Difference between revisions of "Active Directory Integration"

From ArchWiki
Revision as of 16:09, 15 December 2006

HowTo Arch Linux as Active Directory Member

This guide explains how to make an Arch Linux machine a member of an existing Windows Active Directory domain.

WARNING

Keep backups of all modified files, and test that login still works before rebooting. In the worst case, login will be broken for all users, including root, so be warned.

General

  • What you get:
    • Windows AD users and Arch Linux users are both accepted as users of the Arch Linux box, at the console or in GDM.
    • Windows AD users can use Samba shares like Windows shares.
  • What you won't get:
    • Windows users are simply users on your machine. It is probably possible to make Windows AD admins Linux admins too, but this is not worked out so far in this HowTo.
    • Several other applications use authentication, e.g. sudo. As far as they use PAM, it should be possible to let them check against AD user accounts too, but this is not worked out so far.

Requirements

  • Be a Windows Admin.
  • Be root.
  • Be able to work with linux without X.
  • Be able to edit files.
  • Note: there is no need to extend the AD schema with Linux (POSIX) attributes.

Preparation of the Windows AD Policy

It is necessary to disable "Digital Sign Communication (Always)" (the policy that makes SMB signing mandatory) in the AD group policies. Dive into

'Local policies'
'Security policies'
'Microsoft Network Server'
'Digital sign communication (Always)'
and

  • activate "define this policy" and
  • use the "disable" radio button

This is all you have to do on the Windows side. Let's go on with Arch Linux.

Installation

These packages are needed on the Archlinux machine:

  • Samba
  • Heimdal
  • NTP
  • pam_krb5.so

Most of the packages can be installed by using pacman:

pacman -Sy samba ntp heimdal

To install pam_krb5.so, you have to download pam_krb5-1.60.1-css1_linux.tar.Z for RedHat / Linux from http://www.css-security.com/. Untar it, move into the extracted folder and run:

./install.sh

Now, pam_krb5.so is installed into /lib/security/cssi/, with a symlink into /lib/security.

Configuration

Samba / Winbindd Startup

The current samba package of Arch Linux does include winbindd. While samba can be started as a daemon (/etc/rc.d/samba start), that only starts smbd and nmbd; winbindd is not started. As there already is a feature request with a solution (http://bugs.archlinux.org/task/2261), I follow that approach to have smbd, nmbd and winbindd started at once. By adding /etc/conf.d/samba, where you specify which parts /etc/rc.d/samba should start, and with small changes in /etc/rc.d/samba to source /etc/conf.d/samba, winbindd will be started together with smbd and nmbd.

Create /etc/conf.d/samba:

##### /etc/conf.d/samba #####
#
# Configuration for the samba init script
#

# space separated list of daemons to launch
#DAEMONS=(smbd nmbd)
DAEMONS=(smbd nmbd winbindd)

Change /etc/rc.d/samba:

#!/bin/bash
##### /etc/rc.d/samba #####

. /etc/rc.conf
. /etc/rc.d/functions
[ -f /etc/conf.d/samba ] && . /etc/conf.d/samba

# fall back to the historic set if /etc/conf.d/samba did not define DAEMONS
[ -z "$DAEMONS" ] && DAEMONS=(smbd nmbd)

case "$1" in
  start)
    rc=0
    stat_busy "Starting Samba Server"
    for d in ${DAEMONS[@]}; do
      PID=`pidof -o %PPID /usr/sbin/$d`
      # only launch daemons that are not running yet; an already running
      # daemon is not counted as a start failure
      if [ -z "$PID" ]; then
        /usr/sbin/$d -D
        rc=$(($rc+$?))
      fi
    done
    if [ $rc -gt 0 ]; then
      stat_fail
    else
      add_daemon samba
      stat_done
    fi
    ;;
  stop)
    rc=0
    stat_busy "Stopping Samba Server"
    for d in ${DAEMONS[@]}; do
      PID=`pidof -o %PPID /usr/sbin/$d`
      # only signal daemons that are running; a missing one is not a failure
      if [ -n "$PID" ]; then
        kill $PID &> /dev/null
        rc=$(($rc+$?))
      fi
    done
    if [ $rc -gt 0 ]; then
      stat_fail
    else
      rm /var/run/samba/smbd.pid &>/dev/null
      rm /var/run/samba/nmbd.pid &>/dev/null
      rm /var/run/samba/winbindd.pid &>/dev/null
      rm_daemon samba
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
    ;;
esac
exit 0

Heimdal / Kerberos - /etc/krb5.conf

Let's assume that your AD is named paradise.com. Let's further assume your AD is ruled by two domain controllers, the primary and the secondary one, which are named adam and eve, i.e. adam.paradise.com and eve.paradise.com respectively. Their IP addresses will be 192.168.0.1 and 192.168.0.2 in this example.

##### /etc/krb5.conf #####
[libdefaults]
        default_realm   = PARADISE.COM
        clockskew       = 300
        ticket_lifetime = 1d

[realms]
        PARADISE.COM = {
                kdc            = 192.168.0.1
                kdc            = 192.168.0.2
                default_domain = PARADISE.COM
        }

[domain_realm]
        .paradise.com = PARADISE.COM
        paradise.com  = PARADISE.COM
        paradise      = PARADISE.COM

[appdefaults]
        pam = {
                ticket_lifetime    = 1d
                renew_lifetime     = 1d
                forwardable        = true
                proxiable          = false
                retain_after_close = false
                minimum_uid        = 0
                debug              = false
        }

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc     = FILE:/var/log/kdc.log

Inside an AD, it is important that all machines run the same system time. To synchronize the time, run:

/usr/bin/ntpdate adam.paradise.com

Now you can request a ticket from the AD domain controllers with the following command (the realm must be written in upper case):

# kinit ADMINISTRATOR@PARADISE.COM

You'll now be asked for the password. If it matches, you'll be returned to the console.

PAM Configuration for Login

Now we have to change /etc/pam.d/login so it sends its requests to the AD controllers. For logins, PAM should first ask for AD accounts, and for local accounts if no matching AD account was found. Therefore, we add entries that include pam_winbind.so in the authentication process. Furthermore, we include pam_mkhomedir.so: if an AD user logs in, /home/paradise/user will be created automatically.

#### /etc/pam.d/login ####
#%PAM-1.0
auth     sufficient     pam_unix2.so
auth     required       pam_winbind.so use_first_pass use_authtok
auth     required       pam_securetty.so
auth     required       pam_nologin.so
auth     required       pam_mail.so
account  sufficient     pam_unix2.so
account  sufficient     pam_winbind.so use_first_pass use_authtok
password required       pam_pwcheck.so
password sufficient     pam_unix2.so
password sufficient     pam_winbind.so use_first_pass use_authtok
session  required       pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  sufficient     pam_unix2.so
session  sufficient     pam_winbind.so use_first_pass use_authtok
session  required       pam_limits.so

Note that a sufficient line that succeeds ends the auth stack immediately, so in the file above pam_securetty.so and pam_nologin.so are only consulted when the local pam_unix2.so check fails; move them above pam_unix2.so if they should apply to every login. If you want to allow AD users to log in to GDM, you have to do the same for /etc/pam.d/gdm. You may try to change the other /etc/pam.d/ rules for other applications, to let them authenticate AD users as well.

Samba Configuration for Shares

Samba is highly configurable. Take this example only as a rough idea, hardly polished. Here is what my /etc/samba/smb.conf looks like:

#### /etc/samba/smb.conf ####
[Global]
netbios name = archlinux
workgroup = PARADISE
realm = PARADISE.COM
server string = archlinux
map to guest = Bad User
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind gid = 10000-20000
winbind use default domain = Yes
winbind separator = +
os level = 20

# There's no shell defined for users in AD, so I define a default shell to use
# Not sure if it's even possible to define a shell in AD
template shell = /bin/bash

encrypt passwords = yes
security = ads
password server = adam.paradise.com
preferred master = no
dns proxy = no
wins server = eve.paradise.com
wins proxy = no

admin users = @"NET+domain admins"
force group = "RPDA+domain admins"
inherit acls = Yes
map acl inherit = Yes
acl group control = yes

load printers = no
debug level = 3
use sendfile = no

[homes]
comment = User's homedirs
path = /home/%U
valid users = %S NET+%S
browseable = no
read only = no

[data]
comment = Data
valid users = %S net+%S
path = /data
read only = no
browseable = yes

[Back-up]
comment = Backup filer
path = /backup
read only = no
browseable = yes
valid users = @"NET+Domain Admins"
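A check worth running against the smb.conf above, added here as an example and not part of the original page: the winbind idmap ranges must not contain the UID or GID of any existing local account, otherwise an AD user mapped into that range silently shares file ownership and group permissions with the local account. The sample smb.conf, passwd and group files inside the block are constructed.

```shell
#!/bin/bash
# Added example, not part of the wiki page: check that the winbind idmap ranges
# in smb.conf do not collide with the UIDs/GIDs of existing local accounts.
# File paths are parameters so the check can run offline on constructed input.

# Print "low high" for an smb.conf range key such as "idmap uid"; nothing if absent.
idmap_range() {            # $1 = key (lower case), $2 = smb.conf path
    awk -v key="$1" -F= '
        NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = $2; gsub(/[ \t]/, "", v)
                split(v, r, "-"); print r[1], r[2]; exit
            }
        }' "$2"
}

# Print name:id for every entry of a passwd/group style file whose numeric id
# (third field) lies inside [low, high]; exit 1 if at least one was found.
ids_in_range() {           # $1 = low, $2 = high, $3 = passwd or group file
    awk -v lo="$1" -v hi="$2" -F: '
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3; found = 1 }
        END { exit found ? 1 : 0 }' "$3"
}

# Exit 0 when neither range overlaps a local account, 1 when an overlap was printed.
check_idmap_overlap() {    # $1 = smb.conf, $2 = passwd file, $3 = group file
    local rc=0 range
    range=$(idmap_range "idmap uid" "$1")
    # $range is deliberately unquoted: it expands to the two arguments low and high
    if [ -n "$range" ]; then ids_in_range $range "$2" || rc=1; fi
    range=$(idmap_range "idmap gid" "$1")
    if [ -n "$range" ]; then ids_in_range $range "$3" || rc=1; fi
    return $rc
}

# Constructed sample files (not real system files): the local "backup" account
# was created with uid 15000, inside the 10000-20000 idmap range from the page.
demo=$(mktemp -d)
printf '[Global]\n   workgroup = PARADISE\n   idmap uid = 10000-20000\n   idmap gid = 10000-20000\n' > "$demo/smb.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nbackup:x:15000:100::/backup:/bin/false\n' > "$demo/passwd"
printf 'root:x:0:\nusers:x:100:\n' > "$demo/group"

if check_idmap_overlap "$demo/smb.conf" "$demo/passwd" "$demo/group"; then
    echo "idmap ranges are free of local accounts"
else
    echo "the local accounts listed above collide with the idmap range: move them or change the range"
fi
```

Run it against the real files with check_idmap_overlap /etc/samba/smb.conf /etc/passwd /etc/group before starting winbindd.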

We now have to tell Samba to use the domain controller's database for authentication queries. Again, we use winbindd, which is part of the samba package. Winbind maps the UIDs and GIDs of the AD onto our Linux machine. Winbind uses a Unix implementation of RPC calls, Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS) to let Windows AD users access the Linux machine and to grant them permissions. The best part of winbindd is that you don't have to define the mapping yourself; you only define a range of UIDs and GIDs, which is what we did in smb.conf. To include winbindd in NSS lookups, edit /etc/nsswitch.conf and append winbind to the lines shown here:

#### /etc/nsswitch.conf ####
passwd:            ... winbind
shadow:            ... winbind
group:             ... winbind

Testing

We can now test in several ways. First, a test of the Samba and winbind configuration:

/etc/rc.d/samba restart
/usr/sbin/winbindd

For the paranoid, we can check that winbindd is actually running:

ps -aux | grep winbind

To test whether we can get information out of the PDC:

/usr/bin/wbinfo -u     or wbinfo -u

We should now have a printed list of the users in the PDC. We can do the same with the groups:

/usr/bin/wbinfo -g   or wbinfo -g

We can use the getent commands to get both the local and the PDC user lists. These options generate lists of data in the same form as /etc/passwd and /etc/group. It is a good idea to test whether the AD's users are valid on our Linux server:

touch testfile
chown "TEST+Guest" testfile

If this works, well done, there are no more problems.

Samba Server on the domain

Some useful commands:

# net ads info
LDAP server: 192.168.X.X
LDAP server name: win2003
Realm: TEST.DK
Bind Path: dc=TEST,dc=DK
LDAP port: 389
Server time: Wed, 01 Mar 2006 14:59:44 GMT
KDC server: 192.168.X.X
Server time offset: -7

# net ads lookup
# net ads status
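The Server time offset line in the net ads info output above is the quickest clock-skew check. The script below, an added example rather than the page's own, parses it together with the clockskew value from krb5.conf and reports whether Kerberos will accept the offset; the krb5.conf excerpt and the two net ads info captures it reads are constructed from the page's examples.

```shell
#!/bin/bash
# Added example, not part of the wiki page: compare the "Server time offset"
# reported by `net ads info` with the clockskew tolerance from krb5.conf.
# Kerberos rejects requests when client and KDC clocks differ by more than
# clockskew (300 s in the configuration above), so a failing kinit or join is
# often just a clock problem. Inputs are files so the check also works on
# captured output.

# Print the clockskew value in seconds from krb5.conf (300 if not set).
krb5_clockskew() {         # $1 = krb5.conf path
    awk -F= '
        /^[ \t]*clockskew[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v); print v; found = 1; exit }
        END { if (!found) print 300 }' "$1"
}

# Print the signed offset in seconds from a "Server time offset:" line.
ads_time_offset() {        # $1 = file holding `net ads info` output
    awk -F: '/^Server time offset:/ { v = $2; gsub(/[ \t]/, "", v); print v; exit }' "$1"
}

# Print a verdict; exit 0 when |offset| < clockskew, 1 when it is not,
# 2 when the captured output has no offset line at all.
check_skew() {             # $1 = krb5.conf, $2 = file holding `net ads info` output
    local skew off abs
    skew=$(krb5_clockskew "$1")
    off=$(ads_time_offset "$2")
    if [ -z "$off" ]; then
        echo "no 'Server time offset' line found: is the machine joined and the DC reachable?"
        return 2
    fi
    abs=${off#[-+]}                       # strip the sign to compare magnitudes
    if [ "$abs" -lt "$skew" ]; then
        echo "clock offset ${off}s is within clockskew ${skew}s"
        return 0
    fi
    echo "clock offset ${off}s exceeds clockskew ${skew}s: run ntpdate before kinit"
    return 1
}

# Constructed sample inputs based on the configuration and output shown above.
demo=$(mktemp -d)
printf '[libdefaults]\n        default_realm = PARADISE.COM\n        clockskew = 300\n' > "$demo/krb5.conf"
printf 'Realm: PARADISE.COM\nLDAP port: 389\nServer time offset: -7\n' > "$demo/ads-info.txt"
printf 'Realm: PARADISE.COM\nServer time offset: -412\n' > "$demo/ads-info-drifted.txt"

check_skew "$demo/krb5.conf" "$demo/ads-info.txt"
check_skew "$demo/krb5.conf" "$demo/ads-info-drifted.txt" || true   # exit status 1 is the point here
```

On a joined machine, feed it the live output with net ads info > /tmp/ads-info.txt and check_skew /etc/krb5.conf /tmp/ads-info.txt.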

Let's get on to the last part: registering our Linux server in our Windows domain.

# net ads join -U Administrator
Administrator's password:
Using short domain name -- TEST
Joined 'MACHINE-NAME' to realm 'TEST.DK'

To check that everything happened the correct way, go to your PDC and look in the AD under Computers. There should now be a record of your machine. And last, to leave the domain, the command is:

# net ads leave
Removed 'MACHINE-NAME' from realm 'TEST.DK'

More info:

Everything there is to know about Samba

Please feel free to comment on this article, but if you edit it, PLEASE LET ME KNOW.