Context Navigation

source: branches/samba-3.0/docs/htmldocs/Samba3-ByExample/unixclients.html

Visit:

Last change on this file was 286, checked in by Herwig Bauernfeind, 16 years ago
Update 3.0 to 3.0.35
File size: 136.7 KB

Line
1	<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Adding Domain Member Servers and Clients</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="next" href="upgrades.html" title="Chapter 8. Updating Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Adding Domain Member Servers and Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unixclients"></a>Chapter 7. Adding Domain Member Servers and Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unixclients.html#id2589266">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2589319">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2589354">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2589383">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2590032">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2590132">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2596338">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2596913">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2596967">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2589167"></a><a class="indexterm" name="id2589175"></a>
2	The most frequently discussed Samba subjects over the past 2 years have focused around domain control and printing.
3	It is well known that Samba is a file and print server. A recent survey conducted by <span class="emphasis"><em>Open Magazine</em></span> found
4	that of all respondents, 97 percent use Samba for file and print services, and 68 percent use Samba for Domain Control. See the
5	<a class="ulink" href="http://www.open-mag.com/cgi-bin/opencgi/surveys/survey.cgi?survey_name=samba" target="_top">Open-Mag</a>
6	Web site for current information. The survey results as found on January 14, 2004, are shown in
7	<a class="link" href="unixclients.html#ch09openmag" title="Figure 7.1. Open Magazine Samba Survey">“Open Magazine Samba Survey”</a>.
8	</p><div class="figure"><a name="ch09openmag"></a><p class="title"><b>Figure 7.1. Open Magazine Samba Survey</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/openmag.png" width="324" alt="Open Magazine Samba Survey"></div></div></div><br class="figure-break"><p>
9	While domain control is an exciting subject, basic file and print sharing remains the staple bread-and-butter
10	function that Samba provides. Yet this book may give the appearance of having focused too much on more
11	exciting aspects of Samba deployment. This chapter directs your attention to provide important information on
12	the addition of Samba servers into your present Windows network whatever the controlling technology
13	may be. So let's get back to our good friends at Abmas.
14	</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2589266"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2589272"></a><a class="indexterm" name="id2589280"></a>
15	Looking back over the achievements of the past year or two, daily events at Abmas are rather straightforward
16	with not too many distractions or problems. Your team is doing well, but a number of employees
17	are asking for Linux desktop systems. Your network has grown and demands additional domain member servers. Let's
18	get on with this; Christine and Stan are ready to go.
19	</p><p><a class="indexterm" name="id2589301"></a>
20	Stan is firmly in control of the department of the future, while Christine is enjoying a stable and
21	predictable network environment. It is time to add more servers and to add Linux desktops. It is
22	time to meet the demands of future growth and endure trial by fire.
23	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2589319"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id2589326"></a>
24	You must now add UNIX/Linux domain member servers to your network. You have a friend who has a Windows 2003
25	Active Directory domain network who wants to add a Samba/Linux server and has asked Christine to help him
26	out. Your real objective is to help Christine to see more of the way the Microsoft world lives and use
27	her help to get validation that Samba really does live up to expectations.
28	</p><p>
29	Over the past 6 months, you have hired several new staff who want Linux on their desktops. You must integrate
30	these systems to make sure that Abmas is not building islands of technology. You ask Christine to
31	do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make
32	the right decision, don't you?
33	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2589354"></a>Dissection and Discussion</h2></div></div></div><p>
34	<a class="indexterm" name="id2589362"></a>
35	Recent Samba mailing-list activity is witness to how many sites are using winbind. Some have no trouble
36	at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning
37	an inability to achieve identical user and group IDs between Windows and UNIX environments.
38	</p><p>
39	You provide step-by-step implementations of the various tools that can be used for identity
40	resolution. You also provide working examples of solutions for integrated authentication for
41	both UNIX/Linux and Windows environments.
42	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2589383"></a>Technical Issues</h3></div></div></div><p>
43	One of the great challenges we face when people ask us, “<span class="quote">What is the best way to solve
44	this problem?</span>” is to get beyond the facts so we not only can clearly comprehend
45	the immediate technical problem, but also can understand how needs may change.
46	</p><p>
47	<a class="indexterm" name="id2589402"></a>
48	There are a few facts we should note when dealing with the question of how best to
49	integrate UNIX/Linux clients and servers into a Windows networking environment:
50	</p><div class="itemizedlist"><ul type="disc"><li><p>
51	<a class="indexterm" name="id2589418"></a>
52	<a class="indexterm" name="id2589425"></a>
53	<a class="indexterm" name="id2589432"></a>
54	<a class="indexterm" name="id2589441"></a>
55	<a class="indexterm" name="id2589448"></a>
56	A domain controller (PDC or BDC) is always authoritative for all accounts in its domain.
57	This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs
58	to the same values that the PDC resolved them to.
59	</p></li><li><p>
60	<a class="indexterm" name="id2589462"></a>
61	<a class="indexterm" name="id2589469"></a>
62	<a class="indexterm" name="id2589481"></a>
63	<a class="indexterm" name="id2589488"></a>
64	A domain member can be authoritative for local accounts, but is never authoritative for
65	domain accounts. If a user is accessing a domain member server and that user's account
66	is not known locally, the domain member server must resolve the identity of that user
67	from the domain in which that user's account resides. It must then map that ID to a
68	UID/GID pair that it can use locally. This is handled by <code class="literal">winbindd</code>.
69	</p></li><li><p>
70	Samba, when running on a domain member server, can resolve user identities from a
71	number of sources:
72	</p><div class="itemizedlist"><ul type="circle"><li><p>
73	<a class="indexterm" name="id2589521"></a>
74	<a class="indexterm" name="id2589528"></a>
75	<a class="indexterm" name="id2589534"></a>
76	<a class="indexterm" name="id2589541"></a>
77	<a class="indexterm" name="id2589548"></a>
78	By executing a system <code class="literal">getpwnam()</code> or <code class="literal">getgrnam()</code> call.
79	On systems that support it, this utilizes the name service switch (NSS) facility to
80	resolve names according to the configuration of the <code class="filename">/etc/nsswitch.conf</code>
81	file. NSS can be configured to use LDAP, winbind, NIS, or local files.
82	</p></li><li><p>
83	<a class="indexterm" name="id2589581"></a>
84	<a class="indexterm" name="id2589588"></a>
85	<a class="indexterm" name="id2589595"></a>
86	Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured).
87	This requires the use of the PADL nss_ldap tool (or equivalent).
88	</p></li><li><p>
89	<a class="indexterm" name="id2589609"></a>
90	<a class="indexterm" name="id2589616"></a>
91	<a class="indexterm" name="id2589622"></a>
92	<a class="indexterm" name="id2589629"></a>
93	Directly by querying <code class="literal">winbindd</code>. The <code class="literal">winbindd</code>
94	contacts a domain controller to attempt to resolve the identity of the user or group. It
95	receives the Windows networking security identifier (SID) for that appropriate
96	account and then allocates a local UID or GID from the range of available IDs and
97	creates an entry in its <code class="filename">winbindd_idmap.tdb</code> and
98	<code class="filename">winbindd_cache.tdb</code> files.
99	</p><p>
100	<a class="indexterm" name="id2589669"></a>
101	<a class="indexterm" name="id2589676"></a>
102	If the parameter <a class="link" href="smb.conf.5.html#IDMAPBACKEND" target="_top">idmap backend = ldap:ldap://myserver.domain</a>
103	was specified and the LDAP server has been configured with a container in which it may
104	store the IDMAP entries, all domain members may share a common mapping.
105	</p></li></ul></div><p>
106	Irrespective of how <code class="filename">smb.conf</code> is configured, winbind creates and caches a local copy of
107	the ID mapping database. It uses the <code class="filename">winbindd_idmap.tdb</code> and
108	<code class="filename">winbindd_cache.tdb</code> files to do this.
109	</p><p>
110	Which of the resolver methods is chosen is determined by the way that Samba is configured
111	in the <code class="filename">smb.conf</code> file. Some of the configuration options are rather less than obvious to the
112	casual user.
113	</p></li><li><p>
114	<a class="indexterm" name="id2589741"></a>
115	<a class="indexterm" name="id2589748"></a>
116	<a class="indexterm" name="id2589757"></a>
117	If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable
118	of being resolved using) the NSS facility, it is possible to use the
119	<a class="link" href="smb.conf.5.html#WINBINDTRUSTEDDOMAINSONLY" target="_top">winbind trusted domains only = Yes</a>
120	in the <code class="filename">smb.conf</code> file. This parameter specifically applies to domain controllers,
121	and to domain member servers.
122	</p></li></ul></div><p>
123	<a class="indexterm" name="id2589793"></a>
124	<a class="indexterm" name="id2589800"></a>
125	<a class="indexterm" name="id2589807"></a>
126	For many administrators, it should be plain that the use of an LDAP-based repository for all network
127	accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and
128	controllable facility. You eventually appreciate the decision to use LDAP.
129	</p><p>
130	<a class="indexterm" name="id2589821"></a>
131	<a class="indexterm" name="id2589828"></a>
132	<a class="indexterm" name="id2589835"></a>
133	If your network account information resides in an LDAP repository, you should use it ahead of any
134	alternative method. This means that if it is humanly possible to use the <code class="literal">nss_ldap</code>
135	tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides
136	a more readily controllable method for asserting the exact same user and group identifiers
137	throughout the network.
138	</p><p>
139	<a class="indexterm" name="id2589858"></a>
140	<a class="indexterm" name="id2589867"></a>
141	<a class="indexterm" name="id2589874"></a>
142	<a class="indexterm" name="id2589881"></a>
143	<a class="indexterm" name="id2589888"></a>
144	<a class="indexterm" name="id2589895"></a>
145	In the situation where UNIX accounts are held on the domain member server itself, the only effective
146	way to use them involves the <code class="filename">smb.conf</code> entry
147	<a class="link" href="smb.conf.5.html#WINBINDTRUSTEDDOMAINSONLY" target="_top">winbind trusted domains only = Yes</a>. This forces
148	Samba (<code class="literal">smbd</code>) to perform a <code class="literal">getpwnam()</code> system call that can
149	then be controlled via <code class="filename">/etc/nsswitch.conf</code> file settings. The use of this parameter
150	disables the use of Samba with trusted domains (i.e., external domains).
151	</p><p>
152	<a class="indexterm" name="id2589946"></a>
153	<a class="indexterm" name="id2589953"></a>
154	<a class="indexterm" name="id2589962"></a>
155	<a class="indexterm" name="id2589969"></a>
156	Winbind can be used to create an appliance mode domain member server. In this capacity, <code class="literal">winbindd</code>
157	is configured to automatically allocate UIDs/GIDs from numeric ranges set in the <code class="filename">smb.conf</code> file. The allocation
158	is made for all accounts that connect to that domain member server, whether within its own domain or from
159	trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database.
160	This means that it is almost certain that a given user who accesses two domain member servers does not have the
161	same UID/GID on both servers however, this is transparent to the Windows network user. This data
162	is stored in the <code class="filename">winbindd_idmap.tdb</code> and <code class="filename">winbindd_cache.tdb</code> files.
163	</p><p>
164	<a class="indexterm" name="id2590017"></a>
165	The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs
166	mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member
167	servers so configured. This solves one of the major headaches for network administrators who need to copy
168	files between or across network file servers.
169	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2590032"></a>Political Issues</h3></div></div></div><p>
170	<a class="indexterm" name="id2590040"></a>
171	<a class="indexterm" name="id2590046"></a>
172	<a class="indexterm" name="id2590053"></a>
173	<a class="indexterm" name="id2590062"></a>
174	One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in
175	particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP
176	is different and requires a new approach to the need for a better identity management solution. The more
177	you work with LDAP, the more its power and flexibility emerges from its dark, cavernous chasm.
178	</p><p>
179	LDAP is a most suitable solution for heterogenous environments. If you need crypto, add Kerberos.
180	The reason these are preferable is because they are heterogenous. Windows solutions of this sort are <span class="emphasis"><em>not</em></span>
181	heterogenous by design. This is fundamental it isn't religious or political. This also doesn't say that
182	you can't use Windows Active Directory in a heterogenous environment it can be done, it just requires
183	commercial integration products. But it's not what Active Directory was designed for.
184	</p><p>
185	<a class="indexterm" name="id2590101"></a>
186	<a class="indexterm" name="id2590107"></a>
187	A number of long-term UNIX devotees have recently commented in various communications that the Samba Team
188	is the first application group to almost force network administrators to use LDAP. It should be pointed
189	out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has
190	finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total
191	organizational directory needs.
192	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2590132"></a>Implementation</h2></div></div></div><p>
193	<a class="indexterm" name="id2590140"></a>
194	<a class="indexterm" name="id2590149"></a>
195	<a class="indexterm" name="id2590159"></a>
196	The domain member server and the domain member client are at the center of focus in this chapter.
197	Configuration of Samba-3 domain controller is covered in earlier chapters, so if your
198	interest is in domain controller configuration, you will not find that here. You will find good
199	oil that helps you to add domain member servers and clients.
