
RE: ADS authentication & Samba/Winbind

Here are the steps I used to configure the machines...Just in case I missed something. I wrote it up as a 'how to' for future reference, not knowing then that the 64-bit machine wasn't working.

I have re-verified every step on the 64-bit machines many times.
Requires logon as mydomain\username but here is what I've done so far

1. configure krb5.conf (Kerberos authen). FAQ suggested using numeric ip address, not dns name

default_realm = MYDOMAIN.com
dns_lookup_realm = false
dns_lookup_kdc = false


MYDOMAIN.com = {
kdc =
admin_server =

kdc =
kdc =

.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

2. stop services:

 service winbind stop
 service smb stop

 net ads join -U ads_administrator_name

This should give you feedback on what it finds t
These are the pertinent changes I made to smb.conf [run testparm to verify typing!]
'#' are my comments for this post, not in my file

      workgroup = mydomain                 #short domain name
      realm = MYDOMAIN.COM                 #kerberos realm see below should be caps
      server string = Test Server          #Description type field for server
      security = ads                       #I want Active Directory Service (security?)
      password server =                    #my PDC, BDC
      template primary group = mycompany   #pre-configured group I want as primary
      template homedir = /home/%U          # for use with pam_mkhomedir.so parent has to
                                           # exist. /home/%D/%U will create /home/mydomain/username
      template shell = /bin/bash           # shell I want them to start up
      winbind use default domain = yes     # this is supposed to keep you from having to log on
                                           # as mydomain\username but can just do username
                                           # not working for me yet....
      hosts allow = 192.168.2., 192.168.4., 127.   #not required but I want to control what subnets
                                                   #can log on

      [netlogon]   # I uncommented this section, not sure if it was necessary

3. Run testparm to make sure it likes the edited file. The FAQ says to restart the services but step 4 requires a reboot.

4. Add

session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077


session     required      /lib/security/$ISA/pam_limits.so

to the /etc/pam.d/system-auth file. skel=/etc/skel are default files that populate the directory

5. add

   wbinfo --set-auth-user myuser

It will prompt for the password, and it will echo on screen and be stored unencrypted.

6. Reboot and test

Red Hat FAQ
# 5851 (but change '= DOMAIN' to '= ads')
# 5787
# 5402
# 4760

might also want to read
# 918
Red Hat docs install guide 11.6 User authentication with PAM
# 6047
man page for smb.conf
# 5532
# 5492
# 5402
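
A consistency check for the krb5.conf and smb.conf settings listed in steps 1 and 2, added here as an example and not part of the original post. The function names, the KDC address and the sample files are assumptions; the sample is constructed and keeps the realm spellings shown in the post.

```python
import re

# Constructed sample input modelled on the post's settings; the KDC address is
# a documentation placeholder, not a value from the original message.
SAMPLE_KRB5 = """[libdefaults]
default_realm = MYDOMAIN.com
dns_lookup_kdc = false
[realms]
MYDOMAIN.COM = {
 kdc = 192.0.2.10
}
"""
SAMPLE_SMB = "[global]\nrealm = MYDOMAIN.COM\nsecurity = ads\n"

def parse(text):
    """Parse INI-like text into {section: [(key, value), ...]}, skipping comments."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):
            section = m.group(1).strip().lower()
            out.setdefault(section, [])
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            out[section].append((key, value))
    return out

def check_ads_config(krb5_text, smb_text):
    """Return a list of findings; an empty list means the two files agree."""
    krb5, smb = parse(krb5_text), parse(smb_text)
    lib, realms = dict(krb5.get("libdefaults", [])), krb5.get("realms", [])
    glob = {k.lower(): v for k, v in smb.get("global", [])}
    default, realm = lib.get("default_realm", ""), glob.get("realm", "")
    findings = []
    if glob.get("security", "").lower() != "ads":
        findings.append("smb.conf: security is not 'ads'")
    if realm != realm.upper() or default != default.upper():
        findings.append("realm name is not all upper case")
    if default != realm:  # Kerberos realm names are case-sensitive
        findings.append(f"default_realm {default!r} != smb.conf realm {realm!r}")
    if not any(k == default and v == "{" for k, v in realms):
        findings.append(f"default_realm {default!r} has no block in [realms]")
    if lib.get("dns_lookup_kdc") == "false" and not any(k == "kdc" and v for k, v in realms):
        findings.append("dns_lookup_kdc is false but [realms] sets no kdc address")
    return findings

for finding in check_ads_config(SAMPLE_KRB5, SAMPLE_SMB):
    print("FINDING:", finding)
```

To check a real host, pass the contents of /etc/krb5.conf and the smb.conf that testparm validates; inline '#' remarks like those in the post must not be present in the file.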
