AD logins

Marcelo Magno T. Sales marcelo.sales at sefaz.pe.gov.br
Fri May 11 13:44:21 UTC 2007


On Fri 11 May 2007, azeem ahmad wrote:
> >From: "Marcelo Magno T. Sales" <marcelo.sales at sefaz.pe.gov.br>
> >Reply-To: For users of Fedora <fedora-list at redhat.com>
> >To: For users of Fedora <fedora-list at redhat.com>
> >Subject: Re: AD logins
> >Date: Thu, 10 May 2007 09:46:53 -0300
> >
> >On Thu 10 May 2007, azeem ahmad wrote:
> > > Hi list,
> > > I have a Windows 2000 Active Directory domain environment, and now I
> > > got a few Fedora Core 4 workstations. I want them to authenticate user
> > > logins from Windows Active Directory.
> > >
> > > What I think is one possible way of doing this is to configure Samba
> > > with Winbind. Am I right?
> >
> >Yes, this is one possible solution.
> >
> >1. Verify in your /etc/hosts if there is localhost configuration for IPv4.
> >I've found that in several of my FC6 installations, there was only IPv6
> >localhost information here, despite having disabled IPv6 during
> >installation. If IPv4 localhost information is not present in /etc/hosts,
> >you won't be able to authenticate against AD.
> >
> >2. Setup the ntpd service so that it keeps the time of your workstation
> >synchronized with some domain controller of your AD domain. If time is not
> >synchronized, you won't be able to authenticate against AD. Check this
> >first if authentication fails after you finish the procedures listed here.
> >The winbind service has to be (re)started after the time is synchronized.
> >
> >3. Run system-config-authentication and:
> >
> >3.1. Check winbind, kerberos (optional, but recommended) and smb in the
> >first two tabs.
> >
> >3.2. In winbind configuration, fill in the following:
> >Winbind domain: the NetBIOS name of your AD domain (the short name), in
> >capital letters.
> >Security model: ads
> >Winbind ADS Realm: the fully qualified domain name of your AD domain (in
> >capital letters)
> >Domain Controllers: the addresses or names (if your workstation can
> >resolve them) of your nearest domain controllers, in a comma separated
> >list.
> >Template Shell: /usr/bin/bash
> >
> >3.3. In Kerberos configuration, fill in the following:
> >Realm: the fully qualified domain
> >KDCs: the addresses or names (if your workstation can resolve them) of
> > your nearest domain controllers, in a comma separated list.
> >Admin servers: leave blank or fill in the same as in KDCs, above.
> >
> >3.4. Check the checkbox "Use DNS to find the hosts for the realms".
> >The other checkbox should be checked if you have your DCs all in the same
> >site, or unchecked otherwise. Whatever you choose to do with this
> >checkbox, it will not break your configuration, but it may slow down the
> >authentication process.
> >
> >3.5. In the Options tab, check "Use shadow passwords", "Use MD5
> >passwords" and "Local authorization is sufficient for local users".
> >
> >4. If you want home directories to be created automatically for AD users
> >when they log in (recommended), edit /etc/pam.d/system-auth-ac and add the
> >following line at the end of the file (pam_mkhomedir takes its options in
> >the key=value form):
> >session	required	/lib/security/pam_mkhomedir.so	skel=/etc/skel	umask=007
> >
> >5. Edit /etc/krb5.conf and add / update the following:
> >[libdefaults]
> >clockskew = 300
> >default_realm = YOURDOMAIN.COM
> >
> >[domain_realm]
> >.yourdomain.com = YOURDOMAIN.COM
> >yourdomain.com = YOURDOMAIN.COM
> >
> >6. Edit /etc/samba/smb.conf and add / update the following:
> >[global]
> >wins server = the IP addresses of your WINS servers (if you have them) in
> >a blank space separated list. If you don't use WINS, comment out this
> >line.
> >winbind enum users = yes
> >winbind enum groups = yes
> >template homedir = /home/%U
> >winbind use default domain = yes
> >
> >7. Setup smb and winbind daemons so that they start automatically when the
> >machine is booted:
> >chkconfig --level 35 winbind on
> >chkconfig --level 35 smb on
> >
> >8. Reboot the system
> >
> >9. Join the AD domain. You'll need an AD account with enough rights to do
> >that. Run the following command:
> >net ads join -U <username>
> >The account you use in the above command must have permission to create
> >computer objects in the Computers container of your AD domain. If it does
> >not, create the computer object previously in the desired OU using AD
> > Users and Computers.
> >
> >That's all.
> >
> >[]'s
> >Marcelo
>
> Thanks, Mr. Marcelo.
> I have done it and it's working now. But one problem still exists, and that
> is that I am unable to automatically create users' home directories. It is
> because I am unable to find any such file as you mentioned,
> "/etc/pam.d/system-auth-ac".
>
> Can you guide me a bit more?

Should be there... What files do you have in /etc/pam.d?

[]'s
Marcelo
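As an added example (not part of the original thread and not Marcelo's own script), the POSIX shell below turns the pre-flight checks behind steps 1, 2 and 4 and the configuration fragments of steps 5 and 6 into functions that run against constructed sample files, so the checks can be exercised before touching a real workstation. The realm, domain and DC names and the sample files are hypothetical; the fallback from system-auth-ac to system-auth is an assumption drawn from the follow-up question, and the [realms] section is what the step 3.3 KDC list ends up as in krb5.conf.

```shell
#!/bin/sh
# Added example, not from the original thread: offline pre-flight checks and
# config rendering for the winbind/Kerberos AD-login procedure above.
# Every function takes its inputs as arguments, so it can run against the
# constructed sample files in demo() without touching the real system.
# Realm/domain names, DC names and the sample files are hypothetical.

# Step 1: /etc/hosts needs an IPv4 loopback line naming "localhost"
# (an IPv6-only "::1 localhost6" line is not enough). Comment lines are ignored.
has_ipv4_localhost() {
    grep -Eq '^[[:space:]]*127\.0\.0\.1([[:space:]]+[^[:space:]]+)*[[:space:]]+localhost([[:space:]]|$)' "$1"
}

# Step 2 / step 5: Kerberos rejects tickets when the client clock differs from
# the KDC by more than clockskew (300 s in the procedure). Compare two epoch
# timestamps: $(date +%s) locally and a timestamp fetched from a DC.
# Usage: clock_skew_ok <local_epoch> <dc_epoch> [max_skew_seconds]
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "${3:-300}" ]
}

# Step 5: render the krb5.conf fragment. Realm names are case-sensitive and AD
# realms are upper case, so the realm is upper-cased and the [domain_realm]
# keys lower-cased. KDCs are a comma-separated list as in the step 3.3 dialog.
# Usage: krb5_fragment <realm> <kdc1,kdc2,...>
krb5_fragment() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    dom=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '[libdefaults]\nclockskew = 300\ndefault_realm = %s\n\n' "$realm"
    printf '[realms]\n%s = {\n' "$realm"
    printf '%s\n' "$2" | tr ',' '\n' | while read -r kdc; do
        printf '    kdc = %s\n' "$kdc"
    done
    printf '}\n\n[domain_realm]\n.%s = %s\n%s = %s\n' "$dom" "$realm" "$dom" "$realm"
}

# Step 6 (plus the security model and realm from step 3.2): render [global].
# WINS servers are optional extra arguments; none means no "wins server" line.
# Usage: smb_global <WORKGROUP> <realm> [wins_ip ...]
smb_global() {
    wg=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    shift 2
    printf '[global]\nworkgroup = %s\nrealm = %s\nsecurity = ads\n' "$wg" "$realm"
    if [ $# -gt 0 ]; then printf 'wins server = %s\n' "$*"; fi
    printf 'winbind enum users = yes\nwinbind enum groups = yes\n'
    printf 'template homedir = /home/%%U\nwinbind use default domain = yes\n'
}

# Step 4 and the follow-up question: newer authconfig writes system-auth-ac,
# while the release in the question may only have system-auth (assumption
# based on the thread). Print whichever exists, fail if neither does.
# Usage: pam_system_auth_file <pam.d directory>
pam_system_auth_file() {
    for f in "$1/system-auth-ac" "$1/system-auth"; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# True when the file already carries a pam_mkhomedir session line.
has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Constructed sample inputs: an IPv6-only hosts file, a correct one, and a
# pam.d directory that has system-auth but no system-auth-ac.
demo() {
    d=$(mktemp -d) || return 1
    printf '::1\tlocalhost6.localdomain6 localhost6\n' > "$d/hosts.v6only"
    printf '# constructed sample\n127.0.0.1 localhost.localdomain localhost\n::1 localhost6\n' > "$d/hosts.ok"
    mkdir "$d/pam.d"
    printf 'session\trequired\tpam_unix.so\n' > "$d/pam.d/system-auth"

    for h in hosts.v6only hosts.ok; do
        if has_ipv4_localhost "$d/$h"; then echo "$h: IPv4 localhost present"
        else echo "$h: IPv4 localhost MISSING, AD auth will fail"; fi
    done
    if clock_skew_ok 1178891061 1178891361; then echo "skew 300s: ok"; fi
    if ! clock_skew_ok 1178891061 1178891362; then echo "skew 301s: too large"; fi
    if f=$(pam_system_auth_file "$d/pam.d"); then
        if has_mkhomedir "$f"; then echo "$f: pam_mkhomedir present"
        else echo "$f: add the pam_mkhomedir session line"; fi
    fi
    krb5_fragment yourdomain.com dc1.yourdomain.com,dc2.yourdomain.com
    smb_global YOURDOMAIN yourdomain.com 10.0.0.5
    rm -rf "$d"
}
demo
```

Two practical notes on the PAM side. authconfig regenerates system-auth-ac each time system-config-authentication is run, so a hand-added pam_mkhomedir line there is lost on the next run; re-check with the function above after any GUI change. And with "winbind use default domain = yes", domain users log in without the DOMAIN\ prefix, so make sure no local account in /etc/passwd shares a name with a domain account, since "Local authorization is sufficient for local users" would then short-circuit the AD check for that name.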
