1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Unified Logons between Windows NT and UNIX using Winbind</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="SAMBA Project Documentation"
11 HREF="samba-howto-collection.html"><LINK
13 TITLE="Advanced Configuration"
14 HREF="optional.html"><LINK
16 TITLE="CUPS Printing Support"
17 HREF="cups-printing.html"><LINK
19 TITLE="Advanced Network Manangement"
20 HREF="advancednetworkmanagement.html"></HEAD
31 SUMMARY="Header navigation table"
40 >SAMBA Project Documentation</TH
48 HREF="cups-printing.html"
62 HREF="advancednetworkmanagement.html"
77 >Chapter 15. Unified Logons between Windows NT and UNIX using Winbind</H1
87 HREF="winbind.html#AEN2516"
92 HREF="winbind.html#AEN2520"
97 HREF="winbind.html#AEN2533"
98 >What Winbind Provides</A
102 HREF="winbind.html#AEN2544"
103 >How Winbind Works</A
109 HREF="winbind.html#AEN2549"
110 >Microsoft Remote Procedure Calls</A
114 HREF="winbind.html#AEN2553"
115 >Microsoft Active Directory Services</A
119 HREF="winbind.html#AEN2556"
120 >Name Service Switch</A
124 HREF="winbind.html#AEN2572"
125 >Pluggable Authentication Modules</A
129 HREF="winbind.html#AEN2580"
130 >User and Group ID Allocation</A
134 HREF="winbind.html#AEN2584"
141 HREF="winbind.html#AEN2587"
142 >Installation and Configuration</A
148 HREF="winbind.html#AEN2592"
153 HREF="winbind.html#AEN2605"
158 HREF="winbind.html#AEN2619"
159 >Testing Things Out</A
165 HREF="winbind.html#AEN2630"
166 >Configure and compile SAMBA</A
170 HREF="winbind.html#AEN2649"
179 HREF="winbind.html#AEN2682"
180 >Configure smb.conf</A
184 HREF="winbind.html#AEN2698"
185 >Join the SAMBA server to the PDC domain</A
189 HREF="winbind.html#AEN2709"
190 >Start up the winbindd daemon and test it!</A
194 HREF="winbind.html#AEN2749"
195 >Fix the init.d startup scripts</A
199 HREF="winbind.html#AEN2787"
200 >Configure Winbind and PAM</A
208 HREF="winbind.html#AEN2844"
213 HREF="winbind.html#AEN2854"
227 >Integration of UNIX and Microsoft Windows NT through
228 a unified logon has been considered a "holy grail" in heterogeneous
229 computing environments for a long time. We present
236 >, a component of the Samba suite
237 of programs as a solution to the unified logon problem. Winbind
238 uses a UNIX implementation
239 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
240 Service Switch to allow Windows NT domain users to appear and operate
241 as UNIX users on a UNIX machine. This paper describes the winbind
242 system, explaining the functionality it provides, how it is configured,
243 and how it works internally.</P
251 >15.2. Introduction</A
254 >It is well known that UNIX and Microsoft Windows NT have
255 different models for representing user and group information and
256 use different technologies for implementing them. This fact has
257 made it difficult to integrate the two systems in a satisfactory
260 >One common solution in use today has been to create
261 identically named user accounts on both the UNIX and Windows systems
262 and use the Samba suite of programs to provide file and print services
263 between the two. This solution is far from perfect however, as
264 adding and deleting users on both sets of machines becomes a chore
265 and two sets of passwords are required both of which
266 can lead to synchronization problems between the UNIX and Windows
267 systems and confusion for users.</P
269 >We divide the unified logon problem for UNIX machines into
270 three smaller problems:</P
276 >Obtaining Windows NT user and group information
281 >Authenticating Windows NT users
286 >Password changing for Windows NT users
291 >Ideally, a prospective solution to the unified logon problem
292 would satisfy all the above components without duplication of
293 information on the UNIX machines and without creating additional
294 tasks for the system administrator when maintaining users and
295 groups on either system. The winbind system provides a simple
296 and elegant solution to all three components of the unified logon
305 >15.3. What Winbind Provides</A
308 >Winbind unifies UNIX and Windows NT account management by
309 allowing a UNIX box to become a full member of a NT domain. Once
