1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�10.�Adding UNIX/LINUX Servers and Clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="nw4migration.html" title="Chapter�9.�Migrating NetWare 4.11 Server to Samba-3"><link rel="next" href="kerberos.html" title="Chapter�11.�Active Directory, Kerberos, and Security"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�10.�Adding UNIX/LINUX Servers and Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="nw4migration.html">Prev</a>�</td><th width="60%" align="center">�</th><td width="20%" align="right">�<a accesskey="n" href="kerberos.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unixclients"></a>Chapter�10.�Adding UNIX/LINUX Servers and Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unixclients.html#id2578114">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2578169">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2578204">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2578233">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2578929">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2579029">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server Using Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2583360">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2583924">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2583977">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2578018"></a><a class="indexterm" name="id2578026"></a> 2 The most frequently discussed Samba subjects over the past two years have focused around Domain Control and printing. 3 It is well known that Samba is a file and print server. A recent survey conducted by Open Magazine found 4 that of all respondents: 97% use Samba for file and print services, and 68% use Samba for Domain Control. See the 5 <a href="http://www.open-mag.com/cgi-bin/opencgi/surveys/survey.cgi?survey_name=samba" target="_top">Open-Mag</a> 6 Web site for current information. The survey results as found on January 14, 2004, as shown in 7 <a href="unixclients.html#ch09openmag" title="Figure�10.1.�Open Magazine Samba Survey">???</a>. 8 </p><div class="figure"><a name="ch09openmag"></a><p class="title"><b>Figure�10.1.�Open Magazine Samba Survey</b></p><div class="mediaobject"><img src="images/openmag.png" width="324" alt="Open Magazine Samba Survey"></div></div><p> 9 While Domain Control is an exciting subject, basic file and print sharing remains the staple bread-and-butter 10 function that Samba provides. Yet this book may give the appearance of having focused too much on more 11 exciting aspects of Samba deployment. This chapter directs your attention to provide important information on 12 the addition of Samba servers into your present Windows network whatever the controlling technology 13 may be. So let's get back to Abmas and our good friends Bob Jordan and company. 14 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2578114"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2578121"></a><a class="indexterm" name="id2578128"></a> 15 Bob Jordan looks back over the achievements of the past year or two. Daily events are rather straightforward 16 with not too many distractions or problems. Bob, your team is doing well, but a number of employees 17 are asking for Linux desktop systems. Your network has grown and demands additional Domain Member servers. Let's 18 get on with this; Christine and Stan are ready to go. 19 </p><p><a class="indexterm" name="id2578150"></a> 20 Stan Soroka is firmly in control of the Department of the Future, while Christine is enjoying a stable and 21 predictable network environment. It is time to add more servers and to add Linux desktops. It is 22 time to meet the demands of future growth and endure trial by fire. Go on, walk the steps 23 with Stan and Company. 24 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2578169"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id2578175"></a> 25 You must now add UNIX/Linux Domain Member servers to your network. You have a friend who has a Windows 2003 26 Active Directory Domain network who wants to add a Samba/Linux server and has asked Christine to help him 27 out. Your real objective is to help Christine to see more of the way the Microsoft world lives and use 28 her help to get validation that Samba really does live up to expectations. 29 </p><p> 30 Over the past six months, you have hired several new staff who want Linux on their desktops. You must integrate 31 these systems to make sure that Abmas is not building islands of technology. You ask Christine to 32 do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make 33 the right decision, don't you? 34 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2578204"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id2578211"></a> 35 Recent Samba mailing list activity is witness to how many sites are using winbind. Some have no trouble 36 at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning 37 an inability to achieve identical user and group IDs between Windows and UNIX environments. 38 </p><p> 39 You provide step-by-step implementations of the various tools that can be used for identity 40 resolution. You also provide working examples of solutions for integrated authentication for 41 both UNIX/Linux and Windows environments. 42 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2578233"></a>Technical Issues</h3></div></div></div><p> 43 One of the great challenges we face when people ask us, “<span class="quote"><span class="emphasis"><em>What is the best way to solve 44 this problem?</em></span></span>” is to get beyond the facts so we can not only clearly comprehend 45 the immediate technical problem, but also understand how needs may change. 46 </p><p><a class="indexterm" name="id2578252"></a> 47 There are a few facts we should note when dealing with the question of how best to 48 integrate UNIX/Linux clients and servers into a Windows networking environment: 49 </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2578269"></a><a class="indexterm" name="id2578277"></a><a class="indexterm" name="id2578285"></a><a class="indexterm" name="id2578297"></a><a class="indexterm" name="id2578304"></a> 50 A Domain Controller (PDC or BDC) is always authoritative for all accounts in its Domain. 51 This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs 52 to the same values that the PDC resolved them to. 53 </p></li><li><p><a class="indexterm" name="id2578320"></a><a class="indexterm" name="id2578328"></a><a class="indexterm" name="id2578344"></a><a class="indexterm" name="id2578352"></a> 54 A Domain Member can be authoritative for local accounts, but is never authoritative for 55 Domain accounts. If a user is accessing a Domain Member server and that user's account 56 is not known locally, the Domain Member server must resolve the identity of that user 57 from the Domain in which that user's account resides. It must then map that ID to a 58 UID/GID pair that it can use locally. This is handled by <span><b class="command">winbindd</b></span>. 59 </p></li><li><p> 60 Samba, when running on a Domain Member server, can resolve user identities from a 61 number of sources: 62 63 </p><div class="itemizedlist"><ul type="circle"><li><p><a class="indexterm" name="id2578384"></a><a class="indexterm" name="id2578392"></a><a class="indexterm" name="id2578400"></a><a class="indexterm" name="id2578407"></a><a class="indexterm" name="id2578415"></a> 64 By executing a system <span><b class="command">getpwnam()</b></span> or <span><b class="command">getgrnam()</b></span> call. 65 On systems that support it, this utilizes the name service switch (NSS) facility to 66 resolve names according to the configuration of the <tt class="filename">/etc/nsswitch.conf</tt> 67 file. NSS can be configured to use LDAP, winbind, NIS, or local files. 68 </p></li><li><p><a class="indexterm" name="id2578449"></a><a class="indexterm" name="id2578457"></a><a class="indexterm" name="id2578465"></a> 69 Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured). 70 This requires the use of the PADL nss_ldap tool (or equivalent). 71 </p></li><li><p><a class="indexterm" name="id2578480"></a><a class="indexterm" name="id2578488"></a><a class="indexterm" name="id2578496"></a><a class="indexterm" name="id2578504"></a> 72 Directly by querying <span><b class="command">winbindd</b></span>. The <span><b class="command">winbindd</b></span> 73 contact a Domain Controller to attempt to resolve the identity of the user or group. It 74 receives the Windows networking security identifier (SID) for that appropriate 75 account and then allocates a local UID or GID from the range of available IDs and 76 creates an entry in its <tt class="filename">winbindd_idmap.tdb</tt> and 77 <tt class="filename">winbindd_cache.tdb</tt> files. 78 </p><p><a class="indexterm" name="id2578550"></a><a class="indexterm" name="id2578558"></a> 79 If the parameter 80 <a class="indexterm" name="id2578568"></a>idmap backend = ldap:ldap://myserver.domain 81 was specified and the LDAP server has been configured with a container in which it may 82 store the IDMAP entries, all Domain Members may share a common mapping. 83 </p></li></ul></div><p> 84 </p><p> 85 Irrespective of how <tt class="filename">smb.conf</tt> is configured, winbind creates and caches a local copy of 86 the ID mapping database. It uses the <tt class="filename">winbindd_idmap.tdb</tt>, and 87 <tt class="filename">winbindd_cache.tdb</tt> files to do this. 88 </p><p> 89 Which of the above resolver methods is chosen is determined by the way that Samba is configured 90 in the <tt class="filename">smb.conf</tt> file. Some of the configuration options are rather less than obvious to the 91 casual user. 92 </p></li><li><p><a class="indexterm" name="id2578620"></a><a class="indexterm" name="id2578629"></a><a class="indexterm" name="id2578640"></a> 93 If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable 94 of being resolved using) the name service switch (NSS) facility, it is imperative to use the 95 <a class="indexterm" name="id2578653"></a>winbind enable local accounts = Yes 96 in the <tt class="filename">smb.conf</tt> file. This parameter specifically applies only to Domain Controllers, 97 not to Domain Member servers. 98 </p></li></ul></div><p><a class="indexterm" name="id2578672"></a><a class="indexterm" name="id2578680"></a><a class="indexterm" name="id2578688"></a> 99 For many administrators, it should be plain that the use of an LDAP-based repository for all network 100 accounts (both for Posix accounts as well as for Samba accounts) provides the most elegant and 101 controllable facility. You eventually appreciate the decision to use LDAP. 102 </p><p><a class="indexterm" name="id2578704"></a><a class="indexterm" name="id2578711"></a><a class="indexterm" name="id2578719"></a> 103 If your network account information resides in an LDAP repository, you should use it ahead of any 104 alternative method. This means that if it is humanly possible to use the <span><b class="command">nss_ldap</b></span> 105 tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, as it provides 106 a more readily controllable method for asserting the exact same user and group identifiers 107 throughout the network. 108 </p><p><a class="indexterm" name="id2578743"></a><a class="indexterm" name="id2578754"></a><a class="indexterm" name="id2578763"></a><a class="indexterm" name="id2578771"></a><a class="indexterm" name="id2578778"></a><a class="indexterm" name="id2578786"></a> 109 In the situation where UNIX accounts are held on the Domain Member server itself, the only effective 110 way to use them involves the <tt class="filename">smb.conf</tt> entry 111 <a class="indexterm" name="id2578804"></a>winbind trusted domains only = Yes. This forces 112 Samba (<span><b class="command">smbd</b></span>) to perform a <span><b class="command">getpwnam()</b></span> system call that can 113 then be controlled via <tt class="filename">/etc/nsswitch.conf</tt> file settings. The use of this parameter 114 disables the use of Samba with Trusted Domains (i.e., External Domains). 115 </p><p><a class="indexterm" name="id2578835"></a><a class="indexterm" name="id2578843"></a><a class="indexterm" name="id2578855"></a><a class="indexterm" name="id2578862"></a> 116 Winbind can be used to create an appliance mode Domain Member server. In this capacity, <span><b class="command">winbindd</b></span> 117 is configured to automatically allocate UIDs/GIDs from numeric ranges set in the <tt class="filename">smb.conf</tt> file. The allocation 118 is made for all accounts that connect to that Domain Member server, whether within its own Domain or from 119 Trusted Domains. If not stored in an LDAP backend, each Domain Member maintains its own unique mapping database. 