Setup Linux to authenticate against a Samba server
This will show you how to setup Debian GNU/Linux to authenticate against a remote Samba server (Samba could also imply a Windows PDC too). It also details how to setup pam_mount to mount Samba shares automatically on login, so when a Samba user logs on to the Linux client, they get their $HOME as their home directory on the server. There’s also a shell script I devised to allow changing of passwords.
The article is based on a Linux client running Debian unstable and a Samba server running on a Debian stable server. It assumes you’ve already got a Samba server setup on a server and that it’s currently serving Windows style domain logons.
Before you start
You’re going to be changing files that effect the interactive login process – if you do something wrong you could (potentially) stop yourself from logging in to your machine. So before you start you may want to backup the /etc/nsswitch.conf file and the /etc/pam.d directory.
Installation on the client
# apt-get install winbind samba
That’s it 
Client configuration (Samba and NSS)
Edit /etc/samba/smb.conf and edit and/or add the following to it:
workgroup = YOURWORKGROUP security = domain encrypt passwords = yes password server = * idmap uid = 10000-20000 idmap gid = 10000-20000 template shell = /bin/bash template homedir = /home/%D/%U
As root, you need to mkdir /home/YOURWORKGROUP
Now edit /etc/nsswitch.conf so the passwd, group and shadow lines look like the following:
passwd: compat winbind group: compat winbind shadow: compat winbind
Testing things so far
Make sure the above has worked by running:
$ getent passwd
You should see your local /etc/passwd file, with the addition of the users from the remote Samba server at the bottom.
You may also be interested in:
$ wbinfo -u $ wbinfo -g
If the above commands don’t work for some reason, complete the steps in the following section below and try again. It may resolve the issues.
Add the client to the domain
You may need to join the Linux client to the Samba domain. On the Samba server, create a local account of the computer in /etc/passwd (otherwise Samba will complain later). For example, I added the following (as I always do):
oppressed$:x:1004:104::/dev/null:/bin/false
“oppressed” is the name of the Linux client. You append a dollar sign after the computer name to tell Samba it’s a computer account. I’ve added all computer accounts to a separate primary group (GID 104) called “computers”. This account has no home directory (hence /dev/null) and is unable to login interactivly (/bin/false) – no need to set a password.
Now on the client, run the following command:
# net join -S server_name -U Administrator
Where server_name, is the name of the remote Samba server and Administrator is a Samba user with administrator privs – I have mine as “root”. After running this, on the remote Samba machine, you should be able to cat /etc/samba/smbpasswd and see the computer account in there.
If net join gives you trouble, you could always just use smbpasswd -m on the remote Samba server.
Allowing Samba users to login to the client
You’re nearly there. You now need to edit PAM which controls interactive logins under Linux. All the PAM files to control logins can be found in /etc/pam.d
I found the easiest way to do this under Debian unstable was to edit just the following common files:
/etc/pam.d/common-auth
auth sufficient pam_winbind.so auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-account
account sufficient pam_winbind.so
/etc/pam.d/common-session
session required pam_unix.so nullok_secure session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Testing everything
Now you’re ready to test everything.
Switch to a console and enter the username in the format YOURWORKGROUPusername. For example, my workgroup (or SMB domain) is HEX, so to login as user “david”, I use HEXdavid
Hopefully, after entering your password you’ll be logged in:
Debian GNU/Linux testing/unstable oppressed tty1 oppressed login: HEXdavid Password: Last login: Thu Apr 22 03:20:31 2004 on tty1 Linux oppressed 2.6.5 #1 Tue Apr 20 17:23:40 BST 2004 i686 GNU/Linux I have no name!@oppressed:~$ pwd /home/HEX/david I have no name!@oppressed:~$
Mounting shares automatically using libpam-mount
Now you’ve got authentication working, you may want to automatically mount the users $HOME from the remote Samba server. This requires libpam-mount to be installed:
# apt-get install libpam-mount
Edit the /etc/security/pam_mount.conf file so it looks like:
debug 0 mkmountpoint 1 luserconf .pam_mount.conf options_allow nosuid,nodev options_deny suid,dev options_require nosuid,nodev lsof /usr/sbin/lsof %(MNTPT) fsck /sbin/fsck -p %(FSCKLOOP) cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -S -o "user=%(USER)%(before="," OPTIONS)" smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before="," OPTIONS)" smbumount /usr/bin/smbumount %(MNTPT) umount /bin/umount %(MNTPT) mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT) volume * smb server_name & /home/YOURWORKGROUP/& uid=&,gid=&,dmask=0700,workgroup=YOURWORKGROUP - -
Where server_name is the name of the remote Samba server and YOURWORKGROUP is the name of your workgroup or Samba domain.
You need to edit the following PAM files within /etc/pam.d in order to use pam_mount:
/etc/pam.d/common-auth
Before the pam_winbind.so line, add:
auth required pam_mount.so
Append use_first_pass to the end of the pam_winbind.so line.
/etc/pam.d/common-session
At the end of the file, after the pam_mkhomedir.so line add:
session optional pam_mount.so
Changing passwords
If you’re logged in as a Samba user, you can’t use the standard passwd command to change passwords. You need to use smbpasswd and tell it to change the password on the remote Samba server. For the average Joe, who maybe logs in via a Display Manager, remembering the syntax could be a burden.
For this reason I wrote a shell script that determines if the user is a Samba user or a local user and runs the correct password changing program. It will attempt to discover the remote Samba server as well.
#!/bin/sh # ## User defined settings # # Samba server - if left blank, will attempt to automatically discover it SERVER='' # Minimum winbind UID, as specfied in smb.conf MINUID=10000 # Maximum winbind UID, as speci
[Note: Unfortunately the original Text was cut off at some point earlier in the history of this page.]
Leave a Reply
You must be logged in to post a comment.