fabianope asked:
Annoying Problem with SAMBA? (security = domain)
hello
I've installed SAMBA 2.0 on a SuSE 8.1 with the option security = domain in smb.conf.
I've successfully joined the domain with:
% smbpasswd -j DOMAIN -r PDC[a win-2000 server] -Uadministrator%my_admin_password
and I've carefully created the same users on both sides (windows PDC and samba-linux)
from the Windows side all goes well (permissions, shared printer attached to the linux machine, etc) and also from the linux side I have no
problems entering my win shares with konqueror (smb://PDC/share).
only an annoying problem in the linux environment: I must type the userid/pw every time I copy something from local into the windows share and (after a few minutes) also if I want to re-open the win share, always with konqueror.
does anybody know if a workaround to this problem exists?
for me the ideal scenario would be a windows_client-like behaviour on the linux client machine: only the log-in authentication and...all the win shares on the PDC associated to this user available with no more passwords via the konqueror smb://!
thanks a lot in advance for your reply,
Fabianope
ASKER CERTIFIED SOLUTION
ASKER
the linux config is SuSE 8.1 and samba 2.2.7a
I've configured winbind following the winbind.html file in the samba package documentation.
1. edited /etc/nsswitch.conf:
*************************
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
*************************
2. edited /etc/samba/smb.conf (the entire file follows; excuse the comments, originally in Italian):
*************************
#
# /etc/samba/smb.conf is the main samba configuration file. See the manual page
# of smb.conf and the included documentation in /usr/share/doc/packages/samba in
# order to understand the options listed here and many more features.
#
# Lines in this file which starts with ; and # are ignored by samba while
# parsing it. Therefor both signs mark a comment, but here we use a # to
# indicate a real comment and ; for a deactivated option. To activate such a
# feature just remove the leading semicolon.
#
# We suggest to use the command 'testparm' after any changes you made.
#
# Copyright (c) 1999 - 2002 SuSE Linux AG Nuernberg, Germany.
#
# Submit bugfixes or comments to http://www.suse.de/feedback/
#we define Aristotele as a member of the CAS domain, which has Platone as PDC
[global]
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
username map = /etc/samba/smbusers
time server = Yes
encrypt passwords = Yes
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
wins support = No
unix extensions = Yes
#****WINBIND****
# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
winbind uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
winbind gid = 10000-20000
# allow enumeration of winbind users and groups
# might need to disable these next two for performance
# reasons on the winbindd host
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet/sshd/etc... access)
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
#****END OF WINBIND CONF****
printing = CUPS
password server = platone
workgroup = CAS
os level = 2
printcap name = CUPS
syslog = 0
security = DOMAIN
log level = 1
#there are four different security levels:
#
# security = SHARE
#WfW 3.xx security level
#every user declared in the share's users has AT LEAST read privilege.
#it is also possible to let the guest user in.
#
# security = USER
#default setting in samba 2.0
#the user is asked to identify only once, at login time
#the supplied userid/pw is compared with the one held on the server.
#since passwords can be sent in the clear it's better to configure samba as follows:
#
# encrypt passwords = yes
# smb passwd file = /etc/samba/smbpasswd
#
#so as to avoid entirely the use of /etc/passwd and /etc/shadow
#
# security = SERVER
#this way the authentication mechanism is "offloaded" not onto the local machine
#but onto one or more servers defined in
# password server = NOME_SERVER1 NOME_SERVER2
#
# security = DOMAIN
#same as the previous option, but here authentication is entrusted to a PDC and/or BDC
#
#if desired we can limit the number of connections (commented out):
# max connections = 8
#note that
# max connections = 0
#allows an arbitrary number of simultaneous connections.
#we can also arbitrarily exclude hosts from connecting (commented out):
# hosts deny = 192.168.1.0/255.255.255.0
#excludes all hosts from 192.168.1.0 to 192.168.1.255
#Let every user access their own home directory read/write:
[homes]
browseable = No
writeable = Yes
#in the example, browseable = No means that the share is not visible to users other
#than the one the home belongs to.
# The following share gives all users access to the Server's CD drive,
# assuming it is mounted under /media/cdrom.
;[cdrom]
; comment = Linux CD-ROM
; path = /media/cdrom
; locking = No
[printers]
comment = All Printers
path = /var/tmp
# Make printers accessible without user authentication.
; guest ok = Yes
printable = Yes
create mask = 0600
browseable = No
# This share provides printer driver down- and upload in an Windows NT-style
# point-and-print way. For more detailed information consult the Printing
# Support Section of the Samba-HOWTO-Collection. For uploading take extra care
# to add the printer admins to the group lp.
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
# Make printer drivers accessible without user authentication.
; guest ok = Yes
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
#create mask and directory mask do the same job as chmod.
#Open the /tmp directory to all 192.168.0.x users, both read and write
#if you want to open it only to fabianope, uncomment valid users and comment out public.
#to fabianope-gnome we open it read-only instead (commented out)
[temp]
# valid users = fabianope, fabianope-gnome
public = yes
path = /tmp
read only = no
# read list = fabianope-gnome
#finally make sure that users cannot follow links leading outside /tmp:
follow symlinks = yes
wide links = no
#Finally open a public, read-only directory to all samba users
[public]
path = /home/samba/public
public = yes
writable = no
#we comment out the option to make it writable only by fabianope:
# write list = fabianope
#lastly, one more share example taken from Linux Magazine:
[programs]
path = /home/samba/shared_progs
comment = shared programs directory
writeable = no
write list = fabianope, fabianope-gnome
read list = @users
admin users = fabianope
#note here that the write privileges "override" the read privileges given to the users group (to which fabianope also belongs)
#note also that fabianope, with admin privileges, is effectively "root" inside the shared directory,
#even though he does not actually have those privileges on the system (/etc/passwd).
*************************
3. edited /etc/pam.d/login:
*************************
#%PAM-1.0
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth required pam_nologin.so
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account sufficient pam_winbind.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none # debug or trace
session required pam_limits.so
*************************
-all the daemons (smb, nmb, winbindd) start successfully
-I can see all the NT users with wbinfo -u
-I can see all the NT groups with wbinfo -g
-I can see all the user data with getent passwd
-I can see all the group data with getent group
but....
-I can't log in to the linux machine with an NT user (say DOMAIN+administrator), even though it is suggested in the login window.
-I can't find the "new" NT users inside /etc/passwd: is it normal?
-I can't find the directories of these users as presented by
#getent passwd
they have the form /home/winnt/DOMAIN/user
should I build them by hand?
-anyway, YaST->security and users->edit and create users doesn't allow me to modify the NT users
(aka DOMAIN+user) because it says that "+" is an invalid character in the username!
I've added more points to the question.
thanks a lot
Fabianope.
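As an added example (not part of the original thread, and not Samba's or SuSE's own code), the following Python script walks the auth stack posted above using the standard PAM control-flag semantics, so you can see why a DOMAIN+user login is refused: pam_unix2.so is marked requisite, so its failure for an account that does not exist in /etc/shadow aborts the stack before pam_winbind.so is ever consulted. The reordered stack inside the script is an assumed fix (pam_winbind first as sufficient, then pam_unix2.so as required with use_first_pass so the password is not asked twice); the user sets and the per-module verdicts are constructed for the simulation only.

```python
"""PAM auth-stack walk-through for the winbind login problem above.

Constructed example, not from the original post and not Samba/SuSE code.
It models only the three control flags used in the poster's /etc/pam.d/login
(required, requisite, sufficient) and two modules that matter here:
pam_unix2 (succeeds only for users present in the local files) and
pam_winbind (succeeds only for DOMAIN+user accounts known to winbindd).
Every other module is treated as one that always succeeds.
"""

# Constructed data: who each backend knows about (password assumed correct).
LOCAL_USERS = {"root", "fabianope"}
WINBIND_USERS = {"CAS+administrator", "CAS+fabianope"}

# The auth lines as posted in the question.
POSTED_AUTH_STACK = """
auth requisite  pam_unix2.so nullok #set_secrpc
auth required   pam_securetty.so
auth sufficient pam_winbind.so
auth required   pam_nologin.so
auth required   pam_env.so
auth required   pam_mail.so
"""

# Assumed fix: let pam_winbind run first; pam_unix2 becomes the fallback for
# local accounts and reuses the password already typed (use_first_pass).
REORDERED_AUTH_STACK = """
auth required   pam_securetty.so
auth sufficient pam_winbind.so
auth required   pam_unix2.so nullok use_first_pass
auth required   pam_nologin.so
auth required   pam_env.so
auth required   pam_mail.so
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, [args])] for one facility, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        entries.append((fields[1], fields[2], fields[3:]))
    return entries


def module_result(module, user):
    """Simulated verdict of one module for `user`."""
    if module == "pam_unix2.so":
        return user in LOCAL_USERS
    if module == "pam_winbind.so":
        return user in WINBIND_USERS
    return True  # securetty, nologin, env, mail: irrelevant to this question


def authenticate(stack_text, user):
    """Walk the auth stack with the classic PAM control-flag semantics.

    requisite  : failure aborts the stack immediately with failure.
    required   : failure is remembered, but the remaining modules still run.
    sufficient : success ends the stack with success unless an earlier
                 required module already failed; failure is simply ignored.
    """
    failed_required = False
    for control, module, _args in parse_stack(stack_text):
        ok = module_result(module, user)
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed_required = True
        if control == "sufficient" and ok and not failed_required:
            return True
    return not failed_required


def trace(stack_text, user):
    """Human-readable view of the same walk, for comparing the two stacks."""
    lines = []
    for control, module, _args in parse_stack(stack_text):
        verdict = "ok" if module_result(module, user) else "FAIL"
        lines.append(f"{control:<10} {module:<16} -> {verdict}")
    result = "allowed" if authenticate(stack_text, user) else "denied"
    lines.append(f"login for {user!r}: {result}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_AUTH_STACK), ("reordered", REORDERED_AUTH_STACK)):
        print(f"--- {name} stack ---")
        print(trace(stack, "CAS+administrator"))
        print(trace(stack, "fabianope"))
```

Run it and compare the two traces: with the posted order the domain account is denied at the first line, with the reordered one it is allowed while the local account still authenticates through pam_unix2. The same walk applies to the account stack, where the posted file already lists account sufficient pam_winbind.so before pam_unix2.so.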
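A second added example (again not from the thread and not Samba's own code) for the "should I build them by hand?" question: winbindd only maps the domain account into the passwd database, it never creates the home directory, so a missing /home/winnt/DOMAIN/user is expected and has to be created by hand or at login time by pam_mkhomedir. The script below reads getent-style passwd lines and, for every DOMAIN+user entry, verifies that the uid/gid fall inside the winbind uid/winbind gid ranges from the smb.conf above, that the home field matches the template homedir expansion (%D = domain, %U = user), and whether the directory exists. The passwd lines and the set of existing directories are constructed; nothing is created on disk.

```python
"""Sanity-check winbind-mapped accounts against the smb.conf posted above.

Constructed example, not from the original thread and not Samba's own code.
The passwd lines imitate `getent passwd` output under the poster's settings
(winbind separator = +, winbind uid/gid = 10000-20000,
template homedir = /home/winnt/%D/%U); the set of existing directories is
constructed as well, so the check runs offline and creates nothing.
"""

SEPARATOR = "+"
UID_RANGE = (10000, 20000)
GID_RANGE = (10000, 20000)
TEMPLATE_HOMEDIR = "/home/winnt/%D/%U"

# Constructed getent-style lines: one local account plus three domain accounts,
# one of them deliberately mapped outside the configured uid range.
GETENT_PASSWD = """\
fabianope:x:500:100:Fabianope:/home/fabianope:/bin/bash
CAS+administrator:x:10000:10000:Administrator:/home/winnt/CAS/administrator:/bin/bash
CAS+fabianope:x:10001:10000:Fabianope:/home/winnt/CAS/fabianope:/bin/bash
CAS+guest:x:25000:10001:Guest:/home/winnt/CAS/guest:/bin/bash
"""

# Constructed: directories that already exist on the host.
EXISTING_DIRS = {"/home/fabianope", "/home/winnt/CAS/fabianope"}


def expand_template(template, domain, user):
    """Expand the %D (domain) and %U (user) substitutions of template homedir."""
    return template.replace("%D", domain).replace("%U", user)


def check_accounts(passwd_text, existing_dirs):
    """Return {account: [problems]} for every DOMAIN+user entry; [] means clean."""
    report = {}
    for line in passwd_text.splitlines():
        name, _pw, uid, gid, _gecos, home, _shell = line.split(":")
        if SEPARATOR not in name:
            continue  # local account: not winbind's, nothing to check
        domain, user = name.split(SEPARATOR, 1)
        uid, gid = int(uid), int(gid)
        problems = []
        if not UID_RANGE[0] <= uid <= UID_RANGE[1]:
            problems.append(f"uid {uid} outside winbind uid range {UID_RANGE[0]}-{UID_RANGE[1]}")
        if not GID_RANGE[0] <= gid <= GID_RANGE[1]:
            problems.append(f"gid {gid} outside winbind gid range {GID_RANGE[0]}-{GID_RANGE[1]}")
        expected = expand_template(TEMPLATE_HOMEDIR, domain, user)
        if home != expected:
            problems.append(f"home {home} does not match template expansion {expected}")
        if home not in existing_dirs:
            problems.append(f"home directory {home} does not exist yet")
        report[name] = problems
    return report


def mkhomedir_plan(passwd_text, existing_dirs):
    """Dry-run plan: (path, uid, gid) for each missing domain home directory.

    Ownership follows the mapped uid/gid so the domain user can write there;
    the directory mode is left to whoever executes the plan.
    """
    plan = []
    for line in passwd_text.splitlines():
        name, _pw, uid, gid, _gecos, home, _shell = line.split(":")
        if SEPARATOR in name and home not in existing_dirs:
            plan.append((home, int(uid), int(gid)))
    return plan


if __name__ == "__main__":
    for account, problems in check_accounts(GETENT_PASSWD, EXISTING_DIRS).items():
        print(account, "->", "; ".join(problems) or "ok")
    for path, uid, gid in mkhomedir_plan(GETENT_PASSWD, EXISTING_DIRS):
        print(f"mkdir -p {path} && chown {uid}:{gid} {path}")
```

The plan is printed, not executed; on a real host you would feed it the actual getent passwd output and check the paths with os.path.isdir. The out-of-range uid case is the one to watch for: an account mapped outside the winbind uid range can collide with a local uid, which is exactly what the fixed ranges in smb.conf are meant to prevent.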
ASKER
thanks a lot for your reply
I've just downloaded the winbind documentation: this weekend I'll give it a try and on Sunday-Monday, if all goes OK, I'll send you the points
thanks again
Fabianope