From c9307ed7b2f435ea5f04e34e237b47fbcd597f83 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 17 Jun 2002 05:06:23 +0000 Subject: [PATCH] moved Solaris-Winbind-HOWTO.txt specifics to DocBook version of Winbind HOWTO --- docs/textdocs/Solaris-Winbind-HOWTO.txt | 361 -------------------------------- 1 file changed, 361 deletions(-) delete mode 100644 docs/textdocs/Solaris-Winbind-HOWTO.txt diff --git a/docs/textdocs/Solaris-Winbind-HOWTO.txt b/docs/textdocs/Solaris-Winbind-HOWTO.txt deleted file mode 100644 index a81bacf4864..00000000000 --- a/docs/textdocs/Solaris-Winbind-HOWTO.txt +++ /dev/null @@ -1,361 +0,0 @@ -!== -!== Solaris-Winbind-HOWTO.txt -!== -Contributors: Naag Mummaneni -Updated: May 2, 2002 -Status: Current - -Subject: Installing and Configuring Winbind on Solaris -============================================================================= - -Installation and Configuration of Winbind on Solaris. ------------------------------------------------------ - -This HOWTO describes how to get winbind services up and running to control -access and authenticate users on your Solaris box using the winbind services -which come with SAMBA 2.2.x latest CVS Checkout.Make sure you are using the -latest Samba 2.2.x cvs checkout as other versions come with a lots of bugs -regarding winbind .And even the Latest Samba Stable Release is also not an -exception to this. - -Introduction ------------- - -This HOWTO describes the procedures used to get winbind up and running on a -Solaris system. Winbind is capable of providing access and authentication -control for Windows Domain users through an NT or Win2K PDC for 'regular' -services, such as telnet and ftp, as well for SAMBA services. - -Why should I to this? - -This allows the SAMBA administrator to rely on the authentication mechanisms -on the NT/Win2K PDC for the authentication of domain members. NT/Win2K users -no longer need to have separate accounts on the SAMBA server. - -Who should be reading this document? - -This HOWTO is designed for system administrators. If you are implementing -SAMBA on a file server and wish to (fairly easily) integrate existing -NT/Win2K users from your PDC onto the SAMBA server, this HOWTO is for you. - -Requirements ------------- - -If you have a samba configuration file that you are currently using... BACK -IT UP! If your system already uses PAM, back up the /etc/pam.conf file ! If -you haven't already made a boot disk, MAKEONE NOW! Messing with the pam -configuration file can make it nearly impossible to log in to yourmachine. -That's why you want to be able to boot back into your machine in single user -mode and restore your /etc/pam.conf back to the original state they were in -if you get frustrated with the way things are going. ;-) Please refer to the -main SAMBA web page or, better yet, your closest SAMBA mirror site for -instructions on downloading the source code of Samba 2.2.x from the SAMBA -CVS repository. To allow Domain users the ability to access SAMBA shares and -files, as well as potentially other services provided by your SAMBA machine, -PAM (pluggable authentication modules) must be setup properly on your -machine. In order to compile the winbind modules, you should have at least -the pam libraries resident on your system. Solaris 7/8 has its pam modules -coming with the distribution itself. - -Testing Things Out ------------------- - -Before starting, it is probably best to kill off all the SAMBA related -daemons running on your server. Kill off all smbd, nmbd, and winbindd -processes that may be running. - - -Configure and compile SAMBA ---------------------------- - -The configuration and compilation of SAMBA is pretty straightforward. The -first three steps may not be necessary depending upon whether or not you -have previously built the Samba binaries. - -root# autoconf -root# make clean -root# rm config.cache -root# ./configure --with-winbind --with-pam -root# make -root# make install - -This will, by default, install SAMBA in /usr/local/samba. See the main SAMBA -documentation if you want to install SAMBA somewhere else. It will also -build the winbindd executable and libraries. - -Configure nsswitch.conf and the winbind libraries -------------------------------------------------- - -The libraries needed to run the winbindd daemon through nsswitch need to be -copied to their proper locations, so - -root# cp ../samba/source/nsswitch/libnss_winbind.so /usr/lib - -I also found it necessary to make the following symbolic links: - -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.2 -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2 - -Now, as root you need to edit /etc/nsswitch.conf to allow user and group -entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file -look like this after editing: - - passwd: files winbind - group: files winbind - - -Configure smb.conf ------------------- - -Several parameters are needed in the smb.conf file to control the behavior -of winbindd. Configure smb.conf These are described in more detail in the -winbindd(8) man page. My smb.conf file was modified to include the following -entries in the [global] section: - -[global] - <...> - # The previous documentation says to - # as the "winbind seperator " directive also but - # it is no longer supported. - - # use uids from 10000 to 20000 for domain users - winbind uid = 10000-20000 - - # use gids from 10000 to 20000 for domain groups - winbind gid = 10000-20000 - - # allow enumeration of winbind users and groups - winbind enum users = yes - winbind enum groups = yes - - # give winbind users a real shell (only needed if - # they have telnet access) - template homedir = /home/winnt/%D/%U - template shell = /bin/bash - - -Join the SAMBA server to the PDC domain ---------------------------------------- - -Enter the following command to make the SAMBA server join the PDC domain, -where DOMAIN is the name of your Windows domain and Administrator is a -domain user who has administrative privileges in the domain. - -root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator - -The proper response to the command should be: "Joined the domain DOMAIN" -where DOMAIN is your DOMAIN name. - -Start up the winbindd daemon and test it! - -Eventually, you will want to modify your smb startup script to automatically -invoke the winbindd daemon when the other parts of SAMBA start, but it is -possible to test out just the winbind portion first. To start up winbind -services, enter the following command as root: - -root# /usr/local/samba/bin/winbindd - -I'm always paranoid and like to make sure the daemon is really running... - -root# ps -ae | grep winbindd - -This command should produce output like this, if the daemon is running - - 3025 ? 