[WBEL-users] samba and AD
Toby Bluhm
tkb9@adelphia.net
Thu, 13 Jan 2005 14:12:05 -0500
---- Rodrigo Cortes <rcortes@placevendome.cl> wrote:
> Have you one conf for all ? krb5 ? smb ?
>
> Sorry but I have #$#% jejeje
>
>
Key elements I used in those other conf files.
/etc/samba/smb.conf:
[global]
workgroup = AD
realm = AD.COMPANY.COM
server string = Samba Server
security = ADS
preferred master = No
domain master = No
dns proxy = No
wins server = 1.1.1.1
netbios name = WB3
ldap ssl = no
idmap uid = 99999-1999999
idmap gid = 99999-1999999
template homedir = /home/AD/%U
template shell = /bin/bash
winbind separator = +
winbind enum users = No
winbind enum groups = No
/etc/krb5.conf:
[logging]
default = SYSLOG
[libdefaults]
default_realm = AD.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
AD.COMPANY.COM = {
kdc = dc001.ad.company.com
kdc = dc002.ad.company.com
}
[domain_realm]
.ad.company.com = AD.COMPANY.COM
. = AD.COMPANY.COM
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 604800
forwardable = false
krb4_convert = false
/etc/krb.realms:
.ad.company.com AD.COMPANY.COM
. AD.COMPANY.COM
/etc/nsswitch.conf:
passwd: files nis winbind
shadow: files nis
group: files nis winbind
/etc/resolv.conf:
# AD domain
domain ad.company.com
search ad.company.com
nameserver 1.1.1.1
/etc/hosts:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
1.1.1.10 wb3 wb3.ad.company.com
>
> -----Original Message-----
> From: whitebox-users-admin@beau.org [mailto:whitebox-users-admin@beau.org]
> On behalf of Toby Bluhm
> Sent: Thursday, 13 January 2005 15:23
> To: Whitebox-users@beau.org
> Subject: RE: [WBEL-users] samba and AD
>
>
>
> ---- Rodrigo Cortes <rcortes@placevendome.cl> wrote:
> > Well. In the doc with winbind and samba and AD is possible auth telnet and ftp. Doc say this, but don't work.
> >
> >
> >
>
>
> I was able to get a stock wb3 box with current updates (at the time ~2
> months ago) to allow AD account login with console, ssh, ftp, telnet. The
> pam setup was the key.
>
> You need to have your smb.conf, krb5.conf, krb.realms, nsswitch.conf
> setup right and you've joined the box to AD, a share works - this all
> needs to be happy before trying the pam edits.
>
> Note the message about using authconfig - it will mess with your pam
> setup & nsswitch.conf.
>
> I first ran authconfig to set up the box to authenticate with nis. If you
> use only local accounts, I see at least one line in system-auth that may
> need to be different than what I have here. Then I made the manual edits
> to the config files. Also, anytime during my testing that I made domain
> type changes to smb.conf, I deleted *.tdb in /etc/samba,
> /var/cache/samba, /var/cache/samba/printing and rejoined the wb3 box to
> the domain.
>
> YMMV
>
> in /etc/pam.d
>
> login:
> #%PAM-1.0
> auth required pam_securetty.so
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so use_first_pass
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account sufficient pam_winbind.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session optional pam_console.so
>
>
> sshd:
> #%PAM-1.0
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> auth sufficient pam_winbind.so
> account required pam_stack.so service=system-auth
> account sufficient pam_winbind.so
> password required pam_stack.so service=system-auth
> password sufficient pam_winbind.so
> session required pam_stack.so service=system-auth
> session required pam_limits.so
> session optional pam_console.so
>
> system-auth:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_winbind.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
> account required /lib/security/$ISA/pam_unix.so
> password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
> password required /lib/security/$ISA/pam_deny.so
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_winbind.so
>
>
-Toby
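The smb.conf, krb5.conf, krb.realms, nsswitch.conf and hosts snippets above only work when they agree with each other: the Samba realm must equal the Kerberos default_realm (upper case, since realms are case-sensitive), every KDC must live in the realm's DNS domain, NSS must consult winbind for passwd and group, and the NetBIOS name must resolve to its FQDN. The script below is an added example, not part of the mail or of Samba; the sample configs are constructed to mirror the ones posted, with one deliberately misspelt KDC hostname as a constructed fault so the check has something to catch.

```python
"""Cross-file consistency checks for a winbind/Kerberos AD join.
Added example; the sample configs are constructed, not real hosts."""
import re

# --- constructed sample inputs modelled on the mail ------------------------
SMB_CONF = """
[global]
workgroup = AD
realm = AD.COMPANY.COM
security = ADS
netbios name = WB3
idmap uid = 99999-1999999
idmap gid = 99999-1999999
winbind separator = +
"""
KRB5_CONF = """
[libdefaults]
default_realm = AD.COMPANY.COM
dns_lookup_kdc = false
[realms]
AD.COMPANY.COM = {
kdc = dc001.ad.company.com
kdc = dc002.ad.compnay.com
}
[domain_realm]
.ad.company.com = AD.COMPANY.COM
. = AD.COMPANY.COM
"""
# The second kdc line above is a constructed typo ("compnay") for the demo.
NSSWITCH = "passwd: files nis winbind\nshadow: files nis\ngroup: files nis winbind\n"
KRB_REALMS = ".ad.company.com AD.COMPANY.COM\n. AD.COMPANY.COM\n"
HOSTS = "127.0.0.1 localhost.localdomain localhost\n1.1.1.10 wb3 wb3.ad.company.com\n"


def parse_conf(text):
    """Minimal parser for smb.conf / krb5.conf style files.
    Returns {section: {key: [values]}}; a 'NAME = {' block inside a section
    becomes a nested dict under NAME (used for krb5.conf [realms])."""
    sections, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
        elif line.endswith("{"):
            name = line[:-1].rstrip().rstrip("=").strip()
            block = section.setdefault(name, {})
        elif line == "}":
            block = None
        else:
            key, _, val = line.partition("=")
            target = block if block is not None else section
            target.setdefault(key.strip().lower(), []).append(val.strip())
    return sections


def first(d, key, default=""):
    return d.get(key, [default])[0]


def check_ad_config(smb, krb5, nsswitch, krb_realms, hosts):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    g = parse_conf(smb).get("global", {})
    k = parse_conf(krb5)
    realm = first(g, "realm")
    domain = realm.lower()

    if first(g, "security").lower() != "ads":
        problems.append("smb.conf: security must be ADS to join an AD domain")
    if realm != realm.upper():
        problems.append("smb.conf: realm should be upper case (Kerberos realms are case-sensitive)")
    if realm != first(k.get("libdefaults", {}), "default_realm"):
        problems.append("krb5.conf: default_realm does not match smb.conf realm")

    # Every KDC must be a host inside the realm's DNS domain (catches typos).
    for kdc in k.get("realms", {}).get(realm, {}).get("kdc", []):
        if not kdc.endswith("." + domain):
            problems.append(f"krb5.conf: kdc {kdc!r} is not a host in {domain}")
    if first(k.get("domain_realm", {}), "." + domain) != realm:
        problems.append(f"krb5.conf: [domain_realm] does not map .{domain} to {realm}")

    # NSS must consult winbind for users and groups, or AD names never resolve.
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            problems.append(f"nsswitch.conf: {db} lookup does not include winbind")

    # Legacy krb.realms mapping used by the setup in the mail.
    if [f".{domain}", realm] not in [l.split() for l in krb_realms.splitlines()]:
        problems.append(f"krb.realms: missing mapping for .{domain}")

    # The NetBIOS name must resolve locally to its FQDN in the AD domain.
    netbios = first(g, "netbios name").lower()
    names = {n.lower() for l in hosts.splitlines()
             if l.strip() and not l.startswith("#") for n in l.split()[1:]}
    if f"{netbios}.{domain}" not in names:
        problems.append(f"hosts: no entry for {netbios}.{domain}")
    return problems


if __name__ == "__main__":
    for p in check_ad_config(SMB_CONF, KRB5_CONF, NSSWITCH, KRB_REALMS, HOSTS):
        print("PROBLEM:", p)
```

Run it before `net ads join`: it reports only the misspelt KDC for the sample, and nothing once that hostname is corrected. Dropping winbind from the passwd or group line adds a finding for each, which is the usual reason AD logins fail even though the domain join itself succeeded.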
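The quoted pam.d stacks rely on how Linux-PAM combines `required` and `sufficient` entries: a successful `sufficient` winbind line ends the walk immediately, a failed one is silently skipped so `pam_unix.so use_first_pass` can retry the same password against local accounts, and a failed `required` line (for example pam_securetty on a disallowed tty) is remembered and denies access even though later modules still run. The simulator below is an added example, not from the mail; it encodes the quoted `login` auth stack and walks it under constructed per-module outcomes instead of calling real PAM modules.

```python
"""Simulate how Linux-PAM walks an 'auth' stack with required / sufficient /
optional control flags. Added example; module outcomes are constructed."""

# (control flag, module line) in the order PAM evaluates them: the quoted
# auth section of /etc/pam.d/login from the mail.
LOGIN_AUTH_STACK = [
    ("required",   "pam_securetty.so"),
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_unix.so use_first_pass"),
    ("required",   "pam_stack.so service=system-auth"),
    ("required",   "pam_nologin.so"),
]


def evaluate_stack(stack, outcomes):
    """Walk a PAM stack.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure);
    a module absent from the map is treated as failing, like pam_deny.
    Returns (granted, consulted), where consulted lists the modules PAM
    actually invoked. Simplified Linux-PAM semantics:
      required   - failure is remembered and the final answer is denial, but
                   later modules still run, so the point of rejection is not
                   revealed by where prompting stops;
      sufficient - success ends the walk with access granted unless a
                   required module already failed; failure is ignored;
      optional   - only counts when it is the sole module in the stack.
    """
    consulted = []
    impression = None  # None = nothing decided yet, else True/False
    for control, entry in stack:
        module = entry.split()[0]
        consulted.append(module)
        ok = outcomes.get(module, False)
        if control == "required":
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True, consulted
        elif control == "optional":
            if len(stack) == 1:
                impression = ok
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return impression is True, consulted


# Constructed scenarios (hypothetical outcomes, not real module calls).
# AD user, correct password, permitted tty: winbind is sufficient, so
# pam_unix and the system-auth sub-stack are never reached.
AD_USER_OK = {"pam_securetty.so": True, "pam_winbind.so": True,
              "pam_stack.so": True, "pam_nologin.so": True}
# Local (files/NIS) user: winbind rejects, pam_unix reuses the already
# typed password via use_first_pass and succeeds without a second prompt.
LOCAL_USER_OK = {"pam_securetty.so": True, "pam_unix.so": True,
                 "pam_stack.so": True, "pam_nologin.so": True}
# AD user, wrong password: both sufficient modules fail, the system-auth
# sub-stack ends in pam_deny, so the required pam_stack entry fails.
AD_USER_BAD_PW = {"pam_securetty.so": True, "pam_nologin.so": True}
# root on a tty not listed in /etc/securetty: the first required module
# fails, so even a winbind success cannot short-circuit to "granted".
ROOT_INSECURE_TTY = {"pam_winbind.so": True, "pam_stack.so": True,
                     "pam_nologin.so": True}

SCENARIOS = {
    "ad user ok": AD_USER_OK,
    "local user ok": LOCAL_USER_OK,
    "ad user bad password": AD_USER_BAD_PW,
    "root on insecure tty": ROOT_INSECURE_TTY,
}


def run_all(stack=LOGIN_AUTH_STACK):
    """Evaluate every scenario; returns {name: (granted, consulted)}."""
    return {name: evaluate_stack(stack, o) for name, o in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (granted, consulted) in run_all().items():
        print(f"{name:22} granted={granted!s:5} via {' -> '.join(consulted)}")
```

The consulted list is the part worth studying when a stack misbehaves: if winbind is listed after a `required` entry that fails, or after `pam_stack.so service=system-auth` whose own chain ends in `pam_deny.so`, an AD password that winbind accepts still cannot grant a login, which is why the ordering in the quoted files matters as much as the modules themselves.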