Using winbind with Win2003 R2 AD and Microsoft Identity Management for UNIX for UID/GID mappings

gessi
Posts: 4
Joined: 2009/11/02 16:25:12

Using winbind with Win2003 R2 AD and Microsoft Identity Management for UNIX for UID/GID mappings

Post by gessi » 2009/11/10 10:00:39

Hello,

Can someone give me some ideas/hints about the following situation and about configuring authentication for Windows users on my CentOS clients, please?

IHAC WIN2003 R2 domain controller with ALL my users and groups maintained there. For user mapping (SID to UID/GID) I want to use IMU, which is included with WIN2003 R2 server and extends my Active Directory schema for UID, GID, NIS domain etc.

I now want to authenticate my Windows users on my CentOS clients via their "domainname\username" and passwords.

I also have a NAS server which has user mapping integrated and resolves the Windows SIDs to the UIDs/GIDs configured within the IMU schema extensions.

Now I have no idea how to set up my CentOS clients to use winbind, PAM and LDAP (IMU supports LDAP queries for UID/GID resolving) WITHOUT needing any Samba server or functionality.

* Do I need to configure the smb.conf file, given that my user mapping is done on the NAS server and I want to resolve my Windows users'/groups' UIDs/GIDs from IMU via LDAP?

* Do I (just) need to join the AD (2003 native), or even use Kerberos with keytab files generated by ktpass.exe (what is needed/recommended, and what is the difference)? Can I authenticate the users without using Kerberos?

For example, my username is "domain\user_a" and within IMU the UID is set to "12345"; I don't want Samba/winbind to do user mapping again based on the values configured in the smb.conf file.

Some hints would be really nice, so I can understand how exactly it works and what is needed...

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

Re: Using winbind with Win2003 R2 AD and Microsoft Identity Management for UNIX for UID/GID mappings

Post by ixeous » 2009/11/10 18:58:22

We do this all the time. It is very simple once you've done it. The instructions below came from someone that I used to work with so it includes some things that I do not use such as random root passwords and SELinux. They are not required. I'll try to format it so it is reasonable to follow.

General Setup

-Ensure the box is fully patched, and that it is keeping proper time

-Use yum to install the following packages (if they're not already):
---samba
---ntp
---sharutils (only needed if you're generating a random root password to lock the box down later)

-If the box isn't on the same subnet as the domain controller (i.e., in the production subnet), you'll probably have to add a hosts file entry for the domain controller
---192.168.1.1 dc1.example.com dc1
---192.168.1.2 dc2.example.com dc2

Winbind Setup

-Use the GUI tool "system-config-authentication" (or the console tool "authconfig") and enable winbind for both authentication and user information with the following info (you will join the box to the domain at this time):
---Winbind Domain:
---Security Model: ads
---Winbind ADS realm: (most likely the FQDN of your AD)
---Winbind Domain Controllers: dc1.example.com,dc2.example.com
---Template Shell: /bin/bash

-If you will also have local user accounts, you need to select "Local authorization is sufficient for local users" on the "Options" tab as well

-To make it less problematic to log in, replace the default domain separator ("\") with "+":

-Edit /etc/samba/smb.conf, adding the following line in the "global" section:
---winbind separator = +
---Modify the line "winbind use default domain = false" to "= true" (this allows using username rather than domain+username to log in)
---If you are using SELinux, winbindd doesn't have access to /etc/samba/secrets.tdb (created when you joined the box to the domain). To fix this:
------With the GUI tool
---------Fix with the GUI tool "system-config-securitylevel": on the SELinux tab, open the "other" tree and check the boxes for "winbind_disable_trans" and "use_samba_home_dirs"
------From the console
---------setsebool -P winbind_disable_trans 1
---------setsebool -P use_samba_home_dirs 1
---------setsebool -P httpd_disable_trans 1 (groupware needed this)
------Switching between SELinux enabled and disabled requires a reboot. SELinux labels files in a way that when a switch is made, the labels may cause programs to act peculiar. Fix: Have init relabel the files before they can be used
---------touch /.autorelabel
---------reboot

-To have winbind make your home folders for you automatically, add the following line just before the "session" criteria section in /etc/pam.d/system-auth:
---session required pam_mkhomedir.so skel=/etc/skel umask=0022

-Go ahead and create /home/

-If you want to use the gui login, you'll have to restart the GUI as well, either via reboot (bad) or by changing from runlevel 5 to 3 and back to 5

-run visudo and add the following line:
---%+Domain\ Admins ALL=(ALL) ALL

-Create the file randomPasswdChange.sh (0700 root:root) in /root/bin

#!/bin/bash
# 10 random bytes, base64-encoded by uuencode -m; the middle line of its output is the password
head -c 10 /dev/random | uuencode -m - | tail -n 2 | head -n 1 | passwd --stdin root

-Set a random password for the root account (Don't worry, sudo will still work)
---/root/bin/randomPasswdChange.sh

-Now have cron change the root password to a random value hourly
---MAILTO=""
---00 * * * * /root/bin/randomPasswdChange.sh

-Set winbind to run at startup

-Start winbindd

You should be able to login with your domain user name and password now, and you can sudo using the same.
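As an added example (not from either post and not Samba project code), the script below addresses gessi's original concern about winbind re-mapping users that the setup steps above do not cover: it renders a winbind-only smb.conf whose UID/GID mapping comes from the RFC 2307 attributes (uidNumber/gidNumber) that Identity Management for UNIX stores in AD, checks a config for the backend setting that would instead allocate local UIDs unrelated to the NAS, and, on a joined host, verifies that a user resolves to the UID set in AD. The realm EXAMPLE.COM, the NetBIOS domain EXAMPLE, the ID range 10000-999999 and the function names are assumptions for illustration; the `idmap config DOMAIN : ...` syntax is the Samba 3.3+/4.x form (Samba 3.0.x used `idmap domains = EXAMPLE` together with `idmap config EXAMPLE:backend = ad`).

```shell
#!/bin/bash
# Added example, not from the forum post or from Samba: winbind-only smb.conf
# that takes UID/GID from the AD rfc2307 attributes written by IMU, plus a
# check for the setting that silently re-maps users locally.
# Assumptions (illustrative): realm EXAMPLE.COM, NetBIOS domain EXAMPLE,
# AD range 10000-999999 covering the IMU-assigned IDs.
set -e

render_smb_conf() {    # render_smb_conf REALM WORKGROUP
  local realm="$1" workgroup="$2"
  cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ads
    # No shares are exported: only winbindd runs, smbd/nmbd stay stopped.

    # Default domain (BUILTIN, well-known SIDs): allocate locally, high range.
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    # AD domain: read uidNumber/gidNumber from AD instead of allocating, so
    # user_a with uidNumber 12345 in IMU is UID 12345 here and on the NAS.
    idmap config $workgroup : backend = ad
    idmap config $workgroup : schema_mode = rfc2307
    idmap config $workgroup : range = 10000-999999
    # Also take loginShell/unixHomeDirectory from AD rather than the templates.
    winbind nss info = rfc2307

    winbind use default domain = yes
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    template shell = /bin/bash
    template homedir = /home/%U
EOF
}

# check_idmap_config FILE WORKGROUP: succeed only if the AD domain is mapped by
# the "ad" backend with the rfc2307 schema under security = ads. A tdb or rid
# backend for the domain hands out UIDs that will not match the NAS.
check_idmap_config() {
  local file="$1" wg="$2"
  grep -Eq "^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$" "$file" || return 1
  grep -Eq "^[[:space:]]*idmap config ${wg}[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*ad[[:space:]]*$" "$file" || return 1
  grep -Eq "^[[:space:]]*idmap config ${wg}[[:space:]]*:[[:space:]]*schema_mode[[:space:]]*=[[:space:]]*rfc2307[[:space:]]*$" "$file" || return 1
}

# verify_mapping USER EXPECTED_UID: on a joined host with winbindd running,
# confirm the trust secret, that winbind resolves the user, and that NSS
# returns the IMU-assigned UID rather than a locally allocated one.
verify_mapping() {
  local user="$1" expected="$2" uid
  wbinfo -t >/dev/null || { echo "trust secret check failed: not joined?"; return 1; }
  wbinfo -i "$user" >/dev/null || { echo "winbind cannot resolve $user"; return 1; }
  uid=$(getent passwd "$user" | cut -d: -f3)
  [ "$uid" = "$expected" ] || { echo "UID for $user is '$uid', expected $expected"; return 1; }
  echo "$user -> UID $uid (matches AD)"
}

main() {
  local tmp good bad
  tmp=$(mktemp -d)
  good="$tmp/smb.conf.good"; bad="$tmp/smb.conf.bad"
  render_smb_conf EXAMPLE.COM EXAMPLE > "$good"
  # Weak variant: same file but the domain mapped by tdb, i.e. local allocation.
  sed 's/^\( *idmap config EXAMPLE : backend = \)ad$/\1tdb/' "$good" > "$bad"
  check_idmap_config "$good" EXAMPLE && echo "good config: UID/GID taken from AD rfc2307 attributes"
  check_idmap_config "$bad" EXAMPLE || echo "bad config: domain SIDs would be mapped locally (tdb)"
  rm -rf "$tmp"
}

main
```

After installing the rendered file as /etc/samba/smb.conf and joining (`net ads join -U Administrator`), `verify_mapping user_a 12345` is the check to run: it fails loudly if the box allocated its own UID instead of reading the one IMU holds for the account.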
