Windows Domain auth for Linux boxes

Matt Morgan matt.morgan-fedora-list at brooklynmuseum.org
Fri May 28 20:35:07 UTC 2004


I'm going to top-post this message to say THANK YOU to Tarun, Phil, 
Craig, Patrick and Michael. Will try it all out. I had a feeling that 
Xandros guy was being a little misleading.

On 05/28/2004 03:47 PM, Tarun Reddy wrote:

> I agree with Craig.
>
> I'm using FC2 against Windows 2003 active directory servers very 
> successfully (well, minus one part).
>
> However, note that system-config-authentication is woefully 
> broken/incomplete when it comes to winbind configuration.
>
> But here are my general steps using FC2.
>
> Install FC2 with "Windows File Sharing"
> during firstboot, skip over creating an account
> run system-config-authentication
> click enable Winbind support
> click the configure button
> fill in:
> winbind domain: <DOMAIN>  (no .com/.org/etc here)
> Security model: ads
> winbind ads realm: <DOMAIN.COM>
> winbind domain controllers: dc.domain.com  (I put in my primary ADS 
> server)
> Template shell: (your choice)
>
> now as root edit /etc/krb5.conf
> You'll see where the system-config-authentication has not replaced 
> anything correctly here.
>
> You need to change EXAMPLE.COM -> DOMAIN.COM and .example.com to 
> .domain.com as needed
> Also change kerberos.example.com to your ads server and admin_server 
> to your ads server.
>
> Now open /etc/samba/smb.conf
> search for password server. You'll notice two entries here. You should 
> only have your ads server here.
>
> I've added, below the template shell line,
> template homedir = /home/%U
>
> so I don't have to have /home/DOMAIN/USER as the location for my home 
> directory.
>
> I also changed winbind use default domain to yes so that users can 
> login as USER instead of DOMAIN+USER.
>
> The final step is to add the machine to the domain
>
> as root
> net ads join -w DOMAIN -S ADSSERVER.DOMAIN.COM -U Administrator
>
> /etc/rc.d/init.d/winbind restart
> /etc/rc.d/init.d/sshd restart
> (or even safer reboot)
>
> You will have to add the users homedirs by hand before they can login 
> and that's the final piece I'm trying to solve. samba's add user 
> script doesn't work for me.
>
> Hope this helps,
> Tarun
>
>
>
> On May 28, 2004, at 12:21 PM, Craig White wrote:
>
>> On Fri, 2004-05-28 at 10:40, Matt Morgan wrote:
>>
>>> Has anybody done this on their system with more open tools? Or another
>>> option seems to be maintaining an NIS server that somehow replicates
>>> accounts with the AD servers, so that NIS handles Linux login, while AD
>>> handles only Windows--anybody tried that? Or if anybody else has 
>>> come up
>>> with other solutions to this or similar problems, please write in. We
>>> have looked at all the PAM options--kerberos, LDAP, etc.--and none of
>>> them look quite as good as what Xandros has done; but if they work for
>>> you, I'm very interested in hearing your stories.
>>
>> -----
>> samba / winbind
>>
>> if you need documentation
>>
>> www.samba.org  -> documentation, samba-3 howto
>>
>> Craig
>
>
>
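The quoted procedure ends with three hand edits and one unsolved step: fixing the EXAMPLE.COM placeholders in /etc/krb5.conf, trimming smb.conf to a single password server, and creating home directories before domain users can log in. As an added example that is not part of the original thread and not Fedora's or Samba's own tooling, the POSIX shell script below does those edits and checks against copies of the files. The realm DOMAIN.COM, the server dc.domain.com, the placeholder config text written by demo, and the user list are all constructed assumptions; point the functions at the real /etc/krb5.conf and /etc/samba/smb.conf (and at 'wbinfo -u' output) after the join.

```shell
#!/bin/sh
# Added example, not from the original thread. Scripts the by-hand steps the
# post lists after system-config-authentication has run. REALM, KDC and the
# sample config text in demo() are constructed assumptions.

# fix_krb5_conf REALM KDC FILE: print FILE with the placeholders replaced
# (kerberos.example.com -> KDC, EXAMPLE.COM -> REALM, .example.com -> .realm).
fix_krb5_conf() {
    realm="$1"; kdc="$2"; file="$3"
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    sed -e "s/kerberos\\.example\\.com/$kdc/g" \
        -e "s/EXAMPLE\\.COM/$realm/g" \
        -e "s/\\.example\\.com/.$lower/g" "$file"
}

# check_auth_config KRB5_CONF SMB_CONF REALM: one line per problem found;
# the return status is the number of problems (0 means the files look right).
check_auth_config() {
    krb5="$1"; smb="$2"; realm="$3"; problems=0
    if grep -qi 'example\.com' "$krb5"; then
        echo "krb5.conf: example.com placeholders were not replaced"; problems=$((problems + 1))
    fi
    if ! grep -q "default_realm *= *$realm" "$krb5"; then
        echo "krb5.conf: default_realm is not $realm"; problems=$((problems + 1))
    fi
    # the tool leaves two 'password server' lines; only the ADS server should stay
    n=$(grep -c '^[[:space:]]*password server[[:space:]]*=' "$smb" || true)
    if [ "$n" -ne 1 ]; then
        echo "smb.conf: expected one 'password server' line, found $n"; problems=$((problems + 1))
    fi
    if ! grep -qi '^[[:space:]]*winbind use default domain[[:space:]]*=[[:space:]]*yes' "$smb"; then
        echo "smb.conf: winbind use default domain is not yes (logins need DOMAIN+user)"; problems=$((problems + 1))
    fi
    if ! grep -q '^[[:space:]]*template homedir[[:space:]]*=[[:space:]]*/home/%U' "$smb"; then
        echo "smb.conf: template homedir is not /home/%U (homes land under /home/DOMAIN)"; problems=$((problems + 1))
    fi
    return "$problems"
}

# make_homedirs USERFILE HOMEBASE: USERFILE has one name per line (e.g. saved
# 'wbinfo -u' output). Creates HOMEBASE/<user> mode 0700 when missing, chowns
# it only as root and only if winbind resolves the name. Prints the count created.
make_homedirs() {
    userfile="$1"; base="$2"; created=0
    while IFS= read -r user; do
        case "$user" in ''|*/*|.|..) continue ;; esac   # empty or path-escaping names
        dir="$base/$user"
        [ -d "$dir" ] && continue
        mkdir -m 0700 "$dir"
        if [ "$(id -u)" -eq 0 ] && getent passwd "$user" >/dev/null 2>&1; then
            chown "$user:" "$dir"
        fi
        created=$((created + 1))
    done < "$userfile"
    echo "$created"
}

# demo: constructed stand-ins for the files the tool leaves behind.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
 }
[domain_realm]
 .example.com = EXAMPLE.COM
EOF
    cat > "$tmp/smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN.COM
   security = ads
   password server = dc.domain.com
   password server = *
   winbind use default domain = yes
   template homedir = /home/%U
EOF
    printf 'alice\nbob\n../evil\n' > "$tmp/users.txt"
    echo "--- before:"; check_auth_config "$tmp/krb5.conf" "$tmp/smb.conf" DOMAIN.COM || true
    fix_krb5_conf DOMAIN.COM dc.domain.com "$tmp/krb5.conf" > "$tmp/krb5.conf.new"
    grep -v 'password server[[:space:]]*=[[:space:]]*\*' "$tmp/smb.conf" > "$tmp/smb.conf.new"
    echo "--- after:"; check_auth_config "$tmp/krb5.conf.new" "$tmp/smb.conf.new" DOMAIN.COM && echo ok
    echo "home dirs created: $(make_homedirs "$tmp/users.txt" "$tmp")"
    rm -rf "$tmp"
}
demo
```

Two caveats from practice rather than from the thread: the join in the post is run as Administrator, but a delegated account that only has rights to join machines to the target OU does the same job with far less exposure; and the pam_mkhomedir module creates home directories on first login, which removes the by-hand step entirely if it fits your PAM stack. Also note that 'winbind use default domain = yes' makes a domain user and a local user with the same name indistinguishable at the login prompt, so keep local account names distinct from domain ones.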