Some months ago I asked the list how to get a Linux box to validate
users off an NT Domain. Yuri got me real close, and for the record, I'm
posting what worked for me in more detail.
Kent
============
_Situation:_
A university setting, with computer labs where students sit down at a PC
running Windows and log in using their personal NT Domain login account.
We have two domains: ACU (for staff/faculty), and ACU-ACADEMIC (for
students). ACU is the primary domain; phoebe is the PDC for that domain.
I wanted to have dual-boot machines (Win2K/XP and Debian), and let the
students log into either OS with their NT Domain accounts. I was pretty
sure it was possible, but in two and a half years of on-again/off-again
attempts, had never been successful.
I found two or three helpful pages on the web, but none solved my
problem. The only link I currently have is:
http://ftp.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html. "man
winbindd" was also quite helpful.
_Solution:_
There are three broad areas of setup that have to be accomplished:
Samba, Winbind, and PAM. Strictly speaking, winbind is a part of the
samba suite, but I consider them separate components, which makes
troubleshooting easier.
First, we start with a normal install of Debian Woody.
_Samba:_
Then we need to get Samba configured. "apt-get install samba
samba-common smbclient smbfs". I'm not sure which of these pieces are
necessary and which aren't, but they're what I have installed on my
working machine.
Then edit /etc/samba/smb.conf. I simplified mine so that I can see it
better and remove any unneeded complications. Here's what mine looks like:
[global]
workgroup = ACU
server string = %h server
security = domain
encrypt passwords = true
password server = phoebe
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 18
local master = No
dns proxy = no
Notice that the workgroup line needs to be set to your NT Domain name.
For me, this could be "ACU" or "ACU-ACADEMIC". I chose "ACU" since it
gives me access to both domains, whereas if I had used "ACU-ACADEMIC" I
would have been limited to access in the ACU-ACADEMIC domain, because of
the trust relationships set up between the two by our NT Domain sys
administrators.
Also, some of the documentation I've seen has the line "password server
= *", but if I remember correctly, I had no success with that until I
changed it to point specifically to our Primary Domain Controller (PDC),
phoebe.
Then you'll need to restart samba ("/etc/init.d/samba restart"), after
which you should be able to mount some domain share. For example, in
your home directory create a directory named netShare or something
similar ("mkdir netShare"). Then mount your domain share with a command
like "smbmount //servername/sharename netShare". If your Linux username
is different than your NT username, you'll need to specify that with a
command like "smbmount //servername/sharename -o username=myNTaccountName".
If you then can see the shared files in your netShare directory, you've
successfully set up Samba.
_Winbind_:
Now we need to set up winbind. This service allows your machine to "see"
the users and groups on your NT Domain.
Before installing winbind, run the command "gentent group" and/or
"getent passwd". These commands should basically list the information in
your local /etc/group and/or /etc/passwd files. After installing
winbind, these commands should also list the same sort of information
from your NT Domain.
"apt-get install winbind"
Now add the following lines to the end of the simplified
/etc/samba/smb.conf file I listed above:
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
winbind separator = +
template homedir = /home/%D/%U
We'll also need to tell the system to look first at the local files
(/etc/passwd and /etc/group), and then to the NT Domain whenever it's
looking for account information. This is done in the /etc/nsswitch.conf
file. Here's mine:
passwd: files winbind compat
group: files winbind compat
shadow: winbind compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Probably the only difference you'll see from the default file in Woody
is the changes to the first three lines.
Then restart winbind (/etc/init.d/winbindd restart).
You'll then need to add this machine to the NT Domain. Between Woody and
Sid, there's a major change in Samba. The older command to do this is
"smbpasswd -j <DOMAINNAME> -U <DOMAINADMINACCOUNT>". For me, this
command was "smbpasswd -j ACU -U Administrator"; I was then prompted for
the domain Administrator's password, and then got a message saying that
the machine had been added to the domain. The newer command is "net rpc
join -U <DOMAINADMINACCOUNT>". I haven't had success yet with the Sid
version, but will probably try in the next day or two.
Now run the "getent group" command and you should see info from your NT
domain appear as well as the local group info.
Notice that my subject of this email is "Solved (Mostly)". I haven't
gotten the home directory stuff figured out yet. When a user logs in,
the error is generated that the home directory doesn't exist and that /
will be used as the home directory. Hopefully I can get that solved in
the next day or two.
_PAM_:
Wow. This was the difficult part. Before you start, make a backup of
your "/etc/pam.d/login" file, and never log out of a root-accessible
account after making changes to this file without testing them first, or
you could lock yourself out of your machine.
First, a short PAM tutorial.
In the old days, the "login" program that allowed you to login to a
system had to know how to ask your name and password, and then where to
look to see if that was a valid name and password, and what to do if it
was or if it wasn't, and etc etc etc. The problem with this information
being hardcoded into the login program (or any other similar type
program), is that it wasn't very flexible, and if something happened
externally, like the location of the username/password database changed,
the login program had to be rewritten to accomodate that change.
