Posted by: EAgerLinuxer
Source: http://bbs.chinaunix.net/forum/viewtopic.php?t=435614&show_type=new

Maybe your company's servers run Windows 200x, and a Win200x domain has been built to manage all of the company's machines and users. The domain works very well, and every user's permissions are set sensibly. Now you want to add a Linux or BSD machine to provide services such as FTP and Samba to the company's users, because these services are more capable and safer under Linux and BSD than under Windows. One problem you will run into is that every new machine needs all of those users created again, with a password set for each; if your company has a lot of staff this gets very tiring. But all of the user authentication information already exists, so why not take advantage of it :)

The winbind service in Samba 3 gives us such a way. First you add the Linux server to the Win200x domain so that it becomes a member server; then the winbindd service forwards authentication requests to the PDC, and the PDC does the user authentication. With winbindd and PAM configured properly, your Linux or BSD server authenticates against the PDC. Isn't that nice?

Below is the process for having the PDC authenticate sshd and Samba on Red Hat 7.3:

1. Software used:
   Samba-3.0.7
   PAM-0.75-32
   (I won't cover installing these; refer to the related documents on CU :)

2. Implementation:

1) After the Samba installation is complete, copy the libnss_winbind.so library to /lib:

   cp ../samba/source/nsswitch/libnss_winbind.so /lib
   ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

2) vi /etc/nsswitch.conf and make the following changes, so that winbind becomes a source of passwd and group information:

   passwd: files winbind
   shadow: files
   group:  files winbind

Keep "files" first on the passwd and group lines, so that local accounts such as root still resolve when winbindd is not running. shadow stays as files only; winbind provides no shadow information.

3) Run ldconfig so that libnss_winbind.so is picked up without rebooting; if you skip this, reboot the machine:
   /sbin/ldconfig -v | grep winbind

4) vi smb.conf and add the following lines in the [global] section:

   # separate domain and username with '/', like DOMAIN/username
   winbind separator = /
   # use uids from 10000 to 20000 for domain users
   idmap uid = 10000-20000
   # use gids from 10000 to 20000 for domain groups
   idmap gid = 10000-20000
   # allow enumeration of winbind users and groups
   winbind enum users = yes
   winbind enum groups = yes
   # give winbind users a real home directory and shell (only needed for shell logins such as sshd)
   template homedir = /home/%D/%U
   template shell = /bin/bash

winbind separator is the character placed between the domain name and the user or group name; I set it to '/' (the Samba default is '\', which is awkward to type on a shell command line). idmap uid and idmap gid give winbind the ranges of uid and gid numbers it uses when it maps Win200x domain users and groups onto local ids; if you have more users, widen the gap between the two values. These ranges must not overlap the ids of existing local accounts, otherwise a domain user could end up sharing an id with a local one. template homedir is the user's home directory after login; I set it to /home/domain/username. template shell is the shell the user gets after login. If you want the PDC to authenticate your sshd, add these so that the user gets a shell; otherwise they are not needed. The [global] section must also already contain workgroup = WY (your domain's NetBIOS name) and security = domain, or the join in the next step will fail.

5) Use Samba 3's net join command to add this machine to the Windows 200x domain:

   /usr/local/samba/bin/net rpc join -S pdc -U administrator

and enter the domain administrator's password when prompted. administrator is the domain administrator account, and pdc is the NetBIOS name of your domain controller (the -S argument is the server to join through, not the domain name).

6) Start the winbindd service:

   /usr/local/samba/sbin/winbindd

7) Use the wbinfo command to check that winbindd can reach the PDC and list the users and groups in the domain. wbinfo -t first verifies the machine trust account that the join created; wbinfo -u then lists the domain users:

Quote:
   [root@logback wy]# wbinfo -u
   WY/administrator
   WY/guest
   WY/krbtgt
   WY/wuying
   WY/wy
Here the part to the left of '/' is the domain name (WY in my case) and the part to the right is the domain user name.

Quote:
   [root@logback wy]# wbinfo -g
   BUILTIN/System Operators
   BUILTIN/Replicators
   BUILTIN/Guests
   BUILTIN/Power Users
   BUILTIN/Print Operators
   BUILTIN/Administrators
   BUILTIN/Account Operators
   BUILTIN/Backup Operators
   BUILTIN/Users
   WY/Domain Admins
   WY/Domain Users
   WY/Domain Guests
   WY/Domain Computers
   WY/Domain Controllers
   WY/Cert Publishers
   WY/Schema Admins
   WY/Enterprise Admins
   WY/Group Policy Creator Owners
   WY/DnsUpdateProxy

Here the part to the left of '/' is the domain name (WY in my case) and the part to the right is the domain group name. With getent passwd and getent group you can see all users and groups from the local server and the domain together. At this point more than half of the work is done: winbindd is working properly :)

8) In the samba-3.0.7 source directory, compile the pam_winbind.so authentication module and copy it to /lib/security:

   make nsswitch/pam_winbind.so
   cp ../samba/source/nsswitch/pam_winbind.so /lib/security

9) Next, set up PAM. Back up your /etc/pam.d directory before changing anything: if the sshd PAM configuration is wrong you may not be able to log in at all, so keep an existing root session open while you test. Here is my modified /etc/pam.d/sshd:

Quote:
   [root@logback wy]# cat /etc/pam.d/sshd
   #%PAM-1.0
   auth       sufficient   /lib/security/pam_winbind.so
   auth       required     /lib/security/pam_stack.so service=system-auth
   auth       required     /lib/security/pam_nologin.so
   account    sufficient   /lib/security/pam_winbind.so
   account    required     /lib/security/pam_stack.so service=system-auth
   password   required     /lib/security/pam_stack.so service=system-auth
   session    required     /lib/security/pam_stack.so service=system-auth
   session    required     /lib/security/pam_limits.so
   session    required     /lib/security/pam_mkhomedir.so
   session    optional     /lib/security/pam_console.so
The two lines containing pam_winbind.so are the ones I added; they do the winbind authentication. They are marked sufficient rather than required on purpose: a domain password is accepted before the local stack runs, a local account falls through to the pam_stack line, and if winbindd is down local logins still work. The line containing pam_mkhomedir.so is also mine: it creates the home directory and login scripts automatically at the first login; otherwise, once logged in, you will find yourself in the root directory. Note that the home directory path is the template homedir you specified in smb.conf, in my case /home/WY/username. The /home/WY directory has to be created by hand, otherwise the login does not get in. I set this directory's permissions to 1777 so that everyone can write to it but only the owner can delete, just like /tmp. (Caveat: pam_mkhomedir runs as root inside sshd, so 0755 on /home/WY is enough; a world-writable parent lets any local user pre-create another domain user's home directory before that user's first login.) Now try it with ssh from another machine:

Quote:
   [wy@wy1 rpms]$ ssh wy/wuying@172.16.130.35
   wy/wuying@172.16.130.35's password:
   Last login: Sat Oct 30 19:57:47 2004 from 172.16.130.36
   [WY/wuying@logback wuying]$ id
   uid=10003(WY/wuying) gid=10009(WY/Domain Users) groups=10009(WY/Domain Users)
   [WY/wuying@logback wuying]$

OK, we have succeeded. WY/wuying has the form "domain name/user name", and winbind has mapped it to uid 10003 from the idmap range. Below is my /etc/pam.d/samba:

Quote:
   [root@logback wy]# cat /etc/pam.d/samba
   #%PAM-1.0
   auth       required     pam_stack.so service=system-auth
   account    required     pam_stack.so service=system-auth

With security = domain, smbd passes the user's credentials to the PDC itself, so this file does not need a pam_winbind line.
Then vi smb.conf and add the following at the end:

Quote:
   [admshare]
   comment = admin dir
   path = /home/WY/administrator
   valid users = @"WY/Domain Admins"
   public = no
   writable = yes
   printable = no
   create mask = 0775
   directory mask = 0775

The @ prefix in valid users marks a group rather than a user, and the quotes are needed because the group name contains a space. With this, only members of the WY domain's Domain Admins group can access the admshare share. And when a user's password changes we don't have to visit every Linux server to change it: winbind authenticates against the Win200x PDC, so however the password changes there, it changes here too. Convenient.

I have only covered the winbind and PAM configuration. If some of these concepts are still unclear, refer to the PDF document in the docs directory of the Samba 3 source package samba-3.0.7.tar.gz. What I have described is covered in chapters 6 and 20 of Samba-HOWTO-Collection.pdf.
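To check the files touched in steps 2), 4) and 9) before restarting sshd or smbd, here is a small preflight script. It is an added example, not part of EAgerLinuxer's post or of Samba itself. It assumes the Red Hat 7.3 layout used in the post (/etc/nsswitch.conf, /etc/pam.d/sshd, the smb.conf keys shown above, a /home/WY parent directory) and, when run as-is, exercises the checks against constructed sample files that mirror the post's configuration rather than real /etc data.

```shell
#!/bin/sh
# winbind_preflight.sh: added example, not from the original post or from Samba.
# Checks the files edited in steps 2), 4) and 9) before sshd or smbd is restarted.
# Each check is a function taking file paths, so it can be pointed at the live
# /etc files or at the constructed samples that build_samples writes.

# Print the value of an smb.conf key ("key = value", one per line, key matched
# case-insensitively, surrounding spaces stripped). Assumes no inline comments.
smbconf_value() {
    awk -F'=' -v key="$2" 'NF >= 2 {
        k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
        if (tolower(k) == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }' "$1"
}

# Step 2): passwd and group must read "files ... winbind", files first, so that
# local accounts such as root still resolve when winbindd is down.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:[[:space:]]+files.*[[:space:]]winbind([[:space:]]|\$)" "$1" \
            || { echo "nsswitch: '$db:' must read 'files ... winbind'"; return 1; }
    done
}

# Step 4): the idmap range must be a sane low-high pair and must not overlap ids
# already present locally, or a domain user could share an id with a local one.
# $1 = smb.conf, $2 = "idmap uid" or "idmap gid", $3 = passwd or group file.
check_idmap_range() {
    range=$(smbconf_value "$1" "$2")
    echo "$range" | grep -Eq '^[0-9]+-[0-9]+$' \
        || { echo "smb.conf: '$2' missing or not a low-high range (got '$range')"; return 1; }
    lo=${range%-*}; hi=${range#*-}
    [ "$lo" -lt "$hi" ] || { echo "smb.conf: '$2 = $range' has low >= high"; return 1; }
    clash=$(awk -F: -v lo="$lo" -v hi="$hi" '$3 >= lo && $3 <= hi { print $1 }' "$3" | tr '\n' ' ')
    [ -z "$clash" ] || { echo "smb.conf: '$2' range $range collides with local ids: $clash"; return 1; }
}

# Step 9): the first auth line must be "auth sufficient pam_winbind.so": a domain
# password is accepted before the local stack runs and local accounts still fall
# through to it. "required" there would lock everyone out when winbindd is down.
check_pam_sshd() {
    first=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1" | head -n 1)
    echo "$first" | grep -Eq 'auth[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_winbind\.so' \
        || { echo "pam sshd: first auth line must be 'auth sufficient pam_winbind.so', got '$first'"; return 1; }
    grep -Eq '^[[:space:]]*account[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_winbind\.so' "$1" \
        || { echo "pam sshd: missing 'account sufficient pam_winbind.so'"; return 1; }
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+[^[:space:]]*pam_mkhomedir\.so' "$1" \
        || { echo "pam sshd: missing 'session required pam_mkhomedir.so'"; return 1; }
}

# template homedir parent: pam_mkhomedir runs as root inside sshd, so 0755 is enough;
# a world-writable parent lets any local user pre-create another user's home directory.
check_homedir_parent() {
    [ -d "$1" ] || { echo "homedir parent $1 missing; PAM 0.75 pam_mkhomedir will not create it"; return 1; }
    [ "$(ls -ld "$1" | cut -c9)" != "w" ] || { echo "homedir parent $1 is world-writable"; return 1; }
}

# Constructed samples mirroring the post's configuration (not real /etc data).
build_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd: files winbind
shadow: files
group:  files winbind
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = WY
   security = domain
   winbind separator = /
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template homedir = /home/%D/%U
EOF
    printf 'root:x:0:0:root:/root:/bin/bash\nwy:x:500:500::/home/wy:/bin/bash\n' > "$1/passwd"
    printf 'root:x:0:\nwy:x:500:\nusers:x:100:\n' > "$1/group"
    cat > "$1/sshd" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so
EOF
    mkdir -p "$1/home/WY" && chmod 0755 "$1/home/WY"
}

# Run every check; on a real box substitute /etc/nsswitch.conf, smb.conf, /etc/passwd,
# /etc/group, /etc/pam.d/sshd and /home/WY for the sample paths under $1.
run_all() {
    rc=0
    check_nsswitch "$1/nsswitch.conf"                        || rc=1
    check_idmap_range "$1/smb.conf" "idmap uid" "$1/passwd" || rc=1
    check_idmap_range "$1/smb.conf" "idmap gid" "$1/group"  || rc=1
    check_pam_sshd "$1/sshd"                                 || rc=1
    check_homedir_parent "$1/home/WY"                        || rc=1
    return $rc
}

tmp=$(mktemp -d) && build_samples "$tmp" && run_all "$tmp" && echo "winbind preflight: all checks passed"
```

On the real server, point the functions at /etc/nsswitch.conf, the smb.conf the source install reads (/usr/local/samba/lib/smb.conf by default), /etc/passwd, /etc/group and /etc/pam.d/sshd, then follow up with wbinfo -t to confirm that the machine trust account from the join still works; the script only inspects files and cannot tell you whether the PDC is reachable.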