6 <firstname>Tim</firstname><surname>Potter</surname>
8 <orgname>Samba Team</orgname>
9 <address><email>tpot@linuxcare.com.au</email></address>
13 <firstname>Andrew</firstname><surname>Trigdell</surname>
15 <orgname>Samba Team</orgname>
16 <address><email>tridge@linuxcare.com.au</email></address>
20 <firstname>John</firstname><surname>Trostel</surname>
22 <orgname>Snapserver</orgname>
23 <address><email>jtrostel@snapserver.com</email></address>
27 <firstname>Naag</firstname><surname>Mummaneni</surname>
29 <address><email>getnag@rediffmail.com</email></address>
33 <firstname>Jelmer</firstname><surname>Vernooij</surname>
35 <address><email>jelmer@nl.linux.org</email></address>
38 <pubdate>27 June 2002</pubdate>
41 <title>Unified Logons between Windows NT and UNIX using Winbind</title>
44 <title>Abstract</title>
46 <para>Integration of UNIX and Microsoft Windows NT through
47 a unified logon has been considered a "holy grail" in heterogeneous
48 computing environments for a long time. We present
49 <emphasis>winbind</emphasis>, a component of the Samba suite
50 of programs as a solution to the unified logon problem. Winbind
51 uses a UNIX implementation
52 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
53 Service Switch to allow Windows NT domain users to appear and operate
54 as UNIX users on a UNIX machine. This paper describes the winbind
55 system, explaining the functionality it provides, how it is configured,
56 and how it works internally.</para>
61 <title>Introduction</title>
63 <para>It is well known that UNIX and Microsoft Windows NT have
64 different models for representing user and group information and
65 use different technologies for implementing them. This fact has
66 made it difficult to integrate the two systems in a satisfactory
69 <para>One common solution in use today has been to create
70 identically named user accounts on both the UNIX and Windows systems
71 and use the Samba suite of programs to provide file and print services
72 between the two. This solution is far from perfect however, as
73 adding and deleting users on both sets of machines becomes a chore
74 and two sets of passwords are required both of which
75 can lead to synchronization problems between the UNIX and Windows
76 systems and confusion for users.</para>
78 <para>We divide the unified logon problem for UNIX machines into
79 three smaller problems:</para>
82 <listitem><para>Obtaining Windows NT user and group information
85 <listitem><para>Authenticating Windows NT users
88 <listitem><para>Password changing for Windows NT users
93 <para>Ideally, a prospective solution to the unified logon problem
94 would satisfy all the above components without duplication of
95 information on the UNIX machines and without creating additional
96 tasks for the system administrator when maintaining users and
97 groups on either system. The winbind system provides a simple
98 and elegant solution to all three components of the unified logon
104 <title>What Winbind Provides</title>
106 <para>Winbind unifies UNIX and Windows NT account management by
107 allowing a UNIX box to become a full member of a NT domain. Once
108 this is done the UNIX box will see NT users and groups as if
109 they were native UNIX users and groups, allowing the NT domain
110 to be used in much the same manner that NIS+ is used within
111 UNIX-only environments.</para>
113 <para>The end result is that whenever any
114 program on the UNIX machine asks the operating system to lookup
115 a user or group name, the query will be resolved by asking the
116 NT domain controller for the specified domain to do the lookup.
117 Because Winbind hooks into the operating system at a low level
118 (via the NSS name resolution modules in the C library) this
119 redirection to the NT domain controller is completely
122 <para>Users on the UNIX machine can then use NT user and group
123 names as they would use "native" UNIX names. They can chown files
124 so that they are owned by NT domain users or even login to the
125 UNIX machine and run a UNIX X-Window session as a domain user.</para>
127 <para>The only obvious indication that Winbind is being used is
128 that user and group names take the form DOMAIN\user and
129 DOMAIN\group. This is necessary as it allows Winbind to determine
130 that redirection to a domain controller is wanted for a particular
131 lookup and which trusted domain is being referenced.</para>
133 <para>Additionally, Winbind provides an authentication service
134 that hooks into the Pluggable Authentication Modules (PAM) system
135 to provide authentication via a NT domain to any PAM enabled
136 applications. This capability solves the problem of synchronizing
137 passwords between systems since all passwords are stored in a single
138 location (on the domain controller).</para>
141 <title>Target Uses</title>
143 <para>Winbind is targeted at organizations that have an
144 existing NT based domain infrastructure into which they wish
145 to put UNIX workstations or servers. Winbind will allow these
146 organizations to deploy UNIX workstations without having to
147 maintain a separate account infrastructure. This greatly
148 simplifies the administrative overhead of deploying UNIX
149 workstations into a NT based organization.</para>
151 <para>Another interesting way in which we expect Winbind to