00:00:00 winbindd - -Now... for the real test, try to get some information about the users on -your PDC - -root# /usr/local/samba/bin/wbinfo -u - -This should echo back a list of users on your Windows users on your PDC. For -example, I get the following response: - -CEO\Administrator -CEO\burdell -CEO\Guest -CEO\jt-ad -CEO\krbtgt -CEO\TsInternetUser - -root# /usr/local/samba/bin/wbinfo -g - -CEO\Domain Admins -CEO\Domain Users -CEO\Domain Guests -CEO\Domain Computers -CEO\Domain Controllers -CEO\Cert Publishers -CEO\Schema Admins -CEO\Enterprise Admins -CEO\Group Policy Creator Owners - -The function 'getent' can now be used to get unified lists of both local and -PDC users and groups. Try the following command: - -root# getent passwd - -You should get a list that looks like your /etc/passwd list followed by the domain users with their new -uids, gids, home directories and default shells. - -The same thing can be done for groups with the command - -root# getent group - -Fix the /etc/rc.d/init.d/samba.server startup files The winbindd daemon -needs to start up after the smbd and nmbd daemons are running. To accomplish -this task, you need to modify the /etc/init.d/samba.server script to add -commands to invoke this daemon in the proper sequence. My -/etc/init.d/samba.server file starts up smbd, nmbd, and winbindd from the -/usr/local/samba/bin directory directly. - -## -## samba.server -## - -if [ ! -d /usr/bin ] -then # /usr not mounted - exit -fi - -killproc() { # kill the named process(es) - pid=`/usr/bin/ps -e | - /usr/bin/grep -w $1 | - /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` - [ "$pid" != "" ] && kill $pid -} - -# Start/stop processes required for samba server - -case "$1" in - -'start') -# -# Edit these lines to suit your installation (paths, workgroup, host) -# -echo Starting SMBD - /usr/local/samba/bin/smbd -D -s \ - /usr/local/samba/smb.conf - -echo Starting NMBD - /usr/local/samba/bin/nmbd -D -l \ - /usr/local/samba/var/log -s /usr/local/samba/smb.conf - -echo Starting Winbind Daemon - /usr/local/samba/bin/winbindd - ;; - -'stop') - killproc nmbd - killproc smbd - killproc winbindd - ;; - -*) - echo "Usage: /etc/init.d/samba.server { start | stop }" - ;; -esac - -If you restart the smbd, nmbd, and winbindd daemons at this point, you -should be able to connect to the samba server as a domain member just as if -you were a local user. - - -Configure Winbind and PAM -------------------------- - -If you have made it this far, you know that winbindd and samba are working -together. If you want to use winbind to provide authentication for other -services, keep reading. The pam configuration file need to be altered in -this step. (Did you remember to make backups of your original /etc/pam.conf -file? If not, do it now.) You will need a pam module to use winbindd with -these other services. This module will be compiled in the ../source/nsswitch -directory by default when we used ./configure --with-pam option. - -root# make nsswitch/pam_winbind.so - -from the ../source directory. The pam_winbind.so file should be copied to -the location of your other pam security modules. On my Solaris 8, this was -the /usr/lib/security directory. - -root# cp ../samba/source/nsswitch/pam_winbind.so /usr/lib/security - -The /etc/pam.conf need to be changed. I changed this file so that my Domain -users can logon both locally as well as telnet.The following are the changes -that I made.You can customize the pam.conf file as per your requirements,but -be sure of those changes because in the worst case it will leave your system -nearly impossible to boot. - -# -#ident "@(#)pam.conf 1.14 99/09/16 SMI" -# -# Copyright (c) 1996-1999, Sun Microsystems, Inc. -# All Rights Reserved. -# -# PAM configuration -# -# Authentication management -# -login auth required /usr/lib/security/pam_winbind.so -login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass -# -rlogin auth sufficient /usr/lib/security/pam_winbind.so -rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -dtlogin auth sufficient /usr/lib/security/pam_winbind.so -dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -other auth sufficient /usr/lib/security/pam_winbind.so -other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -# Account management -# -login account sufficient /usr/lib/security/pam_winbind.so -login account requisite /usr/lib/security/$ISA/pam_roles.so.1 -login account required /usr/lib/security/$ISA/pam_unix.so.1 -# -dtlogin account sufficient /usr/lib/security/pam_winbind.so -dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 -dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 -# -other account sufficient /usr/lib/security/pam_winbind.so -other account requisite /usr/lib/security/$ISA/pam_roles.so.1 -other account required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Session management -# -other session required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Password management -# -#other password sufficient /usr/lib/security/pam_winbind.so -other password required /usr/lib/security/$ISA/pam_unix.so.1 -dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Support for Kerberos V5 authentication (uncomment to use Kerberos) -# -#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other session optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass - -I also added a try_first_pass line after the winbind.so line to get rid of -annoying double prompts for passwords. - -Now restart your Samba & try connecting through your application that you -configured in the pam.conf. - - - -!== -!== end of Solaris-Winbind-HOWTO.txt -!== -- 2.11.4.GIT