Boswell's Q&A

Hat Trick

Some extra help in using Active Directory to authenticate users on Linux desktops.

A few months ago, I wrote a column in REDMOND magazine about using Active Directory to authenticate Linux users. I regularly get requests for help on this and additional information on getting the configuration files put together correctly. (To read the original column, click here.)

So, here's a quick checklist that I use to configure Fedora Core 3 clients to authenticate with an Active Directory domain using windbind. In this example, the domain name is with a flat name of COMPANY. The Active Directory domain controller name is W2K3-DC1. The Linux host name is fc3. The Linux client has SELINUX and iptables enabled and running. Following the checklist, I've included a list of the configuration files.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.) The best questions will be published here and the submitter will get one of the finest baseball-style caps ever made.

1. At the Linux machine, login as root and verify that the winbind service is running:

>/etc/init.d/winbind status

2. Verify that the system time and time zone at the Linux machine matches the system time and time zone at the Windows Server 2003 domain controller. To simplify this, specify the domain controller as the Network Time Protocol server for the Linux machine.

3. Verify that the configuration file entries match the listings shown at the end of this column.

4. Launch system-config-network and edit the settings for the active Ethernet interface. Verify that the host name is a fully qualified DNS name that includes the DNS suffix of the Active Directory domain; for example,

5. If do not use DHCP, or if the DNS servers in the DHCP scope do not point at a DNS server that is authoritative for the zone containing the Active Directory records, then uncheck the "Obtain DNS Information from DHCP" option and, in the DNS tab, set the HostName to match the Host Name in eth0 and set the DNS Search Path to

6. Save changes then deactivate and reactivate eth0.

7. Test the DNS settings by pinging the AD domain controller by its host name with no suffix. The TCP/IP stack should append the domain suffix and the ping should succeed.

8. Under /home, verify that you have a folder that matches the flat name of the Active Directory domain in all capital letters: example, COMPANY.

9. Verify that the permissions on the COMPANY folder will allow users to create home directories. You can modify the permissions using Nautilus or chmod as follows:

>chmod 755 /home/COMPANY

10. Use Active Directory Users and Computers to verify that a computer account exists for the Linux machine. If not, in a terminal window at the Linux machine, use this command to join the domain:

net ads join -U administrator

11. Restart the Linux machine. This ensures that the services start with their new configurations.

12. At the gdm login prompt, enter windows domain credentials with domain\username format:


13. A home directory should be created and user should successfully get logged on.

Here's a consolidated list of the files that need entries so that winbind authentication will work:

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files
aliases: files nisplus

workgroup = COMPANY
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
security = ads
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
password server =

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/
auth sufficient /lib/security/$ISA/ likeauth nullok
auth sufficient /lib/security/$ISA/ use_first_pass
auth required /lib/security/$ISA/
account sufficient /lib/security/$ISA/ uid <>
account required /lib/security/$ISA/
account [default=bad success=ok user_unknown=ignore]/lib/security/$ISA/
password requisite /lib/security/$ISA/ retry=3
password sufficient /lib/security/$ISA/ nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/ use_authtok
password required /lib/security/$ISA/
session required /lib/security/$ISA/
session required /lib/security/$ISA/
session optional /lib/security/$ISA/

gdm (PAM configuration file)
auth required
auth required
auth required
account required service=system-auth
password required service=system-auth
session required service=system-auth
session optional
session required skel=/etc/skel/ umask=0077

login (PAM configuration file)
auth required
auth required service=system-auth
auth required
account required service=system-auth
password required service=system-auth
session required multiple
session required service=system-auth
session optional
session required skel=/etc/skel/ umask=0077

Hope this helps!

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

comments powered by Disqus

SharePoint Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.