152 be used is as a central part of UNIX based appliances. Appliances
153 that provide file and print services to Microsoft based networks
154 will be able to use Winbind to provide seamless integration of
155 the appliance into the domain.</para>
162 <title>How Winbind Works</title>
164 <para>The winbind system is designed around a client/server
165 architecture. A long running <command>winbindd</command> daemon
166 listens on a UNIX domain socket waiting for requests
167 to arrive. These requests are generated by the NSS and PAM
168 clients and processed sequentially.</para>
170 <para>The technologies used to implement winbind are described
171 in detail below.</para>
174 <title>Microsoft Remote Procedure Calls</title>
176 <para>Over the last two years, efforts have been underway
177 by various Samba Team members to decode various aspects of
178 the Microsoft Remote Procedure Call (MSRPC) system. This
179 system is used for most network related operations between
180 Windows NT machines including remote management, user authentication
181 and print spooling. Although initially this work was done
182 to aid the implementation of Primary Domain Controller (PDC)
183 functionality in Samba, it has also yielded a body of code which
184 can be used for other purposes.</para>
186 <para>Winbind uses various MSRPC calls to enumerate domain users
187 and groups and to obtain detailed information about individual
188 users or groups. Other MSRPC calls can be used to authenticate
189 NT domain users and to change user passwords. By directly querying
190 a Windows PDC for user and group information, winbind maps the
191 NT account information onto UNIX user and group names.</para>
195 <title>Name Service Switch</title>
197 <para>The Name Service Switch, or NSS, is a feature that is
198 present in many UNIX operating systems. It allows system
199 information such as hostnames, mail aliases and user information
200 to be resolved from different sources. For example, a standalone
201 UNIX workstation may resolve system information from a series of
202 flat files stored on the local filesystem. A networked workstation
203 may first attempt to resolve system information from local files,
204 and then consult a NIS database for user information or a DNS server
205 for hostname information.</para>
207 <para>The NSS application programming interface allows winbind
208 to present itself as a source of system information when
209 resolving UNIX usernames and groups. Winbind uses this interface,
210 and information obtained from a Windows NT server using MSRPC
211 calls to provide a new source of account enumeration. Using standard
212 UNIX library calls, one can enumerate the users and groups on
213 a UNIX machine running winbind and see all users and groups in
214 a NT domain plus any trusted domain as though they were local
215 users and groups.</para>
217 <para>The primary control file for NSS is
218 <filename>/etc/nsswitch.conf</filename>.
219 When a UNIX application makes a request to do a lookup
220 the C library looks in <filename>/etc/nsswitch.conf</filename>
221 for a line which matches the service type being requested, for
222 example the "passwd" service type is used when user or group names
223 are looked up. This config line species which implementations
224 of that service should be tried and in what order. If the passwd
225 config line is:</para>
227 <para><command>passwd: files example</command></para>
229 <para>then the C library will first load a module called
230 <filename>/lib/libnss_files.so</filename> followed by
231 the module <filename>/lib/libnss_example.so</filename>. The
232 C library will dynamically load each of these modules in turn
233 and call resolver functions within the modules to try to resolve
234 the request. Once the request is resolved the C library returns the
235 result to the application.</para>
237 <para>This NSS interface provides a very easy way for Winbind
238 to hook into the operating system. All that needs to be done
239 is to put <filename>libnss_winbind.so</filename> in <filename>/lib/</filename>
240 then add "winbind" into <filename>/etc/nsswitch.conf</filename> at
241 the appropriate place. The C library will then call Winbind to
242 resolve user and group names.</para>
246 <title>Pluggable Authentication Modules</title>
248 <para>Pluggable Authentication Modules, also known as PAM,
249 is a system for abstracting authentication and authorization
250 technologies. With a PAM module it is possible to specify different
251 authentication methods for different system applications without
252 having to recompile these applications. PAM is also useful
253 for implementing a particular policy for authorization. For example,
254 a system administrator may only allow console logins from users
255 stored in the local password file but only allow users resolved from
256 a NIS database to log in over the network.</para>
258 <para>Winbind uses the authentication management and password
259 management PAM interface to integrate Windows NT users into a
260 UNIX system. This allows Windows NT users to log in to a UNIX
261 machine and be authenticated against a suitable Primary Domain
262 Controller. These users can also change their passwords and have
263 this change take effect directly on the Primary Domain Controller.