310 this is done the UNIX box will see NT users and groups as if
311 they were native UNIX users and groups, allowing the NT domain
312 to be used in much the same manner that NIS+ is used within
313 UNIX-only environments.</P
315 >The end result is that whenever any
316 program on the UNIX machine asks the operating system to lookup
317 a user or group name, the query will be resolved by asking the
318 NT domain controller for the specified domain to do the lookup.
319 Because Winbind hooks into the operating system at a low level
320 (via the NSS name resolution modules in the C library) this
321 redirection to the NT domain controller is completely
324 >Users on the UNIX machine can then use NT user and group
325 names as they would use "native" UNIX names. They can chown files
326 so that they are owned by NT domain users or even login to the
327 UNIX machine and run a UNIX X-Window session as a domain user.</P
329 >The only obvious indication that Winbind is being used is
330 that user and group names take the form DOMAIN\user and
331 DOMAIN\group. This is necessary as it allows Winbind to determine
332 that redirection to a domain controller is wanted for a particular
333 lookup and which trusted domain is being referenced.</P
335 >Additionally, Winbind provides an authentication service
336 that hooks into the Pluggable Authentication Modules (PAM) system
337 to provide authentication via a NT domain to any PAM enabled
338 applications. This capability solves the problem of synchronizing
339 passwords between systems since all passwords are stored in a single
340 location (on the domain controller).</P
347 >15.3.1. Target Uses</A
350 >Winbind is targeted at organizations that have an
351 existing NT based domain infrastructure into which they wish
352 to put UNIX workstations or servers. Winbind will allow these
353 organizations to deploy UNIX workstations without having to
354 maintain a separate account infrastructure. This greatly
355 simplifies the administrative overhead of deploying UNIX
356 workstations into a NT based organization.</P
358 >Another interesting way in which we expect Winbind to
359 be used is as a central part of UNIX based appliances. Appliances
360 that provide file and print services to Microsoft based networks
361 will be able to use Winbind to provide seamless integration of
362 the appliance into the domain.</P
371 >15.4. How Winbind Works</A
374 >The winbind system is designed around a client/server
375 architecture. A long running <B
379 listens on a UNIX domain socket waiting for requests
380 to arrive. These requests are generated by the NSS and PAM
381 clients and processed sequentially.</P
383 >The technologies used to implement winbind are described
391 >15.4.1. Microsoft Remote Procedure Calls</A
394 >Over the last few years, efforts have been underway
395 by various Samba Team members to decode various aspects of
396 the Microsoft Remote Procedure Call (MSRPC) system. This
397 system is used for most network related operations between
398 Windows NT machines including remote management, user authentication
399 and print spooling. Although initially this work was done
400 to aid the implementation of Primary Domain Controller (PDC)
401 functionality in Samba, it has also yielded a body of code which
402 can be used for other purposes.</P
404 >Winbind uses various MSRPC calls to enumerate domain users
405 and groups and to obtain detailed information about individual
406 users or groups. Other MSRPC calls can be used to authenticate
407 NT domain users and to change user passwords. By directly querying
408 a Windows PDC for user and group information, winbind maps the
409 NT account information onto UNIX user and group names.</P
417 >15.4.2. Microsoft Active Directory Services</A
420 > Since late 2001, Samba has gained the ability to
421 interact with Microsoft Windows 2000 using its 'Native
422 Mode' protocols, rather than the NT4 RPC services.
423 Using LDAP and Kerberos, a domain member running
424 winbind can enumerate users and groups in exactly the
425 same way as a Win2k client would, and in so doing
426 provide a much more efficient and
427 effective winbind implementation.