200	</p><p>
201	<a class="indexterm" name="id2590175"></a>
202	In practice, domain member servers and domain member workstations are very different entities, but in
203	terms of technology they share similar core infrastructure. A technologist would argue that servers
204	and workstations are identical. Many users would argue otherwise, given that in a well-disciplined
205	environment a workstation (client) is a device from which a user creates documents and files that
206	are located on servers. A workstation is frequently viewed as a disposable (easy to replace) item,
207	but a server is viewed as a core component of the business.
208	</p><p>
209	<a class="indexterm" name="id2590197"></a>
210	We can look at this another way. If a workstation breaks down, one user is affected, but if a
211	server breaks down, hundreds of users may not be able to work. The services that a workstation
212	must provide are document- and file-production oriented; a server provides information storage
213	and is distribution oriented.
214	</p><p>
215	<a class="indexterm" name="id2590212"></a>
216	<a class="indexterm" name="id2590220"></a>
217	<a class="indexterm" name="id2590226"></a>
218	<span class="emphasis"><em>Why is this important?</em></span> For starters, we must identify what
219	components of the operating system and its environment must be configured. Also, it is necessary
220	to recognize where the interdependencies between the various services to be used are.
221	In particular, it is important to understand the operation of each critical part of the
222	authentication process, the logon process, and how user identities get resolved and applied
223	within the operating system and applications (like Samba) that depend on this and may
224	actually contribute to it.
225	</p><p>
226	So, in this chapter we demonstrate how to implement the technology. It is done within a context of
227	what type of service need must be fulfilled.
228	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sdcsdmldap"></a>Samba Domain with Samba Domain Member Server Using NSS LDAP</h3></div></div></div><p>
229	<a class="indexterm" name="id2590267"></a>
230	<a class="indexterm" name="id2590274"></a>
231	<a class="indexterm" name="id2590281"></a>
232	<a class="indexterm" name="id2590288"></a>
233	<a class="indexterm" name="id2590297"></a>
234	<a class="indexterm" name="id2590304"></a>
235	In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using
236	an LDAP ldapsam backend. We are adding to the LDAP backend database (directory)
237	containers for use by the IDMAP facility. This makes it possible to have globally consistent
238	mapping of SIDs to and from UIDs and GIDs. This means that it is necessary to run
239	<code class="literal">winbindd</code> as part of your configuration. The primary purpose of running
240	<code class="literal">winbindd</code> (within this operational context) is to permit mapping of foreign
241	SIDs (those not originating from the the local Samba server). Foreign SIDs can come from any
242	domain member client or server, or from Windows clients that do not belong to a domain. Another
243	way to explain the necessity to run <code class="literal">winbindd</code> is that Samba can locally
244	resolve only accounts that belong to the security context of its own machine SID. Winbind
245	handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated
246	from the parameter values set in the <code class="filename">smb.conf</code> file for the <em class="parameter"><code>idmap uid</code></em> and
247	<em class="parameter"><code>idmap gid</code></em> ranges. Where LDAP is used, the mappings can be stored in LDAP
248	so that all domain member servers can use a consistent mapping.
249	</p><p>
250	<a class="indexterm" name="id2590368"></a>
251	<a class="indexterm" name="id2590374"></a>
252	<a class="indexterm" name="id2590381"></a>
253	If your installation is accessed only from clients that are members of your own domain, and all
254	user accounts are present in a local passdb backend then it is not necessary to run
255	<code class="literal">winbindd</code>. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam.
256	</p><p>
257	It is possible to use a local passdb backend with any convenient means of resolving the POSIX
258	user and group account information. The POSIX information is usually obtained using the
259	<code class="literal">getpwnam()</code> system call. On NSS-enabled systems, the actual POSIX account
260	source can be provided from
261	</p><div class="itemizedlist"><ul type="disc"><li><p>
262	<a class="indexterm" name="id2590418"></a>
263	<a class="indexterm" name="id2590425"></a>
264	Accounts in <code class="filename">/etc/passwd</code> or in <code class="filename">/etc/group</code>.
265	</p></li><li><p>
266	<a class="indexterm" name="id2590449"></a>
267	<a class="indexterm" name="id2590455"></a>
268	<a class="indexterm" name="id2590462"></a>
269	<a class="indexterm" name="id2590469"></a>
270	<a class="indexterm" name="id2590475"></a>
271	<a class="indexterm" name="id2590482"></a>
272	<a class="indexterm" name="id2590489"></a>
273	<a class="indexterm" name="id2590496"></a>
274	<a class="indexterm" name="id2590502"></a>
275	Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs
276	via multiple methods. The methods typically include <code class="literal">files</code>,
277	<code class="literal">compat</code>, <code class="literal">db</code>, <code class="literal">ldap</code>,
278	<code class="literal">nis</code>, <code class="literal">nisplus</code>, <code class="literal">hesiod.</code> When
279	correctly installed, Samba adds to this list the <code class="literal">winbindd</code> facility.
280	The ldap facility is frequently the nss_ldap tool provided by PADL Software.
281	</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
282	To advoid confusion the use of the term <code class="literal">local passdb backend</code> means that
283	the user account backend is not shared by any other Samba server instead, it is
284	used only locally on the Samba domain member server under discussion.
285	</p></div><p>
286	<a class="indexterm" name="id2590582"></a>
287	The diagram in <a class="link" href="unixclients.html#ch9-sambadc" title="Figure 7.2. Samba Domain: Samba Member Server">“Samba Domain: Samba Member Server”</a> demonstrates the relationship of Samba and system
288	components that are involved in the identity resolution process where Samba is used as a domain
289	member server within a Samba domain control network.
290	</p><div class="figure"><a name="ch9-sambadc"></a><p class="title"><b>Figure 7.2. Samba Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-SambaDC.png" width="324" alt="Samba Domain: Samba Member Server"></div></div></div><br class="figure-break"><p>
291	<a class="indexterm" name="id2590644"></a>
292	<a class="indexterm" name="id2590651"></a>
293	In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam
294	to obtain authentication and user identity information. The IDMAP information is stored in the LDAP
295	backend so that it can be shared by all domain member servers so that every user will have a
296	consistent UID and GID across all of them. The IDMAP facility will be used for all foreign
297	(i.e., not having the same SID as the domain it is a member of) domains. The configuration of
298	NSS will ensure that all UNIX processes will obtain a consistent UID/GID.
299	</p><p>
300	The instructions given here apply to the Samba environment shown in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a> and <a class="link" href="2000users.html" title="Chapter 6. A Distributed 2000-User Network">“A Distributed 2000-User Network”</a>.
301	If the network does not have an LDAP slave server (i.e., <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a> configuration),
302	change the target LDAP server from <code class="constant">lapdc</code> to <code class="constant">massive.</code>
303	</p><div class="procedure"><a name="id2590699"></a><p class="title"><b>Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution</b></p><ol type="1"><li><p>
304	Create the <code class="filename">smb.conf</code> file as shown in <a class="link" href="unixclients.html#ch9-sdmsdc" title="Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File">“Samba Domain Member in Samba Domain Using LDAP smb.conf File”</a>. Locate
305	this file in the directory <code class="filename">/etc/samba</code>.
306	</p></li><li><p>
307	<a class="indexterm" name="id2590737"></a>
308	Configure the file that will be used by <code class="constant">nss_ldap</code> to
309	locate and communicate with the LDAP server. This file is called <code class="filename">ldap.conf</code>.
310	If your implementation of <code class="constant">nss_ldap</code> is consistent with
311	the defaults suggested by PADL (the authors), it will be located in the
312	<code class="filename">/etc</code> directory. On some systems, the default location is
313	the <code class="filename">/etc/openldap</code> directory, however this file is intended
314	for use by the OpenLDAP utilities and should not really be used by the nss_ldap
315	utility since its content and structure serves the specific purpose of enabling
316	the resolution of user and group IDs via NSS.
317	</p><p>
318	Change the parameters inside the file that is located on your OS so it matches
319	<a class="link" href="unixclients.html#ch9-sdmlcnf" title="Example 7.3. Configuration File for NSS LDAP Support /etc/ldap.conf">“Configuration File for NSS LDAP Support /etc/ldap.conf”</a>. To find the correct location of this file, you
320	can obtain this from the library that will be used by executing the following:
321	</p><pre class="screen">
322	<code class="prompt">root# </code> strings /lib/libnss_ldap* \| grep ldap.conf
323	/etc/ldap.conf
324	</pre><p>
325	</p></li><li><p>
326	Configure the NSS control file so it matches the one shown in
327	<a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">“NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf”</a>.
328	</p></li><li><p>
329	<a class="indexterm" name="id2590824"></a>
330	<a class="indexterm" name="id2590831"></a>
331	Before proceeding to configure Samba, validate the operation of the NSS identity
332	resolution via LDAP by executing:
333	</p><pre class="screen">
334	<code class="prompt">root# </code> getent passwd
335	...
336	root:x:0:512:Netbios Domain Administrator:/root:/bin/false
337	nobody:x:999:514:nobody:/dev/null:/bin/false
338	bobj:x:1000:513:Robert Jordan:/home/bobj:/bin/bash
339	stans:x:1001:513:Stanley Soroka:/home/stans:/bin/bash
340	chrisr:x:1002:513:Christine Roberson:/home/chrisr:/bin/bash
341	maryv:x:1003:513:Mary Vortexis:/home/maryv:/bin/bash
342	jht:x:1004:513:John H Terpstra:/home/jht:/bin/bash
343	bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
344	temptation$:x:1009:553:temptation$:/dev/null:/bin/false
345	vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
346	fran$:x:1008:553:fran$:/dev/null:/bin/false
347	josephj:x:1007:513:Joseph James:/home/josephj:/bin/bash
348	</pre><p>
349	You should notice the location of the users' home directories. First, make certain that
350	the home directories exist on the domain member server; otherwise, the home directory
351	share is not available. The home directories could be mounted off a domain controller
352	using NFS or by any other suitable means. Second, the absence of the domain name in the
353	home directory path is indicative that identity resolution is not being done via winbind.
354	</p><pre class="screen">
355	<code class="prompt">root# </code> getent group
356	...
357	Domain Admins:x:512:root,jht
358	Domain Users:x:513:bobj,stans,chrisr,maryv,jht,josephj
359	Domain Guests:x:514:
360	Accounts:x:1000:
361	Finances:x:1001:
362	PIOps:x:1002:
363	sammy:x:4321:
364	</pre><p>
365	<a class="indexterm" name="id2590895"></a>
366	<a class="indexterm" name="id2590902"></a>
367	<a class="indexterm" name="id2590909"></a>
368	This shows that all is working as it should be. Notice that in the LDAP database
369	the users' primary and secondary group memberships are identical. It is not
370	necessary to add secondary group memberships (in the group database) if the
371	user is already a member via primary group membership in the password database.
372	When using winbind, it is in fact undesirable to do this because it results in
373	doubling up of group memberships and may cause problems with winbind under certain
374	conditions. It is intended that these limitations with winbind will be resolved soon
375	after Samba-3.0.20 has been released.
376	</p></li><li><p>
377	<a class="indexterm" name="id2590933"></a>
378	The LDAP directory must have a container object for IDMAP data. There are several ways you can
379	check that your LDAP database is able to receive IDMAP information. One of the simplest is to
380	execute:
381	</p><pre class="screen">
382	<code class="prompt">root# </code> slapcat \| grep -i idmap
383	dn: ou=Idmap,dc=abmas,dc=biz
384	ou: idmap
385	</pre><p>
386	<a class="indexterm" name="id2590956"></a>
387	If the execution of this command does not return IDMAP entries, you need to create an LDIF
388	template file (see <a class="link" href="unixclients.html#ch9-ldifadd" title="Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">“LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF”</a>). You can add the required entries using
389	the following command:
390	</p><pre class="screen">
391	<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
392	-w not24get < /etc/openldap/idmap.LDIF
393	</pre><p>
394	</p></li><li><p>
395	Samba automatically populates the LDAP directory container when it needs to. To permit Samba
396	write access to the LDAP directory it is necessary to set the LDAP administrative password
397	in the <code class="filename">secrets.tdb</code> file as shown here:
398	</p><pre class="screen">
399	<code class="prompt">root# </code> smbpasswd -w not24get
400	</pre><p>
401	</p></li><li><p>
402	<a class="indexterm" name="id2591020"></a>
403	<a class="indexterm" name="id2591031"></a>
404	The system is ready to join the domain. Execute the following:
405	</p><pre class="screen">
406	<code class="prompt">root# </code> net rpc join -U root%not24get
407	Joined domain MEGANET2.
408	</pre><p>
409	This indicates that the domain join succeeded.
410	</p><p>
411	Failure to join the domain could be caused by any number of variables. The most common
412	causes of failure to join are:
413	</p><p>
414	</p><div class="itemizedlist"><ul type="disc"><li><p>Broken resolution of NetBIOS names to the respective IP address.</p></li><li><p>Incorrect username and password credentials.</p></li><li><p>The NT4 <em class="parameter"><code>restrict anonymous</code></em> is set to exclude anonymous
415	connections.</p></li></ul></div><p>
416	</p><p>
417	The connection setup can be diagnosed by executing:
418	</p><pre class="screen">
419	<code class="prompt">root# </code> net rpc join -S 'pdc-name' -U administrator%password -d 5
420	</pre><p>
421	<a class="indexterm" name="id2591103"></a>
422	<a class="indexterm" name="id2591110"></a>
423	<a class="indexterm" name="id2591117"></a>
424	<a class="indexterm" name="id2591124"></a>
425	Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of
426	the failure appears to be related to a rejected or failed NT_SESSION_SETUP* or an error message that
427	says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
428	<code class="constant">restrict anonymous</code> setting. Set this to the value 0 so that an anonymous connection
429	can be sustained, then try again.
