Note: The command to start up Winbind services assumes that Samba has been installed in the /usr/local/samba directory tree. You may need to search for the location of the Samba files if this is not the location of winbindd on your system.
Winbindd can now also run in “dual daemon mode”. This will make it
run as two processes. The first will answer all requests from the cache,
thus making responses to clients faster. The other will
update the cache for the query to which the first has just responded.
The advantage of this is that responses stay accurate and are faster.
You can enable dual daemon mode by adding -B to the command line:
root# /usr/local/samba/sbin/winbindd -B
I'm always paranoid and like to make sure the daemon is really running.
root# ps -ae | grep winbindd
This command should produce output like the following if the daemon is running.
3025 ? 00:00:00 winbindd
Now, for the real test, try to get some information about the users on your PDC:
root# /usr/local/samba/bin/wbinfo -u
This should echo back a list of the Windows users on your PDC. For example, I get the following response:
CEO\Administrator
CEO\burdell
CEO\Guest
CEO\jt-ad
CEO\krbtgt
CEO\TsInternetUser
Obviously, I have named my domain “CEO” and my
winbind separator is “\”.
You can do the same sort of thing to get group information from the PDC:
root# /usr/local/samba/bin/wbinfo -g
CEO\Domain Admins
CEO\Domain Users
CEO\Domain Guests
CEO\Domain Computers
CEO\Domain Controllers
CEO\Cert Publishers
CEO\Schema Admins
CEO\Enterprise Admins
CEO\Group Policy Creator Owners
The getent command can now be used to get unified lists of both local and PDC users and groups. Try the following command:
root# getent passwd
You should get a list that looks like your /etc/passwd
list followed by the domain users with their new UIDs, GIDs, home
directories, and default shells.
The same thing can be done for groups with the command:
root# getent group
Fix the init.d Startup Scripts
The winbindd daemon needs to start up after the smbd and nmbd daemons are running.
To accomplish this task, you need to modify the startup scripts of your system.
They are located at /etc/init.d/smb in Red Hat Linux and in
/etc/init.d/samba in Debian Linux. Edit your
script to add commands to invoke this daemon in the proper sequence. My
startup script starts up smbd, nmbd, and winbindd from the
/usr/local/samba/bin directory directly. The start function in the script looks like this:
start() {
        KIND="SMB"
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
        RETVAL=$?
        echo
        KIND="NMB"
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
        RETVAL2=$?
        echo
        KIND="Winbind"
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/sbin/winbindd
        RETVAL3=$?
        echo
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
                touch /var/lock/subsys/smb || RETVAL=1
        return $RETVAL
}
If you would like to run winbindd in dual daemon mode, replace the line:
        daemon /usr/local/samba/sbin/winbindd
in the example above with:
        daemon /usr/local/samba/sbin/winbindd -B
The stop function has a corresponding entry to shut down the services and looks like this:
stop() {
        KIND="SMB"
        echo -n $"Shutting down $KIND services: "
        killproc smbd
        RETVAL=$?
        echo
        KIND="NMB"
        echo -n $"Shutting down $KIND services: "
        killproc nmbd
        RETVAL2=$?
        echo
        KIND="Winbind"
        echo -n $"Shutting down $KIND services: "
        killproc winbindd
        RETVAL3=$?
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
                rm -f /var/lock/subsys/smb
        echo ""
        return $RETVAL
}
Winbind does not work on Solaris 9; see the Winbind on Solaris 9 section for details.
On Solaris, you need to modify the /etc/init.d/samba.server startup script. It
usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in
/usr/local/samba/bin, the file could contain something like this:
##
## samba.server
##
if [ ! -d /usr/bin ]
then                    # /usr not mounted
        exit
fi

killproc() {            # kill the named process(es)
        pid=`/usr/bin/ps -e |
             /usr/bin/grep -w $1 |
             /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
        [ "$pid" != "" ] && kill $pid
}

# Start/stop processes required for Samba server

case "$1" in

'start')
#
# Edit these lines to suit your installation (paths, workgroup, host)
#
        echo Starting SMBD
        /usr/local/samba/bin/smbd -D -s \
                /usr/local/samba/smb.conf

        echo Starting NMBD
        /usr/local/samba/bin/nmbd -D -l \
                /usr/local/samba/var/log -s /usr/local/samba/smb.conf

        echo Starting Winbind Daemon
        /usr/local/samba/sbin/winbindd
        ;;

'stop')
        killproc nmbd
        killproc smbd
        killproc winbindd
        ;;

*)
        echo "Usage: /etc/init.d/samba.server { start | stop }"
        ;;
esac
Again, if you would like to run Samba in dual daemon mode, replace:
/usr/local/samba/sbin/winbindd
in the script above with:
/usr/local/samba/sbin/winbindd -B
If you restart the smbd, nmbd, and winbindd daemons at this point, you
should be able to connect to the Samba server as a domain member just as
if you were a local user.
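Both the "ps -ae | grep winbindd" check earlier in this chapter and the killproc helper in the Solaris script above identify daemons by grepping a ps listing, which also matches any process whose name merely contains the word. The following script is an added example and is not part of the Samba HOWTO: it matches the command name exactly using the "ps -e -o pid= -o comm=" output format, and reports which of smbd, nmbd and winbindd are not running. It is exercised here on a constructed ps listing (two smbd processes, one nmbd, winbindd in dual daemon mode, and an unrelated "smbd-monitor" process that plain grep would pick up); on a live system feed it the real ps output.

```shell
#!/bin/sh
# Added example, not from the Samba HOWTO. Find daemon PIDs by exact command
# name and report missing Samba daemons. The functions take ps-style text as
# their first argument so they can run on the constructed sample below.

# Constructed sample of `ps -e -o pid= -o comm=` output.
SAMPLE_PS='    1 init
 3010 smbd
 3011 smbd
 3020 nmbd
 3025 winbindd
 3026 winbindd
 3100 smbd-monitor'

# Print the PIDs whose command name equals $2 exactly, one per line.
# "$2 == name" is a string comparison, so smbd-monitor does not match smbd.
pids_for() {
    printf '%s\n' "$1" | awk -v name="$2" '$2 == name { print $1 }'
}

# Print the names, among smbd nmbd winbindd, that have no running process.
missing_daemons() {
    for d in smbd nmbd winbindd; do
        [ -n "$(pids_for "$1" "$d")" ] || printf '%s\n' "$d"
    done
}

# Exit status 0 when all three daemons are up, 1 otherwise.
samba_healthy() {
    [ -z "$(missing_daemons "$1")" ]
}

# Stand-alone run over the constructed sample.
echo "winbindd pids: $(pids_for "$SAMPLE_PS" winbindd | tr '\n' ' ')"
if samba_healthy "$SAMPLE_PS"; then
    echo "all Samba daemons running"
else
    echo "missing: $(missing_daemons "$SAMPLE_PS" | tr '\n' ' ')"
fi
```

On a running server, `samba_healthy "$(ps -e -o pid= -o comm=)"` gives a single exit status suitable for a monitoring check, and `pids_for "$(ps -e -o pid= -o comm=)" winbindd` is a drop-in replacement for the grep-and-sed pipeline in killproc.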
Configure Winbind and PAM
If you have made it this far, you know that winbindd and Samba are working
together. If you want to use Winbind to provide authentication for other
services, keep reading. The PAM configuration files need to be altered in
this step. (Did you remember to make backups of your original
/etc/pam.d files? If not, do it now.)
You will need a PAM module to use winbindd with these other services. This
module will be compiled in the ../source/nsswitch directory
by invoking the command:
root# make nsswitch/pam_winbind.so
from the ../source directory. The
pam_winbind.so file should be copied to the location of
your other PAM security modules. On my Red Hat system, this was the
/lib/security directory. On Solaris, the PAM security
modules reside in /usr/lib/security.
root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security
Linux/FreeBSD-Specific PAM Configuration
The /etc/pam.d/samba file does not need to be changed. I
just left this file as it was:
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
The other services that I modified to allow the use of Winbind
as an authentication service were the normal login on the console (or a terminal
session), telnet logins, and ftp service. In order to enable these
services, you may first need to change the entries in
/etc/xinetd.d (or /etc/inetd.conf).
Red Hat Linux 7.1 and later uses the new xinetd.d structure; in this case you need
to change the lines in /etc/xinetd.d/telnet
and /etc/xinetd.d/wu-ftp from
        enable = no
to
        enable = yes
For ftp services to work properly, you will also need to either
have individual directories for the domain users already present on
the server or change the home directory template to a general
directory for all domain users. These can be easily set using
the smb.conf global entry
template homedir.