Talk:Active Directory integration
PAM / Kerberos update required
This article was first published on Feb 6th, 2012 based on a previous wiki page called "Arch_Server_and_Active_Directory".
When I follow these instructions, the pam configuration is way different, I end up having to guess that the instructions mean /etc/pam.d/system-auth. Additionally, since the ticket granting ticket expires and winbindd fails to renew it, and since the max lifetime is 7 days anyway, basically the system becomes unable to log in to after a restart. I end up having to mount the arch linux drive in another system, or boot from the install cd, and remove the references to winbind from /etc/nsswitch.conf before I can log into the system again after this happens. Also, testparm complains that idmap uid and idmap gid are deprecated, and that template primary group is an unknown parameter.
Perhaps someone who knows what the hell they're doing with Samba and Kerberos AD integration might want to update this documentation, because I don't know how to fix it, nor can I find any useful documentation in any of my Google searches. (Redscourge (talk) 20:42, 8 March 2013 (UTC))
- I have found a forum post about this issue, located here: https://bbs.archlinux.org/viewtopic.php?pid=1265595 Also that was not enough by itself, I have made a few changes to my system-login to get sound and graphics (among other things) working (which you can find here: https://bbs.archlinux.org/viewtopic.php?id=162649) By using "idmap config * : range = 10000-33554431" or to control each domain "idmap config DOMAIN : range = 10000-33554431" syntax, you can resolve idmap uid/gid deprecated messages. I'm still stuck on offline logins though. If you follow the instructions, you won't be able to log in without a working AD connection. --Queljin (talk) 15:56, 15 May 2013 (UTC)
ADS client integration
The following thread points to some required Updates to install / configure an Arch system as a ADS-client. I can't add to it; noting it for reference here. --Indigo (talk) 08:07, 22 August 2014 (UTC)
User:Agartner removed mentions of
pam_mkhomedir.so with  without a reason in the edit summary. Since this violates ArchWiki:Contributing#Always_properly_use_the_edit_summary I'm reporting the edit here in case somebody had something to object. — Kynikos (talk) 11:04, 28 April 2015 (UTC)
- My apologies, this was my first contribution. I just set up Active Directory Integration, and it appears that pam_mkhomedir.so is no longer needed. The functionality is handled by smb and winbind (as defined in pam_winbind.conf and smb.conf) --Agartner (talk) 05:42, 29 April 2015 (UTC)
A couple of notes on content
No major changes (yet), just a few notes about style, technical accuracy, modernization to see what others think (on parts that don't affect me directly, unfortunately).
Updating the GPO: As of Samba4, this should probably be removed (I think). This was definitely necessary in S3, do we still support/care for S3? Can somebody confirm or deny the need for S4?
Updating DNS: There is no guarantee that the DNS servers are a domain controller, or even a windows server for that matter. Perhaps "Active Directory domain controllers" could be replaced by "internal DNS servers. In many small networks, these will be the domain controllers."?
Kerberos: PDC and BDC are old terms that should have died 15 years ago for Windows admins, and at release of Samba4 for us, but live on (and on, and on, and...). There are five FSMO roles now, four of which can be duplicated any number of times. A generic server1 and server2 would be good IMO. Also, the "Let us assume" part is an odd read for me, especially in a technical document. If a scenario is necessary, it should probably be covered in the introduction (unless the scenario must be built inline, and even then, an overview should be provided in the introduction). Finally, does Samba no longer create its own krb5.conf in /var/lib/samba/private/? I'm only looking from the ADDC POV right now, so I don't know. I'll setup a Samba client at some point before making any edits.
Creating a Kerberos Ticket: Rename "Requesting a Kerberos ticket". Also, there are other title capitalization errors elsewhere (including the title of the article), but the important part was creating vs requesting.
Finally, the general flow of the article could use some work. It feels a little piecemeal to me as you continue further into the additional sections not yet mentioned (probably due to it having major edits by 15 or so users over the past few years).
Objections to any of the above?
In samba 4.5.1 is not possible combine
security = ads password server = pdc.example.com
"WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter. (by default Samba will discover the correct DC to contact automatically)."
idmap config rid backend
In Samba 4.6+, the idmap backend of rid for the wildcard domain appears to be depreciated. (See ). The following error was shown via journalctl:
winbindd: main: FATAL: Invalid idmap backend rid configured as the default backend!
I was able to get the following to work with a basic WS2012R2 active directory setup (Source: ). Obviously replacing '<DOMAIN NAME' with an all-caps domain name.
idmap config <DOMAIN NAME> : backend = rid idmap config <DOMAIN NAME> : range = 10000-20000 idmap config * : range = 10000-20000
Wireless WPA-EAP Machine Authentication
I did a small write-up on how to join a Cisco-Wifi with Machine-Auth against AD. I'm not good at writing :) Feel free to fix and integrate the content. https://wiki.archlinux.org/index.php/User:B2ag/Active_Directory_Integration/WPA-EPA-machine-auth