Samba - Solaris - NT Domain

From: Andre Godin (AGodin@jetnet.ca)
Date: Wed May 29 2002 - 15:13:06 EDT


Hello,
 
I've been struggling with this for a bit.
 
Requirement:
Allow NT domain users (belonging to departmental NT domain groups)
read/write access to their department's Samba group shares, with read-only
access for everyone else. The Samba server has been added to the domain as a
member server, and things like getent passwd and getent group actually work,
showing the NT domain accounts nicely. I can even log in as an NT user and get a shell.
 
I'm close, but however I go about sharing the test share, I get the same
type of error: "The Specified Network password is not correct."
 
Any help/direction would be greatly appreciated...
 
Thanks...Andre
 
***Versions:***
Solaris 8
Samba 2.2.4 compiled --with-pam --with-winbind
 
***nsswitch.conf updated for winbind auth.***
passwd files winbind
group files winbind
 
***/etc/pam.conf***
 #ident "@(#)pam.conf 1.19 95/11/30 SMI"
#
# PAM configuration
#
# Each entry reads: service, module type, control flag, module path, then
# module options. Entries for the same service and module type form a stack
# that is evaluated in the order listed, so the position of every
# "sufficient" line matters.
#
# Authentication management
#
# pam_winbind.so comes first and is "sufficient": when it accepts the user,
# the remaining auth modules for that service are not consulted. When it does
# not, the stack continues to pam_unix, where try_first_pass makes the module
# try the password that was already entered before prompting again.
login auth sufficient /usr/lib/security/pam_winbind.so
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
login auth required /usr/lib/security/pam_dial_auth.so.1 try_first_pass
#
# rlogin tries rhosts (host-based trust) before any password module.
# NOTE(review): confirm rhosts trust is still wanted on a domain member server.
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_winbind.so
rlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass
#
dtlogin auth sufficient /usr/lib/security/pam_winbind.so
dtlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass
#
# "other" is the fallback for any service that has no entry of its own.
# NOTE(review): a Samba built --with-pam presumably looks up its own service
# name and, with no such entry listed here, would land on these "other"
# lines - confirm which service name smbd uses.
rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
other auth sufficient /usr/lib/security/pam_winbind.so
other auth required /usr/lib/security/pam_unix.so.1 try_first_pass
#
# Account management
#
# NOTE(review): with pam_winbind.so "sufficient" and first, a success from
# winbind ends the account stack before pam_unix runs its own account checks.
# Confirm that pam_winbind's account module only succeeds for domain users,
# so that local accounts still go through pam_unix.
login account sufficient /usr/lib/security/pam_winbind.so
login account required /usr/lib/security/pam_unix.so.1
dtlogin account sufficient /usr/lib/security/pam_winbind.so
dtlogin account required /usr/lib/security/pam_unix.so.1
#
other account sufficient /usr/lib/security/pam_winbind.so
other account required /usr/lib/security/pam_unix.so.1
#
# Session management
#
# Only pam_unix is listed for sessions; there is no winbind session entry.
other session required /usr/lib/security/pam_unix.so.1
#
# Password management
#
# Password changes are offered to winbind first, then to pam_unix.
other password sufficient /usr/lib/security/pam_winbind.so
other password required /usr/lib/security/pam_unix.so.1

 
***smb.conf***
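[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
# (<MY DOMAIN> is a placeholder put in by the poster)
   workgroup = <MY DOMAIN>

# server string is the equivalent of the NT Description field
   server string = Intranet Web Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following line restricts access to the listed networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = <my subnet> 192.168.168. 127.

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
# guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
log file = /usr/local/samba/var/log.%m

# Debug-level logging, presumably turned up to chase the logon failure.
# Logs written at this level hold detailed traces of each connection, so
# keep the log directory readable by administrators only and lower the
# level again once the problem is found.
log level = 10

# Put a capping on the size of the log files (in Kb).
# NOTE(review): at log level 10 a 50 Kb cap is reached very quickly, so the
# trace of a failed logon may already be rotated away - consider raising it
# while debugging.
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
# "domain" makes smbd hand logon validation to an NT domain controller.
   security = domain

# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
# NOTE(review): every "password server" line here is commented out. With
# security = domain smbd has to reach a domain controller to validate
# logons; check the smb.conf man page for this Samba version to see whether
# a password server must be named (or set to *) for that to work.
# password server = *

# Note: Do NOT use the now deprecated option of "domain controller"
# This option is no longer implemented.
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
# (security = domain requires encrypted passwords, so this stays on)
encrypt passwords = yes

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /usr/local/samba/lib/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = no

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
# wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
# (<ip address of my wins server> is a placeholder put in by the poster)
wins server = <ip address of my wins server>

# use uids from 10000 to 20000 for domain users
# (make sure no local account already uses an id in this range)
winbind uid = 10000-20000

# use gids from 10000 to 20000 for domain groups
# (make sure no local group already uses an id in this range)
winbind gid = 10000-20000

# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes

# give winbind users a real shell (only needed if
# they have telnet access)
# NOTE(review): with the PAM stack accepting winbind logons, this gives
# every mapped domain account an interactive shell on the server. If the
# goal is file sharing only, confirm whether shell access is required.
template homedir = /www/home/winnt/%D/%U
template shell = /bin/bash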
#============================ Share Definitions ==============================
 
# Departmental test share. The goal stated in the post is read/write for the
# department's NT domain group and read-only for everyone else.
# (MYDOMAIN\group is a placeholder put in by the poster.)

[ITIS]
   comment = IT_IS
   path = /www/live/it_is
# Only members of this domain group may connect to the share at all.
# NOTE(review): that shuts everyone else out rather than giving them
# read-only access, which differs from the stated goal.
   valid users = @MYDOMAIN\group
# Files are created with this group as their Unix group.
   force group = MYDOMAIN\group
# "public" allows guest connections.
# NOTE(review): guest access next to a "valid users" restriction looks
# contradictory - confirm which one is intended.
   public = yes
# Everyone who can connect may write. Read-only-for-others is normally
# expressed with "read only = yes" plus a "write list" naming the group.
   writable = yes
   printable = no
# Upper bound on permissions of new files: rwx for owner and group, read
# for others. NOTE(review): confirm that world-readable files and the
# execute bits are wanted on the Unix side.
   create mask = 0774