#### Edit /etc/samba/smb.conf as follows ###########################################
#======================= Global Settings =====================================
[global]
worgroup = PVALENTINO_DOMAIN
server string = Comment of my choice
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = yes
password server = PVALENTINO_DC1 PVALENTINO_DC2
realm = PVALENTINO.LAN
# server string is the equivalent of the NT Description field
server string = PVALENTINO Application Server
# This option is important for security. It allows you to restrict # connections to
machines which are on your local network. The # following example restricts access to two
C class networks and # the "loopback" interface. For more examples of the syntax see #the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
load printers = yes
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See # security_level.txt for details.
security = ads
# Use password server option only with security = server
password server = PVALENTINO_DC1 PVALENTINO_DC2
# Password Level allows matching of _n_ characters of the password for # all combinations of upper and lower case.
; password level = 8
; username level = 8
# You may wish to use password encryption. Please read # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
; encrypt passwords = yes
; smb passwd file = /etc/samba/smbpasswd
# The following are needed to allow password changing from Windows to # update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn
*passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to different SMB User names
; username map = /etc/samba/smbusers
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[data]
comment = batch processing directory
path = /data
public = no
writable = yes
# A read Only directory for logs
[log]
comment = Log Directory
path = /log
public = yes
read only = no
hide unreadable = yes
change permissions on data and log directories shown at end
############################### END smb.conf ###############################
#################### Edit /etc/samba/smbusers as follows ###################
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin anotheradmin
nobody = guest pcguest smbguest
#################### End smbusers ###########################################
#### Edit /etc/krb5.conf as follows ################
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = PVALENTINO.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
PVALENTINO.LAN = {
kdc = PVALENTINO_dc1.PVALENTINO.lan
}
[domain_realm]
.PVALENTINO.lan = PVALENTINO.LAN
PVALENTINO.lan = PVALENTINO.LAN
.kerberos.server = PVALENTINO.LAN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
####################### END /etc/krb5.conf ###############################
####################### Edit /etc/nsswitch.conf as follows ##########
passwd: files winbind
shadow: files
group: files winbind
services: files winbind
protocol: files winbind
netgroup: files winbind
automount: files winbind
#########################################################
###################### Edit /etc/pam.d/system-auth as follows #######
add the following entries to their respective sections:
This line goes after the pam_unix.so entry in auth section:
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
This line goes goes after pam_succeed_if.so entry in the account section:
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
This line goes before the pam_deny.so entry in password section:
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
##################### END #################################
Create etc/pam.d/gdm as follows:
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Edit /etc/pam.d/... gdm login and sshd as follows:
Add the following entry to the bottom of each file
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Then make sure to manually create the directory /home/PVALENTINO_DOMAIN
Change permissions on the shared directories from smb.conf
do getent group grep "Windows Group Name" # to confirm you have correct name
chgrp -R "Windows Group Name" /log
chgrp -R "Windows Group Name" /data
chmod 775 /log
chmod 775 /data
Run the following:
chkconfig winbind on
chkconfig smb on
service start winbind
service start smb
net ads join -U administrator
Test winbind with:
# winbind -t
# winbind -m
# wbinfo -u
TRAINING2$
TRAINING3$
TRAINING8$
......
# wbinfo -g
........
getent passwd
getent group