120 This means that it is almost certain that a given user who accesses two Domain Member servers does not have the 121 same UID/GID on both servers however, this is transparent to the Windows network user. This data 122 is stored in the <tt class="filename">winbindd_idmap.tdb</tt> and <tt class="filename">winbindd_cache.tdb</tt> files. 123 </p><p><a class="indexterm" name="id2578912"></a> 124 The use of an LDAP backend for the Winbind IDMAP facility permits Windows Domain security identifiers (SIDs) 125 mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all Domain Member 126 servers so configured. This solves one of the major headaches for network administrators who need to copy 127 files between/across network file servers. 128 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2578929"></a>Political Issues</h3></div></div></div><p><a class="indexterm" name="id2578936"></a><a class="indexterm" name="id2578944"></a><a class="indexterm" name="id2578951"></a><a class="indexterm" name="id2578962"></a> 129 One of the most fierce conflicts recently being waged is one of resistance to the adoption of LDAP, in 130 particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP 131 is different and requires a new approach to the need for a better identity management solution. The more 132 you work with LDAP, the more its power and flexibility emerges from its dark, cavernous chasm. 133 </p><p> 134 LDAP is a most suitable solution for heterogenous environments. If you need crypto, add Kerberos. 135 The reason these are preferable is because they are heterogenous. Windows solutions of this sort are NOT 136 heterogenous by design. This is fundamental it isn't religious or political. This also doesn't say that 137 you can't use Windows Active Directory in a heterogenous environment it can be done, it just requires 138 commercial integration products it's just not what Active Directory was designed for. 139 </p><p><a class="indexterm" name="id2579002"></a><a class="indexterm" name="id2579009"></a> 140 A number of long-term UNIX devotees have recently commented in various communications that the Samba Team 141 is the first application group to almost force network administrators to use LDAP. It should be pointed 142 out that we resisted this as long as we could. It is not out of laziness or out of malice that LDAP has 143 finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total 144 organizational directory needs. 145 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2579029"></a>Implementation</h2></div></div></div><p><a class="indexterm" name="id2579035"></a><a class="indexterm" name="id2579047"></a><a class="indexterm" name="id2579058"></a> 146 The Domain Member server and the Domain Member client are at the center of focus in this chapter. 147 Configuration of Samba-3 Domain Controller has been covered in earlier chapters, so if your 148 interest is in Domain Controller configuration, you will not find that here. You will find good 149 oil that helps you to add Domain Member servers and clients. 150 </p><p><a class="indexterm" name="id2579076"></a> 151 In practice, Domain Member servers and Domain Member workstations are very different entities, but in 152 terms of technology they share similar core infrastructure. A technologist would argue that servers 153 and workstations are identical. Many users would argue otherwise, given that in a well-disciplined 154 environment a workstation (client) is a device from which a user creates documents and files that 155 are located on servers. A workstation is frequently viewed as a disposable (easy to replace) item, 156 but a server is viewed as a core component of the business. 157 </p><p><a class="indexterm" name="id2579100"></a> 158 One can look at this another way. If a workstation breaks down, one user is affected, but if a 159 server breaks down, hundreds of users may not be able to work. The services that a workstation 160 must provide are document and file production oriented; a server provides information storage 161 and is distribution oriented. 162 </p><p><a class="indexterm" name="id2579116"></a><a class="indexterm" name="id2579125"></a><a class="indexterm" name="id2579133"></a> 163 <span class="emphasis"><em>Why is this important?</em></span> For starters, we must identify what 164 components of the operating system and its environment must be configured. Also, it is necessary 165 to recognize where the interdependencies between the various services to be used are. 166 In particular, it is important to understand the operation of each critical part of the 167 authentication process, the logon process, and how user identities get resolved and applied 168 within the operating system and applications (like Samba) that depend on this and may 169 actually contribute to it. 170 </p><p> 171 So, while here we demonstrate how to implement the technology. It is done within a context of 172 what type of service need must be fulfilled. 173 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sdcsdmldap"></a>Samba Domain with Samba Domain Member Server Using LDAP</h3></div></div></div><p><a class="indexterm" name="id2579178"></a><a class="indexterm" name="id2579185"></a><a class="indexterm" name="id2579193"></a><a class="indexterm" name="id2579201"></a><a class="indexterm" name="id2579212"></a><a class="indexterm" name="id2579220"></a> 174 In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using 175 an LDAP ldapsam backend. In this example, we are adding to the LDAP backend database (directory) 176 containers for use by the IDMAP facility. This makes it possible to have globally consistent 177 mapping of SIDs to/from UIDs/GIDs. This means that you are running <span><b class="command">winbindd</b></span> 178 as part of your configuration. The primary purpose of running <span><b class="command">winbindd</b></span> (within 179 this operational context) is to permit mapping of foreign SIDs (those not originating from our 180 own Domain). Foreign SIDs can come from any external Domain or from Windows clients that do not 181 belong to a Domain. 182 </p><p><a class="indexterm" name="id2579253"></a><a class="indexterm" name="id2579261"></a><a class="indexterm" name="id2579269"></a> 183 If your installation is accessed only from clients that are members of your own domain, then 184 it is not necessary to run <span><b class="command">winbindd</b></span> as long as all users can be resolved 185 locally via the <span><b class="command">getpwnam()</b></span> system call. On NSS-enabled systems, this condition 186 is met by having: 187 </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2579299"></a><a class="indexterm" name="id2579307"></a> 188 All accounts in <tt class="filename">/etc/passwd</tt> or in <tt class="filename">/etc/group</tt>. 189 </p></li><li><p><a class="indexterm" name="id2579332"></a><a class="indexterm" name="id2579339"></a><a class="indexterm" name="id2579347"></a><a class="indexterm" name="id2579355"></a><a class="indexterm" name="id2579363"></a><a class="indexterm" name="id2579371"></a><a class="indexterm" name="id2579379"></a><a class="indexterm" name="id2579386"></a><a class="indexterm" name="id2579394"></a><a class="indexterm" name="id2579402"></a> 190 Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs 191 via multiple methods. The methods typically include: <span><b class="command">files, compat, db, ldap, 192 nis, nisplus, hesoid.</b></span> When correctly installed, Samba adds to this list 193 the <span><b class="command">winbindd</b></span> facility. The ldap facility is frequently the nss_ldap 194 tool provided by PADL Software. 195 </p></li></ul></div><p><a class="indexterm" name="id2579432"></a> 196 The diagram in <a href="unixclients.html#ch9-sambadc" title="Figure�10.2.�Samba Domain: Samba Member Server">???</a> demonstrates the relationship of samba and system 197 components that are involved in the Identity resolution process where Samba is used as a Domain 198 Member server within a Samba Domain Control network. 199 </p><div class="figure"><a name="ch9-sambadc"></a><p class="title"><b>Figure�10.2.�Samba Domain: Samba Member Server</b></p><div class="mediaobject"><img src="images/chap9-SambaDC.png" width="324" alt="Samba Domain: Samba Member Server"></div></div><p><a class="indexterm" name="id2579497"></a><a class="indexterm" name="id2579504"></a> 200 In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam 201 to obtain authentication and user identity information. The IDMAP information is stored in the LDAP 202 backend so that it can be shared by all Domain Member servers so that every user will have a 203 consistent UID and GID across all of them. The IDMAP facility will be used for all foreign 204 (i.e., not having the same SID as the Domain it is a member of) Domains. The configuration of 205 NSS will ensure that all unix processes will obtain a consistent UID/GID. 206 </p><p> 207 The instructions given here apply to the Samba environment as shown in Chapters 6 and 7. 208 If your network does not have an LDAP slave server (i.e., Chapter 6 configuration), you 209 must change the target LDAP server from <tt class="constant">lapdc</tt> to <tt class="constant">massive.</tt> 210 </p><div class="procedure"><a name="id2579538"></a><p class="title"><b>Procedure�10.1.�Configuration of LDAP-Based Identity Resolution</b></p><ol type="1"><li><p> 211 Create the <tt class="filename">smb.conf</tt> file as shown in <a href="unixclients.html#ch9-sdmsdc" title="Example�10.1.�Samba Domain Member in Samba Domain Control Context smb.conf File">???</a>. Locate 212 this file in the directory <tt class="filename">/etc/samba</tt>. 213 </p></li><li><p><a class="indexterm" name="id2579575"></a> 214 Configure the file that will be used by <tt class="constant">nss_ldap</tt> to 215 locate and communicate with the LDAP server. This file is called <tt class="filename">ldap.conf</tt>. 216 If your implementation of <tt class="constant">nss_ldap</tt> is consistent with 217 the defaults suggested by PADL (the authors), it will be located in the 218 <tt class="filename">/etc</tt> directory. On some systems, the default location is 219 the <tt class="filename">/etc/openldap</tt> directory. Change the parameters inside 220 the file that is located on your OS so it matches <a href="unixclients.html#ch9-sdmlcnf" title="Example�10.3.�Configuration File for NSS LDAP Support /etc/ldap.conf">???</a>. 221 To find the correct location of this file, you can obtain this from the 222 library that will be used by executing the following: 223</p><pre class="screen"> 224<tt class="prompt">root# </tt> strings /lib/libnss_ldap* | grep ldap.conf 225/etc/ldap.conf 226</pre><p> 227 </p></li><li><p> 228 Configure the name service switch (NSS) control file so it matches the one shown 229 in <a href="unixclients.html#ch9-sdmnss" title="Example�10.4.�NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>. 230 </p></li><li><p><a class="indexterm" name="id2579656"></a><a class="indexterm" name="id2579664"></a> 231 Before proceeding to configure Samba, validate the operation of the NSS Identity 232 resolution via LDAP by executing: 233</p><pre class="screen"> 234<tt class="prompt">root# </tt> getent passwd 235... 236root:x:0:512:Netbios Domain Administrator:/root:/bin/false 237nobody:x:999:514:nobody:/dev/null:/bin/false 238bobj:x:1000:513:Robert Jordan:/home/bobj:/bin/bash 239stans:x:1001:513:Stanley Soroka:/home/stans:/bin/bash 240chrisr:x:1002:513:Christine Roberson:/home/chrisr:/bin/bash 241maryv:x:1003:513:Mary Vortexis:/home/maryv:/bin/bash 242jht:x:1004:513:John H Terpstra:/home/jht:/bin/bash 243bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false 244temptation$:x:1009:553:temptation$:/dev/null:/bin/false 245vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false 246fran$:x:1008:553:fran$:/dev/null:/bin/false 247josephj:x:1007:513:Joseph James:/home/josephj:/bin/bash 248</pre><p> 249 You should notice the location of the users' home directories. First, make certain that 250 the home directories exist on the Domain Member server; otherwise, the home directory 251 share is not available. The home directories could be mounted off a domain controller 252 using NFS, or by any other suitable means. Second, the absence of the Domain name in the 253 home directory path is indicative that Identity resolution is not being done via Winbind. 