Domain security via winbind?

PalmettoHodag
Hi,
I want to run my Linux server (RedHat v8.0) as a fileserver for Windows NT/2000/XP clients.  These clients are part of a Windows domain.  I want the authentication (users/groups) to go against the Windows PDC . . . without creating corresponding userIDs and groups on the Linux system (there would be quite a few users).  It seems that some people were doing this with winbindd and pam_ntdom previously, but pam_ntdom has been pulled from the Samba mirrors due to security holes.  Is there an alternative to use which will give the same functionality?

Commented:
Winbind still works and is still included with the latest release of Samba

The module now used for lookups is
pam_winbind.so

Check this URL out for instructions for setting up winbind to authenticate NT domain users

http://au1.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND

I have set this up and can use NT domain users to authenticate and access the system.
PalmettoHodag:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.

Commented:
Have you not got this working yet?

The link gives instructions on all the files needed to be modified in order to get this to work.

Post back if you do not have this working and need further instruction.

Author

Commented:
Actually, no.  The URL is a dead link.  I attempted to configure using various "how-to's" at the time, but to no avail.  However, I did find the following link which seems to be more up-to-date:

http://de.samba.org/samba/devel/docs/html/winbind.html

These instructions are for Red Hat 7.1.  I am using Red Hat 8.0 in a Windows NT 4.0 domain.  This domain will be converted to an Active Directory environment in a year or so.  Do you recommend a WINBIND solution in my situation?
Commented:
I am not sure about Winbind connecting to AD. I have not tried this yet.

It definitely works for connecting to a NT4 domain controller.

From memory these are the things that need to be done.

Edit /ETC/SMB.CONF

security = domain
workgroup = <domainname>
password server = <PDC> <BDC>
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
winbind use default domain = yes

Edit /etc/pam.d/login

add the following lines

auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass

account sufficient /lib/security/pam_winbind.so

Edit /etc/nsswitch

passwd:  files  winbind
shadow:  files
group:  files winbind


Restart the machine - a restart of SMB + winbind + NMB should be all that is required. Also make sure these services are installed and running.

Add the machine to your domain

smbpasswd -j <DOMAIN> -r <PDC> -UAdministrator%password

This should be successful and now try logging onto a console using your domain password

login: <domain>+<user>    (the + is the domain separator you specified in smb.conf)
password: <network password>




See how you go with this.
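
A way to sanity-check the files edited in the answer above before restarting the services. This is an added example, not part of the original thread: the file contents are constructed samples based on the settings posted, `audit` and `smb_params` are hypothetical helper names, and the check for local uids falling inside the winbind uid range is an extra check the thread does not mention.

```python
import re

# Constructed samples mirroring the settings posted above.
SMB_CONF = """[global]
security = domain
winbind uid = 10000-20000
winbind gid = 10000-20000
"""
NSSWITCH = "passwd:  files  winbind\nshadow:  files\ngroup:  files winbind\n"
PAM_LOGIN = """auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
account sufficient /lib/security/pam_winbind.so
"""
PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n"

def smb_params(text):
    """Parse smb.conf into a dict; keys are lower-cased with whitespace collapsed."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(smb_conf, nsswitch, pam, passwd):
    """Return a list of problems found in the four file contents (hypothetical helper)."""
    problems = []
    params = smb_params(smb_conf)
    if params.get("security", "").lower() != "domain":
        problems.append("smb.conf: security is not 'domain'")
    rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", params.get("winbind uid", ""))
    if not rng:
        problems.append("smb.conf: winbind uid range missing or malformed")
    else:  # a local uid inside the winbind range would collide with a mapped domain user
        low, high = int(rng.group(1)), int(rng.group(2))
        for name, _, uid, *_ in (e.split(":") for e in passwd.splitlines() if e.count(":") >= 2):
            if uid.isdigit() and low <= int(uid) <= high:
                problems.append(f"passwd: local user {name} has uid {uid} inside the winbind range")
    nss = {k.strip(): v.split() for k, _, v in (l.partition(":") for l in nsswitch.splitlines())}
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            problems.append(f"nsswitch: '{db}' does not list winbind")
    active = [l.split() for l in pam.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for kind in ("auth", "account"):
        if not any(f[0] == kind and any("pam_winbind.so" in t for t in f[1:]) for f in active):
            problems.append(f"pam: no pam_winbind.so line for '{kind}'")
    return problems
```

To run it against a real system, pass in the contents of the actual files instead of the sample strings; an empty list means none of these checks failed.
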
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept comments from neobilly as answer
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

TheWeakestLink
EE Cleanup Volunteer

Author

Commented:
Thanks neobilly . . . your clarification resulted in a successful configuration of WinBind.
