LSDF samba with domain authorization

From Lsdf

A user can have a primary unix group ('itg') or a secondary one ('project 1').

Horst Westergom creates groups in ADS. This could be delegated to the people responsible for each group.

Proposal: /lsdf/username/(project links)

share name : \\lsdf\\HOMES

What about shares for projects?

Need to enforce login to shared machines, to avoid ...

install sofs

packages

yum install samba samba-common samba-swat samba-client
chkconfig --add smb
chkconfig smb on

Also make sure the Kerberos packages are installed:

pam_krb5-2.2.14-10.x86_64 krb5-libs-1.6.1-36.el5_4.1.x86_64

swat config (xinetd)

service swat
{
       port            = 901
       socket_type     = stream
       wait            = no
#       only_from       = 127.0.0.1
       user            = root
       server          = /usr/sbin/swat
       log_on_failure  += USERID
       server_args = -s /etc/samba/smb.conf -l /var/log/samba -d 1
       disable         = no
}

Restart xinetd! Note that with only_from commented out SWAT accepts connections from any host; it runs as root and uses HTTP basic authentication, so restrict it with only_from or a firewall.

smb.conf

/etc/pam.d/system-auth-ac

!! auth sufficient pam_krb5.so realm=IRS.FZK.DE

check realm - different domain.

/etc/krb5.conf

! libdefaults, realms

/krb.keytab

Not necessary, unless using afs

/etc/ssh/sshd_config

It needs to work through PAM: UsePAM yes

reading users from LDAP

/etc/gbv2pw.cfg

This is Olaf's config file for Olaf's script. We need to check it in order to filter users.

cron_gbv_simple.sh  gbv2pw.pl  gbvcheckshell.pl  gbvfinger.pl  gbvsearch.pl


The first one creates three files: passwd, group, shadow

It needs access to ldap port 398

We preserve these, so that the script merges them with the ones from LDAP:

cd /etc/
cp passwd passwd.local
cp group group.local
cp shadow shadow.local

Cron job /usr/local/sbin/cron_gbv_simple.sh


Need additional perl modules:

yum install perl-Config-General.noarch perl-LDAP.noarch perl-IO-Socket-SSL.noarch

Some are installable via CPAN only :(

export http_proxy=http://proxy.fzk.de:8000/

+ ftp, https?

perl -MCPAN -e "install Module::Util"

Get rid of this module.

This script downloads these three files with a .ldap suffix and merges them with the .local versions.

Need to convert users from /etc/passwd to smbpasswd

for i in $(awk -F: '$3>400 {print $1}' /etc/passwd | grep -v "^dg"); do smbpasswd -n -a "$i"; done

Ludmila created a passwd2smb script to do this.
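As an added example (not part of the original page or of Olaf's or Ludmila's scripts), the merge of the .local files with the .ldap output and the filter the loop above applies, written as shell functions over constructed sample files. The file names and the uid threshold are the ones used on this page; the sample accounts are made up.

```shell
#!/bin/sh
# Added example: merge the LDAP-generated account file with the preserved
# .local copy, then list the accounts the page's loop hands to
# "smbpasswd -n -a". passwd(5) fields: name:passwd:uid:gid:gecos:home:shell

# merge_accounts LOCAL LDAP
# Prints LOCAL first, then every LDAP line whose user name (field 1) is not
# already present in LOCAL, so a local entry always overrides the LDAP one.
merge_accounts() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; print; next }
             !($1 in seen) { print }' "$1" "$2"
}

# samba_candidates PASSWD
# Same filter as the page's loop: uid > 400 and name not starting with "dg".
samba_candidates() {
    awk -F: '$3 > 400 && $1 !~ /^dg/ { print $1 }' "$1"
}

# Constructed sample input standing in for /etc/passwd.local and the
# passwd.ldap file written by cron_gbv_simple.sh (accounts are made up).
workdir=$(mktemp -d)
cat > "$workdir/passwd.local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
trunov:x:501:100:Local override:/home/trunov:/bin/bash
EOF
cat > "$workdir/passwd.ldap" <<'EOF'
trunov:x:10501:10000:LDAP copy:/lsdf/trunov:/bin/bash
dgservice:x:10600:10000:service account:/var/lib/dg:/sbin/nologin
alice:x:10601:10000:Alice:/lsdf/alice:/bin/bash
EOF

# Merged file: root, trunov (local line, uid 501), dgservice, alice
merge_accounts "$workdir/passwd.local" "$workdir/passwd.ldap" > "$workdir/passwd"

# Prints "trunov" and "alice": root fails the uid test, dgservice the prefix test
samba_candidates "$workdir/passwd"
```

On a real host the output of samba_candidates is what the page's loop feeds to smbpasswd -n -a, one user per line.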

Also need another cron job that creates dirs and links (see top of the page for the general discussion).


For now, going to do it manually:

mkdir /home/trunov

password conversion

How to automatically convert Windows passwords into Samba passwords?

pam_smbpass.so - conversion tool, in /lib/security

Otherwise we use the swat package (via web) or ssh, since users need to log in at least once and type in their password.

Con