Getting FreeBSD to authenticate against a windows PDC
Setting up Samba with winbindd, PAM and nsswitch
Ruben de Groot, 13-08-2003
This howto describes how we configure a FreeBSD server to act as a
fileserver in a Windows domain, authenticating against the (Windows)
PDC. Using PAM and nsswitch, we will even be able to log in as a Windows
domain user, without having to maintain a separate database of Unix
accounts.
1 Prerequisites
- FreeBSD 5.1 or later including ports collection
- NT4 or W2k Primary Domain Controller
2 Samba installation
It's important to install samba with the right options activated. Change
to the /usr/ports/net/samba directory and type:
make WITH_WINBIND_NSS=yes
A menu is presented where we can select various other options. As a
minimum select ACL support, Audit, Winbind and Winbind Auth Challenge.
After the compilation has successfully completed type "make install" to
finish the installation.
3 Samba configuration
For a detailed description of all the samba configuration options we
refer to the samba documentation on www.samba.org. The following basic
samba configuration file (/usr/local/etc/smb.conf) will make samba act as
a fileserver called "SOLEIL" in the domain "BZERK".
[global]
workgroup = BZERK
netbios name = SOLEIL
server string = Soleil Fileserver
security = DOMAIN
encrypt passwords = Yes
password server = *
log file = /var/log/sambalog.%m
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /share/homes/%U
template shell = /bin/false
winbind separator = .
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
hosts allow = 192.168.2. 192.168.1. 127. 10.0.0.
nt acl support = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[data]
comment = test share
path = /share/data
read only = No
force create mode = 0664
force directory mode = 0775
4 Nsswitch configuration
Starting at FreeBSD 5.1, it is possible to configure alternative
password and group databases through the /etc/nsswitch.conf configuration
file. If it doesn't exist already, just create the file with the following
two lines:
passwd: files winbind
group: files winbind
Now if the server needs to look up account information on a user or
group, it will first search its local password database (files),
followed by the domain users database on the Primary Domain Controller
(winbind).
5 PAM configuration
At the time of this writing, the pam_winbind.so module will not
automatically be installed by the samba port, so we will do this by
hand. First copy the module to /usr/local/lib:
cd /usr/ports/net/samba/work/samba-2.2.8a/source/nsswitch
cp pam_winbind.so /usr/local/lib/
Next we have to modify some of the files in /etc/pam.d. Which files need
modification depends on which services we want to provide. In this
example we will provide ftp access to all domain users. The following
modified /etc/pam.d/ftpd makes this
possible:
#
# $FreeBSD$
#
# PAM configuration for the "ftpd" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_winbind.so
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
# account
account sufficient pam_winbind.so
account required pam_unix.so
# session
session required pam_permit.so
(Don't forget to put the line "/bin/false" in /etc/shells, as this is
the default shell of all domain users (see smb.conf above) and ftpd
won't accept users whose shell is not listed in /etc/shells.)
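As an added example (not part of the original howto), the following shell script checks that the pieces from sections 3 to 5 agree with each other: no local account falls inside the winbind uid range from smb.conf, the template shell is listed in /etc/shells, and both nsswitch databases name winbind. All file contents are constructed samples written to a temporary directory; point the functions at the real files on a server instead.

```sh
#!/bin/sh
# Consistency check for the winbind setup (added example, not from the howto).
# Every input is read as plain text, so it runs on the constructed samples
# below as well as on the real files of a server.

# smb_value SMBCONF KEY: print the value of "key = value" (key matched case-insensitively).
smb_value() {
    awk -F= -v key="$2" 'tolower($1) ~ "^[ \t]*" key "[ \t]*$" {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$1"
}

# uid_collisions PASSWD LOW HIGH: local accounts whose uid lies inside the winbind
# uid range. Such an account would own the same files as some domain user.
uid_collisions() {
    awk -F: -v lo="$2" -v hi="$3" '$3 >= lo+0 && $3 <= hi+0 { print $1 }' "$1"
}

# check_winbind_setup SMBCONF PASSWD SHELLS NSSWITCH: print each problem found,
# return 0 only when the four files agree with each other.
check_winbind_setup() {
    rc=0
    range=$(smb_value "$1" "winbind uid")
    lo=${range%-*}; hi=${range#*-}
    for u in $(uid_collisions "$2" "$lo" "$hi"); do
        echo "local account '$u' lies inside winbind uid range $range"; rc=1
    done
    shell=$(smb_value "$1" "template shell")
    grep -qx "$shell" "$3" || { echo "template shell $shell is not in /etc/shells"; rc=1; }
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|\$)" "$4" ||
            { echo "nsswitch.conf: '$db' does not list winbind"; rc=1; }
    done
    return $rc
}

# Constructed samples: the uid 10500 account, the missing /bin/false entry and
# the incomplete group line are deliberate so that every check fires once.
sample=$(mktemp -d)
printf '[global]\n   winbind uid = 10000-20000\n   template shell = /bin/false\n' >"$sample/smb.conf"
printf 'root:*:0:0:root:/root:/bin/sh\nbackup:*:10500:10500::/var/backup:/bin/sh\n' >"$sample/passwd"
printf '/bin/sh\n/bin/csh\n' >"$sample/shells"
printf 'passwd: files winbind\ngroup: files\n' >"$sample/nsswitch.conf"
if check_winbind_setup "$sample/smb.conf" "$sample/passwd" "$sample/shells" "$sample/nsswitch.conf"; then
    echo "winbind setup is consistent"
else
    echo "fix the problems listed above before starting winbindd"
fi
```

On a real server call check_winbind_setup with /usr/local/etc/smb.conf, /etc/passwd, /etc/shells and /etc/nsswitch.conf; a uid collision is the one finding the daemons will not report themselves.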
6 Starting the daemons
Now it is time to actually start Samba and winbind. The samba port has
installed a sample startup script, which we will rename first so it will
be executed at the next boot. Then we execute the script and finally we
start winbindd.
cd /usr/local/etc/rc.d
mv samba.sh.sample samba.sh
/usr/local/etc/rc.d/samba.sh start
/usr/local/sbin/winbindd
Note that you probably want to edit the samba.sh script, so that it will
start winbindd automatically at boot time as well.
7 Joining the Domain
To add the Samba server into a Windows NT Domain, in this case the BZERK
domain, as a Domain member capable of authenticating user accounts to
any Domain Controller in the same way as a Windows NT Server, use the
following command:
smbpasswd -j BZERK -U Administrator
You will be asked for the Domain Administrator's password.
8 Administration
If all went well we now have a working fileserver and member of the
domain that will for normal users be indistinguishable from an ordinary
Windows fileserver (except for speed probably, samba is known to be
quite fast in comparison to native Windows filesharing).
Administration is straightforward as well. Most administrative jobs can
be done with native Windows tools as well as Unix commands. We will end
this document with some examples of useful Unix command line tools for
administering the box.
- pw usershow Administrator (or other Domain User) : show the credentials of user Administrator (uid, homedir, etc)
- wbinfo -u : show all domain users
- wbinfo -g : show all domain groups
- man wbinfo : various other nice options
- chown : change ownership (works just as well for Domain Users)
Appendix A - recompiling ls
In FreeBSD 5.1, a lot of tools in the root filesystem are still
statically linked binaries. This can be a real PITA, especially with
/bin/ls, which will not show domain user and group names, but only their
numerical ids when checking file/directory permissions.
The workaround is to recompile /bin/ls as a dynamically linked binary
(you need the full sources installed on your system for this):
cd /usr/src/bin/ls
make clean
make NOSHARED=NO depend
make NOSHARED=NO
make NOSHARED=NO install
After this, ls will show full user and groupnames of Domain Users and
Groups.