436 >15.4.3. Name Service Switch</A
439 >The Name Service Switch, or NSS, is a feature that is
440 present in many UNIX operating systems. It allows system
441 information such as hostnames, mail aliases and user information
442 to be resolved from different sources. For example, a standalone
443 UNIX workstation may resolve system information from a series of
444 flat files stored on the local filesystem. A networked workstation
445 may first attempt to resolve system information from local files,
446 and then consult a NIS database for user information or a DNS server
447 for hostname information.</P
449 >The NSS application programming interface allows winbind
450 to present itself as a source of system information when
451 resolving UNIX usernames and groups. Winbind uses this interface,
452 and information obtained from a Windows NT server using MSRPC
453 calls to provide a new source of account enumeration. Using standard
454 UNIX library calls, one can enumerate the users and groups on
455 a UNIX machine running winbind and see all users and groups in
456 a NT domain plus any trusted domain as though they were local
459 >The primary control file for NSS is
462 >/etc/nsswitch.conf</TT
464 When a UNIX application makes a request to do a lookup
465 the C library looks in <TT
467 >/etc/nsswitch.conf</TT
469 for a line which matches the service type being requested, for
470 example the "passwd" service type is used when user or group names
471 are looked up. This config line species which implementations
472 of that service should be tried and in what order. If the passwd
477 >passwd: files example</B
480 >then the C library will first load a module called
483 >/lib/libnss_files.so</TT
487 >/lib/libnss_example.so</TT
489 C library will dynamically load each of these modules in turn
490 and call resolver functions within the modules to try to resolve
491 the request. Once the request is resolved the C library returns the
492 result to the application.</P
494 >This NSS interface provides a very easy way for Winbind
495 to hook into the operating system. All that needs to be done
498 >libnss_winbind.so</TT
503 then add "winbind" into <TT
505 >/etc/nsswitch.conf</TT
507 the appropriate place. The C library will then call Winbind to
508 resolve user and group names.</P
516 >15.4.4. Pluggable Authentication Modules</A
519 >Pluggable Authentication Modules, also known as PAM,
520 is a system for abstracting authentication and authorization
521 technologies. With a PAM module it is possible to specify different
522 authentication methods for different system applications without
523 having to recompile these applications. PAM is also useful
524 for implementing a particular policy for authorization. For example,
525 a system administrator may only allow console logins from users
526 stored in the local password file but only allow users resolved from
527 a NIS database to log in over the network.</P
529 >Winbind uses the authentication management and password
530 management PAM interface to integrate Windows NT users into a
531 UNIX system. This allows Windows NT users to log in to a UNIX
532 machine and be authenticated against a suitable Primary Domain
533 Controller. These users can also change their passwords and have
534 this change take effect directly on the Primary Domain Controller.
537 >PAM is configured by providing control files in the directory
541 > for each of the services that
542 require authentication. When an authentication request is made
543 by an application the PAM code in the C library looks up this
544 control file to determine what modules to load to do the
545 authentication check and in what order. This interface makes adding
546 a new authentication service for Winbind very easy, all that needs
547 to be done is that the <TT
555 control files for relevant services are updated to allow
556 authentication via winbind. See the PAM documentation
565 >15.4.5. User and Group ID Allocation</A
568 >When a user or group is created under Windows NT
569 is it allocated a numerical relative identifier (RID). This is
570 slightly different to UNIX which has a range of numbers that are
571 used to identify users, and the same range in which to identify
572 groups. It is winbind's job to convert RIDs to UNIX id numbers and
573 vice versa. When winbind is configured it is given part of the UNIX
574 user id space and a part of the UNIX group id space in which to
575 store Windows NT users and groups. If a Windows NT user is
576 resolved for the first time, it is allocated the next UNIX id from
577 the range. The same process applies for Windows NT groups. Over
578 time, winbind will have mapped all Windows NT users and groups
579 to UNIX user ids and group ids.</P
581 >The results of this mapping are stored persistently in
582 an ID mapping database held in a tdb database). This ensures that
583 RIDs are mapped to UNIX IDs in a consistent way.</P
591 >15.4.6. Result Caching</A
594 >An active system can generate a lot of user and group
595 name lookups. To reduce the network cost of these lookups winbind
596 uses a caching scheme based on the SAM sequence number supplied
597 by NT domain controllers. User or group information returned
598 by a PDC is cached by winbind along with a sequence number also
599 returned by the PDC. This sequence number is incremented by
600 Windows NT whenever any user or group information is modified. If
601 a cached entry has expired, the sequence number is requested from
602 the PDC and compared against the sequence number of the cached entry.
