HOWTO (try to) setup a Samba PDC with a (local or) MySQL backend

Table Of Contents

About Purpose Prerequisites What to Do For Working without MySQL For Working with MySQL Making sure it all works Configure your Windows XP Machines to join the domain Problems Resources Used

About

Last Updated: September 10th, 2004 Written By: Chris Kelly

Purpose

The purpose of this project was to set up a Samba PDC with a MySQL backend so that users, groups, and passwords are stored in a centralized place so that they can be accessed by other applications. LDAP was another possible solution, but using MySQL with pam should be a lot simpler to set up. (no configuring of an LDAP server or domain required) The original design was to have a machine running Samba as the PDC, and have several Windows XP machines log onto this domain. A SnapServer was to be used for shared documents and would authenticate agains the domain to assign access rights to users. Eventually, a server at a different location running IIS would authenticate users over a VPN to this PDC, and ideally that capability would be added to the billing software that we use. You must have system administrator (root) access to the machine to set this up, and all of the commands and file edits need to be done while logged in as root or using sudo.(Quick HOWTO: Using Sudo)

Prerequisites

  • have MySQL installed and running (we used MySQL: Ver 12.22 Distrib 4.0.20, for pc-linux (i686))
  • have Samba installed (we used Samba Version 3.0.0-14.3E)
  • have PAM installed and configured, and have the pam_mysql module installed (we used Linux-PAM 0.74 and pam_mysql Version 0.5 20/11/2002)
Feel free to use this or link to it, but please don't copy it anywhere without asking me first. If you find it helpful, a link back to my site is always nice too. Corrections and updates are always welcome, just email them to ckdake at ckdake dot com.

What to Do

Before you touch it, backup your smb.conf file.
cp /etc/samba/smb.conf /etc/samba/smb.conf.backup
If you break something, you can run the following command later to get back to your original configuration:
cp /etc/samba/smb.conf.backup /etc/samba/smb.conf
Once you are all backed up, launch your favorite editor and edit /etc/samba/smb.conf
  • Pick a name for your domain:
    workgroup = MYDOMAIN
  • Make sure your auth type is set to "user" ("domain" is for machines that are part of a domain and use the PDC to authenticate, while the PDC uses "user" because it authenticates locally). Search for the line containing:
    security = USER
    If it is set to something else, change it to "USER"
  • Enable the netlogin share by uncommenting it. Look for
    ;[netlogin]
    Remove the ; from the beginning of this line and the lines that follow it.
  • "unix password sync" may seem like a good idea but do not turn this on, it causes problems when trying to change passwords. make sure that somewhere in your config file, either it is directly turned off:
    unix password sync = No
    or the entire section is commented out like:
    ;  unix password sync = Yes
    ;  passwd program = /usr/bin/passwd %u
    ;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *$
  • add the following inside of the [GLOBAL] section:
    domain user map = /etc/samba/domainuser.map
    domain group map = /etc/samba/domaingroup.map
    #add these only if using MySQL, comment out for localdb
    encrypt passwords = No
    update encrypted = No
    allow trusted domains = Yes
Add a file to map the UNIX users to the Domain users:
echo root="Administrator" >> /etc/samba/domainuser.map
Add a file to map the UNIX groups to the Domain groups:
echo wheel="Domain Admin" \
        users="Domain Users" >> /etc/samba/domaingroup.map

For Working without MySQL

To work without mysql, add user accounts and machine accounts as needed, the following is how a machine account should be created. Replace "myworkstation" with the windows name of your machines, and make sure to include the $ sign where it is included in the examples. Add this line to the end of your /etc/passwd file:
myworkstation$:x:5000:5000::/dev/null:/bin/false
Add this line to the end of your /etc/shadow file:
myworkstation$:*:9797:0::::: 
Add the following line to the end of your /etc/group file:
myworkstation::5000
Add user accounts (not machine accounts) to Samba's password db with smbpasswd. These users must have local user accounts already, and the passwords can either be the same or different. Replace "myuser" with the username.
smbpasswd -a myuser

