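#### Edit /etc/samba/smb.conf as follows ###########################################
#======================= Global Settings =====================================
# Samba member-server settings for an Active Directory domain (security = ads),
# with winbind supplying the domain users and groups.
# Comments must sit on their own line: smb.conf has no trailing-comment syntax.
[global]
# Spelled "worgroup" in the original listing, which Samba does not recognise.
workgroup = PVALENTINO_DOMAIN
# UID/GID ranges that winbind hands out to domain users and groups.
# NOTE(review): current Samba releases replace these two parameters with
# "idmap config * : range = ..."; check smb.conf(5) for the installed version.
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
# Lets domain users log in as "user" rather than "DOMAIN\user".
winbind use default domain = yes
realm = PVALENTINO.LAN

# server string is the equivalent of the NT Description field.
# The listing set it twice ("Comment of my choice", then this value); only one
# value is kept, because a repeated parameter hides which one is effective.
server string = PVALENTINO Application Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page.
# NOTE(review): it is left commented out here, so any host that can reach the
# SMB ports may connect. Uncomment it and list your own subnets.
; hosts allow = 192.168.1. 192.168.2. 127.

load printers = yes

# Put a capping on the size of the log files (in Kb).
max log size = 50

# Security mode. "ads" makes this host a member of the Active Directory realm
# named in "realm" above. See security_level.txt for details.
security = ads

# Domain controllers to contact. The stock template says to use this option
# only with security = server, but it is also honoured with security = ads.
# The listing repeated this line with the same value; it is set once here.
password server = PVALENTINO_DC1 PVALENTINO_DC2

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
; encrypt passwords = yes
; smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
# The "%n\n" sequences had lost their backslashes ("%nn") in the listing.
; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names.
# While this stays commented out, /etc/samba/smbusers is not consulted.
; username map = /etc/samba/smbusers

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Writable share for batch processing. No guest access (public = no).
# NOTE(review): no "valid users" is set, so which authenticated domain users
# can write is decided only by the filesystem permissions on /data.
[data]
comment = batch processing directory
path = /data
public = no
writable = yes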
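# A read-only directory for logs
[log]
comment = Log Directory
path = /log
# NOTE(review): public = yes permits guest connections to this share when the
# server maps failed logins to guest ('map to guest', not set in this file).
# Use public = no if the logs must only be readable after authentication.
public = yes
# Was 'read only = no', which contradicts the heading above and, together with
# public = yes, describes a guest-writable share. Set to yes to match the
# stated intent; if specific accounts must write here, name them in 'write list'.
read only = yes
# Hides files the connecting user has no permission to read.
hide unreadable = yes
# Change permissions on the data and log directories as shown at the end.
# (This sentence had no comment marker in the listing, so it was not a valid
# smb.conf line.)
############################### END smb.conf ###############################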
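#################### Edit /etc/samba/smbusers as follows ###################
# Maps client-supplied SMB user names to local Unix accounts, one mapping per
# line. The two mappings below were fused onto a single line in the listing.
# This file is only read when smb.conf sets "username map = /etc/samba/smbusers".
# Unix_name = SMB_name1 SMB_name2 ...
# NOTE(review): every SMB name on the "root" line acts as Unix root on this
# server's shares; keep that list to the accounts that really need it.
root = administrator admin anotheradmin
nobody = guest pcguest smbguest
#################### End smbusers ###########################################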
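#### Edit /etc/krb5.conf as follows ################
# Kerberos client settings for the PVALENTINO.LAN realm.
# One relation per line; braced subsections open with "{" at the end of a line
# and close with "}" on a line of its own.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = PVALENTINO.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
# Sample stanza; nothing else in this file refers to EXAMPLE.COM.
EXAMPLE.COM = {
    kdc = kerberos.example.com:88
    admin_server = kerberos.example.com:749
    default_domain = example.com
}
# NOTE(review): only the first domain controller is listed here, while smb.conf
# names PVALENTINO_DC1 and PVALENTINO_DC2; add a second kdc line if both should
# be tried.
PVALENTINO.LAN = {
    kdc = PVALENTINO_dc1.PVALENTINO.lan
}

[domain_realm]
# Host and domain names that belong to the realm.
.PVALENTINO.lan = PVALENTINO.LAN
PVALENTINO.lan = PVALENTINO.LAN
# NOTE(review): ".kerberos.server" looks like a leftover from the sample file;
# confirm whether it is needed.
.kerberos.server = PVALENTINO.LAN

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
# Defaults for the PAM Kerberos module. Lifetimes are in seconds (36000 = 10 hours).
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}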
####################### END /etc/krb5.conf ###############################

####################### Edit /etc/nsswitch.conf as follows ##########
passwd: files winbind
shadow: files
group: files winbind
services: files winbind
protocols: files winbind
netgroup: files winbind
automount: files winbind
#########################################################

###################### Edit /etc/pam.d/system-auth as follows #######
Add the following entries to their respective sections.

This line goes after the pam_unix.so entry in the auth section:
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass

This line goes after the pam_succeed_if.so entry in the account section:
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so

This line goes before the pam_deny.so entry in the password section:
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
##################### END #################################

Create /etc/pam.d/gdm as follows:
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Edit /etc/pam.d/... gdm, login and sshd as follows: add the following entry to the bottom of each file:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Then make sure to manually create the directory /home/PVALENTINO_DOMAIN

Change permissions on the shared directories from smb.conf. First run
getent group | grep "Windows Group Name"
to confirm you have the correct group name, then:
chgrp -R "Windows Group Name" /log
chgrp -R "Windows Group Name" /data
chmod 775 /log
chmod 775 /data
(775 also lets every other local account read both directories; use 770 if only the group should.)

Run the following:
chkconfig winbind on
chkconfig smb on
service winbind start
service smb start
net ads join -U administrator

Test winbind with:
# wbinfo -t
# wbinfo -m
# wbinfo -u
TRAINING2$
TRAINING3$
TRAINING8$
......
# wbinfo -g
........
getent passwd
getent group
