Just needed to auth a Redhat (actually Centos) 4 update 4 machine from an Active Directory server, thought I ought to make a note for future reference
It is worth gathering some information before you start, you will need the follow:
AD Domain, in the example I use HILDEBRANDTECH
Domain Controllers, in the example i use win23kent.hildebrandtechnology.local
ADS Realm, mine was HILDEBRANDTECHNOLOGY.LOCAL
It seems that for all of this case is important. Thanks Microsoft.
Other things to watch for are:
- Your client machine can resolve the hostname of your ad server, try with ping now and if it fails fix it before you start.
- Check your clocks are in sync, kerberos uses time based tickets so any clock skew at all will cause problems.
Because I was using RedHat Enterprise I had the luxury of using the authconfig. Login as root or su and run authconfig from the command line, you will be presented with some options for where the machine should source user and authentication data from. You need to tick the ‘Use Winbind’ option in both columns, after making my selections mine looked like this:
After making the correct settings, hit next. On the next screen you need to enter all the information you gathered before starting. Additionally I chose /bin/bash as the template shell:
After typing all the above in hit Ok. You can choose ‘Join Domain’ at this point but I prefer to do that manually so you can ensure it was successful.
Once you are at your prompt again, run the following:
[root@adc-a04 ~]# net ads join -U administrator
Using short domain name -- HILDEBRANDTECH
Joined 'ADC-A04' to realm 'HILDEBRANDTECHNOLOGY.LOCAL'
If you see a message similar to the above your machine should now be joined to the domain.
If you now run ‘getent passwd’ you should see some extra users are displayed, the ones gathered from the AD. An example of one is shown below.
You should now be able to login as ‘HILDEBRANDTECH\robin’. By default winbind requires the domain to be entered as part of the username. If your linux machine is only going to authenticate from a single AD realm you can make a small change to smb.conf to avoid this.
In /etc/samba/smb.conf look for the line which reads:
winbind use default domain = no
And change the no to yes. Then issue a ‘service winbind restart’ and re-run your ‘getent passwd’ you should notice the domain component of all the usernames has gone. Now you can simple use ‘robin’ to login.
Your users should now be able to login. There is a slight problem in that they will have no home accounts, pam can help with this though.
If you edit /etc/pam.d/login and add the following as the last line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Pam will auto create the user a home account when they first login.
There is one minor issue with the default winbind settings for home accounts, by default winbind is configured set AD users’ home accounts to /home/DOMAIN/USER this is fine in our setup but pam refuses to create the DOMAIN directory, so none of the home accounts will get created.
You can fix this in one of two ways. First, manually create the /home/DOMAIN for each of your AD domains, this will likely be just the one. Or and this might suit better, change the structure of home accounts for AD users. This is done in /etc/samba/smb.conf. You need to add or edit a line like the following:
template homedir = /home/%U
The default here is %D/%U. %D gets expanded to the DOMAIN. The official samba documentation for this setting is here
Hopefully after all that you can still login, and your AD users can too.