Setup Linux to authenticate against a Samba server

This will show you how to setup Debian GNU/Linux to authenticate against a remote Samba server (Samba could also imply a Windows PDC too). It also details how to setup pam_mount to mount Samba shares automatically on login, so when a Samba user logs on to the Linux client, they get their $HOME as their home directory on the server. There's also a shell script I devised to allow changing of passwords.

The article is based on a Linux client running Debian unstable and a Samba server running on a Debian stable server. It assumes you've already got a Samba server setup on a server and that it's currently serving Windows style domain logons.

Before you start

You're going to be changing files that effect the interactive login process - if you do something wrong you could (potentially) stop yourself from logging in to your machine. So before you start you may want to backup the /etc/nsswitch.conf file and the /etc/pam.d directory.

Installation on the client

 # apt-get install winbind samba

That's it :-)

Client configuration (Samba and NSS)

Edit /etc/samba/smb.conf and edit and/or add the following to it:

 workgroup = YOURWORKGROUP
 sercurity = domain
 encrypt passwords = yes
 password server = *
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 template shell = /bin/bash
 template homedir = /home/%D/%U 

As root, you need to mkdir /home/YOURWORKGROUP

Now edit /etc/nsswitch.conf so the passwd, group and shadow lines look like the following:

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

Testing things so far

Make sure the above has worked by running:

 $ getent passwd

You should see your local /etc/passwd file, with the addition of the users from the remote Samba server at the bottom.

You may also be interested in:

 $ wbinfo -u
 $ wbinfo -g

If the above commands don't work for some reason, complete the steps in the following section below and try again. It may resolve the issues.

Add the client to the domain

You may need to join the Linux client to the Samba domain. On the Samba server, create a local account of the computer in /etc/passwd (otherwise Samba will complain later). For example, I added the following (as I always do):

 oppressed$:x:1004:104::/dev/null:/bin/false

"oppressed" is the name of the Linux client. You append a dollar sign after the computer name to tell Samba it's a computer account. I've added all computer accounts to a seperate primary group (GID 104) called "computers". This account has no home directory (hence /dev/null) and is unable to login interactivly (/bin/false) - no need to set a password.

Now on the client, run the following command:

 # net join -S server_name -U Administrator

Where server_name, is the name of the remote Samba server and Administrator is a Samba user with administrator privs - I have mine as "root". After running this, on the remote Samba machine, you should be able to cat /etc/samba/smbpasswd and see the computer account in there.

If net join gives you trouble, you could always just use smbpasswd -m on the remote Samba server.

Allowing Samba users to login to the client

You're nearly there. You now need to edit PAM which controls interactive logins under Linux. All the PAM files to control logins can be found in /etc/pam.d

I found the easiest way to do this under Debian unstable was to edit just the following common files:

/etc/pam.d/common-auth

 auth    sufficient      pam_winbind.so
 auth    required        pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-account

 account sufficient      pam_winbind.so

/etc/pam.d/common-session

 session required        pam_unix.so nullok_secure
 session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022

Testing everything

Now you're ready to test everything.

Switch to a console and enter the username in the format YOURWORKGROUP\username. For example, my workgroup (or SMB domain) is HEX, so to login as user "david", I use HEX\david

Hopefully, after entering your password you'll be logged in:

 Debian GNU/Linux testing/unstable oppressed tty1
 
 oppressed login: HEX\david
 Password:
 Last login: Thu Apr 22 03:20:31 2004 on tty1
 Linux oppressed 2.6.5 #1 Tue Apr 20 17:23:40 BST 2004 i686 GNU/Linux
 I have no name!@oppressed:~$ pwd
 /home/HEX/david
 I have no name!@oppressed:~$

Mounting shares automatically using libpam-mount

Now you've got authentication working, you may want to automatically mount the users $HOME from the remote Samba server. This requires libpam-mount to be installed:

 # apt-get install libpam-mount

Edit the /etc/security/pam_mount.conf file so it looks like:

 debug 0
 mkmountpoint 1
 luserconf .pam_mount.conf
 
 options_allow   nosuid,nodev
 options_deny    suid,dev
 options_require nosuid,nodev
 
 lsof /usr/sbin/lsof %(MNTPT)
 fsck /sbin/fsck -p %(FSCKLOOP)
 cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -S -o "user=%(USER)%(before=\",\" OPTIONS)"
 smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
 smbumount /usr/bin/smbumount %(MNTPT)
 umount   /bin/umount %(MNTPT)
 mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT) 

 volume * smb server_name &       /home/YOURWORKGROUP/&     uid=&,gid=&,dmask=0700,workgroup=YOURWORKGROUP - -

Where server_name is the name of the remote Samba server and YOURWORKGROUP is the name of your workgroup or Samba domain.

You need to edit the following PAM files within /etc/pam.d in order to use pam_mount:

/etc/pam.d/common-auth

Before the pam_winbind.so line, add:

 auth    required        pam_mount.so

Append use_first_pass to the end of the pam_winbind.so line.

/etc/pam.d/common-session

At the end of the file, after the pam_mkhomedir.so line add:

 session optional        pam_mount.so

Changing passwords

If you're logged in as a Samba user, you can't use the standard passwd command to change passwords. You need to use smbpasswd and tell it to change the password on the remote Samba server. For the average Joe, who maybe logs in via a Display Manager, remembering the syntax could be a burden.

For this reason I wrote a shell script that determines if the user is a Samba user or a local user and runs the correct password changing program. It will attempt to discover the remote Samba server as well.

 #!/bin/sh
 #
 
 ## User defined settings
 #
 # Samba server - if left blank, will attempt to automatically discover it
 SERVER=''
 # Minimum winbind UID, as specfied in smb.conf
 MINUID=10000
 # Maximum winbind UID, as speci

[Note: Unfortunately the original Text was cut off at some point earlier in the history of this page.]

LinuxHints/SambaAuth (last edited 2010-09-07 08:23:16 by 195)