Difference between revisions of "Active Directory Integration"

From ArchWiki
(AD Basic Terminology)
Line 46: Line 46:
 
* openntpd (or) ntp
 
* openntpd (or) ntp
  
<pre>
+
pacman -S samba pam-krb5 pam_pwcheck openntpd
pacman -S samba pam-krb5 pam_pwcheck openntpd
+
</pre>
+
  
 
=== Updating DNS ===
 
=== Updating DNS ===
Line 121: Line 119:
 
</pre>
 
</pre>
  
'''Update:'''<br>
+
'''Note:'''<br>
 
Heimdal 1.3.1 deprecated DES encryption which is required for AD authentication before Windows Server 2008. You'll probably have to add <pre>allow_weak_crypto = true</pre> to the {{Ic|[libdefaults]}} section.
 
Heimdal 1.3.1 deprecated DES encryption which is required for AD authentication before Windows Server 2008. You'll probably have to add <pre>allow_weak_crypto = true</pre> to the {{Ic|[libdefaults]}} section.
  
==== Creating an initial Token =====
+
==== Creating a Kerberos Ticket =====
Now you can query the AD domain controllers for a ticket with the following commands ('''uppercase is necessary'''):
+
Now you can query the AD domain controllers and request a kerberos ticket ('''uppercase is necessary'''):
<pre># kinit ADMINISTRATOR@EXAMPLE.COM</pre>
+
kinit ADMINISTRATOR@EXAMPLE.COM
  
<p>You´ll now be asked for the password. In case it matches, you'll be returned to the console.</p>
 
  
==== Validate the Token ====
+
==== Validating the Ticket ====
Run 'klist' to see the token.
+
Run 'klist' to verify you did receive the token. You should see something similar to:
 
+
# klist
=== Configuring Samba ===
+
Ticket cache: FILE:/tmp/krb5cc_0
 +
Default principal: administrator@EXAMPLE.COM
 +
 +
Valid starting    Expires          Service principal
 +
02/04/12 21:27:47 02/05/12 07:27:42 krbtgt/EXAMPLE.COM@EXAMPLE.COM
 +
        renew until 02/05/12 21:27:47
  
 +
=== Samba ===
 
Samba is a free software re-implementation of the SMB/CIFS networking protocol. It also includes tools for Linux machines to act as Windows networking servers and clients.
 
Samba is a free software re-implementation of the SMB/CIFS networking protocol. It also includes tools for Linux machines to act as Windows networking servers and clients.
  
 
==== /etc/samba/smb.conf ====
 
==== /etc/samba/smb.conf ====
=== Samba configuration for shares===
+
'''''NOTE: The configuration can vary greatly depending on how the Windows environment is deployed. Be prepared to troubleshoot and research.'''''
<p> Samba is highly configurable. Take this example only as a rough idea, hardly polished. Here is what my /etc/samba/smb.conf looks like:</p>
+
 
 +
In this section, we will focus on getting Authentication to work first by editing the 'Global' section first. Later, we will go back and add shares.
 +
 
 
<pre>
 
<pre>
#### /etc/samba/smb.conf ####
 
 
[Global]
 
[Global]
netbios name = archlinux
+
  netbios name = MYARCHLINUX
workgroup = PARADISE
+
  workgroup = EXAMPLE
realm = PARADISE.COM
+
  realm = EXAMPLE.COM
server string = archlinux
+
  server string = %h ArchLinux Host
map to guest = Bad User
+
  security = ads
idmap uid = 10000-20000
+
  encrypt passwords = yes
idmap gid = 10000-20000
+
  password server = pdc.example.com
winbind enum users = yes
+
  idmapd uid = 10000-20000
winbind enum groups = yes
+
  idmapd gid = 10000-20000
winbind gid = 10000-20000
+
winbind use default domain = Yes
+
winbind separator =+
+
os level = 20
+
 
+
# Theres no shell defined for users in AD, so I define a default shell to use
+
# Not sure if its even possible to define a shell in AD
+
template shell = /bin/bash
+
 
   
 
   
encrypt passwords = yes
+
  #idmapd backend = rid
security = ads
+
password server = adam.paradise.com
+
preferred master = no
+
dns proxy = no
+
wins server = eve.paradise.com
+
wins proxy = no
+
  
admin users = @"NET+domain admins"
+
  winbind use default domain = Yes
force group = "PARADISE+domain admins"
+
  winbind enum users = Yes
inherit acls = Yes
+
  winbind enum groups = Yes
map acl inherit = Yes
+
  winbind nested groups = Yes
acl group control = yes
+
  winbind separator = +
 +
  winbind refresh tickets = yes
 +
  winbind gid = 10000-20000
  
load printers = no
+
  template shell = /bin/bash
debug level = 3
+
  template homedir = /home/%D/%U
use sendfile = no
+
 
+
  preferred master = no
[homes]
+
  dns proxy = no
comment = User´s homedirs
+
  wins server = pdc.example.com
path =/home/%U
+
  wins proxy = no
valid users = %S NET+%S
+
browseable = no
+
read only = no
+
  
[data] 
+
  inherit acls = Yes
comment = Data
+
  map acl inherit = Yes
valid users = %S net+%S
+
  acl group control = yes
path = /data
+
 
read only = no
+
  load printers = no
browseable = yes
+
  debug level = 3
+
  use sendfile = no
[Back-up]
+
comment = Backup filer
+
path = /backup
+
read only = no
+
browseable = yes
+
valid users = @"NET+Domain Admins"
+
 
</pre>
 
</pre>
  
 
We shall now explain to Samba that it shall use the PDC´s database for authentication queries. Again, we use winbindd which is a part of the samba package. Winbind maps the UID and GID of the AD to our Linux-machine. Winbind uses a Unix-implementation of RPC-calls, Pluggable Authentication Modules (aka PAM) and Name Service Switch (NSS) to allow Windows AD and users accessing and to grant permissions on the Linux-machine. The best part of winbindd is, that you don´t have to define the mapping yourself, but only define a range of UID and GID. That´s what we defined in smb.conf.
 
We shall now explain to Samba that it shall use the PDC´s database for authentication queries. Again, we use winbindd which is a part of the samba package. Winbind maps the UID and GID of the AD to our Linux-machine. Winbind uses a Unix-implementation of RPC-calls, Pluggable Authentication Modules (aka PAM) and Name Service Switch (NSS) to allow Windows AD and users accessing and to grant permissions on the Linux-machine. The best part of winbindd is, that you don´t have to define the mapping yourself, but only define a range of UID and GID. That´s what we defined in smb.conf.
To include Winbindd into NSS calls, edit /etc/nsswitch.conf. Add winbind to the lines as shown here:
+
 
 
<pre>
 
<pre>
  
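Review bot: the rewritten [Global] block misspells the id-mapping parameters as `idmapd uid`, `idmapd gid` and `#idmapd backend = rid`; the Samba names are `idmap uid`, `idmap gid` and `idmap backend` (the line being replaced, `idmap uid = 10000-20000`, had it right), so the new ranges are silently ignored and the later `net ads` output in this same diff reports the unknown parameter. Two formatting points in the same hunk: `==== Creating a Kerberos Ticket =====` and `==== Validating the Ticket =====` have four `=` on the left and five on the right, which renders a stray `=` inside the heading text, and `kinit ADMINISTRATOR@EXAMPLE.COM` plus the `klist` transcript lost the `<pre>` wrapper that the replaced `<pre># kinit ...</pre>` line had.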
Line 218: Line 201:
 
  DAEMONS=(hwclock syslog-ng dbus network openntpd crond sshd samba)
 
  DAEMONS=(hwclock syslog-ng dbus network openntpd crond sshd samba)
  
 +
==== /etc/nsswitch.conf ====
  
=== Configuring PAM for Logins ===
+
NSSwitch tells the Linux host how to retrieve information from various sources and in which order to do so. In this case, we are appending Active Directory as additional sources for Users, Groups, and Hosts.
<p>Now we have to change /etc/pam.d/login so it sends its request to the AD controllers. In case of logins, PAM should first ask for AD accounts, and for local accounts if no matching AD account was found. Therefore, we add entries to include pam_winbindd.so into the authentication process. Furthermore, we include pam_mkhomedir.so. If an AD user logs in, /home/paradise/user will be created automatically.</p>
+
<pre>
+
#### /etc/pam.d/login ####
+
#%PAM-1.0
+
auth    sufficient    pam_unix2.so
+
auth    required      pam_winbind.so use_first_pass use_authtok
+
auth    required      pam_securetty.so
+
auth    required      pam_nologin.so
+
auth    required      pam_mail.so
+
account  sufficient    pam_unix2.so
+
account  sufficient    pam_winbind.so use_first_pass use_authtok
+
password required      pam_pwcheck.so
+
password sufficient    pam_unix2.so
+
password sufficient    pam_winbind.so use_first_pass use_authtok
+
session  required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
+
session  sufficient    pam_unix2.so
+
session  sufficient    pam_winbind.so use_first_pass use_authtok
+
session  required      pam_limits.so
+
</pre>
+
<p>If you like to allow AD users to login into GDM, you have to do the same for /etc/pam.d/gdm. You may try to change other /etc/pam.d/ rules for other apps, to allow them to authenticate AD users.</p>
+
  
==== /etc/nsswitch.conf ====
+
passwd:            files winbind
 +
shadow:            files winbind
 +
group:            files winbind
 +
 +
hosts:            files dns wins
  
#### /etc/nsswitch.conf ####
 
passwd:            files winbind
 
shadow:            files winbind
 
group:            files winbind
 
</pre>
 
  
 
== Starting and testing services ==
 
== Starting and testing services ==
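Review bot: the paragraph introducing /etc/pam.d/login says PAM should ask for AD accounts first and fall back to local ones, but the stack that follows runs `auth sufficient pam_unix2.so` before `auth required pam_winbind.so`, so local accounts are consulted first and winbind only decides when pam_unix2 does not succeed; either reorder the lines or reword the sentence. The same paragraph names the module `pam_winbindd.so` while the stack uses `pam_winbind.so`.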
Line 288: Line 251:
 
wbinfo -g
 
wbinfo -g
 
</pre>
 
</pre>
 +
 +
=== Testing Samba commands ===
 +
 +
Try out some net commands to see if samba can communicate with  AD:
 +
 +
<pre>
 +
# net ads info
 +
[2012/02/05 20:21:36.473559,  0] param/loadparm.c:7599(lp_do_parameter)
 +
  Ignoring unknown parameter "idmapd backend"
 +
LDAP server: 192.168.1.2
 +
LDAP server name: PDC.example.com
 +
Realm: EXAMPLE.COM
 +
Bind Path: dc=EXAMPLE,dc=COM
 +
LDAP port: 389
 +
Server time: Sun, 05 Feb 2012 20:21:33 CST
 +
KDC server: 192.168.1.2
 +
Server time offset: -3
 +
</pre>
 +
 +
<pre>
 +
# net ads lookup
 +
[2012/02/05 20:22:39.298823,  0] param/loadparm.c:7599(lp_do_parameter)
 +
  Ignoring unknown parameter "idmapd backend"
 +
Information for Domain Controller: 192.168.1.2
 +
 +
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
 +
GUID: 2a098512-4c9f-4fe4-ac22-8f9231fabbad
 +
Flags:
 +
        Is a PDC:                                  yes
 +
        Is a GC of the forest:                      yes
 +
        Is an LDAP server:                          yes
 +
        Supports DS:                                yes
 +
        Is running a KDC:                          yes
 +
        Is running time services:                  yes
 +
        Is the closest DC:                          yes
 +
        Is writable:                                yes
 +
        Has a hardware clock:                      yes
 +
        Is a non-domain NC serviced by LDAP server: no
 +
        Is NT6 DC that has some secrets:            no
 +
        Is NT6 DC that has all secrets:            yes
 +
Forest:                example.com
 +
Domain:                example.com
 +
Domain Controller:      PDC.example.com
 +
Pre-Win2k Domain:      EXAMPLE
 +
Pre-Win2k Hostname:    PDC
 +
Server Site Name :              Office
 +
Client Site Name :              Office
 +
NT Version: 5
 +
LMNT Token: ffff
 +
LM20 Token: ffff
 +
</pre>
 +
 +
<pre>
 +
net ads status
 +
</pre>
 +
 +
 +
== Configuring PAM for Logins ==
 +
 +
<p>Now we have to change /etc/pam.d/login so it sends its request to the AD controllers. In case of logins, PAM should first ask for AD accounts, and for local accounts if no matching AD account was found. Therefore, we add entries to include pam_winbindd.so into the authentication process. Furthermore, we include pam_mkhomedir.so. If an AD user logs in, /home/example/user will be created automatically.</p>
 +
<pre>
 +
#### /etc/pam.d/login ####
 +
#%PAM-1.0
 +
auth    sufficient    pam_unix2.so
 +
auth    required      pam_winbind.so use_first_pass use_authtok
 +
auth    required      pam_securetty.so
 +
auth    required      pam_nologin.so
 +
auth    required      pam_mail.so
 +
account  sufficient    pam_unix2.so
 +
account  sufficient    pam_winbind.so use_first_pass use_authtok
 +
password required      pam_pwcheck.so
 +
password sufficient    pam_unix2.so
 +
password sufficient    pam_winbind.so use_first_pass use_authtok
 +
session  required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
 +
session  sufficient    pam_unix2.so
 +
session  sufficient    pam_winbind.so use_first_pass use_authtok
 +
session  required      pam_limits.so
 +
</pre>
 +
<p>If you like to allow AD users to login into GDM, you have to do the same for /etc/pam.d/gdm. You may try to change other /etc/pam.d/ rules for other apps, to allow them to authenticate AD users.</p>
 +
  
 
=== Testing login ===
 
=== Testing login ===
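Review bot: both transcripts open with `Ignoring unknown parameter "idmapd backend"`, which is Samba reporting the misspelt `idmapd` key from the [Global] section in this revision; rather than ship the warning as part of the expected output, fix the parameter name (`idmap backend`) and recapture, or at least tell readers that the warning is a configuration error and not normal. The bare `net ads status` at the end comes with no output and no sentence on what a successful result looks like, unlike the two commands before it.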
Line 298: Line 341:
 
</pre>
 
</pre>
  
Both should work. You should notice that /home/paradise/kain will be created.
+
Both should work. You should notice that /home/example/kain will be created.
 
'''Log into another session using an linux account. Check that you still be able to log in as root - but keep in mind to be logged in as root in at least one session!'''  
 
'''Log into another session using an linux account. Check that you still be able to log in as root - but keep in mind to be logged in as root in at least one session!'''  
  
=== Testing Samba commands ===
+
== Working with SMB Shares ==
 
+
Earlier we skipped configuration of the shares. Now that things are working, go back to /etc/smb.conf, and add the exports for the host that you want available on the windows network.
Try out some net commands to see if samba can address the AD:
+
  
 
<pre>
 
<pre>
net ads info
+
[homes]
net ads lookup
+
  comment = User´s homedirs
net ads status
+
  path =/home/%U
</pre>
+
  valid users = %S NET+%S
 +
  browseable = no
 +
  read only = no
  
The commands return several AD related information.
+
[data] 
 +
  comment = Data
 +
  valid users = %S net+%S
 +
  path = /data
 +
  read only = no
 +
  browseable = yes
 +
 +
[Back-up]
 +
  comment = Backup filer
 +
  path = /backup
 +
  read only = no
 +
  browseable = yes
 +
  valid users = @"NET+Domain Admins"
 +
</pre>
  
 
= Resources =
 
= Resources =
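Review bot: the share definitions carried over from the old revision still use the old domain prefix: `valid users = %S NET+%S`, `%S net+%S` and `@"NET+Domain Admins"`, whereas this revision's [Global] sets `workgroup = EXAMPLE` with `winbind separator = +`, so none of these entries will match an EXAMPLE user; they should read `EXAMPLE+%S` and `@"EXAMPLE+Domain Admins"`. Likewise the sentence "You should notice that /home/example/kain will be created" and `path =/home/%U` in [homes] do not agree with `template homedir = /home/%D/%U` set earlier in the diff, where `%D` expands to the user's domain name.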

Revision as of 02:33, 6 February 2012

This guide explains how to include ArchLinux into an existing Windows Active Directory.

THIS DOCUMENT IS A WORK IN PROGRESS

Introduction

A key challenge for system administrators of any datacenter is coexisting in heterogeneous environments, that is, mixing different server operating system technologies (typically Microsoft Windows and Unix/Linux). User management and authentication is by far the most difficult of these problems to solve. The most common way of solving it is to use a directory server. There are a number of open-source and commercial solutions for the various flavors of *NIX; however, few solve the problem of interoperating with Windows. Active Directory (AD) is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers.

Active Directory serves as a central location for network administration and security. It is responsible for authenticating and authorizing all users and computers within a network of Windows domain type, assigning and enforcing security policies for all computers in a network and installing or updating software on network computers. For example, when a user logs into a computer that is part of a Windows domain, it is Active Directory that verifies his or her password and specifies whether he or she is a system administrator or normal user.[1]

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos and DNS. These same standards are available on Linux, but piecing them together is not an easy task. Following these steps will help you configure an ArchLinux host to authenticate against an AD domain.

Before continuing, you must have an existing Active Directory domain, and have a user with the appropriate rights within the domain to: query users and add computer accounts (Domain Join).

AD Basic Terminology

If you are not familiar with Active Directory, there are a few keywords that must be understood. This document is not an exhaustive guide; refer to the Resources section for additional information.

  • Domain : The name used to group computers and accounts.
  • SID : Each computer that joins the domain as a member must have a unique SID or System Identifier.

Active Directory Configuration

NOTE: This section has not been validated. Proceed with caution


Updating the GPO

NOTE: These steps have not been validated. Proceed with caution

It may be necessary to disable Digital Sign Communication (Always) in the AD group policies. Dive into:

Local policies -> Security policies -> Microsoft Network Server -> Digital sign communication (Always) -> activate "define this policy" and use the disable radio button

If you use Windows Server 2008 R2, you need to modify that in GPO for Default Domain Controller Policy -> Computer Setting -> Policies -> Windows Setting -> Security Setting -> Local Policies -> Security Option -> Microsoft network client: Digitally sign communications (always)

Linux Host Configuration

The next few steps will begin the process of configuring the Host. You will need root or sudo access to complete these steps.

Arch Linux Packages

The following packages should also be installed:

  • samba
  • krb-5
  • pam-krb5
  • pam_pwcheck
  • openntpd (or) ntp
pacman -S samba pam-krb5 pam_pwcheck openntpd

Updating DNS

Active Directory is heavily dependent upon DNS. You will need to update /etc/resolv.conf to use one or more of the Active Directory domain controllers:

nameserver <IP1>
nameserver <IP2>

Replace <IP1> and <IP2> with valid IP addresses for the AD servers. If your AD domains do not permit DNS forwarding or recursion, you may need to add additional resolvers.

Important: If your machine dual boots Windows and Linux, you should use a different DNS hostname and netbios name for the linux configuration if both operating systems will be members of the same domain.

Configuring NTP

In this example, we use OpenNTPD instead of ISC NTP. You may choose either package, but openntpd is cleaner and easier to configure.

/etc/conf.d/openntpd

Ensure the daemon is configured to 'sync' automatically on startup by adding the '-s' parameter to the config:

PARAMS="-s"

/etc/ntpd.conf

servers <IP1>
servers <IP2>

Replace <IP1> and <IP2> with valid IP addresses for the AD servers. Alternatively, you can use other known NTP servers, provided the Active Directory servers sync to the same stratum. However, AD servers typically run NTP as a service.

/etc/rc.conf

Next, add 'openntpd' to the list of startup daemons in the ArchLinux configuration file:

DAEMONS=(hwclock syslog-ng dbus network openntpd crond sshd)
  • Note we place it AFTER 'network' and BEFORE 'crond'

Start openntpd

Start the NTP daemon to sync the time now.

rc.d start openntpd

Kerberos

Let's assume that your AD is named example.com. Let's further assume your AD is ruled by two domain controllers, the primary and secondary one, which are named PDC and BDC, pdc.example.com and bdc.example.com respectively. Their IP addresses will be 192.168.1.2 and 192.168.1.3 in this example. Take care to watch your syntax; upper-case is very important here.


/etc/krb5.conf

#### /etc/krb5.conf ####
[libdefaults]
        default_realm   = EXAMPLE.COM
        clockskew       = 300
        ticket_lifetime = 1d

[realms]
        EXAMPLE.COM = {
                kdc = 192.168.1.2
                kdc = 192.168.1.3
                default_domain = EXAMPLE.COM
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com  = EXAMPLE.COM
        example      = EXAMPLE.COM

[appdefaults]
        pam = {
                ticket_lifetime    = 1d
                renew_lifetime     = 1d
                forwardable        = true
                proxiable          = false
                retain_after_close = false
                minimum_uid        = 0
                debug              = false
        }

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc     = FILE:/var/log/kdc.log

Note:

Heimdal 1.3.1 deprecated DES encryption which is required for AD authentication before Windows Server 2008. You'll probably have to add
allow_weak_crypto = true
to the [libdefaults] section.

Creating a Kerberos Ticket

Now you can query the AD domain controllers and request a Kerberos ticket (uppercase is necessary):

kinit ADMINISTRATOR@EXAMPLE.COM


Validating the Ticket

Run 'klist' to verify that you received the ticket. You should see something similar to:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting    Expires           Service principal 
02/04/12 21:27:47 02/05/12 07:27:42 krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/05/12 21:27:47

Samba

Samba is a free software re-implementation of the SMB/CIFS networking protocol. It also includes tools for Linux machines to act as Windows networking servers and clients.

/etc/samba/smb.conf

NOTE: The configuration can vary greatly depending on how the Windows environment is deployed. Be prepared to troubleshoot and research.

In this section we focus on getting authentication to work first, by editing the [Global] section. Later, we will go back and add shares.

[Global]
  netbios name = MYARCHLINUX
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  server string = %h ArchLinux Host
  security = ads
  encrypt passwords = yes
  password server = pdc.example.com
  # The parameter names are "idmap uid" / "idmap gid" / "idmap backend".
  # Spelt "idmapd ..." they are silently dropped, which is what the
  # 'Ignoring unknown parameter "idmapd backend"' line in the net ads
  # output further down this page shows.
  idmap uid = 10000-20000
  idmap gid = 10000-20000

  #idmap backend = rid

  winbind use default domain = Yes
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind nested groups = Yes
  winbind separator = +
  winbind refresh tickets = yes
  winbind gid = 10000-20000

  template shell = /bin/bash
  template homedir = /home/%D/%U

  preferred master = no
  dns proxy = no
  wins server = pdc.example.com
  wins proxy = no

  inherit acls = Yes
  map acl inherit = Yes
  acl group control = yes

  load printers = no
  debug level = 3
  use sendfile = no

We now have to tell Samba to use the PDC's database for authentication queries. For that we use winbindd, which is part of the samba package. Winbind maps the UIDs and GIDs of AD to our Linux machine. It uses a Unix implementation of the Windows RPC calls, Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS) to let AD users access the Linux machine and to grant them permissions on it. The best part of winbindd is that you do not have to define the mapping yourself; you only define a range of UIDs and GIDs, which is what we did in smb.conf.
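As an added example (not part of the wiki page or of Samba), the following Python script checks a krb5.conf/smb.conf pair for the pitfalls this page calls out: upper-case realm, matching realm and workgroup, `security = ads`, the `idmapd` misspelling that the `net ads info` output flags, and `valid users` entries whose domain prefix is not the configured workgroup. The `check` and `parse_smb` functions and the embedded sample configs are mine, constructed from the page's values.

```python
import re
import shlex

# Constructed samples built from this page's values. The "bad" one carries
# the mistakes discussed on the page (lower-case realm, misspelt idmap keys,
# a stale "NET+" domain prefix) plus security=user instead of ads.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 300
"""

SMB_CONF_BAD = """
[Global]
  workgroup = EXAMPLE
  realm = example.com
  security = user
  idmapd uid = 10000-20000
  idmapd gid = 10000-20000
  winbind separator = +
[data]
  valid users = %S NET+%S
[Back-up]
  valid users = @"NET+Domain Admins"
"""

SMB_CONF_GOOD = (SMB_CONF_BAD.replace("example.com", "EXAMPLE.COM")
                 .replace("security = user", "security = ads")
                 .replace("idmapd", "idmap")
                 .replace("NET+", "EXAMPLE+"))


def parse_smb(text):
    """Minimal smb.conf reader: {section: {key: value}} with section and key
    names lower-cased and whitespace-normalised; comments (# or ;) are
    skipped and %-macros are left untouched."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def check(krb5_text, smb_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    out = []
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    krb_realm = m.group(1) if m else None
    conf = parse_smb(smb_text)
    glob = conf.get("global", {})
    if krb_realm is None:
        out.append("krb5.conf: no default_realm in [libdefaults]")
    elif krb_realm != krb_realm.upper():
        out.append(f"krb5.conf: default_realm {krb_realm!r} must be upper-case")
    realm = glob.get("realm")
    if realm is None:
        out.append("smb.conf: [Global] has no realm")
    else:
        if realm != realm.upper():
            out.append(f"smb.conf: realm {realm!r} must be upper-case")
        if krb_realm and realm.upper() != krb_realm.upper():
            out.append(f"smb.conf: realm {realm!r} != krb5 default_realm {krb_realm!r}")
    if glob.get("security", "").lower() != "ads":
        out.append("smb.conf: security must be 'ads' to authenticate against AD")
    workgroup = glob.get("workgroup", "")
    if not workgroup or "." in workgroup:
        out.append(f"smb.conf: workgroup {workgroup!r} should be the short domain name")
    for key in glob:
        if key.startswith("idmapd "):
            out.append(f"smb.conf: unknown parameter {key!r}, use {key.replace('idmapd', 'idmap', 1)!r}")
    sep = glob.get("winbind separator", "\\")
    for name, share in conf.items():
        # shlex keeps @"DOM+Domain Admins" together as one token
        for tok in shlex.split(share.get("valid users", "")):
            user = tok.lstrip("@+&")
            if sep in user:
                dom = user.split(sep, 1)[0]
                if dom.upper() != workgroup.upper():
                    out.append(f"smb.conf: [{name}] valid users {tok!r} uses domain {dom!r}, not {workgroup!r}")
    return out


if __name__ == "__main__":
    for finding in check(KRB5_CONF, SMB_CONF_BAD):
        print(finding)
```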



/etc/conf.d/samba

Update the samba initscript configuration file to enable the winbind daemon:

#### /etc/conf.d/samba ####
#SAMBA_DAEMONS=(smbd nmbd)
SAMBA_DAEMONS=(smbd nmbd winbindd)

/etc/rc.conf

Next, add 'samba' to the list of startup daemons in the ArchLinux configuration file. The daemons started by /etc/rc.d/samba are configured in the file /etc/conf.d/samba. NOTE: Your actual list may vary.

DAEMONS=(hwclock syslog-ng dbus network openntpd crond sshd samba)

/etc/nsswitch.conf

NSSwitch tells the Linux host how to retrieve information from various sources and in which order to do so. In this case, we are appending Active Directory as additional sources for Users, Groups, and Hosts.

passwd:            files winbind
shadow:            files winbind
group:             files winbind

hosts:             files dns wins


Starting and testing services

Starting Samba

Hopefully, you have not rebooted yet! Fine. If you are in an X session, quit it, so you can test logging in on another console while you are still logged in.

Start Samba (including smbd, nmbd and winbindd):

/etc/rc.d/samba restart


Join the Domain

You need an AD Administrator account to do this. Let's assume this is named Administrator. The command is 'net ads join'

# net ads join -U Administrator
Administrator's password: xxx
Using short domain name -- PARADISE
Joined 'MACHINE-NAME' to realm 'PARADISE.COM'


Restart Samba

'winbindd' failed to start on the first try because the host was not yet a domain member. Restart the samba service and winbind should fire up as well:

rc.d restart samba

Testing Winbind

Let's check if winbind is able to query the AD. The following command should return a list of AD users:

wbinfo -u

We can do the same for AD groups:

wbinfo -g

Testing Samba commands

Try out some net commands to see if samba can communicate with AD:

# net ads info
[2012/02/05 20:21:36.473559,  0] param/loadparm.c:7599(lp_do_parameter)
  Ignoring unknown parameter "idmapd backend"
LDAP server: 192.168.1.2
LDAP server name: PDC.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Sun, 05 Feb 2012 20:21:33 CST
KDC server: 192.168.1.2
Server time offset: -3
# net ads lookup
[2012/02/05 20:22:39.298823,  0] param/loadparm.c:7599(lp_do_parameter)
  Ignoring unknown parameter "idmapd backend"
Information for Domain Controller: 192.168.1.2

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 2a098512-4c9f-4fe4-ac22-8f9231fabbad
Flags:
        Is a PDC:                                   yes
        Is a GC of the forest:                      yes
        Is an LDAP server:                          yes
        Supports DS:                                yes
        Is running a KDC:                           yes
        Is running time services:                   yes
        Is the closest DC:                          yes
        Is writable:                                yes
        Has a hardware clock:                       yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets:            no
        Is NT6 DC that has all secrets:             yes
Forest:                 example.com
Domain:                 example.com
Domain Controller:      PDC.example.com
Pre-Win2k Domain:       EXAMPLE
Pre-Win2k Hostname:     PDC
Server Site Name :              Office
Client Site Name :              Office
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

# net ads status


Configuring PAM for Logins

Now we have to change /etc/pam.d/login so that it sends its requests to the AD controllers. For logins, PAM should first ask for AD accounts, and for local accounts if no matching AD account was found. Therefore, we add entries that include pam_winbind.so in the authentication process. Furthermore, we include pam_mkhomedir.so, so that when an AD user logs in, /home/example/user is created automatically.

#### /etc/pam.d/login ####
#%PAM-1.0
auth     sufficient     pam_unix2.so
auth     required       pam_winbind.so use_first_pass use_authtok
auth     required       pam_securetty.so
auth     required       pam_nologin.so
auth     required       pam_mail.so
account  sufficient     pam_unix2.so
account  sufficient     pam_winbind.so use_first_pass use_authtok
password required       pam_pwcheck.so
password sufficient     pam_unix2.so
password sufficient     pam_winbind.so use_first_pass use_authtok
session  required       pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  sufficient     pam_unix2.so
session  sufficient     pam_winbind.so use_first_pass use_authtok
session  required       pam_limits.so

If you want to allow AD users to log in to GDM, you have to do the same for /etc/pam.d/gdm. You may try to change other /etc/pam.d/ rules for other apps, to allow them to authenticate AD users.
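Added example (not from the page): a small Python model of how Linux-PAM combines `required` and `sufficient` results, run over the auth stack above with constructed module verdicts. It shows that local accounts are tried first, that `pam_winbind.so` only decides when `pam_unix2.so` does not succeed, and that a failing `pam_nologin.so` or `pam_securetty.so` is never reached for a local user because the `sufficient` line sits above them; `GATED_AUTH_STACK` is an assumed reordering of mine that closes that gap.

```python
# Control flags and module names come from the /etc/pam.d/login auth stack on
# this page; options such as use_first_pass are dropped because they do not
# affect how the results combine.
LOGIN_AUTH_STACK = [
    ("sufficient", "pam_unix2.so"),
    ("required",   "pam_winbind.so"),
    ("required",   "pam_securetty.so"),
    ("required",   "pam_nologin.so"),
    ("required",   "pam_mail.so"),
]

# Assumed rearrangement (not from the page): run the gate-keeping modules
# before the first 'sufficient' line so their failures cannot be skipped.
GATED_AUTH_STACK = [
    ("required",   "pam_securetty.so"),
    ("required",   "pam_nologin.so"),
    ("sufficient", "pam_unix2.so"),
    ("required",   "pam_winbind.so"),
    ("required",   "pam_mail.so"),
]


def run_stack(stack, results):
    """Combine module results the way Linux-PAM does for the classic control
    flags. `results` maps module name -> True (PAM_SUCCESS) or False; modules
    not listed are assumed to succeed. Returns (authenticated, trace)."""
    required_failed = False
    trace = []
    for control, module in stack:
        ok = results.get(module, True)
        trace.append(f"{control:<10} {module:<18} {'success' if ok else 'FAILURE'}")
        if control == "sufficient" and ok and not required_failed:
            trace.append("   -> sufficient module succeeded: stack returns success now")
            return True, trace
        if control == "requisite" and not ok:
            trace.append("   -> requisite module failed: stack returns failure now")
            return False, trace
        if control == "required" and not ok:
            required_failed = True  # remember it, but keep calling the rest
        # 'optional' and a failing 'sufficient' do not change the outcome
    return not required_failed, trace


# Constructed scenarios: the verdicts the individual modules would return.
SCENARIOS = {
    "local user, right password":        {"pam_unix2.so": True,  "pam_winbind.so": False},
    "AD user, right password":           {"pam_unix2.so": False, "pam_winbind.so": True},
    "unknown user / wrong password":     {"pam_unix2.so": False, "pam_winbind.so": False},
    "local user while /etc/nologin set": {"pam_unix2.so": True,  "pam_winbind.so": False,
                                          "pam_nologin.so": False},
    "AD user while /etc/nologin set":    {"pam_unix2.so": False, "pam_winbind.so": True,
                                          "pam_nologin.so": False},
}


def outcomes(stack):
    """Map scenario name -> whether the given stack grants authentication."""
    return {name: run_stack(stack, verdicts)[0] for name, verdicts in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdicts in SCENARIOS.items():
        ok, trace = run_stack(LOGIN_AUTH_STACK, verdicts)
        print(f"{name}: {'auth OK' if ok else 'auth denied'}")
        print("\n".join(trace))
```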


Testing login

Now start a new console session and try to log in with an AD account. As we told winbind to use the default domain, it should not be necessary to add the AD name. Let's assume there is an AD user named kain. Try to log in as:

kain
PARADISE+kain

Both should work. You should notice that /home/example/kain will be created. Log into another session using a local Linux account, and check that you are still able to log in as root. Keep in mind to stay logged in as root in at least one session!

Working with SMB Shares

Earlier we skipped the configuration of the shares. Now that things are working, go back to /etc/samba/smb.conf and add the exports of the host that you want available on the Windows network.

[homes]
  comment = User's homedirs
  # keep this in step with "template homedir" in [Global] (/home/%D/%U on this page)
  path = /home/%U
  # the domain prefix is the short name from "workgroup" joined with
  # "winbind separator"; a leftover "NET+" prefix would never match an EXAMPLE user
  valid users = %S EXAMPLE+%S
  browseable = no
  read only = no

[data]
  comment = Data
  valid users = %S EXAMPLE+%S
  path = /data
  read only = no
  browseable = yes

[Back-up]
  comment = Backup filer
  path = /backup
  read only = no
  browseable = yes
  valid users = @"EXAMPLE+Domain Admins"

Resources