ADS authentication & Samba/Winbind

Buddy Jennings buddyj at msn.com
Tue Oct 31 22:48:47 UTC 2006


Here are the steps I used to configure the machines... just in case I missed 
something. I wrote it up as a 'how to' for future reference, not knowing 
then that the 64-bit machine wasn't working.

I have re-verified every step on the 64-bit machines many times. 
It requires logon as mydomain\username, but here is what I've done so far.

1. Configure krb5.conf (Kerberos authentication). The FAQ suggested using numeric IP 
addresses, not DNS names.

[libdefaults]
# Realm names are case-sensitive: "MYDOMAIN.com" and "MYDOMAIN.COM" would be
# two different realms. Use one upper-case realm here, and use exactly the same
# string for "realm =" in smb.conf.
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
# One stanza for the realm, listing both domain controllers as KDCs.
MYDOMAIN.COM = {
kdc = 192.168.2.6:88
kdc = 192.168.2.7:88
admin_server = 192.168.2.6:749
}

[domain_realm]
# Map the DNS domain (and all hosts under it) onto the Kerberos realm.
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM



2. Stop the services:

  service winbind stop
  service smb stop

  net ads join -U ads_administrator_name

This should give you feedback on what it finds.
These are the pertinent changes I made to smb.conf [run testparm to verify 
typing!].
'#' are my comments for this post, not in my file.

[global]
       workgroup = mydomain                       # short domain name
       realm = MYDOMAIN.COM                       # Kerberos realm, see below; should be caps
       server string = Test Server                # description-type field for the server
       security = ads                             # I want Active Directory Service (security?)
       password server = 192.168.2.6 192.168.2.7  # my PDC, BDC
       template primary group = mycompany         # pre-configured group I want as primary
       template homedir = /home/%U                # for use with pam_mkhomedir, so the parent has to
                                                  # exist. /home/%D/%U will create /home/mydomain/username
       template shell = /bin/bash                 # shell I want them to start up
       winbind use default domain = yes           # this is supposed to keep you from having to log on
                                                  # as mydomain\username, but can just do username
                                                  # not working for me yet....
       hosts allow = 192.168.2., 192.168.4., 127. # not required, but I want to control what subnets
                                                  # can log on

[netlogon]                                        # I uncommented this section, not sure if it was necessary


3. Run testparm to make sure it likes the edited file. The FAQ says to 
restart the services, but step 4 requires a reboot.

4. Add

session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel 
umask=077

  above

session     required      /lib/security/$ISA/pam_limits.so

to the /etc/pam.d/system-auth file. skel=/etc/skel are the default files that 
populate the directory.

5. Run

    wbinfo --set-auth-user myuser

   It will prompt for the password, which will echo on screen and be 
stored unencrypted.

6. Reboot and test

Sources:
Red Hat FAQ
  #5851 (but change '= DOMAIN' to '= ads')
  #5787
  #5402
  #4760

Might also want to read:
  #918
Red Hat docs, install guide 11.6, User authentication with PAM
  #6047
man page for smb.conf
  #5532
  #5492
  #5402
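The steps above hinge on krb5.conf and smb.conf naming the same Kerberos realm, and Kerberos realm names are case-sensitive. The following script is an added example, not part of the original post and not Samba or Red Hat tooling: it pulls "default_realm" out of a krb5.conf and "realm" out of an smb.conf, and refuses the pair unless they match exactly, are upper case, and krb5.conf has a [realms] stanza for that realm. The two sample krb5.conf files and the sample smb.conf are constructed for the example (the 192.168.2.x addresses and MYDOMAIN.COM are placeholders); the "bad" pair reproduces a MYDOMAIN.com / MYDOMAIN.COM mismatch, the "good" pair is consistent.

```bash
#!/bin/bash
# Added example: cross-check the Kerberos realm in krb5.conf against the
# realm in smb.conf before running "net ads join". Realm names are
# case-sensitive, so "MYDOMAIN.com" and "MYDOMAIN.COM" are different realms,
# and Samba expects the realm in upper case.

# conf_value FILE KEY -> prints the first value of "KEY = value" in FILE,
# ignoring surrounding whitespace and any '#' or ';' comment on the line.
conf_value() {
    sed -n -e 's/[#;].*$//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
      | head -n 1 | sed -e 's/[[:space:]]*$//'
}

# check_realm_consistency KRB5_CONF SMB_CONF -> returns 0 if both files name
# the same upper-case realm and krb5.conf has a [realms] stanza for it,
# 1 otherwise (with the reason on stderr).
check_realm_consistency() {
    local krb_realm smb_realm
    krb_realm=$(conf_value "$1" default_realm)
    smb_realm=$(conf_value "$2" realm)
    if [ -z "$krb_realm" ] || [ -z "$smb_realm" ]; then
        echo "missing realm: krb5.conf='$krb_realm' smb.conf='$smb_realm'" >&2
        return 1
    fi
    if [ "$krb_realm" != "$smb_realm" ]; then
        echo "realm mismatch: krb5.conf '$krb_realm' vs smb.conf '$smb_realm'" >&2
        return 1
    fi
    if [ "$krb_realm" != "$(printf '%s' "$krb_realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$krb_realm' is not upper case" >&2
        return 1
    fi
    # The [realms] section must define exactly that realm ("REALM = {").
    if ! grep -q "^[[:space:]]*${krb_realm}[[:space:]]*=[[:space:]]*{" "$1"; then
        echo "no [realms] stanza for '$krb_realm' in $1" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs for this example (placeholder realm and IPs).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/krb5-bad.conf" <<'EOF'
[libdefaults]
  default_realm = MYDOMAIN.com
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  MYDOMAIN.com = {
    kdc = 192.168.2.6:88
  }
  MYDOMAIN.COM = {
    kdc = 192.168.2.6
  }
EOF
cat > "$WORK/krb5-good.conf" <<'EOF'
[libdefaults]
  default_realm = MYDOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  MYDOMAIN.COM = {
    kdc = 192.168.2.6:88
    kdc = 192.168.2.7:88
    admin_server = 192.168.2.6:749
  }
EOF
cat > "$WORK/smb.conf" <<'EOF'
[global]
  workgroup = MYDOMAIN
  realm = MYDOMAIN.COM      # must match krb5.conf default_realm exactly
  security = ads
EOF

if check_realm_consistency "$WORK/krb5-bad.conf" "$WORK/smb.conf"; then
    echo "bad config unexpectedly passed"
else
    echo "bad config rejected (as expected)"
fi
if check_realm_consistency "$WORK/krb5-good.conf" "$WORK/smb.conf"; then
    echo "good config accepted"
fi
```

To use it against a real box, call check_realm_consistency /etc/krb5.conf /etc/samba/smb.conf before net ads join; a non-zero exit with "realm mismatch" or "not upper case" is the kind of quiet misconfiguration that otherwise only shows up as a failed join or a failed winbind logon.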
