Work in progress
This site is in the process of being reviewed and updated.
User and Group Mappings (IDMAP)
Users and groups in Windows use SIDs, while users and groups in UNIX/Linux use UID's and GID's. The purpose of Winbind is to convert between SID's, UID's, and GID's.
Winbind is configured with ranges of UID's and GID's. The first time a Windows user is resolved, a UID is allocated and the SID-UID mapping is stored. The same process applies for Windows groups. Eventually, Winbind will have all UID's and GID's mapped to SID's.
For locations with a single Samba server, the Winbind mappings can be stored in a local database. However, to ensure consistent UID/GID mappings across multiple Samba servers, you will need to store ID mappings in LDAP.
Configuring Kerberos
/etc/krb5.conf
dns_lookup_realm dns_lookup_kdc
Configuring the Name Service Switch
/etc/nsswitch.conf
passwd: files winbind group: files winbind shadow: files
In Fedora and CentOS Linux, service specific PAM configuration files will contain a "pam_stack.so service=system-auth" or similar entry, effectively centralizing PAM configuration to the "system-auth" file. Therefore, system-auth should be the only file modified to include the necessary Winbind entries.
auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth sufficient pam_krb5.so try_first_pass auth sufficient pam_winbind.so try_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 100 quiet account required pam_permit.so account sufficient pam_krb5.so account sufficient pam_winbind.so password requisite pam_cracklib.so retry=3 password sufficient pam_unix.so nullok use_authtok md5 shadow password sufficient pam_krb5.so use_authtok password sufficient pam_winbind.so use_authtok password required pam_deny.so session required pam_limits.so session required pam_unix.so session optional pam_mkhomedir.so skel=etc/skel/ umask=0022 session optional pam_krb5.so
use_first_pass
Uses the same password given to the first module configured for authentication in the pam.conf file. The module should not ask for the password if the user cannot be authenticated by the first password.
This option is used when the system administrator wants to enforce the same password across multiple modules.
try_first_pass
Same as the use_first_pass option, except that if the primary password is not valid, PAM will prompt for a password.
pam_mkhomedir.so
The "pam_mkhomedir.so" module will create a home directory for a user if one doesn't exist. The umask=0022 parameter causes the directory permission to be set to 755. You may strengthen or weaken permissions as needed. The home directory is constructed from the skeletal files in the /etc/skel directory.
Configuring OpenLDAP to support Winbind IDMAP
Installation of OpenLDAP is not covered in this document; please reference xxx. Once OpenLDAP is installed, configure "/etc/slapd/slapd.conf". To generate the "rootdn" password for OpenLDAP, use the "slappasswd" command to generate a password hash, then paste the hash into the "rootpw" value. Make sure the file is set to mode 700 for permissions.
/etc/openldap/slapd.conf
include /etc/openldap/schema/samba.schema index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq
Winbind IDMAP LDAP configuration
Add the following lines to a working "smb.conf" configuration file. See the note, below, if you are converting to LDAP from a local IDMAP database.
ldap admin dn = cn=Manager,dc=domain,dc=com ldap idmap suffix = ou=idmap ldap suffix = dc=domain,dc=com idmap backend = ldap:ldap://ldap.example.com
Once the above settings are present, type the following command at the shell prompt to register the password for the rootdn:
"smbpasswd -w passwd"
... where "passwd" matches the password set for the OpenLDAP rootdn account. The password will be stored in the Samba "secrets.tdb" database, which hashes the password and is only readable by the "root" account.
Once Winbind and the supporting components are configured, issue the following command at a shell (logged in as root) to finalize the Winbind setup. If you are converting from a local IDMAP database and the machine has already joined the domain, you do not need to perform this step.
"net ads join -U Administrator"
To validate that IDMAP entries are being entered correctly in the LDAP directory, connect with an LDAP administration tool to the OpenLDAP server. Expand the IDMAP container (ou=Idmap). There should be numerous entries like the example below:
objectClass: sambaIdmapEntry
sambaSidEntry
sambaSID: S-1-5-21-1957994488-2146356355-682003330-1427
uidNumber: 16777216
To configure Winbind to use LDAPS (SSL) for connections, add the following line to the "smb.conf" configuration file:
ldap ssl = on
Also change the 'idmap backend' value to include an "s" in the URL address as shown below:
idmap backend = ldap:ldaps://ldap.example.com
You may now start Winbind:
$ service winbind start
To validate that Winbind is correctly resolving groups from the domain, type "wbinfo -g" in a shell. This should list all the groups in the AD domain. To test that authentication is working, test logons through several different services including "ssh" and local login.
Once the configuration has been validated, add the Winbind daemon (winbind) to the appropriate Unix/Linux run-level.
Converting to LDAP from a local IDMAP database
If you are converting from a local IDMAP database to an LDAP-backed database, you will need to delete the winbind cache files and use 'getent' to trigger winbind to populate the LDAP directory:
$ rm -rf /var/cache/samba/winbindd_* $ getent passwd $ getent group
Please note that you will need to 'chown' any files and directories owned using the local database, since the population of the LDAP-backed IDMAP will result in newly mapped UID and GID values.