266 <para>PAM is configured by providing control files in the directory
267 <filename>/etc/pam.d/</filename> for each of the services that
268 require authentication. When an authentication request is made
269 by an application the PAM code in the C library looks up this
270 control file to determine what modules to load to do the
271 authentication check and in what order. This interface makes adding
272 a new authentication service for Winbind very easy, all that needs
273 to be done is that the <filename>pam_winbind.so</filename> module
274 is copied to <filename>/lib/security/</filename> and the PAM
275 control files for relevant services are updated to allow
276 authentication via winbind. See the PAM documentation
277 for more details.</para>
282 <title>User and Group ID Allocation</title>
284 <para>When a user or group is created under Windows NT
285 is it allocated a numerical relative identifier (RID). This is
286 slightly different to UNIX which has a range of numbers that are
287 used to identify users, and the same range in which to identify
288 groups. It is winbind's job to convert RIDs to UNIX id numbers and
289 vice versa. When winbind is configured it is given part of the UNIX
290 user id space and a part of the UNIX group id space in which to
291 store Windows NT users and groups. If a Windows NT user is
292 resolved for the first time, it is allocated the next UNIX id from
293 the range. The same process applies for Windows NT groups. Over
294 time, winbind will have mapped all Windows NT users and groups
295 to UNIX user ids and group ids.</para>
297 <para>The results of this mapping are stored persistently in
298 an ID mapping database held in a tdb database). This ensures that
299 RIDs are mapped to UNIX IDs in a consistent way.</para>
304 <title>Result Caching</title>
306 <para>An active system can generate a lot of user and group
307 name lookups. To reduce the network cost of these lookups winbind
308 uses a caching scheme based on the SAM sequence number supplied
309 by NT domain controllers. User or group information returned
310 by a PDC is cached by winbind along with a sequence number also
311 returned by the PDC. This sequence number is incremented by
312 Windows NT whenever any user or group information is modified. If
313 a cached entry has expired, the sequence number is requested from
314 the PDC and compared against the sequence number of the cached entry.
315 If the sequence numbers do not match, then the cached information
316 is discarded and up to date information is requested directly
323 <title>Installation and Configuration</title>
326 Many thanks to John Trostel <ulink
327 url="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</ulink>
328 for providing the HOWTO for this section.
332 This HOWTO describes how to get winbind services up and running
333 to control access and authenticate users on your Linux box using
334 the winbind services which come with SAMBA 2.2.2.
338 There is also some Solaris specific information in
339 <filename>docs/textdocs/Solaris-Winbind-HOWTO.txt</filename>.
340 Future revisions of this document will incorporate that
347 <title>Introduction</title>
350 This HOWTO describes the procedures used to get winbind up and
351 running on my RedHat 7.1 system. Winbind is capable of providing access
352 and authentication control for Windows Domain users through an NT
353 or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
354 well for SAMBA services.
358 This HOWTO has been written from a 'RedHat-centric' perspective, so if
359 you are using another distribution, you may have to modify the instructions
360 somewhat to fit the way your distribution works.
367 <emphasis>Why should I to this?</emphasis>
370 <para>This allows the SAMBA administrator to rely on the
371 authentication mechanisms on the NT/Win2K PDC for the authentication
372 of domain members. NT/Win2K users no longer need to have separate
373 accounts on the SAMBA server.
379 <emphasis>Who should be reading this document?</emphasis>
383 This HOWTO is designed for system administrators. If you are
384 implementing SAMBA on a file server and wish to (fairly easily)
385 integrate existing NT/Win2K users from your PDC onto the
386 SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
387 expert, so you may find a better or easier way to accomplish
396 <title>Requirements</title>
399 If you have a samba configuration file that you are currently
400 using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM,
401 <emphasis>back up the <filename>/etc/pam.d</filename> directory
402 contents!</emphasis> If you haven't already made a boot disk,
403 <emphasis>MAKE ONE NOW!</emphasis>
407 Messing with the pam configuration files can make it nearly impossible
408 to log in to yourmachine. That's why you want to be able to boot back
409 into your machine in single user mode and restore your
410 <filename>/etc/pam.d</filename> back to the original state they were in if
411 you get frustrated with the way things are going. ;-)
415 The latest version of SAMBA (version 2.2.2 as of this writing), now
416 includes a functioning winbindd daemon. Please refer to the
417 <ulink url="http://samba.org/">main SAMBA web page</ulink> or,
418 better yet, your closest SAMBA mirror site for instructions on
419 downloading the source code.
