azeem81 at msn.com
Fri May 11 06:11:01 UTC 2007
>From: "Marcelo Magno T. Sales" <marcelo.sales at sefaz.pe.gov.br>
>Reply-To: For users of Fedora <fedora-list at redhat.com>
>To: For users of Fedora <fedora-list at redhat.com>
>Subject: Re: AD logins
>Date: Thu, 10 May 2007 09:46:53 -0300
>On Thu 10 May 2007, azeem ahmad wrote:
> > Hi list,
> > I have a Windows 2000 Active Directory domain environment, and now I have got
> > a few Fedora Core 4 workstations. I want them to authenticate user logins
> > from Windows Active Directory.
> > What I think is that one possible way of doing this is to configure Samba
> > Winbind. Am I right?
>Yes, this is one possible solution.
>1. Verify in your /etc/hosts if there is localhost configuration for IPv4.
>I've found that in several of my FC6 installations, there was only IPv6
>localhost information here, despite I had disabled IPv6 during
>If IPv4 localhost information is not present in /etc/hosts, you won't be
>to authenticate against AD.
>2. Set up the ntpd service so that it keeps the time of your workstation
>synchronized with some domain controller of your AD domain. If time is not
>synchronized, you won't be able to authenticate against AD. Check this
>if authentication fails after you finish the procedures listed here. The
>winbind service has to be (re)started after the time is synchronized.
>3. Run system-config-authentication and:
>3.1. check winbind, kerberos (optional, but recommended) and smb in the
>3.2. In winbind configuration, fill in the following:
>Winbind domain: the NetBIOS name of your AD domain (the short name), in
>Security model: ads
>Winbind ADS Realm: the fully qualified domain name of your AD domain (in
>Domain Controllers: the addresses or names (if your workstation can resolve
>them) of your nearest domain controllers, in a comma separated list.
>Template Shell: /usr/bin/bash
>3.3. In Kerberos configuration, fill in the following:
>Realm: the fully qualified domain
>KDCs: the addresses or names (if your workstation can resolve them) of your
>nearest domain controllers, in a comma separated list.
>Admin servers: leave blank or fill in the same as in KDCs, above.
>3.4. Check the checkbox "Use DNS to find the hosts for the realms"
>The other checkbox should be checked if you have your DCs all in the same
>site, or unchecked otherwise. Whatever you choose to do with this checkbox,
>this will not break your configuration, but it may slow down the
>3.5. In the Options tab, check "Use shadows passwords", "Use MD5 passwords"
>and "Local authorization is sufficient for local users".
>4. If you want home directories to be created automatically for AD users
>they log in (recommended), edit /etc/pam.d/system-auth-ac and add the
>following line at the end of the file:
>session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=007
>5. Edit /etc/krb5.conf and add / update the following:
>clockskew = 300
>default_realm = YOURDOMAIN.COM
>.yourdomain.com = YOURDOMAIN.COM
>yourdomain.com = YOURDOMAIN.COM
>6. Edit /etc/samba/smb.conf and add / update the following:
>wins server = the IP addresses of your WINS servers (if you have them) in a
>blank space separated list. If you don't use WINS, comment out this line.
>winbind enum users = yes
>winbind enum groups = yes
>template homedir = /home/%U
>winbind use default domain = yes
>7. Set up smb and winbind daemons so that they start automatically when the
>machine is booted:
>chkconfig --level 35 winbind on
>chkconfig --level 35 smb on
>8. Reboot the system
>9. Join the AD domain. You'll need an AD account with enough rights to do
>that. Run the following command:
>net ads join -U <username>
>The account you use in the above command must have permission to create
>computer objects in the Computers container of your AD domain. If it does
>not, create the computer object previously in the desired OU using AD Users
Thanks, Mr. Marcelo.
I have done it and it's working now, but one problem still exists: I am
unable to automatically create users' home directories. It is because I am
unable to find any such file as you mentioned, "/etc/pam.d/system-auth-ac".
Can you guide me a bit more?
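
Added example (not part of the original thread): a shell preflight for steps 1 and 4 of the quoted procedure, which also covers the case raised in the reply where /etc/pam.d/system-auth-ac does not exist. Falling back to /etc/pam.d/system-auth is an assumption, and the function names and the sample tree are constructed for illustration.

```shell
# Added example: offline checks for steps 1 and 4 of the quoted procedure.
# The /etc directory is a parameter so copies of the files can be checked.

# Step 1: succeed only if FILE maps an IPv4 loopback address to "localhost".
has_ipv4_localhost() {
    awk '$1 ~ /^127\./ { for (i = 2; i <= NF; i++) {
             if ($i ~ /^#/) break
             if ($i == "localhost") found = 1 } }
         END { exit !found }' "$1"
}

# Step 4: print the PAM stack file to edit. Assumption: when system-auth-ac
# does not exist, the stack is the plain system-auth file.
find_pam_stack() {
    for name in system-auth-ac system-auth; do
        if [ -f "$1/$name" ]; then printf '%s\n' "$1/$name"; return 0; fi
    done
    return 1
}

# Step 4: succeed if FILE has an uncommented session line for pam_mkhomedir.so.
has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_mkhomedir\.so' "$1"
}

# Run both checks against an /etc tree; return 1 if any check fails.
preflight() {
    etc=${1:-/etc}; rc=0
    has_ipv4_localhost "$etc/hosts" ||
        { echo "FAIL: no IPv4 localhost entry in $etc/hosts"; rc=1; }
    if stack=$(find_pam_stack "$etc/pam.d"); then
        has_mkhomedir "$stack" ||
            { echo "FAIL: no pam_mkhomedir session line in $stack"; rc=1; }
    else
        echo "FAIL: no system-auth stack under $etc/pam.d"; rc=1
    fi
    return $rc
}

# Constructed sample tree: IPv6-only hosts file, PAM stack named system-auth.
make_sample() {
    mkdir -p "$1/pam.d"
    printf '::1 localhost localhost.localdomain\n' > "$1/hosts"
    printf 'session required pam_unix.so\n' > "$1/pam.d/system-auth"
}

demo=$(mktemp -d); make_sample "$demo"
preflight "$demo" || echo "sample tree is not ready for AD logins"
rm -rf "$demo"
```

Running `preflight` with no argument checks the live /etc; it only reads files and changes nothing.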