Single Sign On + AD Authenticated Samba on Solaris 10 Sparc to a Windows 2003 Active Directory PDC
Following on from the previous post, we now show a way to ssh to your Solaris 10 SPARC server using an Active Directory user and password, and in addition to use Samba shares anywhere with your AD credentials.
BUILDING
Samba from blastwave does not include pam_winbind.so, which we need to plug into PAM so that our AD user and password can log in to Solaris, so we need to build our own Samba. The release I got is samba 3.0.28, from http://us4.samba.org/samba/ftp/stable/samba-3.0.28.tar.gz
We need to make sure all packages required to build and use Samba are in the system, so please obtain this list using pkg-get from blastwave.
Our Samba sources prefer GNU ld, so we are not going to use the Solaris native ld to build them; we move it aside and put the GNU linker on the PATH:
# mv /usr/ccs/bin/ld /usr/ccs/bin/ld.old
# ln -s /opt/csw/bin/gld /opt/csw/bin/ld
# export PATH=$PATH:/opt/csw/bin
We uncompress Samba in a directory called "/builds" and then:
# cd /builds/samba-3.0.28/source
# ./configure --with-ldap --with-ads --with-krb5=/opt/csw --with-winbind --with-pam --prefix=/usr/samba_ad
This will use the OpenLDAP client libraries in /opt/csw, and likewise the krb5 libraries in /opt/csw. If all requirements are met, run:
# make && make install
Everything will end up under /usr/samba_ad.
After building, you can always remove the gcc suite, automake, autoconf, flex and bison.
We now need to copy the nsswitch and pam extensions to their locations:
# cp /builds/samba-3.0.28/source/nsswitch/libnss_win* /usr/lib
# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
# ln -s /usr/lib/libnss_wins.so /usr/lib/libnss_wins.so.1
Now we copy the pam extension:
# cp /builds/samba-3.0.28/source/bin/pam_winbind.so /usr/lib/security
# cp /builds/samba-3.0.28/source/bin/pam_winbind.so /lib/security
# ln -s /usr/lib/security/pam_winbind.so /usr/lib/security/pam_winbind.so.1
# ln -s /lib/security/pam_winbind.so /lib/security/pam_winbind.so.1
CONFIGURING
/opt/csw/etc/krb5.conf:
/usr/samba_ad/lib/smb.conf:
/etc/nsswitch.conf, to add winbind to users and groups:
passwd: files winbind
group: files winbind
Our Windows 2003 Active Directory Primary Domain Controller is "fwa-dc01.aww.com", our AD domain is "AWW.COM", and our Solaris 10 SPARC server is "netra.aww.com", so we add these entries to /etc/hosts, taking care that the FQDN appears first:
172.16.1.38 netra.aww.com netra loghost
172.16.1.55 fwa-dc01.aww.com fwa-dc01
Now we configure pam.conf. We need to make sure home directories are created whenever a user from the Windows world logs in, so we get pam_mkhomedir from http://mega.ist.utl.pt/~filipe/pam_mkhomedir-sol/, at http://mega.ist.utl.pt/~filipe/pam_mkhomedir-sol/pam_mkhomedir-sol-0.0.1.tgz
We build pam_mkhomedir by uncompressing it at /builds/pam_mkhomedir and editing its Makefile to use the
solaris native ld:
LD=/usr/ccs/bin/ld.old
Now we build it:
# cd /builds/pam_mkhomedir
# make
And then we copy it to the system default for PAM modules:
# cp /builds/pam_mkhomedir/pam_mkhomedir.so /usr/lib/security
# ln -s /usr/lib/security/pam_mkhomedir.so /usr/lib/security/pam_mkhomedir.so.1
/etc/pam.conf, to use both pam_winbind and pam_mkhomedir, adding 4 lines:
login auth sufficient pam_winbind.so.1
other auth sufficient pam_winbind.so.1
other account sufficient pam_winbind.so.1
other session optional pam_mkhomedir.so.1 skel=/etc/skel umask=0022
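The nsswitch.conf and pam.conf changes above are easy to get subtly wrong (a missing "winbind" on the group line, or a pam.conf line that names a module that was never copied into /usr/lib/security), and the symptom is usually just a failed login with little explanation. The following shell script is an added example, not part of the original post: it audits the two files for the entries described above and checks that every module named in pam.conf exists in the module directory. The file contents, the temporary directory and the module directory it uses are constructed for the demonstration; on a real system you would point the functions at /etc/nsswitch.conf, /etc/pam.conf and /usr/lib/security.

```shell
#!/bin/sh
# Added example (not from the original post): audit the nsswitch.conf and
# pam.conf entries needed for winbind logins, and confirm that every PAM
# module the configuration names actually exists in the module directory.
# All file contents and paths below are constructed for the demonstration.

# nss_has_winbind FILE DATABASE
# Succeeds when the uncommented nsswitch line for DATABASE (e.g. "passwd")
# lists winbind as one of its sources.
nss_has_winbind() {
    awk -v db="$2" '
        BEGIN { key = db ":" }
        $0 !~ /^[ \t]*#/ && $1 == key {
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# pam_has_entry FILE SERVICE TYPE MODULE
# Succeeds when pam.conf has an uncommented "SERVICE TYPE <flag> MODULE" line
# (Solaris pam.conf columns: service, module type, control flag, module path).
pam_has_entry() {
    awk -v svc="$2" -v type="$3" -v mod="$4" '
        $0 !~ /^[ \t]*#/ && $1 == svc && $2 == type && $4 == mod { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# pam_modules_present FILE DIR
# Prints every module named in pam.conf that cannot be found (relative names
# are resolved under DIR); succeeds only when nothing is missing.
pam_modules_present() {
    missing=0
    for mod in $(awk '$0 !~ /^[ \t]*#/ && NF >= 4 { print $4 }' "$1" | sort -u); do
        case "$mod" in
            /*) path="$mod" ;;       # absolute path given in pam.conf
            *)  path="$2/$mod" ;;    # bare module name lives in the module directory
        esac
        if [ ! -e "$path" ]; then
            echo "missing PAM module: $path"
            missing=1
        fi
    done
    return "$missing"
}

# --- constructed sample configuration, stands in for /etc and /usr/lib/security ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/nsswitch.conf" <<'EOF'
passwd: files winbind
group: files winbind
hosts: files dns
EOF
cat > "$DEMO/pam.conf" <<'EOF'
# service type control module options
login auth sufficient pam_winbind.so.1
other auth sufficient pam_winbind.so.1
other account sufficient pam_winbind.so.1
other session optional pam_mkhomedir.so.1 skel=/etc/skel umask=0022
EOF
mkdir -p "$DEMO/security"
touch "$DEMO/security/pam_winbind.so.1"   # pam_mkhomedir.so.1 deliberately not copied yet

# audit_demo: run the checks against the constructed files and report.
audit_demo() {
    nss_has_winbind "$DEMO/nsswitch.conf" passwd && echo "nsswitch passwd: winbind ok"
    nss_has_winbind "$DEMO/nsswitch.conf" group  && echo "nsswitch group: winbind ok"
    pam_has_entry "$DEMO/pam.conf" login auth pam_winbind.so.1 && echo "pam login auth: ok"
    pam_has_entry "$DEMO/pam.conf" other session pam_mkhomedir.so.1 && echo "pam other session: ok"
    if pam_modules_present "$DEMO/pam.conf" "$DEMO/security"; then
        echo "all PAM modules present"
    else
        echo "copy the missing modules before enabling these pam.conf lines"
    fi
}

audit_demo
```

Run the audit before logging out of your root session: a pam.conf that references a module the loader cannot find is the classic way to lock yourself out of a box, and the module check here catches exactly the "copied to /lib/security but not /usr/lib/security" mistake.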
STARTING DAEMONS
After this, we can start samba, and see the effects:
# export PATH=/usr/samba_ad/sbin:/usr/samba_ad/bin:/opt/csw/bin:/opt/csw/sbin:$PATH
# pkill winbindd; pkill smbd; pkill nmbd; /etc/init.d/cswsamba stop
# /opt/csw/bin/kdestroy
# net ads leave -U "Administrator%M1cr050ft123"
# /opt/csw/bin/kinit Administrator@AWW.COM
# net ads join -U "Administrator%M1cr050ft123"
# winbindd -B
# smbd -D
# nmbd -D
TESTING
I wrote an easy test script called sambatest.ksh:
#!/bin/bash
# Put our own Samba build, the CSW tools and the system paths first, and point the loader at our Samba libraries
export PATH=/usr/samba_ad/sbin:/usr/samba_ad/bin:/opt/csw/bin:/opt/csw/sbin:/usr/sbin:/usr/bin:/usr/openwin/bin:/opt/csw/gcc3/bin:/usr/sfw/bin:/usr/ccs/bin:/usr/local/bin:/usr/local/bin:/usr/local/sbin
export LD_LIBRARY_PATH=/usr/samba_ad/lib
set -x
# Confirm that the binaries resolved on PATH are the ones we built, not the blastwave ones
which net
which smbd
which nmbd
which winbindd
which klist
which kinit
sleep 5
# Anonymous share listing, then winbind domain/group/user queries and the name service view
smbclient -L netra -U%
wbinfo -m
wbinfo -g
wbinfo -u
getent passwd
getent group
# Domain membership status and information about the DC we joined
net ads status
net ads info
Please note that wbinfo -m shows your AD domain, wbinfo -u and wbinfo -g show users and groups, and getent passwd should show both your local and AD users.
Now we use ssh with an Active Directory user and password; it should look like this:
root@kraftek:~# ssh bmahock@netra
Password:
Creating directory ‘/export/home/AWW.bmahock’.
Last login: Sat Feb 2 19:53:08 2008 from localhost
/usr/openwin/bin/xauth: creating new authority file /export/home/AWW.bmahock/.Xauthority
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
-bash-3.00$ id
uid=10004(bmahock) gid=10008(domain users)
-bash-3.00$ pwd
/export/home/AWW.bmahock
Then it’s just a question of enjoying. 🙂
BINARIES
If you don't want to compile much, just install the CSW packages mentioned above and get these binaries: samba_ad_solaris_10_sparc.tar.gz. Put them at / and untar them; be careful, these contain the libraries needed at /usr/lib/security and /usr/lib. Then just configure /etc/nsswitch.conf, /etc/pam.conf, /usr/samba_ad/lib/smb.conf, /etc/krb5.conf and /opt/csw/etc/krb5.conf, verify with ldd for each program and library that no symbol is missing, and start your engines!
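Running ldd by hand over every binary and module in /usr/samba_ad is tedious, and a library that resolves on the build box can be absent on the box where the tarball is untarred. The shell script below is an added example, not part of the original post: it reads ldd output and reports the dependencies the loader could not resolve, matching both the Solaris form ("(file not found)") and the GNU form ("not found"), and a wrapper walks whole directories. The sample ldd output embedded in it is constructed; the directory list in the usage comment assumes the /usr/samba_ad layout from this post.

```shell
#!/bin/sh
# Added example (not from the original post): find dynamic dependencies that
# ldd reports as unresolved, so a freshly untarred /usr/samba_ad tree can be
# checked before the daemons are started. The sample ldd output is constructed.

# missing_deps: read ldd output on stdin, print each unresolved entry
# (leading whitespace stripped); succeeds only when nothing is missing.
# "not found" matches both Solaris "(file not found)" and GNU ldd "not found".
missing_deps() {
    awk '
        /not found/ { sub(/^[ \t]+/, ""); print; missing = 1 }
        END { exit missing ? 1 : 0 }'
}

# check_objects DIR...: run ldd on every regular file under the given
# directories and list the unresolved dependencies per file.
# Succeeds only when every object resolved cleanly.
check_objects() {
    bad=0
    for obj in $(find "$@" -type f); do
        # ldd prints "not a dynamic executable" for scripts and data files;
        # those contain no "not found" line and are reported as clean.
        if out=$(ldd "$obj" 2>/dev/null | missing_deps); then
            continue
        fi
        bad=1
        echo "$obj:"
        printf '%s\n' "$out" | sed 's/^/    /'
    done
    return "$bad"
}

# Constructed ldd output mixing a Solaris-style and a GNU-style failure line.
SAMPLE_LDD='        libldap.so.2 => /opt/csw/lib/libldap.so.2
        libkrb5.so.3 => (file not found)
        libc.so.1 => /lib/libc.so.1
        libgssapi_krb5.so.2 => not found'

# demo_missing: feed the constructed output through the parser.
demo_missing() {
    printf '%s\n' "$SAMPLE_LDD" | missing_deps
}

# Usage on the real tree (assumed layout from this post):
#   ./lddcheck.sh /usr/samba_ad/bin /usr/samba_ad/sbin /usr/samba_ad/lib /usr/lib/security
if [ $# -gt 0 ]; then
    check_objects "$@"
else
    demo_missing
fi
```

The parser only sees what ldd itself reports, so it catches a library that is absent or outside the loader's search path; it does not see LD_LIBRARY_PATH set later by a wrapper script, so run it with the same environment the daemons will start under.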
SCREENSHOTS
[Screenshot: Computers]
[Screenshot: Users]
[Screenshot: freenx Solaris GNOME session for an Active Directory user, yes he can also use sudo!]
[Screenshot: Windows XP using his AD user+pass, and passwordless-ly view and ]
[Screenshot: smb.conf]