Experiences with using Active Directory for Linux authentication
Neil Joseph Schelly
neil at jenandneil.com
Wed Sep 21 21:08:01 EDT 2005
On Wednesday 21 September 2005 02:49 pm, Dan Coutu wrote:
> Surely there are people in the group that have had experience setting up
> a Linux system so that it uses an Active Directory server via PAM for login
> authentication. Since we live in a world where Linux has to sometimes take
> over gradually, it is often useful to be able to set this up in environments
> where otherwise the M$ weenies would rule.
>
> How about some tips, hints, war stories, etc. on the topic?
I've got lots of experience with this and more than I'd like to remember
crashing/burning with RHEL3. Ultimately, I found that the version of
Samba/Winbind there just didn't work in our environment with all my effort.
That said, I've never had trouble getting my various Debian desktops and
servers to join the 2003 AD at work in a really mixed up Windows atmosphere
with several disjoined domains in different forests and with an NT4 domain
thrown in for a little more excitement.
Anyway, the best tips I can come up with are to find several how-tos online
and make sure to be familiar with at least a few good ones. Start off with
getting Kerberos to work and authenticate with kinit. Once you've got kinit
successfully authenticating username/password combos in the AD, this step is
done.
Next step is to make sure samba is configured such that you can join the
domain you want to join. "net ads join -U Administrator" and a password
should do it if the smb.conf file is configured right.
The most flexible part of joining an AD is through PAM and WinBind. Winbind
can become a valid part of authentication by adding it to nsswitch.conf as a
valid source of user and group information and adding the PAM winbind modules
to the account and authentication sequences in PAM. wbinfo can be used to
verify Winbind is working alright and again should work if smb.conf is good.
Another great help I've found is pam_mkhomedir as a session module. If you
have users from the AD logging into the Linux machine and expecting to find a
home directory, this can set them up at login with a skeleton directory.
Anyway, exact configurations of everything vary as always from network to
network, but if you're looking for specific help, just let me know and I'll
see what I can offer.
-N
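The sequence Neil describes (Kerberos via kinit, `net ads join`, winbind in nsswitch.conf and PAM, pam_mkhomedir as a session module) is easy to get half-right, so here is an added example, not from the original post, that checks the nsswitch.conf and PAM fragments for the pieces he lists and, when the tools are installed, runs the same verification commands in the same order. File paths are passed as arguments; the fixture contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post). Verifies the configuration
# steps described above. Paths are arguments so copies or fixtures can be checked.

# check_nsswitch FILE: passwd and group lookups must list winbind as a source,
# otherwise AD users and groups are invisible to getent/login.
check_nsswitch() {
    f="$1"
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$f" \
        || { echo "nsswitch: passwd line lacks winbind"; return 1; }
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$f" \
        || { echo "nsswitch: group line lacks winbind"; return 1; }
    return 0
}

# check_pam FILE: pam_winbind must appear in the auth and account stacks and
# pam_mkhomedir in the session stack (so AD users get a home dir at first login).
check_pam() {
    f="$1"
    grep -Eq '^auth[[:space:]].*pam_winbind\.so' "$f" \
        || { echo "pam: auth stack lacks pam_winbind"; return 1; }
    grep -Eq '^account[[:space:]].*pam_winbind\.so' "$f" \
        || { echo "pam: account stack lacks pam_winbind"; return 1; }
    grep -Eq '^session[[:space:]].*pam_mkhomedir\.so' "$f" \
        || { echo "pam: session stack lacks pam_mkhomedir"; return 1; }
    return 0
}

# check_all NSSWITCH PAMFILE: run both file checks; 0 only if both pass.
check_all() {
    check_nsswitch "$1" && check_pam "$2"
}

# live_checks: the post's verification steps, in order, skipping absent tools.
# klist -s exits non-zero without a valid ticket; net ads testjoin confirms the
# machine account; wbinfo -t checks the trust secret, wbinfo -u lists AD users.
live_checks() {
    if command -v klist >/dev/null 2>&1; then klist -s && echo "kerberos: ticket OK"; fi
    if command -v net >/dev/null 2>&1; then net ads testjoin; fi
    if command -v wbinfo >/dev/null 2>&1; then wbinfo -t && wbinfo -u | head -n 5; fi
}

# Usage: sh adcheck.sh /etc/nsswitch.conf /etc/pam.d/common-auth [--live]
if [ "$#" -ge 2 ]; then
    check_all "$1" "$2" || exit 1
    [ "${3:-}" = "--live" ] && live_checks
fi
```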