430	</p><p>
431	It is possible (perhaps even recommended) to use the following to validate the ability to connect
432	to an NT4 PDC/BDC:
433	</p><pre class="screen">
434	<code class="prompt">root# </code> net rpc info -S 'pdc-name' -U Administrator%not24get
435	Domain Name: MEGANET2
436	Domain SID: S-1-5-21-422319763-4138913805-7168186429
437	Sequence number: 1519909596
438	Num users: 7003
439	Num domain groups: 821
440	Num local groups: 8
441
442	<code class="prompt">root# </code> net rpc testjoin -S 'pdc-name' -U Administrator%not24get
443	Join to 'MEGANET2' is OK
444	</pre><p>
445	If for any reason the following response is obtained to the last command above,it is time to
446	call in the Networking Super-Snooper task force (i.e., start debugging):
447	</p><pre class="screen">
448	NT_STATUS_ACCESS_DENIED
449	Join to 'MEGANET2' failed.
450	</pre><p>
451	</p></li><li><p>
452	<a class="indexterm" name="id2591185"></a>
453	Just joining the domain is not quite enough; you must now provide a privileged set
454	of credentials through which <code class="literal">winbindd</code> can interact with the
455	domain servers. Execute the following to implant the necessary credentials:
456	</p><pre class="screen">
457	<code class="prompt">root# </code> wbinfo --set-auth-user=Administrator%not24get
458	</pre><p>
459	The configuration is now ready to obtain the Samba domain user and group information.
460	</p></li><li><p>
461	You may now start Samba in the usual manner, and your Samba domain member server
462	is ready for use. Just add shares as required.
463	</p></li></ol></div><div class="example"><a name="ch9-sdmsdc"></a><p class="title"><b>Example 7.1. Samba Domain Member in Samba Domain Using LDAP <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2591263"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2591275"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2591286"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2591298"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2591310"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id2591322"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2591333"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2591345"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2591357"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2591368"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2591380"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2591392"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2591404"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2591416"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2591428"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2591440"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2591452"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2591464"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2591476"></a><em class="parameter"><code>idmap backend = ldap:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2591488"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2591500"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2591512"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2591524"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2591536"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2591556"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2591568"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2591580"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2591591"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2591612"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2591623"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2591635"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2591647"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2591658"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2591679"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2591691"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2591702"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2591714"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch9-ldifadd"></a><p class="title"><b>Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
464	dn: ou=Idmap,dc=abmas,dc=biz
465	objectClass: organizationalUnit
466	ou: idmap
467	structuralObjectClass: organizationalUnit
468	</pre></div></div><br class="example-break"><div class="example"><a name="ch9-sdmlcnf"></a><p class="title"><b>Example 7.3. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
469	URI ldap://massive.abmas.biz ldap://massive.abmas.biz:636
470	host 192.168.2.1
471	base dc=abmas,dc=biz
472	binddn cn=Manager,dc=abmas,dc=biz
473	bindpw not24get
474
475	pam_password exop
476
477	nss_base_passwd ou=People,dc=abmas,dc=biz?one
478	nss_base_shadow ou=People,dc=abmas,dc=biz?one
479	nss_base_group ou=Groups,dc=abmas,dc=biz?one
480	ssl no
481	</pre></div></div><br class="example-break"><div class="example"><a name="ch9-sdmnss"></a><p class="title"><b>Example 7.4. NSS using LDAP for Identity Resolution File: <code class="filename">/etc/nsswitch.conf</code></b></p><div class="example-contents"><pre class="screen">
482	passwd: files ldap
483	shadow: files ldap
484	group: files ldap
485
486	hosts: files dns wins
487	networks: files dns
488
489	services: files
490	protocols: files
491	rpc: files
492	ethers: files
493	netmasks: files
494	netgroup: files
495	publickey: files
496
497	bootparams: files
498	automount: files
499	aliases: files
500	</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="wdcsdm"></a>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</h3></div></div></div><p>
501	You need to use this method for creating a Samba domain member server if any of the following conditions
502	prevail:
503	</p><div class="itemizedlist"><ul type="disc"><li><p>
504	LDAP support (client) is not installed on the system.
505	</p></li><li><p>
506	There are mitigating circumstances forcing a decision not to use LDAP.
507	</p></li><li><p>
508	The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.
509	</p></li></ul></div><p>
510	<a class="indexterm" name="id2591845"></a>
511	<a class="indexterm" name="id2591852"></a>
512	<a class="indexterm" name="id2591859"></a>
513	Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain.
514	Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style
515	domain and/or does not use LDAP.
516	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
517	<a class="indexterm" name="id2591874"></a>
518	If you use <code class="literal">winbind</code> for identity resolution, make sure that there are no
519	duplicate accounts.
520	</p><p>
521	<a class="indexterm" name="id2591892"></a>
522	For example, do not have more than one account that has UID=0 in the password database. If there
523	is an account called <code class="constant">root</code> in the <code class="filename">/etc/passwd</code> database,
524	it is okay to have an account called <code class="constant">root</code> in the LDAP ldapsam or in the
525	tdbsam. But if there are two accounts in the passdb backend that have the same UID, winbind will
526	break. This means that the <code class="constant">Administrator</code> account must be called
527	<code class="constant">root</code>.
528	</p><p>
529	<a class="indexterm" name="id2591928"></a>
530	<a class="indexterm" name="id2591935"></a>
531	<a class="indexterm" name="id2591942"></a>
532	Winbind will break if there is an account in <code class="filename">/etc/passwd</code> that has
533	the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
534	</p></div><p>
535	<a class="indexterm" name="id2591961"></a>
536	<a class="indexterm" name="id2591968"></a>
537	<a class="indexterm" name="id2591974"></a>
538	<a class="indexterm" name="id2591981"></a>
539	<a class="indexterm" name="id2591990"></a>
540	The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
541	The winbind information is locally cached in the <code class="filename">winbindd_cache.tdb winbindd_idmap.tdb</code>
542	files. This provides considerable performance benefits compared with the LDAP solution, particularly
543	where the LDAP lookups must traverse WAN links. You may examine the contents of these
544	files using the tool <code class="literal">tdbdump</code>, though you may have to build this from the Samba
545	source code if it has not been supplied as part of a binary package distribution that you may be using.
546	</p><div class="procedure"><a name="id2592019"></a><p class="title"><b>Procedure 7.2. Configuration of Winbind-Based Identity Resolution</b></p><ol type="1"><li><p>
547	Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
548	shown in <a class="link" href="unixclients.html#ch0-NT4DSDM" title="Example 7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain">“Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain”</a>.
549	</p></li><li><p>
550	<a class="indexterm" name="id2592052"></a>
551	Edit the <code class="filename">/etc/nsswitch.conf</code> so it has the entries shown in
552	<a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">“NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf”</a>.
553	</p></li><li><p>
554	<a class="indexterm" name="id2592078"></a>
555	The system is ready to join the domain. Execute the following:
556	</p><pre class="screen">
557	net rpc join -U root%not2g4et
558	Joined domain MEGANET2.
559	</pre><p>
560	This indicates that the domain join succeed.
561
562	</p></li><li><p>
563	<a class="indexterm" name="id2592104"></a>
564	<a class="indexterm" name="id2592111"></a>
565	Validate operation of <code class="literal">winbind</code> using the <code class="literal">wbinfo</code>
566	tool as follows:
567	</p><pre class="screen">
568	<code class="prompt">root# </code> wbinfo -u
569	MEGANET2+root
570	MEGANET2+nobody
571	MEGANET2+jht
572	MEGANET2+maryv
573	MEGANET2+billr
574	MEGANET2+jelliott
575	MEGANET2+dbrady
576	MEGANET2+joeg
577	MEGANET2+balap
578	</pre><p>
579	This shows that domain users have been listed correctly.
580	</p><pre class="screen">
581	<code class="prompt">root# </code> wbinfo -g
582	MEGANET2+Domain Admins
583	MEGANET2+Domain Users
584	MEGANET2+Domain Guests
585	MEGANET2+Accounts
586	MEGANET2+Finances
587	MEGANET2+PIOps
588	</pre><p>
589	This shows that domain groups have been correctly obtained also.
590	</p></li><li><p>
591	<a class="indexterm" name="id2592167"></a>
592	<a class="indexterm" name="id2592174"></a>
593	<a class="indexterm" name="id2592180"></a>
594	The next step verifies that NSS is able to obtain this information
595	correctly from <code class="literal">winbind</code> also.
596	</p><pre class="screen">
597	<code class="prompt">root# </code> getent passwd
598	...
599	MEGANET2+root:x:10000:10001:NetBIOS Domain Admin:
600	/home/MEGANET2/root:/bin/bash
601	MEGANET2+nobody:x:10001:10001:nobody:
602	/home/MEGANET2/nobody:/bin/bash
603	MEGANET2+jht:x:10002:10001:John H Terpstra:
604	/home/MEGANET2/jht:/bin/bash
605	MEGANET2+maryv:x:10003:10001:Mary Vortexis:
606	/home/MEGANET2/maryv:/bin/bash
607	MEGANET2+billr:x:10004:10001:William Randalph:
608	/home/MEGANET2/billr:/bin/bash
609	MEGANET2+jelliott:x:10005:10001:John G Elliott:
610	/home/MEGANET2/jelliott:/bin/bash
611	MEGANET2+dbrady:x:10006:10001:Darren Brady:
612	/home/MEGANET2/dbrady:/bin/bash
613	MEGANET2+joeg:x:10007:10001:Joe Green:
614	/home/MEGANET2/joeg:/bin/bash
615	MEGANET2+balap:x:10008:10001:Bala Pillay:
616	/home/MEGANET2/balap:/bin/bash
617	</pre><p>
618	The user account information has been correctly obtained. This information has
619	been merged with the winbind template information configured in the <code class="filename">smb.conf</code> file.
620	</p><pre class="screen">
621	<code class="prompt">root# </code># getent group
622	...
623	MEGANET2+Domain Admins:x:10000:MEGANET2+root,MEGANET2+jht
624	MEGANET2+Domain Users:x:10001:MEGANET2+jht,MEGANET2+maryv,\
625	MEGANET2+billr,MEGANET2+jelliott,MEGANET2+dbrady,\
626	MEGANET2+joeg,MEGANET2+balap
627	MEGANET2+Domain Guests:x:10002:MEGANET2+nobody
628	MEGANET2+Accounts:x:10003:
629	MEGANET2+Finances:x:10004:
630	MEGANET2+PIOps:x:10005:
631	</pre><p>
632	</p></li><li><p>
633	The Samba member server of a Windows NT4 domain is ready for use.
634	</p></li></ol></div><div class="example"><a name="ch0-NT4DSDM"></a><p class="title"><b>Example 7.5. Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2592291"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2592303"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2592315"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2592327"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2592339"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2592350"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592362"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2592374"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592385"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2592397"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2592409"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2592421"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2592433"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2592444"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2592456"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2592468"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2592480"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2592492"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2592504"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2592516"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2592536"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2592548"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2592560"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2592571"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2592592"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2592604"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2592615"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2592627"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2592639"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2592659"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2592671"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2592683"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2592695"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="dcwonss"></a>NT4/Samba Domain with Samba Domain Member Server without NSS Support</h3></div></div></div><p>
635	No matter how many UNIX/Linux administrators there may be who believe that a UNIX operating
636	system that does not have NSS and PAM support to be outdated, the fact is there
637	are still many such systems in use today. Samba can be used without NSS support, but this
638	does limit it to the use of local user and group accounts only.
639	</p><p>
640	The following steps may be followed to implement Samba with support for local accounts.
641	In this configuration Samba is made a domain member server. All incoming connections
642	to the Samba server will cause the look-up of the incoming username. If the account
643	is found, it is used. If the account is not found, one will be automatically created
644	on the local machine so that it can then be used for all access controls.