To work with mysql

Before you touch it, backup you /etc/pam.d/samba file.
cp /etc/pam.d/samba /etc/pam.d/samba.backup
If you break something, you can run the following command later to get back to your original configuration:
cp /etc/pam.d/samba.backup /etc/pam.d/samba
Then, replace the contents of /etc/pam.d/samba with the following. Make sure to replace "MYUSER" and "MYPASS" with the username and password that you will be using to access the mysql database. "crypt=1" tells PAM to use the default MySQL ENCRYPTION() method for hashing passwords and "sqllog=0" tells PAM to log to the system log instead of trying to log access into the database.
#%PAM-1.0
auth     required    pam_mysql.so   user=MYUSER passwd=MYPASS
        db=authentication table=users usercolumn=login crypt=1 sqllog=0
account  required    pam_mysql.so   user=MYUSER passwd=MYPASS
        db=authentication table=users usercolumn=login crypt=1 sqllog=0
password required    pam_mysql.so   user=MYUSER passwd=MYPASS
        db=authentication table=users usercolumn=login crypt=1 sqllog=0
session  required    pam_mysql.so   user=MYUSER passwd=MYPASS
        db=authentication table=users usercolumn=login crypt=1 sqllog=0
create a mysql db "authentication" and grant all privelages on it to MYUSER with the password MYPASSWORD.
CREATE database authentication;
GRANT ALL ON authentication.* to 'MYUSER'@localhost IDENTIFIED BY 'MYPASSWORD'; 
then run the following SQL commands:
USE authentication;
CREATE TABLE users (
  uid int(6) NOT NULL auto_increment,
  gid int(6) DEFAULT '0' NOT NULL,
  last_name varchar(80) NOT NULL,
  first_name varchar(80) NOT NULL,
  login varchar(16) NOT NULL,
  date datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
  password varchar(16) NOT NULL,
  PRIMARY KEY (uid),
  KEY uid (uid),
  UNIQUE uid_2 (uid)
);
Then run this command as many times as needed to add each of your users to the database. Replace "mylastname, myfirstname, myusername, mypassword" with the appropriate information for each user.
 INSERT INTO users VALUES('','','mylastname','myfirstname','myusername',NOW(),ENCRYPT('mypassword'));
Machine accounts also need to be inserted with a username "mymachinename$", but this is where I ran into problems, more on this at the end. This is a password change script to let you easily change passwords for users in the database. I put it in /root/chgpasswd.sh, but you can put it whereever you like.
#!/bin/bash
#prompts for the name of the user to change the password of
read -ep "username: " USER
stty_orig=`stty -g`
stty -echo
#prompts for the root password for the mysql database
read -ep "admin password: " ADMIN
echo "";
#prompts for the new password for the user
read -ep "new password: " PASS
echo "";
#prompts to verify the new password for the user
read -ep "verify: " PASS2
stty $stty_orig

#if the passwords match, update the password
if [ $PASS == $PASS2 ]; then
mysql -uroot -p$ADMIN -e"update authentication.users 
        set password=ENCRYPT('$PASS') where login='$USER'";
echo "Success!";
else 
   echo "Sorry! Passwords do not match";
fi 
Then set the script to be executable and try it out, if you saved it in the same place as me:
chmod +x /root/chgpasswd.sh
/root/chgpasswd.sh

Making sure it all works

Start up Samba on your machine and give it a try. It should start up successfully and you should be able to browse the serivce. The more common ways to start a service are:
/etc/init.d/smb start
or:
/etc/init.d/samba start
But if neither of these work for you, consult your operating system documentation for instructions. To see if its working, try out:
smbclient -L localhost -U myusername
(replace myusername with a user that has permissions to access the Samba shares and type in the password when prompted). This should list the shares available on the local machine.

Configure your Windows XP Machines to join the domain

On your Windows machine, make the following changes to your registry and reboot:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000
Reboot the windows machine, Log in as "Administrator" and join the domain as using root as the username and your root password. Reboot again, and log on to the domain with any other username and password that you added to your database.

Problems

Using the local authentication files, everything works properly and machines are able to join the domain. When using mysql, I think the problem is that Samba isn't reading the machine accounts from mysql. When trying to use mysql, windows clients say "Account not authorized to log in from this station" when trying to browse the Domain or access a share.

Resources Used

comments powered by Disqus