Boswell's Q&A
Hat Trick
Some extra help in using Active Directory to authenticate users on Linux desktops.
- By Bill Boswell
- 05/17/2005
A few months ago, I wrote a column in REDMOND magazine about using Active Directory to authenticate Linux users. I regularly get requests for help on this and additional information on getting the configuration files put together correctly. (To read the original column, click here.)
So, here's a quick checklist that I use to configure Fedora Core 3 clients to authenticate with an Active Directory domain using winbind. In this example, the domain name is Company.com with a flat name of COMPANY. The Active Directory domain controller name is W2K3-DC1. The Linux host name is fc3. The Linux client has SELinux and iptables enabled and running. Following the checklist, I've included a list of the configuration files.
1. At the Linux machine, log in as root and verify that the winbind service is running:
>/etc/init.d/winbind status
2. Verify that the system time and time zone at the Linux machine match the system time and time zone at the Windows Server 2003 domain controller. To simplify this, specify the domain controller as the Network Time Protocol server for the Linux machine.
3. Verify that the configuration file entries match the listings shown at the end of this column.
4. Launch system-config-network and edit the settings for the active Ethernet interface.
Verify that the host name is a fully qualified DNS name that includes the DNS suffix of the
Active Directory domain; for example, fc3.company.com.
5. If you do not use DHCP, or if the DNS servers in the DHCP scope do not point at a DNS server that is authoritative for the zone containing the Active Directory records, then uncheck the "Obtain DNS Information from DHCP" option and, in the DNS tab, set the HostName to match the Host Name in eth0 and set the DNS Search Path to company.com.
6. Save changes then deactivate and reactivate eth0.
7. Test the DNS settings by pinging the AD domain controller by its host name with no
suffix. The TCP/IP stack should append the domain suffix and the ping should succeed.
8. Under /home, verify that you have a folder that matches the flat name of the Active Directory domain in all capital letters; for example, COMPANY.
9. Verify that the permissions on the COMPANY folder will allow users to create
home directories. You can modify the permissions using Nautilus or chmod as follows:
>chmod 755 /home/COMPANY
10. Use Active Directory Users and Computers to verify that a computer account
exists for the Linux machine. If not, in a terminal window at the Linux machine,
use this command to join the domain:
net ads join -U administrator
11. Restart the Linux machine. This ensures that the services start with their
new configurations.
12. At the gdm login prompt, enter Windows domain credentials in domain\username format:
company\user1
13. A home directory should be created and the user should be logged on successfully.
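As an added pre-flight script, not part of the column, the following turns the checks in steps 2, 3, 4, 8 and 9 into shell functions you can run before attempting the first logon. The file paths and the default domain company.com are assumptions taken from the example above, and the script only reads the live system when RUN_CHECKS=1 is set.

```shell
#!/bin/sh
# Pre-flight checks for the winbind checklist above (added example, not from the column).
# Each check is a function returning 0 on pass / 1 on fail so it can be pointed at
# any file path; run_all applies them to the live-system paths assumed below.

# Step 4: host name must carry the AD DNS suffix, e.g. fc3.company.com
fqdn_ok() {                       # $1 = host name, $2 = AD DNS domain
  case "$1" in *."$2") return 0 ;; *) return 1 ;; esac
}

# Step 2: Kerberos rejects tickets when clock skew exceeds 5 minutes (300 s)
time_skew_ok() {                  # $1 = Linux epoch secs, $2 = DC epoch secs
  d=$(( $1 - $2 )); d=${d#-}      # absolute difference
  [ "$d" -le "${3:-300}" ]
}

# Step 3: nsswitch.conf must send passwd/shadow/group lookups to winbind
nss_has_winbind() {               # $1 = nsswitch.conf path, $2 = database
  grep -E "^[[:space:]]*$2:" "$1" | grep -qw winbind
}

# Step 3: smb.conf must use security = ads with the expected realm
smb_ads_ok() {                    # $1 = smb.conf path, $2 = realm (upper case)
  grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$1" &&
  grep -Eq "^[[:space:]]*realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

# Steps 8-9: /home/<FLATNAME> must exist and be mode 755
home_dir_ok() {                   # $1 = directory path
  [ -d "$1" ] && [ "$(stat -c %a "$1")" = 755 ]
}

# Apply all checks to the live system; paths are Fedora Core 3 defaults (assumed).
run_all() {
  domain=${1:-company.com}
  realm=$(printf %s "$domain" | tr '[:lower:]' '[:upper:]')
  flat=${realm%%.*}; rc=0
  fqdn_ok "$(hostname)" "$domain" || { echo "FAIL: host name lacks .$domain"; rc=1; }
  for db in passwd shadow group; do
    nss_has_winbind /etc/nsswitch.conf "$db" || { echo "FAIL: $db not via winbind"; rc=1; }
  done
  smb_ads_ok /etc/samba/smb.conf "$realm" || { echo "FAIL: smb.conf security/realm"; rc=1; }
  home_dir_ok "/home/$flat" || { echo "FAIL: /home/$flat missing or not 755"; rc=1; }
  return $rc
}

# Only touch the live system when explicitly asked: RUN_CHECKS=1 sh adcheck.sh company.com
if [ "${RUN_CHECKS:-0}" = 1 ]; then run_all "$@"; fi
```

The time-skew check takes two epoch timestamps so you can feed it the output of date on the Linux box and the value read from the domain controller.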
Here's a consolidated list of the files that need entries so that winbind authentication will work:
nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files
aliases: files nisplus
smb.conf
[global]
realm = COMPANY.COM
workgroup = COMPANY
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
security = ads
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
password server = w2k3-dc1.company.com
system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
# "uid < 100 quiet" is the stock Fedora Core 3 authconfig condition: local system
# accounts below UID 100 are accepted here and never reach the winbind account check
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_mkhomedir.so
gdm (PAM configuration file)
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
login (PAM configuration file)
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so multiple
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Hope this helps!
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.