645	</p><div class="procedure"><a name="id2592738"></a><p class="title"><b>Procedure 7.3. Configuration Using Local Accounts Only</b></p><ol type="1"><li><p>
646	Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
647	shown in <a class="link" href="unixclients.html#ch0-NT4DSCM" title="Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain">“Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain”</a>.
648	</p></li><li><p><a class="indexterm" name="id2592770"></a>
649	The system is ready to join the domain. Execute the following:
650	</p><pre class="screen">
651	net rpc join -U root%not24get
652	Joined domain MEGANET2.
653	</pre><p>
654	This indicates that the domain join succeed.
655	</p></li><li><p>
656	Be sure to run all three Samba daemons: <code class="literal">smbd</code>, <code class="literal">nmbd</code>, <code class="literal">winbindd</code>.
657	</p></li><li><p>
658	The Samba member server of a Windows NT4 domain is ready for use.
659	</p></li></ol></div><div class="example"><a name="ch0-NT4DSCM"></a><p class="title"><b>Example 7.6. Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2592859"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2592871"></a><em class="parameter"><code>workgroup = MEGANET3</code></em></td></tr><tr><td><a class="indexterm" name="id2592883"></a><em class="parameter"><code>netbios name = BSDBOX</code></em></td></tr><tr><td><a class="indexterm" name="id2592895"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2592906"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2592918"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2592930"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592941"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2592954"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -M '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2592966"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2592978"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2592990"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2593002"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2593013"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2593025"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2593037"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2593049"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2593061"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2593073"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2593093"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2593105"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2593117"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2593128"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2593149"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2593160"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2593172"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2593184"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2593195"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2593216"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2593228"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2593240"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2593251"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adssdm"></a>Active Directory Domain with Samba Domain Member Server</h3></div></div></div><p>
660	<a class="indexterm" name="id2593277"></a>
661	<a class="indexterm" name="id2593286"></a>
662	<a class="indexterm" name="id2593293"></a>
663	One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory
664	domain using Kerberos protocols. This makes it possible to operate an entire Windows network
665	without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An
666	exhaustively complete discussion of the protocols is not possible in this book; perhaps a
667	later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate
668	in. For now, we simply focus on how a Samba-3 server can be made a domain member server.
669	</p><p>
670	<a class="indexterm" name="id2593315"></a>
671	<a class="indexterm" name="id2593322"></a>
672	<a class="indexterm" name="id2593329"></a>
673	<a class="indexterm" name="id2593336"></a>
674	The diagram in <a class="link" href="unixclients.html#ch9-adsdc" title="Figure 7.3. Active Directory Domain: Samba Member Server">“Active Directory Domain: Samba Member Server”</a> demonstrates how Samba-3 interfaces with
675	Microsoft Active Directory components. It should be noted that if Microsoft Windows Services
676	for UNIX (SFU) has been installed and correctly configured, it is possible to use client LDAP
677	for identity resolution just as can be done with Samba-3 when using an LDAP passdb backend.
678	The UNIX tool that you need for this, as in the case of LDAP on UNIX/Linux, is the PADL
679	Software nss_ldap tool-set. Compared with use of winbind and Kerberos, the use of
680	LDAP-based identity resolution is a little less secure. In view of the fact that this solution
681	requires additional software to be installed on the Windows 200x ADS domain controllers,
682	and that means more management overhead, it is likely that most Samba-3 ADS client sites
683	may elect to use winbind.
684	</p><p>
685	Do not attempt to use this procedure if you are not 100 percent certain that the build of Samba-3
686	you are using has been compiled and linked with all the tools necessary for this to work.
687	Given the importance of this step, you must first validate that the Samba-3 message block
688	daemon (<code class="literal">smbd</code>) has the necessary features.
689	</p><p>
690	The hypothetical domain you are using in this example assumes that the Abmas London office
691	decided to take its own lead (some would say this is a typical behavior in a global
692	corporate world; besides, a little divergence and conflict makes for an interesting life).
693	The Windows Server 2003 ADS domain is called <code class="constant">london.abmas.biz</code> and the
694	name of the server is <code class="constant">W2K3S</code>. In ADS realm terms, the domain controller
695	is known as <code class="constant">w2k3s.london.abmas.biz</code>. In NetBIOS nomenclature, the
696	domain name is <code class="constant">LONDON</code> and the server name is <code class="constant">W2K3S</code>.
697	</p><div class="figure"><a name="ch9-adsdc"></a><p class="title"><b>Figure 7.3. Active Directory Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-ADSDC.png" width="324" alt="Active Directory Domain: Samba Member Server"></div></div></div><br class="figure-break"><div class="procedure"><a name="id2593449"></a><p class="title"><b>Procedure 7.4. Joining a Samba Server as an ADS Domain Member</b></p><ol type="1"><li><p>
698	<a class="indexterm" name="id2593460"></a>
699	Before you try to use Samba-3, you want to know for certain that your executables have
700	support for Kerberos and for LDAP. Execute the following to identify whether or
701	not this build is perhaps suitable for use:
702	</p><pre class="screen">
703	<code class="prompt">root# </code> cd /usr/sbin
704	<code class="prompt">root# </code> smbd -b \| grep KRB
705	HAVE_KRB5_H
706	HAVE_ADDR_TYPE_IN_KRB5_ADDRESS
707	HAVE_KRB5
708	HAVE_KRB5_AUTH_CON_SETKEY
709	HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES
710	HAVE_KRB5_GET_PW_SALT
711	HAVE_KRB5_KEYBLOCK_KEYVALUE
712	HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
713	HAVE_KRB5_MK_REQ_EXTENDED
714	HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
715	HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES
716	HAVE_KRB5_STRING_TO_KEY
717	HAVE_KRB5_STRING_TO_KEY_SALT
718	HAVE_LIBKRB5
719	</pre><p>
720	This output was obtained on a SUSE Linux system and shows the output for
721	Samba that has been compiled and linked with the Heimdal Kerberos libraries.
722	The following is a typical output that will be found on a Red Hat Linux system that
723	has been linked with the MIT Kerberos libraries:
724	</p><pre class="screen">
725	<code class="prompt">root# </code> cd /usr/sbin
726	<code class="prompt">root# </code> smbd -b \| grep KRB
727	HAVE_KRB5_H
728	HAVE_ADDRTYPE_IN_KRB5_ADDRESS
729	HAVE_KRB5
730	HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
731	HAVE_KRB5_ENCRYPT_DATA
732	HAVE_KRB5_FREE_DATA_CONTENTS
733	HAVE_KRB5_FREE_KTYPES
734	HAVE_KRB5_GET_PERMITTED_ENCTYPES
735	HAVE_KRB5_KEYTAB_ENTRY_KEY
736	HAVE_KRB5_LOCATE_KDC
737	HAVE_KRB5_MK_REQ_EXTENDED
738	HAVE_KRB5_PRINCIPAL2SALT
739	HAVE_KRB5_PRINC_COMPONENT
740	HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
741	HAVE_KRB5_SET_REAL_TIME
742	HAVE_KRB5_STRING_TO_KEY
743	HAVE_KRB5_TKT_ENC_PART2
744	HAVE_KRB5_USE_ENCTYPE
745	HAVE_LIBGSSAPI_KRB5
746	HAVE_LIBKRB5
747	</pre><p>
748	You can validate that Samba has been compiled and linked with LDAP support
749	by executing:
750	</p><pre class="screen">
751	<code class="prompt">root# </code> smbd -b \| grep LDAP
752	massive:/usr/sbin # smbd -b \| grep LDAP
753	HAVE_LDAP_H
754	HAVE_LDAP
755	HAVE_LDAP_DOMAIN2HOSTLIST
756	HAVE_LDAP_INIT
757	HAVE_LDAP_INITIALIZE
758	HAVE_LDAP_SET_REBIND_PROC
759	HAVE_LIBLDAP
760	LDAP_SET_REBIND_PROC_ARGS
761	</pre><p>
762	This does look promising; <code class="literal">smbd</code> has been built with Kerberos and LDAP
763	support. You are relieved to know that it is safe to progress.
764	</p></li><li><p>
765	<a class="indexterm" name="id2593559"></a>
766	<a class="indexterm" name="id2593569"></a>
767	<a class="indexterm" name="id2593576"></a>
768	<a class="indexterm" name="id2593582"></a>
769	<a class="indexterm" name="id2593592"></a>
770	<a class="indexterm" name="id2593601"></a>
771	<a class="indexterm" name="id2593608"></a>
772	<a class="indexterm" name="id2593615"></a>
773	<a class="indexterm" name="id2593622"></a>
774	The next step is to identify which version of the Kerberos libraries have been used.
775	In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is
776	essential that it has been linked with either MIT Kerberos version 1.3.1 or later,
777	or that it has been linked with Heimdal Kerberos 0.6 plus specific patches. You may
778	identify what version of the MIT Kerberos libraries are installed on your system by
779	executing (on Red Hat Linux):
780	</p><pre class="screen">
781	<code class="prompt">root# </code> rpm -q krb5
782	</pre><p>
783	Or on SUSE Linux, execute:
784	</p><pre class="screen">
785	<code class="prompt">root# </code> rpm -q heimdal
786	</pre><p>
787	Please note that the RPMs provided by the Samba-Team are known to be working and have
788	been validated. Red Hat Linux RPMs may be obtained from the Samba FTP sites. SUSE
789	Linux RPMs may be obtained from <a class="ulink" href="ftp://ftp.sernet.de" target="_top">Sernet</a> in
790	Germany.
791	</p><p>
792	From this point on, you are certain that the Samba-3 build you are using has the
793	necessary capabilities. You can now configure Samba-3 and the NSS.
794	</p></li><li><p>
795	Using you favorite editor, configure the <code class="filename">smb.conf</code> file that is located in the
796	<code class="filename">/etc/samba</code> directory so that it has the contents shown
797	in <a class="link" href="unixclients.html#ch9-adssdm" title="Example 7.7. Samba Domain Member smb.conf File for Active Directory Membership">“Samba Domain Member smb.conf File for Active Directory Membership”</a>.
798	</p></li><li><p>
799	Edit or create the NSS control file so it has the contents shown in <a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">“NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf”</a>.
800	</p></li><li><p>
801	<a class="indexterm" name="id2593723"></a>
802	Delete the file <code class="filename">/etc/samba/secrets.tdb</code> if it exists. Of course, you
803	do keep a backup, don't you?
804	</p></li><li><p>
805	Delete the tdb files that cache Samba information. You keep a backup of the old
806	files, of course. You also remove all files to ensure that nothing can pollute your
807	nice, new configuration. Execute the following (example is for SUSE Linux):
808	</p><pre class="screen">
809	<code class="prompt">root# </code> rm /var/lib/samba/*tdb
810	</pre><p>
811	</p></li><li><p>
812	<a class="indexterm" name="id2593767"></a>
813	Validate your <code class="filename">smb.conf</code> file using <code class="literal">testparm</code> (as you have
814	done previously). Correct all errors reported before proceeding. The command you
815	execute is:
816	</p><pre class="screen">
817	<code class="prompt">root# </code> testparm -s \| less
818	</pre><p>
819	Now that you are satisfied that your Samba server is ready to join the Windows
820	ADS domain, let's move on.
821	</p></li><li><p>
822	<a class="indexterm" name="id2593809"></a>
823	<a class="indexterm" name="id2593820"></a>
824	This is a good time to double-check everything and then execute the following
825	command when everything you have done has checked out okay:
826	</p><pre class="screen">
827	<code class="prompt">root# </code> net ads join -UAdministrator%not24get
828	Using short domain name -- LONDON
829	Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ'
830	</pre><p>
831	You have successfully made your Samba-3 server a member of the ADS domain
832	using Kerberos protocols.
833	</p><p>
834	<a class="indexterm" name="id2593848"></a>
835	<a class="indexterm" name="id2593855"></a>
836	In the event that you receive no output messages, a silent return means that the
837	domain join failed. You should use <code class="literal">ethereal</code> to identify what
838	may be failing. Common causes of a failed join include:
839
840	</p><div class="itemizedlist"><ul type="disc"><li><p>
841	<a class="indexterm" name="id2593876"></a>
842	Defective or misconfigured DNS name resolution.
843	</p></li><li><p>
844	<a class="indexterm" name="id2593891"></a>
845	Restrictive security settings on the Windows 200x ADS domain controller
846	preventing needed communications protocols. You can check this by searching
847	the Windows Server 200x Event Viewer.
848	</p></li><li><p>
849	Incorrectly configured <code class="filename">smb.conf</code> file settings.
850	</p></li><li><p>
851	Lack of support of necessary Kerberos protocols because the version of MIT
852	Kerberos (or Heimdal) in use is not up to date enough to support the necessary
853	functionality.
