BOSWELL'S Q&A: Hat Trick

A few months ago, I wrote a column in REDMOND magazine about using Active Directory to authenticate Linux users. I regularly get requests for help on this and additional information on getting the configuration files put together correctly. (To read the original column, go to

So, here's a quick checklist that I use to configure Fedora Core 3 clients to authenticate with an Active Directory domain using winbind. In this example, the domain name is Company.com with a flat name of COMPANY. The Active Directory domain controller name is W2K3-DC1. The Linux host name is fc3. The Linux client has SELinux and iptables enabled and running. Following the checklist, I've included a list of the configuration files.

  1. At the Linux machine, log in as root and verify that the winbind service is running:

    /etc/init.d/winbind status
  2. Verify that the system time and time zone at the Linux machine match the system time and time zone at the Windows Server 2003 domain controller. To simplify this, specify the domain controller as the Network Time Protocol server for the Linux machine.
  3. Verify that the configuration file entries match the listings shown at the end of this column.
  4. Launch system-config-network and edit the settings for the active Ethernet interface. Verify that the host name is a fully qualified DNS name that includes the DNS suffix of the Active Directory domain; for example, fc3.company.com.
  5. If you do not use DHCP, or if the DNS servers in the DHCP scope do not point at a DNS server that is authoritative for the zone containing the Active Directory records, then uncheck the "Obtain DNS Information from DHCP" option and, in the DNS tab, set the HostName to match the Host Name in eth0 and set the DNS Search Path to company.com.
  6. Save changes then deactivate and reactivate eth0.
  7. Test the DNS settings by pinging the AD domain controller by its host name with no suffix. The TCP/IP stack should append the domain suffix and the ping should succeed.
  8. Under /home, verify that you have a folder that matches the flat name of the Active Directory domain in all capital letters; for example, COMPANY.
  9. Verify that the permissions on the COMPANY folder will allow users to create home directories. You can modify the permissions using Nautilus or chmod as follows:
    chmod 755 /home/COMPANY
  10. Use Active Directory Users and Computers to verify that a computer account exists for the Linux machine. If not, in a terminal window at the Linux machine, use this command to join the domain:
    net ads join -U administrator
  11. Restart the Linux machine. This ensures that the services start with their new configurations.
  12. At the gdm login prompt, enter windows domain credentials with domain\username format:
    company\user1
  13. A home directory should be created and the user should be logged on successfully.

Here's a consolidated list of the files that need entries so that winbind authentication will work:

nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files
aliases: files nisplus


smb.conf

[global]
realm = COMPANY.COM
workgroup = COMPANY
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
security = ads
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
password server = w2k3-dc1.company.com


system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_mkhomedir.so


gdm (PAM configuration file)

#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077


login (PAM configuration file)

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so multiple
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
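As an added example (not part of the column), here is a small POSIX shell script that statically checks the three things from the checklist that are easiest to get wrong: that nsswitch.conf lists winbind for passwd, shadow and group, that the PAM service file has a pam_winbind auth entry and a pam_mkhomedir session entry, and that the per-domain home directory parent has mode 755. The sample files it writes to a temp directory are constructed for offline testing; the file paths you pass on the command line are assumptions.

```shell
#!/bin/sh
# Added example, not from the column. Usage (paths are assumptions):
#   sh check_winbind_conf.sh /etc/nsswitch.conf /etc/pam.d/system-auth

# check_nsswitch FILE: returns 0 if passwd, shadow and group each list winbind.
check_nsswitch() {
    missing=""
    for db in passwd shadow group; do
        # matches e.g. "passwd:     files winbind"; a commented-out line does not count
        grep -Eq "^[[:space:]]*${db}:([[:space:]]+[^[:space:]#]+)*[[:space:]]+winbind([[:space:]]|$)" "$1" \
            || missing="$missing $db"
    done
    [ -z "$missing" ] || { echo "nsswitch: winbind missing for:$missing" >&2; return 1; }
}

# check_pam FILE: returns 0 if the auth stack calls pam_winbind.so and the session
# stack calls pam_mkhomedir.so (without it the first domain login has no home directory).
check_pam() {
    rc=0
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$1" \
        || { echo "pam: no auth entry for pam_winbind.so" >&2; rc=1; }
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1" \
        || { echo "pam: no session entry for pam_mkhomedir.so" >&2; rc=1; }
    return $rc
}

# check_homedir_parent DIR: returns 0 if DIR exists with mode 755, as in step 9,
# so pam_mkhomedir can create /home/COMPANY/user1 and the user can traverse into it.
check_homedir_parent() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "755" ] || { echo "$1: mode $mode, expected 755" >&2; return 1; }
}

# Constructed sample files (not real system files) so the checks can be run offline.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'passwd:     files winbind\nshadow:     files winbind\ngroup:      files winbind\nhosts:      files dns\n' > "$TMP/nss_good"
printf 'passwd:     files\nshadow:     files\ngroup:      files winbind\n' > "$TMP/nss_bad"
printf 'auth sufficient pam_unix.so likeauth nullok\nauth sufficient pam_winbind.so use_first_pass\nsession optional pam_mkhomedir.so\n' > "$TMP/pam_good"
printf 'auth sufficient pam_unix.so likeauth nullok\nsession required pam_unix.so\n' > "$TMP/pam_bad"
mkdir -p "$TMP/COMPANY" && chmod 755 "$TMP/COMPANY"

# When given the two real paths, report on them; otherwise only the samples above exist.
if [ $# -eq 2 ]; then
    check_nsswitch "$1" && check_pam "$2" && echo "winbind entries present in both files"
fi
```

These checks only confirm the files say what the column's listings say; the join itself is confirmed on the live system with wbinfo -t (secret with the domain controller) and getent passwd user1 (winbind resolving a domain user through nsswitch).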

Hope this helps!
--Bill Boswell