Marcelo Magno T. Sales
marcelo.sales at sefaz.pe.gov.br
Thu May 10 12:46:53 UTC 2007
On Thu 10 May 2007, azeem ahmad wrote:
> Hi list,
> I have a Windows 2000 Active Directory domain environment, and now I got a
> few Fedora Core 4 workstations. I want them to authenticate user logins
> from Windows Active Directory.
> What I think is one possible way of doing this is to configure Samba with
> Winbind. Am I right?
Yes, this is one possible solution.
1. Verify in your /etc/hosts whether there is a localhost entry for IPv4.
I've found that in several of my FC6 installations there was only IPv6
localhost information here, even though I had disabled IPv6 during installation.
If IPv4 localhost information is not present in /etc/hosts, you won't be able
to authenticate against AD.
2. Set up the ntpd service so that it keeps the time of your workstation
synchronized with some domain controller of your AD domain. If time is not
synchronized, you won't be able to authenticate against AD. Check this first
if authentication fails after you finish the procedures listed here. The
winbind service has to be (re)started after the time is synchronized.
3. Run system-config-authentication and:
3.1. Check winbind, kerberos (optional, but recommended) and smb in the first
3.2. In winbind configuration, fill in the following:
Winbind domain: the NetBIOS name of your AD domain (the short name), in
Security model: ads
Winbind ADS Realm: the fully qualified domain name of your AD domain (in
Domain Controllers: the addresses or names (if your workstation can resolve
them) of your nearest domain controllers, in a comma separated list.
Template Shell: /usr/bin/bash
3.3. In Kerberos configuration, fill in the following:
Realm: the fully qualified domain
KDCs: the addresses or names (if your workstation can resolve them) of your
nearest domain controllers, in a comma separated list.
Admin servers: leave blank or fill in the same as in KDCs, above.
3.4. Check the checkbox "Use DNS to find the hosts for the realms"
The other checkbox should be checked if you have your DCs all in the same
site, or unchecked otherwise. Whatever you choose to do with this checkbox,
this will not break your configuration, but it may slow down the
3.5. In the Options tab, check "Use shadow passwords", "Use MD5 passwords"
and "Local authorization is sufficient for local users".
4. If you want home directories to be created automatically for AD users when
they log in (recommended), edit /etc/pam.d/system-auth-ac and add the
following line at the end of the file:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask 007
5. Edit /etc/krb5.conf and add / update the following (the first setting
belongs in the [libdefaults] section, the last two in [domain_realm]):
[libdefaults]
clockskew = 300
default_realm = YOURDOMAIN.COM
[domain_realm]
.yourdomain.com = YOURDOMAIN.COM
yourdomain.com = YOURDOMAIN.COM
6. Edit /etc/samba/smb.conf and add / update the following:
wins server = the IP addresses of your WINS servers (if you have them), in a
space-separated list. If you don't use WINS, comment out this line.
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
winbind use default domain = yes
7. Set up the smb and winbind daemons so that they start automatically when the
machine is booted:
chkconfig --level 35 winbind on
chkconfig --level 35 smb on
8. Reboot the system
9. Join the AD domain. You'll need an AD account with enough rights to do
that. Run the following command:
net ads join -U <username>
The account you use in the above command must have permission to create
computer objects in the Computers container of your AD domain. If it does
not, create the computer object beforehand in the desired OU using AD Users
More information about the users
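A shell pre-flight script for the checks this reply recommends (the IPv4 localhost entry from step 1, the clock skew from steps 2 and 5, the smb.conf settings from step 6, and the post-join verification), added here as an example and not part of the original message; it assumes ntpdate and wbinfo are installed, and the helper names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the winbind/AD setup described in the post (added
# example, not from the post). Each function takes its input as an argument
# or on stdin, so it runs against constructed files as well as the live system.

# Step 1: /etc/hosts must carry an IPv4 loopback entry that names "localhost".
# Usage: has_ipv4_localhost /etc/hosts
has_ipv4_localhost() {
    awk '$1 == "127.0.0.1" { for (i = 2; i <= NF; i++) {
                                 if ($i ~ /^#/) break
                                 if ($i == "localhost") ok = 1 } }
         END { exit !ok }' "$1"
}

# Steps 2 and 5: Kerberos refuses tickets when the clock differs from the KDC
# by more than clockskew (300 s above). Pipe "ntpdate -q <dc>" output, which
# contains "... offset <seconds>, delay ...", into ntpdate_offset.
ntpdate_offset() {
    sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -n 1
}
# Usage: skew_ok OFFSET [LIMIT]; succeeds when |OFFSET| <= LIMIT (default 300).
skew_ok() {
    awk -v off="$1" -v lim="${2:-300}" 'BEGIN {
        if (off == "") exit 1
        if (off < 0) off = -off
        exit !(off <= lim) }'
}

# Step 6: read one [global] parameter from smb.conf (comments and other
# sections are skipped). Usage: smb_global /etc/samba/smb.conf "security"
smb_global() {
    awk -F'=' -v key="$2" '
        /^[[:space:]]*\[/ { sect = tolower($0); sub(/^[ \t]*\[[ \t]*/, "", sect); sub(/[ \t]*].*$/, "", sect); next }
        sect == "global" && !/^[[:space:]]*[#;]/ && NF >= 2 {
            k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit } }' "$1"
}

# Live check on the workstation after step 9 (assumes ntpdate and wbinfo are
# installed): the prerequisites above, then the domain trust secret.
preflight() {   # $1 = a domain controller name or address
    has_ipv4_localhost /etc/hosts || { echo "no IPv4 localhost in /etc/hosts"; return 1; }
    off=$(ntpdate -q "$1" 2>/dev/null | ntpdate_offset)
    skew_ok "$off" || { echo "clock offset '${off:-unknown}' s vs $1 exceeds 300 s"; return 1; }
    [ "$(smb_global /etc/samba/smb.conf security)" = "ads" ] || { echo "security is not ads"; return 1; }
    wbinfo -t && getent passwd >/dev/null && echo "winbind trust and NSS lookups OK"
}
```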