854	</p></li></ul></div><p>
855
856	<a class="indexterm" name="id2593922"></a>
857	<a class="indexterm" name="id2593933"></a>
858	<a class="indexterm" name="id2593940"></a>
859	In any case, never execute the <code class="literal">net rpc join</code> command in an attempt
860	to join the Samba server to the domain, unless you wish not to use the Kerberos
861	security protocols. Use of the older RPC-based domain join facility requires that
862	Windows Server 200x ADS has been configured appropriately for mixed mode operation.
863	</p></li><li><p>
864	<a class="indexterm" name="id2593965"></a>
865	<a class="indexterm" name="id2593971"></a>
866	If the <code class="literal">tdbdump</code> is installed on your system (not essential),
867	you can look inside the <code class="filename">/etc/samba/secrets.tdb</code> file. If
868	you wish to do this, execute:
869	</p><pre class="screen">
870	<code class="prompt">root# </code> tdbdump secrets.tdb
871	{
872	key = "SECRETS/SID/LONDON"
873	data = "\01\04\00\00\00\00\00\05\15\00\00\00\EBw\86\F1\ED\BD\
874	F6{\5C6\E5W\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\
875	00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\
876	00\00\00\00\00\00\00\00"
877	}
878	{
879	key = "SECRETS/MACHINE_PASSWORD/LONDON"
880	data = "le3Q5FPnN5.ueC\00"
881	}
882	{
883	key = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/LONDON"
884	data = "\02\00\00\00"
885	}
886	{
887	key = "SECRETS/MACHINE_LAST_CHANGE_TIME/LONDON"
888	data = "E\89\F6?"
889	}
890	</pre><p>
891	This is given to demonstrate to the skeptics that this process truly does work.
892	</p></li><li><p>
893	It is now time to start Samba in the usual way (as has been done many time before
894	in this book).
895	</p></li><li><p>
896	<a class="indexterm" name="id2594029"></a>
897	This is a good time to verify that everything is working. First, check that
898	winbind is able to obtain the list of users and groups from the ADS domain controller.
899	Execute the following:
900	</p><pre class="screen">
901	<code class="prompt">root# </code> wbinfo -u
902	LONDON+Administrator
903	LONDON+Guest
904	LONDON+SUPPORT_388945a0
905	LONDON+krbtgt
906	LONDON+jht
907	</pre><p>
908	Good, the list of users was obtained. Now do likewise for group accounts:
909	</p><pre class="screen">
910	<code class="prompt">root# </code> wbinfo -g
911	LONDON+Domain Computers
912	LONDON+Domain Controllers
913	LONDON+Schema Admins
914	LONDON+Enterprise Admins
915	LONDON+Domain Admins
916	LONDON+Domain Users
917	LONDON+Domain Guests
918	LONDON+Group Policy Creator Owners
919	LONDON+DnsUpdateProxy
920	</pre><p>
921	Excellent. That worked also, as expected.
922	</p></li><li><p><a class="indexterm" name="id2594075"></a>
923	Now repeat this via NSS to validate that full identity resolution is
924	functional as required. Execute:
925	</p><pre class="screen">
926	<code class="prompt">root# </code> getent passwd
927	...
928	LONDON+Administrator:x:10000:10000:Administrator:
929	/home/LONDON/administrator:/bin/bash
930	LONDON+Guest:x:10001:10001:Guest:
931	/home/LONDON/guest:/bin/bash
932	LONDON+SUPPORT_388945a0:x:10002:10000:SUPPORT_388945a0:
933	/home/LONDON/support_388945a0:/bin/bash
934	LONDON+krbtgt:x:10003:10000:krbtgt:
935	/home/LONDON/krbtgt:/bin/bash
936	LONDON+jht:x:10004:10000:John H. Terpstra:
937	/home/LONDON/jht:/bin/bash
938	</pre><p>
939	Okay, ADS user accounts are being resolved. Now you try group resolution:
940	</p><pre class="screen">
941	<code class="prompt">root# </code> getent group
942	...
943	LONDON+Domain Computers:x:10002:
944	LONDON+Domain Controllers:x:10003:
945	LONDON+Schema Admins:x:10004:LONDON+Administrator
946	LONDON+Enterprise Admins:x:10005:LONDON+Administrator
947	LONDON+Domain Admins:x:10006:LONDON+jht,LONDON+Administrator
948	LONDON+Domain Users:x:10000:
949	LONDON+Domain Guests:x:10001:
950	LONDON+Group Policy Creator Owners:x:10007:LONDON+Administrator
951	LONDON+DnsUpdateProxy:x:10008:
952	</pre><p>
953	This is very pleasing. Everything works as expected.
954	</p></li><li><p>
955	<a class="indexterm" name="id2594132"></a>
956	<a class="indexterm" name="id2594143"></a>
957	<a class="indexterm" name="id2594153"></a>
958	You may now perform final verification that communications between Samba-3 winbind and
959	the Active Directory server is using Kerberos protocols. Execute the following:
960	</p><pre class="screen">
961	<code class="prompt">root# </code> net ads info
962	LDAP server: 192.168.2.123
963	LDAP server name: w2k3s
964	Realm: LONDON.ABMAS.BIZ
965	Bind Path: dc=LONDON,dc=ABMAS,dc=BIZ
966	LDAP port: 389
967	Server time: Sat, 03 Jan 2004 02:44:44 GMT
968	KDC server: 192.168.2.123
969	Server time offset: 2
970	</pre><p>
971	It should be noted that Kerberos protocols are time-clock critical. You should
972	keep all server time clocks synchronized using the network time protocol (NTP).
973	In any case, the output we obtained confirms that all systems are operational.
974	</p></li><li><p>
975	<a class="indexterm" name="id2594189"></a>
976	There is one more action you elect to take, just because you are paranoid and disbelieving,
977	so you execute the following command:
978	</p><pre class="programlisting">
979	<code class="prompt">root# </code> net ads status -UAdministrator%not24get
980	objectClass: top
981	objectClass: person
982	objectClass: organizationalPerson
983	objectClass: user
984	objectClass: computer
985	cn: fran
986	distinguishedName: CN=fran,CN=Computers,DC=london,DC=abmas,DC=biz
987	instanceType: 4
988	whenCreated: 20040103092006.0Z
989	whenChanged: 20040103092006.0Z
990	uSNCreated: 28713
991	uSNChanged: 28717
992	name: fran
993	objectGUID: 58f89519-c467-49b9-acb0-f099d73696e
994	userAccountControl: 69632
995	badPwdCount: 0
996	codePage: 0
997	countryCode: 0
998	badPasswordTime: 0
999	lastLogoff: 0
1000	lastLogon: 127175965783327936
1001	localPolicyFlags: 0
1002	pwdLastSet: 127175952062598496
1003	primaryGroupID: 515
1004	objectSid: S-1-5-21-4052121579-2079768045-1474639452-1109
1005	accountExpires: 9223372036854775807
1006	logonCount: 13
1007	sAMAccountName: fran$
1008	sAMAccountType: 805306369
1009	operatingSystem: Samba
1010	operatingSystemVersion: 3.0.20-SUSE
1011	dNSHostName: fran
1012	userPrincipalName: HOST/fran@LONDON.ABMAS.BIZ
1013	servicePrincipalName: CIFS/fran.london.abmas.biz
1014	servicePrincipalName: CIFS/fran
1015	servicePrincipalName: HOST/fran.london.abmas.biz
1016	servicePrincipalName: HOST/fran
1017	objectCategory: CN=Computer,CN=Schema,CN=Configuration,
1018	DC=london,DC=abmas,DC=biz
1019	isCriticalSystemObject: FALSE
1020	-------------- Security Descriptor (revision: 1, type: 0x8c14)
1021	owner SID: S-1-5-21-4052121579-2079768045-1474639452-512
1022	group SID: S-1-5-21-4052121579-2079768045-1474639452-513
1023	------- (system) ACL (revision: 4, size: 120, number of ACEs: 2)
1024	------- ACE (type: 0x07, flags: 0x5a, size: 0x38,
1025	mask: 0x20, object flags: 0x3)
1026	access SID: S-1-1-0
1027	access type: AUDIT OBJECT
1028	Permissions:
1029	[Write All Properties]
1030	------- ACE (type: 0x07, flags: 0x5a, size: 0x38,
1031	mask: 0x20, object flags: 0x3)
1032	access SID: S-1-1-0
1033	access type: AUDIT OBJECT
1034	Permissions:
1035	[Write All Properties]
1036	------- (user) ACL (revision: 4, size: 1944, number of ACEs: 40)
1037	------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
1038	access SID: S-1-5-21-4052121579-2079768045-1474639452-512
1039	access type: ALLOWED
1040	Permissions: [Full Control]
1041	------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
1042	access SID: S-1-5-32-548
1043	...
1044	------- ACE (type: 0x05, flags: 0x12, size: 0x38,
1045	mask: 0x10, object flags: 0x3)
1046	access SID: S-1-5-9
1047	access type: ALLOWED OBJECT
1048	Permissions:
1049	[Read All Properties]
1050	-------------- End Of Security Descriptor
1051	</pre><p>
1052	And now you have conclusive proof that your Samba-3 ADS domain member server
1053	called <code class="constant">FRAN</code> is able to communicate fully with the ADS
1054	domain controllers.
1055	</p></li></ol></div><p>
1056	Your Samba-3 ADS domain member server is ready for use. During training sessions,
1057	you may be asked what is inside the <code class="filename">winbindd_cache.tdb and winbindd_idmap.tdb</code>
1058	files. Since curiosity just took hold of you, execute the following:
1059	</p><pre class="programlisting">
1060	<code class="prompt">root# </code> tdbdump /var/lib/samba/winbindd_idmap.tdb
1061	{
1062	key = "S-1-5-21-4052121579-2079768045-1474639452-501\00"
1063	data = "UID 10001\00"
1064	}
1065	{
1066	key = "UID 10005\00"
1067	data = "S-1-5-21-4052121579-2079768045-1474639452-1111\00"
1068	}
1069	{
1070	key = "GID 10004\00"
1071	data = "S-1-5-21-4052121579-2079768045-1474639452-518\00"
1072	}
1073	{
1074	key = "S-1-5-21-4052121579-2079768045-1474639452-502\00"
1075	data = "UID 10003\00"
1076	}
1077	...
1078
1079	<code class="prompt">root# </code> tdbdump /var/lib/samba/winbindd_cache.tdb
1080	{
1081	key = "UL/LONDON"
1082	data = "\00\00\00\00bp\00\00\06\00\00\00\0DAdministrator\0D
1083	Administrator-S-1-5-21-4052121579-2079768045-1474639452-500-
1084	S-1-5-21-4052121579-2079768045-1474639452-513\05Guest\05
1085	Guest-S-1-5-21-4052121579-2079768045-1474639452-501-
1086	S-1-5-21-4052121579-2079768045-1474639452-514\10
1087	SUPPORT_388945a0\10SUPPORT_388945a0.
1088	S-1-5-21-4052121579-2079768045-1474639452-1001-
1089	S-1-5-21-4052121579-2079768045-1474639452-513\06krbtgt\06
1090	krbtgt-S-1-5-21-4052121579-2079768045-1474639452-502-
1091	S-1-5-21-4052121579-2079768045-1474639452-513\03jht\10
1092	John H. Terpstra.S-1-5-21-4052121579-2079768045-1474639452-1110-
1093	S-1-5-21-4052121579-2079768045-1474639452-513"
1094	}
1095	{
1096	key = "GM/S-1-5-21-4052121579-2079768045-1474639452-512"
1097	data = "\00\00\00\00bp\00\00\02\00\00\00.
1098	S-1-5-21-4052121579-2079768045-1474639452-1110\03
1099	jht\01\00\00\00-S-1-5-21-4052121579-2079768045-1474639452-500\0D
1100	Administrator\01\00\00\00"
1101	}
1102	{
1103	key = "SN/S-1-5-21-4052121579-2079768045-1474639452-513"
1104	data = "\00\00\00\00xp\00\00\02\00\00\00\0CDomain Users"
1105	}
1106	{
1107	key = "GM/S-1-5-21-4052121579-2079768045-1474639452-518"
1108	data = "\00\00\00\00bp\00\00\01\00\00\00-
1109	S-1-5-21-4052121579-2079768045-1474639452-500\0D
1110	Administrator\01\00\00\00"
1111	}
1112	{
1113	key = "SEQNUM/LONDON\00"
1114	data = "xp\00\00C\92\F6?"
1115	}
1116	{
1117	key = "U/S-1-5-21-4052121579-2079768045-1474639452-1110"
1118	data = "\00\00\00\00xp\00\00\03jht\10John H. Terpstra.
1119	S-1-5-21-4052121579-2079768045-1474639452-1110-
1120	S-1-5-21-4052121579-2079768045-1474639452-513"
1121	}
1122	{
1123	key = "NS/S-1-5-21-4052121579-2079768045-1474639452-502"
1124	data = "\00\00\00\00bp\00\00-
1125	S-1-5-21-4052121579-2079768045-1474639452-502"
1126	}
1127	{
1128	key = "SN/S-1-5-21-4052121579-2079768045-1474639452-1001"
1129	data = "\00\00\00\00bp\00\00\01\00\00\00\10SUPPORT_388945a0"
1130	}
1131	{
1132	key = "SN/S-1-5-21-4052121579-2079768045-1474639452-500"
1133	data = "\00\00\00\00bp\00\00\01\00\00\00\0DAdministrator"
1134	}
1135	{
1136	key = "U/S-1-5-21-4052121579-2079768045-1474639452-502"
1137	data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt-
1138	S-1-5-21-4052121579-2079768045-1474639452-502-
1139	S-1-5-21-4052121579-2079768045-1474639452-513"
1140	}
1141	....