603 If the sequence numbers do not match, then the cached information
604 is discarded and up to date information is requested directly
614 >15.5. Installation and Configuration</A
617 >Many thanks to John Trostel <A
618 HREF="mailto:jtrostel@snapserver.com"
620 >jtrostel@snapserver.com</A
622 for providing the HOWTO for this section.</P
624 >This HOWTO describes how to get winbind services up and running
625 to control access and authenticate users on your Linux box using
626 the winbind services which come with SAMBA 2.2.2.</P
633 >15.5.1. Introduction</A
636 >This HOWTO describes the procedures used to get winbind up and
637 running on my RedHat 7.1 system. Winbind is capable of providing access
638 and authentication control for Windows Domain users through an NT
639 or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
640 well for SAMBA services.</P
642 >This HOWTO has been written from a 'RedHat-centric' perspective, so if
643 you are using another distribution, you may have to modify the instructions
644 somewhat to fit the way your distribution works.</P
654 >Why should I to this?</I
659 >This allows the SAMBA administrator to rely on the
660 authentication mechanisms on the NT/Win2K PDC for the authentication
661 of domain members. NT/Win2K users no longer need to have separate
662 accounts on the SAMBA server.
671 >Who should be reading this document?</I
676 > This HOWTO is designed for system administrators. If you are
677 implementing SAMBA on a file server and wish to (fairly easily)
678 integrate existing NT/Win2K users from your PDC onto the
679 SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
680 expert, so you may find a better or easier way to accomplish
692 >15.5.2. Requirements</A
695 >If you have a samba configuration file that you are currently
702 > If your system already uses PAM,
713 > If you haven't already made a boot disk,
722 >Messing with the pam configuration files can make it nearly impossible
723 to log in to yourmachine. That's why you want to be able to boot back
724 into your machine in single user mode and restore your
728 > back to the original state they were in if
729 you get frustrated with the way things are going. ;-)</P
731 >The latest version of SAMBA (version 3.0 as of this writing), now
732 includes a functioning winbindd daemon. Please refer to the
734 HREF="http://samba.org/"
736 >main SAMBA web page</A
738 better yet, your closest SAMBA mirror site for instructions on
739 downloading the source code.</P
741 >To allow Domain users the ability to access SAMBA shares and
742 files, as well as potentially other services provided by your
743 SAMBA machine, PAM (pluggable authentication modules) must
744 be setup properly on your machine. In order to compile the
745 winbind modules, you should have at least the pam libraries resident
746 on your system. For recent RedHat systems (7.1, for instance), that
750 >. For best results, it is helpful to also
751 install the development packages in <TT
753 >pam-devel-0.74-22</TT
762 >15.5.3. Testing Things Out</A
765 >Before starting, it is probably best to kill off all the SAMBA
766 related daemons running on your server. Kill off all <B
777 be running. To use PAM, you will want to make sure that you have the
778 standard PAM package (for RedHat) which supplies the <TT
782 directory structure, including the pam modules are used by pam-aware
783 services, several pam libraries, and the <TT
790 > entries for pam. Winbind built better
791 in SAMBA if the pam-devel package was also installed. This package includes
792 the header files needed to compile pam-aware applications. For instance,
793 my RedHat system has both <TT
799 >pam-devel-0.74-22</TT
807 >15.5.3.1. Configure and compile SAMBA</A
810 >The configuration and compilation of SAMBA is pretty straightforward.
