Friday, November 21, 2008

Redhat + Winbind = Yay

I've always known that Red Hat can use Active Directory for authentication and let Windows domain users log into Linux without a local account, but I had never actually set it up.

Based on a large amount of research and trial and error, I found from different sites the bits and pieces I needed to make it work properly. Unfortunately, I don't remember which sites I used to gather my information, so I can't credit anyone.



First, I needed to make changes in /etc/krb5.conf so I could join the Windows domain. The realm name is upper-case throughout, and the section that maps DNS names to the realm is [domain_realm] (singular): krb5 ignores section headers it does not recognise, so a misspelled header simply leaves the mapping absent and the library has to guess the realm.

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
MYDOMAIN.COM = {
 kdc = server.mydomain.com:88
 # admin_server is only consulted by kadmin/kpasswd; an AD DC answers kpasswd on 464, not 749
 admin_server = server.mydomain.com:749
 default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM



Next, I added the following to the [global] section of /etc/samba/smb.conf (idmap uid / idmap gid is the Samba 3.0 spelling shipped with RHEL 5; newer Samba expresses the same range as idmap config * : range):

# NetBIOS (short) domain name, not the DNS name
workgroup = MYDOMAIN
security = ads
realm = MYDOMAIN.COM
password server = server.mydomain.com
template homedir = /home/%U
template shell = /bin/bash
winbind nested groups = yes
# enumeration is only needed so getent can list every domain user and group; it is slow on large domains
winbind enum users = yes
winbind enum groups = yes
# unqualified names: a domain "bob" and a local "bob" collide, so lookup order (files before winbind) decides which wins
winbind use default domain = yes
# keep the range well above every local uid/gid so a domain SID can never map onto a local account
idmap uid = 100000-200000
idmap gid = 100000-200000
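
Before joining, the two files have to agree with each other. The script below is an added example, not code from the original post: it embeds the two fragments above as constructed sample text together with a made-up /etc/passwd, and cross-checks them with this example's own heuristics (not Samba's): a misspelled [domain_realm] header, a realm that is not upper-case or differs between the files, security other than ads, a DNS name where the NetBIOS workgroup belongs, and an idmap range that is empty or overlaps local ids. The "weak" smb.conf variant is also constructed, to show what a bad configuration looks like next to the posted one.

```python
"""Cross-check krb5.conf and smb.conf before running net ads join.

Added example, not from the original post. All sample text below is
constructed; the checks are this example's own heuristics, not Samba's.
"""
import configparser

KRB5_AS_POSTED = """\
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
MYDOMAIN.COM = {
 kdc = server.mydomain.com:88
 admin_server = server.mydomain.com:749
 default_domain = mydomain.com
}

[domain_realms]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
"""
KRB5_FIXED = KRB5_AS_POSTED.replace("[domain_realms]", "[domain_realm]")

SMB_AS_POSTED = """\
workgroup = MYDOMAIN
security = ads
realm = MYDOMAIN.COM
password server = server.mydomain.com
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
idmap uid = 100000-200000
idmap gid = 100000-200000
"""
# Weak variant (constructed): DNS name as workgroup, idmap range colliding with local uids.
SMB_WEAK = (SMB_AS_POSTED.replace("workgroup = MYDOMAIN", "workgroup = mydomain.com")
                         .replace("idmap uid = 100000-200000", "idmap uid = 500-600"))

# Constructed /etc/passwd: root, one system account, one ordinary local user.
PASSWD_SAMPLE = ("root:x:0:0:root:/root:/bin/bash\n"
                 "nobody:x:99:99:Nobody:/:/sbin/nologin\n"
                 "bob:x:500:500:Bob:/home/bob:/bin/bash\n")


def parse_krb5(text):
    """Tiny krb5.conf reader: {section: {key: value}}; each realm block under
    [realms] becomes a nested dict keyed by realm name."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            sections.setdefault(section, {})
        elif line.endswith("{"):                      # "REALM = {"
            realm = line[:-1].split("=")[0].strip()
            sections[section][realm] = {}
        elif line == "}":
            realm = None
        else:
            key, _, value = line.partition("=")
            target = sections[section][realm] if realm else sections[section]
            target[key.strip()] = value.strip()
    return sections


def parse_smb(text):
    """Read a [global]-only smb.conf fragment; interpolation off so %U survives."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string("[global]\n" + text)
    return dict(cp["global"])


def max_local_ids(passwd_text):
    """Highest uid and gid in /etc/passwd (the group file is ignored here)."""
    rows = [l.split(":") for l in passwd_text.splitlines() if l.count(":") >= 6]
    return max(int(r[2]) for r in rows), max(int(r[3]) for r in rows)


def lint(krb5_text, smb_text, passwd_text):
    """Return a list of findings; an empty list means the files agree."""
    findings, krb, smb = [], parse_krb5(krb5_text), parse_smb(smb_text)
    realm = krb.get("libdefaults", {}).get("default_realm", "")
    if "domain_realm" not in krb:
        findings.append("krb5.conf: no [domain_realm] section (sections: %s)" % ", ".join(sorted(krb)))
    if realm != realm.upper():
        findings.append("krb5.conf: default_realm %r is not upper-case" % realm)
    if realm not in krb.get("realms", {}):
        findings.append("krb5.conf: no [realms] block for %r" % realm)
    if smb.get("security") != "ads":
        findings.append("smb.conf: security must be 'ads' for a Kerberos join")
    if smb.get("realm") != realm:
        findings.append("smb.conf: realm %r != krb5 default_realm %r" % (smb.get("realm"), realm))
    workgroup = smb.get("workgroup", "")
    if "." in workgroup or len(workgroup) > 15:
        findings.append("smb.conf: workgroup %r must be the NetBIOS domain name" % workgroup)
    max_uid, max_gid = max_local_ids(passwd_text)
    for key, ceiling in (("idmap uid", max_uid), ("idmap gid", max_gid)):
        low, _, high = smb.get(key, "0-0").partition("-")
        low, high = int(low), int(high)
        if low >= high or low <= ceiling:
            findings.append("smb.conf: %s range %d-%d is empty or overlaps local ids (max %d)" % (key, low, high, ceiling))
    return findings


if __name__ == "__main__":
    for label, krb, smb in (("posted", KRB5_AS_POSTED, SMB_AS_POSTED), ("weak", KRB5_FIXED, SMB_WEAK)):
        for finding in lint(krb, smb, PASSWD_SAMPLE):
            print(label, "->", finding)
```

Run against the fragments as posted it reports only the [domain_realm] header; the fixed krb5.conf with the posted smb.conf is clean, and the weak variant trips the workgroup and idmap checks.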


Join the domain with: net ads join -U administrator
(Samba obtains a Kerberos ticket for the account you name and creates the computer object, so the box needs DNS for the DC and a clock within Kerberos' five-minute skew first. For domain users to resolve at all, /etc/nsswitch.conf must also list winbind after files for both passwd and group.)
Then, set up winbind to start automatically: chkconfig winbind on
Then, start winbind: service winbind start
Check the join before touching PAM: wbinfo -t verifies the machine account's trust secret, and wbinfo -u or getent passwd should list domain users.

Finally, I made /etc/pam.d/system-auth look like the stack below. The order matters: pam_unix runs first so local accounts (root included) are never sent to the domain controller, use_first_pass hands the same password to pam_winbind instead of prompting twice, and pam_deny at the end of the auth stack turns "nothing accepted it" into an explicit failure. In the account stack, the bracketed control on pam_winbind lets the module veto a disabled or expired domain account while ignoring local users it has never heard of. The password lines need use_authtok so that pam_unix and pam_winbind take the new password pam_cracklib already checked rather than prompting for an unchecked one (the option is use_authtok; the misspelling user_authtok is not recognised and is simply ignored). nullok allows local accounts with an empty password to log in and can be dropped:

auth              required         /lib/security/$ISA/pam_env.so
auth              sufficient       /lib/security/$ISA/pam_unix.so likeauth nullok
auth              sufficient       /lib/security/$ISA/pam_winbind.so use_first_pass
auth              required         /lib/security/$ISA/pam_deny.so

account           required         /lib/security/$ISA/pam_unix.so
account           sufficient       /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account           required         /lib/security/$ISA/pam_permit.so
account           [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so

password          requisite        /lib/security/$ISA/pam_cracklib.so retry=3
password          sufficient       /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password          sufficient       /lib/security/$ISA/pam_winbind.so use_authtok
password          required         /lib/security/$ISA/pam_deny.so

session           required         /lib/security/$ISA/pam_limits.so
session           required         /lib/security/$ISA/pam_unix.so
session           optional         /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077



After doing these things, I was able to ssh to my Red Hat workstation as a domain user. The home directory was created on first login by the pam_mkhomedir.so session line (umask=0077, so it is readable only by its owner).
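
To see why that ordering behaves as described, the script below replays the auth and account stacks through Linux-PAM's dispatch rules. It is an added example, not code from the original post: the keyword controls are expanded to the bracketed [value=action] form the way pam_dispatch.c does (ok records a result, bad records the first failure, done and die stop the stack, ignore leaves the verdict alone, and a stack in which no module set a verdict is denied); substacks and jump actions are not modelled. The return code each module produces in each scenario is a constructed assumption, not a measurement from a real host.

```python
"""Replay the system-auth stack above through Linux-PAM's control-flag rules.

Added example, not from the original post. Module return codes per scenario
are constructed assumptions; the dispatch rules follow pam_dispatch.c.
"""

SYSTEM_AUTH = """\
auth              required         /lib/security/$ISA/pam_env.so
auth              sufficient       /lib/security/$ISA/pam_unix.so likeauth nullok
auth              sufficient       /lib/security/$ISA/pam_winbind.so use_first_pass
auth              required         /lib/security/$ISA/pam_deny.so
account           required         /lib/security/$ISA/pam_unix.so
account           sufficient       /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account           required         /lib/security/$ISA/pam_permit.so
account           [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
"""

# Linux-PAM's expansion of the four keyword controls into [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_stack(text, phase):
    """Return [(action_table, module_basename)] for one phase (auth, account, ...)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != phase:
            continue
        if fields[1].startswith("["):                 # bracketed control, may contain spaces
            end = line.index("]")
            table = dict(kv.split("=", 1) for kv in line[line.index("[") + 1:end].split())
            module = line[end + 1:].split()[0]
        else:
            table, module = KEYWORDS[fields[1]], fields[2]
        entries.append((table, module.rsplit("/", 1)[-1]))   # drop /lib/security/$ISA/
    return entries


def evaluate(entries, outcomes):
    """Walk the stack like pam_dispatch; outcomes maps module basename -> return code."""
    impression, status = None, None            # None == _PAM_UNDEF: no verdict yet
    for table, module in entries:
        retval = outcomes[module]
        action = table.get(retval, table["default"])
        if action in ("ok", "done"):
            # a success only counts if nothing has failed so far
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":       # the first failure is the one reported
                impression, status = "negative", retval
            if action == "die":
                break
        # "ignore": the module's result does not touch the verdict
    return "perm_denied" if impression is None else status   # PAM_MUST_FAIL_CODE


def auth_result(local_ok, domain_ok):
    """auth phase: local_ok / domain_ok say whether pam_unix / pam_winbind accept the password."""
    return evaluate(parse_stack(SYSTEM_AUTH, "auth"), {
        "pam_env.so": "success",
        "pam_unix.so": "success" if local_ok else "auth_err",
        "pam_winbind.so": "success" if domain_ok else "auth_err",
        "pam_deny.so": "perm_denied",
    })


def account_result(uid, winbind):
    """account phase: uid drives pam_succeed_if; winbind is pam_winbind's own verdict.
    pam_unix is assumed to pass (assumption: nss_winbind users carry '*' and no shadow entry)."""
    return evaluate(parse_stack(SYSTEM_AUTH, "account"), {
        "pam_unix.so": "success",
        "pam_succeed_if.so": "success" if uid < 100 else "auth_err",
        "pam_permit.so": "success",
        "pam_winbind.so": winbind,
    })


if __name__ == "__main__":
    print("local user, good password  :", auth_result(True, False))
    print("domain user, good password :", auth_result(False, True))
    print("wrong password / unknown   :", auth_result(False, False))
    print("root, account phase        :", account_result(0, "user_unknown"))
    print("domain user, enabled       :", account_result(100000, "success"))
    print("domain user, disabled      :", account_result(100000, "acct_expired"))
    print("local non-system user      :", account_result(500, "user_unknown"))
```

The interesting rows are the last three: a domain account that winbind reports as expired is refused even though pam_permit is required and succeeded, because a recorded failure is never overwritten by a later success; a local user that winbind has never heard of is passed straight through by user_unknown=ignore; and root never reaches pam_winbind at all because pam_succeed_if is sufficient.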