423 To allow Domain users the ability to access SAMBA shares and
424 files, as well as potentially other services provided by your
425 SAMBA machine, PAM (pluggable authentication modules) must
426 be setup properly on your machine. In order to compile the
427 winbind modules, you should have at least the pam libraries resident
428 on your system. For recent RedHat systems (7.1, for instance), that
429 means <filename>pam-0.74-22</filename>. For best results, it is helpful to also
430 install the development packages in <filename>pam-devel-0.74-22</filename>.
437 <title>Testing Things Out</title>
440 Before starting, it is probably best to kill off all the SAMBA
441 related daemons running on your server. Kill off all <command>smbd</command>,
442 <command>nmbd</command>, and <command>winbindd</command> processes that may
443 be running. To use PAM, you will want to make sure that you have the
444 standard PAM package (for RedHat) which supplies the <filename>/etc/pam.d</filename>
445 directory structure, including the pam modules are used by pam-aware
446 services, several pam libraries, and the <filename>/usr/doc</filename>
447 and <filename>/usr/man</filename> entries for pam. Winbind built better
448 in SAMBA if the pam-devel package was also installed. This package includes
449 the header files needed to compile pam-aware applications. For instance,
450 my RedHat system has both <filename>pam-0.74-22</filename> and
451 <filename>pam-devel-0.74-22</filename> RPMs installed.
455 <title>Configure and compile SAMBA</title>
458 The configuration and compilation of SAMBA is pretty straightforward.
459 The first three steps may not be necessary depending upon
460 whether or not you have previously built the Samba binaries.
463 <para><programlisting>
464 <prompt>root#</prompt> <command>autoconf</command>
465 <prompt>root#</prompt> <command>make clean</command>
466 <prompt>root#</prompt> <command>rm config.cache</command>
467 <prompt>root#</prompt> <command>./configure --with-winbind</command>
468 <prompt>root#</prompt> <command>make</command>
469 <prompt>root#</prompt> <command>make install</command>
470 </programlisting></para>
474 This will, by default, install SAMBA in <filename>/usr/local/samba</filename>.
475 See the main SAMBA documentation if you want to install SAMBA somewhere else.
476 It will also build the winbindd executable and libraries.
482 <title>Configure <filename>nsswitch.conf</filename> and the
483 winbind libraries</title>
486 The libraries needed to run the <command>winbindd</command> daemon
487 through nsswitch need to be copied to their proper locations, so
491 <prompt>root#</prompt> <command>cp ../samba/source/nsswitch/libnss_winbind.so /lib</command>
495 I also found it necessary to make the following symbolic link:
499 <prompt>root#</prompt> <command>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</command>
502 <para>And, in the case of Sun solaris:</para>
504 <prompt>root#</prompt> <command>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</command>
505 <prompt>root#</prompt> <command>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</command>
506 <prompt>root#</prompt> <command>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</command>
510 Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
511 allow user and group entries to be visible from the <command>winbindd</command>
512 daemon. My <filename>/etc/nsswitch.conf</filename> file look like
516 <para><programlisting>
517 passwd: files winbind
520 </programlisting></para>
523 The libraries needed by the winbind daemon will be automatically
524 entered into the <command>ldconfig</command> cache the next time
525 your system reboots, but it
526 is faster (and you don't need to reboot) if you do it manually:
530 <prompt>root#</prompt> <command>/sbin/ldconfig -v | grep winbind</command>
534 This makes <filename>libnss_winbind</filename> available to winbindd
535 and echos back a check to you.
