Allow Windows Access to FreeBSD Secure Shell

We are using a business program that requires certain users access to a *NIX OS. I will save some amount of time by not having to add individual user to this box in the future. I can also use this to allow access to X windows progams that I hope to be able to pipe into windows boxes.

For this I will be using FreeBSD 6.1 and Samba 3 which is ported with FreeBSD

I start out by loading FreeBSD. (I take advantage of the High Speed connection and load it from the Internet). I only load the minimal load along with the documentation (MAN and CAT pages) and the ports.

As I want to have the ability to manage the server from a web interface, I load webmin from the distributin after FreeBSD is loaded.

I continue the set up by activating SSH named, setting the Timezone, root password and time server client. Then I let the computer restart.

I want to get the newest version of SAMBA possible. I get the latest version (samba-3.0.23d) from cvsup.

 cd /usr/ports/net/samba3
make install clean

I select all except quotas on the menus. I would select quotas if I required it.

And let it run! To get all the downloads and dependencies it takes over an hour to compile so we can do some other house keeping.

Kerberos needs confiuring. You will need to know the name of the domain this will be a member of and the name of at least one DC. You will create a file called krb5.conf in the /etc directory. The following is mine.

 [libdefaults] default_realm=OEISD.ORG [realm] OEISD.ORG={ kdc=dc.oeisd.org admin_server=dc.oeisd.org } [domain_realms] .oeisd.org=OEISD.ORG
Test the configuration by kinit adusername when prompted enter the password and you should get a ticket. If you do not get a ticket, check the default_realm should be yours and it should be capitalized. Under realm your domain should be capitalized and nothing inside the brackets should be. Check that the name of your dc is in the kdc and admin_server values. Then check that the domain_realms has your domain preceeded by a dot in lowercase letters and your domain name capitalzed. If that does not fix the problem, try pinging the dc by name. If that does not work check resolv.conf.

You can re-configure /etc/nsswitch.conf so it will use winbind.

 sed -i '' -e 's/group:.*/group: files winbind/' /etc/nsswitch.conf sed -i '' -e 's/passwd:.*/passwd: files winbind/' /etc/nsswitch.conf

You will need to decide where the users are going to have as their home directory on the server.

You may want to have PAM create a home directory for each user that logs in or you may want to have every use a template folder. The first is required if you intend to allow users to log into an X terminal setting. The second choice is satisfactory if users are not directly attempting to log into the computer such as a squid server.

IF YOU WANT TO create home directories, there are a couple of extra steps listed at the bottom of the article and you will need to make some minor changes to smb.conf and the pam.d files.

As of now I do not care that each user has his own home dir, they should not be making personal changes to this server anyhow. I built a folder called /tmp/winhome and gave 775 access to root:nobody.

You also want to make folders for any other shares that should be on this computer.

Next you need to create a guest and a template group.

While Samba is still loading it is a good time to get the confiuration file set up. This file is going to be located in /usr/local/etc and will be called smb.conf. This is mine:

 [global] server string = Samba Server announce version = 5.2 security = ADS workgroup = OEISD realm = OEISD.ORG hosts allow = 172.16. auth methods = winbind allow trusted domains = no password server = 172.16.12.3 #passdb backend = tdbsam (removed was returning an error) guest account = winuser #template primary group = winusers (predicated) template homedir = /tmp/winhome # note with template homedir winusers use root as their home, #if you are creating directories (pam_mkhomedir.so) at login comment out the template homedir line template shell = /bin/csh algorithmic rid base = 1000000 #idmap backend = idmap_rid:OEISD=1000-1000000 note the change idmap backend = rid:OEISD=1000-1000000 idmap uid = 1000-5000000 idmap gid = 1000-5000000 winbind separator=. winbind cache time = 3600 winbind enum users =no winbind enum groups =no winbind use default domain = yes winbind nested groups = yes # if this is not added testparm will return an error passdb expand explicit = no map to guest= Bad User load printers = yes printcap name = /etc/printcap printcap name = lpstat printing = cups printcap = cups log file = /var/log/samba/log.%m max log size = 50 socket options = TCP_NODELAY local master = no domain master = no preferred master = no wins server = 172.16.12.3 dns proxy = no [share] path = /tmp admin users = oeisd.administrator read only = Yes

We are finished until the Samba install is complete. Unless you are watching the system carefully and want to get the ldap.conf and cups.conf files when they get loaded.

