Finding help with Samba's winbind

watts3000

Senior member
Aug 8, 2001
619
0
0
I'm attempting to get into Linux. The first project I'm working on is integrating Samba into a Windows 2000 network. My initial thought was to create a Windows user account, then mirror that account on the Linux box. I really don't want to maintain 2 separate sets of passwords, so that's when I did more research and found out about winbind. Now my question is: does anyone here know how to use winbind, or better yet, do you have some resource that I can use to learn winbind? Basically I'm looking for web links or books. I googled and I really did not find anything.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Here's all you ever would want to know about setting up SAMBA

That's pretty good stuff. Takes a while to load. :)

Search for winbind on that page.

Basically you are going to use a Windows domain server to control the authentication through the Linux PAM system.

PAM stands for pluggable authentication modules. They control how the authentication process happens in Linux. Before PAM, programs like "login" could only check things like the /etc/passwd file to authenticate users; if you wanted to use NSS (an older Unix network domain setup) you might have had to recompile each and every program that requires authentication to make it work.

Now you just change the PAM configuration to choose how you want to set things up. You can add new modules if you want to change everything.

Some older OSes and backwards OSes like Slackware (:P) don't use PAM, but new ones will.

Windows Active Directory and NT domains work through a network information server protocol called LDAP.

So the service "winbind" gets its user info from Windows' LDAP server (in other words, the AD server or NT domain server) and sets up Samba authentication that way.


You can use Linux as a domain controller if you want. OpenLDAP is commonly used; I don't know how well it works with Windows, though! NSS is old-school *nix stuff.

Depending on the version of Samba you're using, you can set that up as a DC or a PDC.

(Also make .bkup files of any configuration so that you can reverse the changes!)
 

watts3000

Senior member
Aug 8, 2001
619
0
0
I'm using Red Hat 9. I don't know what version of Samba it came with, but I know Samba 3.0 is supposed to be Active Directory friendly. Basically I think Samba 3.0 comes with winbind already integrated. Thanks for your input so far; you're the only person who knew what I was trying to do.
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Red Hat 9 uses Samba 2.x, so you'll need to run winbindd and use the NSS module for name resolution and the PAM modules for authentication. The best reference is the winbindd man page, available on your system or here. But using winbindd and 2.x in any kind of sizable environment is a rather fugly solution, because each Samba machine keeps its own mapping between Windows SIDs and Unix UIDs. Thus the same Windows user can end up with different numeric UIDs on different machines. This is a particular pain for restoring from backups, and moving or sharing files across Samba servers.

For a small environment with only a few users, this may well be fine. But for larger environments 3.x is a considerable improvement, because it keeps a shared SID->UID map in the domain LDAP.
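The drift cleverhandle describes is worth seeing concretely, because it is an access-control failure, not just an inconvenience: a backup taken on one Samba 2.x host records numeric UIDs, and restoring it on a second host hands those files to whichever domain user that host happened to map to the same number. The Python below is an added model written for this page, not code from the thread or from Samba. It assumes the Samba 2.2 behaviour of handing out UIDs from the `winbind uid` / `winbind gid` range in smb.conf in first-seen order and keeping the result in a per-host local tdb; the smb.conf fragment, the domain SID, the user RIDs and the login orders are all constructed. The "shared" variant stands in for the Samba 3.0-series `idmap backend = ldap:...` setting that moves the map into the domain LDAP, which is the fix the post points at.

```python
"""
Model of winbindd SID -> UID allocation: per-host (Samba 2.x) versus shared.
Added example for this thread; not Samba's code. All inputs are constructed.
"""
import re

# Constructed Samba 2.2-style smb.conf fragment (assumption: this is the
# parameter spelling of that series; 3.x renamed the range to `idmap uid`).
SMB_CONF_2X = """
[global]
   workgroup = CORP
   security = domain
   password server = *
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +
   template shell = /bin/bash
"""

# Constructed domain SID and three user RIDs (hypothetical values).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USERS = {
    "alice": DOMAIN_SID + "-1001",
    "bob":   DOMAIN_SID + "-1002",
    "carol": DOMAIN_SID + "-1003",
}


def parse_winbind_range(smb_conf, key="winbind uid"):
    """Return (low, high) from a `<key> = low-high` line in smb.conf."""
    pattern = r"^\s*%s\s*=\s*(\d+)\s*-\s*(\d+)\s*$" % re.escape(key)
    m = re.search(pattern, smb_conf, re.M)
    if not m:
        raise ValueError("no '%s' range in smb.conf" % key)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("inverted '%s' range" % key)
    return low, high


class Idmap:
    """First-seen allocation from a fixed range, like winbindd's local idmap."""

    def __init__(self, low, high):
        self.high = high
        self.next_uid = low
        self.sid_to_uid = {}

    def uid_for(self, sid):
        # A SID gets the next free UID the first time this host sees it.
        if sid not in self.sid_to_uid:
            if self.next_uid > self.high:
                raise RuntimeError("winbind uid range exhausted")
            self.sid_to_uid[sid] = self.next_uid
            self.next_uid += 1
        return self.sid_to_uid[sid]

    def sid_for(self, uid):
        for sid, u in self.sid_to_uid.items():
            if u == uid:
                return sid
        return None


def run_host(idmap, login_order):
    """Map the users a host sees, in the order it sees them."""
    return {name: idmap.uid_for(USERS[name]) for name in login_order}


def restore_owner(src_idmap, dst_idmap, owner_name):
    """Who owns a file backed up on src (by numeric UID) once restored on dst?"""
    uid = src_idmap.uid_for(USERS[owner_name])
    sid = dst_idmap.sid_for(uid)
    return next((n for n, s in USERS.items() if s == sid), None)


def local_idmaps():
    """Samba 2.x: one map per host, so different first-seen orders drift apart."""
    low, high = parse_winbind_range(SMB_CONF_2X)
    host_a, host_b = Idmap(low, high), Idmap(low, high)
    run_host(host_a, ["alice", "bob", "carol"])
    run_host(host_b, ["carol", "alice", "bob"])
    return host_a, host_b


def shared_idmap():
    """Samba 3.x idmap in LDAP: every host consults the same map."""
    low, high = parse_winbind_range(SMB_CONF_2X)
    shared = Idmap(low, high)
    run_host(shared, ["alice", "bob", "carol"])
    run_host(shared, ["carol", "alice", "bob"])
    return shared, shared


if __name__ == "__main__":
    a, b = local_idmaps()
    print("bob on host A:", a.uid_for(USERS["bob"]),
          "bob on host B:", b.uid_for(USERS["bob"]))
    print("bob's file restored A->B is owned by:", restore_owner(a, b, "bob"))
    s, t = shared_idmap()
    print("with a shared map it is owned by:", restore_owner(s, t, "bob"))
```

With the per-host maps, bob is 10001 on host A but 10002 on host B, so a file bob owned on A is alice's after a restore onto B; with the shared map the answer is bob on both. The practical check on a real 2.x deployment is to compare `getent passwd` output for the same domain user on each Samba host before trusting any cross-host restore or file move.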
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Originally posted by: watts3000
Ok, I would like to ask: is Active Directory integration accomplished through the use of winbind? I looked through this article and the author made no reference to the use of winbind: http://asia.cnet.com/itmanager/netadmin/0,39006400,39081966,00.htm.
You need to be more specific than just "Active Directory integration." Samba is one big package, but it has pieces that perform a huge variety of functions: machine name resolution, user name/group ID resolution, file sharing, and authentication are the big ones. You can "integrate" a Linux box into Active Directory in a number of ways, depending on what you're after.

Winbind is the Samba component that provides user and group ID resolution by reading the info from a Windows server. It doesn't deal with passwords, transfer files, or know about machine names. If you wanted to maintain a central copy of user and group information with Samba 2.x, this required using winbind. I haven't tried 3.x in this way, and the docs are not clear about winbind's exact role. They are explicit that you can use LDAP to keep global SID->UID mappings at the Windows server, rather than keeping a local winbind-generated mapping. Is winbind still required to actually retrieve that info from LDAP? I don't know. Try it and find out. If you get errors like "user does not exist", then you probably need winbind. I'd certainly think you'll need it in your NSS configuration, even if you don't run the daemon itself.

The article you reference is rather limited - it only describes integrated authentication, and only does it in a manual and clumsy way (kinit and smbclient). It doesn't describe SID->UID mappings at all.

I think you need to get in and try to do whatever it is you're trying to do in order to get a better idea of the questions to ask. More so than with any other UNIX service I've run, I've found that other people's Samba configurations are usually pretty useless to me. It's too huge a package and relies too much on a lot of site-specific requirements.

edit: screwed up the tags