
From Mandriva Community Wiki

Samba as a Domain Member

This section contains information on the features available in Samba which allow you to integrate your server(s) into a large Windows® network or to have them form the basis of a small Windows network.


Joining A Windows Domain

Why join your Linux box to a Windows domain?

A Windows domain is a workgroup that is (usually) controlled by a Windows server which provides account and authentication services to the clients (typically Windows NT, 2000, XP or Vista, and to a limited extent Windows 9x), much as NIS or LDAP would on a Unix network. This means less admin overhead on the Windows NT/2000 machines (users only need one domain account instead of one account per machine) and more security on the Windows 9x machines (it is possible to allow only authenticated logins on Windows 9x).

It is possible to join a Linux system to a Windows domain, which lets you provide file sharing to colleagues who run Windows machines in the domain without having to keep their Samba password on your machine in sync with their Windows domain password.

Configuration options required

To participate in a Windows domain, you need the following entries in your smb.conf file:

encrypt passwords = yes
security = domain
workgroup = <WORKGROUP>
password server = <LIST_OF_DOMAIN_CONTROLLERS>

Setting password server = * causes Samba to look up the domain controllers on your network automatically. If for some reason this does not work, and you know the names of the domain controllers, you can instead enter a space-separated list of the NetBIOS names of your Domain Controllers (PDCs and BDCs).

Joining the domain

You now need to join the Windows domain. This involves having an account made for your machine, and then having your machine log into the server and change its password. You can do this all in one step with the following command: smbpasswd -j <DOMAIN> -r <DOMAIN_CONTROLLER> -U <DOMAIN_ADMIN>, where DOMAIN is the name of your domain (should be the same as the workgroup parameter in your smb.conf file), DOMAIN_CONTROLLER is the name of the Primary Domain Controller of your domain, and DOMAIN_ADMIN is an account on the PDC with domain admin privileges. You will be prompted for this user's password, so you should ask your Windows admin to help you here if necessary.

Older versions of Samba require you to do this in two steps (this method can also be used if your Windows admin is not physically available but can create an account for your computer):

  • have a computer account made in the domain for your Linux box. This must be the name set by the netbios name parameter in smb.conf, or your hostname if you haven't specified one. Ask your Windows admin to do this for you.
  • join the Windows domain with the following command: smbpasswd -j <DOMAIN>
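The settings and the join command described above can be checked before running anything against the domain. The following is an added example, not code from the Mandriva wiki or from Samba itself: it parses an smb.conf [global] section (the sample text is constructed for the example), reports which of the four required domain-member settings are missing or wrong, splits password server into its list of controllers, and builds the one-step smbpasswd -j command while checking that the domain given matches the workgroup parameter, as the text says it must.

```python
"""Sanity-check an smb.conf [global] section for Samba domain membership and
build the smbpasswd join command from it.

Added example (not Mandriva's or Samba's own code). SAMPLE_SMB_CONF below is
constructed for the example; the parameter names are those from smb.conf(5).
"""

# Constructed sample; in practice read /etc/samba/smb.conf instead.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLEDOM
   netbios name = LINUXBOX
   encrypt passwords = yes
   security = domain
   ; explicit PDC and BDC instead of "*"
   password server = PDC01 BDC01

[homes]
   browseable = no
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    smb.conf parameter names are case-insensitive and ignore internal
    whitespace, so keys are normalised to lower case with single spaces.
    Lines beginning with ';' or '#' are comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][' '.join(key.lower().split())] = value.strip()
    return sections


def domain_member_findings(global_cfg):
    """List the problems that would stop this host acting as a domain member.

    An empty list means all four settings required by the text are present
    and sane.
    """
    findings = []
    if global_cfg.get('encrypt passwords', '').lower() not in ('yes', 'true', '1'):
        findings.append('encrypt passwords must be yes')
    if global_cfg.get('security', '').lower() != 'domain':
        findings.append('security must be set to domain')
    if not global_cfg.get('workgroup'):
        findings.append('workgroup (the NT domain name) is not set')
    if not global_cfg.get('password server'):
        findings.append('password server is not set (use * for automatic lookup)')
    return findings


def password_servers(global_cfg):
    """Return the NetBIOS names listed in 'password server', or ['*'] when
    Samba is left to locate the domain controllers itself."""
    value = global_cfg.get('password server', '').strip()
    if value == '*':
        return ['*']
    return value.replace(',', ' ').split()


def join_command(global_cfg, domain, domain_controller, domain_admin):
    """Build the one-step join command as an argv list.

    Raises ValueError when the domain passed to -j does not match the
    workgroup parameter, since the two must agree.
    """
    workgroup = global_cfg.get('workgroup', '')
    if domain.upper() != workgroup.upper():
        raise ValueError(f'domain {domain!r} does not match workgroup {workgroup!r}')
    return ['smbpasswd', '-j', domain, '-r', domain_controller, '-U', domain_admin]


if __name__ == '__main__':
    cfg = parse_smb_conf(SAMPLE_SMB_CONF)['global']
    for problem in domain_member_findings(cfg) or ['configuration looks fine']:
        print(problem)
    print('domain controllers:', password_servers(cfg))
    print(' '.join(join_command(cfg, 'EXAMPLEDOM', 'PDC01', 'Administrator')))
```

The script only inspects the file and builds the command line; the actual join still has to be run by hand so that the domain admin password is typed at the smbpasswd prompt rather than stored anywhere.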

Authenticating other services from a Windows domain

Thanks to Name Service Switch (NSS) and Pluggable Authentication Modules (PAM), Linux is very flexible regarding authentication of services. By using the pam_smb module to do password authentication, you can use the accounts in a Windows domain to authenticate users for any service that supports PAM. After installing the package (see Installing and removing software), you need to edit the /etc/pam_smb.conf file as follows:

<DOMAIN>
<PDC>
<BDC>

where <DOMAIN> is the name of your domain and <PDC> and <BDC> are the NetBIOS names of your Primary Domain Controller and your Backup Domain Controller respectively.

pam_smb only provides password authentication from the domain; it cannot provide group or user information. For this to be useful, in most cases you will therefore have to either use NIS or LDAP for account information or maintain passwd files on each machine that uses pam_smb.

To use pam_smb for password authentication you now need to modify the PAM configuration files. For example, if you want to allow users to use all PAM-aware services on your machine, you can modify the file /etc/pam.d/system-auth so that the 'auth' lines are as follows:

auth       required       /lib/security/pam_nologin.so
auth       required       /lib/security/pam_env.so
auth       sufficient     /lib/security/pam_ldap.so
auth       sufficient     /lib/security/pam_smb_auth.so try_first_pass
auth       sufficient     /lib/security/pam_unix.so likeauth nullok try_first_pass
auth       required       /lib/security/pam_deny.so
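The order and control flags in that auth stack matter: the domain modules are sufficient so that a local account can still fall through to pam_unix, try_first_pass stops the user being prompted twice for the same password, and the final required pam_deny.so denies anything that no earlier module accepted. The following added example, not part of the original page or of the pam_smb package, parses the auth lines of a system-auth style file (the sample contents are constructed) and reports deviations from that pattern.

```python
"""Check the 'auth' stack of a PAM service file against the pam_smb pattern
shown above: pam_smb_auth.so marked sufficient with try_first_pass, and a
required pam_deny.so closing the stack.

Added example, not part of the original page or of pam_smb. The sample file
contents are constructed; the module names are the ones used in the text.
"""

# Constructed sample of /etc/pam.d/system-auth (auth section plus one
# unrelated account line, which the parser must skip).
SAMPLE_SYSTEM_AUTH = """\
# comment lines are ignored
auth       required       /lib/security/pam_nologin.so
auth       required       /lib/security/pam_env.so
auth       sufficient     /lib/security/pam_ldap.so
auth       sufficient     /lib/security/pam_smb_auth.so try_first_pass
auth       sufficient     /lib/security/pam_unix.so likeauth nullok try_first_pass
auth       required       /lib/security/pam_deny.so
account    required       /lib/security/pam_unix.so
"""


def parse_pam_auth(text):
    """Return the auth-type lines as (control, module basename, args) tuples,
    in file order; other types and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != 'auth':
            continue
        control, path, args = fields[1], fields[2], fields[3:]
        entries.append((control, path.rsplit('/', 1)[-1], args))
    return entries


def auth_stack_findings(entries):
    """List deviations from the pam_smb auth stack shown in the text.

    An empty list means the stack has the expected shape.
    """
    findings = []
    modules = [module for _, module, _ in entries]
    if 'pam_smb_auth.so' not in modules:
        findings.append('pam_smb_auth.so is not in the auth stack')
    else:
        control, _, args = entries[modules.index('pam_smb_auth.so')]
        if control != 'sufficient':
            findings.append('pam_smb_auth.so is %s, not sufficient; local accounts '
                            'could be locked out when the domain is unreachable' % control)
        if 'try_first_pass' not in args:
            findings.append('pam_smb_auth.so lacks try_first_pass; the user will be '
                            'prompted for the password a second time')
    if not entries or entries[-1][:2] != ('required', 'pam_deny.so'):
        findings.append('auth stack does not end with "required pam_deny.so"; add it '
                        'so a login no earlier module accepted is denied explicitly')
    return findings


if __name__ == '__main__':
    stack = parse_pam_auth(SAMPLE_SYSTEM_AUTH)
    for control, module, args in stack:
        print(f'{control:<11}{module:<20}{" ".join(args)}')
    for problem in auth_stack_findings(stack) or ['auth stack looks fine']:
        print(problem)
```

Run it against a copy of the real file before switching the stack over, and keep a root shell open while doing so: a mistake in system-auth affects every PAM-aware service on the machine at once.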

Authenticating Apache from a Windows domain

An Apache authentication module called mod_authnz_external lets Apache authenticate users via PAM, so using 'mod_auth_external' together with 'pam_smb' allows authentication against the Domain Controller. You would probably want to secure this with SSL, since Apache's Basic authentication otherwise sends the domain password over the network in clear text.
