Windows Authentication on CentOS 5.3
Install the Samba package.
yum install samba
Tweak the Samba config file for your network.
mv /etc/samba/smb.conf /etc/samba/smb.conf.1
vi /etc/samba/smb.conf
#---
[global]
security = ads
realm = DOMAIN.COM
password server = 192.168.1.10
workgroup = DOMAIN
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
# This allows logins w/o specifying DOMAIN
# winbind use default domain = yes
restrict anonymous = 2
#---
Enable and start the Samba and Winbind services.
chkconfig smb on
chkconfig winbind on
/etc/init.d/smb start
/etc/init.d/winbind start
Add the Active Directory server and this machine to your hosts file.
vi /etc/hosts
#---
192.168.1.100 centos.domain.com centos
192.168.1.10 windows.domain.com windows
#---
Verify you are using the domain server(s) for DNS.
vi /etc/resolv.conf
#---
domain domain.com
nameserver 192.168.1.10
#---
Configure Kerberos for the Windows domain.
vi /etc/krb5.conf
#---
[libdefaults]
default_realm = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = windows.domain.com:88
admin_server = windows.domain.com:749
default_domain = domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
#---
Request a Kerberos ticket and join the domain.
kinit Administrator@DOMAIN.COM
net ads join -U Administrator
Edit the nsswitch.conf file to include Winbind.
vi /etc/nsswitch.conf
#---
passwd: compat winbind
group: compat winbind
shadow: compat winbind
#---
Configure the PAM authentication mechanisms.
vi /etc/pam.d/system-auth
#---
session required pam_mkhomedir.so skel=/etc/skel/
#---
Restart the Winbind service.
/etc/init.d/winbind restart
Create the directory for your domain user homes.
mkdir /home/DOMAIN
chmod 770 /home/DOMAIN
chgrp -R "DOMAIN+domain users" /home/DOMAIN
Configure authentication to enable Winbind.
authconfig --update --kickstart \
--enablewinbind --enablewinbindauth --smbsecurity=ads \
--smbworkgroup=DOMAIN --smbrealm=DOMAIN.COM \
--smbservers=windows.domain.com --winbindjoin=Administrator \
--winbindtemplatehomedir=/home/DOMAIN/%U \
--enablelocauthorize
There are obviously many configuration tweaks that
can be made through Samba and the PAM authentication mechanisms.
This document should provide you with a good baseline that will
get your machine on the domain and accepting domain users.
- Scotech
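A way to check the result of the steps above, as an added example that is not part of the original guide: a shell audit of the [global] settings the guide sets (security, NTLMv2, encrypted passwords, restrict anonymous). It goes one step beyond the guide by also flagging local accounts whose UID falls inside the idmap uid range. The function names smb_get, expect, audit_smb_conf and demo are hypothetical, and the demo input is constructed.

```shell
# smb_get FILE KEY: print the value of KEY from [global] (key match is case-insensitive)
smb_get() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && (i = index($0, "=")) {
            k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }' "$1"
}

# expect FILE KEY VALUE: return 0 if KEY is set to VALUE, else report and return 1
expect() {
    got=$(smb_get "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$got" = "$3" ] && return 0
    echo "FAIL: $2 = '${got:-unset}' (guide uses '$3')"; return 1
}

# audit_smb_conf SMB_CONF [PASSWD]: return 0 only if every check passes
audit_smb_conf() {
    conf=$1; pw=${2:-/etc/passwd}; rc=0
    expect "$conf" "security" "ads"           || rc=1
    expect "$conf" "client ntlmv2 auth" "yes" || rc=1
    expect "$conf" "encrypt passwords" "yes"  || rc=1
    expect "$conf" "restrict anonymous" "2"   || rc=1
    # A local UID inside the winbind idmap range would be shared with a domain user.
    range=$(smb_get "$conf" "idmap uid" | tr -d ' \t')
    lo=${range%%-*}; hi=${range##*-}
    case "$lo$hi" in
        ''|*[!0-9]*) echo "FAIL: idmap uid missing or malformed"; rc=1 ;;
        *) clash=$(awk -F: -v lo="$lo" -v hi="$hi" \
               '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { printf "%s ", $1 }' "$pw")
           [ -z "$clash" ] || { echo "FAIL: local UIDs inside idmap range: $clash"; rc=1; } ;;
    esac
    return $rc
}

# Demo on constructed input: the guide's settings plus a local account at UID 10001.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[global]' 'security = ads' 'client ntlmv2 auth = yes' \
        'encrypt passwords = yes' 'restrict anonymous = 2' \
        'idmap uid = 10000-20000' > "$d/smb.conf"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'svc:x:10001:10001::/home/svc:/bin/bash' > "$d/passwd"
    audit_smb_conf "$d/smb.conf" "$d/passwd"; r=$?; rm -rf "$d"; return $r
}
demo || true
```

To audit the live configuration, call audit_smb_conf /etc/samba/smb.conf; the second argument defaults to /etc/passwd.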