[olug] Samba on an NT Domain

Nick Walter waltern at iivip.com
Mon Jul 29 19:29:39 UTC 2002


Don't worry about synchronizing Linux/NT passwords.  Just tell Linux to
allow users to use either one (no really, this works!). Through the
magic of pam_smb Linux can authenticate users against the NT domain for
things like logon sessions, ftp sessions, etc.  

To set it up, just configure /etc/pam_smb.conf and /etc/pam.d/login.

Add this line to the /etc/pam.d/login file

auth required /lib/security/pam_smb_auth.so

Add the line *after* all the other "auth" lines.  Also change the
"required" to "sufficient" in the first pam_stack.so line.  This will
allow users to log on with either their NT or Linux password.

Also, configure /etc/pam_smb.conf.  It needs three one-word lines. 
First line is the name of the domain, second line is the PDC, third line
is a BDC.  For Example:

MYDOMAIN
SERVER1
SERVER2

Once those changes are made, it should work like a charm.

Nick Walter
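As an added illustration (this is not code from the original post or from the pam_smb project), the following shell script lints the two files described above before you log out, since a mis-ordered /etc/pam.d/login can lock you out of the box. It assumes the Red Hat 7.x layout of /etc/pam.d/login (pam_stack.so, modules under /lib/security); file paths are passed as arguments so the checks can be run on copies rather than the live files, and the sample files built inside demo_pam_smb_checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from pam_smb itself.
# Lints a pam_smb setup before you log out, since a mis-ordered
# /etc/pam.d/login can lock you out of the box.
# Assumptions: Red Hat 7.x-style /etc/pam.d/login using pam_stack.so with
# modules under /lib/security; file paths are passed in so the checks can be
# run against copies rather than the live files in /etc.

# check_pam_login FILE
# Verifies the two edits described in the post:
#   1. pam_smb_auth.so is the LAST "auth" line, so every local check runs first
#   2. the first "auth ... pam_stack.so" line is "sufficient"; if it stays
#      "required", a wrong Linux password fails the whole stack and the NT
#      password is never consulted
check_pam_login() {
    file=$1
    auth_lines=$(grep -v '^[[:space:]]*#' "$file" | awk '$1 == "auth"')
    if [ -z "$auth_lines" ]; then
        echo "$file: no auth lines found" >&2; return 1
    fi
    last=$(printf '%s\n' "$auth_lines" | tail -n 1)
    case $last in
        *pam_smb_auth.so*) ;;
        *) echo "$file: pam_smb_auth.so is not the last auth line" >&2; return 1 ;;
    esac
    first_stack=$(printf '%s\n' "$auth_lines" | grep 'pam_stack\.so' | head -n 1)
    if [ -z "$first_stack" ]; then
        echo "$file: no pam_stack.so auth line found" >&2; return 1
    fi
    ctrl=$(printf '%s\n' "$first_stack" | awk '{ print $2 }')
    if [ "$ctrl" != "sufficient" ]; then
        echo "$file: first pam_stack.so auth line is '$ctrl', expected 'sufficient'" >&2
        return 1
    fi
    return 0
}

# check_pam_smb_conf FILE
# pam_smb.conf must be exactly three one-word lines: domain, PDC, BDC.
check_pam_smb_conf() {
    file=$1
    n=$(grep -c . "$file" || true)
    if [ "$n" -ne 3 ]; then
        echo "$file: expected 3 non-empty lines (domain, PDC, BDC), found $n" >&2
        return 1
    fi
    if grep -q '[[:space:]]' "$file"; then
        echo "$file: every line must be a single word" >&2; return 1
    fi
    return 0
}

# demo_pam_smb_checks: runs both checks over CONSTRUCTED sample files (not
# copied from any real host). Returns 0 when the correct files pass and the
# mis-ordered ones are rejected.
demo_pam_smb_checks() {
    tmp=$(mktemp -d) || return 1
    # correct: pam_stack.so made sufficient, pam_smb_auth.so appended last
    cat > "$tmp/login.good" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_smb_auth.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
EOF
    # wrong: pam_stack.so still required, pam_smb_auth.so not last
    cat > "$tmp/login.bad" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_smb_auth.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
EOF
    printf 'MYDOMAIN\nSERVER1\nSERVER2\n' > "$tmp/pam_smb.conf.good"
    printf 'MYDOMAIN\nSERVER1 SERVER2\n' > "$tmp/pam_smb.conf.bad"

    rc=0
    check_pam_login "$tmp/login.good"                      || rc=1
    check_pam_login "$tmp/login.bad" 2>/dev/null           && rc=1
    check_pam_smb_conf "$tmp/pam_smb.conf.good"            || rc=1
    check_pam_smb_conf "$tmp/pam_smb.conf.bad" 2>/dev/null && rc=1
    rm -rf "$tmp"
    return $rc
}

demo_pam_smb_checks && echo "pam_smb checks: OK"
```

Two things worth keeping in mind when you apply the edit for real: once the pam_stack.so line is "sufficient", a successful local password ends the auth phase right there, so any auth module listed after it (pam_nologin.so in the stock Red Hat file) no longer runs for users who have a local password; and because a typo in /etc/pam.d/login affects every new login, keep a root shell open on a second console and test a fresh login before closing it.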

On Mon, 2002-07-29 at 14:01, William E. Kempf wrote:
> ----- Original Message -----
> From: "Phil Brutsche" <phil at brutsche.us>
> To: <olug at olug.org>
> Sent: Friday, July 26, 2002 8:09 PM
> Subject: Re: [olug] Samba on an NT Domain
> 
> 
> > William E. Kempf wrote:
> > > Anyone know how to get a Linux box up and running under an NT PDC
> Domain?
> >
> > I've got a little experience with that :)
> >
> > > I've set the /etc/samba/smb.conf file to read:
> > >
> > > encrypt passwords = yes
> > > security = domain
> > > workgroup = DOMAIN_NAME
> > > password server = *
> > >
> > > I've run the command:
> > >
> > > # smbpasswd -r DOMAIN_PDC -j DOMAIN_NAME
> > >
> > > I get the error:
> > >
> > > cli_net_req_chal: Error NT_STATUS_INVALID_COMPUTER_NAME
> > > cli_nt_setup_creds: request challenge failed
> > > modify_trust_password: unable to setup the PDC credentials to
> DOMAIN_PDC.
> >                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > > Error was NT_STATUS_INVALID_COMPUTER_NAME.
> > > 2002/07/26 12:00:00 : change_trust_account_password: Failed to change
> > > password for domain DOMAIN_NAME.
> > > Unable to join domain DOMAIN_NAME.
> >
> > When you join a domain you need to specify a username that has the
> > authority to join a machine to the domain:
> >
> > smbpasswd -r DOMAIN_PDC -j DOMAIN_NAME -U administrator
> 
> The machine name was already registered on the domain, so this wasn't
> needed.  The problem was a rather stupid one.  I had one of our NT admins
> helping to configure this box initially, and he changed the network
> configuration so the domain was the NT domain, rather than the actual
> network domain.  I thought this was wrong at the time, but let him go ahead
> with it.  Switching this back to the network domain allowed the smbpasswd
> command to execute without error, and now the box is found on the NT
> domain.
> 
> Now I need help with administering this box.  I'm having some difficulty
> with user/password management.  The documentation can get quite confusing in
> places where I *think* some options apply when the Samba box is acting as a
> PDC rather than being connected to an NT PDC.  I setup smb.conf to include
> the following options:
> 
> passwd program = /usr/bin/passwd %u
> passwd chat = *password* %n\n *password* %n\n *updated*
> unix password sync = yes
> 
> (This is on a RH 7.2 box.)
> 
> Executing smbpasswd to change a user's password reports success, and an su
> into that account works with the newly supplied password, making me think
> everything is fine with the world.  However, if I go back to the NT box and
> try to logon to the domain with that user, the password has not been
> changed.  By the same token, changing the password on the NT domain has no
> effect on the smbpasswd or account password on the RH box.  Any ideas what
> I've done wrong here?
> 
> The next question is whether or not there's any way to automatically add
> user accounts from the NT domain.  We plan to use this box as a CVS server,
> and it would be nice if any user added to the NT domain would be given
> access to the CVS repository (through ssh) without the need for adding them
> to the Linux box as well.
> 
> Bill Kempf
> 



-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

For help contact olug-help at olug.org - run by ezmlm
to unsubscribe, send mail to olug-unsubscribe at olug.org
or `mail olug-unsubscribe at olug.org < /dev/null`
(c)1998-2002 OLUG http://www.olug.org

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_