Friday, November 21, 2008

Redhat + Winbind = Yay

I've always known that Red Hat can use Active Directory for authentication and allow Windows users to log into Linux without having a local account, but I had never actually set it up.

Based on a large amount of research and trial and error, I found from different sites the bits and pieces I needed to make it work properly. Unfortunately, I don't remember which sites I used to gather my information, so I can't credit anyone.

First, I needed to make changes in /etc/krb5.conf so I could join the Windows domain:

 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

 kdc =
 admin_server =
 default_domain =

[domain_realm]
 = MYDOMAIN.COM
 = MYDOMAIN.COM

Next, I added the following to /etc/samba/smb.conf:

workgroup = MYDOMAIN
security = ads
password server =
template homedir = /home/%U
template shell = /bin/bash
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 100000-200000
idmap gid = 100000-200000

Join the domain with: net ads join -U administrator
Then, set up winbind to start automatically: chkconfig winbind on
Then, start winbind: service winbind start

Finally, I made /etc/pam.d/system-auth look like:

auth              required         /lib/security/$ISA/
auth              sufficient       /lib/security/$ISA/ likeauth nullok
auth              sufficient       /lib/security/$ISA/ use_first_pass
auth              required         /lib/security/$ISA/

account           required         /lib/security/$ISA/
account           sufficient       /lib/security/$ISA/ uid < 100 quiet
account           required         /lib/security/$ISA/
account           [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/

password          requisite        /lib/security/$ISA/ retry=3
password          sufficient       /lib/security/$ISA/ nullok use_authtok md5 shadow
password          sufficient       /lib/security/$ISA/ use_authtok
password          required         /lib/security/$ISA/

session           required         /lib/security/$ISA/
session           required         /lib/security/$ISA/
session           optional         /lib/security/$ISA/ skel=/etc/skel umask=0077

After doing these things, I was able to ssh to my Red Hat workstation using a domain user. My user's home directory was automatically created when I logged in (due to the session line with skel=/etc/skel umask=0077 in the system-auth file).
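As an added example (not from the original post), here is a small Python audit that parses the smb.conf and system-auth settings shown above and flags the ones worth double-checking before letting domain users in: idmap ranges that overlap local account IDs, the name ambiguity that winbind use default domain introduces, nullok on the auth line, and the pam_mkhomedir umask. The PAM module names pam_unix.so and pam_mkhomedir.so are assumed, since the post does not show them.

```python
# Constructed input from the post's smb.conf and system-auth fragments; PAM module names assumed.
SMB_CONF = """
security = ads
winbind use default domain = yes
idmap uid = 100000-200000
idmap gid = 100000-200000
"""
SYSTEM_AUTH = """
auth     sufficient  pam_unix.so likeauth nullok
session  optional    pam_mkhomedir.so skel=/etc/skel umask=0077
"""

def parse_smb_conf(text):
    # 'key = value' lines -> dict; Samba ignores case and spacing in keys
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, _, value = line.partition("=")
            conf[" ".join(key.split()).lower()] = value.strip()
    return conf

def audit_smb_conf(conf, local_id_max=65534):
    # flag settings that blur the boundary between local and domain IDs
    findings = []
    if conf.get("security") != "ads":
        findings.append("security must be 'ads' for a Kerberos-joined domain member")
    for key in ("idmap uid", "idmap gid"):
        lo, hi = (int(x) for x in conf.get(key, "0-0").split("-"))
        if lo <= local_id_max:  # unset (0-0) or colliding with local accounts
            findings.append(f"{key} {lo}-{hi} is unset or overlaps local account IDs")
    if conf.get("winbind use default domain") == "yes":
        findings.append("use default domain = yes: a domain user named like a local account resolves to whichever NSS source comes first")
    return findings

def audit_system_auth(text):
    # flag PAM options that matter once domain users can log in
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mtype, module, opts = fields[0], fields[2], fields[3:]
        if mtype == "auth" and "nullok" in opts:
            findings.append(f"{module}: nullok accepts accounts with an empty password")
        if module.startswith("pam_mkhomedir"):
            umask = dict(o.split("=", 1) for o in opts if "=" in o).get("umask")
            if umask != "0077":
                findings.append(f"{module}: umask={umask}, use 0077 so new home dirs are private")
    return findings
```

Run it against the real /etc/samba/smb.conf and /etc/pam.d/system-auth after the join, and pair it with wbinfo -t and getent passwd to confirm the trust and the ID mapping actually resolve.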