Boswell's Q&A

Hat Trick

Some extra help in using Active Directory to authenticate users on Linux desktops.

A few months ago, I wrote a column in REDMOND magazine about using Active Directory to authenticate Linux users. I regularly get requests for help on this and for additional information on getting the configuration files put together correctly.

So, here's a quick checklist that I use to configure Fedora Core 3 clients to authenticate with an Active Directory domain using winbind. In this example, the domain name is Company.com with a flat name of COMPANY. The Active Directory domain controller name is W2K3-DC1. The Linux host name is fc3. The Linux client has SELinux and iptables enabled and running. Following the checklist, I've included a list of the configuration files.

1. At the Linux machine, log in as root and verify that the winbind service is running:

>/etc/init.d/winbind status

2. Verify that the system time and time zone at the Linux machine matches the system time and time zone at the Windows Server 2003 domain controller. To simplify this, specify the domain controller as the Network Time Protocol server for the Linux machine.

3. Verify that the configuration file entries match the listings shown at the end of this column.

4. Launch system-config-network and edit the settings for the active Ethernet interface. Verify that the host name is a fully qualified DNS name that includes the DNS suffix of the Active Directory domain; for example, fc3.company.com.

5. If you do not use DHCP, or if the DNS servers in the DHCP scope do not point at a DNS server that is authoritative for the zone containing the Active Directory records, then uncheck the "Obtain DNS Information from DHCP" option and, in the DNS tab, set the Hostname to match the Host Name in eth0 and set the DNS Search Path to company.com.

6. Save the changes, then deactivate and reactivate eth0.

7. Test the DNS settings by pinging the AD domain controller by its host name with no suffix. The TCP/IP stack should append the domain suffix and the ping should succeed.

8. Under /home, verify that you have a folder that matches the flat name of the Active Directory domain in all capital letters; for example, COMPANY.

9. Verify that the permissions on the COMPANY folder will allow users to create home directories. You can modify the permissions using Nautilus or chmod as follows:

>chmod 755 /home/COMPANY

10. Use Active Directory Users and Computers to verify that a computer account exists for the Linux machine. If not, in a terminal window at the Linux machine, use this command to join the domain:

net ads join -U administrator

11. Restart the Linux machine. This ensures that the services start with their new configurations.

12. At the gdm login prompt, enter Windows domain credentials in domain\username format:

company\user1

13. A home directory should be created and the user should be logged on successfully.

Here's a consolidated list of the files that need entries so that winbind authentication will work:

nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files
aliases: files nisplus

smb.conf
[global]
realm = COMPANY.COM
workgroup = COMPANY
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
security = ads
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
password server = w2k3-dc1.company.com

system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid <>
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_mkhomedir.so

gdm (PAM configuration file)
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

login (PAM configuration file)
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so multiple
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
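Because most of the trouble with this setup comes from a single missing entry in one of the files above (or a home directory parent that winbind cannot write into), it helps to check the pieces mechanically before rebooting in step 11. The script below is an added example written for this column, not code from the original article or from the Samba project: it parses nsswitch.conf, smb.conf and the PAM files the way the checklist reads them, verifies the /home/COMPANY permissions from step 9, and collects the post-join commands (wbinfo, net ads testjoin, getent) in one function. All file paths, the realm and the workgroup are passed in as parameters; the demo at the bottom runs the checks against constructed copies of the listings so it works on any machine.

```shell
#!/bin/sh
# Added pre-flight checks for the winbind setup in this column (example code,
# not from the original article). File paths, realm and workgroup are passed
# in as parameters; the demo at the bottom uses constructed sample files.

# Pass if each database named after the file (passwd, shadow, ...) lists
# winbind as a source in nsswitch.conf.
check_nsswitch() {
    file=$1; shift
    for db in "$@"; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$file" ||
            { echo "nsswitch: '$db' does not list winbind" >&2; return 1; }
    done
}

# Print the value of one key from the [global] section of smb.conf.
smb_global_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                         # comment lines
        /^[[:space:]]*\[/ { insec = /^[[:space:]]*\[global\]/; next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Pass if smb.conf carries the settings an ADS join needs: security = ads,
# the Kerberos realm in upper case, the flat workgroup name, and a home
# directory template that separates users by domain (%D) and name (%U).
check_smb_conf() {
    file=$1 realm=$2 workgroup=$3
    [ "$(smb_global_value "$file" security)" = "ads" ] ||
        { echo "smb.conf: security must be ads" >&2; return 1; }
    r=$(smb_global_value "$file" realm)
    [ "$r" = "$(printf '%s' "$realm" | tr a-z A-Z)" ] ||
        { echo "smb.conf: realm is '$r', expected upper-case $realm" >&2; return 1; }
    [ "$(smb_global_value "$file" workgroup)" = "$workgroup" ] ||
        { echo "smb.conf: workgroup must be $workgroup" >&2; return 1; }
    case "$(smb_global_value "$file" 'template homedir')" in
        */%D/%U*) ;;
        *) echo "smb.conf: template homedir should contain %D/%U" >&2; return 1 ;;
    esac
}

# Pass if the PAM file has a line of each given type (auth, account, ...)
# that loads the given module.
check_pam_module() {
    file=$1 module=$2; shift 2
    for type in "$@"; do
        grep -Eq "^[[:space:]]*$type[[:space:]].*$module" "$file" ||
            { echo "$file: no '$type' line uses $module" >&2; return 1; }
    done
}

# Pass if the per-domain parent of the home directories exists and is a
# directory with mode 755, so pam_mkhomedir can create /home/COMPANY/user1.
check_home_parent() {
    [ -n "$(find "$1" -prune -type d -perm 755 2>/dev/null)" ] ||
        { echo "$1: missing or not a mode-755 directory" >&2; return 1; }
}

# Live checks for a joined client (needs the Samba tools and the domain; not
# run by the demo below). $1 is a domain user, e.g. user1.
live_checks() {
    /etc/init.d/winbind status &&
    wbinfo -t &&          # machine account trust secret is valid
    net ads testjoin &&   # the computer account in AD still works
    getent passwd "$1"    # the user resolves through nsswitch -> winbind
}

# Demo against constructed copies of the column's files (values are made up
# to match the example domain; nothing here touches the real /etc).
tmp=$(mktemp -d)
printf '%s\n' 'passwd: files winbind' 'shadow: files winbind' \
    'group: files winbind' 'hosts: files dns' > "$tmp/nsswitch.conf"
printf '%s\n' '[global]' 'realm = COMPANY.COM' 'workgroup = COMPANY' \
    'security = ads' 'template homedir = /home/%D/%U' > "$tmp/smb.conf"
printf '%s\n' 'auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass' \
    'session optional /lib/security/$ISA/pam_mkhomedir.so' > "$tmp/system-auth"
mkdir -p "$tmp/home/COMPANY" && chmod 755 "$tmp/home/COMPANY"
for chk in "check_nsswitch $tmp/nsswitch.conf passwd shadow group" \
           "check_smb_conf $tmp/smb.conf company.com COMPANY" \
           "check_pam_module $tmp/system-auth pam_winbind.so auth" \
           "check_home_parent $tmp/home/COMPANY"; do
    if $chk; then echo "PASS: ${chk%% *}"; else echo "FAIL: ${chk%% *}"; fi
done
rm -rf "$tmp"
```

On a real client, point the functions at /etc/nsswitch.conf, /etc/samba/smb.conf and /etc/pam.d/system-auth (and at /etc/pam.d/gdm and /etc/pam.d/login with pam_mkhomedir.so for the session type) before step 11, and run live_checks user1 after the reboot. The realm test deliberately forces upper case because Kerberos treats COMPANY.COM and company.com as different realms, which is the most common reason a join that looks correct still fails.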

Hope this helps!

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
