Windows Domain auth for Linux boxes

Tarun Reddy treddy at tarun.homeip.net
Fri May 28 19:47:38 UTC 2004


I agree with Craig.

I'm using FC2 against Windows 2003 Active Directory servers very successfully (well, minus one part).

However, note that system-config-authentication is woefully broken/incomplete when it comes to winbind configuration.

But here are my general steps using FC2.

1. Install FC2 with "Windows File Sharing".
2. During firstboot, skip over creating an account.
3. Run system-config-authentication.
4. Click "Enable Winbind support".
5. Click the Configure button and fill in:
     winbind domain: <DOMAIN>  (no .com/.org/etc here)
     Security model: ads
     winbind ads realm: <DOMAIN.COM>
     winbind domain controllers: dc.domain.com  (I put in my primary ADS server)
     Template shell: (your choice)

Now, as root, edit /etc/krb5.conf. You'll see where system-config-authentication has not replaced anything correctly here.

You need to change EXAMPLE.COM -> DOMAIN.COM and .example.com -> .domain.com as needed. Also change kerberos.example.com to your ADS server, and admin_server to your ADS server.

Now open /etc/samba/smb.conf and search for "password server". You'll notice two entries here. You should only have your ADS server here.

Below the template shell line I've added

template homedir = /home/%U

so I don't have to have /home/DOMAIN/USER as the location for my home directory.

I also changed winbind use default domain to yes so that users can log in as USER instead of DOMAIN+USER.

The final step is to add the machine to the domain. As root:

net ads join -w DOMAIN -S ADSSERVER.DOMAIN.COM -U Administrator

/etc/rc.d/init.d/winbind restart
/etc/rc.d/init.d/sshd restart
(or, even safer, reboot)

You will have to add the users' home directories by hand before they can log in, and that's the final piece I'm trying to solve. Samba's add user script doesn't work for me.

Hope this helps,
Tarun



On May 28, 2004, at 12:21 PM, Craig White wrote:

> On Fri, 2004-05-28 at 10:40, Matt Morgan wrote:
>> Has anybody done this on their system with more open tools? Or another
>> option seems to be maintaining an NIS server that somehow replicates
>> accounts with the AD servers, so that NIS handles Linux login, while AD
>> handles only Windows--anybody tried that? Or if anybody else has come up
>> with other solutions to this or similar problems, please write in. We
>> have looked at all the PAM options--kerberos, LDAP, etc.--and none of
>> them look quite as good as what Xandros has done; but if they work for
>> you, I'm very interested in hearing your stories.
> -----
> samba / winbind
>
> if you need documentation
>
> www.samba.org  -> documentation, samba-3 howto
>
> Craig
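As an added example that is not part of Tarun's post or of the fedora-list thread: a small POSIX shell script that checks the hand edits described above before `net ads join` is run, i.e. that /etc/krb5.conf no longer carries the EXAMPLE.COM placeholders and names the intended default_realm, and that smb.conf has a single `password server` entry naming one host, `winbind use default domain = yes` and a `template homedir`. The sample smb.conf and krb5.conf contents are constructed here; the realm DOMAIN.COM and host dc.domain.com follow the placeholders in the post, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check the hand edits the post
# describes before "net ads join" is run. It checks that krb5.conf has lost
# its EXAMPLE.COM placeholders and names the right default_realm, and that
# smb.conf has one "password server" naming a single host, "winbind use
# default domain = yes" and a "template homedir". Sample files are constructed.

# Print the value(s) of key $2 in smb.conf-style file $1 (comments skipped,
# key matched case-insensitively; spell the key with its spaces).
smb_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ || index($0, "=") == 0 { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
          if (tolower(k) == tolower(key)) {
              v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v } }' "$1"
}

# 0 if no example.com placeholder survives in $1 and default_realm equals $2.
check_krb5_conf() {
    conf=$1; realm=$2; ok=0
    if grep -qi 'example\.com' "$conf"; then
        echo "krb5.conf: leftover placeholder(s):"; grep -ni 'example\.com' "$conf"; ok=1
    fi
    if ! awk -F= -v want="$realm" '$1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); if ($2 == want) found = 1 }
                                   END { exit found ? 0 : 1 }' "$conf"; then
        echo "krb5.conf: default_realm is not $realm"; ok=1
    fi
    return $ok
}

# 0 if smb.conf $1 has the settings the post describes.
check_smb_conf() {
    conf=$1; ok=0
    n=$(smb_value "$conf" "password server" | grep -c .)
    [ "$n" -eq 1 ] || { echo "smb.conf: expected one 'password server' line, found $n"; ok=1; }
    v=$(smb_value "$conf" "password server" | head -n 1)
    case $v in
        *" "*|*,*|'*') echo "smb.conf: password server should name only your ADS server, got '$v'"; ok=1 ;;
    esac
    [ "$(smb_value "$conf" "winbind use default domain" | tail -n 1)" = "yes" ] ||
        { echo "smb.conf: 'winbind use default domain' is not yes"; ok=1; }
    [ -n "$(smb_value "$conf" "template homedir")" ] ||
        { echo "smb.conf: no 'template homedir' (home dirs would be /home/DOMAIN/USER)"; ok=1; }
    return $ok
}

# --- constructed sample files; realm/host follow the post's placeholders ---
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
GOOD_SMB=$TMP/smb.good; BAD_SMB=$TMP/smb.bad; GOOD_KRB=$TMP/krb5.good; BAD_KRB=$TMP/krb5.bad
cat > "$GOOD_SMB" <<'EOF'
[global]
   realm = DOMAIN.COM
   password server = dc.domain.com
   winbind use default domain = yes
   template shell = /bin/bash
   template homedir = /home/%U
EOF
cat > "$BAD_SMB" <<'EOF'
[global]
   realm = DOMAIN.COM
   password server = *
   password server = dc.domain.com
   winbind use default domain = no
   template shell = /bin/bash
EOF
cat > "$GOOD_KRB" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.COM
[realms]
 DOMAIN.COM = {
  kdc = dc.domain.com:88
  admin_server = dc.domain.com:749
 }
EOF
cat > "$BAD_KRB" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
 }
EOF
for f in "$GOOD_KRB" "$BAD_KRB"; do check_krb5_conf "$f" DOMAIN.COM && echo "PASS $f" || echo "FAIL $f"; done
for f in "$GOOD_SMB" "$BAD_SMB"; do check_smb_conf "$f" && echo "PASS $f" || echo "FAIL $f"; done
```

To use it against a real box, call `check_krb5_conf /etc/krb5.conf YOUR.REALM` and `check_smb_conf /etc/samba/smb.conf` instead of the constructed files; each failing check prints the offending setting, which is cheaper to read than a failed `net ads join`. The smb.conf lookup only matches keys spelled with their spaces, which is how system-config-authentication and the Samba HOWTO write them.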

More information about the fedora-list mailing list