[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: ADS authenentication & Samba/Winbind



Here are the steps I used to configure the machines...Just in case I missed something. I'm wrote it uip as a 'how to' for future reference, not knowing then that the 64-bit machine wasn't working.

I have re-verified every step on the 64-bit machines many times
Requres logon as mydomain\username but here is what I've done so far

1. configure kbr5.conf (kerbose authen). FAQ suggested using numeric ip address, not dns name

[libdefaults]
default_realm = MYDOMAIN.com
dns_lookup_realm = false
dns_lookup_kdc = false


[realms]

MYDOMAIN.com = {
kdc = 192.168.2.6:88
admin_server = 192.168.2.6:749
}

MYDOMAIN.COM = {
kdc = 192.168.2.6
kdc = 192.168.2.7
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM



2. stop services:

 service winbind stop
 service smb stop

 net ads join -U ads_administrator_name

This should give you feedback on what it finds t
There are the pertinent changes I made to smb.conf [run testparm to verify typing!]
'#' are my comments for this post, not in my file

[global]
      workgroup = mydomain                 #short domain name
realm = MYDOMAIN.COM #kerbos realm see below should be caps server string = Test Server #Description type field for server security = ads #I want Active Directory Service (security?)
      password server = 192.168.2.6 192.168.2.7 #my PDC, BDC
template primary group = mycompany #pre-configured group I want as primary template homedir = /home/%U # for use with pam_mkhomedirso parent has to # exist. /home/%D/%U will create /home/mydomain/username
      template shell = /bin/bash         # shell I want them to start up
winbind use default domain = yes # this is supposed to keep you from having to log on as # as mydomain\username but can just do username
       # not working for me yet....
hosts allow = 192.168.2., 192.168.4., 127. #not required but I want to controll what subnets
                                                      #can log on

     [netlogon] # I uncommented this section, not sure if it wasnecessary


3. Run testparm to make sure it likes the edited file. The FAQ says to restart the services but step 4 requires
 a reboot

4. Add

session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077

 above

session     required      /lib/security/$ISA/pam_limits.so

to the /etc/pam.d/system-auth file. skel=/etc/skel are default files that populate the directory

5. add

   wbinfo --set-auth-user myuser

it will prompt to the the password and it will echo on screen and be stored unencrypted.

6. Reboot and test

Sources:
Red hat FAQ
# 5851 (but change '= DOMAIN' to '= ads'
# 5787
# 5402
# 4760

might also want to read
# 918
Redhat docs install guide 11.6 User authentication with PAM
# 6047
man page for smb.conf
# 5532
# 5492
# 5402




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]