Integrating Samba with IBM Security Directory Server

Unified login across operating systems for accessing file share

IBM Security Directory Server can provide a unified login or single-user login for Linux® and Windows® clients and transparently provide access to a user's home directory through file sharing.

Prabir Meher (prabirmeher@in.ibm.com), Software Engineer, IBM India Private Ltd.

Prabir Meher is a software engineer working as a part of IBM Security Systems at IBM Software Labs, India. He works as an IBM Security Directory Server L2 engineer. Previously, he worked on designing and implementing Linux clusters and Infiniband.



18 March 2014

Also available in Russian

In today's world, most organizations have a heterogeneous environment that is a mixture of UNIX® and Windows platforms. This article will help such organizations by giving them the ability to integrate Samba with IBM Security Directory Server so that, using single-user login, they can access a file share from a Windows machine.

Imagine a scenario where you have saved a file on a Linux system. Later, you want to access that file from a Windows machine for a specific task. Previously, you may have had to use an external storage device between the Windows machine and the Linux system. With a setup such as the one I discuss in this article, all you have to do is log in to the Windows machine and the file you created on the Linux system will automatically be available to you.

The purpose of this article is to demonstrate the use of IBM Security Directory Server, formerly known as IBM Tivoli® Directory Server, as a core directory server for heterogeneous environments by integrating with Samba. With single-user login, a mechanism that allows users to log in to any machine with a single user's identity regardless of the OS, users can authenticate and access their accounts as well as home directory contents across platforms. By integrating IBM Security Directory Server with Samba, an organization can create a single home directory for each end user, and each end user will have access to that home directory regardless of the machine he is logged in to.

Environment setup

The example described here is based on the following setup:

  • A single machine having a private IP address of 192.168.150.161 and the hostname ldaphost1.
  • Red Hat Enterprise Linux Server release 6.3 is installed on the system ldaphost1.
  • The kernel bit mode is 64.
  • Both IBM Security Directory Server 6.3 and Samba are installed on ldaphost1.
  • The following entry must exist in the /etc/hosts file on the ldaphost1 system: 192.168.150.161 ldaphost1.

This article assumes you have already installed the IBM Security Directory Server on your system. It, therefore, does not cover the installation of IBM Security Directory Server (see Resources for the installation guide). I will go through the commands to create the IBM Security Directory Server instance.


About Samba

Samba is a suite of UNIX applications that enables UNIX-type operating systems to communicate with the Windows OS. Samba enables the Server Message Block (SMB) protocol for operating systems in the UNIX family. This, in turn, enables Windows to perform client-server networking and file and printer sharing.

We will be using the following features of Samba in the example:

  • File sharing (single or multiple directories)
  • Facilitating clients to browse the network
  • Authenticating clients

Install Samba

To install Samba on Linux, make sure you have a working yum repository, then execute the following command:
# yum install samba

Check the status of the Samba service with the following command:
# service smb status

Get the Samba schema files

To get the schema files from the Samba package, execute the following command, which will tell you the location of the files:
# rpm -ql samba | grep -i ibm

Here is a sample output from the above command:

/usr/share/doc/samba-3.5.10/LDAP/samba-schema.IBMSecureWay
/usr/share/doc/samba-3.5.10/LDAP/samba.schema.at.IBM-DS
/usr/share/doc/samba-3.5.10/LDAP/samba.schema.oc.IBM-DS

Copy the files indicated in the last two lines of the output (in this case, samba.schema.at.IBM-DS and samba.schema.oc.IBM-DS) to the schema directory of your IBM Security Directory Server instance. Then update the directory configuration to reflect the changes using the steps given in the following sections.


Setting up the IBM Security Directory Server instance

The IBM Security Directory Server instance will act as a directory server and will serve the client requests. You can create multiple IBM Security Directory Server instances on a single machine.

A directory server instance comprises all of the nonexecutable files required for a directory server and its corresponding administration daemon to run on a machine. These files include the ibmslapd.conf file, the schema files, the stash files, and the log files of the directory server instance. Each server instance and its corresponding administration daemon listen on a unique port with the same IP address on a system.

To create an IBM Security Directory Server instance, do the following.

Step 1. Create a new user

This is a normal system user, which will be the owner of the IBM Security Directory Server instance and will contain all the data for the instance. For each new instance, you need to create a new user, which must belong to the group idsldap. For example:
# idsadduser -u dsrdbm01 -w dsrdbm01 -l /home/dsrdbm01 -g idsldap -n

Step 2. Syntax

idsadduser -u <USERNAME> -w <USER_PASSWD> -l <HOMEDIR> -g <GROUPNAME> -n

Step 3. Create an IBM Security Directory Server instance

In this example, you will create a new IBM Security Directory Server instance that has the following characteristics:

  • The instance name is dsrdbm01.
  • It has an encryption seed abc0123456789.
  • It has a randomly generated salt, which can be obtained with the ldapsearch command on the DN "cn=crypto,cn=localhost" using base scope.
  • It is associated with a DB2® instance with the name dsrdbm01.

To create this instance, issue the following command:
# idsicrt -I dsrdbm01 -e abc0123456789 -l /home/dsrdbm01 -n

This command uses a syntax of the form:
idsicrt -I <INSTANCE_NAME> -e <ENCRYPTION_SEED> -l <HOMEDIR> -n

If the directory server instance already exists, the command above will fail. If you do not specify the encryption salt, the command will randomly generate one. If you do not specify the encryption seed, you will be prompted for the seed.

Note: The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be a minimum of 12 and a maximum of 1,016 characters in length. If you choose to specify the salt manually, then the encryption salt must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be exactly 12 characters in length.

Step 4. Configure database for the IBM Security Directory Server instance

For an IBM Security Directory Server instance to function as a full directory server, you need to configure a back-end DB2 database, which in turn will store all the data of your LDAP directory. When you configure the database, information about the database is added to the ibmslapd.conf configuration file for the IBM Security Directory Server instance. If the database does not exist, the database is created.

Syntax

idscfgdb -I <INSTANCE_NAME> -a <DB_ADMIN> -w <DB_PASSWD> -t <DB_NAME> -l <HOMEDIR> -n

Consider the following command:
# idscfgdb -I dsrdbm01 -a dsrdbm01 -w dsrdbm01 -t dsrdbm01 -l /home/dsrdbm01 -n

This command configures a database called dsrdbm01 for directory server instance dsrdbm01 in /home/dsrdbm01 with a DB2 database administrator ID of dsrdbm01 whose password is dsrdbm01.

Step 5. Configure admin DN and password

The admin Distinguished Name (DN) is the DN used by the administrator of the directory server instance. This administrator is the user who has full access to all data in the directory.

Syntax

idsdnpw -u <adminDN> -p <adminPW> -I <INSTANCE_NAME> -n

For example, to set the administrator DN to cn=root and the password to root on a system for directory server instance dsrdbm01, you would issue the following command:
# idsdnpw -u "cn=root" -p root -I dsrdbm01 -n

Step 6. Configure a suffix to hold your data

A suffix is a distinguished name (DN) that identifies the top entry in a locally held directory hierarchy. Due to the relative naming scheme used in LDAP, this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy. A suffix is also known as a naming context.

Syntax

idscfgsuf -s "<SUFFIX>" -I <INSTANCE_NAME> -n

For example, to configure a suffix o=ibm,c=in for the instance dsrdbm01, enter:
# idscfgsuf -s "o=ibm,c=in" -I dsrdbm01 -n

After you have executed the above steps, you will have a working IBM Security Directory Server instance. Now you are ready to start the IBM Security Directory Server instance.
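The following script is an added example, not part of the article or of IBM's tooling. It chains Steps 1 to 6 with the article's values and, before calling idsicrt, validates the encryption seed against the rules given in the note above (12 to 1,016 characters, all printable ASCII 33 to 126), so a rejected seed is caught before the instance owner has been created. The idsilist check that skips an already existing instance assumes the "Name:" line format shown in Listing 1 later in the article.

```sh
#!/bin/sh
# Added example (not from the article): create an ISDS instance end to end,
# validating the encryption seed first. Values are the article's; adjust them.
set -eu

# Return 0 if SEED is 12..1016 bytes long and every byte is printable ASCII
# in the range 33..126 (no spaces, no control characters).
validate_seed() {
  seed="$1"
  len=$(printf '%s' "$seed" | wc -c | tr -d ' ')
  [ "$len" -ge 12 ] && [ "$len" -le 1016 ] || return 1
  # Delete every allowed byte; anything left over is a forbidden character.
  rest=$(printf '%s' "$seed" | LC_ALL=C tr -d '!-~')
  [ -z "$rest" ]
}

# Steps 1 to 6 of the article in one function.
# $1 instance, $2 seed, $3 home dir, $4 admin DN, $5 admin password, $6 suffix
create_instance() {
  inst="$1"; seed="$2"; home="$3"; admin_dn="$4"; admin_pw="$5"; suffix="$6"
  validate_seed "$seed" || { echo "encryption seed rejected" >&2; return 1; }
  # idsicrt fails if the instance already exists, so look it up first
  # (assumes idsilist prints "Name: <instance>" as in Listing 1).
  if idsilist -a 2>/dev/null | grep -q "Name: *$inst\$"; then
    echo "instance $inst already exists, skipping user and instance creation" >&2
  else
    idsadduser -u "$inst" -w "$inst" -l "$home" -g idsldap -n   # Step 1
    idsicrt -I "$inst" -e "$seed" -l "$home" -n                  # Step 3
  fi
  idscfgdb -I "$inst" -a "$inst" -w "$inst" -t "$inst" -l "$home" -n   # Step 4
  idsdnpw -u "$admin_dn" -p "$admin_pw" -I "$inst" -n                  # Step 5
  idscfgsuf -s "$suffix" -I "$inst" -n                                 # Step 6
}

# Run only when invoked as "sh create-instance.sh run".
if [ "${1:-}" = "run" ]; then
  create_instance dsrdbm01 abc0123456789 /home/dsrdbm01 cn=root root "o=ibm,c=in"
fi
```

The seed check is the part worth keeping even if you type the commands by hand: a seed with a space or a non-ASCII character is not obvious on screen, and the article's own seed abc0123456789 passes it.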

Step 7. Start IBM Security Directory Server instance

Execute the following command to start your IBM Security Directory Server instance:
# ibmslapd -I dsrdbm01 -n

Syntax

ibmslapd -I <INSTANCE_NAME> -n

Stop IBM Security Directory Server instance

To stop the IBM Security Directory Server instance, execute the following command:
# ibmslapd -I dsrdbm01 -k

Syntax

ibmslapd -I <instance_name> -k

Step 8. Update IBM Security Directory Server instance to reflect the Samba schema

  1. Find out your instance home directory with the following command:
    # idsilist -a

    Listing 1. Sample output
    Directory server instance(s):
    --------------------------------------
    Instance 1:
    
    Name: dsrdbm01
    Version: 6.3
    Location: /home/dsrdbm01
    Description: IBM Tivoli Directory Server Instance V6.3
    IP Addresses: All available
    Port: 389
    Secure Port: 636
    Admin Server Port: 3538
    Admin Server Secure Port: 3539
    Type: Directory Server
  2. Copy the two Samba schema files mentioned in "Get the Samba schema files" into the directory instance's schema directory.
    # cp /usr/share/doc/samba-3.5.10/LDAP/samba.schema.at.IBM-DS /home/dsrdbm01/idsslapd-dsrdbm01/etc/V3.samba.at
    # cp /usr/share/doc/samba-3.5.10/LDAP/samba.schema.oc.IBM-DS /home/dsrdbm01/idsslapd-dsrdbm01/etc/V3.samba.oc
  3. Now create an LDIF file (samba.ldif) that registers the two copied schema files with your IBM Security Directory Server instance:
    dn: cn=IBM Directory,cn=Schemas,cn=Configuration
    changetype: modify
    add: ibm-slapdIncludeSchema
    ibm-slapdIncludeSchema: /home/dsrdbm01/idsslapd-dsrdbm01/etc/V3.samba.at
    -
    add: ibm-slapdIncludeSchema
    ibm-slapdIncludeSchema: /home/dsrdbm01/idsslapd-dsrdbm01/etc/V3.samba.oc
  4. Execute an idsldapmodify command with the samba.ldif file to update your IBM Security Directory Server instance with the Samba schema:
    # idsldapmodify -D cn=root -w root -i samba.ldif
    Listing 2. Sample output
    Operation 0 modifying entry cn=IBM Directory,cn=Schemas,cn=Configuration
  5. Restart the IBM Security Directory Server to reflect the changes:
    # ibmslapd -I dsrdbm01 -k && ibmslapd -I dsrdbm01 -n
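As an added example (not the article's or IBM's code), the script below performs Step 8 as one operation: it reads the instance location from idsilist output, copies the two schema files, builds and applies the LDIF shown above, restarts the server, and then confirms that the sambaSamAccount object class is actually loaded by querying the cn=schema entry. The sample_idsilist function is constructed output modelled on Listing 1 so that the parsing can be exercised offline; the schema search assumes the server answers a base-scope search on cn=schema with its objectClasses attribute.

```sh
#!/bin/sh
# Added example (not from the article): install the Samba schema into an ISDS
# instance and verify the result.
set -eu

# Constructed idsilist output (modelled on Listing 1), used for offline testing.
sample_idsilist() {
  cat <<'EOF'
Directory server instance(s):
--------------------------------------
Instance 1:

Name: dsrdbm01
Version: 6.3
Location: /home/dsrdbm01
Description: IBM Tivoli Directory Server Instance V6.3
Port: 389
EOF
}

# Print the Location: of instance $1 from idsilist output on stdin.
instance_location() {
  awk -v i="$1" '$1 == "Name:" && $2 == i { f = 1 }
                 f && $1 == "Location:" { print $2; exit }'
}

# Schema directory of an instance: <location>/idsslapd-<instance>/etc
instance_etc_dir() {
  printf '%s/idsslapd-%s/etc\n' "$2" "$1"
}

# Print the LDIF that adds both schema files to the server configuration.
# The attribute-type file (V3.samba.at) must come before the object-class
# file (V3.samba.oc), because the object classes reference those attributes.
samba_schema_ldif() {
  etc_dir="$1"
  printf '%s\n' \
    'dn: cn=IBM Directory,cn=Schemas,cn=Configuration' \
    'changetype: modify' \
    'add: ibm-slapdIncludeSchema' \
    "ibm-slapdIncludeSchema: $etc_dir/V3.samba.at" \
    '-' \
    'add: ibm-slapdIncludeSchema' \
    "ibm-slapdIncludeSchema: $etc_dir/V3.samba.oc"
}

# Copy the schema files, apply the LDIF, restart, and check the schema.
# $1 instance, $2 admin DN, $3 admin password
install_samba_schema() {
  inst="$1"; admin_dn="$2"; admin_pw="$3"
  loc=$(idsilist -a | instance_location "$inst")
  [ -n "$loc" ] || { echo "instance $inst not found" >&2; return 1; }
  etc_dir=$(instance_etc_dir "$inst" "$loc")
  docdir=$(dirname "$(rpm -ql samba | grep -i 'samba.schema.at.IBM-DS' | head -n 1)")
  cp "$docdir/samba.schema.at.IBM-DS" "$etc_dir/V3.samba.at"
  cp "$docdir/samba.schema.oc.IBM-DS" "$etc_dir/V3.samba.oc"
  ldif=$(mktemp)
  samba_schema_ldif "$etc_dir" > "$ldif"
  idsldapmodify -D "$admin_dn" -w "$admin_pw" -i "$ldif"
  rm -f "$ldif"
  ibmslapd -I "$inst" -k && ibmslapd -I "$inst" -n
  # Verification: the loaded schema must now contain sambaSamAccount.
  idsldapsearch -D "$admin_dn" -w "$admin_pw" -b cn=schema -s base \
    'objectclass=*' objectClasses | grep -qi sambaSamAccount
}

if [ "${1:-}" = "run" ]; then
  install_samba_schema dsrdbm01 cn=root root && echo "Samba schema loaded"
fi
```

The final search is the check worth adding to the manual procedure: a typo in one of the include paths makes the server log an error at startup but does not stop it, so a missing object class would otherwise only surface later when smbldap-populate fails.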

Now that you have updated your IBM Security Directory Server instance with the Samba schema, it's time to configure Samba to communicate with the ISDS instance. To integrate Samba with IBM Security Directory Server, we will use a tool called smbldap-tools, which provides a set of Perl scripts for easier administration of the common users between Samba and LDAP. We will further discuss smbldap-tools in the next section.


About smbldap-tools

smbldap-tools is a package that contains some useful scripts for administrators to manage users and groups when using IBM Security Directory Server in a mixed environment of UNIX and Windows.

Install smbldap-tools

See Resources for a link to download the smbldap-tools package.

The recommended way to install smbldap-tools is to use yum, which will install all the required Perl dependencies packages to run the Perl scripts provided in the smbldap-tools package. See Resources for a link to the EPEL yum repository package. After downloading it:

  1. Install the package:
    # rpm -ivh epel-release-6-8.noarch.rpm
  2. Install smbldap-tools:
    # yum install smbldap-tools --enablerepo=epel

Samba configuration

This section describes the configuration steps for Samba to act as a server. This is a one-time configuration and is not required on the client machine. Any Windows machine that needs to authenticate through this Samba server merely has to join the domain named by the "workgroup" option in the smb.conf file.

After you have completed the steps in "Install smbldap-tools," locate the Samba configuration file smb.conf provided by smbldap-tools that is required for the Samba-LDAP integration. Type the following commands to locate the file smb.conf:
# updatedb
# locate smb.conf

Listing 3. Sample output
/etc/samba/smb.conf
/usr/share/doc/smbldap-tools-0.9.8/smb.conf.example
/usr/share/man/man5/smb.conf.5.gz

Back up the original Samba configuration file and copy the smb.conf.example file:

# mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
# cp /usr/share/doc/smbldap-tools-0.9.8/smb.conf.example /etc/samba/smb.conf

You need to modify the new smb.conf file according to your own environment. We will use the sample Samba configuration file below in this example.

Samba configuration file

The Samba daemon is controlled through a single ASCII file smb.conf that can contain a large set of unique options (also called parameters). Some of these options might be used by you regularly, and some might not be used at all, depending on how much functionality you want your Samba installation to offer to the clients.

The Samba configuration file called smb.conf by default uses the same format as Windows .ini files. If you have ever worked with an .ini file, you will find smb.conf easy to create and modify.

A sample Samba configuration file smb.conf on the Samba server used for this setup is described in the following section. If you want to use this configuration file for your setup, you might need to customize it according to your own requirements. See Resources for a discussion of all the possible configuration options or parameters for Samba.

Listing 4. Sample configuration file
[global]
netbios name = PDC-SRV
workgroup = SMBTDS
security = user
passdb backend = ldapsam:ldap://192.168.150.161/
ldap admin dn = cn=root
ldap suffix = o=ibm,c=in
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

log file = /var/log/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

os level = 33
domain logons = yes
domain master = yes
local master = yes
preferred master = yes

wins support = yes

logon home = \\%L\%u\.win_profile\%m
logon path = \\%L\profiles\%m\%U
logon drive = H:

winbind use default domain = no
ldap ssl = no
add machine script = /usr/sbin/smbldap-useradd -W -g "Domain Computers" %u
Dos charset = 850
Unix charset = ISO8859-1

[netlogon]
path = /var/lib/samba/netlogon
read only = yes
browsable = no

[profiles]
path = /var/lib/samba/profiles
browsable = no
writable = yes
read only = no
create mask = 0600
directory mask = 0700
profile acls = yes
csc policy = disable
store dos attributes = Yes

[homes]
browsable = no
writable = yes
guest ok = no
map archive = yes

Test Samba configuration file syntax

To test the syntax of the smb.conf configuration file, enter:
# testparm

testparm is a simple test program to check the file for internal correctness. If this program reports no problems, you can be sure that the Samba daemon (smbd) will load the configuration file successfully.

Listing 5. Sample output
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
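testparm checks that smb.conf parses, not that its LDAP settings agree with the directory instance you built earlier. The script below is an added example, not code from the article, Samba or smbldap-tools: it contains a small reader for [global] parameters (Samba matches parameter names case-insensitively and ignores spaces, and the reader does the same), a check that ldap suffix, ldap admin dn and passdb backend match the instance, and a check on whether the bind made with the ldap admin dn is encrypted. The sample file written by write_sample_conf is constructed from the LDAP-related lines of Listing 4.

```sh
#!/bin/sh
# Added example (not from the article): read smb.conf [global] parameters and
# check them against the ISDS instance values.
set -eu

# Write a constructed smb.conf (LDAP-related lines of Listing 4) to file $1.
write_sample_conf() {
  cat > "$1" <<'EOF'
[global]
netbios name = PDC-SRV
workgroup = SMBTDS
security = user
passdb backend = ldapsam:ldap://192.168.150.161/
ldap admin dn = cn=root
ldap suffix = o=ibm,c=in
ldap user suffix = ou=Users
ldap ssl = no

[homes]
browsable = no
EOF
}

# Print the value of parameter $2 in the [global] section of file $1.
smb_global_param() {
  awk -v want="$2" '
    BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
    /^[ \t]*[;#]/ { next }                                   # comment line
    /^[ \t]*\[/   { s = $0; gsub(/\[|]|[ \t]/, "", s); sect = tolower(s); next }
    sect == "global" && index($0, "=") > 0 {
      eq  = index($0, "=")
      key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
      val = substr($0, eq + 1);    sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      if (tolower(key) == want) { print val; exit }
    }' "$1"
}

# Return 0 if the LDAP parameters in $1 match suffix $2 and admin DN $3.
check_ldap_consistency() {
  conf="$1"; suffix="$2"; admin_dn="$3"; rc=0
  [ "$(smb_global_param "$conf" 'ldap suffix')" = "$suffix" ] \
    || { echo "ldap suffix does not match $suffix" >&2; rc=1; }
  [ "$(smb_global_param "$conf" 'ldap admin dn')" = "$admin_dn" ] \
    || { echo "ldap admin dn does not match $admin_dn" >&2; rc=1; }
  case "$(smb_global_param "$conf" 'passdb backend')" in
    ldapsam:ldap://*|ldapsam:ldaps://*) ;;
    *) echo "passdb backend is not an ldapsam backend" >&2; rc=1 ;;
  esac
  return $rc
}

# Return 0 only if the bind to the directory is encrypted: an ldaps:// URL in
# passdb backend, or "ldap ssl = start tls". With "ldap ssl = no" (Listing 4)
# the admin DN password stored by smbpasswd -W is sent in the clear on every
# bind, which is acceptable only while the directory is on the same host.
ldap_bind_is_protected() {
  conf="$1"
  case "$(smb_global_param "$conf" 'passdb backend')" in
    ldapsam:ldaps://*) return 0 ;;
  esac
  ssl=$(smb_global_param "$conf" 'ldap ssl' | tr 'A-Z' 'a-z')
  [ "$ssl" = "start tls" ] || [ "$ssl" = "start_tls" ]
}

if [ "${1:-}" = "check" ]; then
  check_ldap_consistency /etc/samba/smb.conf "o=ibm,c=in" cn=root && echo "LDAP settings consistent"
  ldap_bind_is_protected /etc/samba/smb.conf || echo "warning: LDAP bind is unencrypted" >&2
fi
```

Run it as sh smbconf-check.sh check after editing smb.conf; a suffix mismatch here is the usual reason smbldap-populate later reports that the base entry does not exist.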

You now need to create the directories referenced in the Samba configuration file.

Set up netlogon and profiles directories

In the Samba configuration file section, we defined two paths: netlogon and profiles. If these two directories do not exist, you will have to create them.

Netlogon: Logon scripts are DOS batch files that the client downloads and runs during the login process. Logon scripts are placed in the NETLOGON share.

Profiles: A profile is a collection of environment information, including the contents of the Start menu, the icons that appear on the desktop, and other characteristics of the GUI environment that end users are allowed to customize. A roaming profile (also called a roving profile or profile serving) can follow its owner from computer to computer. The Samba server is capable of supporting roaming profiles, so the user can sign on from various computers and always get the same desktop and profile settings.

Create the two folders (netlogon and profiles) in the /var/lib/samba directory.

  1. Change the directory to /var/lib/samba
    # cd /var/lib/samba/
  2. Create directory netlogon
    # mkdir netlogon
  3. Create directory profiles
    # mkdir profiles
  4. Confirm that the directories netlogon and profiles were created successfully
    # ls
    netlogon private profiles scripts
  5. Give the profiles directory world-write permissions with sticky bit enabled:
    # chmod 1777 profiles

Start Samba services

Now start the Samba server:

# service smb start
Starting SMB services:                                     [  OK  ]
# service nmb start
Starting NMB services:                                     [  OK  ]

Set up IBM Security Directory Server admin DN for Samba

Samba must know the admin bind DN of the IBM Security Directory Server server to make the necessary add or modify operations. You can also use any other DN instead of the admin DN, but you need to have sufficient permission for the user.

# smbpasswd -W
Setting stored password for "cn=root" in secrets.tdb
New SMB password:            <Enter the password of DN "cn=root">
Retype new SMB password:     <Re-type the password>

The above command stores the password of the IBM Security Directory Server admin DN cn=root in a database file called secrets.tdb at the location /var/lib/samba/private. This is a binary TDB database, not a text file, so viewing it with the cat command displays unreadable characters.

To find out the filetype of secrets.tdb, execute the following command:

# file /var/lib/samba/private/secrets.tdb
/var/lib/samba/private/secrets.tdb: TDB database version 6, little-endian hash size 131 bytes.

smbclient

Make sure you can access your Samba server.

# smbclient -L ldaphost1 -N
Anonymous login successful
Domain=[SMBTDS] OS=[Unix] Server=[Samba 3.5.10-125.el6]

      Sharename       Type      Comment
      ---------       ----      -------
      IPC$            IPC       IPC Service (Samba 3.5.10-125.el6)
Anonymous login successful
Domain=[SMBTDS] OS=[Unix] Server=[Samba 3.5.10-125.el6]

      Server               Comment
      ---------            -------
      PDC-SRV              Samba 3.5.10-125.el6

      Workgroup            Master
      ---------            -------
      SMBTDS               PDC-SRV

The smbclient command should give you the results as shown above.

Configure smbldap-tools

As we have discussed, smbldap-tools provides a useful set of tools to manage LDAP and Samba users. Since the Perl scripts provided by smbldap-tools are a generic package that can work with almost all LDAP servers, it is the administrator's job to make the scripts aware of the back-end IBM Security Directory Server/LDAP and Samba server. For this, you need to configure two files:

  • smbldap.conf — This contains all global values for the Samba server as well as for the IBM Security Directory Server server.
  • smbldap_bind.conf — This contains only the admin bind DN for IBM Security Directory Server.

To configure the above two files, smbldap-tools provides an interactive Perl configuration script, smbldap-config.pl. Execute this script and follow the instructions that will be displayed.

Listing 6. Generate smbldap.conf
[root@ldaphost1 ~]# perl /usr/share/doc/smbldap-tools-0.9.8/smbldap-config.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba acts as a PDC for
  workgroup name [SMBTDS] >
. netbios name: netbios name of the samba controller
  netbios name [PDC-SRV] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [] > H:
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\PDC-SRV\%U'
  logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] >
. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
  logon path (press the "." character if you don't want roaming profiles) [\\PDC-SRV\profiles\%U] >
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [] >
  default password validation time (time in days) [45] >
. ldap suffix [o=ibm,c=in] >
. ldap group suffix [ou=Groups] >
. ldap user suffix [ou=Users] >
. ldap machine suffix [ou=Computers] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
  and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=SMBTDS] >
. ldap master server: IP address or DNS name of the master (writable) ldap server
  ldap master server [192.168.150.161] >
. ldap master port [389] >
. ldap master bind dn [cn=root] >
. ldap master bind password [] >
. ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
  ldap slave server [192.168.150.161] >
. ldap slave port [389] >
. ldap slave bind dn [cn=root] >
. ldap slave bind password [] >
. ldap tls support (1/0) [0] >
. SID for domain SMBTDS: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
  SID for domain SMBTDS [S-1-5-21-233278410-2575954275-693856369] >
. unix password encryption: encryption used for unix passwords
  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail address [] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.
[root@ldaphost1 ~]#

Note: If you do not have a master and slave server setup, you need to put the master bind DN and master bind password in place of the slave bind DN and the slave bind password. Most of the values will be auto-pulled by the smbldap-config.pl script. Reconfirm the values and accept them within the square brackets by pressing Enter.


Initialize ISDS for Samba

You need to populate your IBM Security Directory Server database with some initial values that contain the basic information about your Samba PDC and your IBM Security Directory Server structure.

A Windows domain is a network of logically grouped computers that use Windows. A server computer in a Windows domain can be assigned the role of primary domain controller (PDC). Here we will emulate this feature using Samba as a PDC.

Listing 7. Adding necessary users, groups, and containers to IBM Security Directory Server
[root@ldaphost1 ~]# smbldap-populate
Populating LDAP directory for domain SMBTDS (S-1-5-21-233278410-2575954275-693856369)
(using builtin directory structure)

entry o=ibm,c=in already exist.
adding new entry: ou=Users,o=ibm,c=in
adding new entry: ou=Groups,o=ibm,c=in
adding new entry: ou=Computers,o=ibm,c=in
adding new entry: ou=Idmap,o=ibm,c=in
entry sambaDomainName=SMBTDS,o=ibm,c=in already exist. Updating it...
adding new entry: uid=root,ou=Users,o=ibm,c=in
adding new entry: uid=nobody,ou=Users,o=ibm,c=in
adding new entry: cn=Domain Admins,ou=Groups,o=ibm,c=in
adding new entry: cn=Domain Users,ou=Groups,o=ibm,c=in
adding new entry: cn=Domain Guests,ou=Groups,o=ibm,c=in
adding new entry: cn=Domain Computers,ou=Groups,o=ibm,c=in
adding new entry: cn=Administrators,ou=Groups,o=ibm,c=in
adding new entry: cn=Account Operators,ou=Groups,o=ibm,c=in
adding new entry: cn=Print Operators,ou=Groups,o=ibm,c=in
adding new entry: cn=Backup Operators,ou=Groups,o=ibm,c=in
adding new entry: cn=Replicators,ou=Groups,o=ibm,c=in

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:		<set root password>
Retype new password:

Create common users for your Linux and Windows platforms

Open a root terminal and create a user using the command below. This user will be able to log in to the Windows or Linux machine using the same user ID and password.

smbldap-tools provides a script for creating a user:

# smbldap-useradd -am winlinuser
# smbldap-passwd winlinuser
Changing UNIX and samba passwords for winlinuser
New password:
Retype new password:

If the above command completes successfully, you will have a normal end user named winlinuser on your system. Now you need to check whether this user is able to log in to any Linux machine that is a client of the IBM Security Directory Server server and to any Windows machine that has joined the Samba domain SMBTDS as defined in the smb.conf file. The next section describes how to test your user.

Test your user

From a Linux machine, open a terminal and try to log in as winlinuser on the IBM Security Directory Server server or on any Linux machine that is a client of the IBM Security Directory Server server.

In the example below, we are using SSH to log in as winlinuser on the same host ldaphost1, which is also an IBM Security Directory Server client to itself for LDAP user authentication.

[root@ldaphost1 ~]# ssh winlinuser@ldaphost1
The authenticity of host 'ldaphost1 (192.168.150.161)' can't be established.
RSA key fingerprint is ab:20:99:59:74:25:dc:96:20:47:e5:ae:7e:9c:a5:90.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ldaphost1,192.168.150.161' (RSA) to the list of known hosts.
winlinuser@ldaphost1's password:
[winlinuser@ldaphost1 ~]$ id
uid=1016(winlinuser) gid=513 groups=513

As you can see, the Linux login is successful. Now try to log in from the same Linux machine using smbclient as the Windows login.

[winlinuser@ldaphost1 ~]$ smbclient -L ldaphost1 -U winlinuser
Enter winlinuser's password:
Domain=[SMBTDS] OS=[Unix] Server=[Samba 3.5.10-125.el6]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 3.5.10-125.el6)
        winlinuser      Disk      Home directory of winlinuser
Domain=[SMBTDS] OS=[Unix] Server=[Samba 3.5.10-125.el6]

        Server               Comment
        ---------            -------
        PDC-SRV              Samba 3.5.10-125.el6

        Workgroup            Master
        ---------            -------
        SMBTDS               PDC-SRV

The above login was also successful, which means that you can log in from any Windows computer using this username.
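Both logins above succeed because the single directory entry for winlinuser carries the POSIX attributes that Linux reads (posixAccount, uidNumber, gidNumber, homeDirectory) and the Samba attributes that smbd reads (sambaSamAccount, sambaSID, sambaPrimaryGroupSID). As an added example that is not part of the article, the script below checks an entry for exactly that, which is the first thing to look at when one side of the login works and the other does not. The entry returned by sample_entry is constructed to resemble what smbldap-useradd creates for winlinuser; its values are illustrative except for the domain SID, which is the one shown in Listing 6 and Listing 7. fetch_entry is the live counterpart and assumes idsldapsearch returns the entry in LDIF form.

```sh
#!/bin/sh
# Added example (not from the article): verify that a directory entry is usable
# for both Linux (POSIX) and Windows (Samba) logins.
set -eu

DOMAIN_SID='S-1-5-21-233278410-2575954275-693856369'   # from Listing 6 / Listing 7

# Constructed sample entry for winlinuser (values illustrative).
sample_entry() {
  cat <<'EOF'
dn: uid=winlinuser,ou=Users,o=ibm,c=in
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
uid: winlinuser
uidNumber: 1016
gidNumber: 513
homeDirectory: /home/winlinuser
sambaSID: S-1-5-21-233278410-2575954275-693856369-3032
sambaPrimaryGroupSID: S-1-5-21-233278410-2575954275-693856369-513
EOF
}

# Print every value of attribute $1 from the LDIF on stdin (name matched
# case-insensitively, as LDAP attribute names are).
ldif_attr() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v a="$a" '{ i = index($0, ": ")
                   if (i > 0 && tolower(substr($0, 1, i - 1)) == a) print substr($0, i + 2) }'
}

# Read a user's entry from the live directory (assumption: LDIF output).
# $1 uid, $2 admin DN, $3 admin password, $4 suffix
fetch_entry() {
  idsldapsearch -D "$2" -w "$3" -b "$4" "(uid=$1)"
}

# Return 0 if the entry on stdin has what both logins need; report each gap.
check_unified_user() {
  entry=$(cat); rc=0
  classes=$(printf '%s\n' "$entry" | ldif_attr objectClass | tr 'A-Z' 'a-z')
  for c in posixaccount sambasamaccount; do
    printf '%s\n' "$classes" | grep -qx "$c" || { echo "missing objectClass $c" >&2; rc=1; }
  done
  for attr in uidNumber gidNumber homeDirectory; do
    [ -n "$(printf '%s\n' "$entry" | ldif_attr "$attr")" ] || { echo "missing $attr" >&2; rc=1; }
  done
  # Both SIDs must belong to this Samba domain, or Windows will reject the account.
  for attr in sambaSID sambaPrimaryGroupSID; do
    sid=$(printf '%s\n' "$entry" | ldif_attr "$attr")
    case "$sid" in
      "$DOMAIN_SID"-*) ;;
      *) echo "$attr '$sid' is not in domain $DOMAIN_SID" >&2; rc=1 ;;
    esac
  done
  return $rc
}

if [ "${1:-}" = "check" ]; then
  fetch_entry "${2:-winlinuser}" cn=root root "o=ibm,c=in" | check_unified_user \
    && echo "entry is valid for both Linux and Windows login"
fi
```

An entry that fails only the sambaSamAccount check is what you get when smbldap-useradd was run without the Samba schema loaded (Step 8) or without the -a option; an entry that fails only the POSIX checks was created by Samba's own add machine script path rather than by smbldap-useradd.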

Testing a user with Windows XP

We will now configure a Windows XP machine to join the SMBTDS Samba domain we created.

Right-click on My Computer and select Properties, as shown below.

Screen capture showing the Properties Dialog Box

In the System Properties dialog box, click on Computer Name, then on Change to join the domain as shown below.

Screen capture showing the system properties

After clicking Change, you will see a dialog box in which to provide your domain name, as shown below.

Screen capture showing box to insert domain name

Click on the Domain radio button and type SMBTDS, then click OK. You will be prompted to provide your domain administrator username and password, which in this case will be root and the root password.

Note: Only a Windows domain administrator or Samba administrator who knows the credentials can join a domain. You cannot join a domain as a non-privileged user.

After the Windows machine has joined the domain using the Domain Administrator/Samba Administrator credentials, any normal or non-privileged user of the same Windows machine will be able to log in to the machine using the common user (in this example, winlinuser) credentials. This user does not exist on the same Windows machine and was created on the IBM Security Directory Server server by the administrator of the server and sent to the end user by means of an email or any other preferred methods of communications.

This is the user created in the steps under "Create common users for your Linux and Windows platforms."

Screen capture showing joined domain

The Welcome message shown above confirms that you have successfully joined the domain SMBTDS. After this, you need to restart your system and log in again to this Windows machine using the winlinuser username, as shown below.

Screen capture showing Windows login

We have now successfully logged in to the Windows machine using the username winlinuser, which is also a Linux user.

If you open My Computer, you will notice that the winlinuser's home directory is mounted and mapped to a drive H, as we have configured in the Samba configuration file.

Screen capture showing the Linux home directory icon

You will be able to access all the files you had created on your Linux system using this username winlinuser from this Windows machine.


Basic troubleshooting

Sometimes a Windows XP machine refuses to join a Samba domain. The first thing to try in such a case is to create a registry value named requiresignorseal of type DWORD and set it to 0; this turns off the client's requirement that its Netlogon secure channel to the domain controller be signed or sealed.

Click on Start > Run, then type regedit and press Enter. You will be presented with the registry editor window. Navigate to the following key and create the requiresignorseal value there:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

If you get any other error, you might want to check the Samba log file, generally located at the directory /var/log/samba. The location of the Samba log file can be changed in the smb.conf file.


Conclusion

I have described a procedure that enables single-user login for accessing a Linux file share from a Windows machine through Samba sharing. This setup should prove useful in a heterogeneous environment. Moreover, using the same method, you can also access all of a user's Windows files from a Linux machine.

Resources

Learn

Get products and technologies
