Re: [Samba] PAM, PDC and Winbind

2003-01-09 Thread Diego Rivera
Here are my configs for RedHat 7.2.

I also have them for Mandrake 8.2.

If you want, read them and we can later discuss portions you don't
understand.  There's a bunch of howtos out there on doing this.

Look for:

Samba+LDAP-Howto:
(Samba docs)

Winbind-Howto:
(Samba docs)

LDAP-Auth-Howto
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html
There may (likely, are) others, but this is one off the top of my head.

PAM-Docs

It works like this:

1) Configure your Linux to do LDAP authentication (using nss_ldap,
pam_ldap from http://www.padl.com).  Configuration files
(/etc/ldap.conf) are enclosed.

2) Configure Samba (at compile time) to have LDAPSAM backend, to use PAM
for password synchronization, and "unix password sync = yes", "pam
password change = yes" in smb.conf.

3) Configure Samba to share the user database with the Linux user
database.  This achieves storing user information in the same LDAP
record for both Samba stuff and Linux (posix) stuff.

4) Configure Samba as a PDC.

5) Set up the PAM module config for samba to do password changes using
all necessary modules EXCEPT the Samba modules (obviously, since samba
itself would take care of this).

6) Set up the regular password change mechanisms (non-samba) to synch
with all the necessary modules, including the samba module.

7) Set up SSL certificates as necessary.

8) Gloat to your friends about your setup!  ;)

Key files to look at:

init.ldif   -> Used to initialize the LDAP tree (if not already done)
etc/ldap.conf
etc/nsswitch.conf
etc/smb-{pdc,client}.conf
etc/openldap/slapd.conf
etc/pam.d/password
etc/pam.d/samba
etc/pam.d/system-auth-{pdc,client}

This is a "cookie-cutter" config, and I'm very interested to see if you
can succeed in using it as such.  I have done no documentation on it, so
I'm very interested in your feedback to see what needs to be fixed, or
addressed.

The end result for me has been: Only one password per user for any
service, and password changes in one environment affect all others (some
concurrency limitations from my previous post apply).

Notes on client Linux machines: Winbind requires your machine to be
joined into a domain, so it's important you understand how to do that
(smbpasswd -j), and configure Samba for clients.  A file called
"smb-client.conf" is included for this purpose.  Feel free to use it as
a guideline.  For PDC, a file called "smb-pdc.conf" is also included.

Please don't pass these around just yet, as I want to get feedback
before I post these on a website accompanied by a HOWTO.

I used:

Samba 2.2.7
OpenLDAP 2.0.25
nss_ldap-202
pam_ldap-153

Best

Diego

PS/ One detail - the PAM configurations need to be optimized to provide
full failover, and other safety precautions.  Right now, it's very
basic, but it should allow you to: change passwords directly from
windows using the "Change Password" command, change passwords from the
Linux PDC using "passwd", change password from other linux clients using
"passwd" as well, and any other common password-change mechanisms from
Linux.



Attachment: redhat-distr-auth.tar.gz


Re: [Samba] PAM, PDC and Winbind

2002-12-31 Thread Andrew Bartlett
On Mon, 2002-12-16 at 07:56, Diego Rivera wrote:
> Hello all,
> 
> I currently have the following setup working nicely:
> 
> A Samba PDC, with LDAP-SAM, syncs passwords between LDAP and Samba (and
> /etc/shadow when appropriate) correctly - either when changing them
> through Samba (samba has PAM support enabled and working) or through
> normal Unix mechanisms (/usr/bin/passwd, using pam_smbpass, pam_ldap,
> etc.).
> 
> Several other Linux machines, running Samba, using winbind/pam_winbind
> (NOT nss_winbind), and nss_ldap to authenticate against the PDC.
> 
> Using pam_winbind to sync passwords allows me to exploit the fact that
> the Samba processes in the PDC do sync the LDAP and Samba passwords
> for me.  Avoiding nss_winbind allows me to conserve the userids stored
> in LDAP and reuse them throughout the network, without suffering from
> the winbind limitation of the "first-come, first-served" userid
> assignment.  Windows machines do not, of course, suffer from this.
> 
> Basically, Samba is just the auth/password change mechanism for my
> client machines (local unix passwords are also affected when
> appropriate).
> 
> My dilemma is with my PDC's configuration: I currently use pam_smbpass
> to do the synching of Samba passwords when the password change occurs
> external to Samba.  I don't particularly like this - I'd rather use
> something like pam_winbind to do my password changes *through* samba as
> opposed to parallel to it.
> 
> However, I've had no success in getting winbind to do this while running
> on the PDC (although I could join the machine to its own domain - some
> trickery there; and get wbinfo to display the correct list of users and
> groups - which means that winbind is attaching itself to the PDC
> correctly).  It won't, however, do password authentication and changes
> correctly.
> 
> Any ideas? Advice? 

Yes, this all works - I use exactly this setup.  What you need to do is
set 'winbind use default domain', so that pam_winbind uses the 'right'
usernames etc.  (ie, they don't need a domain\ prefix)

This requires Samba 3.0 to operate correctly - the 2.2 implementation is
an artifact of a code merge, and is not complete.  Also look at the 'ldap
password change' option in 3.0 - it might work better than the 'unix
password sync' stuff.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
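The PDC-side settings from Diego's steps 2 to 4 and Andrew's 'winbind use default domain' advice, as an added example that is not the configs attached to this thread: a constructed smb.conf for the PDC next to a copy with the PAM path switched off, and a small checker that flags the settings whose absence would break the one-password sync chain. Option names are the standard Samba 3.0 ones (assumption: `passdb backend`, `domain logons`, `winbind use default domain`); the host, workgroup and DNs are made up.

```python
import re

# Constructed sample PDC smb.conf, in the spirit of the thread's smb-pdc.conf.
# Option names follow Samba 3.0 (the 2.2 LDAP options were compile-time flags).
PDC_CONF = """
[global]
    workgroup = EXAMPLE
    domain logons = yes
    passdb backend = ldapsam:ldap://ldap.example.internal
    ldap suffix = dc=example,dc=internal
    ldap admin dn = cn=Manager,dc=example,dc=internal
    unix password sync = yes
    pam password change = yes
    winbind use default domain = yes
"""
# Same file with the PAM path off: a Windows "Change Password" would update the
# SAM but skip the PAM stack that keeps /etc/shadow and LDAP in step.
WEAK_CONF = PDC_CONF.replace("pam password change = yes", "pam password change = no")
# The settings the thread relies on for one password everywhere.
REQUIRED = {
    "domain logons": "yes",
    "unix password sync": "yes",
    "pam password change": "yes",
    "winbind use default domain": "yes",  # Andrew's fix for pam_winbind names
}

def parse_smb_conf(text):
    """Return {section: {option: value}}; keys lower-cased and whitespace-normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[current][" ".join(key.lower().split())] = val
    return sections

def check_pdc(text):
    """Return the settings that would break the thread's password-sync chain."""
    g = parse_smb_conf(text).get("global", {})
    problems = [f"{k} should be {v} (is {g.get(k, 'unset')})"
                for k, v in REQUIRED.items() if g.get(k, "").lower() != v]
    if not g.get("passdb backend", "").startswith("ldapsam"):
        problems.append("passdb backend is not ldapsam")
    return problems
```

Run `check_pdc` over each client's smb-client.conf as well; on a client only `winbind use default domain` matters, so expect the other findings there.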





[Samba] PAM, PDC and Winbind

2002-12-15 Thread Diego Rivera
Hello all,

I currently have the following setup working nicely:

A Samba PDC, with LDAP-SAM, syncs passwords between LDAP and Samba (and
/etc/shadow when appropriate) correctly - either when changing them
through Samba (samba has PAM support enabled and working) or through
normal Unix mechanisms (/usr/bin/passwd, using pam_smbpass, pam_ldap,
etc.).

Several other Linux machines, running Samba, using winbind/pam_winbind
(NOT nss_winbind), and nss_ldap to authenticate against the PDC.

Using pam_winbind to sync passwords allows me to exploit the fact that
the Samba processes in the PDC do sync the LDAP and Samba passwords
for me.  Avoiding nss_winbind allows me to conserve the userids stored
in LDAP and reuse them throughout the network, without suffering from
the winbind limitation of the "first-come, first-served" userid
assignment.  Windows machines do not, of course, suffer from this.

Basically, Samba is just the auth/password change mechanism for my
client machines (local unix passwords are also affected when
appropriate).

My dilemma is with my PDC's configuration: I currently use pam_smbpass
to do the synching of Samba passwords when the password change occurs
external to Samba.  I don't particularly like this - I'd rather use
something like pam_winbind to do my password changes *through* samba as
opposed to parallel to it.

However, I've had no success in getting winbind to do this while running
on the PDC (although I could join the machine to its own domain - some
trickery there; and get wbinfo to display the correct list of users and
groups - which means that winbind is attaching itself to the PDC
correctly).  It won't, however, do password authentication and changes
correctly.

Any ideas? Advice? 

I had run into pam_smb (pam_domain? pam_ntdom?) earlier, which
supposedly could do this for me, but IIRC it wasn't being maintained,
and it was pretty buggy.

Best

Diego

PS/ If you want a copy of my configs, let me know and I'll e-mail them to
you directly.