811 The first three steps may not be necessary depending upon
812 whether or not you have previously built the Samba binaries.</P
815 CLASS="PROGRAMLISTING"
860 >This will, by default, install SAMBA in <TT
862 >/usr/local/samba</TT
864 See the main SAMBA documentation if you want to install SAMBA somewhere else.
865 It will also build the winbindd executable and libraries. </P
873 >15.5.3.2. Configure <TT
880 >The libraries needed to run the <B
884 through nsswitch need to be copied to their proper locations, so</P
891 >cp ../samba/source/nsswitch/libnss_winbind.so /lib</B
894 >I also found it necessary to make the following symbolic link:</P
901 >ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B
904 >And, in the case of Sun solaris:</P
911 >ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</B
918 >ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</B
925 >ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</B
928 >Now, as root you need to edit <TT
930 >/etc/nsswitch.conf</TT
932 allow user and group entries to be visible from the <B
938 >/etc/nsswitch.conf</TT
940 this after editing:</P
943 CLASS="PROGRAMLISTING"
944 > passwd: files winbind
946 group: files winbind</PRE
950 The libraries needed by the winbind daemon will be automatically
954 > cache the next time
955 your system reboots, but it
956 is faster (and you don't need to reboot) if you do it manually:</P
963 >/sbin/ldconfig -v | grep winbind</B
969 > available to winbindd
970 and echos back a check to you.</P
978 >15.5.3.3. Configure smb.conf</A
981 >Several parameters are needed in the smb.conf file to control
989 > These are described in more detail in
991 HREF="winbindd.8.html"
998 > file was modified to
999 include the following entries in the [global] section:</P
1002 CLASS="PROGRAMLISTING"
1005 # separate domain and username with '+', like DOMAIN+username
1007 HREF="winbindd.8.html#WINBINDSEPARATOR"
1009 >winbind separator</A
1011 # use uids from 10000 to 20000 for domain users
1013 HREF="winbindd.8.html#WINBINDUID"
1017 # use gids from 10000 to 20000 for domain groups
1019 HREF="winbindd.8.html#WINBINDGID"
1023 # allow enumeration of winbind users and groups
1025 HREF="winbindd.8.html#WINBINDENUMUSERS"
1027 >winbind enum users</A
1030 HREF="winbindd.8.html#WINBINDENUMGROUP"
1032 >winbind enum groups</A
1034 # give winbind users a real shell (only needed if they have telnet access)
1036 HREF="winbindd.8.html#TEMPLATEHOMEDIR"
1038 >template homedir</A
1039 > = /home/winnt/%D/%U
1041 HREF="winbindd.8.html#TEMPLATESHELL"
1053 >15.5.3.4. Join the SAMBA server to the PDC domain</A
1056 >Enter the following command to make the SAMBA server join the
1057 PDC domain, where <VAR
1061 your Windows domain and <VAR
1065 a domain user who has administrative privileges in the domain.</P
1072 >/usr/local/samba/bin/net join -S PDC -U Administrator</B
1075 >The proper response to the command should be: "Joined the domain
1083 is your DOMAIN name.</P
1091 >15.5.3.5. Start up the winbindd daemon and test it!</A
1094 >Eventually, you will want to modify your smb startup script to
1095 automatically invoke the winbindd daemon when the other parts of
1096 SAMBA start, but it is possible to test out just the winbind
1097 portion first. To start up winbind services, enter the following
1105 >/usr/local/samba/bin/winbindd</B
1108 >Winbindd can now also run in 'dual daemon mode'. This will make it
1109 run as 2 processes. The first will answer all requests from the cache,
1110 thus making responses to clients faster. The other will
1111 update the cache for the query that the first has just responded.