254</p><pre class="screen"> 255<tt class="prompt">root# </tt> getent group 256... 257Domain Admins:x:512:root,jht 258Domain Users:x:513:bobj,stans,chrisr,maryv,jht,josephj 259Domain Guests:x:514: 260Accounts:x:1000: 261Finances:x:1001: 262PIOps:x:1002: 263sammy:x:4321: 264</pre><p> 265 <a class="indexterm" name="id2579720"></a><a class="indexterm" name="id2579728"></a><a class="indexterm" name="id2579736"></a> 266 This shows that all is working as it should. Notice that in the LDAP database 267 the users primary and secondary group memberships are identical. It is not 268 necessary to add secondary group memberships (in the group database) if the 269 user is already a member via primary group membership in the password database. 270 When using winbind, it is in fact undesirable to do this as it results in 271 doubling up of group memberships and may break winbind under certain conditions. 272 </p></li><li><p><a class="indexterm" name="id2579758"></a> 273 The LDAP directory must have a container object for IDMAP data. There are several ways you can 274 check that your LDAP database is able to receive IDMAP information. One of the simplest is to 275 execute: 276</p><pre class="screen"> 277<tt class="prompt">root# </tt> slapcat | grep -i idmap 278dn: ou=Idmap,dc=abmas,dc=biz 279ou: idmap 280</pre><p> 281 <a class="indexterm" name="id2579784"></a> 282 If the execution of this command does not return IDMAP entries, you need to create an LDIF 283 template file (see <a href="unixclients.html#ch9-ldifadd" title="Example�10.2.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using the following command: 284</p><pre class="screen"> 285<tt class="prompt">root# </tt> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ 286 -w not24get < /etc/openldap/idmap.LDIF 287</pre><p> 288 Samba automatically populates this LDAP directory container when it needs to. 289 </p></li><li><p><a class="indexterm" name="id2579822"></a><a class="indexterm" name="id2579837"></a> 290 The system is ready to join the Domain. Execute the following: 291</p><pre class="screen"> 292<tt class="prompt">root# </tt> net rpc join -U root%not24et 293Joined domain MEGANET2. 294</pre><p> 295 This indicates that the Domain join succeeded. 296 </p></li><li><p> 297 <a class="indexterm" name="id2579867"></a> 298 Just joining the Domain is not quite enough, you must now provide a privilidged set 299 of credentials through which <span><b class="command">winbindd</b></span> can interact with the ADS 300 Domain servers. Execute the following to implant the necessary credentials: 301</p><pre class="screen"> 302<tt class="prompt">root# </tt> wbinfo --set-auth-user=Administrator%not24get 303</pre><p> 304- The configuration is now ready to obtain ADS Domain user and group information. 305 </p></li><li><p> 306 You may now start Samba in the usual manner and your Samba Domain Member server 307 is ready for use. Just add shares as required. 308 </p></li></ol></div><div class="example"><a name="ch9-sdmsdc"></a><p class="title"><b>Example�10.1.�Samba Domain Member in Samba Domain Control Context smb.conf File</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2579936"></a><i class="parameter"><tt> 309 310 unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2579952"></a><i class="parameter"><tt> 311 312 workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2579968"></a><i class="parameter"><tt> 313 314 security = DOMAIN</tt></i></td></tr><tr><td><a class="indexterm" name="id2579983"></a><i class="parameter"><tt> 315 316 username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2579999"></a><i class="parameter"><tt> 317 318 log level = 10</tt></i></td></tr><tr><td><a class="indexterm" name="id2580014"></a><i class="parameter"><tt> 319 320 syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2580030"></a><i class="parameter"><tt> 321 322 log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2580045"></a><i class="parameter"><tt> 323 324 max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2580060"></a><i class="parameter"><tt> 325 326 smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2580076"></a><i class="parameter"><tt> 327 328 name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2580092"></a><i class="parameter"><tt> 329 330 printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2580107"></a><i class="parameter"><tt> 331 332 wins server = 192.168.2.1</tt></i></td></tr><tr><td><a class="indexterm" name="id2580123"></a><i class="parameter"><tt> 333 334 ldap suffix = dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2580138"></a><i class="parameter"><tt> 335 336 ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2580154"></a><i class="parameter"><tt> 337 338 ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2580169"></a><i class="parameter"><tt> 339 340 ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2580185"></a><i class="parameter"><tt> 341 342 ldap idmap suffix = ou=Idmap</tt></i></td></tr><tr><td><a class="indexterm" name="id2580201"></a><i class="parameter"><tt> 343 344 ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2580217"></a><i class="parameter"><tt> 345 346 idmap backend = ldap:ldap://lapdc.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2580233"></a><i class="parameter"><tt> 347 348 idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2580248"></a><i class="parameter"><tt> 349 350 idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2580263"></a><i class="parameter"><tt> 351 352 winbind trusted domains only = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2580280"></a><i class="parameter"><tt> 353 354 printer admin = root</tt></i></td></tr><tr><td><a class="indexterm" name="id2580295"></a><i class="parameter"><tt> 355 356 printing = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2580319"></a><i class="parameter"><tt> 357 358 comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2580335"></a><i class="parameter"><tt> 359 360 valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2580350"></a><i class="parameter"><tt> 361 362 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2580366"></a><i class="parameter"><tt> 363 364 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2580390"></a><i class="parameter"><tt> 365 366 comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2580405"></a><i class="parameter"><tt> 367 368 path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2580421"></a><i class="parameter"><tt> 369 370 guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2580436"></a><i class="parameter"><tt> 371 372 printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2580452"></a><i class="parameter"><tt> 373 374 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2580476"></a><i class="parameter"><tt> 375 376 comment = Printer Drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2580491"></a><i class="parameter"><tt> 377 378 path = /var/lib/samba/drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2580507"></a><i class="parameter"><tt> 379 380 admin users = root, Administrator</tt></i></td></tr><tr><td><a class="indexterm" name="id2580523"></a><i class="parameter"><tt> 381 382 write list = root</tt></i></td></tr></table></div><div class="example"><a name="ch9-ldifadd"></a><p class="title"><b>Example�10.2.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><pre class="screen"> 383dn: ou=Idmap,dc=abmas,dc=biz 384objectClass: organizationalUnit 385ou: idmap 386structuralObjectClass: organizationalUnit 387</pre></div><div class="example"><a name="ch9-sdmlcnf"></a><p class="title"><b>Example�10.3.�Configuration File for NSS LDAP Support <tt class="filename">/etc/ldap.conf</tt></b></p><pre class="screen"> 388URI ldap://massive.abmas.biz ldap://massive.abmas.biz:636 389host 192.168.2.1 390base dc=abmas,dc=biz 391binddn cn=Manager,dc=abmas,dc=biz 392bindpw not24get 393 394pam_password exop 395 396nss_base_passwd ou=People,dc=abmas,dc=biz?one 397nss_base_shadow ou=People,dc=abmas,dc=biz?one 398nss_base_group ou=Groups,dc=abmas,dc=biz?one 399ssl no 400</pre></div><div class="example"><a name="ch9-sdmnss"></a><p class="title"><b>Example�10.4.�NSS using LDAP for Identity Resolution File: <tt class="filename">/etc/nsswitch.conf</tt></b></p><pre class="screen"> 401passwd: compat ldap 402group: compat ldap 403 404hosts: files dns wins 405networks: files dns 406 407services: files 408protocols: files 409rpc: files 410ethers: files 411netmasks: files 412netgroup: files 413publickey: files 414 415bootparams: files 416automount: files 417aliases: files 418</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="wdcsdm"></a>NT4/Samba Domain with Samba Domain Member Server Using Winbind</h3></div></div></div><p> 419 You need to use this method for creating a Samba Domain Member server if any of the following conditions 420 prevail: 421 </p><div class="itemizedlist"><ul type="disc"><li><p> 422 LDAP support (client) is not installed on the system. 423 </p></li><li><p> 424 There are mitigating circumstances forcing a decision not to use LDAP. 425 </p></li><li><p> 426 The Samba Domain Member server must be part of a Windows NT4 Domain. 427 </p></li></ul></div><p><a class="indexterm" name="id2580658"></a><a class="indexterm" name="id2580666"></a><a class="indexterm" name="id2580674"></a> 428 Later in the chapter, you can see how to configure a Samba Domain Member server for a Windows ADS Domain. 429 Right now your objective is to configure a Samba server that can be a member of a Windows NT4 style 430 Domain and/or does not use LDAP. 431 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id2580690"></a> 432 If you use <span><b class="command">winbind</b></span> for Identity resolution, do make sure that there are no 433 duplicate accounts. 434 </p><p><a class="indexterm" name="id2580709"></a> 435 For example, do not have more than one account that has UID=0 in the password database. If there 436 is an account called <tt class="constant">root</tt> in the <tt class="filename">/etc/passwd</tt> database, 437 it is okay to have an account called <tt class="constant">root</tt> in the LDAP ldapsam or in the 438 tdbsam. But if there are two accounts in the passdb backend that have the same UID, winbind will 439 break. This means that the <tt class="constant">Administrator</tt> account must be called 440 <tt class="constant">root</tt>. 441 </p><p><a class="indexterm" name="id2580746"></a><a class="indexterm" name="id2580754"></a><a class="indexterm" name="id2580762"></a> 442 Winbind will break if there is an account in <tt class="filename">/etc/passwd</tt> that has 443 the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only. 444 </p></div><p><a class="indexterm" name="id2580782"></a><a class="indexterm" name="id2580790"></a><a class="indexterm" name="id2580798"></a><a class="indexterm" name="id2580806"></a><a class="indexterm" name="id2580817"></a> 445 The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials. 446 The winbind information is locally cached in the <tt class="filename">winbindd_cache.tdb winbindd_idmap.tdb</tt> 447 files. This provides considerable performance benefits compared with the LDAP solution, particularly 448 where the LDAP lookups must traverse wide-area network links. You may examine the contents of these 449 files using the tool <span><b class="command">tdbdump</b></span>, though you may have to build this from the Samba 450 source code if it has not been supplied as part of a binary package distribution that you may be using. 451 </p><div class="procedure"><a name="id2580848"></a><p class="title"><b>Procedure�10.2.�Configuration of Winbind-Based Identity Resolution</b></p><ol type="1"><li><p> 452 Using your favorite text editor, create the <tt class="filename">smb.conf</tt> file so it has the contents 453 shown in <a href="unixclients.html#ch0-NT4DSDM" title="Example�10.5.�Samba Domain Member Server smb.conf File for NT4 Domain">???</a>. 454 </p></li><li><p><a class="indexterm" name="id2580879"></a> 455 Edit the <tt class="filename">/etc/nsswitch.conf</tt> so it has the entries shown in 456 <a href="unixclients.html#ch9-nsswbnd" title="Example�10.6.�Name Service Switch Control File: /etc/nsswitch.conf">???</a>. 457 </p></li><li><p><a class="indexterm" name="id2580907"></a> 458 The system is ready to join the Domain. Execute the following: 459</p><pre class="screen"> 460net rpc join -U root%not24et 461Joined domain MEGANET2. 462</pre><p> 463 This indicates that the Domain join succeed. 