Winbindd: Difference between revisions
m (→Testing: minor formatting) |
|||
Line 24: | Line 24: | ||
The current installation process put the library libnss_winbind.so in <tt><PATH_TO_SAMBA>/lib</tt> (ie. <tt>/usr/local/samba/lib</tt>). Use a current checkout as described in [[Samba4/HOWTO]]. |
The current installation process put the library libnss_winbind.so in <tt><PATH_TO_SAMBA>/lib</tt> (ie. <tt>/usr/local/samba/lib</tt>). Use a current checkout as described in [[Samba4/HOWTO]]. |
||
# |
# cp -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so |
||
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 |
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 |
||
Revision as of 20:41, 29 August 2010
About Winbind and Samba4
Samba4 currently embed its own Winbind implementation. Winbind is responsible for affecting an unix uid to user, gid to groups.
It is also used to list groups of a given user, to translate SID to uid/gid and many other things.
As soon as you use file server capabilities of Samba4 (for instance for serving GPO or login scripts), calls to Winbind will be made to get the user's uid (and allocate if none exists). This can be noticed by the fact that when a file is created from Windows in one of the samba4 server share you will see big numerical uid and gid.
For example:
ls /home/mat/workspace/samba/homematwsnet/sysvol/home.matws.net/Policies/\{085C0631-6142-4637-9FED-2EC5B4FB6952\}/ -l total 0 drwxr-sr-x 4 3000008 users 4096 2010-03-05 23:31 . drwxrwsrwx 10 3000008 3000008 4096 2010-03-05 23:31 .. -rw-r--r-- 1 3000017 users 68 2010-03-06 01:43 GPT.INI
The user interaction can be eased by the usage libnss_winbind. That's the point of the next paragraph.
Using libnss_winbind
Installing and configuring
The current installation process put the library libnss_winbind.so in <PATH_TO_SAMBA>/lib (ie. /usr/local/samba/lib). Use a current checkout as described in Samba4/HOWTO.
# cp -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
You need to instruct the system to use the nss winbind library when searching for users or groups. For this add the keywork winbind to the stanza passwd and group in /etc/nsswitch.conf.
It should look like:
passwd: files winbind group: files winbind shadow: files ...
Note: On some systems it is the keyword compat that is used instead of files.
Testing
Check the following steps:
- winbind is "pingable"
$ /usr/local/samba/bin/wbinfo -p Ping to winbindd succeeded
- winbind is able to provide user list, you should see something like this
$ /usr/local/samba/bin/wbinfo -u ... Administrator ...
- getent passwd returns a password like file with entries for domain users
$ getent passwd ... Administrator:x:0:100::/home/MATWS/Administrator:/bin/false ...
- The id command returns information about a user
$ id Administrator uid=0(root) gid=100(users) groupes=0(root),100(users),3000004(Group Policy Creator Owners),3000008(Domain Admins)
If all these steps are ok then the installation of libnss_winbind is successful and you can enjoy manipulating domain users uid and gid in a much more friendly way.
You can now configure pam_winbind, if you want to be able to login on the server running samba 4, for this check next paragraph.
Using pam_winbind
Installing and configuring
The current installation process put the library pam_winbind.so in <PATH_TO_SAMBA>/lib (ie. /usr/local/samba/lib).
This library has to be installed in /lib/security to allow the system to be able to use it.
Add this entry to your smb.conf in the global section:
template shell = /bin/bash
Restart your samba 4 server so that it takes the new parameter.
Then you need to instruct pam how to use this library.
Note: The following actions can cause you not to be able to connect to your system if you do something wrong. You are invitated to make a backup of your previous configuration and to have a spare connection to the server as root to be able to restore them in case of problem.
Note2: This guide is based on the fact that the pam configuration is in /etc/pam.d/common* files which seems to be common nowdays. If it's not the case for you, you have to decline it accordingly to your configuration.
Files to modify:
- /etc/pam.d/common-account
Add this line before pam_unix.so:
account sufficient pam_winbind.so
- /etc/pam.d/common-auth
Add this line after pam_unix.so:
auth sufficient pam_winbind.so use_first_pass
- /etc/pam.d/common-session
Add this line before any other session line:
session required pam_winbind.so mkhomedir
Testing
- Check that getent passwd return a correct entry:
getent passwd ... Administrator:x:0:100::/home/MATWS/Administrator:/bin/bash ...
It's important that the shell must be a real shell (and not /bin/false).
- Check that you can connect as a non domain user (ie. root or any other account that used before
- Connect to the server using a domain account:
ssh administrator@localhost administrator@localhost's password: Linux ares 2.6.31-20-generic-pae #57-Ubuntu SMP Mon Feb 8 10:23:59 UTC 2010 i686 To access official Ubuntu documentation, please visit: http://help.ubuntu.com/ Last login: Tue Mar 9 00:19:30 2010 root@ares:~# who mat tty7 2010-03-09 17:05 (:0) Administrator pts/4 2010-03-24 16:38 (localhost)
If the latest point didn't work the option debug can be added to the modified entries in the modified pam files to help to find out what's wrong.