1112 Advantage of this is that responses stay accurate and are faster.
1113 You can enable dual daemon mode by adding '-B' to the commandline:</P
1120 >/usr/local/samba/bin/winbindd -B</B
1123 >I'm always paranoid and like to make sure the daemon
1124 is really running...</P
1131 >ps -ae | grep winbindd</B
1134 >This command should produce output like this, if the daemon is running</P
1136 >3025 ? 00:00:00 winbindd</P
1138 >Now... for the real test, try to get some information about the
1139 users on your PDC</P
1146 >/usr/local/samba/bin/wbinfo -u</B
1150 This should echo back a list of users on your Windows users on
1151 your PDC. For example, I get the following response:</P
1154 CLASS="PROGRAMLISTING"
1160 CEO+TsInternetUser</PRE
1163 >Obviously, I have named my domain 'CEO' and my <VAR
1169 >You can do the same sort of thing to get group information from
1173 CLASS="PROGRAMLISTING"
1179 >/usr/local/samba/bin/wbinfo -g</B
1184 CEO+Domain Computers
1185 CEO+Domain Controllers
1188 CEO+Enterprise Admins
1189 CEO+Group Policy Creator Owners</PRE
1192 >The function 'getent' can now be used to get unified
1193 lists of both local and PDC users and groups.
1194 Try the following command:</P
1204 >You should get a list that looks like your <TT
1208 list followed by the domain users with their new uids, gids, home
1209 directories and default shells.</P
1211 >The same thing can be done for groups with the command</P
1227 >15.5.3.6. Fix the init.d startup scripts</A
1235 >15.5.3.6.1. Linux</A
1241 > daemon needs to start up after the
1248 > daemons are running.
1249 To accomplish this task, you need to modify the startup scripts of your system. They are located at <TT
1251 >/etc/init.d/smb</TT
1255 >/etc/init.d/samba</TT
1257 script to add commands to invoke this daemon in the proper sequence. My
1258 startup script starts up <B
1271 >/usr/local/samba/bin</TT
1272 > directory directly. The 'start'
1273 function in the script looks like this:</P
1276 CLASS="PROGRAMLISTING"
1279 echo -n $"Starting $KIND services: "
1280 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
1284 echo -n $"Starting $KIND services: "
1285 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
1289 echo -n $"Starting $KIND services: "
1290 daemon /usr/local/samba/bin/winbindd
1293 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
1299 >If you would like to run winbindd in dual daemon mode, replace
1302 CLASS="PROGRAMLISTING"
1303 > daemon /usr/local/samba/bin/winbindd</PRE
1306 in the example above with:
1309 CLASS="PROGRAMLISTING"
1310 > daemon /usr/local/samba/bin/winbindd -B</PRE
1313 >The 'stop' function has a corresponding entry to shut down the
1314 services and looks like this:</P
1317 CLASS="PROGRAMLISTING"
1320 echo -n $"Shutting down $KIND services: "
1325 echo -n $"Shutting down $KIND services: "
1330 echo -n $"Shutting down $KIND services: "
1333 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
1345 >15.5.3.6.2. Solaris</A
1348 >On solaris, you need to modify the
1351 >/etc/init.d/samba.server</TT
1352 > startup script. It usually
1353 only starts smbd and nmbd but should now start winbindd too. If you
1354 have samba installed in <TT
1356 >/usr/local/samba/bin</TT
1358 the file could contains something like this:</P
1361 CLASS="PROGRAMLISTING"
1366 if [ ! -d /usr/bin ]
1367 then # /usr not mounted
1371 killproc() { # kill the named process(es)
1372 pid=`/usr/bin/ps -e |
1373 /usr/bin/grep -w $1 |
1374 /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
1375 [ "$pid" != "" ] && kill $pid
1378 # Start/stop processes required for samba server
1384 # Edit these lines to suit your installation (paths, workgroup, host)
1387 /usr/local/samba/bin/smbd -D -s \
1388 /usr/local/samba/smb.conf
1391 /usr/local/samba/bin/nmbd -D -l \
1392 /usr/local/samba/var/log -s /usr/local/samba/smb.conf
1394 echo Starting Winbind Daemon
1395 /usr/local/samba/bin/winbindd
1405 echo "Usage: /etc/init.d/samba.server { start | stop }"
1410 >Again, if you would like to run samba in dual daemon mode, replace
1412 CLASS="PROGRAMLISTING"
1413 > /usr/local/samba/bin/winbindd</PRE
1416 in the script above with:
1419 CLASS="PROGRAMLISTING"
1420 > /usr/local/samba/bin/winbindd -B</PRE
1429 >15.5.3.6.3. Restarting</A
1432 >If you restart the <B
1442 > daemons at this point, you
1443 should be able to connect to the samba server as a domain member just as