464 465 </p></li><li><p><a class="indexterm" name="id2580937"></a><a class="indexterm" name="id2580945"></a> 466 Validate operation of <span><b class="command">winbind</b></span> using the <span><b class="command">wbinfo</b></span> 467 tool as follows: 468</p><pre class="screen"> 469<tt class="prompt">root# </tt> wbinfo -u 470MEGANET2+root 471MEGANET2+nobody 472MEGANET2+jht 473MEGANET2+maryv 474MEGANET2+billr 475MEGANET2+jelliott 476MEGANET2+dbrady 477MEGANET2+joeg 478MEGANET2+balap 479</pre><p> 480 This shows that Domain users have been listed correctly. 481</p><pre class="screen"> 482<tt class="prompt">root# </tt> wbinfo -g 483MEGANET2+Domain Admins 484MEGANET2+Domain Users 485MEGANET2+Domain Guests 486MEGANET2+Accounts 487MEGANET2+Finances 488MEGANET2+PIOps 489</pre><p> 490 This shows that Domain groups have been correctly obtained also. 491 </p></li><li><p><a class="indexterm" name="id2581002"></a><a class="indexterm" name="id2581010"></a><a class="indexterm" name="id2581018"></a> 492 The next step verifies that NSS is able to obtain this information 493 correctly from <span><b class="command">winbind</b></span> also. 494</p><pre class="screen"> 495<tt class="prompt">root# </tt> getent passwd 496... 497MEGANET2+root:x:10000:10001:NetBIOS Domain Admin: 498 /home/MEGANET2/root:/bin/bash 499MEGANET2+nobody:x:10001:10001:nobody: 500 /home/MEGANET2/nobody:/bin/bash 501MEGANET2+jht:x:10002:10001:John H Terpstra: 502 /home/MEGANET2/jht:/bin/bash 503MEGANET2+maryv:x:10003:10001:Mary Vortexis: 504 /home/MEGANET2/maryv:/bin/bash 505MEGANET2+billr:x:10004:10001:William Randalph: 506 /home/MEGANET2/billr:/bin/bash 507MEGANET2+jelliott:x:10005:10001:John G Elliott: 508 /home/MEGANET2/jelliott:/bin/bash 509MEGANET2+dbrady:x:10006:10001:Darren Brady: 510 /home/MEGANET2/dbrady:/bin/bash 511MEGANET2+joeg:x:10007:10001:Joe Green: 512 /home/MEGANET2/joeg:/bin/bash 513MEGANET2+balap:x:10008:10001:Bala Pillay: 514 /home/MEGANET2/balap:/bin/bash 515</pre><p> 516 The user account information has been correctly obtained. This information has 517 been merged with the winbind template information configured in the <tt class="filename">smb.conf</tt> file. 518</p><pre class="screen"> 519<tt class="prompt">root# </tt># getent group 520... 521MEGANET2+Domain Admins:x:10000:MEGANET2+root,MEGANET2+jht 522MEGANET2+Domain Users:x:10001:MEGANET2+jht,MEGANET2+maryv,\ 523 MEGANET2+billr,MEGANET2+jelliott,MEGANET2+dbrady,\ 524 MEGANET2+joeg,MEGANET2+balap 525MEGANET2+Domain Guests:x:10002:MEGANET2+nobody 526MEGANET2+Accounts:x:10003: 527MEGANET2+Finances:x:10004: 528MEGANET2+PIOps:x:10005: 529</pre><p> 530 </p></li><li><p> 531 The Samba member server of a Windows NT4 Domain is ready for use. 532 </p></li></ol></div><div class="example"><a name="ch0-NT4DSDM"></a><p class="title"><b>Example�10.5.�Samba Domain Member Server smb.conf File for NT4 Domain</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2581125"></a><i class="parameter"><tt> 533 534 unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2581140"></a><i class="parameter"><tt> 535 536 workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2581156"></a><i class="parameter"><tt> 537 538 security = DOMAIN</tt></i></td></tr><tr><td><a class="indexterm" name="id2581171"></a><i class="parameter"><tt> 539 540 username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2581188"></a><i class="parameter"><tt> 541 542 log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2581203"></a><i class="parameter"><tt> 543 544 syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2581218"></a><i class="parameter"><tt> 545 546 log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2581233"></a><i class="parameter"><tt> 547 548 max log size = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2581249"></a><i class="parameter"><tt> 549 550 smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2581264"></a><i class="parameter"><tt> 551 552 name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2581280"></a><i class="parameter"><tt> 553 554 printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2581295"></a><i class="parameter"><tt> 555 556 wins server = 192.168.2.1</tt></i></td></tr><tr><td><a class="indexterm" name="id2581311"></a><i class="parameter"><tt> 557 558 idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2581326"></a><i class="parameter"><tt> 559 560 idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2581342"></a><i class="parameter"><tt> 561 562 template primary group = "Domain Users"</tt></i></td></tr><tr><td><a class="indexterm" name="id2581358"></a><i class="parameter"><tt> 563 564 template shell = /bin/bash</tt></i></td></tr><tr><td><a class="indexterm" name="id2581373"></a><i class="parameter"><tt> 565 566 winbind separator = +</tt></i></td></tr><tr><td><a class="indexterm" name="id2581389"></a><i class="parameter"><tt> 567 568 printer admin = root</tt></i></td></tr><tr><td><a class="indexterm" name="id2581405"></a><i class="parameter"><tt> 569 570 hosts allow = 192.168.2., 192.168.3., 127.</tt></i></td></tr><tr><td><a class="indexterm" name="id2581421"></a><i class="parameter"><tt> 571 572 printing = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2581445"></a><i class="parameter"><tt> 573 574 comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2581460"></a><i class="parameter"><tt> 575 576 valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2581476"></a><i class="parameter"><tt> 577 578 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2581491"></a><i class="parameter"><tt> 579 580 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2581515"></a><i class="parameter"><tt> 581 582 comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2581531"></a><i class="parameter"><tt> 583 584 path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2581546"></a><i class="parameter"><tt> 585 586 guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2581562"></a><i class="parameter"><tt> 587 588 printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2581577"></a><i class="parameter"><tt> 589 590 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2581601"></a><i class="parameter"><tt> 591 592 comment = Printer Drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2581617"></a><i class="parameter"><tt> 593 594 path = /var/lib/samba/drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2581632"></a><i class="parameter"><tt> 595 596 admin users = root, Administrator</tt></i></td></tr><tr><td><a class="indexterm" name="id2581649"></a><i class="parameter"><tt> 597 598 write list = root</tt></i></td></tr></table></div><div class="example"><a name="ch9-nsswbnd"></a><p class="title"><b>Example�10.6.�Name Service Switch Control File: <tt class="filename">/etc/nsswitch.conf</tt></b></p><pre class="screen"> 599# /etc/nsswitch.conf 600 601passwd: compat winbind 602group: compat winbind 603 604hosts: files dns wins 605networks: files dns 606 607services: files 608protocols: files 609rpc: files 610ethers: files 611netmasks: files 612netgroup: files 613publickey: files 614 615bootparams: files 616automount: files 617aliases: files 618</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adssdm"></a>Active Directory Domain with Samba Domain Member Server</h3></div></div></div><p><a class="indexterm" name="id2581703"></a><a class="indexterm" name="id2581714"></a><a class="indexterm" name="id2581722"></a> 619 One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory 620 Domain using Kerberos protocols. This makes it possible to operate an entire Windows network 621 without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An 622 exhaustively complete discussion of the protocols is not possible in this book; perhaps a 623 later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate 624 in. For now, we simply focus on how a Samba-3 server can be made a Domain Member server. 625 </p><p><a class="indexterm" name="id2581746"></a><a class="indexterm" name="id2581754"></a><a class="indexterm" name="id2581762"></a><a class="indexterm" name="id2581770"></a> 626 The diagram in <a href="unixclients.html#ch9-adsdc" title="Figure�10.3.�Active Directory Domain: Samba Member Server">???</a> demonstrates how Samba-3 interfaces with 627 Microsoft Active Directory components. It should be noted that if Microsoft Windows Services 628 for UNIX has been installed and correctly configured, it is possible to use client LDAP 629 for Identity resolution just as can be done with Samba-3 when using an LDAP passdb backend. 630 The UNIX tool that you need for this, as in the case of LDAP on UNIX/Linux, is the PADL 631 Software nss_ldap tool-set. Compared with use of winbind and Kerberos, the use of 632 LDAP-based Identity resolution is a little less secure. In view of the fact that this solution 633 requires additional software to be installed on the Windows 200x ADS Domain Controllers, 634 and that means more management overhead, it is likely that most Samba-3 ADS client sites 635 may elect to use winbind. 636 </p><p> 637 Do not attempt to use this procedure if you are not 100 percent certain that the build of Samba-3 638 you are using has been compiled and linked with all the tools necessary for this to work. 639 Given the importance of this step, you must first validate that the Samba-3 message block 640 daemon (<span><b class="command">smbd</b></span>) has the necessary features. 641 </p><p> 642 The hypothetical domain you are using in this example assumes that the Abmas London office 643 decided to take their own lead (some would say this is a typical behavior in a global 644 corporate world; besides, a little divergence and conflict makes for an interesting life). 645 The Windows Server 2003 ADS Domain is called <tt class="constant">london.abmas.biz</tt> and the 646 name of the server is <tt class="constant">W2K3S</tt>. In ADS realm terms, the Domain Controller 647 is known as <tt class="constant">w2k3s.london.abmas.biz</tt>. In NetBIOS nomenclature, the 648 Domain Name is <tt class="constant">LONDON</tt> and the server name is <tt class="constant">W2K3S</tt>. 649 </p><div class="figure"><a name="ch9-adsdc"></a><p class="title"><b>Figure�10.3.�Active Directory Domain: Samba Member Server</b></p><div class="mediaobject"><img src="images/chap9-ADSDC.png" width="324" alt="Active Directory Domain: Samba Member Server"></div></div><div class="procedure"><ol type="1"><li><p><a class="indexterm" name="id2581894"></a> 650 Before you try to use Samba-3, you want to know for certain that your executables have 651 support for Kerberos and for LDAP. Execute the following to identify whether or 652 not this build is perhaps suitable for use: 653</p><pre class="screen"> 654<tt class="prompt">root# </tt> cd /usr/sbin 655<tt class="prompt">root# </tt> smbd -b | grep KRB 656 HAVE_KRB5_H 657 HAVE_ADDR_TYPE_IN_KRB5_ADDRESS 658 HAVE_KRB5 659 HAVE_KRB5_AUTH_CON_SETKEY 660 HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES 661 HAVE_KRB5_GET_PW_SALT 662 HAVE_KRB5_KEYBLOCK_KEYVALUE 663 HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK 664 HAVE_KRB5_MK_REQ_EXTENDED 665 HAVE_KRB5_PRINCIPAL_GET_COMP_STRING 666 HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES 667 HAVE_KRB5_STRING_TO_KEY 668 HAVE_KRB5_STRING_TO_KEY_SALT 669 HAVE_LIBKRB5 670</pre><p> 671 The above output was obtained on a SuSE Linux system and shows the output for 672 Samba that has been compiled and linked with the Heimdal Kerberos libraries. 673 The following is a typical output that will be found on a Red Hat Linux system that 674 has been linked with the MIT Kerberos libraries: 675</p><pre class="screen"> 676<tt class="prompt">root# </tt> cd /usr/sbin 677<tt class="prompt">root# </tt> smbd -b | grep KRB 678 HAVE_KRB5_H 679 HAVE_ADDRTYPE_IN_KRB5_ADDRESS 680 HAVE_KRB5 681 HAVE_KRB5_AUTH_CON_SETUSERUSERKEY 682 HAVE_KRB5_ENCRYPT_DATA 683 HAVE_KRB5_FREE_DATA_CONTENTS 684 HAVE_KRB5_FREE_KTYPES 685 HAVE_KRB5_GET_PERMITTED_ENCTYPES 686 HAVE_KRB5_KEYTAB_ENTRY_KEY 687 HAVE_KRB5_LOCATE_KDC 688 HAVE_KRB5_MK_REQ_EXTENDED 689 HAVE_KRB5_PRINCIPAL2SALT 690 HAVE_KRB5_PRINC_COMPONENT 691 HAVE_KRB5_SET_DEFAULT_TGS_KTYPES 692 HAVE_KRB5_SET_REAL_TIME 693 HAVE_KRB5_STRING_TO_KEY 694 HAVE_KRB5_TKT_ENC_PART2 695 HAVE_KRB5_USE_ENCTYPE 696 HAVE_LIBGSSAPI_KRB5 697 HAVE_LIBKRB5 698</pre><p> 699 You can validate that Samba has been compiled and linked with LDAP support 700 by executing: 701</p><pre class="screen"> 702<tt class="prompt">root# </tt> smbd -b | grep LDAP 703massive:/usr/sbin # smbd -b | grep LDAP 704 HAVE_LDAP_H 705 HAVE_LDAP 706 HAVE_LDAP_DOMAIN2HOSTLIST 707 HAVE_LDAP_INIT 708 HAVE_LDAP_INITIALIZE 709 HAVE_LDAP_SET_REBIND_PROC 710 HAVE_LIBLDAP 711 LDAP_SET_REBIND_PROC_ARGS 712</pre><p> 713 This does look promising; <span><b class="command">smbd</b></span> has been built with Kerberos and LDAP 714 support. You are relieved to know that it is safe to progress. 715 </p></li><li><p><a class="indexterm" name="id2581994"></a><a class="indexterm" name="id2582006"></a><a class="indexterm" name="id2582014"></a><a class="indexterm" name="id2582022"></a><a class="indexterm" name="id2582033"></a><a class="indexterm" name="id2582044"></a><a class="indexterm" name="id2582052"></a><a class="indexterm" name="id2582060"></a><a class="indexterm" name="id2582068"></a> 716 The next step is to identify which version of the Kerberos libraries have been used. 717 In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is 718 essential that it has been linked with either MIT Kerberos version 1.3.1 or later, 719 or that it has been linked with Heimdal Kerberos 0.6 plus specific patches. You may 720 identify what version of the MIT Kerberos libraries are installed on your system by 721 executing (on Red Hat Linux): 722</p><pre class="screen"> 723<tt class="prompt">root# </tt> rpm -q krb5 724</pre><p> 725 Or on SUSE Linux, execute: 726</p><pre class="screen"> 727<tt class="prompt">root# </tt> rpm -q heimdal 728</pre><p> 729 Please note that the RPMs provided by the Samba-Team are known to be working and have 730 been validated. Red Hat Linux RPMs may be obtained from the Samba FTP sites. SUSE 731 Linux RPMs may be obtained from <a href="ftp://ftp.sernet.de" target="_top">Sernet</a> in 732 Germany. 733 </p><p> 734 From this point on, you are certain that the Samba-3 build you are using has the 735 necessary capabilities. You can now configure Samba-3 and the name service 736 switcher (NSS). 737 </p></li><li><p> 738 Using you favorite editor, configure the <tt class="filename">smb.conf</tt> file that is located in the 739 <tt class="filename">/etc/samba</tt> directory so that it has the contents shown 740 in <a href="unixclients.html#ch9-adssdm" title="Example�10.7.�Samba Domain Member smb.conf File for Active Directory Membership">???</a>. 741 </p></li><li><p> 742 Edit or create the NSS control file so it has the contents shown in <a href="unixclients.html#ch9-nsswbnd" title="Example�10.6.�Name Service Switch Control File: /etc/nsswitch.conf">???</a>. 743 </p></li><li><p><a class="indexterm" name="id2582172"></a> 744 Delete the file <tt class="filename">/etc/samba/secrets.tdb</tt>, if it exists. Of course, you 745 do keep a backup, don't you? 746 </p></li><li><p> 747 Delete the tdb files that cache Samba information. You keep a backup of the old 748 files, of course. You also remove all files to ensure that nothing can pollute your 749 nice, new configuration. Execute the following (example is for SUSE Linux): 750</p><pre class="screen"> 751<tt class="prompt">root# </tt> rm /var/lib/samba/*tdb 752</pre><p> 753 </p></li><li><p><a class="indexterm" name="id2582217"></a> 754 Validate your <tt class="filename">smb.conf</tt> file using <span><b class="command">testparm</b></span> (as you have 755 done previously). Correct all errors reported before proceeding. The command you 756 execute is: 757</p><pre class="screen"> 758<tt class="prompt">root# </tt> testparm -s | less 759</pre><p> 760 Now that you are satisfied that your Samba server is ready to join the Windows 761 ADS Domain, let's move on. 762 </p></li><li><p><a class="indexterm" name="id2582259"></a><a class="indexterm" name="id2582273"></a> 763 This is a good time to double-check everything and then execute the following 764 command when everything you have done has checked out okay: 765</p><pre class="screen"> 766<tt class="prompt">root# </tt> net ads join -UAdministrator%not24get 767Using short domain name -- LONDON 768Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ' 769</pre><p> 770 You have successfully made your Samba-3 server a member of the ADS Domain 771 using Kerberos protocols. 772 </p><p><a class="indexterm" name="id2582302"></a><a class="indexterm" name="id2582310"></a> 773 In the event that you receive no output messages, a silent return means that the 774 Domain join failed. You should use <span><b class="command">ethereal</b></span> to identify what 775 may be failing. Common causes of a failed join include: 776 777 </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2582333"></a> 778 Defective or misconfigured DNS name resolution. 779 </p></li><li><p><a class="indexterm" name="id2582350"></a> 780 Restrictive security settings on the Windows 200x ADS Domain controller 781 preventing needed communications protocols. You can check this by searching 782 the Windows Server 200x Event Viewer. 783 </p></li><li><p> 784 Incorrectly configured <tt class="filename">smb.conf</tt> file settings. 785 </p></li><li><p> 786 Lack of support of necessary Kerberos protocols because the version of MIT 787 Kerberos (or Heimdal) in use is not up to date enough to support the necessary 788 functionality. 789 </p></li></ul></div><p> 790 <a class="indexterm" name="id2582383"></a><a class="indexterm" name="id2582397"></a><a class="indexterm" name="id2582405"></a> 791 In any case, never execute the <span><b class="command">net rpc join</b></span> command in an attempt 792 to join the Samba server to the Domain, unless you wish not to use the Kerberos 793 security protocols. Use of the older RPC-based Domain join facility requires that 794 Windows Server 200x ADS has been configured appropriately for mixed mode operation. 795 </p></li><li><p><a class="indexterm" name="id2582431"></a><a class="indexterm" name="id2582439"></a> 796 If the <span><b class="command">tdbdump</b></span> is installed on your system (not essential), 797 you can look inside the <tt class="filename">/etc/samba/secrets.tdb</tt> file. If 798 you wish to do this, execute: 799</p><pre class="screen"> 800<tt class="prompt">root# </tt> tdbdump secrets.tdb 801{ 802key = "SECRETS/SID/LONDON" 803data = "\01\04\00\00\00\00\00\05\15\00\00\00\EBw\86\F1\ED\BD\ 804 F6{\5C6\E5W\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ 805 00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ 806 00\00\00\00\00\00\00\00" 807} 808{ 809key = "SECRETS/MACHINE_PASSWORD/LONDON" 810data = "le3Q5FPnN5.ueC\00" 811} 812{ 813key = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/LONDON" 814data = "\02\00\00\00" 815} 816{ 817key = "SECRETS/MACHINE_LAST_CHANGE_TIME/LONDON" 818data = "E\89\F6?" 819} 820</pre><p> 821 This is given to demonstrate to the skeptics that this process truly does work. 822 </p></li><li><p> 823 It is now time to start Samba in the usual way (as has been done many time before 824 in this book). 825 </p></li><li><p><a class="indexterm" name="id2582497"></a> 826 This is a good time to verify that everything is working. First, check that 827 winbind is able to obtain the list of users and groups from the ADS Domain Controller. 828 Execute the following: 829</p><pre class="screen"> 830<tt class="prompt">root# </tt> wbinfo -u 831LONDON+Administrator 832LONDON+Guest 833LONDON+SUPPORT_388945a0 834LONDON+krbtgt 835LONDON+jht 836</pre><p> 837 Good, the list of users was obtained. Now do likewise for group accounts: 838</p><pre class="screen"> 839<tt class="prompt">root# </tt> wbinfo -g 840LONDON+Domain Computers 841LONDON+Domain Controllers 842LONDON+Schema Admins 843LONDON+Enterprise Admins 844LONDON+Domain Admins 845LONDON+Domain Users 846LONDON+Domain Guests 847LONDON+Group Policy Creator Owners 848LONDON+DnsUpdateProxy 849</pre><p> 850 Excellent. That worked also, as expected. 851 </p></li><li><p><a class="indexterm" name="id2582545"></a> 852 Now repeat this via NSS to validate that full Identity resolution is 853 functional as required. Execute: 854</p><pre class="screen"> 855<tt class="prompt">root# </tt> getent passwd 856... 857LONDON+Administrator:x:10000:10000:Administrator: 858 /home/LONDON/administrator:/bin/bash 859LONDON+Guest:x:10001:10001:Guest: 860 /home/LONDON/guest:/bin/bash 861LONDON+SUPPORT_388945a0:x:10002:10000:SUPPORT_388945a0: 862 /home/LONDON/support_388945a0:/bin/bash 863LONDON+krbtgt:x:10003:10000:krbtgt: 864 /home/LONDON/krbtgt:/bin/bash 865LONDON+jht:x:10004:10000:John H. Terpstra: 866 /home/LONDON/jht:/bin/bash 867</pre><p> 868 Okay, ADS user accounts are being resolved. Now you try group resolution as follows: 869</p><pre class="screen"> 870<tt class="prompt">root# </tt> getent group 871... 872LONDON+Domain Computers:x:10002: 873LONDON+Domain Controllers:x:10003: 874LONDON+Schema Admins:x:10004:LONDON+Administrator 875LONDON+Enterprise Admins:x:10005:LONDON+Administrator 876LONDON+Domain Admins:x:10006:LONDON+jht,LONDON+Administrator 877LONDON+Domain Users:x:10000: 878LONDON+Domain Guests:x:10001: 879LONDON+Group Policy Creator Owners:x:10007:LONDON+Administrator 880LONDON+DnsUpdateProxy:x:10008: 881</pre><p> 882 This is very pleasing. Everything works as expected. 883 </p></li><li><p><a class="indexterm" name="id2582602"></a><a class="indexterm" name="id2582616"></a><a class="indexterm" name="id2582628"></a> 884 You may now perform final verification that communications between Samba-3 winbind and 885 the Active Directory server is using Kerberos protocols. Execute the following: 886</p><pre class="screen"> 887<tt class="prompt">root# </tt> net ads info 888LDAP server: 192.168.2.123 889LDAP server name: w2k3s 890Realm: LONDON.ABMAS.BIZ 891Bind Path: dc=LONDON,dc=ABMAS,dc=BIZ 892LDAP port: 389 893Server time: Sat, 03 Jan 2004 02:44:44 GMT 894KDC server: 192.168.2.123 895Server time offset: 2 896</pre><p> 897 It should be noted that Kerberos protocols are time-clock critical. You should 898 keep all server time clocks synchronized using the network time protocol (NTP). 899 In any case, the output we obtained confirms that all systems are operational. 900 </p></li><li><p><a class="indexterm" name="id2582665"></a> 901 There is one more action you elect to take, just because you are paranoid and disbelieving, 902 so you execute the following command: 903</p><pre class="programlisting"> 904<tt class="prompt">root# </tt> net ads status -UAdministrator%not24get 905objectClass: top 906objectClass: person 907objectClass: organizationalPerson 908objectClass: user 909objectClass: computer 910cn: fran 911distinguishedName: CN=fran,CN=Computers,DC=london,DC=abmas,DC=biz 912instanceType: 4 913whenCreated: 20040103092006.0Z 914whenChanged: 20040103092006.0Z 915uSNCreated: 28713 916uSNChanged: 28717 917name: fran 918objectGUID: 58f89519-c467-49b9-acb0-f099d73696e 919userAccountControl: 69632 920badPwdCount: 0 921codePage: 0 922countryCode: 0 923badPasswordTime: 0 924lastLogoff: 0 925lastLogon: 127175965783327936 926localPolicyFlags: 0 927pwdLastSet: 127175952062598496 928primaryGroupID: 515 929objectSid: S-1-5-21-4052121579-2079768045-1474639452-1109 930accountExpires: 9223372036854775807 931logonCount: 13 932sAMAccountName: fran$ 933sAMAccountType: 805306369 934operatingSystem: Samba 935operatingSystemVersion: 3.0.12-SUSE 936dNSHostName: fran 937userPrincipalName: HOST/fran@LONDON.ABMAS.BIZ 938servicePrincipalName: CIFS/fran.london.abmas.biz 939servicePrincipalName: CIFS/fran 940servicePrincipalName: HOST/fran.london.abmas.biz 941servicePrincipalName: HOST/fran 942objectCategory: CN=Computer,CN=Schema,CN=Configuration, 943 DC=london,DC=abmas,DC=biz 944isCriticalSystemObject: FALSE 945-------------- Security Descriptor (revision: 1, type: 0x8c14) 946owner SID: S-1-5-21-4052121579-2079768045-1474639452-512 947group SID: S-1-5-21-4052121579-2079768045-1474639452-513 948------- (system) ACL (revision: 4, size: 120, number of ACEs: 2) 949------- ACE (type: 0x07, flags: 0x5a, size: 0x38, 950 mask: 0x20, object flags: 0x3) 951access SID: S-1-1-0 952access type: AUDIT OBJECT 953Permissions: 954 [Write All Properties] 955------- ACE (type: 0x07, flags: 0x5a, size: 0x38, 956 mask: 0x20, object flags: 0x3) 957access SID: S-1-1-0 958access type: AUDIT OBJECT 959Permissions: 960 [Write All Properties] 961------- (user) ACL (revision: 4, size: 1944, number of ACEs: 40) 962------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff) 963access SID: S-1-5-21-4052121579-2079768045-1474639452-512 964access type: ALLOWED 965Permissions: [Full Control] 966------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff) 967access SID: S-1-5-32-548 968... 969------- ACE (type: 0x05, flags: 0x12, size: 0x38, 970 mask: 0x10, object flags: 0x3) 971access SID: S-1-5-9 972access type: ALLOWED OBJECT 973Permissions: 974 [Read All Properties] 975-------------- End Of Security Descriptor 976</pre><p> 977 And now you have conclusive proof that your Samba-3 ADS Domain Member Server 978 called <tt class="constant">FRAN</tt>, is able to communicate fully with the ADS 979 Domain Controllers. 980 </p></li></ol></div><p> 981 Your Samba-3 ADS Domain Member server is ready for use. During training sessions, 982 you may be asked what is inside the <tt class="filename">winbindd_cache.tdb and winbindd_idmap.tdb</tt> 983 files. Since curiosity just took hold of you, execute the following: 984</p><pre class="programlisting"> 985<tt class="prompt">root# </tt> tdbdump /var/lib/samba/winbindd_idmap.tdb 986{ 987key = "S-1-5-21-4052121579-2079768045-1474639452-501\00" 988data = "UID 10001\00" 989} 990{ 991key = "UID 10005\00" 992data = "S-1-5-21-4052121579-2079768045-1474639452-1111\00" 993} 994{ 995key = "GID 10004\00" 996data = "S-1-5-21-4052121579-2079768045-1474639452-518\00" 997} 998{ 999key = "S-1-5-21-4052121579-2079768045-1474639452-502\00" 1000data = "UID 10003\00" 1001} 1002... 1003 1004<tt class="prompt">root# </tt> tdbdump /var/lib/samba/winbindd_cache.tdb 1005{ 1006key = "UL/LONDON" 1007data = "\00\00\00\00bp\00\00\06\00\00\00\0DAdministrator\0D 1008 Administrator-S-1-5-21-4052121579-2079768045-1474639452-500- 1009 S-1-5-21-4052121579-2079768045-1474639452-513\05Guest\05 1010 Guest-S-1-5-21-4052121579-2079768045-1474639452-501- 1011 S-1-5-21-4052121579-2079768045-1474639452-514\10 1012 SUPPORT_388945a0\10SUPPORT_388945a0. 1013 S-1-5-21-4052121579-2079768045-1474639452-1001- 1014 S-1-5-21-4052121579-2079768045-1474639452-513\06krbtgt\06 1015 krbtgt-S-1-5-21-4052121579-2079768045-1474639452-502- 1016 S-1-5-21-4052121579-2079768045-1474639452-513\03jht\10 1017 John H. Terpstra.S-1-5-21-4052121579-2079768045-1474639452-1110- 1018 S-1-5-21-4052121579-2079768045-1474639452-513" 1019} 1020{ 1021key = "GM/S-1-5-21-4052121579-2079768045-1474639452-512" 1022data = "\00\00\00\00bp\00\00\02\00\00\00. 1023 S-1-5-21-4052121579-2079768045-1474639452-1110\03 1024 jht\01\00\00\00-S-1-5-21-4052121579-2079768045-1474639452-500\0D 1025 Administrator\01\00\00\00" 1026} 1027{ 1028key = "SN/S-1-5-21-4052121579-2079768045-1474639452-513" 1029data = "\00\00\00\00xp\00\00\02\00\00\00\0CDomain Users" 1030} 1031{ 1032key = "GM/S-1-5-21-4052121579-2079768045-1474639452-518" 1033data = "\00\00\00\00bp\00\00\01\00\00\00- 1034 S-1-5-21-4052121579-2079768045-1474639452-500\0D 1035 Administrator\01\00\00\00" 1036} 1037{ 1038key = "SEQNUM/LONDON\00" 1039data = "xp\00\00C\92\F6?" 1040} 1041{ 1042key = "U/S-1-5-21-4052121579-2079768045-1474639452-1110" 1043data = "\00\00\00\00xp\00\00\03jht\10John H. Terpstra. 1044 S-1-5-21-4052121579-2079768045-1474639452-1110- 1045 S-1-5-21-4052121579-2079768045-1474639452-513" 1046} 1047{ 1048key = "NS/S-1-5-21-4052121579-2079768045-1474639452-502" 1049data = "\00\00\00\00bp\00\00- 1050 S-1-5-21-4052121579-2079768045-1474639452-502" 1051} 1052{ 1053key = "SN/S-1-5-21-4052121579-2079768045-1474639452-1001" 1054data = "\00\00\00\00bp\00\00\01\00\00\00\10SUPPORT_388945a0" 1055} 1056{ 1057key = "SN/S-1-5-21-4052121579-2079768045-1474639452-500" 1058data = "\00\00\00\00bp\00\00\01\00\00\00\0DAdministrator" 1059} 1060{ 1061key = "U/S-1-5-21-4052121579-2079768045-1474639452-502" 1062data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt- 1063 S-1-5-21-4052121579-2079768045-1474639452-502- 1064 S-1-5-21-4052121579-2079768045-1474639452-513" 1065} 1066.... 1067</pre><p> 1068 Now all is revealed. Your curiosity, as well as that of those with you, has been put at ease. 1069 May this server serve well all who happen upon it. 1070 </p><div class="example"><a name="ch9-adssdm"></a><p class="title"><b>Example�10.7.�Samba Domain Member smb.conf File for Active Directory Membership</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2582852"></a><i class="parameter"><tt> 1071 1072 unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2582868"></a><i class="parameter"><tt> 1073 1074 workgroup = LONDON</tt></i></td></tr><tr><td><a class="indexterm" name="id2582883"></a><i class="parameter"><tt> 1075 1076 realm = LONDON.ABMAS.BIZ</tt></i></td></tr><tr><td><a class="indexterm" name="id2582899"></a><i class="parameter"><tt> 1077 1078 server string = Samba 3.0.12</tt></i></td></tr><tr><td><a class="indexterm" name="id2582914"></a><i class="parameter"><tt> 1079 1080 security = ADS</tt></i></td></tr><tr><td><a class="indexterm" name="id2582930"></a><i class="parameter"><tt> 1081 1082 username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2582946"></a><i class="parameter"><tt> 1083 1084 log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2582961"></a><i class="parameter"><tt> 1085 1086 syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2582976"></a><i class="parameter"><tt> 1087 1088 log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2582991"></a><i class="parameter"><tt> 1089 1090 max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2583007"></a><i class="parameter"><tt> 1091 1092 printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2583023"></a><i class="parameter"><tt> 1093 1094 ldap ssl = no</tt></i></td></tr><tr><td><a class="indexterm" name="id2583038"></a><i class="parameter"><tt> 1095 1096 idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2583053"></a><i class="parameter"><tt> 1097 1098 idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2583069"></a><i class="parameter"><tt> 1099 1100 template primary group = "Domain Users"</tt></i></td></tr><tr><td><a class="indexterm" name="id2583085"></a><i class="parameter"><tt> 1101 1102 template shell = /bin/bash</tt></i></td></tr><tr><td><a class="indexterm" name="id2583100"></a><i class="parameter"><tt> 1103 1104 winbind separator = +</tt></i></td></tr><tr><td><a class="indexterm" name="id2583116"></a><i class="parameter"><tt> 1105 1106 printing = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2583140"></a><i class="parameter"><tt> 1107 1108 comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2583156"></a><i class="parameter"><tt> 1109 1110 valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2583171"></a><i class="parameter"><tt> 1111 1112 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2583187"></a><i class="parameter"><tt> 1113 1114 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2583211"></a><i class="parameter"><tt> 1115 1116 comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2583226"></a><i class="parameter"><tt> 1117 1118 path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2583242"></a><i class="parameter"><tt> 1119 1120 guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2583257"></a><i class="parameter"><tt> 1121 1122 printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2583272"></a><i class="parameter"><tt> 1123 1124 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2583297"></a><i class="parameter"><tt> 1125 1126 comment = Printer Drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2583312"></a><i class="parameter"><tt> 1127 1128 path = /var/lib/samba/drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2583328"></a><i class="parameter"><tt> 1129 1130 admin users = root, Administrator</tt></i></td></tr><tr><td><a class="indexterm" name="id2583344"></a><i class="parameter"><tt> 1131 1132 write list = root</tt></i></td></tr></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583360"></a>UNIX/Linux Client Domain Member</h3></div></div></div><p><a class="indexterm" name="id2583367"></a> 1133 So far this chapter has been mainly concerned with the provision of file and print 1134 services for Domain Member servers. However, an increasing number of UNIX/Linux 1135 workstations are being installed that do not act as file or print servers to anyone 1136 other than a single desktop user. The key demand for desktop systems is to be able 1137 to log onto any UNIX/Linux or Windows desktop using the same network user credentials. 1138 </p><p><a class="indexterm" name="id2583393"></a> 1139 The ability to use a common set of user credential across a variety of network systems 1140 is generally regarded as a Single Sign-On (SOS) solution. SOS systems are sold by a 1141 large number of vendors and include a range of technologies such as: 1142 </p><div class="itemizedlist"><ul type="disc"><li><p> 1143 Proxy sign-on 1144 </p></li><li><p> 1145 Federated directory provisioning 1146 </p></li><li><p> 1147 Meta-directory server solutions 1148 </p></li><li><p> 1149 Replacement authentication systems 1150 </p></li></ul></div><p><a class="indexterm" name="id2583434"></a> 1151 There are really only three solutions that provide integrated authentication and 1152 user Identity management facilities: 1153 </p><div class="itemizedlist"><ul type="disc"><li><p> 1154 Samba Winbind (free) 1155 </p></li><li><p> 1156 <a href="http://www.padl.com" target="_top">PADL</a> PAM and LDAP Tools (free) 1157 </p></li><li><p> 1158 <a href="http://www.vintela.com" target="_top">Vintela</a> Authentication Services (Commercial) 1159 </p></li></ul></div><p> 1160 The following guidelines are pertinent in respect of the deployment of winbind-based authentication 1161 and Identity resolution with the express purpose of allowing users to log onto UNIX/Linux desktops 1162 using Windows network Domain user credentials (username and password). 1163 </p><p> 1164 You should note that it is possible to use LDAP-based PAM and NSS tools to permit distributed 1165 systems logons (SSO) providing user and group accounts are stored in an LDAP directory. This 1166 provides logon services for UNIX/Linux users, while Windows users obtain their sign-on 1167 support via Samba-3. 1168 </p><p><a class="indexterm" name="id2583494"></a> 1169 On the other hand, if the authentication and Identity resolution backend must be provided by 1170 a Windows NT4 style Domain or from an Active Directory Domain that does not have the Microsoft 1171 Windows Services for UNIX (SUS) installed, winbind is your best friend. Specific guidance for these 1172 situations now follows. 1173 </p><p><a class="indexterm" name="id2583514"></a><a class="indexterm" name="id2583522"></a><a class="indexterm" name="id2583530"></a> 1174 To permit users to log onto a Linux system using Windows network credentials, you need to 1175 configure Identity resolution (NSS) and PAM. This means that the basic steps include those 1176 outlined above with the addition of PAM configuration. Given that most workstations (desktop/client) 1177 usually do not need to provide file and print services to a group of users, the configuration 1178 of shares and printers is generally less important. Often this allows the share specifications 1179 to be entirely removed from the <tt class="filename">smb.conf</tt> file. That is obviously an administrator decision. 1180 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2583555"></a>NT4 Domain Member</h4></div></div></div><p> 1181 The following steps provide a Linux system that users can log onto using 1182 Windows NT4 Domain (or Samba-3) Domain network credentials: 1183 </p><div class="procedure"><ol type="1"><li><p> 1184 Follow the steps outlined in <a href="unixclients.html#wdcsdm" title="NT4/Samba Domain with Samba Domain Member Server Using Winbind">???</a> and ensure that 1185 all validation tests function as shown. 1186 </p></li><li><p> 1187 Identify what services users must log onto. On Red Hat Linux, if it is 1188 intended that the user shall be given access to all services, it may be 1189 most expeditious to simply configure the file 1190 <tt class="filename">/etc/pam.d/system-auth</tt>. 1191 </p></li><li><p> 1192 Carefully make a backup copy of all PAM configuration files before you 1193 begin making changes. If you break the PAM configuration, please note 1194 that you may need to use an emergency boot process to recover your Linux 1195 system. It is possible to break the ability to log into the system if 1196 PAM files are incorrectly configured. The entire directory 1197 <tt class="filename">/etc/pam.d</tt> should be backed up to a safe location. 1198 </p></li><li><p> 1199 If you require only console login support, edit the <tt class="filename">/etc/pam.d/login</tt> 1200 so it matches <a href="unixclients.html#ch9-pamwnbdlogin" title="Example�10.8.�SUSE: PAM login Module Using Winbind">???</a>. 1201 </p></li><li><p> 1202 To provide the ability to log onto the graphical desktop interface, you must edit 1203 the files <tt class="filename">gdm</tt> and <tt class="filename">xdm</tt> in the 1204 <tt class="filename">/etc/pam.d</tt> directory. 