542 <title>Configure smb.conf</title>
545 Several parameters are needed in the smb.conf file to control
546 the behavior of <command>winbindd</command>. Configure
547 <filename>smb.conf</filename> These are described in more detail in
548 the <ulink url="winbindd.8.html">winbindd(8)</ulink> man page. My
549 <filename>smb.conf</filename> file was modified to
550 include the following entries in the [global] section:
553 <para><programlisting>
556 # separate domain and username with '+', like DOMAIN+username
557 <ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = +
558 # use uids from 10000 to 20000 for domain users
559 <ulink url="winbindd.8.html#WINBINDUID">winbind uid</ulink> = 10000-20000
560 # use gids from 10000 to 20000 for domain groups
561 <ulink url="winbindd.8.html#WINBINDGID">winbind gid</ulink> = 10000-20000
562 # allow enumeration of winbind users and groups
563 <ulink url="winbindd.8.html#WINBINDENUMUSERS">winbind enum users</ulink> = yes
564 <ulink url="winbindd.8.html#WINBINDENUMGROUP">winbind enum groups</ulink> = yes
565 # give winbind users a real shell (only needed if they have telnet access)
566 <ulink url="winbindd.8.html#TEMPLATEHOMEDIR">template homedir</ulink> = /home/winnt/%D/%U
567 <ulink url="winbindd.8.html#TEMPLATESHELL">template shell</ulink> = /bin/bash
568 </programlisting></para>
574 <title>Join the SAMBA server to the PDC domain</title>
577 Enter the following command to make the SAMBA server join the
578 PDC domain, where <replaceable>DOMAIN</replaceable> is the name of
579 your Windows domain and <replaceable>Administrator</replaceable> is
580 a domain user who has administrative privileges in the domain.
585 <prompt>root#</prompt> <command>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</command>
590 The proper response to the command should be: "Joined the domain
591 <replaceable>DOMAIN</replaceable>" where <replaceable>DOMAIN</replaceable>
599 <title>Start up the winbindd daemon and test it!</title>
602 Eventually, you will want to modify your smb startup script to
603 automatically invoke the winbindd daemon when the other parts of
604 SAMBA start, but it is possible to test out just the winbind
605 portion first. To start up winbind services, enter the following
610 <prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd</command>
614 I'm always paranoid and like to make sure the daemon
619 <prompt>root#</prompt> <command>ps -ae | grep winbindd</command>
622 This command should produce output like this, if the daemon is running
625 3025 ? 00:00:00 winbindd
629 Now... for the real test, try to get some information about the
634 <prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -u</command>
638 This should echo back a list of users on your Windows users on
639 your PDC. For example, I get the following response:
642 <para><programlisting>
649 </programlisting></para>
652 Obviously, I have named my domain 'CEO' and my <parameter>winbind
653 separator</parameter> is '+'.
657 You can do the same sort of thing to get group information from
661 <para><programlisting>
662 <prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command>
667 CEO+Domain Controllers
670 CEO+Enterprise Admins
671 CEO+Group Policy Creator Owners
672 </programlisting></para>
675 The function 'getent' can now be used to get unified
676 lists of both local and PDC users and groups.
677 Try the following command:
681 <prompt>root#</prompt> <command>getent passwd</command>
685 You should get a list that looks like your <filename>/etc/passwd</filename>
686 list followed by the domain users with their new uids, gids, home
687 directories and default shells.
691 The same thing can be done for groups with the command
695 <prompt>root#</prompt> <command>getent group</command>
702 <title>Fix the init.d startup scripts</title>
708 The <command>winbindd</command> daemon needs to start up after the
709 <command>smbd</command> and <command>nmbd</command> daemons are running.
710 To accomplish this task, you need to modify the startup scripts of your system. They are located at <filename>/etc/init.d/smb</filename> in RedHat and
711 <filename>/etc/init.d/samba</filename> in Debian.