1142	</pre><p>
1143	Now all is revealed. Your curiosity, as well as that of your team, has been put at ease.
1144	May this server serve well all who happen upon it.
1145	</p><div class="example"><a name="ch9-adssdm"></a><p class="title"><b>Example 7.7. Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2594410"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2594422"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id2594433"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2594445"></a><em class="parameter"><code>server string = Samba 3.0.20</code></em></td></tr><tr><td><a class="indexterm" name="id2594457"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2594469"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2594481"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2594492"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2594504"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2594516"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2594527"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2594539"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2594551"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2594562"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2594574"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2594586"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2594598"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2594610"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2594631"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2594642"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2594654"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2594666"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2594686"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2594698"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2594710"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2594721"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2594733"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2594753"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2594765"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2594777"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2594789"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2594802"></a>IDMAP_RID with Winbind</h4></div></div></div><p>
1146	<a class="indexterm" name="id2594810"></a>
1147	<a class="indexterm" name="id2594816"></a>
1148	<a class="indexterm" name="id2594823"></a>
1149	<a class="indexterm" name="id2594830"></a>
1150	The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a
1151	predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
1152	of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data
1153	in a central place. The downside is that it can be used only within a single ADS domain and
1154	is not compatible with trusted domain implementations.
1155	</p><p>
1156	<a class="indexterm" name="id2594853"></a>
1157	<a class="indexterm" name="id2594860"></a>
1158	<a class="indexterm" name="id2594867"></a>
1159	<a class="indexterm" name="id2594874"></a>
1160	This alternate method of SID to UID/GID mapping can be achieved with the idmap_rid
1161	plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
1162	RID to a base value specified. This utility requires that the parameter
1163	“<span class="quote">allow trusted domains = No</span>” must be specified, as it is not compatible
1164	with multiple domain environments. The <em class="parameter"><code>idmap uid</code></em> and
1165	<em class="parameter"><code>idmap gid</code></em> ranges must be specified.
1166	</p><p>
1167	<a class="indexterm" name="id2594906"></a>
1168	<a class="indexterm" name="id2594913"></a>
1169	The idmap_rid facility can be used both for NT4/Samba-style domains as well as with Active Directory.
1170	To use this with an NT4 domain, the <em class="parameter"><code>realm</code></em> is not used. Additionally the
1171	method used to join the domain uses the <code class="constant">net rpc join</code> process.
1172	</p><p>
1173	An example <code class="filename">smb.conf</code> file for an ADS domain environment is shown in <a class="link" href="unixclients.html#sbe-idmapridex" title="Example 7.8. Example smb.conf File Using idmap_rid">“Example smb.conf File Using idmap_rid”</a>.
1174	</p><div class="example"><a name="sbe-idmapridex"></a><p class="title"><b>Example 7.8. Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2594988"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id2594999"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id2595011"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2595023"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id2595035"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2595046"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id2595058"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2595071"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2595082"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2595094"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2595106"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2595118"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id2595130"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a class="indexterm" name="id2595142"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2595154"></a><em class="parameter"><code>printer admin = "KPAK\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
1175	<a class="indexterm" name="id2595169"></a>
1176	<a class="indexterm" name="id2595176"></a>
1177	<a class="indexterm" name="id2595183"></a>
1178	<a class="indexterm" name="id2595190"></a>
1179	In a large domain with many users, it is imperative to disable enumeration of users and groups.
1180	For example, at a site that has 22,000 users in Active Directory the winbind-based user and
1181	group resolution is unavailable for nearly 12 minutes following first start-up of
1182	<code class="literal">winbind</code>. Disabling of such enumeration results in instantaneous response.
1183	The disabling of user and group enumeration means that it will not be possible to list users
1184	or groups using the <code class="literal">getent passwd</code> and <code class="literal">getent group</code>
1185	commands. It will be possible to perform the lookup for individual users, as shown in the procedure
1186	below.
1187	</p><p>
1188	<a class="indexterm" name="id2595229"></a>
1189	<a class="indexterm" name="id2595235"></a>
1190	The use of this tool requires configuration of NSS as per the native use of winbind. Edit the
1191	<code class="filename">/etc/nsswitch.conf</code> so it has the following parameters:
1192	</p><pre class="screen">
1193	...
1194	passwd: files winbind
1195	shadow: files winbind
1196	group: files winbind
1197	...
1198	hosts: files wins
1199	...
1200	</pre><p>
1201	</p><p>
1202	The following procedure can be used to utilize the idmap_rid facility:
1203	</p><div class="procedure"><ol type="1"><li><p>
1204	Create or install and <code class="filename">smb.conf</code> file with the above configuration.
1205	</p></li><li><p>
1206	Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
1207	</p></li><li><p>
1208	Execute:
1209	</p><pre class="screen">
1210	<code class="prompt">root# </code> net ads join -UAdministrator%password
1211	Using short domain name -- KPAK
1212	Joined 'BIGJOE' to realm 'CORP.KPAK.COM'
1213	</pre><p>
1214	</p><p>
1215	<a class="indexterm" name="id2595317"></a>
1216	An invalid or failed join can be detected by executing:
1217	</p><pre class="screen">
1218	<code class="prompt">root# </code> net ads testjoin
1219	BIGJOE$@'s password:
1220	[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
1221	ads_connect: No results returned
1222	Join to domain is not valid
1223	</pre><p>
1224	The specific error message may differ from the above because it depends on the type of failure that
1225	may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the above test,
1226	and then examine the log files produced to identify the nature of the failure.
1227	</p></li><li><p>
1228	Start the <code class="literal">nmbd</code>, <code class="literal">winbind,</code> and <code class="literal">smbd</code> daemons in the order shown.
1229	</p></li><li><p>
1230	Validate the operation of this configuration by executing:
1231	<a class="indexterm" name="id2595384"></a>
1232	</p><pre class="screen">
1233	<code class="prompt">root# </code> getent passwd administrator
1234	administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
1235	</pre><p>
1236	</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2595406"></a>IDMAP Storage in LDAP using Winbind</h4></div></div></div><p>
1237	<a class="indexterm" name="id2595414"></a>
1238	<a class="indexterm" name="id2595421"></a>
1239	The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains as well as
1240	with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant
1241	LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using
1242	the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on.
1243	</p><p>
1244	The example in <a class="link" href="unixclients.html#sbeunxa" title="Example 7.9. Typical ADS Style Domain smb.conf File">“Typical ADS Style Domain smb.conf File”</a> is for an ADS-style domain.
1245	</p><div class="example"><a name="sbeunxa"></a><p class="title"><b>Example 7.9. Typical ADS Style Domain <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2595481"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id2595492"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id2595504"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2595516"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2595528"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2595540"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id2595552"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2595564"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2595576"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2595588"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id2595600"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2595612"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2595623"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2595635"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
1246	<a class="indexterm" name="id2595651"></a>
1247	In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the
1248	command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates
1249	advanced error reporting techniques that are documented in the chapter called "Reporting Bugs" in
1250	“<span class="quote">The Official Samba-3 HOWTO and Reference Guide, Second Edition</span>” (TOSHARG2).
1251	</p><p>
1252	<a class="indexterm" name="id2595682"></a>
1253	<a class="indexterm" name="id2595689"></a>
1254	<a class="indexterm" name="id2595696"></a>
1255	Where MIT kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code>
1256	file so it has the following contents:
1257	</p><pre class="screen">
1258	[logging]
1259	default = FILE:/var/log/krb5libs.log
1260	kdc = FILE:/var/log/krb5kdc.log
1261	admin_server = FILE:/var/log/kadmind.log
1262
1263	[libdefaults]
1264	default_realm = SNOWSHOW.COM
1265	dns_lookup_realm = false
1266	dns_lookup_kdc = true
1267
1268	[appdefaults]
1269	pam = {
1270	debug = false
1271	ticket_lifetime = 36000
1272	renew_lifetime = 36000
1273	forwardable = true
1274	krb4_convert = false
1275	}
1276	</pre><p>
1277	</p><p>
1278	Where Heimdal kerberos is installed, edit the <code class="filename">/etc/krb5.conf</code>
1279	file so it is either empty (i.e., no contents) or it has the following contents:
1280	</p><pre class="screen">
1281	[libdefaults]
1282	default_realm = SNOWSHOW.COM
1283	clockskew = 300
1284
1285	[realms]
1286	SNOWSHOW.COM = {
1287	kdc = ADSDC.SHOWSHOW.COM
1288	}
1289
1290	[domain_realm]
1291	.snowshow.com = SNOWSHOW.COM
1292	</pre><p>
1293	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1294	Samba cannot use the Heimdal libraries if there is no <code class="filename">/etc/krb5.conf</code> file.
1295	So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no
1296	need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically.
1297	</p></div><p>
1298	Edit the NSS control file <code class="filename">/etc/nsswitch.conf</code> so it has the following entries:
1299	</p><pre class="screen">
1300	...
1301	passwd: files ldap
1302	shadow: files ldap
1303	group: files ldap
1304	...
1305	hosts: files wins
1306	...
1307	</pre><p>
1308	</p><p>
1309	<a class="indexterm" name="id2595780"></a>
1310	<a class="indexterm" name="id2595787"></a>
1311	You will need the <a class="ulink" href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code>
1312	tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has
1313	the information needed. The following is an example of a working file:
1314	</p><pre class="screen">
1315	host 192.168.2.1
1316	base dc=snowshow,dc=com
1317	binddn cn=Manager,dc=snowshow,dc=com
1318	bindpw not24get
1319
1320	pam_password exop
1321
1322	nss_base_passwd ou=People,dc=snowshow,dc=com?one
1323	nss_base_shadow ou=People,dc=snowshow,dc=com?one
1324	nss_base_group ou=Groups,dc=snowshow,dc=com?one
1325	ssl no
1326	</pre><p>
1327	</p><p>
1328	The following procedure may be followed to affect a working configuration:
1329	</p><div class="procedure"><ol type="1"><li><p>
1330	Configure the <code class="filename">smb.conf</code> file as shown above.
1331	</p></li><li><p>
1332	Create the <code class="filename">/etc/krb5.conf</code> file following the indications above.
1333	</p></li><li><p>
1334	Configure the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
1335	</p></li><li><p>
1336	Download, build, and install the PADL nss_ldap tool set. Configure the
1337	<code class="filename">/etc/ldap.conf</code> file as shown above.
1338	</p></li><li><p>
1339	Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP
1340	as shown in the following LDIF file:
1341	</p><pre class="screen">
1342	dn: dc=snowshow,dc=com
1343	objectClass: dcObject
1344	objectClass: organization
1345	dc: snowshow
1346	o: The Greatest Snow Show in Singapore.
1347	description: Posix and Samba LDAP Identity Database
1348
1349	dn: cn=Manager,dc=snowshow,dc=com
1350	objectClass: organizationalRole
1351	cn: Manager
1352	description: Directory Manager
1353
1354	dn: ou=Idmap,dc=snowshow,dc=com
1355	objectClass: organizationalUnit
1356	ou: idmap
1357	</pre><p>
1358	</p></li><li><p>
1359	Execute the command to join the Samba domain member server to the ADS domain as shown here:
1360	</p><pre class="screen">
1361	<code class="prompt">root# </code> net ads testjoin
1362	Using short domain name -- SNOWSHOW
1363	Joined 'GOODELF' to realm 'SNOWSHOW.COM'
1364	</pre><p>
1365	</p></li><li><p>
1366	Store the LDAP server access password in the Samba <code class="filename">secrets.tdb</code> file as follows:
1367	</p><pre class="screen">
1368	<code class="prompt">root# </code> smbpasswd -w not24get
1369	</pre><p>
1370	</p></li><li><p>
1371	Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
1372	</p></li></ol></div><p>
1373	<a class="indexterm" name="id2595987"></a>
1374	Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join.
1375	In many cases a failure is indicated by a silent return to the command prompt with no indication of the
1376	reason for failure.
1377	</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596001"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h4></div></div></div><p>
1378	<a class="indexterm" name="id2596010"></a>
1379	<a class="indexterm" name="id2596016"></a>
1380	The use of this method is messy. The information provided in this section is for guidance only
1381	and is very definitely not complete. This method does work; it is used in a number of large sites
1382	and has an acceptable level of performance.
1383	</p><p>
1384	An example <code class="filename">smb.conf</code> file is shown in <a class="link" href="unixclients.html#sbewinbindex" title="Example 7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File">“ADS Membership Using RFC2307bis Identity Resolution smb.conf File”</a>.
