NT Gatekeeper: Using Winbind to Enable SSO Between NT and Linux

The majority of our organization's users run Windows NT Workstation 4.0. A minority (about 20 percent) run Linux. To enable file- and print-services sharing between Linux and Windows, we installed a set of Samba servers that also run Linux. How can we enable true unified logon (i.e., single sign-on—SSO) between the Samba servers and the NT workstations? We want users to be able to access Windows and Samba resources transparently by using one user account that we define in an NT domain database.

Winbind, a little-known Samba service, provides unified logon between NT and UNIX systems. Winbind lets you integrate UNIX machines into an NT domain environment without needing a UNIX account database. Currently, Winbind is available only for the Linux OS. A stable version of Winbind is available in Samba 2.2.2 and later (the latest Samba release is 2.2.7a). To find out more about Samba and to download the Samba code (including Winbind), visit the Samba Web site (http://www.samba.org).

Winbind is built on a UNIX implementation of remote procedure calls (RPCs), a special Pluggable Authentication Module (PAM), and a Name Service Switch (NSS) module. Winbind uses RPCs to enumerate Windows domain users and groups, to obtain Windows domain user and group details from a Windows domain controller (DC), to authenticate users against an NT domain, and to change passwords. PAM is a UNIX technology that provides the flexibility to plug different authentication and authorization providers into the UNIX OS. The Winbind PAM lets NT users log on to a UNIX box and be authenticated against a Windows DC. The NSS module lets a UNIX service resolve host names, group names, and usernames by calling on a Windows DC. NT domain users and groups will then appear and work as UNIX users and groups on the UNIX box.

You can find a more detailed overview of the technologies behind Winbind in "Unified Logons between Windows NT and Unix using Winbind" (http://us6.samba.org/samba/ftp/appliance/winbind.pdf). You'll find more information about how to set up Winbind and its components in the Samba documentation at http://de.samba.org/samba/ftp/docs/htmldocs/Samba-HOWTO-Collection.html#WINBIND.

For readers who aren't familiar with Samba, it's an open-source software (OSS) suite that can provide seamless file and print services to a wide range of Server Message Block (SMB) and Common Internet File System (CIFS) clients (e.g., Windows, Linux, OS/2). Samba is freely available under the GNU General Public License (GPL). More information about this license is available at http://ftp.easynet.be/samba/docs/gpl.html.
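
The NSS and PAM modules described above only take effect once the Linux host's name-service and PAM configuration reference them. The following shell check is an added example, not code from the original article or the Samba project; the function names, the constructed sample files, and the policy that `files` must be consulted before `winbind` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the NSS and PAM hooks that Winbind depends on.
# Function names and the "files before winbind" policy are assumptions.

# nss_uses_winbind DB FILE: true if DB (passwd or group) lists winbind
# as a source and local files are consulted before it.
nss_uses_winbind() {
    db=$1; file=$2; seen_files=no
    sources=$(sed 's/#.*//' "$file" | awk -F: -v db="$db" '$1 == db { print $2; exit }')
    for s in $sources; do
        case $s in
            files|compat) seen_files=yes ;;
            winbind) [ "$seen_files" = yes ] && return 0; return 1 ;;
        esac
    done
    return 1
}

# pam_uses_winbind KIND FILE: true if FILE has an uncommented line of
# PAM type KIND (auth, account, password) that calls pam_winbind.so.
pam_uses_winbind() {
    kind=$1; file=$2
    sed 's/#.*//' "$file" |
        awk -v k="$kind" '$1 == k && /pam_winbind\.so/ { ok = 1 } END { exit !ok }'
}

# audit_winbind NSSWITCH PAMFILE: report every missing hook, return 1 if any.
audit_winbind() {
    nsswitch=$1; pamfile=$2; rc=0
    for d in passwd group; do
        nss_uses_winbind "$d" "$nsswitch" || { echo "NSS: $d lacks winbind after files"; rc=1; }
    done
    for k in auth account; do
        pam_uses_winbind "$k" "$pamfile" || { echo "PAM: no $k line for pam_winbind.so"; rc=1; }
    done
    return $rc
}

# Constructed sample configuration (not taken from a real host).
tmp=$(mktemp -d)
printf 'passwd: files winbind\ngroup: files winbind\nhosts: files dns\n' > "$tmp/nsswitch.conf"
printf '%s\n' 'auth sufficient pam_winbind.so' 'auth required pam_unix.so use_first_pass' \
    'account sufficient pam_winbind.so' 'account required pam_unix.so' > "$tmp/login"
audit_winbind "$tmp/nsswitch.conf" "$tmp/login" && echo "winbind NSS and PAM hooks present"
```

Listing `files` first keeps local accounts such as root resolvable when no domain controller can be reached, which is why the check treats the reverse order as a failure.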