712 script to add commands to invoke this daemon in the proper sequence. My
713 startup script starts up <command>smbd</command>,
714 <command>nmbd</command>, and <command>winbindd</command> from the
715 <filename>/usr/local/samba/bin</filename> directory directly. The 'start'
716 function in the script looks like this:
719 <para><programlisting>
722 echo -n $"Starting $KIND services: "
723 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
727 echo -n $"Starting $KIND services: "
728 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
732 echo -n $"Starting $KIND services: "
733 daemon /usr/local/samba/bin/winbindd
736 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
740 </programlisting></para>
743 The 'stop' function has a corresponding entry to shut down the
744 services and look s like this:
747 <para><programlisting>
750 echo -n $"Shutting down $KIND services: "
755 echo -n $"Shutting down $KIND services: "
760 echo -n $"Shutting down $KIND services: "
763 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
767 </programlisting></para>
771 <title>Solaris</title>
773 <para>On solaris, you need to modify the
774 <filename>/etc/init.d/samba.server</filename> startup script. It usually
775 only starts smbd and nmbd but should now start winbindd too. If you
776 have samba installed in <filename>/usr/local/samba/bin</filename>,
777 the file could contains something like this:
780 <para><programlisting>
786 then # /usr not mounted
790 killproc() { # kill the named process(es)
791 pid=`/usr/bin/ps -e |
792 /usr/bin/grep -w $1 |
793 /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
794 [ "$pid" != "" ] && kill $pid
797 # Start/stop processes required for samba server
803 # Edit these lines to suit your installation (paths, workgroup, host)
806 /usr/local/samba/bin/smbd -D -s \
807 /usr/local/samba/smb.conf
810 /usr/local/samba/bin/nmbd -D -l \
811 /usr/local/samba/var/log -s /usr/local/samba/smb.conf
813 echo Starting Winbind Daemon
814 /usr/local/samba/bin/winbindd
824 echo "Usage: /etc/init.d/samba.server { start | stop }"
827 </programlisting></para>
831 <title>Restarting</title>
833 If you restart the <command>smbd</command>, <command>nmbd</command>,
834 and <command>winbindd</command> daemons at this point, you
835 should be able to connect to the samba server as a domain member just as
836 if you were a local user.
842 <title>Configure Winbind and PAM</title>
845 If you have made it this far, you know that winbindd and samba are working
846 together. If you want to use winbind to provide authentication for other
847 services, keep reading. The pam configuration files need to be altered in
848 this step. (Did you remember to make backups of your original
849 <filename>/etc/pam.d</filename> files? If not, do it now.)
853 You will need a pam module to use winbindd with these other services. This
854 module will be compiled in the <filename>../source/nsswitch</filename> directory
855 by invoking the command
859 <prompt>root#</prompt> <command>make nsswitch/pam_winbind.so</command>
863 from the <filename>../source</filename> directory. The
864 <filename>pam_winbind.so</filename> file should be copied to the location of
865 your other pam security modules. On my RedHat system, this was the
866 <filename>/lib/security</filename> directory. On Solaris, the pam security
867 modules reside in <filename>/usr/lib/security</filename>.
871 <prompt>root#</prompt> <command>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</command>
875 <title>Linux/FreeBSD-specific PAM configuration</title>
878 The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
879 just left this fileas it was:
883 <para><programlisting>
884 auth required /lib/security/pam_stack.so service=system-auth
885 account required /lib/security/pam_stack.so service=system-auth
886 </programlisting></para>
889 The other services that I modified to allow the use of winbind
890 as an authentication service were the normal login on the console (or a terminal
891 session), telnet logins, and ftp service. In order to enable these
892 services, you may first need to change the entries in
893 <filename>/etc/xinetd.d</filename> (or <filename>/etc/inetd.conf</filename>).
894 RedHat 7.1 uses the new xinetd.d structure, in this case you need
895 to change the lines in <filename>/etc/xinetd.d/telnet</filename>
896 and <filename>/etc/xinetd.d/wu-ftp</filename> from
899 <para><programlisting>
901 </programlisting></para>
907 <para><programlisting>
909 </programlisting></para>
912 For ftp services to work properly, you will also need to either
913 have individual directories for the domain users already present on
914 the server, or change the home directory template to a general
915 directory for all domain users. These can be easily set using
916 the <filename>smb.conf</filename> global entry
917 <command>template homedir</command>.
