AD logins

azeem ahmad azeem81 at msn.com
Fri May 11 06:11:01 UTC 2007




>From: "Marcelo Magno T. Sales" <marcelo.sales at sefaz.pe.gov.br>
>Reply-To: For users of Fedora <fedora-list at redhat.com>
>To: For users of Fedora <fedora-list at redhat.com>
>Subject: Re: AD logins
>Date: Thu, 10 May 2007 09:46:53 -0300
>
>On Thu 10 May 2007, azeem ahmad wrote:
> > Hi list,
> > I have a Windows 2000 Active Directory domain environment, and now I have
> > a few Fedora Core 4 workstations. I want them to authenticate user logins
> > from Windows Active Directory.
> >
> > What I think is one possible way of doing this is to configure Samba
> > with Winbind. Am I right?
>
>Yes, this is one possible solution.
>
>1. Verify in your /etc/hosts that there is a localhost entry for IPv4. I've
>found that in several of my FC6 installations there was only IPv6 localhost
>information here, despite my having disabled IPv6 during installation. If
>IPv4 localhost information is not present in /etc/hosts, you won't be able
>to authenticate against AD.
>
>2. Set up the ntpd service so that it keeps the time of your workstation
>synchronized with some domain controller of your AD domain. If time is not
>synchronized, you won't be able to authenticate against AD. Check this first
>if authentication fails after you finish the procedures listed here. The
>winbind service has to be (re)started after the time is synchronized.
>
>3. Run system-config-authentication and:
>
>3.1. Check winbind, kerberos (optional, but recommended) and smb in the
>first two tabs.
>
>3.2. In winbind configuration, fill in the following:
>Winbind domain: the NetBIOS name of your AD domain (the short name), in
>capital letters.
>Security model: ads
>Winbind ADS Realm: the fully qualified domain name of your AD domain (in
>capital letters)
>Domain Controllers: the addresses or names (if your workstation can resolve
>them) of your nearest domain controllers, in a comma separated list.
>Template Shell: /usr/bin/bash
>
>3.3. In Kerberos configuration, fill in the following:
>Realm: the fully qualified domain
>KDCs: the addresses or names (if your workstation can resolve them) of your
>nearest domain controllers, in a comma separated list.
>Admin servers: leave blank or fill in the same as in KDCs, above.
>
>3.4. Check the checkbox "Use DNS to find the hosts for the realms"
>The other checkbox should be checked if you have your DCs all in the same
>site, or unchecked otherwise. Whatever you choose to do with this checkbox,
>this will not break your configuration, but it may slow down the
>authentication process.
>
>3.5. In the Options tab, check "Use shadow passwords", "Use MD5 passwords"
>and "Local authorization is sufficient for local users".
>
>4. If you want home directories to be created automatically for AD users
>when they log in (recommended), edit /etc/pam.d/system-auth-ac and add the
>following line at the end of the file (the module takes its mask as
>umask=MASK, a single token):
>session	required	/lib/security/pam_mkhomedir.so	skel=/etc/skel	umask=007
>
>5. Edit /etc/krb5.conf and add / update the following:
>[libdefaults]
>clockskew = 300
>default_realm = YOURDOMAIN.COM
>
>[domain_realm]
>.yourdomain.com = YOURDOMAIN.COM
>yourdomain.com = YOURDOMAIN.COM
>
>6. Edit /etc/samba/smb.conf and add / update the following:
>[global]
>wins server = the IP addresses of your WINS servers (if you have them) in a
>blank space separated list. If you don't use WINS, comment out this line.
>winbind enum users = yes
>winbind enum groups = yes
>template homedir = /home/%U
>winbind use default domain = yes
>
>7. Setup smb and winbind daemons so that they start automatically when the
>machine is booted:
>chkconfig --level 35 winbind on
>chkconfig --level 35 smb on
>
>8. Reboot the system
>
>9. Join the AD domain. You'll need an AD account with enough rights to do
>that. Run the following command:
>net ads join -U <username>
>The account you use in the above command must have permission to create
>computer objects in the Computers container of your AD domain. If it does
>not, create the computer object beforehand in the desired OU using AD Users
>and Computers.
>
>That's all.
>
>[]'s
>Marcelo
>

Thanks, Mr. Marcelo.
I have done it and it's working now. But one problem still exists: I am
unable to automatically create users' home directories, because I am unable
to find any such file as you mentioned, "/etc/pam.d/system-auth-ac".

Can you guide me a bit more?

Regards
Azeem
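The checklist Marcelo posted is a repeatable procedure, and the two places it most often goes wrong (a missing IPv4 localhost entry and clock skew) are easy to test before touching winbind. The script below is an added example written for this page; it is not code from the thread, from Samba or from authconfig. Function names, the temp-file usage and the sample inputs are the editor's own. It assumes the option syntax `umask=MASK` for pam_mkhomedir, that `net time -S <dc>` prints the domain controller's clock (parsed here with GNU `date -d`), and that `dns_lookup_kdc = true` is what step 3.4's "Use DNS to find the hosts for the realms" checkbox writes. It takes file paths as parameters so each helper can be tried on a copy before the real files in /etc are modified.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for steps 1, 2, 4, 5 and 6 of
# the winbind/AD checklist. Every path is a parameter so the functions can be
# exercised on copies; nothing here writes to /etc unless you pass /etc paths.

# Step 1: an /etc/hosts-style file must map 127.0.0.1 to "localhost".
# Exit status 0 if an uncommented IPv4 localhost entry exists, 1 otherwise.
has_ipv4_localhost() {
    grep -E '^[[:space:]]*127\.0\.0\.1[[:space:]]+([^#]*[[:space:]])?localhost([[:space:]]|$)' "$1" >/dev/null 2>&1
}

# Step 2: Kerberos refuses tickets when clocks differ by more than the
# clockskew from krb5.conf (300 s below). Compare two epoch timestamps, e.g.
#   skew_ok "$(date +%s)" "$(date -d "$(net time -S dc1)" +%s)"   # GNU date
skew_ok() {
    local_t=$1; dc_t=$2; limit=${3:-300}
    diff=$((local_t - dc_t))
    [ "$diff" -lt 0 ] && diff=$((-diff))
    [ "$diff" -le "$limit" ]
}

# Step 4: authconfig-managed systems keep the stack in system-auth-ac; older
# ones only have system-auth. Print whichever exists in the given directory.
pam_target() {
    if [ -f "$1/system-auth-ac" ]; then printf '%s\n' "$1/system-auth-ac"
    elif [ -f "$1/system-auth" ]; then printf '%s\n' "$1/system-auth"
    else return 1; fi
}

# Append the pam_mkhomedir session line exactly once. umask=0077 keeps a new
# home directory private to its owner (the thread's 007 would grant the
# user's primary AD group, usually Domain Users, full access).
ensure_mkhomedir() {
    f=$1
    grep -q 'pam_mkhomedir\.so' "$f" && return 0
    printf 'session\trequired\tpam_mkhomedir.so skel=/etc/skel umask=0077\n' >> "$f"
}

# Step 5: krb5.conf fragment. Realm names are upper-case, DNS names lower-case.
krb5_fragment() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    dom=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
 clockskew = 300
 default_realm = $realm
 dns_lookup_kdc = true

[domain_realm]
 .$dom = $realm
 $dom = $realm
EOF
}

# Step 6: smb.conf [global] fragment from NetBIOS domain, realm and DC list.
# "password server" is what the GUI's "Domain Controllers" field sets.
smb_global_fragment() {
    wg=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[global]
 workgroup = $wg
 realm = $realm
 security = ads
 password server = $3
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 template homedir = /home/%U
 template shell = /bin/bash
EOF
}
```

Typical use on the workstation itself: `has_ipv4_localhost /etc/hosts || echo "add 127.0.0.1 localhost"`, the `skew_ok` line from the comment against your nearest DC, then `ensure_mkhomedir "$(pam_target /etc/pam.d)"`, which answers the "no such file" problem by falling back to /etc/pam.d/system-auth where system-auth-ac does not exist. The fragments are printed rather than written so they can be reviewed and merged into the existing files; the template shell is /bin/bash, the path bash actually lives at on Fedora Core.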
