[olug] Samba on an NT Domain
Nick Walter
waltern at iivip.com
Mon Jul 29 19:29:39 UTC 2002
Don't worry about synchronizing Linux/NT passwords. Just tell Linux to
allow users to use either one (no really, this works!). Through the
magic of pam_smb, Linux can authenticate users against the NT domain for
things like logon sessions, ftp sessions, etc.
To set it up, just configure /etc/pam_smb.conf and /etc/pam.d/login.
Add this line to the /etc/pam.d/login file:
auth required /lib/security/pam_smb_auth.so
Add the line *after* all the other "auth" lines. Also change the
"required" to "sufficient" in the first pam_stack.so line. This will
allow users to log on with either their NT or Linux password.
Also, configure /etc/pam_smb.conf. It needs three one-word lines.
The first line is the name of the domain, the second line is the PDC,
and the third line is a BDC. For example:
MYDOMAIN
SERVER1
SERVER2
Once those changes are made, it should work like a charm.
Nick Walter
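The two edits above are easy to get subtly wrong (the wrong line marked sufficient, or pam_smb_auth.so landing in the middle of the auth stack), so here is an added check script. It is not part of the original post or of pam_smb; it encodes only the ordering rules the post states and runs against constructed copies of the files, never the live /etc. It assumes the Red Hat 7.2 layout named in the thread (/etc/pam.d/login built on pam_stack.so, pam_smb_auth.so under /lib/security); the sample file contents and hostnames are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the two files the
# post tells you to edit, run against constructed copies rather than the live
# /etc files. Assumes the Red Hat 7.2 layout named in the thread
# (/etc/pam.d/login using pam_stack.so, pam_smb_auth.so under /lib/security)
# and encodes only the ordering rules stated in the post.

# check_pam_login FILE: succeed if the auth stack in FILE is ordered as the
# post describes:
#   - the first pam_stack.so auth line is "sufficient", so a correct Linux
#     password alone ends the auth stack with success;
#   - exactly one auth line loads pam_smb_auth.so, marked "required";
#   - that line is the last auth line, so the NT domain is consulted only
#     after every other auth module (including the local check) has run.
check_pam_login() {
    awk '
        $1 == "auth" {
            n++
            if ($3 ~ /pam_stack\.so/ && !seen_stack) {
                seen_stack = 1
                if ($2 != "sufficient") {
                    print "first pam_stack.so auth line must be sufficient, is " $2; bad = 1
                }
            }
            if ($3 ~ /pam_smb_auth\.so/) {
                smb++; smb_pos = n
                if ($2 != "required") { print "pam_smb_auth.so line must be required, is " $2; bad = 1 }
            }
        }
        END {
            if (smb != 1) { print "expected one pam_smb_auth.so auth line, found " smb + 0; bad = 1 }
            else if (smb_pos != n) { print "pam_smb_auth.so must be the last auth line"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# check_pam_smb_conf FILE: succeed if FILE is exactly three one-word lines
# (domain, PDC, BDC), which is all the post says pam_smb.conf may hold.
check_pam_smb_conf() {
    awk '
        NF != 1 { print "line " NR " must be exactly one word: \"" $0 "\""; bad = 1 }
        END {
            if (NR != 3) { print "expected 3 lines (DOMAIN, PDC, BDC), found " NR; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample of /etc/pam.d/login after the post's two edits.
write_good_login() {
    cat >"$1" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_smb_auth.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
EOF
}

# Constructed mistake: pam_smb_auth.so inserted before pam_stack.so and
# pam_stack.so left as "required", so the NT password is never enough alone.
write_bad_login() {
    cat >"$1" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_smb_auth.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
EOF
}

# Constructed /etc/pam_smb.conf from the post (domain, PDC, BDC).
write_good_smb_conf() {
    printf 'MYDOMAIN\nSERVER1\nSERVER2\n' >"$1"
}

# Constructed mistake: a two-word line and a missing BDC.
write_bad_smb_conf() {
    printf 'MYDOMAIN SERVER1\nSERVER2\n' >"$1"
}

# Demo run on the constructed files.
demo() {
    tmp=$(mktemp -d) || return 1
    write_good_login "$tmp/login"; write_bad_login "$tmp/login.bad"
    write_good_smb_conf "$tmp/pam_smb.conf"; write_bad_smb_conf "$tmp/pam_smb.conf.bad"
    check_pam_login "$tmp/login" && echo "login: OK"
    check_pam_login "$tmp/login.bad" || echo "login.bad: rejected as expected"
    check_pam_smb_conf "$tmp/pam_smb.conf" && echo "pam_smb.conf: OK"
    check_pam_smb_conf "$tmp/pam_smb.conf.bad" || echo "pam_smb.conf.bad: rejected as expected"
    rm -rf "$tmp"
}

demo
```

One caveat the check cannot see for you: in PAM, a "sufficient" module that succeeds (with no earlier "required" failure) ends the auth stack at once, so any auth module listed below the sufficient pam_stack.so line, pam_nologin.so in the sample above, is skipped for every user whose Linux password is accepted. Put modules that must always run, such as pam_securetty.so, above it. And as the post says, the Linux account still has to exist; pam_smb only replaces the password check, not the account.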
On Mon, 2002-07-29 at 14:01, William E. Kempf wrote:
> ----- Original Message -----
> From: "Phil Brutsche" <phil at brutsche.us>
> To: <olug at olug.org>
> Sent: Friday, July 26, 2002 8:09 PM
> Subject: Re: [olug] Samba on an NT Domain
>
>
> > William E. Kempf wrote:
> > > Anyone know how to get a Linux box up and running under an NT PDC
> Domain?
> >
> > I've got a little experience with that :)
> >
> > > I've set the /etc/samba/smb.conf file to read:
> > >
> > > encrypt passwords = yes
> > > security = domain
> > > workgroup = DOMAIN_NAME
> > > password server = *
> > >
> > > I've run the command:
> > >
> > > # smbpasswd -r DOMAIN_PDC -j DOMAIN_NAME
> > >
> > > I get the error:
> > >
> > > cli_net_req_chal: Error NT_STATUS_INVALID_COMPUTER_NAME
> > > cli_nt_setup_creds: request challenge failed
> > > modify_trust_password: unable to setup the PDC credentials to
> DOMAIN_PDC.
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > > Error was NT_STATUS_INVALID_COMPUTER_NAME.
> > > 2002/07/26 12:00:00 : change_trust_account_password: Failed to change
> > > password for domain DOMAIN_NAME.
> > > Unable to join domain DOMAIN_NAME.
> >
> > When you join a domain you need to specify a username that has the
> > authority to join a machine to the domain:
> >
> > smbpasswd -r DOMAIN_PDC -j DOMAIN_NAME -U administrator
>
> The machine name was already registered on the domain, so this wasn't
> needed. The problem was a rather stupid one. I had one of our NT admins
> helping to configure this box initially, and he changed the network
> configuration so the domain was the NT domain, rather than the actual
> network domain. I thought this was wrong at the time, but let him go ahead
> with it. Switching this back to the network domain allowed the smbpasswd
> command to execute without error, and now the box is found on the NT
> domain.
>
> Now I need help with administering this box. I'm having some difficulty
> with user/password management. The documentation can get quite confusing in
> places where I *think* some options apply when the Samba box is acting as a
> PDC rather than being connected to an NT PDC. I set up smb.conf to include
> the following options:
>
> passwd program = /usr/bin/passwd %u
> passwd chat = *password* %n\n *password* %n\n *updated*
> unix password sync = yes
>
> (This is on a RH 7.2 box.)
>
> Executing smbpasswd to change a users password reports success, and an su
> into that account works with the newly supplied password making me think
> everything is fine with the world. However, if I go back to the NT box and
> try to logon to the domain with that user, the password has not been
> changed. By the same token, changing the password on the NT domain has no
> effect on the smbpasswd or account password on the RH box. Any ideas what
> I've done wrong here?
>
> The next question is whether or not there's any way to automatically add
> user accounts from the NT domain. We plan to use this box as a CVS server,
> and it would be nice if any user added to the NT domain would be given
> access to the CVS repository (through ssh) without the need for adding them
> to the Linux box as well.
>
> Bill Kempf
>
> -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
> For help contact olug-help at olug.org - run by ezmlm
> to unsubscribe, send mail to olug-unsubscribe at olug.org
> or `mail olug-unsubscribe at olug.org < /dev/null`
> (c)1998-2002 OLUG http://www.olug.org
>
> -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
>