Authenticate a Linux client to Samba

Assumption: you are running a Samba3 PDC without LDAP and you want to authenticate your Linux clients as well as your Windows clients against Samba.

What will you have to do on your Linux client to make this work?

I am using Ubuntu on the client side and Debian Etch on the server.

What to do on the server

1. Add a posix account for the machine

/usr/sbin/useradd -g smbmachine -s /bin/false -d /dev/null machinename$

2. Activate the machine with pdbedit

pdbedit -a -m -u machinename

What to do on the client

1. Install winbind

sudo aptitude install winbind

2. Edit your /etc/samba/smb.conf

[global]
  workgroup = YOURWORKGROUP
  password server = samba
  server string = %h server (Samba, Ubuntu)

  dns proxy = no
  domain master = no
  encrypt passwords = true
  idmap gid = 10000-20000
  idmap uid = 10000-20000
  invalid users = root
  local master = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  obey pam restrictions = no
  os level = 0
  panic action = /usr/share/samba/panic-action %d
  passdb backend = tdbsam
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n  passwd:*password\supdated\ssuccessfully* .
  passwd program = /usr/bin/passwd %u
  preferred master = no
  security = domain
  socket options = TCP_NODELAY
  syslog = 0
  template homedir = /home/%U
  template shell = /bin/bash
  winbind enum groups = yes
  winbind enum users = yes

3. Edit /etc/nsswitch.conf

[...] 

passwd:         compat winbind
group:          compat winbind
shadow:         compat

[...]

4. Edit /etc/pam.d/login
Add the entry for winbind:

#
# The PAM configuration file for the Shadow `login' service
#

# Winbind first
auth    sufficient      pam_winbind.so

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

#

[...]

5. Edit /etc/pam.d/gdm

#%PAM-1.0
auth    requisite       pam_nologin.so
auth    sufficient      pam_winbind.so
auth    required        pam_env.so readenv=1

[...]

If you want to let your Samba users log in to your client machine using other methods (e.g. ssh), you will have to edit the PAM files for those services as well.

6. Make sure your services pay attention to the changed config files
Restart winbind and gdm (reboot to be sure)

7. Join the domain:

sudo net join -S samba -U root

8. Check for success

# To get users:
wbinfo -u

# To get groups:
wbinfo -g

# To test the connection (machine trust account):
wbinfo -t

9. Create the home directories for your Samba users

10. Log in
Log in with a Samba account: YOURWORKGROUP\username
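
A static check for the files edited in steps 3 to 5, added here as an example and not part of the original page: it reports which nsswitch databases consult winbind and lists the auth modules placed after the "auth sufficient pam_winbind.so" line, which PAM does not call once winbind succeeds. The function names and the sample files are constructed for illustration; point the functions at the real files under /etc to check a client.

```shell
#!/bin/sh
# Added example (not from the original page): static checks for steps 3-5.

# Succeeds if database $2 (e.g. passwd) in nsswitch file $1 lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit !ok }' "$1"
}

# Prints the auth modules in PAM file $1 that come after
# "auth sufficient pam_winbind.so"; they are skipped when winbind succeeds.
skipped_after_winbind() {
    awk '$1 == "auth" && seen { print $3 }
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_winbind.so" { seen = 1 }' "$1"
}

# Constructed sample files mirroring the excerpts on this page.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/nsswitch.conf" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat
EOF
cat > "$demo/login" <<'EOF'
# Winbind first
auth    sufficient      pam_winbind.so
# auth       required   pam_issue.so issue=/etc/issue
auth       requisite  pam_securetty.so
EOF
cat > "$demo/gdm" <<'EOF'
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    sufficient      pam_winbind.so
auth    required        pam_env.so readenv=1
EOF

for db in passwd group shadow; do
    if nss_has_winbind "$demo/nsswitch.conf" "$db"; then
        echo "nsswitch $db: winbind"
    else
        echo "nsswitch $db: local only"
    fi
done
for svc in login gdm; do
    echo "$svc: skipped after winbind success: $(skipped_after_winbind "$demo/$svc" | tr '\n' ' ')"
done
```

In the login excerpt pam_securetty.so sits after the winbind line, so it is not evaluated for a user winbind accepts; the gdm excerpt keeps pam_nologin.so ahead of winbind, so that check still applies.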



TODO:

  • mounting the home directories with NFS
  • who should be allowed to log in to this machine?
  • Samba users allowed to log in with SSH?
samba/auth_linux_client_at_samba_pdc.txt · Last modified: 2014-02 by tb