Windows Domain auth for Linux boxes
Tarun Reddy
treddy at tarun.homeip.net
Fri May 28 19:47:38 UTC 2004
I agree with Craig.
I'm using FC2 against Windows 2003 active directory servers very
successfully (well, minus one part).
However, note that system-config-authentication is woefully
broken/incomplete when it comes to winbind configuration.
But here are my general steps using FC2.
Install FC2 with "Windows File Sharing"
during firstboot, skip over creating an account
run system-config-authentication
click enable Winbind support
click the configure button
fill in:
winbind domain: <DOMAIN> (no .com/.org/etc here)
Security model: ads
winbind ads realm: <DOMAIN.COM>
winbind domain controllers: dc.domain.com (I put in my primary ADS
server)
Template shell: (your choice)
now as root edit /etc/krb5.conf
You'll see where the system-config-authentication has not replaced
anything correctly here.
You need to change EXAMPLE.COM -> DOMAIN.COM and .example.com to
.domain.com as needed
Also change kerberos.example.com to your ads server and admin_server
to your ads server.
Now open /etc/samba/smb.conf
search for password server. You'll notice two entries here. You should
only have your ads server here.
I've added, below the template shell line,
template homedir = /home/%U
so I don't have to have /home/DOMAIN/USER as the location for my home
directory.
I also changed winbind use default domain to yes so that users can
log in as USER instead of DOMAIN+USER.
The final step is to add the machine to the domain
as root
net ads join -w DOMAIN -S ADSSERVER.DOMAIN.COM -U Administrator
/etc/rc.d/init.d/winbind restart
/etc/rc.d/init.d/sshd restart
(or, even safer, reboot)
You will have to add the users' home directories by hand before they can log in,
and that's the final piece I'm trying to solve. Samba's add user script
doesn't work for me.
Hope this helps,
Tarun
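As an added example (not part of Tarun's post, and not a Fedora or Samba tool), here is a small POSIX sh script that checks the two files the post tells you to hand-edit. It flags the stock EXAMPLE.COM / kerberos.example.com placeholders that system-config-authentication leaves in /etc/krb5.conf, counts the "password server" entries in smb.conf so only your ADS server remains, confirms "winbind use default domain = yes", and then rewrites copies of both files the way the post describes. The config snippets it creates are constructed samples written to a temp directory; the realm DOMAIN.COM and the KDC host dc.domain.com are the post's own placeholders, so substitute your values when running it against the real files.

```shell
#!/bin/sh
# Added example: sanity-check and fix the krb5.conf / smb.conf leftovers
# described in the post. Sample files below are constructed, not real configs.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed krb5.conf as system-config-authentication tends to leave it.
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
EOF

# Constructed smb.conf [global] with the duplicated "password server" entry.
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
 workgroup = DOMAIN
 realm = DOMAIN.COM
 security = ads
 password server = dc.domain.com
 password server = *
 template shell = /bin/bash
 template homedir = /home/%U
 winbind use default domain = yes
EOF

# Number of lines still carrying the stock example.com placeholder.
count_placeholders() {
    grep -ic 'example\.com' "$1" 2>/dev/null || true
}

# Number of "password server" entries; the post says there should be one.
count_password_servers() {
    grep -ic '^[[:space:]]*password server[[:space:]]*=' "$1" 2>/dev/null || true
}

# Value of an smb.conf key (first occurrence), e.g. smb_value file 'realm'.
smb_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Report every problem found; returns 0 only when all three checks pass.
check_configs() {
    rc=0
    [ "$(count_placeholders "$1")" -eq 0 ] \
        || { echo "krb5.conf: stock example.com placeholders remain"; rc=1; }
    [ "$(count_password_servers "$2")" -eq 1 ] \
        || { echo "smb.conf: expected exactly one 'password server' entry"; rc=1; }
    [ "$(smb_value "$2" 'winbind use default domain')" = "yes" ] \
        || { echo "smb.conf: 'winbind use default domain' is not yes"; rc=1; }
    return $rc
}

# Rewrite placeholders: $1 input, $2 output, $3 REALM (upper case), $4 KDC host.
# The kerberos.example.com host is replaced first so the later, broader
# substitutions do not mangle it.
fix_krb5() {
    realm_lc=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    sed -e "s/kerberos\.example\.com/$4/g" \
        -e "s/EXAMPLE\.COM/$3/g" \
        -e "s/example\.com/$realm_lc/g" "$1" > "$2"
}

# Keep only the "password server" line whose value is the ADS server $3.
fix_smb_password_server() {
    awk -v keep="$3" '
        /^[[:space:]]*password server[[:space:]]*=/ {
            val = $0
            sub(/^[[:space:]]*password server[[:space:]]*=[[:space:]]*/, "", val)
            if (val != keep) next
        }
        { print }' "$1" > "$2"
}

echo "== checking stock files =="
check_configs "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/smb.conf" \
    || echo "(failures above are expected before the edits)"

fix_krb5 "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/krb5.fixed" DOMAIN.COM dc.domain.com
fix_smb_password_server "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/smb.fixed" dc.domain.com

echo "== checking fixed files =="
check_configs "$SAMPLE_DIR/krb5.fixed" "$SAMPLE_DIR/smb.fixed" && echo "all checks passed"
```

Point the functions at /etc/krb5.conf and /etc/samba/smb.conf (writing the fixed copies elsewhere and diffing them first) to run the same checks on a real box before the net ads join step.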
On May 28, 2004, at 12:21 PM, Craig White wrote:
> On Fri, 2004-05-28 at 10:40, Matt Morgan wrote:
>> Has anybody done this on their system with more open tools? Or another
>> option seems to be maintaining an NIS server that somehow replicates
>> accounts with the AD servers, so that NIS handles Linux login, while AD
>> handles only Windows--anybody tried that? Or if anybody else has come up
>> with other solutions to this or similar problems, please write in. We
>> have looked at all the PAM options--kerberos, LDAP, etc.--and none of
>> them look quite as good as what Xandros has done; but if they work for
>> you, I'm very interested in hearing your stories.
> -----
> samba / winbind
>
> if you need documentation
>
> www.samba.org -> documentation, samba-3 howto
>
> Craig