After samba is installed, I like to rebuild the locate database (/etc/periodic/weekly/310.locate) and restart the server. ( I guess if its going to act like a Windows box we ought to treat it like a Windows box).

Next I have found that I get a lot less error if I configure cups. Add these lines at the top of the cupsd.conf file located in the /usr/local/etc/cups directory:

In version 3.0.21b,1 it was required to copy /usr/local/etc/rc.d/cups.sh.sample to /usr/local/etc/rc.d/cups.sh and change the permissions of /usr/local/etc/rc.d/cups.sh to 555; this is not the case in version 3.0.23d

You will need to edit the /usr/local/etc/openldap/ldap.conf file. There are only two entries that are required:

For Microsoft ldap you will need to use port 389

Test the Samba installation by running testparm. When testparm does not yield errors you should be able to join the server to the domain using the command

You will be prompted for a password for administrator. You can omit the "OU" if you do have a specific OU in mind. the administrator can be any one that has rights to join a computer to the domain.

Test if you are part of the domain with net group -U administrator and net user -U administrator. This should yield a list of domain groups and users.

In order for SAMBA of any service to start you need to add the following lines to /etc/rc.conf:
samba_enable="YES"
cups_enable="YES"

Start samba (/usr/local/etc/rc.d/samba.sh start). If everything is configured right now you should be able to type wbinfo -u and get a list of domain users and wbinfo -g and get a list of domain groups. You should also be able to connect to any shares that are on the server. You need to make certain you have the correct permissions on the folder to allow winusers the appropriate access.

Now set up pam to authenticate local logins. Edit /etc/pam.d/system. Take caution when editing any of the files in /etc/pam.d. If you make mistakes, you can make it so anyone can log into the computer (no authentication) or worse so no one can log into the computer (Including root). You need to add a directive to use pam_winbind.so for auth,password and account. Notice that sufficient is used not required or requisite. This is what my system file looks like:

 # # $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $ # # System-wide defaults # # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient pam_winbind.so try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account account required pam_winbind.so #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so # session #session optional pam_ssh.so session required pam_lastlog.so no_fail #session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 #uncomment the line above if you are making the directories at login #make certain you have followed added the pam_mkhomedir package before uncommenting # password password sufficient pam_winbind.so try_first_pass #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass

The pam_winbind.so is not in /usr/lib it is in /usr/local/lib. This will cause your loging to fail. You can correct this by linking or copying the file:

To test get to a new login (ALT F2) and lgin as a domain user like oeisd.squiresr. Use your domainname and user name. We used a dot to separate the domain from user name. If you can log in, log out and try to log into the computer as root, you should still be able to do this.

Repeat the last step for each service that requires a domain log in.

If you want Samba to run at startup add samba_enable="YES" to /etc/rc.conf

USING pam_mkhomedir
• You will need to add the package pam_mkhomedir. This is found under /usr/ports/security/pam_mkhomedir.
  cd /usr/ports/security/pam_mkhomedir && make install clean
• Create a directory under /usr/home for the netBIOS name of your domain
  mkdir /usr/home/%DOMAIN%
• Link the pam_mkhome dir files to the usr/lib directory
  ln -s /usr/local/lib/mkhomedir.so /usr/lib/mkhomedir.so
  ln -s /usr/local/lib/mkhomedir.so2 /usr/lib/mkhomedir.so2
• Make the necessary adjustments in smb.conf and the pam.d files

Good LuckBack