This is a quick guide to joining a Windows AD domain with Samba and Winbind.

(0) Update the time and sync it with the AD server
ntpdate 192.168.0.2
hwclock -w

(1) # Upgrading Samba to the latest version saves a lot of time.
yum install samba samba-common samba-client krb5-workstation

(2) # 4 files to configure to get it working:
/etc/samba/smb.conf, /etc/nsswitch.conf, /etc/krb5.conf, /etc/krb.realms

(3) # replacing lines in /etc/nsswitch.conf with these:
# users and groups: local files first, then the AD domain via winbind
passwd: files winbind
# winbind does not provide shadow entries, so only local files are consulted
shadow: files
group: files winbind


(4) # Modify /etc/krb5.conf

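# /etc/krb5.conf — read by the MIT Kerberos library and kinit.
# Full-line comments only ('#' or ';'); no inline comments.
# Replace DOMAIN.COM / DC.DOMAIN.COM with the real realm (upper case)
# and domain controller host name.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# seconds
ticket_lifetime = 24000
# Kerberos realm names are case-sensitive; AD realms are written upper case
default_realm = DOMAIN.COM
# DNS lookups are off, so the KDC must be listed under [realms] below and
# resolvable (e.g. via /etc/hosts)
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
proxiable = true
# kdc_timesync and ccache_type are [libdefaults] settings; the original file
# placed them after the [appdefaults] block, where the library does not read them
kdc_timesync = 1
ccache_type = 4
# The original pinned default_etypes / default_etypes_des to des-cbc-crc and
# des-cbc-md5. Single DES is broken and current KDCs and libraries refuse it
# unless weak crypto is explicitly enabled, so those lines are dropped here
# and the library uses its built-in default enctype list.

[realms]
DOMAIN.COM = {
kdc = DC.DOMAIN.COM:88
admin_server = DC.DOMAIN.COM:749
default_domain = DOMAIN.COM
}

# maps DNS names to the realm; the original mapped .example.com, which does
# not match the DC.DOMAIN.COM hosts used in [realms]
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

# only consulted by a KDC running on this host; harmless on a member server
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
# pam_krb5-specific overrides; note the lifetimes here differ from [libdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}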


(4.5) # test for krb5
kinit user@DOMAIN.COM
If the login succeeds, it prints nothing.



(5) # Modify /etc/samba/smb.conf (assume 192.168.0.2 is DC ip)

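[global]
# NetBIOS domain name and Kerberos realm. Samba upper-cases both internally;
# written upper case here to match /etc/krb5.conf.
workgroup = DOMAIN
realm = DOMAIN.COM
netbios name = server
server string = server
preferred master = no
local master = no
domain master = no
# 192.168.0.2 is the domain controller
password server = 192.168.0.2
# Kerberos/ADS member mode; requires a working /etc/krb5.conf
security = ads
encrypt passwords = yes

## winbind ##
# AD accounts appear as DOMAIN+user (see template homedir and the ssh test)
winbind separator = +
printcap name = cups
printing = cups
# UID/GID range handed out to AD users and groups; must not overlap local
# accounts. This is the older syntax; newer Samba releases expect
# 'idmap config * : range' instead.
idmap uid = 10000-20000
idmap gid = 10000-20000
# enumeration is required for 'wbinfo -u' / 'wbinfo -g' and the home-directory script
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
# seconds
winbind cache time = 10
wins server = 192.168.0.2
name resolve order = lmhosts host wins bcast
# The original set 'client schannel = no', which disabled the signed/sealed
# secure channel to the DC. The line is removed so Samba's default applies.

## log & charset ##
log file = /var/log/samba/%m.log
# kilobytes
max log size = 5000
dns proxy = no
cups options = raw
dos charset = big5
unix charset = big5
# verbose; lower once the join is working
log level = 3 winbind:3

[homes]
comment = Home directory for %u on %h
browseable = no
writable = yes
path = /home/%D/%U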



(6) # vi /etc/hosts - 192.168.0.2 dc.domain.com domain.com DC.DOMAIN.COM DOMAIN.COM
                    - 127.0.0.1 server server.domain.com 

(7) # restart the smb and winbind services

(8) # joining the Linux server to the domain:
net rpc join -U Administrator (<= or any other DC domain admin)
net ads join -U Administrator (<= or any other DC domain admin)
The system then prints a welcome message if everything went fine.

(9) # after joining the domain, you can check domain information:
wbinfo -t (check trust connectivity with domain controller)
wbinfo -u (check domain user)
wbinfo -g (check domain group)
net ads info (check DC info)
getent passwd (check home path)

(10) # afterwards, configure your server applications to handle authentication with PAM,
 e.g. proftpd.conf, squid.conf. Then configure the files in pam.d
to use the winbind module for authentication (see the post above)

Add this in pam.d :

vi /etc/pam.d/system-auth (centos5)
vi /etc/pam.d/password-auth (centos6)

# Only the relevant lines are shown; the "." lines stand for the rest of the stack.
# pam_winbind is 'sufficient': when an AD login succeeds, PAM returns at that
# point and the modules listed after it in the same stack are not run.
auth        sufficient pam_winbind.so
auth        required      pam_env.so
.
.
account	    sufficient pam_winbind.so
account     required      pam_unix.so
.
.
session     required      pam_unix.so
# creates the home directory on first login. pam_mkhomedir's default umask is
# 0022; add umask=0077 if AD users' home directories must not be world-readable.
session     required      pam_mkhomedir.so


/etc/init.d/winbind restart
/etc/init.d/samba restart

11) Test SSH login with an AD account (it should automatically create the home directory)
ssh DOMAIN+user@localhost

12) create a script that automatically creates home folders for AD users every 5 minutes

vi create-ADhome.sh

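#!/bin/bash
# create-ADhome.sh — run from root's crontab every 5 minutes.
# For every AD user known to winbind, open a throw-away session as that
# user (so pam_mkhomedir creates the home directory if it is missing) and
# then make sure the directory is owned by the user.
#
# Changes from the original version:
#  * no scratch files under /tmp: the original wrote a command list to the
#    fixed path /tmp/chown-user.sh and then executed it as root, so anything
#    a local user placed in that file between the rm and the echo would
#    have run as root;
#  * user names are read line by line instead of word-split, so names
#    containing spaces survive;
#  * the home directory is taken from getent instead of tilde expansion.

set -u

wbinfo -u | while IFS= read -r user; do
    [ -n "$user" ] || continue
    # running the user's login shell once drives the PAM session stack
    # (pam_mkhomedir) and creates the home directory when it does not exist
    su --command="exit" "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    # only chown a directory that actually exists for this account
    if [ -n "$home" ] && [ -d "$home" ]; then
        chown -R -- "$user" "$home"
    fi
done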



chmod +x create-ADhome.sh

crontab -e
*/5 * * * * /root/create-ADhome.sh &> /dev/null



