John H Terpstra wrote:
> On Sunday 15 January 2006 09:52, Philip Washington wrote:
>> I have set up a Samba PDC and am trying to get my linux computers to use
>> the PDC for authentication. So far using Suse 10 or RHEL4 I have not
>> been able to accomplish this. I have been searching for 2 days looking
>> for the information or the right combination of information and have
>> not come up with a solution. Does anyone here know of a howto which
>> shows a setup for a linux desktop which can use a Samba PDC so that
>> users in a Domain can use their same logins to login to a linux desktop.
>
> Have you checked chapter 7, section 7.3.5.1? If you have, what problems are
> you experiencing? I'd really like to make sure that our documentation is
> correct, so your help would be appreciated.
> http://www.samba.org/samba/docs/Samba3-ByExample.pdf
>
> - John T.

Duh. I bought the book but I didn't remember that part. I went to
the samba displayed in html form and checked the link and could have
sworn it took me to the ADS portion. Well, never mind this part, I just
didn't pick up the book and look through it.

Okay, what I accomplished today is getting the logins working via console
and gdm xdm.

Things I found that may need correcting:
The html page when clicking on the link points you to a file that
references ldap.
passwd: files ldap
shadow: files ldap
group: files ldap
I may be mistaken but I believe that for winbind configuration you need
winbind instead of ldap here. I started with a straight Suse 10 setup
with the files needed (I believe). I used Yast2 for my initial
configuration and that didn't work. So I borrowed from your book and
made some adjustments to the original files based on that. I still have
some problems but a domain user can now logon.
Problems I still have that I know of:
1) Users when logging in. System does not create a home directory for
them if it's their first time to log in. I think there is a PAM module
or something like that, that might help, by getting and using their home
directories from the file server. If someone has a better idea and/or
sees the mistake I made causing this please post.
2) Once a user logs in, they cannot browse the network using the
desktop application on Suse. They can see Samba servers and shares, but
when they click on a share they can't login. Could something in the
smb.conf file have done this? I haven't looked at the Samba PDC logs,
but I looked at the file server logs and saw no changes there, like my
computer didn't exist.
Here are my configuration files.
nsswitch.conf
---------------------------------------------------------------------
passwd: compat winbind
group: compat winbind
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
smb.conf
---------------------------------------------------------------------
# I modified the idmaps to match what is on my Samba PDC
#
[global]
workgroup = DOMTEST
printing = cups
security = domain
netbios name = WRKSTN
log level = 1
syslog = 0
log file = /var/log/samba/%m
smb ports = 139
name resolve order = wins bcast hosts
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
idmap gid = 16777216-33554431
idmap uid = 16777216-33554431
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
hosts allow = 192.168.5.,127.
--------------------------------------------------------------------
Okay here is where there is a slight deviation from the Samba3-examples
(very slight, I think)
[For those following along, if you're logged into X to make changes to
pam.d file. Make changes to your pam.d file, save them, then hit
Ctrl-Alt-F1 or Ctrl-Alt-F2, which will take you to a console screen.
Once you are there make sure you can log in as root. Hit Ctrl-Alt-F7 to
get back to the X window. If you are ssh'd into the system, create
another ssh session before you start or try to make sure you can log in
as root via ssh, before logging out of your current session.] Whatever
you do, don't directly copy these files onto your system. Look at
Samba3-examples and understand the differences here and change at your
own risk.
------------------------------------------------------------------------
/etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
auth required pam_mail.so
account include common-account
password include common-password
session include common-session
session required pam_resmgr.so
-----------------------------------------------------------------------------
/etc/pam.d/common-auth
auth sufficient pam_unix2.so nullok
auth sufficient pam_winbind.so use_first_pass use_authtok
auth required pam_env.so
#auth required pam_unix2.so
--------------------------------------------------------------------------------
/etc/pam.d/common-account
#
#account required pam_unix2.so
account sufficient pam_unix2.so
account sufficient pam_winbind.so use_first_pass use_authtok
------------------------------------------------------------------------------------
/etc/pam.d/common-passwd
password required pam_pwcheck.so nullok
password sufficient pam_winbind.so use_first_pass use_authtok
password required pam_unix2.so nullok use_first_pass use_authtok
#password required pam_make.so /var/yp
------------------------------------------------------------------------------------
/etc/pam.d/common-session
#
#account required pam_unix2.so
account sufficient pam_unix2.so
account sufficient pam_winbind.so use_first_pass use_authtok
----------------------------------------------------------------------------------------
Basically the changes were using an include file and you don't have to
edit /etc/pam.d/gdm, /etc/pam.d/xdm or /etc/pam.d/login, just the
common-* files. You can look at it as a way of setting up everything at
once or screwing up everything at once :-).
So I'll still continue to work on my issues noted and find some more,
then work on RHEL and then circle back and try to do LDAP authentication
through the ldap server on the SambaPDC. I started with winbind
because after looking around it seemed that it might be the easiest to
configure and I need to get these desktops up pretty quick.
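
One way to check configuration like the files posted above, as an added example that is not part of the original message or of the Samba documentation: it verifies that nsswitch.conf lists winbind for passwd and group, and that every line in a common-<type> file has the type of the stack that includes it, since `include` pulls in only lines of the matching type. The function names are illustrative and the sample text is copied from the post.

```python
# Added example: lint nsswitch.conf and pam.d common-* text for a winbind client.
# Assumes simple control keywords (required, sufficient, include), not [..] syntax.

def nss_sources(text, database):
    """Return the lookup sources listed for one nsswitch.conf database."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []

def nss_missing_winbind(text):
    """Databases that must list winbind for domain users and groups to resolve."""
    return [db for db in ("passwd", "group") if "winbind" not in nss_sources(text, db)]

def pam_entries(text):
    """Yield (type, control, module) for every active line of a PAM file."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0].lstrip("-"), fields[1], fields[2]

def lint_common(filename, text):
    """Flag lines whose type differs from the common-<type> file they sit in."""
    expected = filename.rsplit("-", 1)[1]          # common-session -> session
    entries = list(pam_entries(text))
    findings = [f"{filename}: '{t}' line ({m}) is skipped by '{expected} include'"
                for t, _, m in entries if t != expected]
    if not any(t == expected for t, _, _ in entries):
        findings.append(f"{filename}: no '{expected}' entries, stack adds nothing")
    return findings

# Sample input copied from the post above.
NSS_HTML_PAGE = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"
NSS_POSTED = "passwd: compat winbind\ngroup: compat winbind\nhosts: files dns\n"
COMMON_ACCOUNT = """#account required pam_unix2.so
account sufficient pam_unix2.so
account sufficient pam_winbind.so use_first_pass use_authtok
"""
COMMON_SESSION = COMMON_ACCOUNT   # the posted common-session repeats these lines

if __name__ == "__main__":
    print("html page, missing winbind:", nss_missing_winbind(NSS_HTML_PAGE))
    print("posted file, missing winbind:", nss_missing_winbind(NSS_POSTED))
    for name, text in (("common-account", COMMON_ACCOUNT),
                       ("common-session", COMMON_SESSION)):
        for finding in lint_common(name, text):
            print(finding)
```

A session stack left empty this way is also where a home-directory module would have to be listed for it to run at login.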