mistofeles wrote:
We have a small Ubuntu 9.10 file server in a large Win 2003/2008 domain.
There is no X nor web browser in the server.
I have rights to join machines to the domain, but I'm not an Administrator.
There are about 10 users in this server, who want to authenticate with domain
passwords when they mount their home directories to WindowsXP workstations.
The ssh passwords should be local and separated from domain passwords.
The server should not try to play any master roles.
Just deliver directories to windows.
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2560147
ADS server type will allow domain authentication for samba directories
We have tried this for about a month and gone through many books, web pages
and forums.
You will need Samba which provides winbindd, sasl, openldap, kerberos.
Samba should be configured with ads, acl, ldap, kerberos, pam, winbind
options if you are building from source.
I would configure it with the following options for optimum scalability:
kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline, winbind,
ads, async, automount, doc, examples, fam, quotas, selinux, swat, syslog.
In gentoo linux the following will give you everything you need:
%> USE="kerberos acl caps cups ipv6 ldap pam python readline winbind ads async \
automount doc examples fam quotas selinux swat syslog" \
emerge mit-krb5 pam_krb5 pam_ldap openldap nss_ldap openssl cyrus-sasl \
ntp samba -va
After reading Samba documentation we don't even understand what programs we
need. In some documents we are told to use PAM, LDAP, krb or winbind. In
some documents you are advised NOT to use this if you are using that. It is
total chaos.
Is there any example of a working case like this ?
Is there any script which takes care of the configuration ?
Here are a few configuration file examples to get you going:
/etc/krb5.conf
========
[libdefaults]
default_realm = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = 192.168.xxx.xxx
}
[domain_realm]
.domain.com = DOMAIN.COM
[logging]
default = FILE:/var/log/krb5.log
[appdefaults]
pam = {
ticket_lifetime = 365d
renew_lifetime = 365d
forwardable = true
proxiable = false
retain_after_close = true
minimum_uid = 0
}
=========
/etc/nsswitch.conf
=========
passwd: compat winbind
shadow: compat
group: compat winbind
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns wins
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
==========
/etc/samba/smb.conf
Change anything with DOMAIN.COM to match your own domain
==========
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = servername.domain.com
netbios name = servername
password server = *
encrypt passwords = true
security = ads
lanman auth = no
ntlm auth = no
os level = 20
allow trusted domains = yes
auth methods = winbind
interfaces = eth0, lo
bind interfaces only = yes
socket options = TCP_NODELAY
# add more subnets if needed
hosts allow = 192.168.xxx.xxx/24
hosts deny = 0.0.0.0/0
log level = 40
log file = /var/log/samba/log.%m
max log size = 50
client signing = yes
client schannel = no
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = yes
client plaintext auth = no
preferred master = no
local master = no
domain master = no
wins proxy = no
dns proxy = No
obey pam restrictions = yes
template shell = /bin/bash
nt acl support = yes
inherit permissions = yes
create mask = 0022
template homedir = /home/Authenticated Users/%U
winbind uid = 1000-2000000
winbind gid = 500-2000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind offline logon = true
winbind nss info = rfc2307
idmap uid = 1000-2000000
idmap gid = 500-2000000
idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1000 - 300000000
[classes]
comment = Class software
browsable = yes
writeable = no
create mask = 0022
force create mode = 0022
directory mask = 0022
force directory mode = 0022
inherit permissions = yes
path = /path/to/share
[staff]
comment = Staff folders
browsable = yes
writeable = yes
create mask = 0022
force create mode = 0022
directory mask = 0022
force directory mode = 0022
inherit permissions = yes
valid users = @DOMAIN+GroupName
path = /path/to/another/share
===========
/etc/pam.d/system-auth
===========
#%PAM-1.0
auth required pam_mount.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_krb5.so ignore_root
account sufficient pam_winbind.so
password optional pam_krb5.so
password required pam_mount.so use_authtok
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
session required pam_limits.so
session required pam_unix.so
session optional pam_mount.so use_authtok
session optional pam_krb5.so
I hope that helps. Also if you look at the pam configuration above you
will see some of the best pam modules to install with the Ubuntu package manager.
--
Jas
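Added example, not from Jas's post or from the Samba project: a small Python checker for the krb5.conf and smb.conf pair shown above. It parses both files and reports the inconsistencies that most often break an ADS member server: a [realms] entry that does not match default_realm, a misspelled krb5.conf section name (MIT Kerberos ignores unknown sections silently, so logging just never happens), `idmap domains` or `idmap config` entries naming a domain other than the workgroup, and id ranges that start below the usual local-account range. The two sample configs inside are constructed from the shapes posted above, with the realm and section-name slips left in on purpose; the section list KNOWN_KRB5_SECTIONS and the 1000 UID floor are assumptions of this example.

```python
"""Consistency checks for the krb5.conf / smb.conf pair of an ADS member server."""
import re

# Constructed sample: the posted krb5.conf, keeping the [realms] name that does
# not match default_realm and the misspelled [loggin] section for the checker to find.
KRB5_SAMPLE = """\
[libdefaults]
default_realm = DOMAIN.COM
[realms]
UTAH.EDU = {
kdc = 192.168.1.1
}
[domain_realm]
.domain.com = DOMAIN.COM
[loggin]
default = FILE:/var/log/krb5.log
"""

# Constructed sample: the [global] section of the posted smb.conf, trimmed to the keys checked.
SMB_SAMPLE = """\
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
lanman auth = no
client plaintext auth = no
idmap domains = SCL
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 1000 - 300000000
winbind uid = 1000-2000000
"""

# Assumption: the krb5.conf section names this checker treats as valid.
KNOWN_KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging",
                       "appdefaults", "capaths", "plugins", "dbmodules", "kdc"}
LOCAL_UID_FLOOR = 1000  # assumption: ids below this belong to local system accounts


def parse_ini(text):
    """Parse '[section]' / 'key = value' lines into {section: {key: value}}.
    krb5.conf's 'NAME = {' sub-blocks become nested dicts keyed by NAME (case kept);
    plain keys are lower-cased so smb.conf lookups are case-insensitive."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # both files use # for comments
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1).strip(), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key.lower()] = value
    return sections


def parse_range(value):
    """'1000-2000000' or '1000 - 300000000' -> (1000, 2000000)."""
    lo, hi = (int(p) for p in re.split(r"\s*-\s*", value.strip()))
    return lo, hi


def check_pair(krb5_text, smb_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    krb5, smb = parse_ini(krb5_text), parse_ini(smb_text)
    g = smb.get("global", {})
    realm = g.get("realm", "").upper()
    workgroup = g.get("workgroup", "").lower()
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "").upper()

    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: security must be 'ads' for domain authentication")
    if realm != default_realm:
        findings.append(f"realm mismatch: smb.conf realm={realm!r}, krb5 default_realm={default_realm!r}")
    if default_realm and default_realm not in krb5.get("realms", {}):
        findings.append(f"krb5.conf: no [realms] entry for {default_realm}")
    for section in krb5:
        if section not in KNOWN_KRB5_SECTIONS:
            findings.append(f"krb5.conf: unknown section [{section}] will be silently ignored")
    for key in ("lanman auth", "client plaintext auth"):
        if g.get(key, "").lower() not in ("no", "false", "0"):
            findings.append(f"smb.conf: '{key}' should be explicitly 'no'")
    # 'idmap domains' is an older parameter; only checked for consistency when present.
    if "idmap domains" in g and g["idmap domains"].lower() != workgroup:
        findings.append(f"smb.conf: idmap domains={g['idmap domains']!r} does not match workgroup")
    prefixes = {k.split()[2].split(":")[0] for k in g if k.startswith("idmap config ")}
    for dom in prefixes - {workgroup}:
        findings.append(f"smb.conf: idmap config entries for {dom!r} but workgroup is {workgroup!r}")
    if not prefixes:
        findings.append("smb.conf: no 'idmap config <DOMAIN>:...' lines, winbind cannot map SIDs")
    for key in ("winbind uid", f"idmap config {workgroup}:range"):
        if key in g and parse_range(g[key])[0] < LOCAL_UID_FLOOR:
            findings.append(f"smb.conf: {key} starts below {LOCAL_UID_FLOOR}, overlapping local accounts")
    return findings


if __name__ == "__main__":
    for finding in check_pair(KRB5_SAMPLE, SMB_SAMPLE):
        print(finding)
```

Run against the samples it prints three findings (the missing DOMAIN.COM realm entry, the ignored [loggin] section, and the idmap domains mismatch); point it at real files with `check_pair(open("/etc/krb5.conf").read(), open("/etc/samba/smb.conf").read())` before running `net ads join`, since all three slips produce confusing "cannot find KDC" or "unmapped SID" errors rather than a parse error.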