21-4052121579-2079768045-1474639452-1111\00"
}
{
key = "GID 10004\00"
data = "S-1-5-21-4052121579-2079768045-1474639452-518\00"
}
{
key = "S-1-5-21-4052121579-2079768045-1474639452-502\00"
data = "UID 10003\00"
}
...

<code class="prompt">root# </code> tdbdump /var/lib/samba/winbindd_cache.tdb
{
key = "UL/LONDON"
data = "\00\00\00\00bp\00\00\06\00\00\00\0DAdministrator\0D
        Administrator-S-1-5-21-4052121579-2079768045-1474639452-500-
        S-1-5-21-4052121579-2079768045-1474639452-513\05Guest\05
        Guest-S-1-5-21-4052121579-2079768045-1474639452-501-
        S-1-5-21-4052121579-2079768045-1474639452-514\10
        SUPPORT_388945a0\10SUPPORT_388945a0.
        S-1-5-21-4052121579-2079768045-1474639452-1001-
        S-1-5-21-4052121579-2079768045-1474639452-513\06krbtgt\06
        krbtgt-S-1-5-21-4052121579-2079768045-1474639452-502-
        S-1-5-21-4052121579-2079768045-1474639452-513\03jht\10
        John H. Terpstra.S-1-5-21-4052121579-2079768045-1474639452-1110-
        S-1-5-21-4052121579-2079768045-1474639452-513"
}
{
key = "GM/S-1-5-21-4052121579-2079768045-1474639452-512"
data = "\00\00\00\00bp\00\00\02\00\00\00.
        S-1-5-21-4052121579-2079768045-1474639452-1110\03
        jht\01\00\00\00-S-1-5-21-4052121579-2079768045-1474639452-500\0D
        Administrator\01\00\00\00"
}
{
key = "SN/S-1-5-21-4052121579-2079768045-1474639452-513"
data = "\00\00\00\00xp\00\00\02\00\00\00\0CDomain Users"
}
{
key = "GM/S-1-5-21-4052121579-2079768045-1474639452-518"
data = "\00\00\00\00bp\00\00\01\00\00\00-
        S-1-5-21-4052121579-2079768045-1474639452-500\0D
        Administrator\01\00\00\00"
}
{
key = "SEQNUM/LONDON\00"
data = "xp\00\00C\92\F6?"
}
{
key = "U/S-1-5-21-4052121579-2079768045-1474639452-1110"
data = "\00\00\00\00xp\00\00\03jht\10John H. Terpstra.
        S-1-5-21-4052121579-2079768045-1474639452-1110-
        S-1-5-21-4052121579-2079768045-1474639452-513"
}
{
key = "NS/S-1-5-21-4052121579-2079768045-1474639452-502"
data = "\00\00\00\00bp\00\00-
        S-1-5-21-4052121579-2079768045-1474639452-502"
}
{
key = "SN/S-1-5-21-4052121579-2079768045-1474639452-1001"
data = "\00\00\00\00bp\00\00\01\00\00\00\10SUPPORT_388945a0"
}
{
key = "SN/S-1-5-21-4052121579-2079768045-1474639452-500"
data = "\00\00\00\00bp\00\00\01\00\00\00\0DAdministrator"
}
{
key = "U/S-1-5-21-4052121579-2079768045-1474639452-502"
data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt-
        S-1-5-21-4052121579-2079768045-1474639452-502-
        S-1-5-21-4052121579-2079768045-1474639452-513"
}
....
</pre><p>
Now all is revealed. Your curiosity, as well as that of your team, has been put at ease. May this server serve well all who happen upon it.
</p><div class="example"><a name="ch9-adssdm"></a><p class="title"><b>Example 7.7. Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list">
<tr><td># Global parameters</td></tr>
<tr><td> </td></tr>
<tr><td><em class="parameter"><code>[global]</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594415"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594427"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594439"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594450"></a><em class="parameter"><code>server string = Samba 3.0.20</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594462"></a><em class="parameter"><code>security = ADS</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594474"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594486"></a><em class="parameter"><code>log level = 1</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594498"></a><em class="parameter"><code>syslog = 0</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594509"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594521"></a><em class="parameter"><code>max log size = 50</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594533"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594544"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594556"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr>
<tr><td><a class="indexterm"
name="id2594568"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2594580"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2594592"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2594604"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2594616"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2594636"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2594648"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2594659"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2594671"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2594692"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2594703"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2594715"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2594727"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2594738"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2594759"></a><em class="parameter"><code>comment 
= Printer Drivers</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594770"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594782"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594794"></a><em class="parameter"><code>write list = root</code></em></td></tr>
</table></div></div><br class="example-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2594807"></a>IDMAP_RID with Winbind</h4></div></div></div><p>
<a class="indexterm" name="id2594815"></a>
<a class="indexterm" name="id2594822"></a>
<a class="indexterm" name="id2594828"></a>
<a class="indexterm" name="id2594835"></a>
The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data in a central place. The downside is that it can be used only within a single ADS domain and is not compatible with trusted domain implementations.
</p><p>
<a class="indexterm" name="id2594859"></a>
<a class="indexterm" name="id2594865"></a>
<a class="indexterm" name="id2594872"></a>
<a class="indexterm" name="id2594879"></a>
This alternate method of SID to UID/GID mapping can be achieved with the idmap_rid plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the RID to a specified base value. This utility requires that the parameter “<span class="quote">allow trusted domains = No</span>” be specified, as it is not compatible with multiple domain environments.
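To make the arithmetic concrete, here is an added shell example; it is not the book's code and not Samba's idmap_rid module itself. It applies the rule the text describes: the UNIX ID is the RID added to the low end of the configured range, the same formula for UIDs and GIDs, and any result outside the range is rejected. The domain SID used below is constructed for illustration; the range 500-100000000 is the one the idmap_rid example configuration in this section uses.

```shell
#!/bin/sh
# Added example, not the book's code and not Samba's own idmap_rid module.
# Models the mapping the text describes: ID = RID + low end of the configured
# range, applied identically for UIDs and GIDs. Because every member server
# computes the same answer, no central IDMAP store is needed.

# rid_to_id SID RANGE  ->  prints the UNIX ID, fails if SID is not a domain
# account SID or the result falls outside RANGE (written LOW-HIGH, exactly as
# in "idmap backend = idmap_rid:KPAK=500-100000000").
rid_to_id() {
    sid=$1
    range=$2
    low=${range%-*}
    high=${range#*-}
    case "$sid" in
        S-1-5-21-*-*-*-*) ;;   # domain SID (three sub-authorities) plus a RID
        *) echo "not a domain account SID: $sid" >&2; return 1 ;;
    esac
    rid=${sid##*-}
    id=$((low + rid))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo "RID $rid maps to $id, outside range $range" >&2
        return 1
    fi
    echo "$id"
}

# The reverse direction is equally deterministic: id_to_rid ID RANGE prints
# the RID that a UNIX ID inside RANGE corresponds to.
id_to_rid() {
    id=$1
    range=$2
    low=${range%-*}
    high=${range#*-}
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo "ID $id is outside range $range" >&2
        return 1
    fi
    echo $((id - low))
}

# Constructed domain SID for illustration (not a real domain).
DOMAIN_SID=S-1-5-21-1111111111-2222222222-3333333333
RANGE=500-100000000

# Well-known RIDs: 500 is Administrator, 513 is Domain Users. With the range
# above they map to UID 1000 and GID 1013, which is what the
# "getent passwd administrator" line in this section's procedure shows.
rid_to_id "$DOMAIN_SID-500" "$RANGE"
rid_to_id "$DOMAIN_SID-513" "$RANGE"
id_to_rid 1013 "$RANGE"
```

Because the mapping is pure arithmetic, a RID above the top of the range can never be resolved, which is why the range must be sized for the largest RID the domain will ever issue rather than for the number of accounts it has today.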
The <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> ranges must be specified.
</p><p>
<a class="indexterm" name="id2594912"></a>
<a class="indexterm" name="id2594919"></a>
The idmap_rid facility can be used both for NT4/Samba-style domains and with Active Directory. To use this with an NT4 domain, the <em class="parameter"><code>realm</code></em> is not used. Additionally, the method used to join the domain is the <code class="constant">net rpc join</code> process.
</p><p>
An example <code class="filename">smb.conf</code> file for an ADS domain environment is shown in <a class="link" href="unixclients.html#sbe-idmapridex" title="Example 7.8. Example smb.conf File Using idmap_rid">“Example smb.conf File Using idmap_rid”</a>.
</p><div class="example"><a name="sbe-idmapridex"></a><p class="title"><b>Example 7.8. Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list">
<tr><td># Global parameters</td></tr>
<tr><td> </td></tr>
<tr><td><em class="parameter"><code>[global]</code></em></td></tr>
<tr><td><a class="indexterm" name="id2594993"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595005"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595016"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595028"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595040"></a><em class="parameter"><code>security = ADS</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595052"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr>
<tr><td><a
class="indexterm" name="id2595064"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595076"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595088"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595100"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595111"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595124"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595135"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595147"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595159"></a><em class="parameter"><code>printer admin = "KPAK\Domain Admins"</code></em></td></tr>
</table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2595175"></a>
<a class="indexterm" name="id2595182"></a>
<a class="indexterm" name="id2595188"></a>
<a class="indexterm" name="id2595195"></a>
In a large domain with many users, it is imperative to disable enumeration of users and groups. For example, at a site that has 22,000 users in Active Directory, the winbind-based user and group resolution is unavailable for nearly 12 minutes following the first start-up of <code class="literal">winbind</code>. Disabling such enumeration results in instantaneous response.
The disabling of user and group enumeration means that it will not be possible to list users or groups using the <code class="literal">getent passwd</code> and <code class="literal">getent group</code> commands. It will still be possible to perform the lookup for individual users, as shown in the procedure below.
</p><p>
<a class="indexterm" name="id2595234"></a>
<a class="indexterm" name="id2595241"></a>
The use of this tool requires configuration of NSS as per the native use of winbind. Edit <code class="filename">/etc/nsswitch.conf</code> so it has the following parameters:
</p><pre class="screen">
...
passwd: files winbind
shadow: files winbind
group: files winbind
...
hosts: files wins
...
</pre><p>
</p><p>
The following procedure can be used to utilize the idmap_rid facility:
</p><div class="procedure"><ol type="1"><li><p>
Create or install an <code class="filename">smb.conf</code> file with the above configuration.
</p></li><li><p>
Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
</p></li><li><p>
Execute:
</p><pre class="screen">
<code class="prompt">root# </code> net ads join -UAdministrator%password
Using short domain name -- KPAK
Joined 'BIGJOE' to realm 'CORP.KPAK.COM'
</pre><p>
</p><p>
<a class="indexterm" name="id2595322"></a>
An invalid or failed join can be detected by executing:
</p><pre class="screen">
<code class="prompt">root# </code> net ads testjoin
BIGJOE$@'s password:
[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: No results returned
Join to domain is not valid
</pre><p>
The specific error message may differ from the above because it depends on the type of failure that may have occurred.
Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the above test, and then examine the log files produced to identify the nature of the failure.
</p></li><li><p>
Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
</p></li><li><p>
Validate the operation of this configuration by executing:
<a class="indexterm" name="id2595389"></a>
</p><pre class="screen">
<code class="prompt">root# </code> getent passwd administrator
administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</pre><p>
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2595411"></a>IDMAP Storage in LDAP using Winbind</h4></div></div></div><p>
<a class="indexterm" name="id2595419"></a>
<a class="indexterm" name="id2595426"></a>
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on.
</p><p>
The example in <a class="link" href="unixclients.html#sbeunxa" title="Example 7.9. Typical ADS Style Domain smb.conf File">“Typical ADS Style Domain smb.conf File”</a> is for an ADS-style domain.
</p><div class="example"><a name="sbeunxa"></a><p class="title"><b>Example 7.9. Typical ADS Style Domain <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list">
<tr><td># Global parameters</td></tr>
<tr><td> </td></tr>
<tr><td><em class="parameter"><code>[global]</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595486"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595498"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595510"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595521"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595533"></a><em class="parameter"><code>security = ADS</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595545"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595557"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595569"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595581"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595593"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595605"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595617"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr>
<tr><td><a class="indexterm" name="id2595629"></a><em
class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2595641"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p> 1246 <a class="indexterm" name="id2595656"></a> 1247 In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the 1248 command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates 1249 advanced error reporting techniques that are documented in the chapter called "Reporting Bugs" in 1250 “<span class="quote">The Official Samba-3 HOWTO and Reference Guide, Second Edition</span>” (TOSHARG2). 1251 </p><p> 1252 <a class="indexterm" name="id2595687"></a> 1253 <a class="indexterm" name="id2595694"></a> 1254 <a class="indexterm" name="id2595701"></a> 1255 Where MIT kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code> 1256 file so it has the following contents: 1257</p><pre class="screen"> 1258[logging] 1259 default = FILE:/var/log/krb5libs.log 1260 kdc = FILE:/var/log/krb5kdc.log 1261 admin_server = FILE:/var/log/kadmind.log 1262 1263[libdefaults] 1264 default_realm = SNOWSHOW.COM 1265 dns_lookup_realm = false 1266 dns_lookup_kdc = true 1267 1268[appdefaults] 1269 pam = { 1270 debug = false 1271 ticket_lifetime = 36000 1272 renew_lifetime = 36000 1273 forwardable = true 1274 krb4_convert = false 1275 } 1276</pre><p> 1277 </p><p> 1278 Where Heimdal kerberos is installed, edit the <code class="filename">/etc/krb5.conf</code> 1279 file so it is either empty (i.e., no contents) or it has the following contents: 1280</p><pre class="screen"> 1281[libdefaults] 1282 default_realm = SNOWSHOW.COM 1283 clockskew = 300 1284 1285[realms] 1286 SNOWSHOW.COM = { 1287 kdc = ADSDC.SHOWSHOW.COM 1288 } 1289 1290[domain_realm] 1291 .snowshow.com = SNOWSHOW.COM 1292</pre><p> 1293 </p><div 
class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 1294 Samba cannot use the Heimdal libraries if there is no <code class="filename">/etc/krb5.conf</code> file. 1295 So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no 1296 need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically. 1297 </p></div><p> 1298 Edit the NSS control file <code class="filename">/etc/nsswitch.conf</code> so it has the following entries: 1299</p><pre class="screen"> 1300... 1301passwd: files ldap 1302shadow: files ldap 1303group: files ldap 1304... 1305hosts: files wins 1306... 1307</pre><p> 1308 </p><p> 1309 <a class="indexterm" name="id2595785"></a> 1310 <a class="indexterm" name="id2595792"></a> 1311 You will need the <a class="ulink" href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code> 1312 tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has 1313 the information needed. The following is an example of a working file: 1314</p><pre class="screen"> 1315host 192.168.2.1 1316base dc=snowshow,dc=com 1317binddn cn=Manager,dc=snowshow,dc=com 1318bindpw not24get 1319 1320pam_password exop 1321 1322nss_base_passwd ou=People,dc=snowshow,dc=com?one 1323nss_base_shadow ou=People,dc=snowshow,dc=com?one 1324nss_base_group ou=Groups,dc=snowshow,dc=com?one 1325ssl no 1326</pre><p> 1327 </p><p> 1328 The following procedure may be followed to affect a working configuration: 1329 </p><div class="procedure"><ol type="1"><li><p> 1330 Configure the <code class="filename">smb.conf</code> file as shown above. 1331 </p></li><li><p> 1332 Create the <code class="filename">/etc/krb5.conf</code> file following the indications above. 1333 </p></li><li><p> 1334 Configure the <code class="filename">/etc/nsswitch.conf</code> file as shown above. 
</p></li><li><p>
Download, build, and install the PADL nss_ldap tool set. Configure the <code class="filename">/etc/ldap.conf</code> file as shown above.
</p></li><li><p>
Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP as shown in the following LDIF file:
</p><pre class="screen">
dn: dc=snowshow,dc=com
objectClass: dcObject
objectClass: organization
dc: snowshow
o: The Greatest Snow Show in Singapore.
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=snowshow,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Idmap,dc=snowshow,dc=com
objectClass: organizationalUnit
ou: idmap
</pre><p>
</p></li><li><p>
Execute the command to join the Samba domain member server to the ADS domain as shown here:
</p><pre class="screen">
<code class="prompt">root# </code> net ads testjoin
Using short domain name -- SNOWSHOW
Joined 'GOODELF' to realm 'SNOWSHOW.COM'
</pre><p>
</p></li><li><p>
Store the LDAP server access password in the Samba <code class="filename">secrets.tdb</code> file as follows:
</p><pre class="screen">
<code class="prompt">root# </code> smbpasswd -w not24get
</pre><p>
</p></li><li><p>
Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
</p></li></ol></div><p>
<a class="indexterm" name="id2595993"></a>
Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join. In many cases a failure is indicated by a silent return to the command prompt with no indication of the reason for failure.
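Because a failed join or lookup so often returns silently, it pays to check the files configured above before starting the daemons. The script below is an added example (not code from the book or from Samba): it parses constructed copies of the <code class="filename">smb.conf</code> and <code class="filename">/etc/ldap.conf</code> fragments from this section, verifies that the LDAP idmap parameters are all present and that the <code class="literal">idmap uid</code>/<code class="literal">idmap gid</code> ranges do not collide with local accounts (the local passwd/group data is made up), and flags the clear-text <code class="literal">bindpw</code> and <code class="literal">ssl no</code> settings in <code class="filename">ldap.conf</code>.

```python
"""Pre-flight checks for the IDMAP-in-LDAP domain member setup above.
Added example, not code from the book or from Samba; the config fragments
and local account data below are constructed copies/samples."""

SMB_CONF = """\
[global]
        workgroup = SNOWSHOW
        netbios name = GOODELF
        realm = SNOWSHOW.COM
        security = ADS
        ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
        ldap idmap suffix = ou=Idmap
        ldap suffix = dc=SNOWSHOW,dc=COM
        idmap backend = ldap:ldap://ldap.snowshow.com
        idmap uid = 150000-550000
        idmap gid = 150000-550000
        winbind use default domain = Yes
"""

LDAP_CONF = """\
host 192.168.2.1
base dc=snowshow,dc=com
binddn cn=Manager,dc=snowshow,dc=com
bindpw not24get
nss_base_passwd ou=People,dc=snowshow,dc=com?one
ssl no
"""

# Constructed local accounts; 'administrator' mirrors the getent output above.
LOCAL_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                "administrator:x:1000:1013::/home/BE/administrator:/bin/bash\n")
LOCAL_GROUP = "root:x:0:\nusers:x:100:\nstaff:x:1013:\n"

def parse_smb_conf(text):
    """{section: {parameter: value}}; names lower-cased and space-normalised as Samba does."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def parse_keyword_file(text):
    """nss_ldap style 'keyword value' lines (/etc/ldap.conf)."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return out

def parse_range(spec):
    """'150000-550000' -> (150000, 550000); rejects reversed ranges."""
    lo, hi = (int(x) for x in spec.replace(" ", "").split("-", 1))
    if lo > hi:
        raise ValueError("reversed idmap range: %s" % spec)
    return lo, hi

def numeric_ids(text):
    """Third colon-separated field: the UID in passwd(5), the GID in group(5)."""
    return {int(line.split(":")[2]) for line in text.splitlines()
            if line.count(":") >= 2}

def check_member_config(smb_conf, ldap_conf, local_passwd, local_group):
    """Return a list of findings (an empty list means nothing to fix)."""
    findings = []
    g = parse_smb_conf(smb_conf).get("global", {})
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append("security = ADS requires a realm")
    if g.get("idmap backend", "").lower().startswith("ldap"):
        for p in ("ldap admin dn", "ldap idmap suffix", "ldap suffix"):
            if not g.get(p):
                findings.append("idmap backend = ldap:... requires %s" % p)
    for param, local_ids in (("idmap uid", numeric_ids(local_passwd)),
                             ("idmap gid", numeric_ids(local_group))):
        try:
            lo, hi = parse_range(g[param])
        except (KeyError, ValueError):
            findings.append("%s missing or malformed" % param)
            continue
        clash = sorted(i for i in local_ids if lo <= i <= hi)
        if clash:  # winbind would allocate ids that local accounts already own
            findings.append("%s range %d-%d overlaps local ids %s" % (param, lo, hi, clash))
    ldap = parse_keyword_file(ldap_conf)
    if "bindpw" in ldap:
        findings.append("bindpw: LDAP bind password is stored in clear text in ldap.conf")
    if ldap.get("ssl", "no").lower() == "no":
        findings.append("ssl no: bind password and lookups cross the network unencrypted")
    return findings
```

Running <code class="literal">check_member_config(SMB_CONF, LDAP_CONF, LOCAL_PASSWD, LOCAL_GROUP)</code> on the page's own fragments returns only the two <code class="filename">ldap.conf</code> findings; an <code class="literal">idmap uid</code> range that covers UID 1000 is reported as a clash.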
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596006"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h4></div></div></div><p>
<a class="indexterm" name="id2596015"></a>
<a class="indexterm" name="id2596022"></a>
The use of this method is messy. The information provided in this section is for guidance only and is very definitely not complete. This method does work; it is used in a number of large sites and has an acceptable level of performance.
</p><p>
An example <code class="filename">smb.conf</code> file is shown in <a class="link" href="unixclients.html#sbewinbindex" title="Example 7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File">“ADS Membership Using RFC2307bis Identity Resolution smb.conf File”</a>.
</p><div class="example"><a name="sbewinbindex"></a><p class="title"><b>Example 7.10. ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2596085"></a><em class="parameter"><code>workgroup = BUBBAH</code></em></td></tr><tr><td><a class="indexterm" name="id2596096"></a><em class="parameter"><code>netbios name = MADMAX</code></em></td></tr><tr><td><a class="indexterm" name="id2596108"></a><em class="parameter"><code>realm = BUBBAH.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2596120"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2596132"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2596143"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2596155"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2596167"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2596179"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2596191"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2596203"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2596218"></a>
The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the following:
</p><pre class="screen">
./configure --enable-rfc2307bis --enable-schema-mapping
make install
</pre><p>
</p><p>
<a class="indexterm" name="id2596239"></a>
The following <code class="filename">/etc/nsswitch.conf</code> file contents are required:
</p><pre class="screen">
...
passwd: files ldap
shadow: files ldap
group: files ldap
...
hosts: files wins
...
</pre><p>
</p><p>
<a class="indexterm" name="id2596263"></a>
<a class="indexterm" name="id2596270"></a>
The <code class="filename">/etc/ldap.conf</code> file must be configured also. Refer to the PADL documentation and source code for nss_ldap instructions.
</p><p>
The next step involves preparation of the ADS schema. This is briefly discussed in the remaining part of this chapter.
</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2596292"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h5></div></div></div><p>
<a class="indexterm" name="id2596301"></a>
Microsoft Windows Services for UNIX version 3.5 is available for free <a class="ulink" href="http://www.microsoft.com/windows/sfu/" target="_top">download</a> from the Microsoft Web site. You will need to download this tool and install it following Microsoft instructions.
</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2596321"></a>IDMAP, Active Directory, and AD4UNIX</h5></div></div></div><p>
Instructions for obtaining and installing the AD4UNIX tool set can be found on the <a class="ulink" href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top">Geekcomix</a> Web site.
</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596343"></a>UNIX/Linux Client Domain Member</h3></div></div></div><p><a class="indexterm" name="id2596350"></a>
So far this chapter has been mainly concerned with the provision of file and print services for domain member servers. However, an increasing number of UNIX/Linux workstations are being installed that do not act as file or print servers to anyone other than a single desktop user. The key demand for desktop systems is to be able to log onto any UNIX/Linux or Windows desktop using the same network user credentials.
</p><p><a class="indexterm" name="id2596369"></a>
The ability to use a common set of user credentials across a variety of network systems is generally regarded as a single sign-on (SSO) solution.
SSO systems are sold by a large number of vendors and include a range of technologies such as:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Proxy sign-on
</p></li><li><p>
Federated directory provisioning
</p></li><li><p>
Metadirectory server solutions
</p></li><li><p>
Replacement authentication systems
</p></li></ul></div><p><a class="indexterm" name="id2596411"></a>
There are really four solutions that provide integrated authentication and user identity management facilities:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Samba winbind (free). Samba-3.0.20 introduced a complete replacement for Winbind that now provides a greater level of scalability in large ADS environments.
</p></li><li><p>
<a class="ulink" href="http://www.padl.com" target="_top">PADL</a> PAM and LDAP tools (free).
</p></li><li><p>
<a class="ulink" href="http://www.vintela.com" target="_top">Vintela</a> Authentication Services (commercial).
</p></li><li><p>
<a class="ulink" href="http://www.centrify.com" target="_top">Centrify</a> DirectControl (commercial). Centrify's commercial product allows UNIX and Linux systems to use Active Directory security, directory, and policy services. Enhancements include a centralized ID mapping that allows Samba, DirectControl, and Active Directory to work together seamlessly.
</p></li></ul></div><p>
The following guidelines are pertinent to the deployment of winbind-based authentication and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops using Windows network domain user credentials (username and password).
</p><p>
You should note that it is possible to use LDAP-based PAM and NSS tools to permit distributed systems logons (SSO), providing user and group accounts are stored in an LDAP directory.
This provides logon services for UNIX/Linux users, while Windows users obtain their sign-on support via Samba-3.
</p><p>
<a class="indexterm" name="id2596490"></a>
On the other hand, if the authentication and identity resolution backend must be provided by a Windows NT4-style domain or by an Active Directory domain that does not have the Microsoft Windows Services for UNIX installed, winbind is your best friend. Specific guidance for these situations now follows.
</p><p>
<a class="indexterm" name="id2596508"></a>
<a class="indexterm" name="id2596514"></a>
<a class="indexterm" name="id2596521"></a>
To permit users to log on to a Linux system using Windows network credentials, you need to configure identity resolution (NSS) and PAM. This means that the basic steps include those outlined above with the addition of PAM configuration. Given that most workstations (desktop/client) usually do not need to provide file and print services to a group of users, the configuration of shares and printers is generally less important. Often this allows the share specifications to be entirely removed from the <code class="filename">smb.conf</code> file. That is obviously an administrator decision.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596544"></a>NT4 Domain Member</h4></div></div></div><p>
The following steps provide a Linux system that users can log onto using Windows NT4 (or Samba-3) domain network credentials:
</p><div class="procedure"><ol type="1"><li><p>
Follow the steps outlined in <a class="link" href="unixclients.html#wdcsdm" title="NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind">“NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind”</a> and ensure that all validation tests function as shown.
</p></li><li><p>
Identify what services users must log on to. On Red Hat Linux, if it is intended that the user shall be given access to all services, it may be most expeditious to simply configure the file <code class="filename">/etc/pam.d/system-auth</code>.
</p></li><li><p>
Carefully make a backup copy of all PAM configuration files before you begin making changes. If you break the PAM configuration, please note that you may need to use an emergency boot process to recover your Linux system. It is possible to break the ability to log into the system if PAM files are incorrectly configured. The entire directory <code class="filename">/etc/pam.d</code> should be backed up to a safe location.
</p></li><li><p>
If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code> file so it matches <a class="link" href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">“SUSE: PAM login Module Using Winbind”</a>.
</p></li><li><p>
To provide the ability to log onto the graphical desktop interface, you must edit the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the <code class="filename">/etc/pam.d</code> directory.
</p></li><li><p>
Edit only one file at a time. Carefully validate its operation before attempting to reboot the machine.
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596666"></a>ADS Domain Member</h4></div></div></div><p>
This procedure should be followed to permit a Linux network client (workstation/desktop) to allow users to log on using Microsoft Active Directory-based user credentials.
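Because a mistake in these PAM files can lock you out, it helps to reason about how the control flags in the stacks of Examples 7.11 and 7.13 combine before editing them. The simulator below is an added example (not code from the book or from Samba): it parses constructed copies of the two auth groups and applies Linux-PAM's control-flag rules to made-up local and domain accounts, showing that a <code class="literal">sufficient</code> module listed first short-circuits everything after it, and why Example 7.13 closes its auth group with <code class="literal">pam_deny.so</code>.

```python
"""Simulate how Linux-PAM evaluates the auth stacks in Examples 7.11 and 7.13.
Added example, not code from the book or from Samba. The stacks are constructed
copies of the page's auth groups; the accounts and passwords are made up.
The flag semantics follow Linux-PAM's pam_dispatch.c."""
import os

SUSE_LOGIN = """\
#%PAM-1.0
auth sufficient pam_unix2.so nullok
auth sufficient pam_winbind.so use_first_pass use_authtok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
account sufficient pam_unix2.so
"""

REDHAT_SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
password sufficient /lib/security/$ISA/pam_unix.so \\
    nullok use_authtok md5 shadow
"""

# Constructed accounts: one local UNIX user and one winbind-resolved domain user.
LOCAL_USERS = {"root": "local-secret"}
DOMAIN_USERS = {"administrator": "domain-secret"}

def parse_pam(text, group="auth"):
    """[(control, module)] for one management group; joins backslash continuations."""
    stack = []
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], os.path.basename(fields[2])))
    return stack

def module_result(module, user, password, nologin):
    """Simulated outcome of one module for this login attempt."""
    if module in ("pam_unix.so", "pam_unix2.so"):
        return LOCAL_USERS.get(user) == password
    if module == "pam_winbind.so":
        return DOMAIN_USERS.get(user) == password
    if module == "pam_deny.so":
        return False
    if module == "pam_nologin.so":      # /etc/nologin blocks everyone but root
        return user == "root" or not nologin
    return True   # pam_env, pam_mail, pam_securetty (secure tty assumed) ...

def evaluate(stack, user, password, nologin=False):
    """Return (authenticated, modules_consulted) under Linux-PAM flag rules."""
    impression = None   # None: undecided, True: positive, False: negative
    consulted = []
    for control, module in stack:
        ok = module_result(module, user, password, nologin)
        consulted.append(module)
        if ok:
            if impression is None:
                impression = True
            if control == "sufficient" and impression:
                return True, consulted      # success: the rest of the stack is skipped
        elif control in ("required", "requisite"):
            impression = False              # failure recorded; later modules still run
            if control == "requisite":
                return False, consulted
        # a failing sufficient or optional module is simply ignored
    return impression is True, consulted

def rejects_bad_password(stack, user="administrator"):
    """Does the stack deny a known user who presents a wrong password?"""
    return not evaluate(stack, user, "not-the-password")[0]
```

With the Red Hat stack, removing the closing <code class="literal">pam_deny.so</code> line makes <code class="literal">rejects_bad_password()</code> return <code class="literal">False</code>: the successful <code class="literal">required pam_env.so</code> is then the only recorded result, so a password rejected by both <code class="literal">pam_unix</code> and <code class="literal">pam_winbind</code> still leaves a positive impression.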
</p><div class="procedure"><ol type="1"><li><p>
Follow the steps outlined in <a class="link" href="unixclients.html#adssdm" title="Active Directory Domain with Samba Domain Member Server">“Active Directory Domain with Samba Domain Member Server”</a> and ensure that all validation tests function as shown.
</p></li><li><p>
Identify what services users must log on to. On Red Hat Linux, if it is intended that the user shall be given access to all services, it may be most expeditious to simply configure the file <code class="filename">/etc/pam.d/system-auth</code> as shown in <a class="link" href="unixclients.html#ch9-rhsysauth" title="Example 7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind">“Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind”</a>.
</p></li><li><p>
Carefully make a backup copy of all PAM configuration files before you begin making changes. If you break the PAM configuration, please note that you may need to use an emergency boot process to recover your Linux system. It is possible to break the ability to log into the system if PAM files are incorrectly configured. The entire directory <code class="filename">/etc/pam.d</code> should be backed up to a safe location.
</p></li><li><p>
If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code> file so it matches <a class="link" href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">“SUSE: PAM login Module Using Winbind”</a>.
</p></li><li><p>
To provide the ability to log onto the graphical desktop interface, you must edit the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the <code class="filename">/etc/pam.d</code> directory.
</p></li><li><p>
Edit only one file at a time.
Carefully validate its operation before attempting to reboot the machine.
</p></li></ol></div></div><div class="example"><a name="ch9-pamwnbdlogin"></a><p class="title"><b>Example 7.11. SUSE: PAM <code class="filename">login</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen">
# /etc/pam.d/login

#%PAM-1.0
auth sufficient pam_unix2.so nullok
auth sufficient pam_winbind.so use_first_pass use_authtok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
account sufficient pam_unix2.so
account sufficient pam_winbind.so use_first_pass use_authtok
password required pam_pwcheck.so nullok
password sufficient pam_unix2.so nullok use_first_pass use_authtok
password sufficient pam_winbind.so use_first_pass use_authtok
session sufficient pam_unix2.so none
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_limits.so
</pre></div></div><br class="example-break"><div class="example"><a name="ch9-pamwbndxdm"></a><p class="title"><b>Example 7.12. SUSE: PAM <code class="filename">xdm</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen">
# /etc/pam.d/gdm (/etc/pam.d/xdm)

#%PAM-1.0
auth sufficient pam_unix2.so nullok
auth sufficient pam_winbind.so use_first_pass use_authtok
account sufficient pam_unix2.so
account sufficient pam_winbind.so use_first_pass use_authtok
password sufficient pam_unix2.so
password sufficient pam_winbind.so use_first_pass use_authtok
session sufficient pam_unix2.so
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_devperm.so
session required pam_resmgr.so
</pre></div></div><br class="example-break"><div class="example"><a name="ch9-rhsysauth"></a><p class="title"><b>Example 7.13. Red Hat 9: PAM System Authentication File: <code class="filename">/etc/pam.d/system-auth</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen">
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
# Note: The above line is complete. There is nothing following the '='
password sufficient /lib/security/$ISA/pam_unix.so \
 nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session sufficient /lib/security/$ISA/pam_unix.so
session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596918"></a>Key Points Learned</h3></div></div></div><p>
The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you learned how to integrate such servers so that the UID/GID mappings they use can be consistent across all domain member servers. You also discovered how to implement the ability to use Samba or Windows domain account credentials to log on to a UNIX/Linux client.
</p><p>
The following are key points made in this chapter:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Domain controllers are always authoritative for the domain.
</p></li><li><p>
Domain members may have local accounts and must be able to resolve the identity of domain user accounts.
Domain user account identity must map to a local UID/GID. That local UID/GID can be stored in LDAP. This way, it is possible to share the IDMAP data across all domain member machines.
</p></li><li><p>
Resolution of user and group identities on domain member machines may be implemented using direct LDAP services or using winbind.
</p></li><li><p>
On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for identity management and PAM is responsible for authentication of logon credentials (username and password).
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596972"></a>Questions and Answers</h2></div></div></div><p>
The following questions were obtained from the mailing list and also from private discussions with Windows network administrators.
</p><div class="qandaset"><dl><dt> <a href="unixclients.html#id2596990">
We use NIS for all UNIX accounts. Why do we need winbind?
</a></dt><dt> <a href="unixclients.html#id2597105">
Our IT management people do not like LDAP but are looking at Microsoft Active Directory. Which is better?
</a></dt><dt> <a href="unixclients.html#id2597189">
We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible to use NIS in place of LDAP?
</a></dt><dt> <a href="unixclients.html#id2597300">
Are you suggesting that users should not log on to a domain member server? If so, why?
</a></dt><dt> <a href="unixclients.html#id2597421">
We want to ensure that only users from our own domain plus from trusted domains can use our Samba servers. In the smb.conf file on all servers, we have enabled the winbind trusted domains only parameter. We now find that users from trusted domains cannot access our servers, and users from Windows clients that are not domain members can also access our servers.
Is this a Samba bug?
</a></dt><dt> <a href="unixclients.html#id2597596">
What are the benefits of using LDAP for my domain member servers?
</a></dt><dt> <a href="unixclients.html#id2597780">
Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into my DNS configuration?
</a></dt><dt> <a href="unixclients.html#id2597938">
Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we use Samba-3 with that configuration?
</a></dt><dt> <a href="unixclients.html#id2597956">
When I tried to execute net ads join, I got no output. It did not work, so I think that it failed. I then executed net rpc join and that worked fine. That is okay, isn't it?
</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2596990"></a><a name="id2596992"></a></td><td align="left" valign="top"><p>
We use NIS for all UNIX accounts. Why do we need winbind?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
<a class="indexterm" name="id2597004"></a>
<a class="indexterm" name="id2597011"></a>
<a class="indexterm" name="id2597018"></a>
<a class="indexterm" name="id2597025"></a>
<a class="indexterm" name="id2597031"></a>
<a class="indexterm" name="id2597038"></a>
You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted passwords that need to be stored in one of the acceptable passdb backends. Your choice of backend is limited to <em class="parameter"><code>smbpasswd</code></em> or <em class="parameter"><code>tdbsam</code></em>. Winbind is needed to handle the resolution of SIDs from trusted domains to local UID/GID values.
</p><p>
<a class="indexterm" name="id2597065"></a>
<a class="indexterm" name="id2597073"></a>
On a domain member server, you effectively map Windows domain users to local users that are in your NIS database by specifying the <em class="parameter"><code>winbind trusted domains only</code></em> parameter. This causes user and group account lookups to be routed via the <code class="literal">getpwnam()</code> family of system calls. On an NIS-enabled client, this pushes the resolution of users and groups out through NIS.
</p><p>
As a general rule, it is always a good idea to run winbind on all Samba servers.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597105"></a><a name="id2597107"></a></td><td align="left" valign="top"><p>
Our IT management people do not like LDAP but are looking at Microsoft Active Directory. Which is better?<a class="indexterm" name="id2597114"></a>
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597128"></a><a class="indexterm" name="id2597139"></a><a class="indexterm" name="id2597147"></a>
Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos infrastructure. Most IT managers who object to LDAP do so because an LDAP server is most often supplied as a raw tool that needs to be configured and for which the administrator must create the schema, create the administration tools, and devise the backup and recovery facilities in a site-dependent manner. LDAP servers in general are seen as a high-energy, high-risk facility.
</p><p><a class="indexterm" name="id2597166"></a>
Microsoft Active Directory by comparison is easy to install and configure and is supplied with all tools necessary to implement and manage the directory.
For sites that lack a lot of technical competence, Active Directory is a good choice. For sites that have the technical competence to handle Active Directory well, LDAP is a good alternative. The real issue is, what type of solution does the site want? If management wants a choice to use an alternative, they may want to consider the options. On the other hand, if management just wants a solution that works, Microsoft Active Directory is a good solution.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597189"></a><a name="id2597191"></a></td><td align="left" valign="top"><p>
We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible to use NIS in place of LDAP?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597203"></a><a class="indexterm" name="id2597211"></a><a class="indexterm" name="id2597219"></a><a class="indexterm" name="id2597227"></a><a class="indexterm" name="id2597235"></a><a class="indexterm" name="id2597243"></a><a class="indexterm" name="id2597250"></a>
Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping the Windows (SMB) encrypted passwords database correctly synchronized across the entire network. Workstations (Windows client machines) periodically change their domain membership secure account password. How can you keep changes that are on remote BDCs synchronized on the PDC?
</p><p><a class="indexterm" name="id2597268"></a><a class="indexterm" name="id2597276"></a><a class="indexterm" name="id2597284"></a>
LDAP is a more elegant solution because it permits centralized storage and management of all network identities (user, group, and machine accounts) together with all information Samba needs to provide to network clients and their users.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597300"></a><a name="id2597302"></a></td><td align="left" valign="top"><p>
Are you suggesting that users should not log on to a domain member server? If so, why?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597314"></a><a class="indexterm" name="id2597322"></a><a class="indexterm" name="id2597333"></a>
Many UNIX administrators mock the model that the personal computer industry has adopted as normative since the early days of Novell NetWare. The old perception of the necessity to keep users off file and print servers was a result of fears concerning the security and integrity of data. It was a simple and generally effective measure to keep users away from servers, except through mapped drives.
</p><p><a class="indexterm" name="id2597351"></a><a class="indexterm" name="id2597359"></a><a class="indexterm" name="id2597367"></a><a class="indexterm" name="id2597375"></a><a class="indexterm" name="id2597382"></a>
UNIX administrators are fully correct in asserting that UNIX servers and workstations are identical in terms of the software that is installed. They correctly assert that in a well-secured environment it is safe to store files on a system that has hundreds of users. But when deciding whether to allow or reject general user logins to a UNIX system that is principally a file and print server, all network administrators must factor in the risk to operations through simple user errors. Only then can one begin to appraise the best strategy and adopt a site-specific policy that best protects the needs of users and of the organization alike.
</p><p><a class="indexterm" name="id2597405"></a> From experience, it is my recommendation to keep general system-level logins to a practical minimum and to eliminate them if possible. This should not be taken as a hard rule, though. The better question is, what works best for the site? </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597421"></a><a name="id2597423"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2597426"></a><a class="indexterm" name="id2597434"></a><a class="indexterm" name="id2597446"></a><a class="indexterm" name="id2597454"></a> We want to ensure that only users from our own domain plus from trusted domains can use our Samba servers. In the <code class="filename">smb.conf</code> file on all servers, we have enabled the <em class="parameter"><code>winbind trusted domains only</code></em> parameter. We now find that users from trusted domains cannot access our servers, and users from Windows clients that are not domain members can also access our servers. Is this a Samba bug? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597487"></a><a class="indexterm" name="id2597495"></a><a class="indexterm" name="id2597502"></a><a class="indexterm" name="id2597510"></a><a class="indexterm" name="id2597518"></a><a class="indexterm" name="id2597526"></a> The manual page for the <em class="parameter"><code>winbind trusted domains only</code></em> parameter says, “<span class="quote">This parameter is designed to allow Samba servers that are members of a Samba-controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the UIDs for winbindd users in the host's primary domain.
Therefore, the user <code class="constant">SAMBA\user1</code> would be mapped to the account <code class="constant">user1</code> in <code class="filename">/etc/passwd</code> instead of allocating a new UID for him or her.</span>” This clearly suggests that you are trying to use this parameter inappropriately. </p><p><a class="indexterm" name="id2597568"></a> A far better solution is to use the <em class="parameter"><code>valid users</code></em> parameter to specify precisely the domain users and groups that should be permitted access to the shares. You could, for example, set the following parameters:</p><pre class="screen">
[demoshare]
	path = /export/demodata
	valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"
</pre><p>
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597596"></a><a name="id2597598"></a></td><td align="left" valign="top"><p> What are the benefits of using LDAP for my domain member servers? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597609"></a><a class="indexterm" name="id2597617"></a><a class="indexterm" name="id2597625"></a><a class="indexterm" name="id2597633"></a><a class="indexterm" name="id2597640"></a><a class="indexterm" name="id2597648"></a><a class="indexterm" name="id2597656"></a><a class="indexterm" name="id2597664"></a><a class="indexterm" name="id2597672"></a> The key benefit of using LDAP is that the UID of all users and the GID of all groups are globally consistent on domain controllers as well as on domain member servers. This means that it is possible to copy or replicate files across servers without loss of identity.
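As an added illustration that is not from the book, the following Python model contrasts the two resolution paths this answer and the following paragraph describe: a domain controller or an NSS LDAP member takes the UID straight from the POSIX uidNumber in the directory, whereas a winbind member allocates UIDs from the idmap uid range in smb.conf, so ownership survives a copy between the first pair of hosts but not between a DC and a winbind member. The account names, UID values and smb.conf fragment are constructed, and the allocator is a deliberately simplified stand-in for winbindd.

```python
import re
# Constructed POSIX account data as stored in the LDAP directory (uidNumber);
# the domain controllers resolve users to exactly these values.
LDAP_POSIX = {"bobj": 1001, "stans": 1002, "chrisr": 1003}

# Constructed smb.conf fragment for a winbind-based domain member server.
SMB_CONF = """
[global]
    workgroup = MEGANET2
    security = domain
    idmap uid = 10000-20000
    idmap gid = 10000-20000
"""

def parse_idmap_range(conf, key="idmap uid"):
    """Return (low, high) from an 'idmap uid' or 'idmap gid' line in smb.conf."""
    m = re.search(r"^\s*%s\s*=\s*(\d+)\s*-\s*(\d+)\s*$" % re.escape(key), conf, re.M)
    if not m:
        raise ValueError("no '%s' range in smb.conf" % key)
    return int(m.group(1)), int(m.group(2))

class NssLdapHost:
    """A DC, or a member using NSS LDAP: the UID is the uidNumber in the directory."""
    def uid(self, name):
        return LDAP_POSIX[name]

class IdmapStore:
    """Simplified winbind allocator: IDs handed out from the idmap range in first-seen
    order. Shared by several hosts it models an idmap backend in LDAP; one per host, a tdb."""
    def __init__(self, conf):
        self.low, self.high = parse_idmap_range(conf)
        self.next_free, self.mapping = self.low, {}
    def uid(self, name):
        if name not in self.mapping:
            if self.next_free > self.high:
                raise RuntimeError("idmap uid range exhausted")
            self.mapping[name], self.next_free = self.next_free, self.next_free + 1
        return self.mapping[name]

class WinbindHost:
    """A member resolving identities through winbind and the given IdmapStore."""
    def __init__(self, store):
        self.store = store
    def uid(self, name):
        return self.store.uid(name)

def copy_preserves_owner(src, dst, owner):
    """True if a file owned by `owner` keeps its owner when copied src -> dst with -p."""
    return src.uid(owner) == dst.uid(owner)
```

With a shared store the winbind members agree with each other but still not with the DC; with a store per host, two members that first saw users in a different order disagree even among themselves.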
</p><p><a class="indexterm" name="id2597688"></a><a class="indexterm" name="id2597696"></a><a class="indexterm" name="id2597704"></a><a class="indexterm" name="id2597712"></a><a class="indexterm" name="id2597720"></a><a class="indexterm" name="id2597728"></a><a class="indexterm" name="id2597739"></a><a class="indexterm" name="id2597747"></a> When account identity resolution is done via winbind, even when an IDMAP backend is stored in LDAP, the UID/GID on domain member servers is consistent, but it differs from the ID that the user/group has on domain controllers. The winbind-allocated UID/GID that is stored in LDAP (or locally) will be in the numeric range specified by the <em class="parameter"><code>idmap uid/gid</code></em> parameters in the <code class="filename">smb.conf</code> file. On domain controllers, the UID/GID is the POSIX value assigned in the LDAP directory as part of the POSIX account information. </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597780"></a><a name="id2597782"></a></td><td align="left" valign="top"><p> Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into my DNS configuration? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597793"></a><a class="indexterm" name="id2597805"></a><a class="indexterm" name="id2597816"></a><a class="indexterm" name="id2597824"></a><a class="indexterm" name="id2597832"></a><a class="indexterm" name="id2597839"></a><a class="indexterm" name="id2597847"></a> Samba depends on correctly functioning resolution of hostnames to their IP addresses. Samba makes no direct DNS lookup calls, but rather redirects all name-to-address calls via the <code class="literal">getXXXbyXXX()</code> function calls.
The configuration of the <code class="constant">hosts</code> entry in the NSS <code class="filename">/etc/nsswitch.conf</code> file determines how the underlying resolution process is implemented. If the <code class="constant">hosts</code> entry in your NSS control file says:</p><pre class="screen">
hosts: files dns wins
</pre><p> this means that a hostname lookup first tries the <code class="filename">/etc/hosts</code> file. If this fails to resolve, it attempts a DNS lookup, and if that fails, it tries a WINS lookup. </p><p><a class="indexterm" name="id2597902"></a><a class="indexterm" name="id2597910"></a><a class="indexterm" name="id2597918"></a> The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS is the preferred name resolution technology. This usually makes most sense when Samba is a client of an Active Directory domain, where NetBIOS use has been disabled. In this case, Windows 200x automatically registers all the locator records it needs with its own DNS server or servers. </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597938"></a><a name="id2597940"></a></td><td align="left" valign="top"><p> Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we use Samba-3 with that configuration? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Yes. </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597956"></a><a name="id2597958"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2597962"></a><a class="indexterm" name="id2597976"></a> When I tried to execute <code class="literal">net ads join</code>, I got no output. It did not work, so I think that it failed. I then executed <code class="literal">net rpc join</code> and that worked fine.
That is okay, isn't it? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2598000"></a><a class="indexterm" name="id2598008"></a> No. This is not okay. It means that your Samba-3 client has joined the ADS domain as a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication. </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="upgrades.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part&nbsp;II.&nbsp;Domain Members, Updating Samba and Migration&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Updating Samba-3</td></tr></table></div></body></html>