AD logins

azeem ahmad azeem81 at msn.com
Sat May 12 04:21:37 UTC 2007




>From: "Marcelo Magno T. Sales" <marcelo.sales at sefaz.pe.gov.br>
>Reply-To: For users of Fedora <fedora-list at redhat.com>
>To: For users of Fedora <fedora-list at redhat.com>
>Subject: Re: AD logins
>Date: Fri, 11 May 2007 10:44:21 -0300
>
>On Fri 11 May 2007, azeem ahmad wrote:
> > >From: "Marcelo Magno T. Sales" <marcelo.sales at sefaz.pe.gov.br>
> > >Reply-To: For users of Fedora <fedora-list at redhat.com>
> > >To: For users of Fedora <fedora-list at redhat.com>
> > >Subject: Re: AD logins
> > >Date: Thu, 10 May 2007 09:46:53 -0300
> > >
> > >On Thu 10 May 2007, azeem ahmad wrote:
> > > > hi list
> > > > I have a Windows 2000 Active Directory domain environment, and now I
> > > > got a few Fedora Core 4 workstations. I want them to authenticate user
> > > > logins from Windows Active Directory.
> > > >
> > > > What I think is one possible way of doing this is to configure Samba
> > > > with Winbind. Am I right???
> > >
> > >Yes, this is one possible solution.
> > >
> > >1. Verify in your /etc/hosts if there is localhost configuration for
> > >IPv4. I've found that in several of my FC6 installations, there was only
> > >IPv6 localhost information there, despite my having disabled IPv6 during
> > >installation. If IPv4 localhost information is not present in /etc/hosts,
> > >you won't be able to authenticate against AD.
> > >
> > >2. Set up the ntpd service so that it keeps the time of your workstation
> > >synchronized with some domain controller of your AD domain. If time is
> > >not synchronized, you won't be able to authenticate against AD. Check this
> > >first if authentication fails after you finish the procedures listed here.
> > >The winbind service has to be (re)started after the time is synchronized.
> > >
> > >3. Run system-config-authentication and:
> > >
> > >3.1. Check winbind, kerberos (optional, but recommended) and smb in the
> > >first two tabs.
> > >
> > >3.2. In winbind configuration, fill in the following:
> > >Winbind domain: the NetBIOS name of your AD domain (the short name), in
> > >capital letters.
> > >Security model: ads
> > >Winbind ADS Realm: the fully qualified domain name of your AD domain (in
> > >capital letters)
> > >Domain Controllers: the addresses or names (if your workstation can
> > >resolve them) of your nearest domain controllers, in a comma separated
> > >list.
> > >Template Shell: /usr/bin/bash
> > >
> > >3.3. In Kerberos configuration, fill in the following:
> > >Realm: the fully qualified domain
> > >KDCs: the addresses or names (if your workstation can resolve them) of
> > > your nearest domain controllers, in a comma separated list.
> > >Admin servers: leave blank or fill in the same as in KDCs, above.
> > >
> > >3.4. Check the checkbox "Use DNS to find the hosts for the realms".
> > >The other checkbox should be checked if you have your DCs all in the
> > >same site, or unchecked otherwise. Whatever you choose to do with this
> > >checkbox, it will not break your configuration, but it may slow down the
> > >authentication process.
> > >
> > >3.5. In the Options tab, check "Use shadows passwords", "Use MD5
> > > passwords" and "Local authorization is sufficient for local users".
> > >
> > >4. If you want home directories to be created automatically for AD
> > >users when they log in (recommended), edit /etc/pam.d/system-auth-ac and
> > >add the following line at the end of the file:
> > >session	required	/lib/security/pam_mkhomedir.so	skel=/etc/skel	umask=007
> > >
> > >5. Edit /etc/krb5.conf and add / update the following:
> > >[libdefaults]
> > >clockskew = 300
> > >default_realm = YOURDOMAIN.COM
> > >
> > >[domain_realm]
> > >.yourdomain.com = YOURDOMAIN.COM
> > >yourdomain.com = YOURDOMAIN.COM
> > >
> > >6. Edit /etc/samba/smb.conf and add / update the following:
> > >[global]
> > >wins server = the IP addresses of your WINS servers (if you have them)
> > >in a blank space separated list. If you don't use WINS, comment out this
> > >line.
> > >winbind enum users = yes
> > >winbind enum groups = yes
> > >template homedir = /home/%U
> > >winbind use default domain = yes
> > >
> > >7. Set up the smb and winbind daemons so that they start automatically
> > >when the machine is booted:
> > >chkconfig --level 35 winbind on
> > >chkconfig --level 35 smb on
> > >
> > >8. Reboot the system
> > >
> > >9. Join the AD domain. You'll need an AD account with enough rights to
> > >do that. Run the following command:
> > >net ads join -U <username>
> > >The account you use in the above command must have permission to create
> > >computer objects in the Computers container of your AD domain. If it
> > >does not, create the computer object beforehand in the desired OU using
> > >AD Users and Computers.
> > >
> > >That's all.
> > >
> > >[]'s
> > >Marcelo
> >
> > Thanks Mr. Marcelo,
> > I have done it and it's working now, but one problem still exists, and
> > that is I am unable to automatically create users' home directories. It is
> > because I am unable to find any such file as you mention,
> > "/etc/pam.d/system-auth-ac".
> >
> > Can you guide me a bit more?
>
>Should be there... What files do you have in /etc/pam.d?
>
>[]'s
>Marcelo
>
Yes Mr. Marcelo, there was a file named system-auth instead.
I made the same entry in that file and it's working now.

I'm grateful for all your help.
Regards
Azeem
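The recipe quoted above, turned into shell functions as an added example (this is not code from the thread, nor from Fedora or Samba). Everything named in it is a placeholder: the EXAMPLE / example.com domain, dc1.example.com, the 10.0.0.5 WINS address, and the hosts and PAM file paths are passed in so the checks can run against a copy. It writes the "Domain Controllers" entry as the password server key, which is what authconfig emits for that field, uses /bin/bash because that is where bash lives on Fedora Core 4, and writes pam_mkhomedir's option as umask=0077: the module takes umask=VALUE, and 007 would leave every new home directory group-writable.

```shell
#!/bin/sh
# Added example, not code from the thread: the AD/winbind recipe as functions.
# Placeholders: EXAMPLE / example.com / dc1.example.com / 10.0.0.5 are made up.
# Source the file and call the functions, or run it with the argument "demo".

# Kerberos realms are upper-case and DNS names lower-case; normalise input.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Step 1: the hosts file must map 127.0.0.1 to the bare name "localhost".
# A file that only carries the ::1 line (the FC6 case in the post) fails.
has_ipv4_localhost() {
    grep -E '^[[:space:]]*127\.0\.0\.1[[:space:]]+(.*[[:space:]])?localhost([[:space:]]|$)' \
        "${1:-/etc/hosts}" >/dev/null 2>&1
}

# Step 2 / step 5: the KDC rejects requests whose timestamp is off by more
# than clockskew (300 s). Compare two epoch timestamps; get the DC's clock
# with "net time -S <dc>" (or "ntpdate -q <dc>", which prints the offset).
# Returns 0 when the difference is within the limit.
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "${3:-300}" ]
}

# Step 5: the [libdefaults]/[domain_realm] additions for /etc/krb5.conf.
krb5_fragment() {
    domain=$(lower "$1"); realm=$(upper "$1")
    cat <<EOF
[libdefaults]
    clockskew = 300
    default_realm = $realm

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Steps 3.2 and 6: the [global] additions for /etc/samba/smb.conf.
# Args: NetBIOS domain, DNS domain, comma-separated DCs, optional WINS
# servers (space separated). "password server" is the key authconfig writes
# for the "Domain Controllers" field; /bin/bash is the shell path on FC4.
smb_fragment() {
    cat <<EOF
[global]
    workgroup = $(upper "$1")
    realm = $(upper "$2")
    security = ads
    password server = $3
    template shell = /bin/bash
    template homedir = /home/%U
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
EOF
    if [ -n "${4:-}" ]; then printf '    wins server = %s\n' "$4"; fi
}

# Step 4: append the pam_mkhomedir session line exactly once. The option is
# "umask=", not "umask <value>"; 0077 keeps a new home private to its owner.
# authconfig rewrites the file it manages (system-auth on FC4, system-auth-ac
# on FC6), so this has to be rerun after any system-config-authentication run.
ensure_mkhomedir() {
    if ! grep -q 'pam_mkhomedir' "$1"; then
        printf 'session\trequired\tpam_mkhomedir.so\tskel=/etc/skel\tumask=0077\n' >> "$1"
    fi
}

# Offline pre-flight check; the join itself ("net ads join -U <user>", then
# "net ads testjoin" and "wbinfo -u" to verify) still needs the DCs reachable.
preflight() {
    has_ipv4_localhost "${1:-/etc/hosts}" || { echo "no IPv4 localhost entry"; return 1; }
    echo "hosts file ok"
}

demo() {
    krb5_fragment example.com
    echo
    smb_fragment EXAMPLE example.com 'dc1.example.com,dc2.example.com' '10.0.0.5'
}

if [ "${1:-}" = demo ]; then demo; fi
```

Two caveats before running the join: the account given to net ads join only needs the right to create computer objects (or a pre-created object in the target OU), so a delegated account is enough and a Domain Admin credential should not be typed on a workstation for this; and winbind enum users = yes is only needed by tools that list every account (getent passwd), not by logins, and it can be slow in a large domain.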