1444 if you were a local user.</P
1453 >15.5.3.7. Configure Winbind and PAM</A
1456 >If you have made it this far, you know that winbindd and samba are working
1457 together. If you want to use winbind to provide authentication for other
1458 services, keep reading. The pam configuration files need to be altered in
1459 this step. (Did you remember to make backups of your original
1463 > files? If not, do it now.)</P
1465 >You will need a pam module to use winbindd with these other services. This
1466 module will be compiled in the <TT
1468 >../source/nsswitch</TT
1470 by invoking the command</P
1477 >make nsswitch/pam_winbind.so</B
1487 > file should be copied to the location of
1488 your other pam security modules. On my RedHat system, this was the
1492 > directory. On Solaris, the pam security
1493 modules reside in <TT
1495 >/usr/lib/security</TT
1503 >cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B
1511 >15.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A
1516 >/etc/pam.d/samba</TT
1517 > file does not need to be changed. I
1518 just left this fileas it was:</P
1521 CLASS="PROGRAMLISTING"
1522 >auth required /lib/security/pam_stack.so service=system-auth
1523 account required /lib/security/pam_stack.so service=system-auth</PRE
1526 >The other services that I modified to allow the use of winbind
1527 as an authentication service were the normal login on the console (or a terminal
1528 session), telnet logins, and ftp service. In order to enable these
1529 services, you may first need to change the entries in
1535 >/etc/inetd.conf</TT
1537 RedHat 7.1 uses the new xinetd.d structure, in this case you need
1538 to change the lines in <TT
1540 >/etc/xinetd.d/telnet</TT
1544 >/etc/xinetd.d/wu-ftp</TT
1548 CLASS="PROGRAMLISTING"
1555 CLASS="PROGRAMLISTING"
1560 For ftp services to work properly, you will also need to either
1561 have individual directories for the domain users already present on
1562 the server, or change the home directory template to a general
1563 directory for all domain users. These can be easily set using
1570 >template homedir</B
1576 > file can be changed
1577 to allow winbind ftp access in a manner similar to the
1582 changed to look like this:</P
1585 CLASS="PROGRAMLISTING"
1586 >auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
1587 auth sufficient /lib/security/pam_winbind.so
1588 auth required /lib/security/pam_stack.so service=system-auth
1589 auth required /lib/security/pam_shells.so
1590 account sufficient /lib/security/pam_winbind.so
1591 account required /lib/security/pam_stack.so service=system-auth
1592 session required /lib/security/pam_stack.so service=system-auth</PRE
1597 >/etc/pam.d/login</TT
1598 > file can be changed nearly the
1599 same way. It now looks like this:</P
1602 CLASS="PROGRAMLISTING"
1603 >auth required /lib/security/pam_securetty.so
1604 auth sufficient /lib/security/pam_winbind.so
1605 auth sufficient /lib/security/pam_unix.so use_first_pass
1606 auth required /lib/security/pam_stack.so service=system-auth
1607 auth required /lib/security/pam_nologin.so
1608 account sufficient /lib/security/pam_winbind.so
1609 account required /lib/security/pam_stack.so service=system-auth
1610 password required /lib/security/pam_stack.so service=system-auth
1611 session required /lib/security/pam_stack.so service=system-auth
1612 session optional /lib/security/pam_console.so</PRE
1615 >In this case, I added the <B
1617 >auth sufficient /lib/security/pam_winbind.so</B
1619 lines as before, but also added the <B
1621 >required pam_securetty.so</B
1623 above it, to disallow root logins over the network. I also added a
1626 >sufficient /lib/security/pam_unix.so use_first_pass</B
1631 > line to get rid of annoying
1632 double prompts for passwords.</P
1640 >15.5.3.7.2. Solaris-specific configuration</A
1643 >The /etc/pam.conf needs to be changed. I changed this file so that my Domain
1644 users can logon both locally as well as telnet.The following are the changes
1645 that I made.You can customize the pam.conf file as per your requirements,but
1646 be sure of those changes because in the worst case it will leave your system
1647 nearly impossible to boot.</P
1650 CLASS="PROGRAMLISTING"
1652 #ident "@(#)pam.conf 1.14 99/09/16 SMI"
1654 # Copyright (c) 1996-1999, Sun Microsystems, Inc.