1385	</p><div class="example"><a name="sbewinbindex"></a><p class="title"><b>Example 7.10. ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2596079"></a><em class="parameter"><code>workgroup = BUBBAH</code></em></td></tr><tr><td><a class="indexterm" name="id2596091"></a><em class="parameter"><code>netbios name = MADMAX</code></em></td></tr><tr><td><a class="indexterm" name="id2596103"></a><em class="parameter"><code>realm = BUBBAH.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2596114"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2596126"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2596138"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2596150"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2596161"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2596173"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2596185"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2596198"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
1386	<a class="indexterm" name="id2596213"></a>
1387	The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
1388	to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the
1389	following:
1390	</p><pre class="screen">
1391	./configure --enable-rfc2307bis --enable-schema-mapping
1392	make install
1393	</pre><p>
1394	</p><p>
1395	<a class="indexterm" name="id2596234"></a>
1396	The following <code class="filename">/etc/nsswitch.conf</code> file contents are required:
1397	</p><pre class="screen">
1398	...
1399	passwd: files ldap
1400	shadow: files ldap
1401	group: files ldap
1402	...
1403	hosts: files wins
1404	...
1405	</pre><p>
1406	</p><p>
1407	<a class="indexterm" name="id2596258"></a>
1408	<a class="indexterm" name="id2596265"></a>
1409	The <code class="filename">/etc/ldap.conf</code> file must be configured also. Refer to the PADL documentation
1410	and source code for nss_ldap instructions.
1411	</p><p>
1412	The next step involves preparation on the ADS schema. This is briefly discussed in the remaining
1413	part of this chapter.
1414	</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2596287"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h5></div></div></div><p>
1415	<a class="indexterm" name="id2596295"></a>
1416	The Microsoft Windows Service for UNIX version 3.5 is available for free
1417	<a class="ulink" href="http://www.microsoft.com/windows/sfu/" target="_top">download</a>
1418	from the Microsoft Web site. You will need to download this tool and install it following
1419	Microsoft instructions.
1420	</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2596315"></a>IDMAP, Active Directory, and AD4UNIX</h5></div></div></div><p>
1421	Instructions for obtaining and installing the AD4UNIX tool set can be found from the
1422	<a class="ulink" href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top">
1423	Geekcomix</a> Web site.
1424	</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596338"></a>UNIX/Linux Client Domain Member</h3></div></div></div><p><a class="indexterm" name="id2596345"></a>
1425	So far this chapter has been mainly concerned with the provision of file and print
1426	services for domain member servers. However, an increasing number of UNIX/Linux
1427	workstations are being installed that do not act as file or print servers to anyone
1428	other than a single desktop user. The key demand for desktop systems is to be able
1429	to log onto any UNIX/Linux or Windows desktop using the same network user credentials.
1430	</p><p><a class="indexterm" name="id2596363"></a>
1431	The ability to use a common set of user credential across a variety of network systems
1432	is generally regarded as a single sign-on (SSO) solution. SSO systems are sold by a
1433	large number of vendors and include a range of technologies such as:
1434	</p><div class="itemizedlist"><ul type="disc"><li><p>
1435	Proxy sign-on
1436	</p></li><li><p>
1437	Federated directory provisioning
1438	</p></li><li><p>
1439	Metadirectory server solutions
1440	</p></li><li><p>
1441	Replacement authentication systems
1442	</p></li></ul></div><p><a class="indexterm" name="id2596405"></a>
1443	There are really four solutions that provide integrated authentication and
1444	user identity management facilities:
1445	</p><div class="itemizedlist"><ul type="disc"><li><p>
1446	Samba winbind (free). Samba-3.0.20 introduced a complete replacement for Winbind that now
1447	provides a greater level of scalability in large ADS environments.
1448	</p></li><li><p>
1449	<a class="ulink" href="http://www.padl.com" target="_top">PADL</a> PAM and LDAP tools (free).
1450	</p></li><li><p>
1451	<a class="ulink" href="http://www.vintela.com" target="_top">Vintela</a> Authentication Services (commercial).
1452	</p></li><li><p>
1453	<a class="ulink" href="http://www.centrify.com" target="_top">Centrify</a> DirectControl (commercial).
1454	Centrify's commercial product allows UNIX and Linux systems to use Active Directory
1455	security, directory and policy services. Enhancements include a centralized ID mapping that
1456	allows Samba, DirectControl and Active Directory to seamlessly work together.
1457	</p></li></ul></div><p>
1458	The following guidelines are pertinent to the deployment of winbind-based authentication
1459	and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops
1460	using Windows network domain user credentials (username and password).
1461	</p><p>
1462	You should note that it is possible to use LDAP-based PAM and NSS tools to permit distributed
1463	systems logons (SSO), providing user and group accounts are stored in an LDAP directory. This
1464	provides logon services for UNIX/Linux users, while Windows users obtain their sign-on
1465	support via Samba-3.
1466	</p><p>
1467	<a class="indexterm" name="id2596484"></a>
1468	On the other hand, if the authentication and identity resolution backend must be provided by
1469	a Windows NT4-style domain or from an Active Directory Domain that does not have the Microsoft
1470	Windows Services for UNIX installed, winbind is your best friend. Specific guidance for these
1471	situations now follows.
1472	</p><p>
1473	<a class="indexterm" name="id2596502"></a>
1474	<a class="indexterm" name="id2596509"></a>
1475	<a class="indexterm" name="id2596516"></a>
1476	To permit users to log on to a Linux system using Windows network credentials, you need to
1477	configure identity resolution (NSS) and PAM. This means that the basic steps include those
1478	outlined above with the addition of PAM configuration. Given that most workstations (desktop/client)
1479	usually do not need to provide file and print services to a group of users, the configuration
1480	of shares and printers is generally less important. Often this allows the share specifications
1481	to be entirely removed from the <code class="filename">smb.conf</code> file. That is obviously an administrator decision.
1482	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596539"></a>NT4 Domain Member</h4></div></div></div><p>
1483	The following steps provide a Linux system that users can log onto using
1484	Windows NT4 (or Samba-3) domain network credentials:
1485	</p><div class="procedure"><ol type="1"><li><p>
1486	Follow the steps outlined in <a class="link" href="unixclients.html#wdcsdm" title="NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind">“NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind”</a> and ensure that
1487	all validation tests function as shown.
1488	</p></li><li><p>
1489	Identify what services users must log on to. On Red Hat Linux, if it is
1490	intended that the user shall be given access to all services, it may be
1491	most expeditious to simply configure the file
1492	<code class="filename">/etc/pam.d/system-auth</code>.
1493	</p></li><li><p>
1494	Carefully make a backup copy of all PAM configuration files before you
1495	begin making changes. If you break the PAM configuration, please note
1496	that you may need to use an emergency boot process to recover your Linux
1497	system. It is possible to break the ability to log into the system if
1498	PAM files are incorrectly configured. The entire directory
1499	<code class="filename">/etc/pam.d</code> should be backed up to a safe location.
1500	</p></li><li><p>
1501	If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code>
1502	so it matches <a class="link" href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">“SUSE: PAM login Module Using Winbind”</a>.
1503	</p></li><li><p>
1504	To provide the ability to log onto the graphical desktop interface, you must edit
1505	the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the
1506	<code class="filename">/etc/pam.d</code> directory.
1507	</p></li><li><p>
1508	Edit only one file at a time. Carefully validate its operation before attempting
1509	to reboot the machine.
1510	</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596661"></a>ADS Domain Member</h4></div></div></div><p>
1511	This procedure should be followed to permit a Linux network client (workstation/desktop)
1512	to permit users to log on using Microsoft Active Directory-based user credentials.
1513	</p><div class="procedure"><ol type="1"><li><p>
1514	Follow the steps outlined in <a class="link" href="unixclients.html#adssdm" title="Active Directory Domain with Samba Domain Member Server">“Active Directory Domain with Samba Domain Member Server”</a> and ensure that
1515	all validation tests function as shown.
1516	</p></li><li><p>
1517	Identify what services users must log on to. On Red Hat Linux, if it is
1518	intended that the user shall be given access to all services, it may be
1519	most expeditious to simply configure the file
1520	<code class="filename">/etc/pam.d/system-auth</code> as shown in <a class="link" href="unixclients.html#ch9-rhsysauth" title="Example 7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind">“Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind”</a>.
1521	</p></li><li><p>
1522	Carefully make a backup copy of all PAM configuration files before you
1523	begin making changes. If you break the PAM configuration, please note
1524	that you may need to use an emergency boot process to recover your Linux
1525	system. It is possible to break the ability to log into the system if
1526	PAM files are incorrectly configured. The entire directory
1527	<code class="filename">/etc/pam.d</code> should be backed up to a safe location.
1528	</p></li><li><p>
1529	If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code>
1530	so it matches <a class="link" href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">“SUSE: PAM login Module Using Winbind”</a>.
1531	</p></li><li><p>
1532	To provide the ability to log onto the graphical desktop interface, you must edit
1533	the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the
1534	<code class="filename">/etc/pam.d</code> directory.
1535	</p></li><li><p>
1536	Edit only one file at a time. Carefully validate its operation before attempting
1537	to reboot the machine.
1538	</p></li></ol></div></div><div class="example"><a name="ch9-pamwnbdlogin"></a><p class="title"><b>Example 7.11. SUSE: PAM <code class="filename">login</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen">
1539	# /etc/pam.d/login
1540
1541	#%PAM-1.0
1542	auth sufficient pam_unix2.so nullok
1543	auth sufficient pam_winbind.so use_first_pass use_authtok
1544	auth required pam_securetty.so
1545	auth required pam_nologin.so
1546	auth required pam_env.so
1547	auth required pam_mail.so
1548	account sufficient pam_unix2.so
1549	account sufficient pam_winbind.so user_first_pass use_authtok
1550	password required pam_pwcheck.so nullok
1551	password sufficient pam_unix2.so nullok use_first_pass use_authtok
1552	password sufficient pam_winbind.so use_first_pass use_authtok
1553	session sufficient pam_unix2.so none
1554	session sufficient pam_winbind.so use_first_pass use_authtok
1555	session required pam_limits.so
1556	</pre></div></div><br class="example-break"><div class="example"><a name="ch9-pamwbndxdm"></a><p class="title"><b>Example 7.12. SUSE: PAM <code class="filename">xdm</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen">
1557	# /etc/pam.d/gdm (/etc/pam.d/xdm)
1558
1559	#%PAM-1.0
1560	auth sufficient pam_unix2.so nullok
1561	auth sufficient pam_winbind.so use_first_pass use_authtok
1562	account sufficient pam_unix2.so
1563	account sufficient pam_winbind.so use_first_pass use_authtok
1564	password sufficient pam_unix2.so
1565	password sufficient pam_winbind.so use_first_pass use_authtok
1566	session sufficient pam_unix2.so
1567	session sufficient pam_winbind.so use_first_pass use_authtok
1568	session required pam_dev perm.so
1569	session required pam_resmgr.so
1570	</pre></div></div><br class="example-break"><div class="example"><a name="ch9-rhsysauth"></a><p class="title"><b>Example 7.13. Red Hat 9: PAM System Authentication File: <code class="filename">/etc/pam.d/system-auth</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen">
1571	#%PAM-1.0
1572	auth required /lib/security/$ISA/pam_env.so
1573	auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
1574	auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
1575	auth required /lib/security/$ISA/pam_deny.so
1576
1577	account required /lib/security/$ISA/pam_unix.so
1578	account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
1579
1580	password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
1581	# Note: The above line is complete. There is nothing following the '='
1582	password sufficient /lib/security/$ISA/pam_unix.so \
1583	nullok use_authtok md5 shadow
1584	password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
1585	password required /lib/security/$ISA/pam_deny.so
1586
1587	session required /lib/security/$ISA/pam_limits.so
1588	session sufficient /lib/security/$ISA/pam_unix.so
1589	session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
1590	</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596913"></a>Key Points Learned</h3></div></div></div><p>
1591	The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you
1592	learned how to integrate such servers so that the UID/GID mappings they use can be consistent
1593	across all domain member servers. You also discovered how to implement the ability to use Samba
1594	or Windows domain account credentials to log on to a UNIX/Linux client.
1595	</p><p>
1596	The following are key points made in this chapter:
1597	</p><div class="itemizedlist"><ul type="disc"><li><p>
1598	Domain controllers are always authoritative for the domain.
1599	</p></li><li><p>
1600	Domain members may have local accounts and must be able to resolve the identity of
1601	domain user accounts. Domain user account identity must map to a local UID/GID. That
1602	local UID/GID can be stored in LDAP. This way, it is possible to share the IDMAP data
1603	across all domain member machines.
1604	</p></li><li><p>
1605	Resolution of user and group identities on domain member machines may be implemented
1606	using direct LDAP services or using winbind.
1607	</p></li><li><p>
1608	On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for identity management
1609	and PAM is responsible for authentication of logon credentials (username and password).