Nowadays, the login program doesn't need to know all that. The login
program knows it's supposed to ask for a username/password, and if
everything is copacetic, let the user in. But it asks PAM to take care
of the menial details.
PAM does this for lots of apps, not just the login app. It does it for
ftp logins, and ssh logins, and password change routines, and database
access, and etc etc. PAM knows what to do for what app because of its
configuration files that the sysadmin has set up.
The old configuration file for PAM was /etc/pam.conf. However, since
that's the old method, we don't care about it and will just ignore it.
(Your fresh Woody install has the file, but it's all commented out
probably.)
The new configuration method is separate files for each app in the
/etc/pam.d directory. Since we're interested in the basic login
procedure, and not the ssh login, etc, we'll only be tinkering with the
/etc/pam.d/login file.
Again, make a backup of this file. Now.
There are a lot of comments in this file, but they got in the way of me
"seeing" the file, so I've removed all the comments, which results in
the following:
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
password required pam_unix.so nullok obscure min=4 max=8
As you can see, it's actually a pretty simple file.
There are four basic "module-types": auth, account, session, and
password. And there are four basic "control flags": required, requisite,
sufficient, and optional. The third field ties these things into library
files, found in /lib/security, followed by any options that need to be
passed to the library files.
When the login process is initiated, it needs to authenticate the user
(who are you? what's your password? what is the air-speed velocity of an
unladen swallow?). There are several tests involved in this
authentication. Some of the tests are handled by the "pam_securetty.so"
library; some are handled by the "pam_nologin.so" library, and so on.
The "requisite" flag means that the test must be successfully passed. If
the test is not passed, the applicant fails, and further processing of
the file ceases. We toss the poor guy over the bridge immediately into
the Gorge of Eternal Peril.
The "required" flag also means that the test must be successfully
passed. The difference from "requisite" is that if the test is not
passed, the applicant will eventually fail, but we're going to continue
processing the rest of the tests in the file before tossing the poor guy
over the bridge.
A "sufficient" flag means that if the test is passed, the applicant
passes. No need for further questions. Just let the guy cross the bridge
successfully.
An "optional" flag means that the Keeper of the Bridge of Death doesn't
care whether the applicant passes the tests or not. The Keeper has to
perform the tests and report the answers to the proper authorities, but
the Keeper doesn't care one way or the other if the applicant passes the
tests or not, and doesn't reward or punish the applicant. It's kind of
like those math tests you took at the beginning of your senior year in
high school; it's not for a grade, we just want to see what you remember
from last year's math classes.
So, looking at the above file, the first thing that happens is that
pam_securetty.so does its tests. If any of its tests fail, the whole
process returns a big fat "FAILURE" to the login process, and further
processing of the login file stops. However, if all of its tests pass,
it puts a checkmark next to the "PASSED" checkbox and turns further
processing on to the next test giver.
The next test giver is pam_nologin.so. Since its flag is "requisite", it
behaves like pam_securetty.so did.
BTW, if you want to see pam_nologin.so in action, create the file
"/etc/nologin", with contents something like "Sorry; the sysadmin has
disabled all non-root logins. Please try later" and then try logging
into another VT as a normal user. To restore normal logins, just delete
(or rename) the /etc/nologin file.
Then comes the required tests. If one of these tests fail, the whole
process returns a big fat "FAILURE" to the login process, but instead of
stopping the testing procedures, PAM still continues to process the rest
of the file.
After all the authentication tests are run, then the session tests
begin. The session tests do such things as setting up audit trails and
mounting home directories.
Then come the password tests. I didn't quite wrap my brain around this
set. Perhaps you can get more out of a "man pam".
The tests are not performed in order by the type necessarily; they're
performed by the order in which they appear within the file. It's just a
coincidence that they're grouped that way in the above listing.
_End of Tutorial_:
_Changes to PAM_:
To make PAM check the NT Domain for authenticating users instead of just
the local files, we need to change some stuff in the /etc/pam.d/login
file. Here's my new file, along with some comments:
# These two tests must pass.
auth required pam_securetty.so
auth required pam_nologin.so
# If this test passes, user is an NT Domain user and is valid. Exit
# the process with a "PASS".
auth sufficient pam_winbind.so
# If the above test failed, check to see if the user is a valid local
# user. (Don't ask for the password again.)
auth required pam_env.so
auth required pam_unix.so nullok use_first_pass
account sufficient pam_winbind.so
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
password required pam_unix.so nullok obscure min=4 max=8
You'll notice that the only changes are the addition of the two lines
referencing pam_winbind.so and the addition of the "use_first_pass"
option to one line. Without this option, if the pam_windbind.so auth
line fails, the user is prompted a second time for his password. Try it
to see for yourself.
_The Smoke Test_:
Now it's time to see if it all works.
Switch to a different VT and try to log in locally as you've been doing.
It should work.
Now log out, and try logging in as a domain user. Because of the
"winbind separator" line in /etc/samba/smb.conf, you'll need to log in
like so:
login: acu+westk
password: <password>
If all went well, you've gotten access! Yea!
Now to get the home directory stuff fixed.
Kent
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
- Re: an old message in debian-user Kent West
