An Unofficial HOWTO build a FreeBSD 5.x/6.x Fileserver using Samba/Active Directory Services
by Michael Brown
mikal at mikro-net dot com
http://oslabs.mikro-net.com/
version 0.96 - 5/3/2005
this is a work in progress
First of all:
I haven't looked at this doc in a while, and I realized that there were a lot of unnecessary steps, so I revised and cleaned it up a bit.
A huge thank you to the Samba Team for providing a window into the weird world of windows! Many thanks and kudos and praise, etc. are due to these people, they are phenomenal! Also thanks to the Heimdal project, Project Cyrus, PADL, and the OpenLDAP team.
Introduction:
This document is meant as a guide to building a fileserver that runs on FreeBSD >= 5.1 and operates seamlessly in a Microsoft Active Directory environment, whether Windows 2000 or 2003. Windows domain members (clients) can browse shares on this server as if it were a Windows server. Permissions can be granted on a domain user/group basis through Samba's winbind, which maps AD accounts to FreeBSD 5.x's built-in POSIX ACLs (using UFS2). All of this is possible through Samba's ability to use Kerberos/SASL and LDAP to authenticate as if it were a native Windows machine. We will upgrade the stock FreeBSD Heimdal, and install Cyrus-SASL and OpenLDAP to provide this functionality.
Other services besides SMB/CIFS can be extended via PAM (ssh, ftp, printing, etc.), and an example will be shown using ssh.
(Also see http://www.bzerk.nl/documents/ntdomauth/ for an ftp example using pam_winbind.) For more in-depth research into Samba and its functionality, please see http://us1.samba.org/samba/docs, the official Samba documentation link page. Much of the information in this document is in fact indebted to the links on that page.
For information on mapping principals from alternative Kerberos realms (e.g. MIT or Heimdal KDCs) to AD principals, see http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp.
Caveat:
This document assumes an intermediate level of familiarity with basic networking principles, FreeBSD and unix-like systems in general. It also assumes you have a functional Windows 2000 or 2003 Active Directory Domain Controller in your network and you have an account with the administrative right to add machine accounts to the domain. You will need this account information to authenticate to Active Directory. We will not be using Samba's name-services daemon (nmbd) in this scenario, as we are striving to push all naming contexts through DNS.
Nota Bene!! With the new (as of 2/10/2004, and 6 months old according to eEye) Microsoft ASN.1 advisories, I would recommend asking your Windows admin (I am assuming Windows responsibility does not fall under your position) to patch their servers (see this page for more to come on heretofore unpatched Windows vulns), and to read and implement the measures in this paper from Microsoft:
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
so that all SSL is restricted to v3 or TLS only.
I have added some comments to the config files, please read them. These comments are to explain some of the why/how of features within that particular file. I hope it may help in some way. You will replace the following information in the config files (as described in the howto) with that which is applicable to your realm/domain:
fbsdad is our FreeBSD box's hostname
who.com is your AD domain FQDN/kerberos realm, which would make our box fbsdad.who.com
dc.who.com is the FQDN of your AD Domain Controller
192.168.129.50(/24) is the IP address of dc.who.com
admin is your account login
cn=admin,cn=users,dc=who,dc=com is the ldap dn for your admin AD account
pa55w0rd is the AD password for the admin account
*EOF* indicates the end of that particular config file
This was done with FreeBSD 5.3 release and works against Win2k 'Native Mode' and 2k3
'Windows Server 2003 Functional Level'.
This is also assuming standard FreeBSD 5.3 install (without samba as a package).
FreeBSD 5.3 RELEASE comes with OpenSSL 0.9.7e(?) by default. (You may want to upgrade openssl to the current stable version, 0.9.7g, as of this writing.)
FreeBSD POSIX ACLs now exist (since FreeBSD 5.1-RELEASE) for UFS2, enabling fine-grained permission sets. To activate the ACLs you must edit /etc/fstab to mount the filesystems correctly: add the option 'acls' to the filesystems you wish to activate. Example:
cat /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b none swap sw 0 0
/dev/ad0s1a / ufs rw,acls 1 1
/dev/ad0s1h /exp ufs rw,acls 2 2
/dev/ad0s1g /home ufs rw,acls 2 2
/dev/ad0s1f /tmp ufs rw,acls 2 2
/dev/ad0s1d  /usr ufs rw,acls 2 2
/dev/ad0s1e /var ufs rw,acls 2 2
/dev/acd0 /cdrom cd9660 ro,noauto 0 0
*EOF*
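A quick audit of the fstab edit above, as an added example (not part of the original HOWTO): it lists every UFS filesystem mounted without the 'acls' option, since Samba's ACL mapping silently degrades to plain mode bits on such a filesystem. The sample fstab embedded in the script is constructed from the one above, with /exp deliberately missing 'acls'.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): audit an fstab for UFS
# filesystems that lack the 'acls' mount option.

# Constructed sample fstab (based on the HOWTO's); /exp lacks 'acls'.
SAMPLE_FSTAB='# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b none swap sw 0 0
/dev/ad0s1a / ufs rw,acls 1 1
/dev/ad0s1h /exp ufs rw 2 2
/dev/ad0s1g /home ufs rw,acls 2 2
/dev/acd0 /cdrom cd9660 ro,noauto 0 0'

# ufs_without_acls FILE
# Prints one mountpoint per line for every UFS entry whose option list
# (4th field) does not contain 'acls'. Comments and non-UFS entries are skipped.
ufs_without_acls() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }
        $3 == "ufs" {
            n = split($4, opts, ",")
            has = 0
            for (i = 1; i <= n; i++) if (opts[i] == "acls") has = 1
            if (!has) print $2
        }' "$1"
}

# fstab_acls_ok FILE -> exit status 0 only if every UFS filesystem has 'acls'
fstab_acls_ok() {
    [ -z "$(ufs_without_acls "$1")" ]
}

# Demo on the constructed sample (written to a temp file); on a real box run
# ufs_without_acls /etc/fstab before mounting or rebooting.
demo_fstab=$(mktemp)
printf '%s\n' "$SAMPLE_FSTAB" > "$demo_fstab"
ufs_without_acls "$demo_fstab"    # prints: /exp
```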
Active Directory's (IMHO) most secure form eschews NetBIOS and places all name service requests within DNS. To begin, edit your /etc/resolv.conf file so that you use your AD domain controller as a nameserver, preferably the primary nameserver; also add the domain name as at least one of the search domains:
cat /etc/resolv.conf
search who.com
domain who.com
#add other search domains here
#This is the AD dc
nameserver 192.168.129.50
#Add any other dns servers here
Gather necessary source tarballs (x or xx designates latest stable version):
db-4.3.xx.tar.gz with strong crypto (www.sleepycat.com)
heimdal-0.6.x (ftp://ftp.pdc.kth.se/pub/heimdal/src/)
openldap-2.2.x.tar.gz (www.openldap.org)
cyrus-sasl-2.1.xx.tar.gz (http://asg.web.cmu.edu/sasl/)
samba-3.0.x.tar.gz (www.samba.org)
FreeBSD 5.3 comes with Heimdal 0.6.1 (Kerberos) installed under /usr. Whatever the version of Heimdal, we will upgrade it, to ensure past reported vulnerabilities are properly patched. The stable version as of this writing is 0.6.4, which we will build from source:
Extract heimdal tarball and build:
tar xvfz heimdal-0.6.x.tar.gz
cd heimdal-0.6.x
./configure --prefix=/usr --enable-shared --sysconfdir=/etc
make
At this point back up your su and login files as root, as there will be problems when the heimdal install overwrites these files:
# cp /usr/bin/login /usr/bin/login.bak; cp /usr/bin/su /usr/bin/su.bak
Now install, and overwrite the new files with your backups:
make install
# mv /usr/bin/su.bak /usr/bin/su; mv /usr/bin/login.bak /usr/bin/login
Create /etc/krb5.conf:
cat /etc/krb5.conf
#/etc/krb5.conf
#where you want your logs
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
#Your AD domain FQDN
[libdefaults]
default_realm = WHO.COM
# AD domain, DC FQDNs
[realms]
WHO.COM = {
kdc = dc.who.com
default_domain = who.com
admin_server = dc.who.com
}
#Translating all possible forms of the domain name to WHO.COM
[domain_realm]
.who.com = WHO.COM
who.com = WHO.COM
.WHO.COM = WHO.COM
#This is used if you have alternative KDCs in your realm (not Windows)
#that you are mapping trust accounts to in the Windows domain
#see http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
#[kdc]
#profile = /home/krb5kdc/kdc.conf
#self-explanatory
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
*EOF*
Since we are using Kerberos auth, at this point you must ensure that your box's system clock is within 300 seconds (5 minutes) of your domain controller's clock. FreeBSD's date command is different from Linux's and Solaris 9's; I know I am missing something here to automate/convert it.
So we need an NTP daemon to synchronize our system clock against the DC's time service. Please make sure your Windows domain's NTP service itself checks against a valid time server! We will obtain ntpd from ports:
cd /usr/ports/net/ntp
make install clean
Create necessary config files (/etc/ntp.conf, /etc/ntp.drift):
cat /etc/ntp.conf
# /etc/ntp.conf
# This is your AD DC - we will synchronize against its time service
server dc.who.com prefer
driftfile /etc/ntp.drift
*EOF*
touch /etc/ntp.drift
Launch the daemon:
/usr/local/bin/ntpd -c /etc/ntp.conf
You can automate this to run at system start, of course.
The ntp package includes a client tool, ntpdc. We will use this to check our connection; type 'ntpdc' and at the prompt type 'peers' (Type 'help' at the prompt to see available commands - man ntpdc for more info):
ntpdc
ntpdc>peers
remote local st poll reach delay offset disp
=======================================================================
*dc.who.com 192.168.12.18 3 1024 37 0.00049 -0.021527 0.46245
ntpdc>
You should see something similar to the above. You can alternatively get the same view with 'ntpq -p'.
A quick and dirty alternative workaround is to get the DC's clock time manually and set the box to it:
/usr/samba/bin/net time -S dc.who.com
Sun Feb 8 22:07:58 2004
date
Sun Feb 8 22:09:00 PST 2004
/usr/samba/bin/net time set -S dc.who.com
date: illegal time format
usage: date [-jnu] [-d dst] [-r seconds] [-t west] [-v[+|-]val[ymwdHMS]] ...
[-f fmt date | [[[[[cc]yy]mm]dd]HH]MM[.ss]] [+format]
date 0402082210.00
Check your watch..... ;-)
Installing the NTP service is (IMHO) the more robust solution.
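The clock-skew check that the paragraph above leaves unautomated, as an added example (not part of the original HOWTO): it parses the 'net time -S' output shown above with FreeBSD's date -j -f (falling back to GNU date -d elsewhere) and compares it with the local clock against the 300-second Kerberos tolerance. dc.who.com and /usr/samba/bin/net are the HOWTO's values; the two sample timestamps at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): verify Kerberos clock skew
# against the AD DC before running kinit / net ads join.

MAX_SKEW=300   # Kerberos default tolerance, in seconds

# net_time_to_epoch "Sun Feb 8 22:07:58 2004" -> seconds since the epoch
# (the format Samba's 'net time -S' prints, as shown in the HOWTO).
# FreeBSD date(1) parses with -j -f; 'date -j' fails on GNU, so fall back to -d.
net_time_to_epoch() {
    if date -j >/dev/null 2>&1; then
        date -j -f '%a %b %e %T %Y' "$1" '+%s'
    else
        date -d "$1" '+%s'
    fi
}

# skew_seconds DC_EPOCH LOCAL_EPOCH -> absolute difference in seconds
skew_seconds() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    echo "$d"
}

# skew_ok DC_EPOCH LOCAL_EPOCH -> exit status 0 if within MAX_SKEW
skew_ok() {
    [ "$(skew_seconds "$1" "$2")" -le "$MAX_SKEW" ]
}

# check_dc_skew DC -> asks the DC for its time via Samba's net(8) and compares.
# Returns 0 on OK, 1 if the skew is too large, 2 if the DC could not be queried.
check_dc_skew() {
    dc_str=$(/usr/samba/bin/net time -S "$1") || return 2
    dc_epoch=$(net_time_to_epoch "$dc_str") || return 2
    local_epoch=$(date '+%s')
    skew=$(skew_seconds "$dc_epoch" "$local_epoch")
    if skew_ok "$dc_epoch" "$local_epoch"; then
        echo "clock skew ${skew}s against $1: OK, kinit will work"
    else
        echo "clock skew ${skew}s against $1: exceeds ${MAX_SKEW}s, sync ntpd first" >&2
        return 1
    fi
}

# Demo on constructed timestamps (the DC and local times from the HOWTO's
# transcript, 62 seconds apart); on a real box run: check_dc_skew dc.who.com
skew_seconds "$(net_time_to_epoch 'Sun Feb 8 22:09:00 2004')" \
             "$(net_time_to_epoch 'Sun Feb 8 22:07:58 2004')"    # prints: 62
```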
Test new Heimdal install against active directory KDC:
kinit admin
password for admin@WHO.COM:
p455w0rd *this is masked, of course*
kinit: NOTICE: ticket renewable lifetime is 1 week
List current kerberos tickets with 'klist' command:
klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@WHO.COM
Issued Expires Principal
Feb 6 21:54:40 Feb 6 07:54:40 krbtgt/WHO.COM@WHO.COM
This means you have a valid ticket granting ticket (tgt) from MS AD! Half of the hard
part is over. :)
Extract the Berkeley DB tarball in a temporary directory and install:
tar xvfz db-4.3.xx.tar.gz
cd db-4.3.xx/build_unix
../dist/configure --prefix=/usr
make && make install
Extract cyrus-sasl sources and install referring to heimdal in /usr:
tar xvfz cyrus-sasl-2.1.xx.tar.gz
cd cyrus-sasl-2.1.xx
./configure --prefix=/usr \
--with-dblib=berkeley \
--enable-gssapi
make && make install
Since we are using the AD DC as an LDAP backend, we will not compile slapd or slurpd. We only need the client tools.
Extract openldap source and install:
tar xvfz openldap-2.2.xx.tar.gz
cd openldap-2.2.xx
./configure --prefix=/usr \
--disable-slapd \
--disable-slurpd \
--with-tls \
--with-cyrus-sasl
make depend && make && make install
This example assumes you have the DC server certificate from MS
Certificate Services (this is generated from the root cert that must be installed somewhere in the domain so DC's
can be connected to via LDAP over SSL). For a guide on how to obtain this certificate click *here*.
Create ldap.conf:
cat /usr/etc/openldap/ldap.conf
# Active Directory server. Define multiple servers by delimiting
# them with spaces.
host dc.who.com
# Search base
base dc=who,dc=com
# LDAP version 3
ldap_version 3
#URI for AD server
#Switch these if not using LDAP/SSL or do not have the MS Cert Svcs installed
#in the domain
#URI ldap://dc.who.com
URI ldaps://dc.who.com
# Bind DN (this might not be needed at all for anon LDAP connections(win2k)).
# This should be the DN of the AD account you have
# that can create machine accounts
binddn cn=ldapadmin,cn=users,dc=who,dc=com
bindpw p455w0rd
# Use port 636 for SSL
#port 636 (not really needed when ssl=on it is port 636 by default)
# Search scope
scope sub
# User ID attr for AD
pam_login_attribute sAMAccountName
#MD5 passwd hash
pam_password md5
# Break off the connection after one hour of idle time
idle_timelimit 3600
# This is mapping made possible by nss_ldap
# Bases for the searches. These should be the OU's
# you create the user accounts in.
# Here we reference the standard default AD user container
# Please change to the container your users reside in
nss_base_passwd cn=Users,dc=who,dc=com?one
nss_base_group cn=Users,dc=who,dc=com?one
# The msSFU mappings reference Microsoft's Services for Unix
# Which you may uncomment if you have this installed on your DC
# *Schema mappings for Active Directory*
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid sAMAccountName
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute uniqueMember member
#nss_map_attribute cn sAMAccountName
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
# SSL is enabled - Comment this line if no MS Enterprise Root CA Cert
ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no". Uncomment this if you have a client cert (you won't: MS LDAP
# over SSL does not authenticate client certs, just a valid AD password)
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
# This again refers to the MS Root CA Cert - comment it if none
TLS_CACERT /etc/ca/ldapca.pem
# SSL cipher suite
# See man ciphers for syntax
# comment this if no cert
tls_ciphers TLSv1
# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
krb5_ccname FILE:/tmp/krb5cc_0
*EOF*
Symlink ldap.conf to needed locations:
ln -s /usr/etc/openldap/ldap.conf /etc/ldap.conf
ln -s /usr/etc/openldap/ldap.conf /usr/etc/ldap.conf
Test out your openldap installation with ldapsearch:
/usr/bin/ldapsearch
SASL/GSSAPI authentication started
SASL username: admin@WHO.COM
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
etc,etc.....
It should print out lines upon lines of AD info for you, as you are
authenticating to the AD tree through SASL from the former ticket you were
granted from the dc. Now check your ticket list:
klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@WHO.COM
Issued Expires Principal
Feb 6 21:54:40 Feb 7 07:54:40 krbtgt/WHO.COM@WHO.COM
Feb 6 21:57:28 Feb 7 07:54:40 ldap/dc.who.com@WHO.COM
Good. You will see these tickets if the ldapsearch command was issued without the '-x' param (which forces a simple bind instead of SASL/GSSAPI).
We are almost ready to install samba, we just need to prepare the environment.
Create the samba PAM config file:
touch /etc/pam.d/samba
Edit /etc/pam.d/system (the system-wide PAM defaults):
cat /etc/pam.d/system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient pam_winbind.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account sufficient pam_winbind.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
*EOF*
Edit /etc/pam.d/samba
cat /etc/pam.d/samba
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
*EOF*
Create /etc/nsswitch.conf
cat /etc/nsswitch.conf
passwd: files winbind
group: files winbind
*EOF*
Install samba from source, we will install into /usr/samba as example
tar xvfz samba-3.0.x.tar.gz
cd samba-3.0.x/source
./configure --prefix=/usr/samba \
--with-acl-support --with-winbind \
--with-ldap \
--with-pam --with-pam_smbpass \
--with-krb5=/usr --with-ads \
--with-shared-libraries=idmap_rid
make && make install
Copy nss_winbind.so and pam_winbind.so to /usr/lib and create needed
symlinks:
cp nsswitch/nss_winbind.so /usr/lib
cp nsswitch/pam_winbind.so /usr/lib
ln -s /usr/lib/nss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/lib/pam_winbind.so /usr/lib/pam_winbind.so.2
Create smb.conf. This is an example that assumes you have the Root CA certificate from MS Cert Services (this needs to be installed somewhere in the domain so DCs can be connected to via LDAP over SSL). Those parameters are commented out; you can enable them if you choose to use AD as an LDAP backend. We will use the idmap_rid module we built to ensure consistent rid -> uid/gid maps on any Samba server (assuming the same mapping range is configured on each). This only works with one domain, however, as you must set "allow trusted domains = no" for it to work its magic.
cat /usr/samba/lib/smb.conf
[global]
#This would be your AD Domain (kerberos realm)
realm = WHO.COM
security = ADS
encrypt passwords = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
workgroup = WHO
server string = fbsd samba
# needed for idmap_rid
allow trusted domains = no
# change range as needed, note that the total number of mappings must fit within your range
idmap backend = idmap_rid:WHO=10000-13000
# change this as needed; this maps AD user/group accounts to unix uids/gids
idmap uid = 10001-13000
idmap gid = 10001-13000
disable netbios = Yes
#Uncomment this if DOMAIN\user not wanted (changes to DOMAIN+user) *not recommended*
#winbind separator = +
#Uncomment this if you want the DOMAIN\ stripped from the username from winbind
#and you only have one trusting domain
#winbind use default domain = Yes
#Change this to where you want the samba log
log file = /var/log/samba.log
#Debug level goes from 1 to 10; 10 is way too much info for me to understand ;)
#debug level = 10
#log level = 2
#kernel oplocks = no
#assuming you installed bash - change as needed
template shell = /usr/local/bin/bash
#------------------------------
#This section is not needed unless you want to use AD as an ldap backend and you
#compiled samba with the '--with-ldapsam' switch
#ldap suffix = DC=who,DC=com
#ldap admin dn = "cn=admin,cn=users,DC=who,DC=com"
#ldap filter = "(&(uid=%u)(objectclass=person))"
#ldap filter ="(&(uid=%u)(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
#Uncomment this if you are using AD as LDAP backend and do not have the MS Cert Services Root CA Certificate
#ldap port = 3268
#ldap server = dc.who.com
#Comment this line if no MS Cert
#ldap ssl = on
#Change the URI to ldap://dc.who.com:3268 if no MS Cert
#passdb backend = ldapsam:ldaps://dc.who.com:3269
#--------------------------------
#This is needed for Win2k3 server unless you
#apply the famous registry hack
client signing = mandatory
server signing = mandatory
#Uncomment this if you want 139 open, but why
#would you? We're doing SMB over TCP only
#no NetBIOS here
smb ports = 445
restrict anonymous = 2
#This provides a secure channel for SMB; comment these
#out if you don't want it
client schannel = yes
server schannel = yes
#NTLMv2 authentication only. Don't change this if your
#domain's functional level is at least 2000 Native; use the strongest
#password scheme you can -- this is MS, after all
client ntlmv2 auth = yes
#Share - Simple Example - man smb.conf for details
[storage]
path = /home/share
read only = no
*EOF*
If using AD as ldap backend, create secrets.tdb for ldap connect to AD
/usr/samba/bin/smbpasswd -w p455w0rd
You should still have a valid ticket from the domain controller, so join the server to the domain:
/usr/samba/bin/net ads join
Using short domain name -- WHO
Joined 'FBSDAD' to realm 'WHO.COM'
This shows a successful join.
Test it:
/usr/samba/bin/net ads testjoin
Join is OK.
Check your ticket list; it should look similar to this:
klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@WHO.COM
Issued Expires Service principal
Feb 7 21:33:03 Feb 8 07:33:01 krbtgt/WHO.COM@WHO.COM
Feb 7 21:33:02 Feb 8 07:33:01 ldap/dc.who.com@WHO.COM
Feb 7 21:33:09 Feb 8 07:33:01 dc$@WHO.COM
Feb 7 21:33:09 Feb 8 07:35:09 kadmin/changepw@WHO.COM
This reflects all the AD Kerberos tickets that have been gained thus far.
Start the server (remember we are not using the NetBIOS elements of Samba, so we will not be using nmbd):
/usr/samba/sbin/smbd -D
/usr/samba/sbin/winbindd
Now check to see if winbind is grabbing the Windows domain accounts:
/usr/samba/bin/wbinfo -u
WHO\administrator
WHO\admin
WHO\mary
etc.....
/usr/samba/bin/wbinfo -g
WHO\Domain Users
WHO\Domain Admins
WHO\Enterprise Admins
etc......
Check /var/log/samba.log (or wherever you are logging samba) for errors.
The finish line is within reach, but first we must explore FreeBSD's ACL interface.
There are two main commands for our needs: setfacl and getfacl. For greater detail man getfacl or man setfacl. Now that we have the Samba daemons running, we can connect to the DC and extract account information that will be added to this box's current databases.
There is no getent command provided by default in FreeBSD, but you can download the getpwent and getgrent utilities here (md5: a90485ec254c2e9a0a6e4f69c6701716). Alternatively one can use the 'pw' command, which will, if winbind is working properly, populate the db. Remember we used 10001-30000 for our idmap uids and gids, so here is an example:
pw usershow 10001
WHO\administrator:*:10001:10001::0:0:administrator:/home/WHO/administrator:/usr/local/bin/bash
pw usershow 10002
WHO\admin:*:10002:10001::0:0:admin:/home/WHO/admin:/usr/local/bin/bash
pw groupshow WHO\\Domain\ Admins
WHO\Domain Admins:*:10002:WHO\administrator,WHO\admin,WHO\mary
etc....
Scripts could be written to automate the process in large networks.
Our shared directory /home/share needs to be accessible by your domain account (uid 10002 is WHO\admin in the mapping above):
setfacl -m u:10002:rwx /home/share
Check acls on that directory:
getfacl /home/share
#file:/home/share
#owner:0
#group:0
user::rwx
user:WHO\admin:rwx
group::r-x
mask::rwx
other::r-x
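A check to run on the getfacl output above, as an added example (not part of the original HOWTO): it reports the permissions a named user or group entry effectively grants, which is the entry's rwx bits ANDed with the mask:: entry. A setfacl that narrows the mask leaves "user:WHO\admin:rwx" in place but the account only gets what the mask allows. The sample ACL embedded below is constructed from the one above, with a named group entry and a narrowed mask added to show the effect.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): compute effective POSIX ACL
# permissions from getfacl(1) output, honouring the mask:: entry.

# Constructed sample: the HOWTO's /home/share ACL plus a named group entry
# and a deliberately narrowed mask.
SAMPLE_ACL='#file:/home/share
#owner:0
#group:0
user::rwx
user:WHO\admin:rwx
group::r-x
group:WHO\Domain Users:rwx
mask::r-x
other::r-x'

# acl_entry_perms TAG NAME  (getfacl output on stdin)
# Prints the rwx field of the TAG:NAME entry; fails if there is no such entry.
# Values are passed through ENVIRON rather than awk -v, because -v would turn
# the "\a" in "WHO\admin" into a bell character.
acl_entry_perms() {
    ACL_TAG="$1" ACL_NAME="$2" awk -F: '
        $1 == ENVIRON["ACL_TAG"] && $2 == ENVIRON["ACL_NAME"] { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# mask_perms PERMS MASK -> PERMS with each of r, w, x kept only if MASK has it
mask_perms() {
    printf '%s\n' "$1" | awk -v m="$2" '{
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr($0, i, 1)
            out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        print out
    }'
}

# acl_effective TAG NAME  (getfacl output on stdin)
# The owner entry (user::) and other:: are never masked; every other entry,
# including the owning group (group::), is ANDed with mask::.
acl_effective() {
    acl=$(cat)
    perms=$(printf '%s\n' "$acl" | acl_entry_perms "$1" "$2") || return 1
    if [ "$1" = other ] || { [ "$1" = user ] && [ -z "$2" ]; }; then
        printf '%s\n' "$perms"
        return 0
    fi
    # An ACL with no mask:: entry has no named entries either; treat it as rwx.
    mask=$(printf '%s\n' "$acl" | acl_entry_perms mask "") || mask=rwx
    mask_perms "$perms" "$mask"
}

# Demo on the constructed sample: both named entries say rwx, the mask says r-x.
# On a real box: getfacl /home/share | acl_effective user 'WHO\admin'
printf '%s\n' "$SAMPLE_ACL" | acl_effective user 'WHO\admin'           # r-x
printf '%s\n' "$SAMPLE_ACL" | acl_effective group 'WHO\Domain Users'   # r-x
```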
Ok.... So far so good. Let's connect with Samba's smbclient (again, using our kerberos ticket, thus the '-k' option) to a share on the AD domain controller, let's assume the share UNC path is '\\dc.who.com\usershare':
/usr/samba/bin/smbclient -k //dc.who.com/usershare
OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]
smb: \>
Let's connect to ourselves (our Samba share), but while authenticating to the DC (via our kerberos tgt):
smbclient -k //fbsdad/share
OS=[Unix] Server=[Samba 3.0.x]
smb: \>
Now for the final test - in your network, there is certainly a winstation!(2000/XP)
Navigate to it and login as your admin account.
Open an explorer window and connect to your freebsd box using the UNC name: \\fbsdad
Right click on the share folder and select 'properties'.
Select the 'security' tab.
Is WHO\admin listed? GOOD! Your AD acls are being properly mapped to your local POSIX acls.
Now we will enable sshd with pam_winbind so we can log in to this box using our Windows domain account.
We'll grab the latest version from openssh.org here.
Extract the sources, configure for PAM usage, build and install:
tar xvfz openssh-4.xpx.tar.gz
cd openssh-4.xpx
./configure --prefix=/usr --with-md5-passwords \
--with-pam --with-zlib \
--sysconfdir=/etc/ssh
make && make install
Edit /etc/ssh/sshd_config for pam usage by uncommenting and changing this line:
#UsePAM no
To:
UsePAM yes
Now restart sshd:
/etc/rc.d/sshd restart
Now you may want your users to be able to have their home directories created on the fly when they log in. This is entirely possible with PAM. FreeBSD 5.x does not come with a pam_mkhomedir module, but I have compiled one using a patched version of the Linux-PAM-0.75 source built for FreeBSD. This can be found _here_.
(md5sum: eef7cb89e218478dfba56ad2fade1e2f ).
If you want to download the source for Linux PAM-0.75 and patch it yourself, the patch can be found in this post to the freebsd lists:
http://lists.freebsd.org/pipermail/freebsd-questions/2003-October/021555.html
Download & check md5, gunzip; or patch and compile yourself and copy the pam_mkhomedir.so file to /usr/lib
gunzip pam_mkhomedir.so.gz; cp pam_mkhomedir.so /usr/lib
ln -s /usr/lib/pam_mkhomedir.so /usr/lib/pam_mkhomedir.so.2
Now we will edit the /etc/pam.d/sshd to allow windomain logins via ssh, and call on the pam_mkhomedir module to create a home directory upon login if one doesn't exist:
cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_winbind.so
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account sufficient pam_winbind.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session optional pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Now create a container directory for your domain accounts. By default this will exist in /home/DOMAIN. In our case the domain is WHO.COM, so we will create /home/WHO and chgrp to WHO\Domain Users. The permissions should be 770 so the windomain group can initially make the directories.
mkdir /home/WHO
chmod 770 /home/WHO
chgrp WHO\\Domain\ Users /home/WHO
ls -al /home/WHO
drwxrwx--- 3 root WHO\domain users 512 May 3 02:18 ./
drwxr-xr-x 8 root wheel 512 May 3 01:46 ../
Place whatever files (.cshrc, .bash_history, rc files, etc.) you want created upon login in /etc/skel. Now try logging in via ssh from another box:

Nice.
Coming soon: Notes/Comparisons for Solaris 9 x86 & AIX 5.x
Copyright (c) 2005 Michael Brown
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled "GNU
Free Documentation License".