1610	</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596967"></a>Questions and Answers</h2></div></div></div><p>
1611	The following questions were obtained from the mailing list and also from private discussions
1612	with Windows network administrators.
1613	</p><div class="qandaset"><dl><dt> <a href="unixclients.html#id2596985">
1614	We use NIS for all UNIX accounts. Why do we need winbind?
1615	</a></dt><dt> <a href="unixclients.html#id2597100">
1616	Our IT management people do not like LDAP but are looking at Microsoft Active Directory.
1617	Which is better?
1618	</a></dt><dt> <a href="unixclients.html#id2597184">
1619	We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible
1620	to use NIS in place of LDAP?
1621	</a></dt><dt> <a href="unixclients.html#id2597295">
1622	Are you suggesting that users should not log on to a domain member server? If so, why?
1623	</a></dt><dt> <a href="unixclients.html#id2597423">
1624	We want to ensure that only users from our own domain plus from trusted domains can use our
1625	Samba servers. In the smb.conf file on all servers, we have enabled the winbind
1626	trusted domains only parameter. We now find that users from trusted domains
1627	cannot access our servers, and users from Windows clients that are not domain members
1628	can also access our servers. Is this a Samba bug?
1629	</a></dt><dt> <a href="unixclients.html#id2597598">
1630	What are the benefits of using LDAP for my domain member servers?
1631	</a></dt><dt> <a href="unixclients.html#id2597781">
1632	Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
1633	my DNS configuration?
1634	</a></dt><dt> <a href="unixclients.html#id2597939">
1635	Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we
1636	use Samba-3 with that configuration?
1637	</a></dt><dt> <a href="unixclients.html#id2597958">
1638	When I tried to execute net ads join, I got no output. It did not work, so
1639	I think that it failed. I then executed net rpc join and that worked fine.
1640	That is okay, isn't it?
1641	</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2596985"></a><a name="id2596987"></a></td><td align="left" valign="top"><p>
1642	We use NIS for all UNIX accounts. Why do we need winbind?
1643	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1644	<a class="indexterm" name="id2596999"></a>
1645	<a class="indexterm" name="id2597006"></a>
1646	<a class="indexterm" name="id2597012"></a>
1647	<a class="indexterm" name="id2597019"></a>
1648	<a class="indexterm" name="id2597026"></a>
1649	<a class="indexterm" name="id2597033"></a>
1650	You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted
1651	passwords that need to be stored in one of the acceptable passdb backends.
1652	Your choice of backend is limited to <em class="parameter"><code>smbpasswd</code></em> or
1653	<em class="parameter"><code>tdbsam</code></em>. Winbind is needed to handle the resolution of
1654	SIDs from trusted domains to local UID/GID values.
1655	</p><p>
1656	<a class="indexterm" name="id2597060"></a>
1657	<a class="indexterm" name="id2597067"></a>
1658	On a domain member server, you effectively map Windows domain users to local users
1659	that are in your NIS database by specifying the <em class="parameter"><code>winbind trusted domains
1660	only</code></em>. This causes user and group account lookups to be routed via
1661	the <code class="literal">getpwnam()</code> family of systems calls. On an NIS-enabled client,
1662	this pushes the resolution of users and groups out through NIS.
1663	</p><p>
1664	As a general rule, it is always a good idea to run winbind on all Samba servers.
1665	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597100"></a><a name="id2597102"></a></td><td align="left" valign="top"><p>
1666	Our IT management people do not like LDAP but are looking at Microsoft Active Directory.
1667	Which is better?<a class="indexterm" name="id2597108"></a>
1668	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597123"></a><a class="indexterm" name="id2597134"></a><a class="indexterm" name="id2597142"></a>
1669	Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos
1670	infrastructure. Most IT managers who object to LDAP do so because
1671	an LDAP server is most often supplied as a raw tool that needs to be configured and
1672	for which the administrator must create the schema, create the administration tools, and
1673	devise the backup and recovery facilities in a site-dependent manner. LDAP servers
1674	in general are seen as a high-energy, high-risk facility.
1675	</p><p><a class="indexterm" name="id2597161"></a>
1676	Microsoft Active Directory by comparison is easy to install and configure and
1677	is supplied with all tools necessary to implement and manage the directory. For sites
1678	that lack a lot of technical competence, Active Directory is a good choice. For sites
1679	that have the technical competence to handle Active Directory well, LDAP is a good
1680	alternative. The real issue is, What type of solution does
1681	the site want? If management wants a choice to use an alternative, they may want to
1682	consider the options. On the other hand, if management just wants a solution that works,
1683	Microsoft Active Directory is a good solution.
1684	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597184"></a><a name="id2597186"></a></td><td align="left" valign="top"><p>
1685	We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible
1686	to use NIS in place of LDAP?
1687	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597198"></a><a class="indexterm" name="id2597206"></a><a class="indexterm" name="id2597213"></a><a class="indexterm" name="id2597221"></a><a class="indexterm" name="id2597229"></a><a class="indexterm" name="id2597238"></a><a class="indexterm" name="id2597245"></a>
1688	Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping
1689	the Windows (SMB) encrypted passwords database correctly synchronized across the entire
1690	network. Workstations (Windows client machines) periodically change their domain
1691	membership secure account password. How can you keep changes that are on remote BDCs
1692	synchronized on the PDC?
1693	</p><p><a class="indexterm" name="id2597262"></a><a class="indexterm" name="id2597270"></a><a class="indexterm" name="id2597278"></a>
1694	LDAP is a more elegant solution because it permits centralized storage and management
1695	of all network identities (user, group, and machine accounts) together with all information
1696	Samba needs to provide to network clients and their users.
1697	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597295"></a><a name="id2597297"></a></td><td align="left" valign="top"><p>
1698	Are you suggesting that users should not log on to a domain member server? If so, why?
1699	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597308"></a><a class="indexterm" name="id2597316"></a><a class="indexterm" name="id2597328"></a>
1700	Many UNIX administrators mock the model that the personal computer industry has adopted
1701	as normative since the early days of Novell NetWare. The old
1702	perception of the necessity to keep users off file and print servers was a result of
1703	fears concerning the security and integrity of data. It was a simple and generally
1704	effective measure to keep users away from servers, except through mapped drives.
1705	</p><p><a class="indexterm" name="id2597353"></a><a class="indexterm" name="id2597360"></a><a class="indexterm" name="id2597368"></a><a class="indexterm" name="id2597376"></a><a class="indexterm" name="id2597384"></a>
1706	UNIX administrators are fully correct in asserting that UNIX servers and workstations
1707	are identical in terms of the software that is installed. They correctly assert that
1708	in a well-secured environment it is safe to store files on a system that has hundreds
1709	of users. But all network administrators must factor into the decision to allow or
1710	reject general user logins to a UNIX system that is principally a file and print
1711	server the risk to operations through simple user errors.
1712	Only then can one begin to appraise the best strategy and adopt a site-specific
1713	policy that best protects the needs of users and of the organization alike.
1714	</p><p><a class="indexterm" name="id2597406"></a>
1715	From experience, it is my recommendation to keep general system-level logins to a
1716	practical minimum and to eliminate them if possible. This should not be taken as a
1717	hard rule, though. The better question is, what works best for the site?
1718	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597423"></a><a name="id2597425"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2597428"></a><a class="indexterm" name="id2597436"></a><a class="indexterm" name="id2597447"></a><a class="indexterm" name="id2597456"></a>
1719	We want to ensure that only users from our own domain plus from trusted domains can use our
1720	Samba servers. In the <code class="filename">smb.conf</code> file on all servers, we have enabled the <em class="parameter"><code>winbind
1721	trusted domains only</code></em> parameter. We now find that users from trusted domains
1722	cannot access our servers, and users from Windows clients that are not domain members
1723	can also access our servers. Is this a Samba bug?
1724	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597488"></a><a class="indexterm" name="id2597496"></a><a class="indexterm" name="id2597504"></a><a class="indexterm" name="id2597512"></a><a class="indexterm" name="id2597520"></a><a class="indexterm" name="id2597527"></a>
1725	The manual page for this <em class="parameter"><code>winbind trusted domains only</code></em> parameter says,
1726	“<span class="quote">This parameter is designed to allow Samba servers that are members of a Samba-controlled
1727	domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users
1728	in the hosts primary domain. Therefore, the user <code class="constant">SAMBA\user1</code> would be
1729	mapped to the account <code class="constant">user1</code> in <code class="filename">/etc/passwd</code> instead
1730	of allocating a new UID for him or her.</span>” This clearly suggests that you are trying
1731	to use this parameter inappropriately.
1732	</p><p><a class="indexterm" name="id2597569"></a>
1733	A far better solution is to use the <em class="parameter"><code>valid users</code></em> by specifying
1734	precisely the domain users and groups that should be permitted access to the shares. You could,
1735	for example, set the following parameters:
1736	</p><pre class="screen">
1737	[demoshare]
1738	path = /export/demodata
1739	valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"
1740	</pre><p>
1741	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597598"></a><a name="id2597600"></a></td><td align="left" valign="top"><p>
1742	What are the benefits of using LDAP for my domain member servers?
1743	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597611"></a><a class="indexterm" name="id2597619"></a><a class="indexterm" name="id2597627"></a><a class="indexterm" name="id2597634"></a><a class="indexterm" name="id2597642"></a><a class="indexterm" name="id2597650"></a><a class="indexterm" name="id2597658"></a><a class="indexterm" name="id2597666"></a><a class="indexterm" name="id2597674"></a>
1744	The key benefit of using LDAP is that the UID of all users and the GID of all groups
1745	are globally consistent on domain controllers as well as on domain member servers.
1746	This means that it is possible to copy/replicate files across servers without
1747	loss of identity.
1748	</p><p><a class="indexterm" name="id2597690"></a><a class="indexterm" name="id2597698"></a><a class="indexterm" name="id2597705"></a><a class="indexterm" name="id2597713"></a><a class="indexterm" name="id2597721"></a><a class="indexterm" name="id2597729"></a><a class="indexterm" name="id2597741"></a><a class="indexterm" name="id2597749"></a>
1749	When use is made of account identity resolution via winbind, even when an IDMAP backend
1750	is stored in LDAP, the UID/GID on domain member servers is consistent, but differs
1751	from the ID that the user/group has on domain controllers. The winbind allocated UID/GID
1752	that is stored in LDAP (or locally) will be in the numeric range specified in the <em class="parameter"><code>
1753	idmap uid/gid</code></em> in the <code class="filename">smb.conf</code> file. On domain controllers, the UID/GID is
1754	that of the POSIX value assigned in the LDAP directory as part of the POSIX account information.
1755	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597781"></a><a name="id2597783"></a></td><td align="left" valign="top"><p>
1756	Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
1757	my DNS configuration?
1758	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597795"></a><a class="indexterm" name="id2597806"></a><a class="indexterm" name="id2597817"></a><a class="indexterm" name="id2597825"></a><a class="indexterm" name="id2597833"></a><a class="indexterm" name="id2597841"></a><a class="indexterm" name="id2597849"></a>
1759	Samba depends on correctly functioning resolution of hostnames to their IP address. Samba
1760	makes no direct DNS lookup calls, but rather redirects all name-to-address calls via the
1761	<code class="literal">getXXXbyXXX()</code> function calls. The configuration of the <code class="constant">hosts</code>
1762	entry in the NSS <code class="filename">/etc/nsswitch.conf</code> file determines how the underlying
1763	resolution process is implemented. If the <code class="constant">hosts</code> entry in your NSS
1764	control file says:
1765	</p><pre class="screen">
1766	hosts: files dns wins
1767	</pre><p>
1768	this means that a hostname lookup first tries the <code class="filename">/etc/hosts</code>.
1769	If this fails to resolve, it attempts a DNS lookup, and if that fails, it tries a
1770	WINS lookup.
1771	</p><p><a class="indexterm" name="id2597903"></a><a class="indexterm" name="id2597911"></a><a class="indexterm" name="id2597919"></a>
1772	The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has
1773	been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS
1774	is the preferred name resolution technology. This usually makes most sense when Samba
1775	is a client of an Active Directory domain, where NetBIOS use has been disabled. In this
1776	case, the Windows 200x autoregisters all locator records it needs with its own DNS
1777	server or servers.
1778	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597939"></a><a name="id2597941"></a></td><td align="left" valign="top"><p>
1779	Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we
1780	use Samba-3 with that configuration?
1781	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1782	Yes.
1783	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597958"></a><a name="id2597960"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2597963"></a><a class="indexterm" name="id2597977"></a>
1784	When I tried to execute net ads join, I got no output. It did not work, so
1785	I think that it failed. I then executed net rpc join and that worked fine.
1786	That is okay, isn't it?
1787	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2598001"></a><a class="indexterm" name="id2598009"></a>
1788	No. This is not okay. It means that your Samba-3 client has joined the ADS domain as
1789	a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.
1790	</p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Domain Members, Updating Samba and Migration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. Updating Samba-3</td></tr></table></div></body></html>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: