[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Windows Domain auth for Linux boxes

I agree with Craig.

I'm using FC2 against Windows 2003 active directory servers very successfully (well, minus one part).

However, note that system-config-authentication is woefully broken/incomplete when it comes to winbind configuration.

But here are my general steps using FC2.

Install FC2 with "Windows File Sharing"
during firstboot, skip over creating an account
run system-config-authentication
click enable Winbind support
click the configure button
fill in:
winbind domain: <DOMAIN>  (no .com/.org/etc here)
Security model: ads
winbind ads realm: <DOMAIN.COM>
winbind domain controllers: dc.domain.com (I put in my primary ADS server)
Template shell: (your choice)

now as root edit /etc/krb5.conf
You'll see where the system-config-authentication has not replaced anything correctly here.

You need to change EXAMPLE.COM -> DOMAIN.COM and .example.com to .domain.com as needed. Also change kerberos.example.com to your ads server and admin_server to your ads server.

Now open /etc/samba/smb.conf
search for password server. You'll notice two entries here. You should only have your ads server here.

I've added below template shell line
template homedir = /home/%U

so I don't have to have /home/DOMAIN/USER as the location for my home directory.

I also changed winbind use default domain to yes so that users can log in as USER instead of DOMAIN+USER.

The final step is to add the machine to the domain

as root
net ads join -w DOMAIN -S ADSSERVER.DOMAIN.COM -U Administrator

/etc/rc.d/init.d/winbind restart
/etc/rc.d/init.d/sshd restart
(or even safer reboot)

You will have to add the users' homedirs by hand before they can log in, and that's the final piece I'm trying to solve. Samba's add user script doesn't work for me.

Hope this helps,

On May 28, 2004, at 12:21 PM, Craig White wrote:

On Fri, 2004-05-28 at 10:40, Matt Morgan wrote:
Has anybody done this on their system with more open tools? Or another
option seems to be maintaining an NIS server that somehow replicates
accounts with the AD servers, so that NIS handles Linux login, while AD handles only Windows--anybody tried that? Or if anybody else has come up
with other solutions to this or similar problems, please write in. We
have looked at all the PAM options--kerberos, LDAP, etc.--and none of
them look quite as good as what Xandros has done; but if they work for
you, I'm very interested in hearing your stories.
samba / winbind

if you need documentation

www.samba.org  -> documentation, samba-3 howto
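The script below is an added example from the editor, not code from the original post or from Samba. It turns the checks described in the post above into something runnable: a small audit of smb.conf for the settings the post says must be right (security = ads, a realm, a short workgroup name, a single password server line, winbind use default domain = yes), a check that krb5.conf no longer carries the stock EXAMPLE.COM placeholders, and the join sequence with two verification commands (net ads testjoin and wbinfo -t) that the post does not list. DOMAIN, DOMAIN.COM and dc.domain.com are the post's placeholders; the four config files it writes to a temporary directory are constructed samples, not files captured from a real FC2 box.

```shell
#!/bin/sh
# Added example (editor's own, not from the post): audit smb.conf / krb5.conf
# for the winbind+ADS pitfalls described above, then join and verify.
# DOMAIN, DOMAIN.COM and dc.domain.com are the post's placeholders.

# Value of a parameter as Samba reads it: names are compared ignoring case
# and whitespace, and when a parameter appears twice the last one wins.
smb_param() {  # smb_param FILE PARAM
    awk -F= -v key="$2" '
        BEGIN { gsub(/[[:space:]]/, "", key) }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*\[/ || NF < 2 { next }
        {
            k = $1; gsub(/[[:space:]]/, "", k)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# How many lines set PARAM; two 'password server' lines is exactly the
# leftover the post found after running system-config-authentication.
smb_param_count() {  # smb_param_count FILE PARAM
    awk -F= -v key="$2" '
        BEGIN { gsub(/[[:space:]]/, "", key) }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*\[/ || NF < 2 { next }
        { k = $1; gsub(/[[:space:]]/, "", k); if (tolower(k) == tolower(key)) n++ }
        END { print n + 0 }' "$1"
}

# Prints one finding per line; prints nothing when the file matches the post.
audit_smb_conf() {  # audit_smb_conf FILE
    f=$1
    [ "$(smb_param "$f" security | tr 'A-Z' 'a-z')" = ads ] ||
        echo "security must be 'ads' for an Active Directory join"
    [ -n "$(smb_param "$f" realm)" ] ||
        echo "realm (the Kerberos realm, e.g. DOMAIN.COM) is not set"
    case "$(smb_param "$f" workgroup)" in
        *.*) echo "workgroup must be the short domain name, without .com/.org" ;;
    esac
    [ "$(smb_param_count "$f" 'password server')" -le 1 ] ||
        echo "more than one 'password server' line; keep only the ADS server"
    case "$(smb_param "$f" 'winbind use default domain' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "winbind use default domain is not yes; logins must be DOMAIN+USER" ;;
    esac
    return 0
}

# The stock krb5.conf is an EXAMPLE.COM template; anything still pointing at
# example.com means the tool did not rewrite the file, as the post warns.
krb5_has_placeholders() {  # krb5_has_placeholders FILE
    grep -qi 'example\.com' "$1"
}

# Real join, to be run as root on the box (not executed by this script).
# 'net ads testjoin' and 'wbinfo -t' verify the machine account secret;
# getent only resolves domain users once /etc/nsswitch.conf lists winbind
# on its passwd and group lines, which the tool is assumed to have added.
join_and_verify() {  # join_and_verify DOMAIN DC_FQDN SOME_DOMAIN_USER
    net ads join -w "$1" -S "$2" -U Administrator || return 1
    /etc/rc.d/init.d/winbind restart
    net ads testjoin && wbinfo -t && getent passwd "$3"
}

# Constructed samples: roughly what the tool leaves behind, and the fixed form.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
GENERATED=$TMP/smb.conf.generated; FIXED=$TMP/smb.conf.fixed
KRB5_GENERATED=$TMP/krb5.conf.generated; KRB5_FIXED=$TMP/krb5.conf.fixed
cat > "$GENERATED" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ads
   realm = DOMAIN.COM
   password server = *
   password server = dc.domain.com
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   winbind use default domain = false
EOF
cat > "$FIXED" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ads
   realm = DOMAIN.COM
   password server = dc.domain.com
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   template homedir = /home/%U
   winbind use default domain = yes
EOF
printf '[libdefaults]\n default_realm = EXAMPLE.COM\n[realms]\n EXAMPLE.COM = {\n  kdc = kerberos.example.com:88\n  admin_server = kerberos.example.com:749\n }\n[domain_realm]\n .example.com = EXAMPLE.COM\n' > "$KRB5_GENERATED"
printf '[libdefaults]\n default_realm = DOMAIN.COM\n[realms]\n DOMAIN.COM = {\n  kdc = dc.domain.com:88\n  admin_server = dc.domain.com:749\n }\n[domain_realm]\n .domain.com = DOMAIN.COM\n' > "$KRB5_FIXED"

echo "== generated smb.conf"; audit_smb_conf "$GENERATED"
echo "== fixed smb.conf";     audit_smb_conf "$FIXED"
krb5_has_placeholders "$KRB5_GENERATED" && echo "generated krb5.conf still has EXAMPLE.COM placeholders"
krb5_has_placeholders "$KRB5_FIXED" || echo "fixed krb5.conf has no placeholders"
```

Two practitioner caveats the post's settings imply. With winbind use default domain = yes, unqualified names are looked up through nsswitch in order, so a domain account whose name matches an entry in /etc/passwd is shadowed by the local account (and the reverse confusion applies to sudoers and file ownership); keep root and other local accounts distinct from any domain user name. And the join only needs an account with the right to add computers to the domain, so a delegated join account is preferable to typing the Administrator password on every box.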