1205 </p></li><li><p> 1206 Edit only one file at a time. Carefully validate its operation before attempting 1207 to reboot the machine. 1208 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2583678"></a>ADS Domain Member</h4></div></div></div><p> 1209 This procedure should be followed to permit a Linux network client (workstation/desktop) 1210 to permit users to log on using Microsoft Active Directory based user credentials. 1211 </p><div class="procedure"><ol type="1"><li><p> 1212 Follow the steps outlined in <a href="unixclients.html#adssdm" title="Active Directory Domain with Samba Domain Member Server">???</a> and ensure that 1213 all validation tests function as shown. 1214 </p></li><li><p> 1215 Identify what services users must log onto. On Red Hat Linux, if it is 1216 intended that the user shall be given access to all services, it may be 1217 most expeditious to simply configure the file 1218 <tt class="filename">/etc/pam.d/system-auth</tt> as shown in <a href="unixclients.html#ch9-rhsysauth" title="Example�10.10.�Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind">???</a>. 1219 </p></li><li><p> 1220 Carefully make a backup copy of all PAM configuration files before you 1221 begin making changes. If you break the PAM configuration, please note 1222 that you may need to use an emergency boot process to recover your Linux 1223 system. It is possible to break the ability to log into the system if 1224 PAM files are incorrectly configured. The entire directory 1225 <tt class="filename">/etc/pam.d</tt> should be backed up to a safe location. 1226 </p></li><li><p> 1227 If you require only console login support, edit the <tt class="filename">/etc/pam.d/login</tt> 1228 so it matches <a href="unixclients.html#ch9-pamwnbdlogin" title="Example�10.8.�SUSE: PAM login Module Using Winbind">???</a>. 1229 </p></li><li><p> 1230 To provide the ability to log onto the graphical desktop interface, you must edit 1231 the files <tt class="filename">gdm</tt> and <tt class="filename">xdm</tt> in the 1232 <tt class="filename">/etc/pam.d</tt> directory. 1233 </p></li><li><p> 1234 Edit only one file at a time. Carefully validate its operation before attempting 1235 to reboot the machine. 1236 </p></li></ol></div></div><div class="example"><a name="ch9-pamwnbdlogin"></a><p class="title"><b>Example�10.8.�SUSE: PAM <tt class="filename">login</tt> Module Using Winbind</b></p><pre class="screen"> 1237# /etc/pam.d/login 1238 1239#%PAM-1.0 1240auth sufficient pam_unix2.so nullok 1241auth sufficient pam_winbind.so use_first_pass use_authtok 1242auth required pam_securetty.so 1243auth required pam_nologin.so 1244auth required pam_env.so 1245auth required pam_mail.so 1246account sufficient pam_unix2.so 1247account sufficient pam_winbind.so user_first_pass use_authtok 1248password required pam_pwcheck.so nullok 1249password sufficient pam_unix2.so nullok use_first_pass use_authtok 1250password sufficient pam_winbind.so use_first_pass use_authtok 1251session sufficient pam_unix2.so none 1252session sufficient pam_winbind.so use_first_pass use_authtok 1253session required pam_limits.so 1254</pre></div><div class="example"><a name="ch9-pamwbndxdm"></a><p class="title"><b>Example�10.9.�SUSE: PAM <tt class="filename">xdm</tt> Module Using Winbind</b></p><pre class="screen"> 1255# /etc/pam.d/gdm (/etc/pam.d/xdm) 1256 1257#%PAM-1.0 1258auth sufficient pam_unix2.so nullok 1259auth sufficient pam_winbind.so use_first_pass use_authtok 1260account sufficient pam_unix2.so 1261account sufficient pam_winbind.so use_first_pass use_authtok 1262password sufficient pam_unix2.so 1263password sufficient pam_winbind.so use_first_pass use_authtok 1264session sufficient pam_unix2.so 1265session sufficient pam_winbind.so use_first_pass use_authtok 1266session required pam_dev perm.so 1267session required pam_resmgr.so 1268</pre></div><div class="example"><a name="ch9-rhsysauth"></a><p class="title"><b>Example�10.10.�Red Hat 9: PAM System Authentication File: <tt class="filename">/etc/pam.d/system-auth</tt> Module Using Winbind</b></p><pre class="screen"> 1269#%PAM-1.0 1270auth required /lib/security/$ISA/pam_env.so 1271auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok 1272auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass 1273auth required /lib/security/$ISA/pam_deny.so 1274 1275account required /lib/security/$ISA/pam_unix.so 1276account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass 1277 1278password required /lib/security/$ISA/pam_cracklib.so retry=3 type= 1279# Note: The above line is complete. There is nothing following the '=' 1280password sufficient /lib/security/$ISA/pam_unix.so \ 1281 nullok use_authtok md5 shadow 1282password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass 1283password required /lib/security/$ISA/pam_deny.so 1284 1285session required /lib/security/$ISA/pam_limits.so 1286session sufficient /lib/security/$ISA/pam_unix.so 1287session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass 1288</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583924"></a>Key Points Learned</h3></div></div></div><p> 1289 The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you 1290 learned how to integrate such servers so that the UID/GID mappings they use can be consistent 1291 across all Domain Member servers. You also discovered how to implement the ability to use Samba 1292 or Windows Domain account credentials to log onto a UNIX/Linux client. 1293 </p><p> 1294 The following are key points noted: 1295 </p><div class="itemizedlist"><ul type="disc"><li><p> 1296 Domain Controllers are always authoritative for the Domain. 1297 </p></li><li><p> 1298 Domain Members may have local accounts and must be able to resolve the identity of 1299 Domain user accounts. Domain user account identity must map to a local UID/GID. That 1300 local UID/GID can be stored in LDAP. This way, it is possible to share the IDMAP data 1301 across all Domain Member machines. 1302 </p></li><li><p> 1303 Resolution of user and group identities on Domain Member machines may be implemented 1304 using direct LDAP services or using winbind. 1305 </p></li><li><p> 1306 On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for Identity management 1307 and PAM is responsible for authentication of logon credentials (user name and password). 1308 </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583977"></a>Questions and Answers</h2></div></div></div><p> 1309 The following questions were obtained from the mailing list and also from private discussions 1310 with Windows network administrators. 1311 </p><div class="qandaset"><dl><dt> <a href="unixclients.html#id2583996"> 1312 We use NIS for all UNIX accounts. Why do we need winbind? 1313 </a></dt><dt> <a href="unixclients.html#id2584119"> 1314 Our IT management people do not like LDAP, but are looking at Microsoft Active Directory. 1315 Which is better?Active Directory 1316 </a></dt><dt> <a href="unixclients.html#id2584204"> 1317 We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible 1318 to use NIS in place of LDAP? 1319 </a></dt><dt> <a href="unixclients.html#id2584315"> 1320 Are you suggesting that users should not log onto a Domain Member server? If so, why? 1321 </a></dt><dt> <a href="unixclients.html#id2584436">winbind enable local accounts/etc/passwdoptions listACLshare 1322 In my smb.conf file, I enabled the parameter winbind enable local accounts 1323 on all Domain Member servers, but it does not work. The accounts I put in 1324 /etc/passwd do not show up in the options list when I try to set an 1325 ACL on a share. What have I done wrong? 1326 </a></dt><dt> <a href="unixclients.html#id2584659">trusted domainsdomaintrustedwinbind trusted domains onlydomain members 1327 We want to ensure that only users from our own domain plus from trusted domains can use our 1328 Samba servers. In the smb.conf file on all servers, we have enabled the winbind 1329 trusted domains only parameter. We now find that users from trusted domains 1330 cannot access our servers, and users from Windows clients that are not domain members 1331 can also access our servers. Is this a Samba bug? 1332 </a></dt><dt> <a href="unixclients.html#id2584836"> 1333 What are the benefits of using LDAP for my Domain Member servers? 1334 </a></dt><dt> <a href="unixclients.html#id2585019"> 1335 Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into 1336 my DNS configuration? 1337 </a></dt><dt> <a href="unixclients.html#id2585177"> 1338 Our Windows 2003 Server Active Directory Domain runs with NetBIOS disabled. Can we 1339 use Samba-3 with that configuration? 1340 </a></dt><dt> <a href="unixclients.html#id2585195">netadsjoinnetrpcjoin 1341 When I tried to execute net ads join, I got no output. It did not work, so 1342 I think that it failed. I then executed net rpc join and that worked fine. 1343 That is okay, isn't it? 1344 </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2583996"></a><a name="id2583998"></a><b></b></td><td align="left" valign="top"><p> 1345 We use NIS for all UNIX accounts. Why do we need winbind? 1346 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584008"></a><a class="indexterm" name="id2584016"></a><a class="indexterm" name="id2584024"></a><a class="indexterm" name="id2584032"></a><a class="indexterm" name="id2584040"></a><a class="indexterm" name="id2584048"></a> 1347 You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted 1348 passwords that need to be stored in one of the acceptable passdb backends. 1349 Your choice of backend is limited to <i class="parameter"><tt>smbpasswd</tt></i> or 1350 <i class="parameter"><tt>tdbsam</tt></i>. Winbind is needed to handle the resolution of 1351 SIDs from trusted domains to local UID/GID values. 1352 </p><p><a class="indexterm" name="id2584076"></a><a class="indexterm" name="id2584084"></a> 1353 On a Domain Member server, you effectively map Windows Domain users to local users 1354 that are in your NIS database by specifying the <i class="parameter"><tt>winbind trusted domains 1355 only</tt></i>. This causes user and group account lookups to be routed via 1356 the <span><b class="command">getpwnam()</b></span> family of systems calls. On an NIS-enabled client, 1357 this pushes the resolution of users and groups out through NIS. 1358 </p><p> 1359 As a general rule, it is always a good idea to run winbind on all Samba servers. 1360 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584119"></a><a name="id2584121"></a><b></b></td><td align="left" valign="top"><p> 1361 Our IT management people do not like LDAP, but are looking at Microsoft Active Directory. 1362 Which is better?<a class="indexterm" name="id2584127"></a> 1363 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584142"></a><a class="indexterm" name="id2584153"></a><a class="indexterm" name="id2584161"></a> 1364 Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos 1365 infrastructure. Most IT managers who object to LDAP do so because of the fact that 1366 an LDAP server is most often supplied as a raw tool that needs to be configured, and 1367 for which the administrator must create the schema, create the administration tools and 1368 devise the backup and recovery facilities in a site dependent manner. LDAP servers 1369 in general are seen as a high-energy, high-risk facility. 1370 </p><p><a class="indexterm" name="id2584180"></a> 1371 Microsoft Active Directory by comparison is easy to install, configure, and 1372 is supplied with all tools necessary to implement and manage the directory. For sites 1373 that lack a lot of technical competence, Active Directory is a good choice. For sites 1374 that have the technical competence to handle Active Directory well, LDAP is a good 1375 alternative. The real issue that needs to be addressed is what type of solution does 1376 the site want? If management wants a choice to use an alternative, they may want to 1377 consider the options. On the other hand, if management just wants a solution that works, 1378 Microsoft Active Directory is a good solution. 