Samba 3 "Pass through Authentication" Member Server.
*************************Disclaimer*************************************
This document worked for me. It may not work for you. I hope it helps
you out, but if it doesn't and/or you flip out and toss your server
over a cliff I can't be held responsible.
I'm no Mavis Beacon either, so don't be getting all touchy about
typos. You're a smart kid; you should be able to figure out what I
mean.
***********************************************************************
OS: Suse 9.0 pro
Samba: 3.02a
Domain Type: NT4 (sp6) / PDC / Wins
************************************************************************
Requirements: Replace a primary Windows 2000 file server with Samba
as transparently as possible. Implement existing user accounts and
policies.
Allow for ACL modification via Windows properties.
************************************************************************
You don't need to run the same OS as I do here. In fact I'd prefer to
use Slackware as it is far more robust than Suse IMHO. The boss likes
Suse, so there it is.

Samba 3.02a RPMs; these were found in the Suse People directories:
samba3-pdb-3.0.2-0
samba3-3.0.2-0
samba3-vscan-0.3.4-0
samba3-python-3.0.2-0
samba3-doc-3.0.2-0
samba3-winbind-3.0.2-0
samba3-client-3.0.2-0
samba3-utils-3.0.2-0
samba3-cifsmount-3.0.2-0
libsmbclient-devel-3.0.2-0
libsmbclient-3.0.2-0

You're not going to have the same list as I have if you use a
different distro or even if you compile from source.
You'll need ACL support in your kernel and a filesystem that supports
ACLs. This will allow you to manage permissions from Windows as if
your Samba box were a Windows box (minus the BSODs and add a dash of
stability). I used the ext3 filesystem, and the Suse 9 default kernel
allowed for ACLs, so I lucked out there.

Filesystem:
Create a directory where your samba tree will grow:
mkdir /media/userdata
I formatted the RAID array as ext3 like so:
mkfs.ext3 /dev/sdb1
I use SCSI, but if you use IDE:
mkfs.ext3 /dev/hdaXXX

Once that is all done you can edit your /etc/fstab to use ACLs by
adding a line like this (note the device is the partition you
formatted, /dev/sdb1, not the whole disk):
/dev/sdb1 /media/userdata ext3 acl 0 0
Now you should be able to mount the dir like normal without error. If
you do get errors check your syntax and Google for the answers.
Samba:
The next thing is to install samba. Make sure you uninstall any other
versions of samba and remove the directories.
Then download all the RPMs listed above into a directory. Once the
downloads are complete execute this:
rpm -iv --force *.rpm
That installs every RPM in the current directory regardless of
conflicts.
Use the force wisely. The -v option will at least give you some useful
info if something runs into errors.

Edit the /etc/samba/smb.conf
[global]
workgroup =
netbios name =
security = DOMAIN
printcap name = cups
disable spoolss = yes
show add printer wizard = no
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind separator = +
winbind use default domain = yes
use sendfile = yes
printing = cups

[SHARENAME]
comment = FILES
path = /media/userdata
read only = No
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes

You can use this as your template. This config file is verbatim from
the one that is in the Samba HOWTO under the domain member section.
security = DOMAIN in [global] is what passes authentication through to
the PDC. The important parts in the share specification are inherit
permissions, inherit acls and map acl inherit.

Don't start samba yet. Join the domain first. You'll need the admin
login:

net rpc join -U administrator%'passwd'

Winbind:
Edit the /etc/nsswitch.conf

passwd: files winbind
shadow: files
group: files winbind

That's all you'll really need there. I commented out everything else.
If you want to ping boxes from the Linux command line using NetBIOS
names, make sure that /lib/libnss_wins.so exists, symlink it to
/lib/security and add this line to the nsswitch.conf:

hosts: files dns winbind wins

Now start the daemons:

/etc/init.d/smb start
/etc/init.d/nmb start
/etc/init.d/winbind start

Check to see if you get the users:

wbinfo -u

And groups:

wbinfo -g

If all goes well:

getent passwd

That should yield your NT account information.
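Two quick sanity checks for the fstab step above and for the getent output, added here as an example script and not part of the original post. Both functions take text, so you can feed them the real output of cat /proc/mounts and getent passwd; the samples embedded below are constructed, and the uid range matches the idmap uid line in the smb.conf above.

```shell
#!/bin/sh
# Added example (not from the original post): checks that the share's
# mount point carries the "acl" option and that winbind-mapped accounts
# show up in getent passwd inside the idmap range.

# Does mount point $2 carry the "acl" mount option?
# $1 = text in /proc/mounts format
has_acl_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "acl") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Count passwd entries whose uid lies inside the idmap range
# (idmap uid = 15000-20000 in the smb.conf above). With
# "winbind use default domain = yes" the names carry no DOMAIN+ prefix,
# so the uid range is the only way to tell domain accounts from local ones.
# $1 = text in passwd format, $2 = low uid, $3 = high uid
count_idmap_users() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
        NF >= 7 && $3 >= lo && $3 <= hi { n++ }
        END { print n + 0 }'
}

# Constructed sample input standing in for the real command output
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sdb1 /media/userdata ext3 rw,acl 0 0'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:15001:15000:Alice:/home/alice:/bin/false
bob:x:15002:15000:Bob:/home/bob:/bin/false'

if has_acl_opt "$SAMPLE_MOUNTS" /media/userdata; then
    echo "acl option present on /media/userdata"
else
    echo "acl option MISSING on /media/userdata: setfacl will fail later"
fi
echo "domain accounts in idmap range: $(count_idmap_users "$SAMPLE_PASSWD" 15000 20000)"
```

On the real box run it as has_acl_opt "$(cat /proc/mounts)" /media/userdata and count_idmap_users "$(getent passwd)" 15000 20000; a count of zero means winbind is not answering NSS lookups yet.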
PAM:
The last thing to do is deal with PAM.
BACK UP YOUR FILES.
I deleted everything under /etc/pam.d and added 2 new files:
touch samba login
Rather than get long-winded about the file contents: for winbind
authentication to an NT PDC you must use pam_winbind.so.

#%PAM-1.0
# Pam file for login services
#################################
auth required pam_winbind.so
account required pam_winbind.so
session required pam_winbind.so
password required pam_winbind.so


#%PAM-1.0
# Pam file for samba
####################################
auth required pam_winbind.so nodelay
auth required pam_unix.so
account required pam_unix.so
password required pam_winbind.so nodelay smb.conf=/etc/samba/smb.conf

Permissions:
setfacl -m g:"Domain Users":rwx /path/to/samba/share
and
chmod ug=rwx,o=x /path/to/samba/share

Obviously if the Linux box can't see the "Domain Users" group then
the setfacl command will error.
We had to migrate 50-ish gigs of data, so we used robocopy to move
things and retain permissions. These are the switches:
Source Directory :
/SD:\\source\share :: Source Directory.

Destination Directory :
/DD:\\destination\share :: Destination Directory.

Of course we had some errors. But nothing that was too serious. We had
to adjust some directories but it sure beats having to do it all one
at a time!

Jorma Spaziano
Systems Specialist
Lincoln County Shared Services

Positive Comments Welcome.