Authenticate a Linux client to Samba
Assumption: you are running a Samba3 PDC without LDAP and you want to authenticate your Linux clients as well as your Windows clients with Samba.
What do you have to do on your Linux client to make this work?
I am using Ubuntu on the client side and Debian Etch on the server.
What to do on the server
1. Add a POSIX account for the machine
/usr/sbin/useradd -g smbmachine -s /bin/false -d /dev/null machinename$
2. Activate the machine with pdbedit
pdbedit -a -m -u machinename
What to do on the client
1. Install winbind
sudo aptitude install winbind
2. Edit your /etc/samba/smb.conf
[global]
   workgroup = YOURWORKGROUP
   password server = samba
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   domain master = no
   encrypt passwords = true
   idmap gid = 10000-20000
   idmap uid = 10000-20000
   invalid users = root
   local master = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   obey pam restrictions = no
   os level = 0
   panic action = /usr/share/samba/panic-action %d
   passdb backend = tdbsam
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n passwd:*password\supdated\ssuccessfully* .
   passwd program = /usr/bin/passwd %u
   preferred master = no
   security = domain
   socket options = TCP_NODELAY
   syslog = 0
   template homedir = /home/%U
   template shell = /bin/bash
   winbind enum groups = yes
   winbind enum users = yes
3. Edit /etc/nsswitch.conf
[...]
passwd: compat winbind
group: compat winbind
shadow: compat
[...]
4. Edit /etc/pam.d/login
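Add the entry for winbind. Because it comes first with the control flag sufficient, a successful winbind authentication ends the auth stack at that point, so the modules listed after it (here pam_securetty.so) are not evaluated for that login.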
#
# The PAM configuration file for the Shadow `login' service
#
# Winbind first
auth sufficient pam_winbind.so
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth requisite pam_securetty.so
# [...]
5. Edit /etc/pam.d/gdm
#%PAM-1.0
auth requisite pam_nologin.so
auth sufficient pam_winbind.so
auth required pam_env.so readenv=1
[...]
If you want to let your Samba users log in to your client machine using other methods (e.g. ssh), you will have to edit the PAM files for those services as well.
6. Make sure your services pay attention to the changed config files
Restart winbind and gdm (reboot to be sure)
7. Join the domain:
sudo net join -S samba -U root
8. Check for success
# To get users:
wbinfo -u
# To get groups:
wbinfo -g
# To test connections:
wbinfo -t
9. Create the home directories for your Samba users
Log in with a Samba account:
- mounting the homedirectories with NFS
- who should be allowed to login to this machine?
- samba users allowed to login with SSH?
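
A check for the client edits in steps 3 to 5 plus the trust test from step 8, as an added example that is not part of the original page. The function names, the optional ROOT prefix and the --run switch are assumptions of this sketch; the file paths are the ones edited above.

```shell
#!/bin/sh
# Added example: verifies the client edits from steps 3-5, then the step 8 trust test.

# nss_has_winbind FILE DB: succeeds if the active DB line (e.g. passwd) lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# pam_auth_after_winbind FILE: prints the active auth modules listed after
# pam_winbind.so (not evaluated when a "sufficient" winbind succeeds).
# Fails if the file has no active pam_winbind.so auth line.
pam_auth_after_winbind() {
    awk '
        $1 != "auth" { next }                      # skips comments, blanks, other types
        seen { out = out (out ? " " : "") $3 }     # module path is field 3 for simple controls
        $3 ~ /pam_winbind\.so$/ { seen = 1 }
        END { if (!seen) exit 1; print out }' "$1"
}

# verify_client [ROOT]: ROOT is an optional path prefix (hypothetical helper argument).
verify_client() {
    root=${1:-} rc=0
    for db in passwd group; do
        nss_has_winbind "$root/etc/nsswitch.conf" "$db" ||
            { echo "nsswitch.conf: '$db' does not list winbind"; rc=1; }
    done
    for f in login gdm; do
        if after=$(pam_auth_after_winbind "$root/etc/pam.d/$f"); then
            echo "pam.d/$f: pam_winbind.so active; auth modules after it: ${after:-none}"
        else
            echo "pam.d/$f: no active pam_winbind.so auth line"; rc=1
        fi
    done
    wbinfo -t || rc=1      # step 8: checks the machine account trust with the PDC
    return "$rc"
}

# Run the checks only when asked, e.g.: sh check-winbind.sh --run
if [ "${1:-}" = "--run" ]; then verify_client; fi
```

For the /etc/pam.d/login file shown above, the report names pam_securetty.so as the module that follows pam_winbind.so.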