1379 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584204"></a><a name="id2584206"></a><b></b></td><td align="left" valign="top"><p> 1380 We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible 1381 to use NIS in place of LDAP? 1382 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584218"></a><a class="indexterm" name="id2584225"></a><a class="indexterm" name="id2584233"></a><a class="indexterm" name="id2584241"></a><a class="indexterm" name="id2584249"></a><a class="indexterm" name="id2584257"></a><a class="indexterm" name="id2584265"></a> 1383 Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping 1384 the Windows (SMB) encrypted passwords database correctly synchronized across the entire 1385 network. Workstations (Windows client machines) periodically change their Domain 1386 Membership secure account password. How can you keep changes that are on remote BDCs 1387 synchronized on the PDC? 1388 </p><p><a class="indexterm" name="id2584282"></a><a class="indexterm" name="id2584290"></a><a class="indexterm" name="id2584298"></a> 1389 LDAP is a more elegant solution because it permits centralized storage and management 1390 of all network Identities (user, group and machine accounts) together with all information 1391 Samba needs to provide to network clients and their users. 1392 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584315"></a><a name="id2584317"></a><b></b></td><td align="left" valign="top"><p> 1393 Are you suggesting that users should not log onto a Domain Member server? If so, why? 1394 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584328"></a><a class="indexterm" name="id2584336"></a><a class="indexterm" name="id2584347"></a> 1395 Many UNIX administrators mock the model that the Personal Computer industry has adopted 1396 as normative since the early days of Novell Netware. One may well argue that the old 1397 perception of the necessity to keep users off file and print servers was a result of 1398 fears concerning the security and integrity of data. It was a simple and generally 1399 effective measure to keep users away from servers, except through mapped drives. 1400 </p><p><a class="indexterm" name="id2584366"></a><a class="indexterm" name="id2584374"></a><a class="indexterm" name="id2584381"></a><a class="indexterm" name="id2584389"></a><a class="indexterm" name="id2584397"></a> 1401 UNIX administrators are fully correct in asserting that UNIX servers and workstations 1402 are identical in terms of the software that is installed. They correctly assert that 1403 in a well secured environment it is safe to store files on a system that has hundreds 1404 of users. But all network administrators must factor into the decision to allow or 1405 reject general user logins to a UNIX system that is principally a file and print 1406 server. One must take account of the risk to operations through simple user errors. 1407 Only then can one begin to appraise the best strategy and adopt a site-specific 1408 policy that best protects the needs of users and of the organization alike. 1409 </p><p><a class="indexterm" name="id2584420"></a> 1410 From experience, it is my recommendation to keep general system level logins to a 1411 practical minimum and to eliminate them if possible. This should not be taken as a 1412 hard rule, though. The better question is, what works best for the site? 1413 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584436"></a><a name="id2584438"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584442"></a><a class="indexterm" name="id2584450"></a><a class="indexterm" name="id2584458"></a><a class="indexterm" name="id2584466"></a><a class="indexterm" name="id2584473"></a> 1414 In my <tt class="filename">smb.conf</tt> file, I enabled the parameter <i class="parameter"><tt>winbind enable local accounts 1415 </tt></i> on all Domain Member servers, but it does not work. The accounts I put in 1416 <tt class="filename">/etc/passwd</tt> do not show up in the options list when I try to set an 1417 ACL on a share. What have I done wrong? 1418 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584509"></a><a class="indexterm" name="id2584517"></a><a class="indexterm" name="id2584525"></a><a class="indexterm" name="id2584533"></a><a class="indexterm" name="id2584541"></a><a class="indexterm" name="id2584549"></a><a class="indexterm" name="id2584557"></a><a class="indexterm" name="id2584565"></a> 1419 The manual page for this <tt class="filename">smb.conf</tt> file parameter clearly says, “<span class="quote"><span class="emphasis"><em>This parameter 1420 controls whether or not winbindd will act as a stand in replacement for the various 1421 account management hooks in smb.conf (for example, add user script). If enabled, winbindd 1422 will support the creation of local users and groups as another source of UNIX account 1423 information available via getpwnam() or getgrgid(), etc...</em></span></span>” By default this 1424 parameter is already enabled; therefore, the action you are seeing is a result of a failure 1425 of Identity resolution in the Domain. 1426 </p><p><a class="indexterm" name="id2584596"></a><a class="indexterm" name="id2584604"></a><a class="indexterm" name="id2584612"></a><a class="indexterm" name="id2584623"></a><a class="indexterm" name="id2584634"></a><a class="indexterm" name="id2584642"></a> 1427 These are the accounts that are available for Windows network Domain logons. Providing 1428 Identity resolution has been correctly configured on the Domain Controllers, as well as 1429 on Domain Member servers. The Domain user and group identities automatically map 1430 to a valid local UID and GID pair. 1431 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584659"></a><a name="id2584661"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584664"></a><a class="indexterm" name="id2584672"></a><a class="indexterm" name="id2584684"></a><a class="indexterm" name="id2584692"></a> 1432 We want to ensure that only users from our own domain plus from trusted domains can use our 1433 Samba servers. In the <tt class="filename">smb.conf</tt> file on all servers, we have enabled the <i class="parameter"><tt>winbind 1434 trusted domains only</tt></i> parameter. We now find that users from trusted domains 1435 cannot access our servers, and users from Windows clients that are not domain members 1436 can also access our servers. Is this a Samba bug? 1437 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584725"></a><a class="indexterm" name="id2584733"></a><a class="indexterm" name="id2584740"></a><a class="indexterm" name="id2584748"></a><a class="indexterm" name="id2584756"></a><a class="indexterm" name="id2584764"></a> 1438 The manual page for this <i class="parameter"><tt>winbind trusted domains only</tt></i> parameter says, 1439 “<span class="quote"><span class="emphasis"><em>This parameter is designed to allow Samba servers that are members of a Samba controlled 1440 domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users 1441 in the hosts primary domain. Therefore, the user <tt class="constant">SAMBA\user1</tt> would be 1442 mapped to the account <tt class="constant">user1</tt> in <tt class="filename">/etc/passwd</tt> instead 1443 of allocating a new UID for him or her.</em></span></span>” This would clearly suggest that you are trying 1444 to use this parameter inappropriately. 1445 </p><p><a class="indexterm" name="id2584807"></a> 1446 A far better solution would be to use the <i class="parameter"><tt>valid users</tt></i> by specifying 1447 precisely the Domain users and groups that should be permitted access to the shares. You could, 1448 for example, set the following parameters: 1449</p><pre class="screen"> 1450[demoshare] 1451 path = /export/demodata 1452 valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users" 1453</pre><p> 1454 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584836"></a><a name="id2584838"></a><b></b></td><td align="left" valign="top"><p> 1455 What are the benefits of using LDAP for my Domain Member servers? 1456 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584849"></a><a class="indexterm" name="id2584856"></a><a class="indexterm" name="id2584864"></a><a class="indexterm" name="id2584872"></a><a class="indexterm" name="id2584880"></a><a class="indexterm" name="id2584888"></a><a class="indexterm" name="id2584896"></a><a class="indexterm" name="id2584904"></a><a class="indexterm" name="id2584911"></a> 1457 The key benefit of using LDAP is that the UID of all users and the GID of all groups 1458 are globally consistent on Domain Controllers as well as on Domain Member servers. 1459 This means that it is possible to copy/replicate files across servers without 1460 loss of identity. 1461 </p><p><a class="indexterm" name="id2584927"></a><a class="indexterm" name="id2584935"></a><a class="indexterm" name="id2584943"></a><a class="indexterm" name="id2584951"></a><a class="indexterm" name="id2584959"></a><a class="indexterm" name="id2584967"></a><a class="indexterm" name="id2584978"></a><a class="indexterm" name="id2584986"></a> 1462 When use is made of account Identity resolution via winbind, even when an IDMAP backend 1463 is stored in LDAP, the UID/GID on Domain Member servers is consistent, but differs 1464 from the ID that the user/group has on Domain Controllers. The winbind allocated UID/GID 1465 that is stored in LDAP (or locally) will be in the numeric range specified in the <i class="parameter"><tt> 1466 idmap uid/gid</tt></i> in the <tt class="filename">smb.conf</tt> file. On Domain Controllers, the UID/GID is 1467 that of the Posix value assigned in the LDAP directory as part of the Posix account information. 1468 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2585019"></a><a name="id2585021"></a><b></b></td><td align="left" valign="top"><p> 1469 Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into 1470 my DNS configuration? 1471 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2585033"></a><a class="indexterm" name="id2585044"></a><a class="indexterm" name="id2585055"></a><a class="indexterm" name="id2585063"></a><a class="indexterm" name="id2585071"></a><a class="indexterm" name="id2585078"></a><a class="indexterm" name="id2585086"></a> 1472 Samba depends on correctly functioning resolution of host names to their IP address. Samba 1473 makes no direct DNS lookup calls, but rather redirects all name to address calls via the 1474 <span><b class="command">getXXXbyXXX()</b></span> function calls. The configuration of the <tt class="constant">hosts</tt> 1475 entry in the NSS <tt class="filename">/etc/nsswitch.conf</tt> file determines how the underlying 1476 resolution process is implemented. If the <tt class="constant">hosts</tt> entry in your NSS 1477 control file says: 1478</p><pre class="screen"> 1479hosts: files dns wins 1480</pre><p> 1481 This means that a host name lookup first tries the <tt class="filename">/etc/hosts</tt>. 1482 If this fails to resolve, it attempts a DNS lookup and if that fails, it tries a 1483 WINS lookup. 1484 </p><p><a class="indexterm" name="id2585141"></a><a class="indexterm" name="id2585149"></a><a class="indexterm" name="id2585157"></a> 1485 The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has 1486 been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS 1487 is the preferred name resolution technology. This usually makes most sense when Samba 1488 is a client of an Active Directory Domain, where NetBIOS use has been disabled. In this 1489 case, the Windows 200x auto-registers all locator records it needs with its own DNS 1490 server/s. 1491 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2585177"></a><a name="id2585179"></a><b></b></td><td align="left" valign="top"><p> 1492 Our Windows 2003 Server Active Directory Domain runs with NetBIOS disabled. Can we 1493 use Samba-3 with that configuration? 1494 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 1495 Yes. 1496 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2585195"></a><a name="id2585197"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2585201"></a><a class="indexterm" name="id2585215"></a> 1497 When I tried to execute “<span class="quote"><span class="emphasis"><em>net ads join</em></span></span>”, I got no output. It did not work, so 1498 I think that it failed. I then executed “<span class="quote"><span class="emphasis"><em>net rpc join</em></span></span>” and that worked fine. 1499 That is okay, isn't it? 1500 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2585248"></a><a class="indexterm" name="id2585256"></a> 1501 No. This is not okay. It means that your Samba-3 client has joined the ADS Domain as 1502 a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication. 1503 </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="nw4migration.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="kerberos.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�9.�Migrating NetWare 4.11 Server to Samba-3�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�11.�Active Directory, Kerberos, and Security</td></tr></table></div></body></html> 1504
