
CentOS 5.2 and Winbind

February 7, 2009

Built a Linux Samba server for a file server this week. It’s in a satellite office connected via OpenVPN to the main office, which hosts Active Directory. Samba is running winbind, which allows transparent access to resources and minimal management on the server. I learned that winbind’s offline logons only help local or ssh logons to the server when Active Directory is unavailable: the cached credentials are consumed by pam_winbind, not by smbd, so the SMB session setup for a domain user still has to be validated by a domain controller. The VPN and Active Directory must therefore be up for users to initially log on and get drives mapped. Outages during the day do not impact file or printer access, presumably because already-established SMB sessions are not re-authenticated. This could be disastrous in certain situations, but considering the bulk of the work this office does is via E-mail or Citrix, an Internet outage means they don’t get any work done anyway.

This setup is very similar to plain ads security mode as described in my earlier post, Configure Samba with Domain Security Mode, but, while a little more complicated to set up, has more features, such as local logon privileges for AD users.

Had a heck of a time getting winbind working on CentOS 5.2. Most everything worked: the server joined the domain and `wbinfo -u` returned users, but getent wasn’t working. `getent passwd` only returned local users, and `getent group` returned local groups plus just two domain groups, both prefixed with BUILTIN. That pattern is the clue: wbinfo talks to winbindd directly, while getent goes through nss_winbind, and the one setting that hides the host's own domain from NSS (while BUILTIN, treated as a trusted pseudo-domain, still shows up) turned out to be this in my smb.conf:

winbind trusted domains only = yes

when it should be this:

winbind trusted domains only = no

Just in case it helps anyone else, here’s relevant portions from my config files:

#/etc/samba/smb.conf

[global]

   # Short (NetBIOS) name of the AD domain this host is joined to.
   workgroup = DOMAIN
   # Pins all authentication to one DC across the VPN; if it is down, logons
   # fail even when other DCs are reachable. The default "*" locates DCs itself.
   password server = myadserver.domain.com
   # Kerberos realm; must match default_realm in /etc/krb5.conf.
   realm = DOMAIN.COM
   security = ads
   # Legacy single-range idmap (Samba 3.0): allocations live in this host's
   # winbindd_idmap.tdb, so IDs are local to this server -- back the tdb up and
   # keep both ranges clear of local /etc/passwd and /etc/group IDs.
   idmap uid = 10000-20000
   idmap gid = 50000-60000
   # "+" instead of the default "\" so DOMAIN+name is usable unquoted in shells,
   # in chown/chgrp and in the "force group" line of the share definitions.
   winbind separator = +
   # Every AD user gets a home under /home and an interactive shell. With
   # require_membership_of left unset in /etc/security/pam_winbind.conf this
   # means any domain account can log on at the console or via ssh; use
   # /sbin/nologin here if only share access is intended.
   template homedir = /home/%U
   template shell = /bin/bash
   # All CUPS queues on this host are exported automatically.
   printing = cups
   printcap name = cups
   load printers = yes
   encrypt passwords = yes
   # Only holds the machine account and any purely local Samba users; AD users
   # are validated by the domain controller.
   passdb backend = tdbsam
   server string = MY-SERVER
   os level = 20
   client use spnego = yes
   # Caches each AD user's credentials after a successful logon so pam_winbind
   # (cached_login = yes) can authenticate console/ssh users while the VPN or DC
   # is down. As observed above, smbd does not benefit: SMB logons still need a
   # DC. The cache is a tdb under Samba's lock directory -- keep it root-only and
   # out of backups that leave the host.
   winbind offline logon = yes
   # Strips the DOMAIN+ prefix from user and group names. A domain user whose
   # name matches a local account resolves to the local one, because
   # /etc/nsswitch.conf lists "files" before "winbind".
   winbind use default domain = yes
   # Needed for getent passwd/group to list domain accounts (and for the
   # troubleshooting in this post). It lets any local user enumerate the whole
   # domain and is slow on large domains; lookups by name work without it.
   winbind enum users = yes
   winbind enum groups = yes
   # "yes" tells winbind that users of the host's own domain come from the local
   # passdb and only *trusted* domains go through winbind -- which is why getent
   # showed nothing but BUILTIN groups. Must be "no" on a plain AD member server.
   winbind trusted domains only = no
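#/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
# kdc/admin_server logs are only written by a KDC; harmless leftovers from the
# stock CentOS file on a member server.
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Must match "realm" in smb.conf.
 default_realm = DOMAIN.COM
# DNS SRV lookup (_kerberos._tcp.domain.com, published by AD) is the fallback;
# the explicit kdc entries in [realms] are tried first.
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 DOMAIN.COM = {
# default_domain was listed twice in this block; one entry is enough.
  default_domain = domain.com
# The DC was also listed twice by address (":88" is the default port), which
# only produced a duplicate entry. Keeping both the address and the hostname
# means a DNS problem over the VPN does not stop Kerberos by itself.
  kdc = 192.168.0.5:88
  kdc = myadserver.domain.com
# Also used to locate the kpasswd service for pam_krb5 password changes.
  admin_server = 192.168.0.5:749
 }

[domain_realm]
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM

[kdc]
# Only read by krb5kdc; unused on a member server, kept from the stock file.
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
# Lifetimes are in seconds (36000 = 10 hours, the AD default).
   ticket_lifetime = 36000
   renew_lifetime = 36000
# A forwardable TGT can be delegated onward by any process the user runs on
# this host; leave "true" only if users actually forward tickets (e.g. ssh
# delegation), otherwise "false" is the least-privilege choice.
   forwardable = true
   krb4_convert = false
 }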
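#/etc/pam.d/system-auth

# Order matters: local /etc/passwd accounts are tried first (pam_unix); the
# "uid >= 500" gate keeps system accounts from ever reaching Kerberos/winbind;
# AD users then authenticate against the DC with pam_krb5 and, when the KDC is
# unreachable (VPN down), fall through to pam_winbind's cached credentials
# (cached_login = yes in /etc/security/pam_winbind.conf).
# NOTE: "nullok" lets a local account whose shadow entry has an empty password
# log in without one; drop it unless such accounts are actually needed.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

# broken_shadow: do not fail winbind users, which have no /etc/shadow entry.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

# Local password changes are hashed with MD5-crypt here. Prefer "sha512" in
# place of "md5" if this pam_unix/glibc supports it (authconfig
# --passalgo=sha512), but verify the resulting /etc/shadow entries start with
# $6$: pam_unix ignores an option it does not know and falls back to its old
# DES default.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
# Home directories are created on first logon (template homedir = /home/%U in
# smb.conf). umask=0077 makes them private; the previous 0022 left every AD
# user's home world-readable, and nothing on the share depends on the home
# directory permissions.
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_krb5.so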
#/etc/nsswitch.conf

<snip>
# "files" first: a domain account whose name (de-prefixed, because of
# "winbind use default domain = yes") collides with a local account resolves to
# the local one. Keep this order; it is what protects local root and service
# accounts from being shadowed by a same-named AD object.
passwd:  files winbind
# nss_winbind appears to implement only passwd and group lookups, so "winbind"
# on the shadow line is presumably inert -- harmless, but it does nothing.
shadow:  files winbind
group:    files winbind
</snip>
#/etc/security/pam_winbind.conf

[global]

;debug = yes
; Fall back to winbind's credential cache (winbind offline logon = yes in
; smb.conf) when the DC cannot be reached. Only pam_winbind consumers --
; console and ssh logons -- benefit; SMB clients still need a DC.
cached_login = yes
;krb5_auth = yes
;krb5_ccache_type = FILE
; Unset, so every account in the domain may log on to this host (template shell
; in smb.conf is /bin/bash). Set it to the group(s) that actually need shell
; access; a group SID (S-1-5-21-...) is the unambiguous form, and the man page
; also accepts a DOMAIN\group name.
;require_membership_of =

To make shared documents on the server behave more like a Windows share (new files writable by everyone in the group), I changed the default umask for shell sessions and set default POSIX ACLs instead of relying on plain mode bits. Note that the umask in /etc/bashrc only affects files created from a shell: files created over SMB get their modes from the share's create/directory mask settings below, and once a default ACL is set on a directory the umask is not consulted at all for objects created inside it:

#/etc/bashrc

<snip>
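# Stock CentOS logic: accounts with a user-private group (primary group name
# equals the user name, i.e. local useradd users) get 002; everyone else --
# root, and AD users whose primary group is typically a shared domain group --
# keeps 022. Setting 002 in both branches made the test dead code and left every
# file created from a shell by such a user group-writable by that shared group.
# SMB clients never read this file (the share's create/directory modes apply
# there), and inside the share the default ACL set with "setfacl -d" replaces
# the umask entirely, so 002 is not needed in the else branch.
if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
else
        umask 022
fi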
</snip>
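#/etc/samba/smb.conf

#========= Share Definitions ========
[Share]
  # Files: rw for owner and group, nothing for others. 0660 rather than 0770 so
  # uploaded files are not executable for shell users; use 0770 only if
  # scripts kept on the share must be run from a shell on the server.
  create mask = 0660
  force create mode = 0660
  # "directory mask" defaults to 0755, so without it directories created over
  # SMB came out 0775 (world r-x), hidden only where a default ACL with an
  # o::--- entry happened to mask the "other" bits.
  directory mask = 0770
  force directory mode = 0770
  # Everything written over SMB is owned by this group regardless of the
  # client's primary group; the default ACL below covers shell-created files.
  force group = DOMAIN+Group_Name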

Use chown or chgrp to make your domain group the group owner of each shared directory, and chmod 0770 so "other" gets nothing. Adding the setgid bit (chmod 2770) is worth considering as well, so files created from a shell inherit the directory's group the way `force group` does for SMB clients. Should look something like this:

# ls -l
drwxrwx--- 2 root DOMAIN+domain users 4096 Feb  6 15:13 Docs

Then set a default ACL with setfacl so new files and subdirectories inherit rwx for the group. Two caveats: -d only creates default entries, so existing files keep their current permissions (run a second pass without -d if they need fixing), and because no o:: entry is given the default "other" entry is copied from each directory's access ACL — add o::--- explicitly if any directory in the tree is not already 0770. With -R, setfacl may complain that regular files cannot hold default ACLs; that is expected, as default ACLs exist only on directories:

# setfacl -d -R -m u::rwx,g::rwx,m::rwx Docs

Use getfacl to confirm. When you ls a directory after that, you’ll see a + sign next to the normal permissions, which means an extended ACL is present:

# ls -l
drwxrwx---+ 2 root DOMAIN+domain users 4096 Feb  6 15:13 Docs