1655 # All Rights Reserved.
1659 # Authentication management
1661 login auth required /usr/lib/security/pam_winbind.so
1662 login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1663 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
1665 rlogin auth sufficient /usr/lib/security/pam_winbind.so
1666 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1667 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1669 dtlogin auth sufficient /usr/lib/security/pam_winbind.so
1670 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1672 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1673 other auth sufficient /usr/lib/security/pam_winbind.so
1674 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1676 # Account management
1678 login account sufficient /usr/lib/security/pam_winbind.so
1679 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
1680 login account required /usr/lib/security/$ISA/pam_unix.so.1
1682 dtlogin account sufficient /usr/lib/security/pam_winbind.so
1683 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
1684 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
1686 other account sufficient /usr/lib/security/pam_winbind.so
1687 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
1688 other account required /usr/lib/security/$ISA/pam_unix.so.1
1690 # Session management
1692 other session required /usr/lib/security/$ISA/pam_unix.so.1
1694 # Password management
1696 #other password sufficient /usr/lib/security/pam_winbind.so
1697 other password required /usr/lib/security/$ISA/pam_unix.so.1
1698 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
1700 # Support for Kerberos V5 authentication (uncomment to use Kerberos)
1702 #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1703 #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1704 #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1705 #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1706 #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
1707 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
1708 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
1709 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass</PRE
1712 >I also added a try_first_pass line after the winbind.so line to get rid of
1713 annoying double prompts for passwords.</P
1715 >Now restart your Samba and try connecting through your application that you
1716 configured in the pam.conf.</P
1727 >15.6. Limitations</A
1730 >Winbind has a number of limitations in its current
1731 released version that we hope to overcome in future
1738 >Winbind is currently only available for
1739 the Linux, Solaris and IRIX operating systems, although ports to other operating
1740 systems are certainly possible. For such ports to be feasible,
1741 we require the C library of the target operating system to
1742 support the Name Service Switch and Pluggable Authentication
1743 Modules systems. This is becoming more common as NSS and
1744 PAM gain support among UNIX vendors.</P
1748 >The mappings of Windows NT RIDs to UNIX ids
1749 is not made algorithmically and depends on the order in which
1750 unmapped users or groups are seen by winbind. It may be difficult
1751 to recover the mappings of rid to UNIX id mapping if the file
1752 containing this information is corrupted or destroyed.</P
1756 >Currently the winbind PAM module does not take
1757 into account possible workstation and logon time restrictions
1758 that may be been set for Windows NT users, this is
1759 instead up to the PDC to enforce.</P
1769 >15.7. Conclusion</A
1772 >The winbind system, through the use of the Name Service
1773 Switch, Pluggable Authentication Modules, and appropriate
1774 Microsoft RPC calls have allowed us to provide seamless
1775 integration of Microsoft Windows NT domain users on a
1776 UNIX system. The result is a great reduction in the administrative
1777 cost of running a mixed UNIX and NT network.</P
1785 SUMMARY="Footer navigation table"
1796 HREF="cups-printing.html"
1805 HREF="samba-howto-collection.html"
1814 HREF="advancednetworkmanagement.html"
1824 >CUPS Printing Support</TD
1830 HREF="optional.html"
1838 >Advanced Network Manangement</TD