Logging in from Fedora Linux clients to Windows 2000 server with ADS

PAG gulawani at hathway.com
Thu May 13 12:58:19 UTC 2004

  Hi everyone,

I want to convert some 50 new machines that an organization is getting 
into Fedora Linux workstations.

This is the current setup:
The organization currently has one primary Windows 2000 ADS and two 
Windows 2000 servers acting as backup domain servers.
There are currently some 50 workstations already in the network and 
these are all Windows 2000 professional machines. There are HP laser 
network printers in the network.

Now the organization wants to add about 50 more workstations in the 
network. I am trying to convince them to use Fedora Linux on these 
machines instead of Windows 2000 Professional. My ultimate goal is to 
convert more machines to Linux.

From these Fedora machines, users should be able to log in to the 
Windows servers using their Windows usernames and passwords. They will be 
using a lot of files from the Windows 2000 servers, which currently also 
act as the file servers. They are currently reluctant to convert the 
Windows servers to Linux, as some critical applications 
that they use are available only on Windows. In addition to this they 
would need to print to the network printers in the network.

I googled and found a LOT of information on modifying the SAMBA and 
modifying the krb5 for the above purpose. I am using a couple of 
machines to do a test setup. I have installed FC1 on these machines and 
have configured SAMBA on both these machines.
Some of the settings done are as follows:
SAMBA "smb.conf" file is at the very bottom of this email
KRB5 "krb5.conf" file is also at the bottom of the email
"nsswitch.conf" file was modified also at the bottom of this email
"login" file (in the /etc/pam.d directory) was also modified
The authentication that I am using is SMB and KRB5

My FC1 machines are registered into the ADS using "net ads join -U 
user1". This went well and showed me as joined to the domain.

I have set up test users "user1" and "user2" both in the Windows domain 
and on the FC1 machines. The passwords of the above users on the 
local FC1 machines and on the Windows 2000 ADS machines are different. 
(The reason I have kept these different is to test that the login using 
the Windows 2000 username and password works.)

The problem that I face is this:
1. I cannot log in at the FC1 GUI login prompt (I'm using GNOME) using 
the Windows username (user1 or user2) and password. I can only log in 
using my FC1 local username and password. This is the first thing that I 
want to be able to do. I should be able to log in as any user (even if 
the user is not added on the local FC1 machine).
2. After logging into gnome as the local FC1 user, when I browse the 
network and click on any machine on the network it asks me for a 
username and password again for that machine. After entering the correct 
windows username and password I get access to the shared resources in 
the network.

I want to maintain one central username and password in the Windows 
2000 ADS. So if a username is added or the password of an existing user 
is changed, it is maintained in one location only and not in multiple 

Can someone point out what I could be doing wrong here? At this point 
I'm quite zonked actually. Some sites mentioned that all I need to do 
was enable Kerberos authentication on the local machine (no need to 
set up Samba). In other places there is nothing mentioned about krb5 but 
a lot of settings about Samba.

I'd appreciate your help a lot. I'm sorry for the long email, but I just 
wanted to make sure I've given all the details.

+++++++++++++++++++++   smb.conf  +++++++++++++
# Section headers ([global], [homes], [printers], ...) were lost when this
# mail was archived and are restored here. The name of the third share is
# not recoverable, so [common] below is a placeholder.
[global]
    workgroup = dec
    server string = M02 Samba Server
    netbios name = M02
    security = ADS
    # must be the Kerberos realm name (krb5.conf below sets default_realm = DEC.DOM)
    realm = M06.DEC.DOM
    password server = M06
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    # uid/gid range winbind allocates to domain users and groups
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind use default domain = Yes
    use sendfile = Yes
    printing = cups

[homes]
    comment = Home Directories
    valid users = %S
    writeable = yes
    browseable = Yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    printer admin = root, administrator
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No

[common]
    comment = Common folders for all
    path = /home/common
    writeable = yes
    guest ok = yes

+++++++++++++++++++++   nsswitch.conf  +++++++++++++
passwd:     files winbind
shadow:     files
group:      files winbind

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

+++++++++++++++++++++   krb5.conf  +++++++++++++
# Section headers and closing braces were lost when this mail was archived;
# they are restored here following the stock Fedora Core 1 layout.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DEC.DOM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DEC.DOM = {
  kdc = M06.DEC.DOM:88
  admin_server = M06.DEC.DOM:749
  default_domain = DEC.DOM
 }

[domain_realm]
# still the stock template's example.com entries; no dec.dom hosts are mapped to the realm here
 .example.com = DEC.DOM
 example.com = DEC.DOM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

+++++++++++++++++++++   login (file in /etc/pam.d)  +++++++++++++
# PAM stack for console (getty) logins; GDM reads its own service file, /etc/pam.d/gdm
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
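An added consistency check for the pieces this login path depends on (example code written for this page, not from the original mail or from Samba/Fedora). It assumes the display manager has its own PAM service file, /etc/pam.d/gdm, and the sample configs are constructed from the values quoted in the mail:

```python
import re  # added example, not from the original post

def parse_ini(text):
    """Minimal smb.conf / krb5.conf parser: {section: {key: value}}, first value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(key.lower(), value)
    return sections

def check_ads_login(smb_conf, krb5_conf, nsswitch, pam_files):
    """Return a list of findings; an empty list means the login chain is consistent."""
    findings = []
    smb = parse_ini(smb_conf).get("global", {})
    krb = parse_ini(krb5_conf).get("libdefaults", {})
    realm, default_realm = smb.get("realm", ""), krb.get("default_realm", "")
    if realm.upper() != default_realm.upper():  # Samba's realm must be the Kerberos realm
        findings.append(f"realm mismatch: smb.conf realm={realm} vs krb5.conf default_realm={default_realm}")
    for db in ("passwd", "group"):  # getent must reach winbind for domain users and groups
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch.conf: {db} does not consult winbind")
    for name, text in pam_files.items():  # every login path (console, gdm) needs pam_winbind
        for phase in ("auth", "account"):
            if not re.search(rf"^{phase}\s+\S+\s+\S*pam_winbind\.so", text, re.M):
                findings.append(f"pam.d/{name}: no {phase} line for pam_winbind")
    return findings

# Constructed samples using the values from the mail above.
SMB = "[global]\n workgroup = dec\n security = ADS\n realm = M06.DEC.DOM\n password server = M06\n"
KRB5 = "[libdefaults]\n default_realm = DEC.DOM\n[realms]\n DEC.DOM = {\n  kdc = M06.DEC.DOM:88\n }\n"
NSS = "passwd:     files winbind\nshadow:     files\ngroup:      files winbind\n"
PAM = {
    "login": "auth sufficient /lib/security/pam_winbind.so\n"
             "auth sufficient /lib/security/pam_unix.so use_first_pass\n"
             "account sufficient /lib/security/pam_winbind.so\n",
    # Hypothetical stock gdm file: only forwards to system-auth, so winbind is never asked.
    "gdm": "auth required /lib/security/pam_stack.so service=system-auth\n"
           "account required /lib/security/pam_stack.so service=system-auth\n",
}
if __name__ == "__main__":
    for finding in check_ads_login(SMB, KRB5, NSS, PAM):
        print("FINDING:", finding)
```

Run against the sample data it reports the realm mismatch and the two missing pam_winbind lines in the gdm stack; an empty result means the four files agree.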