SAMBA V: Domain Membership
Summary:
- Joining A Windows Domain
- Authenticating Other Services
- Using Winbind To Authenticate Other Services
This section contains information on the latest features available in Samba, which allow you get the most out of your Linux desktop or server, and allow you to integrate it into a large Windows network, or to form the basis of a small Windows network.
Joining A Windows Domain
Why join your Linux box to a Windows domain?
A Windows Domain is a workgroup (usually) controlled by a Windows (Windows NT or Windows 2000) Server, which provides account and authentication services to the clients (typically Windows NT or Windows 2000 Pro, but to a limited extent Windows 9x) in the way one would use NIS or LDAP in a Unix network. This results in less admin overhead on the Windows NT/2000 machines (users only need a domain account, as opposed to one per machine) and more security on the Windows 9x machines (it is possible to only allow authenticated logins to Windows 9x).
It is possible for you to join your Linux box to a Windows domain, which allows you to provide file sharing to your colleagues who run Windows machines in the domain, without needing to try and keep their Samba password on your machine in sync with their Windows domain password.
Configuration options required
To participate in a Windows domain, you need the following entries in your 'smb.conf' file:
encrypt passwords = yes
security = domain
workgroup = <WORKGROUP>
password server = <LIST_OF_DOMAIN_CONTROLLERS>
Setting
password server = *
Actually joining the domain
You now need to join the Windows domain. This involves having an account made for your machine, and then having your machine log into the server and change its password. You can do this all in one step with the following command:
smbpasswd -j <DOMAIN> -r <DOMAIN_CONTROLLER> -U <DOMAIN_ADMIN>
Where DOMAIN is the name of your domain (should be the same as the
workgroup
Older versions of Samba need you to do this in two steps (this can also be used if your Windows admin is far away but can make an account for your computer):
- Have a computer account made in the domain for your Linux box. This must be the name used in the
netbios name
- Join the Windows domain with the following command:
smbpasswd -j <DOMAIN>
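As an added example (not part of the original page), the following shell script checks an smb.conf for the four settings the configuration section above requires before you attempt the join. The functions smbconf_get and smbconf_check_domain are my own, and the two configurations it writes to temporary files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: check that an smb.conf carries
# the settings domain membership needs. Matching is line-based ("key = value"
# on one line), keys are compared case-insensitively and whitespace around
# '=' is ignored, as Samba itself does. Only [global] keys matter here, so
# sections are not tracked.

# smbconf_get FILE KEY
# Prints the value of KEY (the last occurrence wins, like Samba), or nothing.
smbconf_get() {
    awk -v key="$2" -F= '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        index($0, "=") > 0 {
            k = $1
            sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                val = v
            }
        }
        END { if (val != "") print val }' "$1"
}

# smbconf_check_domain FILE
# Prints "ok" when the four domain-membership settings are present and sane;
# otherwise prints one line per problem and returns 1.
smbconf_check_domain() {
    f=$1 rc=0

    case "$(smbconf_get "$f" "encrypt passwords" | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "encrypt passwords: must be yes (an NT domain only accepts encrypted passwords)"; rc=1 ;;
    esac

    case "$(smbconf_get "$f" security | tr 'A-Z' 'a-z')" in
        domain) ;;
        *) echo "security: must be domain, otherwise the domain controller is never consulted"; rc=1 ;;
    esac

    [ -n "$(smbconf_get "$f" workgroup)" ] ||
        { echo "workgroup: missing (must be the domain name)"; rc=1; }

    [ -n "$(smbconf_get "$f" "password server")" ] ||
        { echo "password server: missing (list of domain controllers, or * to let Samba locate them)"; rc=1; }

    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# --- stand-alone demo on constructed sample configurations ----------------
good=$(mktemp) bad=$(mktemp)
cat > "$good" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = domain
   encrypt passwords = yes
   password server = *
EOF
cat > "$bad" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   encrypt passwords = yes
EOF
echo "good: $(smbconf_check_domain "$good")"
echo "bad:"; smbconf_check_domain "$bad" || true
rm -f "$good" "$bad"
```

Run it against a real '/etc/samba/smb.conf' with smbconf_check_domain /etc/samba/smb.conf before running smbpasswd -j; a join attempted with security = user or without a password server fails in less obvious ways.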
Allowing domain users to access your machine
The advantages of joining a domain are mainly to allow controlled access to files on your machine. To control file permissions, Linux needs a user and group to assign file ownership to and to consult when determining whether a user has access. Samba doesn't provide this, so you need to make local Unix accounts (or accounts via some other method like NIS or LDAP) for each user accessing your machine via Samba. Samba only uses the domain to check the password of the user at present.
If you trust everyone in your domain to not eat up your disk space (or if you implement quotas), you can set samba up to create user accounts when a user authenticated by a domain controller accesses your machine, using the
add user script
add user script = /usr/sbin/useradd -s /bin/false %u
or specify an external shell script, or add more parameters. There is also a corresponding delete user script parameter, which will run a command if a user attempts to connect to your machine, and Samba receives a packet that indicates that the user no longer exists. Please note that both of these scripts need full paths and are executed as ROOT.
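Because the add user script is run as root with the authenticated user name substituted for %u, an external script should treat that argument as untrusted input. The following is an added example of such a script, not from the original page; the install path /usr/local/sbin/samba-adduser and the functions valid_samba_username and samba_adduser are my own, and the candidate names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: an external "add user script"
# written the way you want a program Samba runs as root to be written. It
# would be installed as (assumed path)
#     add user script = /usr/local/sbin/samba-adduser %u
# Samba substitutes the just-authenticated user name for %u, so the script
# trusts nothing about that argument: it accepts only a conservative name,
# never touches reserved accounts, and creates the account without a login
# shell, as the page's "useradd -s /bin/false %u" does.

# valid_samba_username NAME -> 0 if NAME is safe to hand to useradd.
# Letters, digits, '.', '_' and '-' only, no leading '-' (useradd would
# read it as an option), 1..32 characters.
valid_samba_username() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# samba_adduser NAME -> creates NAME with /bin/false as shell. Refuses bad
# or reserved names (exit 1); does nothing if the account already exists.
# With DRY_RUN=1 it prints the useradd command instead of running it,
# which is also how the demo below runs without root.
samba_adduser() {
    name=$1
    if ! valid_samba_username "$name"; then
        echo "samba-adduser: refused unsafe user name" >&2
        return 1
    fi
    case "$name" in
        root | daemon | bin | sys | adm | nobody)
            echo "samba-adduser: refused reserved name $name" >&2
            return 1 ;;
    esac
    if getent passwd "$name" >/dev/null 2>&1; then
        echo "samba-adduser: $name already exists, nothing to do"
        return 0
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: /usr/sbin/useradd -s /bin/false $name"
    else
        /usr/sbin/useradd -s /bin/false "$name"
    fi
}

# --- stand-alone demo (no accounts are created) ---------------------------
DRY_RUN=1
for candidate in alice "bob x" -f "../../etc" root example.user42; do
    printf '%-16s ' "$candidate"
    samba_adduser "$candidate" 2>&1 || true
done
```

The same shape works for a delete user script: validate the name first, then refuse to remove anything outside the range of accounts the script itself created.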
An important feature currently under development by the Samba team is Winbind, which will allow Linux to directly get user and group information from a domain, and will obviate the need to make local user accounts. Look out for this feature in Samba 2.2.2.
Authenticating Other Services From A Windows Domain
Thanks to the Name Service Switch and Pluggable Authentication Modules, Linux is very flexible regarding authentication of services. By using the pam_smb module to do password authentication, you can use the accounts in a Windows domain to authenticate users for any service that supports PAM. The pam_smb module is available as an RPM at rpmhelp.net. After installing the pam_smb RPM, you need to edit the '/etc/pam_smb.conf' file as follows:
<DOMAIN> <PDC> <BDC>
where
<DOMAIN>
<PDC>
<BDC>
pam_smb will only provide password authentication from the domain, but can not provide group or user information. Thus for this to be useful, in most cases you will have to either use
NIS
LDAP
To use pam_smb for password authentication, you now need to modify the PAM configuration files. For example, if you want to allow users to use all PAM-aware services on your Mandrake 8.1 machine, you can modify the file '/etc/pam.d/system-auth' so that the "auth" lines are as follows:
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_smb_auth.so use_first_pass
auth sufficient /lib/security/pam_unix.so likeauth nullok try_first_pass
auth required /lib/security/pam_deny.so
(here having added line 4).
Authenticating Squid from a Windows domain
Unfortunately Squid does not have support for PAM, and thus needs some other mechanism for authenticating. auth_smb is a small program that can accomplish this.
Authenticating Apache from a Windows domain
An authentication module for Apache called mod_auth_external allows you to do authentication for Apache via PAM, thus using 'mod_auth_external' with 'pam_smb' will allow authentication from the Domain Controller. You would probably want to secure this using SSL.
There is also mod_auth_smb (current location unknown).
Using Winbind To Authenticate Other Services
Winbind is a set of 2 shared libraries for the Name Service Switch (NSS) and Pluggable Authentication Modules (PAM) services, which together allow you to do all user/group enumeration and password authentication from a Windows Domain Controller (Samba itself does not support Winbind yet).
Winbind implements a mapping of Windows Relative Security IDs (RIDs) to Unix UIDs. This mapping will most likely be different for each Linux box, so if you intend to implement NFS between Linux boxes later, Winbind is probably not a good choice, and you should consider using LDAP or NIS in conjunction with 'pam_smb'. Also, the mapping is stored in a database file on the machine, which should be backed up, otherwise the RID->UID mappings could be lost.
Please note that Winbind is only available in Samba 2.2.2 and later. RPMS of samba-2.2.4 are available which implement a working Winbind, but other parts of Samba may not work.
To implement Winbind, you need to complete each of the sections below.
Be a member of a (samba or windows) domain
This requires that you have:
encrypt passwords = yes
security = domain
password server = *
set in your '/etc/samba/smb.conf', that you have an account in the domain for your machine, and that you have joined the domain by issuing (as 'root'):
# smbpasswd -j <domain_name>
Add the following entries to smb.conf:
winbind uid = 10000-20000
winbind gid = 10000-20000
(You can change the values, of course.) The default character Winbind uses to separate a user's domain name from their user name suits Windows-style names, but it will not work for certain applications (for example mail delivery).
You can change it with
winbind separator = "+"
Add "winbind" to the passwd and group sections of /etc/nsswitch.conf
(An example nsswitch.conf file is given below that accomplishes this and also allows name resolution via WINS).
Start Winbindd
As 'root', type
winbindd
If you have installed the samba-winbind rpm, you should be able to use
service winbind start
Once Winbind is running, you can test it with 'wbinfo':
$ wbinfo -t    # tests connection
$ wbinfo -m    # lists trusted domains
$ wbinfo -u    # gets users
To check that it really works, try:
$ getent passwd
$ getent group
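Two checks worth running once wbinfo and getent answer, as an added example that is not part of the original page: that nsswitch.conf really consults winbind for passwd and group (and wins for hosts, if you want WINS name resolution), and that the accounts Winbind hands out fall inside the winbind uid/gid range from smb.conf without colliding with local accounts. The functions nss_has_source and winbind_range_check are my own; the nsswitch.conf and the passwd lines below are constructed so the script runs without a domain, and use the "+" separator suggested above.

```shell
#!/bin/sh
# Added example, not from the original page. On a real box point it at
# /etc/nsswitch.conf and the output of `getent passwd`; here the inputs are
# constructed sample files.

# nss_has_source FILE DB SOURCE -> 0 if database DB (passwd, group, hosts,
# ...) lists SOURCE among its lookup sources in FILE, 1 otherwise.
nss_has_source() {
    awk -F: -v db="$2" -v src="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k != db) next
            n = split($2, w, /[ \t]+/)
            for (i = 1; i <= n; i++) if (w[i] == src) found = 1
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# winbind_range_check PASSWD_FILE LOW HIGH SEP
# Reads getent-style passwd lines. Names containing SEP (the "winbind
# separator") are domain accounts and must have uids in LOW..HIGH; local
# accounts must not, or Winbind may hand out an id that is already taken.
# Prints "ok" or one line per problem; returns 1 when problems were found.
winbind_range_check() {
    awk -F: -v low="$2" -v high="$3" -v sep="$4" '
        BEGIN { low += 0; high += 0 }
        NF < 3 { next }
        {
            name = $1; uid = $3 + 0
            domain = index(name, sep) > 0
            if (domain && (uid < low || uid > high)) {
                printf "domain account %s: uid %d outside %d-%d\n", name, uid, low, high; bad = 1
            }
            if (!domain && uid >= low && uid <= high) {
                printf "local account %s: uid %d inside the winbind range %d-%d\n", name, uid, low, high; bad = 1
            }
        }
        END { if (!bad) print "ok"; exit(bad ? 1 : 0) }' "$1"
}

# --- stand-alone demo on constructed data ---------------------------------
nss=$(mktemp) pw=$(mktemp)
cat > "$nss" <<'EOF'
# constructed nsswitch.conf: local files first, then the domain via winbind
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files wins dns
EOF
cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice (local):/home/alice:/bin/bash
backup:x:10500:10500:local account inside the winbind range:/var/backup:/bin/false
EXAMPLE+bob:x:10000:10000:Bob (domain):/home/EXAMPLE+bob:/bin/bash
EXAMPLE+carol:x:20001:10000:Carol (domain, uid beyond the range):/home/EXAMPLE+carol:/bin/bash
EOF
for db in passwd group; do
    nss_has_source "$nss" "$db" winbind && echo "$db: winbind enabled" || echo "$db: winbind MISSING"
done
winbind_range_check "$pw" 10000 20000 "+" || true
rm -f "$nss" "$pw"
```

The range check is the one to repeat after restoring the Winbind mapping database from backup: an id that has drifted outside the configured range is the first sign that the RID->UID mapping on this box no longer matches the one that owns the files.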
Configure pam.d files to use winbindd
Mis-configuring PAM can prevent you from logging in, allow others to log in without accounts, or be a very powerful tool for allowing you to customize your authentication method. The files listed below accomplish what I would want to test from Winbind on a Mandrake 8.0 box (allowing users from a Windows domain to log in to a console, and still allowing users with local Unix accounts all previous privileges), but are only given as an example. Please customize and test this before implementing in a production server, and always keep a 'root' login open somewhere when modifying PAM configuration files.
The files system-auth and login belong in the '/etc/pam.d' directory.
You will note that
- system-auth has been modified as follows:
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
to allow authentication from Winbind or standard Unix files, using only one password prompt.
- login has been modified as follows:
account sufficient /lib/security/pam_winbind.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
to allow account checking by Winbind and automatic home directory creation.
- Note that login uses:
auth required /lib/security/pam_stack.so service=system-auth
Note that the configuration of the 'system-auth' file is used by many 'pam.d' files via 'pam_stack', so if you don't want to do authentication via Winbind for all those services, you should probably make a separate 'system-auth' file ('system-auth-winbind' for example) and, in the services that should use it, change the 'pam_stack' line to use
service=system-auth-winbind
The file 'system-auth-winbind.pamd' (versions for Mandrake 8.0 and Mandrake 8.1) is a replacement for '/etc/pam.d/system-auth' if you want all PAM-capable services to allow authentication via Winbind.
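Since a PAM mistake can lock you out or let others in, here is an added example (not from the original page) of a sanity check to run over a pam.d file before you rely on it; it covers both the pam_smb system-auth edit earlier on this page and the Winbind files in this section. The function pam_stack_check is my own, and the two files it writes for the demo are constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not from the original page: a sanity check for the pam.d
# files edited on this page. Given one PAM service file it reports
#   - an auth stack that uses "sufficient" entries but does not end in
#     "auth required pam_deny.so", the safety net the page's system-auth
#     keeps after its sufficient lines;
#   - pam_permit.so in an auth or account stack (everyone passes);
#   - a pam_stack.so "service=NAME" whose file is missing from the same
#     directory, which is what breaks if you point services at a
#     system-auth-winbind you have not created yet.
# It understands the plain "type control module args" lines shown on the
# page plus the bracketed [value=action ...] control syntax of Linux-PAM.

# pam_stack_check FILE -> prints "ok" or one line per problem; returns 1
# when problems were found.
pam_stack_check() {
    dir=$(dirname "$1")
    awk -v dir="$dir" '
        /^[ \t]*(#|$)/ { next }
        {
            type = tolower($1); i = 2
            if ($i ~ /^\[/) {                        # [value=action ...] control
                ctl = $i
                while (ctl !~ /\]$/ && i < NF) { i++; ctl = ctl " " $i }
                i++
            } else { ctl = tolower($i); i++ }
            mod = $i; sub(/.*\//, "", mod); i++      # drop the /lib/security/ prefix
            args = ""
            for (; i <= NF; i++) args = args " " $i

            if (type == "auth") {
                if (ctl == "sufficient") auth_has_sufficient = 1
                auth_last = ctl " " mod
            }
            if ((type == "auth" || type == "account") && mod == "pam_permit.so") {
                print type ": pam_permit.so lets every user through"; bad = 1
            }
            if (mod == "pam_stack.so" && match(args, /service=[^ ]+/)) {
                svc = substr(args, RSTART + 8, RLENGTH - 8)
                if (system("test -f \"" dir "/" svc "\"") != 0) {
                    print type ": pam_stack.so refers to missing service file " dir "/" svc; bad = 1
                }
            }
        }
        END {
            if (auth_has_sufficient && auth_last != "required pam_deny.so") {
                print "auth: stack has sufficient entries but does not end with: auth required pam_deny.so"
                bad = 1
            }
            if (!bad) print "ok"
            exit(bad ? 1 : 0)
        }' "$1"
}

# --- stand-alone demo on constructed files --------------------------------
d=$(mktemp -d)
# system-auth as this section describes it: Winbind first, then local
# accounts with use_first_pass, pam_deny as the backstop.
cat > "$d/system-auth" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
EOF
# login pointed at a system-auth-winbind that was never created
cat > "$d/login" <<'EOF'
auth        required      /lib/security/pam_stack.so service=system-auth-winbind
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_stack.so service=system-auth-winbind
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF
for f in system-auth login; do
    echo "$f:"; pam_stack_check "$d/$f" || true
done
rm -rf "$d"
```

Run it as pam_stack_check /etc/pam.d/login (and over any file you have pointed at a new service name) before you close the spare root session the section tells you to keep open.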
Related Resources:
Samba: An Introduction
Just what is SMB?
Samba HOWTO Collection
Using SAMBA
man smb.conf
Revision / Modified: Oct. 15, 2001
Author: Buchan Milne
Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.
Version 1.3 last modified by AdminWiki on 22/03/2004 at 09:44