921 The <filename>/etc/pam.d/ftp</filename> file can be changed
922 to allow winbind ftp access in a manner similar to the
923 samba file. My <filename>/etc/pam.d/ftp</filename> file was
924 changed to look like this:
927 <para><programlisting>
928 auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
929 auth sufficient /lib/security/pam_winbind.so
930 auth required /lib/security/pam_stack.so service=system-auth
931 auth required /lib/security/pam_shells.so
932 account sufficient /lib/security/pam_winbind.so
933 account required /lib/security/pam_stack.so service=system-auth
934 session required /lib/security/pam_stack.so service=system-auth
935 </programlisting></para>
938 The <filename>/etc/pam.d/login</filename> file can be changed nearly the
939 same way. It now looks like this:
942 <para><programlisting>
943 auth required /lib/security/pam_securetty.so
944 auth sufficient /lib/security/pam_winbind.so
945 auth sufficient /lib/security/pam_unix.so use_first_pass
946 auth required /lib/security/pam_stack.so service=system-auth
947 auth required /lib/security/pam_nologin.so
948 account sufficient /lib/security/pam_winbind.so
949 account required /lib/security/pam_stack.so service=system-auth
950 password required /lib/security/pam_stack.so service=system-auth
951 session required /lib/security/pam_stack.so service=system-auth
952 session optional /lib/security/pam_console.so
953 </programlisting></para>
956 In this case, I added the <command>auth sufficient /lib/security/pam_winbind.so</command>
957 lines as before, but also added the <command>required pam_securetty.so</command>
958 above it, to disallow root logins over the network. I also added a
959 <command>sufficient /lib/security/pam_unix.so use_first_pass</command>
960 line after the <command>winbind.so</command> line to get rid of annoying
961 double prompts for passwords.
967 <title>Solaris-specific configuration</title>
970 The /etc/pam.conf needs to be changed. I changed this file so that my Domain
971 users can logon both locally as well as telnet.The following are the changes
972 that I made.You can customize the pam.conf file as per your requirements,but
973 be sure of those changes because in the worst case it will leave your system
974 nearly impossible to boot.
977 <para><programlisting>
979 #ident "@(#)pam.conf 1.14 99/09/16 SMI"
981 # Copyright (c) 1996-1999, Sun Microsystems, Inc.
982 # All Rights Reserved.
986 # Authentication management
988 login auth required /usr/lib/security/pam_winbind.so
989 login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
990 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
992 rlogin auth sufficient /usr/lib/security/pam_winbind.so
993 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
994 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
996 dtlogin auth sufficient /usr/lib/security/pam_winbind.so
997 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
999 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1000 other auth sufficient /usr/lib/security/pam_winbind.so
1001 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1003 # Account management
1005 login account sufficient /usr/lib/security/pam_winbind.so
1006 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
1007 login account required /usr/lib/security/$ISA/pam_unix.so.1
1009 dtlogin account sufficient /usr/lib/security/pam_winbind.so
1010 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
1011 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
1013 other account sufficient /usr/lib/security/pam_winbind.so
1014 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
1015 other account required /usr/lib/security/$ISA/pam_unix.so.1
1017 # Session management
1019 other session required /usr/lib/security/$ISA/pam_unix.so.1
1021 # Password management
1023 #other password sufficient /usr/lib/security/pam_winbind.so
1024 other password required /usr/lib/security/$ISA/pam_unix.so.1
1025 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
1027 # Support for Kerberos V5 authentication (uncomment to use Kerberos)
1029 #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1030 #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1031 #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1032 #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1033 #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
1034 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
1035 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
1036 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1037 </programlisting></para>
1040 I also added a try_first_pass line after the winbind.so line to get rid of
1041 annoying double prompts for passwords.
1045 Now restart your Samba & try connecting through your application that you
1046 configured in the pam.conf.
1058 <title>Limitations</title>
1060 <para>Winbind has a number of limitations in its current
1061 released version that we hope to overcome in future
1065 <listitem><para>Winbind is currently only available for
1066 the Linux operating system, although ports to other operating
1067 systems are certainly possible. For such ports to be feasible,
1068 we require the C library of the target operating system to
1069 support the Name Service Switch and Pluggable Authentication
1070 Modules systems. This is becoming more common as NSS and
1071 PAM gain support among UNIX vendors.</para></listitem>
1073 <listitem><para>The mappings of Windows NT RIDs to UNIX ids
1074 is not made algorithmically and depends on the order in which
1075 unmapped users or groups are seen by winbind. It may be difficult
1076 to recover the mappings of rid to UNIX id mapping if the file
1077 containing this information is corrupted or destroyed.</para>
1080 <listitem><para>Currently the winbind PAM module does not take
1081 into account possible workstation and logon time restrictions
1082 that may be been set for Windows NT users.</para></listitem>
1088 <title>Conclusion</title>
1090 <para>The winbind system, through the use of the Name Service
1091 Switch, Pluggable Authentication Modules, and appropriate
1092 Microsoft RPC calls have allowed us to provide seamless
1093 integration of Microsoft Windows NT domain users on a
1094 UNIX system. The result is a great reduction in the administrative
1095 cost of running a mixed UNIX and NT network.</para>