Samba HowTo Guide
Prev Home Next

Testing Things Out

Before starting, it is probably best to kill off all the Samba-related daemons running on your server. Kill off all smbd, nmbd, and winbindd processes that may be running. To use PAM, make sure that you have the standard PAM package that supplies the /etc/pam.d directory structure, including the PAM modules that are used by PAM-aware services, several PAM libraries, and the /usr/doc and /usr/man entries for PAM. Winbind is built better in Samba if the pam-devel package is also installed. This package includes the header files needed to compile PAM-aware applications.

Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris

PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install the pam-devel libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3 may auto-install the Winbind files into their correct locations on your system, so before you get too far down the track, be sure to check if the following configuration is really necessary. You may only need to configure /etc/nsswitch.conf.

The libraries needed to run the winbindd daemon through nsswitch need to be copied to their proper locations:

root# cp ../samba/source/nsswitch/libnss_winbind.so /lib

I also found it necessary to make the following symbolic link:

root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

And, in the case of Sun Solaris:

root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2

As root, edit /etc/nsswitch.conf to allow user and group entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file looked like this after editing:

passwd:     files winbind
shadow:     files 
group:      files winbind

The libraries needed by the winbindd daemon will be automatically entered into the ldconfig cache the next time your system reboots, but it is faster (and you do not need to reboot) if you do it manually:

root# /sbin/ldconfig -v | grep winbind

This makes libnss_winbind available to winbindd and reports the current search path that is used by the dynamic link loader. The grep filters the output of the ldconfig command so that we can see proof that this library is indeed recognized by the dynamic link loader.
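The nsswitch.conf layout above puts files ahead of winbind for passwd and group, so local accounts such as root resolve locally before winbindd is asked, and keeps winbind out of shadow. The following check is an added example, not part of the Samba guide; the function names nss_state and check_nsswitch and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an nsswitch.conf against the layout shown above.

# nss_state FILE DB -> prints how DB orders its "files" and "winbind" sources:
#   files-then-winbind | winbind-first (winbind not preceded by files) | no-winbind
nss_state() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                      # strip comments
        $1 == db {
            for (i = 2; i <= NF; i++) {
                if ($i == "files"   && !f) f = i
                if ($i == "winbind" && !w) w = i
            }
            exit                                # first matching line wins
        }
        END {
            if (!w)                print "no-winbind"
            else if (!f || w < f)  print "winbind-first"
            else                   print "files-then-winbind"
        }' "$1"
}

# check_nsswitch FILE -> 0 if passwd and group read "files" before "winbind"
# and shadow does not consult winbind at all; 1 otherwise.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        state=$(nss_state "$1" "$db")
        [ "$state" = files-then-winbind ] || { echo "FAIL $db: $state"; rc=1; }
    done
    state=$(nss_state "$1" shadow)
    [ "$state" = no-winbind ] || { echo "FAIL shadow: $state"; rc=1; }
    return "$rc"
}

# Constructed sample input (not a real system file).
sample=$(mktemp)
printf '%s\n' 'passwd:     files winbind' 'shadow:     files' \
              'group:      files winbind   # domain groups' > "$sample"
check_nsswitch "$sample" && echo "OK: sample matches the layout above"
rm -f "$sample"
```

On a live system, run check_nsswitch /etc/nsswitch.conf after editing the file.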

The Sun Solaris dynamic link loader management tool is called crle. The use of this tool is necessary to instruct the dynamic link loader to search directories that contain library files that were not supplied as part of the original operating system platform. The following example shows how to use this tool to add the directory /usr/local/lib to the dynamic link loader's search path:

root# crle -u -l /usr/lib:/usr/local/lib

When executed without arguments, crle reports the current dynamic link loader configuration. This is demonstrated here:

root# crle

Configuration file [version 4]: /var/ld/ld.config
  Default Library Path (ELF):   /lib:/usr/lib:/usr/local/lib
  Trusted Directories (ELF):    /lib/secure:/usr/lib/secure  (system default)

Command line:
  crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/local/lib

From this it is apparent that the /usr/local/lib directory is included in the path that is searched for dynamic link libraries in order to satisfy object module dependencies.

NSS Winbind on AIX

(This section is only for those running AIX.)

The Winbind AIX identification module gets built as libnss_winbind.so in the nsswitch directory of the Samba source. This file can be copied to /usr/lib/security, and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly

can then be added to /usr/lib/security/methods.cfg. This module only supports identification, but there have been reports of success using the standard Winbind PAM module for authentication. Use caution configuring loadable authentication modules, since misconfiguration can make it impossible to log on to the system. Information regarding the AIX authentication module API can be found in the “Kernel Extensions and Device Support Programming Concepts for AIX” document that describes the Loadable Authentication Module Programming Interface for AIX. Further information on administering the modules can be found in the System Management Guide: Operating System and Devices.

Configure smb.conf

Several parameters are needed in the smb.conf file to control the behavior of winbindd. These are described in more detail in the winbindd(8) man page. My smb.conf file, as shown in the example smb.conf for Winbind Setup, was modified to include the necessary entries in the [global] section.

Example 23.1. smb.conf for Winbind Setup

[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = \
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
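winbindd allocates ids for domain users and groups from the idmap uid and idmap gid ranges, so a local account that already holds an id inside them would share file ownership and permissions with whichever domain identity is mapped to it. The following check is an added example, not part of the Samba guide; the function names idmap_range, ids_in_range and overlap and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find local accounts whose ids fall inside the winbind idmap range.

# idmap_range SMBCONF KEY -> prints "LOW HIGH" for a line such as
# "idmap uid = 10000-20000" (KEY is "idmap uid" or "idmap gid").
idmap_range() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                  # smb.conf comment lines
        {
            k = tolower($1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            if (k == key) {
                v = $2; gsub(/[ \t]/, "", v)
                if (split(v, r, "-") == 2) print r[1], r[2]
                exit
            }
        }' "$1"
}

# ids_in_range FILE LOW HIGH -> prints "name:id" for every passwd- or
# group-format entry whose numeric id (field 3) lies in LOW..HIGH.
ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }' "$1"
}

# overlap SMBCONF KEY FILE -> lists colliding entries and returns 1 if any
# exist, 0 if none, 2 if SMBCONF has no usable range for KEY.
overlap() {
    range=$(idmap_range "$1" "$2")
    [ -n "$range" ] || { echo "no '$2' range in $1" >&2; return 2; }
    hits=$(ids_in_range "$3" ${range% *} ${range#* })
    [ -z "$hits" ] || { echo "$hits"; return 1; }
}

# Constructed sample inputs: the two idmap lines from the example above and
# a made-up passwd file in which "backup" already owns uid 10050.
conf=$(mktemp); pw=$(mktemp)
printf '%s\n' '[global]' 'idmap uid = 10000-20000' 'idmap gid = 10000-20000' > "$conf"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'backup:x:10050:100::/home/backup:/bin/sh' > "$pw"
overlap "$conf" "idmap uid" "$pw" || echo "^ local uid inside the idmap uid range"
rm -f "$conf" "$pw"
```

On a live system, run overlap against smb.conf with "idmap uid" and /etc/passwd, then with "idmap gid" and /etc/group, before starting winbindd.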

Join the Samba Server to the PDC Domain

All machines that will participate in domain security should be members of the domain. This applies also to the PDC and all BDCs.

The process of joining a domain requires the use of the net rpc join command. This process communicates with the domain controller it will register with (usually the PDC) via MS DCE RPC. This means, of course, that the smbd process must be running on the target domain controller. It is therefore necessary to temporarily start Samba on a PDC so that it can join its own domain.

Enter the following command to make the Samba server join the domain, where PDC is the name of your PDC and Administrator is a domain user who has administrative privileges in the domain.

Published under the terms of the GNU General Public License