Use the Winbind service to authenticate Window200xPDC for you

Perhaps most of your company's servers run Windows, and you have created a Windows 200x domain to manage all of the company's machines and users. The domain works well and the permissions of all users are set up sensibly. Now you want to add a Linux or BSD machine to provide services such as FTP and Samba to company users, because these programs are more efficient and safer on Linux and BSD than on Windows. One problem you will run into is that you have to add many new users on each new Linux or BSD server and set their permissions and passwords; if your company has many employees, this gets tiresome.
  
But since the authentication information of all users already exists in the domain, why not make good use of it :) The winbind service in Samba 3 gives us exactly such a channel. First, add the Linux server to the Windows 200x domain so that it becomes a member server of the domain. Then use the winbind service to forward authentication requests to the PDC, which authenticates the user. As long as winbind and PAM are set up properly, you can use the PDC to authenticate the FTP, Samba and SSH services on your Linux or BSD server. Isn't that nice?
The following describes how to use winbind + PAM to have the PDC authenticate the sshd and Samba services on Red Hat 7.3:
  
   1. Related software:
Samba 3.0.7 and pam-0.75-32 (I will not cover the installation of these packages; refer to the relevant documents on CU).
  
   2. Implementation:
1) After Samba is built, copy the libnss_winbind.so library into the /lib directory:
cp ../samba/source/nsswitch/libnss_winbind.so /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
  
2) Edit /etc/nsswitch.conf as follows so that winbind becomes a source of passwd and group information:
passwd: files winbind
shadow: files
group: files winbind
  
3) Run ldconfig so that the libnss_winbind.so library can be used by winbind without restarting the machine; if that does not work, reboot.
/sbin/ldconfig -v | grep winbind
  
4) Edit smb.conf and add the following lines in the [global] section:
# separate domain and username with '/', like DOMAIN/username
winbind separator = /
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/%D/%U
template shell = /bin/bash
winbind separator is the separator between the domain name and the user or group name; I set it to '/'.
idmap uid and idmap gid are the ID ranges winbind uses to map Windows 200x domain users and groups to local users and groups; if you have many users, widen the gap between the two values. template homedir is the home directory after the user logs on; I set it to /home/<domain name>/<user name>. template shell is the shell after the user logs on; if you want the PDC to authenticate your sshd, add this line to give the user a shell.
  
5) Use the net join command of Samba 3 to add this machine to the Windows 200x domain:
/usr/local/samba/bin/net rpc join -S pdc -U Administrator
Enter the domain administrator password when prompted; Administrator is the domain administrator account. pdc is your domain's PDC, and you can use its NetBIOS name.
  
6) Start the winbindd service:
/usr/local/samba/sbin/winbindd
  
7) Run wbinfo to view the users and groups of the domain that winbindd has fetched from the PDC:
  
[root@LogBack wy]# wbinfo -u
WY/Administrator
WY/Guest
WY/krbtgt
WY/wuying
WY/wy
  
The domain name (WY) is before the '/', and the user name is after it.
  
[root@LogBack wy]# wbinfo -g
BUILTIN/System Operators
BUILTIN/Replicators
BUILTIN/Guests
BUILTIN/Power Users
BUILTIN/Print Operators
BUILTIN/Administrators
BUILTIN/Account Operators
BUILTIN/Backup Operators
BUILTIN/Users
WY/Domain Admins
WY/Domain Users
WY/Domain Guests
WY/Domain Computers
WY/Domain Controllers
WY/Cert Publishers
WY/Schema Admins
WY/Enterprise Admins
WY/Group Policy Creator Owners
WY/DnsUpdateProxy
  
The domain name (WY) is before the '/', and the domain group name is after it.
With getent passwd and getent group you can view the users and groups of both the local server and the domain.
By now more than half of the work is done: the winbindd service is working properly :)
  
8) Go to the Samba 3.0.7 source directory, build the pam_winbind.so authentication module, and copy it to /lib/security:
make nsswitch/pam_winbind.so
cp ../samba/source/nsswitch/pam_winbind.so /lib/security
  
9) Now set up PAM. Back up your /etc/pam.d directory before making changes. If you misconfigure PAM for sshd or another login service, you may no longer be able to log in through ssh, so be careful with this step.
The following is my modified /etc/pam.d/sshd:
  
[root@LogBack wy]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       sufficient /lib/security/pam_winbind.so
auth       required   /lib/security/pam_stack.so service=system-auth
auth       required   /lib/security/pam_nologin.so
account    sufficient /lib/security/pam_winbind.so
account    required   /lib/security/pam_stack.so service=system-auth
password   required   /lib/security/pam_stack.so service=system-auth
session    required   /lib/security/pam_stack.so service=system-auth
session    required   /lib/security/pam_limits.so
session    required   /lib/security/pam_mkhomedir.so
session    optional   /lib/security/pam_console.so
  
The two lines containing pam_winbind.so were added for winbind authentication.
The line containing pam_mkhomedir.so was also added, to create the home directory and login scripts for a domain user automatically at first login; otherwise you end up in the root directory as soon as you log in. Note that the home directory path is the template homedir value you set in smb.conf; mine is /home/WY/<user name>. The /home/WY directory must be created by hand, otherwise the user cannot log in. I set its permissions to 1777: everyone can write into the directory, but only a file's owner can delete it, just like /tmp.
Try again from another machine using ssh:
  
[wy@wy1 RPMS]$ ssh wy/wuying@172.16.130.35
wy/wuying@172.16.130.35's password:
Last login: Sat Oct 30 19:57:47 2004 from 172.16.130.36
[WY/wuying@LogBack wuying]$ id
uid=10003(WY/wuying) gid=10009(WY/Domain Users) groups=10009(WY/Domain Users)
[WY/wuying@LogBack wuying]$
  
OK, we have succeeded. WY/wuying has the form "domain name/user name", and this domain user is mapped to a local user with uid 10003.
  
The following is my /etc/pam.d/samba configuration file:
  
[root@LogBack wy]# cat /etc/pam.d/samba
#%PAM-1.0
auth    required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
  
Then add the following share at the end of smb.conf:
  
[ADMshare]
comment = admin dir
path = /home/WY/administrator
valid users = "WY+Domain Admins"
public = no
writable = yes
printable = no
create mask = 0775
directory mask = 0775
  
In this way, only members of the Domain Admins group of the WY domain can write to the ADMshare share. Isn't that easier to manage? If a domain user's password is changed, we do not need to change it on every Linux server, since winbind authenticates against the Windows 200x PDC; where else would we change the password?
  
Unzip the PDF in the docs directory. Everything I described is in chapters 6 and 20 of Samba-HOWTO-Collection.pdf, where the related concepts are explained well. If any expert has time to translate these documents into Chinese, it would be a blessing for CU. That's all, I'm going home.
  