This was tested on RHEL AS4 and SuSE 10.2 using Winbind, which requires no changes to the AD schema. Winbind's UID mappings are independent on each Linux workstation (the same AD user can receive a different UID on each machine).
You must have an AD domain controller to connect to. If the name of your domain is domain.com, then your computer's name must be in the domain.com DNS subdomain.
Otherwise, domain membership will NOT work!!!
You must also have an administrative account that is allowed to join computers to the AD domain.
Before you do anything, make a backup copy of the following files, which will be edited by the authconfig tool in RHEL 4 and the YaST2 config tool in SuSE 10.2:
/etc/nsswitch.conf
/etc/krb5.conf
/etc/krb.realms
/etc/krb.conf
/etc/samba/smb.conf
/etc/pam.d/login
/etc/pam.d/sshd
/etc/pam.d/gdm (RHEL)
/etc/pam.d/xdm (SuSE)
RHEL AS4
- authconfig: The majority of the configuration can be accomplished with the authconfig utility. Authconfig displays 2 lists. On the left is a list of sources of user information; these sources are consulted to determine a user's full name, user ID, group ID, and so forth. On the right is a list of valid authorities to authenticate a user's password.
- Make sure to leave "Use MD5 Passwords" and "Use Shadow Passwords" selected, since we want to add an additional way to authenticate, not remove local authentication. Select "Use Winbind" and "Use Winbind Authentication". See below for the settings I entered.
Security Model: (*) ads
( ) domain
Domain: "Your Domain Name"
Domain Controllers: FQDN of your AD controller
ADS Realm: AD Realm
Template Shell: ( ) /bin/false
( ) /sbin/nologin
( ) /bin/sh
(*) /bin/bash
( ) /bin/tcsh
Note: DO NOT SELECT THE JOIN DOMAIN BUTTON, AS IT WILL NOT PROVIDE ANY INFORMATION AS TO WHETHER IT WORKED OR NOT!!
Select the OK button. When you select OK you will see a message similar to the following:
[dlopez@developer ~]$ sudo authconfig
Shutting down Winbind services: [FAILED]
Starting Winbind services: [ OK ]
- Although authconfig configures "most" of the critical authentication-related files in the system correctly, the system still doesn't have what it needs to create local home directories for users. Without a local home directory, login attempts for any user will fail.
- Configure PAM to Create Home Directories As Needed. Since Linux doesn't have a registry or notion of user profiles, the home directory is crucial. There are many ways to log in to a Linux system; we are going to edit 3 files so that home directories get created automatically when a user logs in via any of those 3 methods. The files are:
/etc/pam.d/sshd (ssh access)
/etc/pam.d/login (console access)
/etc/pam.d/gdm (GUI login - gnome)
Add the following line to each of the files listed above:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
- Samba is a suite of services and client applications that provide Windows file-sharing protocols to Linux clients and servers. Winbind (the thing that gets us authentication to AD) is part of the Samba suite. Some Samba configuration is still required on the Linux client to tell the system exactly where to create the home directories when users log in via AD. It's all configured in the /etc/samba/smb.conf file.
- First create the parent directory.
mkdir /home/AD
In the real world, replace AD with the Windows NT-style "short" name of your AD domain, IN ALL CAPS. If you try with lowercase, it won't work.
- Set permissions on the newly created directory.
chmod 755 /home/AD
- Next edit the smb.conf file and add the following line to the "[global]" section of the config file.
template homedir = /home/%D/%U
The %D variable is replaced with the NT-style short Windows domain name, and the %U variable is replaced with the Windows user logon name in lowercase.
- Restart winbind service: service winbind restart
- Join the computer to the domain:
(as root) [dlopez@developer ~]$ sudo net ads join -U administrator
administrator's password:
Using short domain name -- AD
Joined 'HOSTNAME' to realm 'DOMAIN.COM'
Check that you can resolve your domain controller's IP address.
Make sure to enter just the administrator username, not AD\administrator.
Make sure the client's clock is close to the Kerberos server's (the domain controller's).
Make sure SELinux is set to permissive, or edit the SELinux policy accordingly.
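The join only succeeds when the prerequisites above hold, so it is worth checking them before typing "net ads join". The script below is an added example and not part of the original page: it turns the requirements into small checks (host name inside the domain, DC resolvable, clock within Kerberos' default 300-second skew tolerance, SELinux not enforcing) and adds a post-join check built on "net ads testjoin" and wbinfo. DC, REALM and NTDOMAIN are placeholder values to override in the environment, and the parsing of "net time -S" output with GNU date is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: pre-join sanity checks for the
# requirements listed above plus a post-join check.
# DC, REALM and NTDOMAIN are assumed placeholders; override them in the environment.
DC="${DC:-dc1.domain.com}"      # FQDN of a domain controller (placeholder)
REALM="${REALM:-DOMAIN.COM}"    # AD realm / DNS domain, upper case (placeholder)
NTDOMAIN="${NTDOMAIN:-AD}"      # NT-style short domain name (placeholder)
MAX_SKEW=300                    # Kerberos' default clock-skew tolerance, in seconds

# 0 if FQDN $1 lies inside DNS domain $2 (case-insensitive).
# "evildomain.com" is not inside "domain.com": the dot before the domain is required.
fqdn_in_domain() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$host" in
        *."$dom") return 0 ;;
        *)        return 1 ;;
    esac
}

# 0 if epoch seconds $1 and $2 differ by at most MAX_SKEW.
clock_skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "$MAX_SKEW" ]
}

# 0 if $1 looks like an NT short domain name in upper case (winbind expands
# %D to this form, so /home/%D must match it exactly).
short_name_ok() {
    case "$1" in
        '' | *[![:upper:][:digit:]_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Live checks against this host (not exercised by the offline test).
preflight() {
    rc=0
    fqdn_in_domain "$(hostname -f)" "$REALM" || { echo "FAIL: $(hostname -f) is not inside $REALM"; rc=1; }
    short_name_ok "$NTDOMAIN" || { echo "FAIL: short domain name must be upper case: $NTDOMAIN"; rc=1; }
    getent hosts "$DC" >/dev/null || { echo "FAIL: cannot resolve $DC"; rc=1; }
    # Assumption: 'net time -S' prints a ctime-style date that GNU date can parse.
    dc_time=$(net time -S "$DC" 2>/dev/null) || dc_time=
    if [ -n "$dc_time" ] && dc_epoch=$(date -d "$dc_time" +%s 2>/dev/null); then
        clock_skew_ok "$(date +%s)" "$dc_epoch" || { echo "FAIL: clock differs from $DC by more than $MAX_SKEW s"; rc=1; }
    else
        echo "WARN: could not read the time from $DC"
    fi
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = Enforcing ]; then
        echo "WARN: SELinux is enforcing; set it permissive or adjust the policy"
    fi
    return $rc
}

# After 'net ads join': confirm the machine account and winbind lookups work.
verify_join() {
    net ads testjoin && wbinfo -t && wbinfo -u | head -n 5
}

if [ "${1:-}" = check ]; then preflight; fi
```

Run it as "DC=yourdc.domain.com REALM=DOMAIN.COM sh preflight.sh check" before the join, and "verify_join" afterwards; a failing "wbinfo -t" means the machine trust account is not usable and logins will fail even though the join printed success.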
SuSE 10.2
- YaST2 -> Network Services -> Windows Domain Membership. Enter the domain name: DOMAIN.COM. Check the boxes next to: Also use SMB Information for Linux Authentication, Create home directory on login, Offline Authentication.
- Select the Finish button and you should receive a pop-up that this computer is not joined to the domain yet. Enter the authorized user's name and password in order to join the computer to the domain. Upon success your computer will be joined to the domain.
- Without a local home directory, login attempts for any user will fail!!!
- Configure PAM to Create Home Directories As Needed. Since Linux doesn't have a registry or notion of user profiles, the home directory is crucial. There are many ways to log in to a Linux system; we are going to edit 3 files so that home directories get created automatically when a user logs in via any of those 3 methods. The files are:
/etc/pam.d/sshd (ssh access)
/etc/pam.d/login (console access)
/etc/pam.d/xdm (GUI login - gnome)
Add the following line to each of the files listed above:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
- Samba is a suite of services and client applications that provide Windows file-sharing protocols to Linux clients and servers. Winbind (the thing that gets us authentication to AD) is part of the Samba suite. Some Samba configuration is still required on the Linux client to tell the system exactly where to create the home directories when users log in via AD. It's all configured in the /etc/samba/smb.conf file.
- First create the parent directory.
mkdir /home/AD
In the real world, replace AD (shown above) with the Windows NT-style "short" name of your AD domain, IN ALL CAPS.
If you try with lowercase, it won't work.
- Set permissions on the newly created directory.
chmod 755 /home/AD
- For SuSE 10.2 the following line was added by the GUI to the smb.conf file:
template homedir = /home/%D/%U
The %D variable is replaced with the NT-style short Windows domain name, and the %U variable is replaced with the Windows user logon name in lowercase.
- Restart winbind service: sudo /sbin/service winbind restart
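The PAM and smb.conf edits are the same on RHEL and SuSE apart from the display-manager file (gdm versus xdm), and they are easy to get wrong by hand: a second pam_mkhomedir line, a lower-case domain directory, or template homedir outside [global]. The script below is an added example, not part of the original page or of Samba, that performs those edits idempotently for both distributions. It assumes a ROOT prefix variable (empty for the live system, a scratch directory for a dry run), keeps a one-time .orig backup of each file it touches as recommended at the top of the page, and NTDOMAIN is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: an idempotent helper for the
# client-side edits described above (backups, pam_mkhomedir lines, the
# /home/<DOMAIN> parent directory and "template homedir" in smb.conf).
# ROOT is an assumed prefix so the functions can be tried on a scratch tree;
# leave it empty to edit the live system. NTDOMAIN is a placeholder.
ROOT="${ROOT:-}"
NTDOMAIN="${NTDOMAIN:-AD}"      # NT-style short domain name, must be upper case
PAM_LINE='session required pam_mkhomedir.so skel=/etc/skel umask=0077'

# Keep one pristine copy (file.orig) before the first edit, as recommended above.
backup_once() {
    if [ -f "$1" ] && [ ! -f "$1.orig" ]; then cp -p "$1" "$1.orig"; fi
}

# Append the pam_mkhomedir session line to a PAM service file unless present.
# Returns 1 if the service file does not exist (e.g. gdm on a headless box).
add_mkhomedir() {
    f="$1"
    [ -f "$f" ] || return 1
    if grep -q 'pam_mkhomedir\.so' "$f"; then return 0; fi
    backup_once "$f"
    printf '%s\n' "$PAM_LINE" >> "$f"
}

# Create /home/<NTDOMAIN> with mode 755. Winbind expands %D to the upper-case
# short name, so a lower-case directory would never be used; refuse it.
make_domain_home() {
    case "$NTDOMAIN" in
        *[[:lower:]]*) echo "short domain name must be upper case: $NTDOMAIN" >&2; return 1 ;;
    esac
    mkdir -p "$ROOT/home/$NTDOMAIN" && chmod 755 "$ROOT/home/$NTDOMAIN"
}

# Put "template homedir = /home/%D/%U" right after the [global] header unless
# smb.conf already sets template homedir somewhere.
set_template_homedir() {
    f="$1"
    [ -f "$f" ] || return 1
    if grep -qi '^[[:space:]]*template homedir' "$f"; then return 0; fi
    backup_once "$f"
    awk '{ print }
         /^\[global\]/ && !done { print "   template homedir = /home/%D/%U"; done = 1 }' \
        "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Apply everything for the PAM services given as arguments,
# e.g. "apply login sshd gdm" on RHEL or "apply login sshd xdm" on SuSE.
main() {
    for svc in "$@"; do
        add_mkhomedir "$ROOT/etc/pam.d/$svc" || echo "skipped missing $ROOT/etc/pam.d/$svc" >&2
    done
    make_domain_home
    set_template_homedir "$ROOT/etc/samba/smb.conf"
}

if [ "${1:-}" = apply ]; then shift; main "$@"; fi
```

Run "sh ad-homedirs.sh apply login sshd gdm" (or xdm on SuSE) as root, then restart winbind as described above. Running it twice changes nothing, and the .orig copies are what you diff against if logins start failing after the change.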
- Test by pressing Ctrl+Alt+F2 to switch to a login console. Enter AD\username and that AD user's password. It should log you in successfully.
Troubleshooting:
Once the computer has been successfully added to the domain, you can try to SSH in like this:
ssh AD\\username@servername
Or log in to the console like this:
AD\username
Enter password
In both cases you should automatically be put in your home directory, /home/AD/username.