[olug] Samba on an NT Domain

Nick Walter waltern at iivip.com
Mon Jul 29 19:40:29 UTC 2002


Ugh, I scrambled up that e-mail didn't I? The paragraph starting with
"add the line *after* . . ." should have read:

add the line *after* all the other auth lines.  Also change the
"required" to "sufficient" in the first pam_stack.so line.  This will
allow users to log on with either their NT or Linux password.

Nick Walter


On Mon, 2002-07-29 at 14:29, Nick Walter wrote:
> Don't worry about synchronizing Linux/NT passwords.  Just tell Linux to
> allow users to use either one (no really, this works!). Through the
> magic of pam_smb Linux can authenticate users against the NT domain for
> things like logon sessions, ftp sessions, etc.  
> 
> To set it up, just configure /etc/pam_smb.conf and /etc/pam.d/login.
> 
> Add this line to the /etc/pam.d/login file
> 
> auth required /lib/security/pam_smb_auth.so
> 
> add the line *after* all the other "To set it up, just configure
> /etc/pam_smb.conf and /etc/pam.d/login auth" lines.  Also change the
> "required" to "sufficient" in the first pam_stack.so line.  This will
> allow users to log on with either their NT or Linux password.
> 
> Also, configure /etc/pam_smb.conf.  It needs three one-word lines. 
> First line is the name of the domain, second line is the PDC, third line
> is a BDC.  For example:
> 
> MYDOMAIN
> SERVER1
> SERVER2
> 
> Once those changes are made, it should work like a charm.
> 
> Nick Walter
> 
> 
> 
> 
> 
> 
> On Mon, 2002-07-29 at 14:01, William E. Kempf wrote:
> > ----- Original Message -----
> > From: "Phil Brutsche" <phil at brutsche.us>
> > To: <olug at olug.org>
> > Sent: Friday, July 26, 2002 8:09 PM
> > Subject: Re: [olug] Samba on an NT Domain
> > 
> > 
> > > William E. Kempf wrote:
> > > > Anyone know how to get a Linux box up and running under an NT PDC Domain?
> > >
> > > I've got a little experience with that :)
> > >
> > > > I've set the /etc/samba/smb.conf file to read:
> > > >
> > > > encrypt passwords = yes
> > > > security = domain
> > > > workgroup = DOMAIN_NAME
> > > > password server = *
> > > >
> > > > I've run the command:
> > > >
> > > > # smbpasswd -r DOMAIN_PDC -j DOMAIN_NAME
> > > >
> > > > I get the error:
> > > >
> > > > cli_net_req_chal: Error NT_STATUS_INVALID_COMPUTER_NAME
> > > > cli_nt_setup_creds: request challenge failed
> > > > modify_trust_password: unable to setup the PDC credentials to
> > DOMAIN_PDC.
> > >                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >
> > > > Error was NT_STATUS_INVALID_COMPUTER_NAME.
> > > > 2002/07/26 12:00:00 : change_trust_account_password: Failed to change
> > > > password for domain DOMAIN_NAME.
> > > > Unable to join domain DOMAIN_NAME.
> > >
> > > When you join a domain you need to specify a username that has the
> > > authority to join a machine to the domain:
> > >
> > > smbpasswd -r DOMAIN_PDC -j DOMAIN_NAME -U administrator
> > 
> > The machine name was already registered on the domain, so this wasn't
> > needed.  The problem was a rather stupid one.  I had one of our NT admins
> > helping to configure this box initially, and he changed the network
> > configuration so the domain was the NT domain, rather than the actual
> > network domain.  I thought this was wrong at the time, but let him go ahead
> > with it.  Switching this back to the network domain allowed the smbpasswd
> > command to execute without error, and now the box is found on the NT
> > domain.
> > 
> > Now I need help with administering this box.  I'm having some difficulty
> > with user/password management.  The documentation can get quite confusing in
> > places where I *think* some options apply when the Samba box is acting as a
> > PDC rather than being connected to an NT PDC.  I set up smb.conf to include
> > the following options:
> > 
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *password* %n\n *password* %n\n *updated*
> > unix password sync = yes
> > 
> > (This is on a RH 7.2 box.)
> > 
> > Executing smbpasswd to change a user's password reports success, and an su
> > into that account works with the newly supplied password making me think
> > everything is fine with the world.  However, if I go back to the NT box and
> > try to logon to the domain with that user, the password has not been
> > changed.  By the same token, changing the password on the NT domain has no
> > effect on the smbpasswd or account password on the RH box.  Any ideas what
> > I've done wrong here?
> > 
> > The next question is whether or not there's any way to automatically add
> > user accounts from the NT domain.  We plan to use this box as a CVS server,
> > and it would be nice if any user added to the NT domain would be given
> > access to the CVS repository (through ssh) without the need for adding them
> > to the Linux box as well.
> > 
> > Bill Kempf
> > 
> > -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> > 
> > For help contact olug-help at olug.org - run by ezmlm
> > to unsubscribe, send mail to olug-unsubscribe at olug.org
> > or `mail olug-unsubscribe at olug.org < /dev/null`
> > (c)1998-2002 OLUG http://www.olug.org
> > 
> > -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> > 
> > 
> 
> 
> 
> 
> 
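
Added example (not part of the original e-mails): a simplified Python model of how PAM walks the auth lines, showing why the first pam_stack.so line has to become "sufficient" once pam_smb_auth.so is appended as "required". The pam_securetty.so and pam_nologin.so lines and the helper names are assumptions made for illustration; only the pam_stack.so and pam_smb_auth.so lines come from the thread.

```python
# Simplified model of libpam's evaluation of one service's "auth" lines.
# Handles required / requisite / sufficient / optional only.

def run_auth_stack(stack, results):
    """stack: [(control, module)], results: {module: True/False}.
    Returns (authenticated, modules_consulted)."""
    required_failed = False
    succeeded = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, consulted      # success ends the stack here
            continue                        # a sufficient failure is ignored
        if control == "optional":
            succeeded = succeeded or ok     # optional failures are ignored
            continue
        if ok:
            succeeded = True
        else:
            required_failed = True
            if control == "requisite":
                return False, consulted     # requisite failure ends the stack
    return succeeded and not required_failed, consulted

STACK = "pam_stack.so service=system-auth"   # local (Linux) password check
SMB = "pam_smb_auth.so"                      # NT domain password check

def login_stack(first_control):
    # Constructed stack; the securetty and nologin lines are assumed.
    return [
        ("required", "pam_securetty.so"),
        (first_control, STACK),              # "required" before the change
        ("required", "pam_nologin.so"),
        ("required", SMB),                   # added after all other auth lines
    ]

def outcome(first_control, linux_ok, nt_ok):
    results = {"pam_securetty.so": True, "pam_nologin.so": True,
               STACK: linux_ok, SMB: nt_ok}
    return run_auth_stack(login_stack(first_control), results)

if __name__ == "__main__":
    for ctl in ("required", "sufficient"):
        for linux_ok, nt_ok in [(True, False), (False, True), (False, False)]:
            print(ctl, linux_ok, nt_ok, outcome(ctl, linux_ok, nt_ok))
```

In this model a correct Linux password ends the stack at the "sufficient" line, so the auth lines listed below it are never consulted. Any check that must apply to every login belongs above that line.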


