Thursday, December 31, 2009



1. Windows AD integration
2. Avoids having to define users in 2 places: Windows, Linux
3. Uses Kerberos for authentication


1. krb5-* packages

2. Properly configured Kerberos environment:

default_realm = AD2.LINUXCBT.INTERNAL
kdc = linuxcbtwin3.ad2.linuxcbt.internal
admin_server = linuxcbtwin3
.linuxcbtwin3.ad2.linuxcbt.internal = AD2.LINUXCBT.INTERNAL
1. Update: /etc/krb5.conf
2. Update Samba configuration to use ADS authentication
3. Update Samba server's DNS to point to ADS server
   • /etc/hosts - including a pointer to the ADS server (linuxcbtwin3)
4. Join AD domain:
   • 'net ads join -U administrator'
5. Confirm AD membership using: 'Active Directory Users & Computers' Tool
6. Set up Winbind to authenticate using ADS:
   • /etc/pam.d/system-auth - account & auth settings
     auth sufficient /lib/security/ - place before ''
     account sufficient /lib/security/
   • /etc/nsswitch.conf
     passwd: files winbind
     group: files winbind
   • Configure 'idmap' 'uid & gid' mappings - 10000 – 20000
   • Use SWAT to update idmap settings for 'uid & gid'
   Note: If you want ADS users to be able to log on to your Samba-Winbind Linux box using SSH, Telnet, mingetty, etc., change the 'Template Shell' directive to a valid shell, e.g. /bin/bash
   • Create 'Template homedir' %D (Domain) directory beneath '/home'
     mkdir /home/LINUXGENIUS

7. Test Winbind integration using: wbinfo
   • wbinfo -u - this enumerates users in AD
   • wbinfo -g - this enumerates groups in AD
   • ssh into LINUXCBTSERV1 (Winbind) as ADS user
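
The files edited in steps 1-6 have to agree with each other before the join and the wbinfo tests behave. The script below is an added example, not part of the original notes: it checks copies of krb5.conf, smb.conf, nsswitch.conf and a shells list for consistency. The function names are hypothetical, and it assumes the standard smb.conf parameters security, realm and template shell.

```shell
#!/bin/sh
# Added example: offline consistency check of the files touched in steps 1-6.
# File paths are arguments, so it can run against copies of the real files.

# conf_get FILE KEY -> print the value of the first "KEY = value" line.
# Key match ignores case and whitespace, as smb.conf parameter names do.
conf_get() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); gsub(/[ \t]/, "", key) }
        /^[ \t]*[#;]/ || !index($0, "=") { next }
        {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# nss_has_winbind FILE DB -> 0 if DB lists "files" and, after it, "winbind"
nss_has_winbind() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) {
            if ($i == "files") f = i; if ($i == "winbind") w = i } }
        END { exit !(f && w && f < w) }' "$1"
}

# check_winbind_ads KRB5_CONF SMB_CONF NSSWITCH_CONF SHELLS_FILE
# Prints one line per problem; exit status is the number of failed checks.
check_winbind_ads() {
    fails=0
    krb_realm=$(conf_get "$1" default_realm)
    smb_realm=$(conf_get "$2" realm)
    [ "$(conf_get "$2" security | tr 'A-Z' 'a-z')" = "ads" ] ||
        { echo "FAIL: smb.conf security is not ads"; fails=$((fails + 1)); }
    [ -n "$krb_realm" ] && [ "$krb_realm" = "$smb_realm" ] ||
        { echo "FAIL: realm krb5='$krb_realm' smb='$smb_realm'"; fails=$((fails + 1)); }
    for db in passwd group; do
        nss_has_winbind "$3" "$db" ||
            { echo "FAIL: nsswitch.conf $db lacks 'files winbind'"; fails=$((fails + 1)); }
    done
    shell=$(conf_get "$2" "template shell")
    [ -n "$shell" ] && grep -qxF "$shell" "$4" 2>/dev/null ||
        { echo "FAIL: template shell '$shell' is not a listed shell"; fails=$((fails + 1)); }
    return "$fails"
}

# Run directly when given the four paths, e.g. the real files plus /etc/shells
if [ "$#" -eq 4 ]; then check_winbind_ads "$@"; fi
```

An unset template shell is reported as a failure because ADS users would then have no valid login shell, which is the case the note in step 6 warns about.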


1. Authenticate using ADS, as 'administrator' from Windows box

2. Create a user named 'linuxcbt' in AD

3. Create shared directory on the Samba box, and provide access (Share it)
