!==
!== NISPLUS.txt
!==
Contributor: TAKAHASHI, Motonobu
Created:     1999/02/21
Theme:       Using NIS+ with Samba
============================================================================

NIS+ (NISPLUS) is a directory service that Sun has implemented on Solaris.
It is now supported on HP-UX and Linux.

Samba-2 uses NIS+ for the following purposes (Samba-1.x supports only the
first):

(1) as the map database for automount, which nis homedir uses
(2) to replace the user database file (usually the smbpasswd file), which
    Samba uses to authenticate users.
(3) to replace the user database file (usually the smbpasswd file), which
    Samba uses to authenticate users when it acts as a domain controller.

We will explain the above in order. (2) and (3) use the same database, but
differ in supported features.

How to set up nis homedir
--------------------------

This feature is the same as the NISPLUS option of samba-1.9.18p10.
To use this feature, enter the following:

  % ./configure --with-automount --with-nisplus-home

(Of course you can add other options you like.)

In the [global] section of smb.conf, type the following:

  nis homedir = yes

Next, referring to the description in smb.conf(5), set the few Domain
Controller options for Windows 9x machines.

Before proceeding, we assume that the Samba machine already belongs to the
NIS+ domain and that you have already set the NIS+ settings.

Here we assume some parameters:

(1) logon machine (also called hostA)

      workgroup = DOM
      domain logon = yes
      security = user
      nis homedir = yes

    Also create [netlogon] and [homes] shares and set them as a member of
    the NIS+ domain

(2) home directory server (also called hostB), set as a member of the NIS+
    domain (just like hostA) and holding the users' home directories

(3) auto_home.org_dir is set as:

      user1 hostB:/usr1/home/user1
      user2 hostB:/usr1/home/user2

All other NIS+ settings are to be set properly.

The above accounts 'user1' and 'user2' can now connect to the Samba server
on hostB from Windows clients.

In this Linux environment, go to a Windows 95 client and check the
"logon to Windows NT domain" checkbox in "Microsoft Network Client".
Reboot Windows and log on as 'user1' under domain 'DOM'. After logon, type
the following at a command prompt (e.g. an MS-DOS shell):

  net use u: /home

Enter your password. Once the connection is made, the u: drive is mapped to
\\hostB\user1, based on the setting of hostB.

To test the setting, go back to the Linux machine hostA and change the
following in smb.conf:

  nis homedir = no

Restart and log on to Windows 9x. Now the u: drive should be connected to
\\hostA\user1.

How to set security = user
----------------------------

Under NIS+, instead of getting information from the smbpasswd file, Samba
gets information from the smbpasswd NIS+ table. So this feature will work
whenever the smbpasswd file is needed.

This feature requires a configure option:

  --with-nisplus

We will now explain these settings, but not general NIS+ functions.

(1) Migrating smbpasswd

Note that you must be a principal that can create the NIS+ tables.

To create the smbpasswd NIS+ table in the NIS+ domain, first run:

  # source/script/mknissmbpwdtbl.sh

Next, run:

  # cat smbpasswd | source/script/mknissmbpasswd.sh

This loads the contents of a Samba-2 formatted smbpasswd file into the
NIS+ table.

Note that by default smbpasswd can only be accessed by the owner of the
NIS+ table and the smb NIS+ group. You may add the proper principal to the
smb NIS+ group or add proper permissions to the smbpasswd NIS+ table.

If your Samba server is not the master server of the NIS+ domain, you have
to add the principal of the server (of the form unix.XXX@domain.) to the
smb NIS+ group. You can do so with the command 'nisgrpadm'. For example, if
you want to operate on HOSTNAME.foo.com (foo.com is the name of the NIS+
domain), type:

  # nisgrpadm -a smb.groups_dir.foo.com. unix.HOSTNAME@foo.com.

This makes the smbpasswd NIS+ table accessible from the Samba server.

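The default noted above (only the table owner and the smb NIS+ group can
access smbpasswd) matters because the table holds password hashes. The script
below is an added example, not part of the original document or of Samba: it
checks the table-level access rights reported by `niscat -o`. The output
layout, the sample values and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from NISPLUS.txt): audit table-level access rights on the
# smbpasswd NIS+ table. Assumption: `niscat -o` prints an "Access Rights" line
# with 16 characters, four (r m c d) each for nobody, owner, group, world.
# Column-level rights are not inspected.

# Constructed samples of `niscat -o smbpasswd.org_dir` output (not captured
# from a real system); foo.com is the example domain used in this document.
sample_restricted='Object Name   : smbpasswd
Owner         : HOSTNAME.foo.com.
Group         : smb.foo.com.
Access Rights : ----rmcdrmcd----
Object Type   : TABLE'
sample_loose='Object Name   : smbpasswd
Owner         : HOSTNAME.foo.com.
Group         : smb.foo.com.
Access Rights : ----rmcdrmcdr---
Object Type   : TABLE'

# Read `niscat -o` output on stdin and print the 16-character rights string.
table_rights() {
    sed -n 's/^Access Rights[[:space:]]*:[[:space:]]*\([-rmcd]\{16\}\).*$/\1/p' |
        head -n 1
}

# Return 0 only if the nobody and world classes hold no rights at all,
# 1 if either does, 2 if the rights string could not be parsed.
audit_rights() {
    rights=$1
    status=0
    if [ "${#rights}" -ne 16 ]; then
        echo "ERROR: could not parse access rights"
        return 2
    fi
    nobody=$(printf '%s' "$rights" | cut -c1-4)
    world=$(printf '%s' "$rights" | cut -c13-16)
    [ "$nobody" = "----" ] || { echo "FAIL: nobody has '$nobody'"; status=1; }
    [ "$world" = "----" ] || { echo "FAIL: world has '$world'"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: only owner and group have access"
    return "$status"
}

# Demo on the constructed samples; on a live system use:
#   audit_rights "$(niscat -o smbpasswd.org_dir | table_rights)"
for s in "$sample_restricted" "$sample_loose"; do
    audit_rights "$(printf '%s\n' "$s" | table_rights)" || true
done
```

Run it again after any nisgrpadm or permission change to confirm that the
nobody and world classes still have no access.
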
(2) Modify smb.conf

To refer to the smbpasswd NIS+ table, modify smb.conf like this:

  smb passwd file = smbpasswd.org_dir

You can specify the NIS+ table in another format (such as
"smbpasswd.your.domain").

You also have to specify:

  encrypt passwords = yes

to refer to the smbpasswd NIS+ table.

(x) In case of 'security = server' or 'security = domain'

This setting also works under 'security = server' and 'security = domain',
because instead of referring to the original smbpasswd file, Samba now
refers to the smbpasswd NIS+ table.

Note that if you've set the security parameter as described above, the
locations of the MACHINE.SID file and the [DOMAIN].[MACHINE].mac file under
'security = domain' are also affected by the setting of the
'smb passwd file' parameter.

For this reason, when you start Samba as a daemon and "/" is the current
directory, the MACHINE.SID file will be created as
'/smbpasswd.org_dirMACHINE.SID', and the '/smbpasswd.org_dir' directory is
also created.

Thus, functionally speaking, you can use NIS+ under 'security = server' and
'security = domain', except for the inconveniences described above.

Also, when using the smbpasswd file, a root user can use the smbpasswd
command to change the password of user1, for example:

  # smbpasswd user1 [password]

But with the NIS+ database, even root cannot change other users' passwords.
Only the user can change his own password.

Regarding using the user database when acting as a domain controller
--------------------------------------

(I've not examined this yet.)

--------------------------------------
What I want to fix:

(1) nsswitch.conf support
(2) the created location problem of some files such as MACHINE.SID