User story #3651 (closed)
Request for Winbind technique
Description
It would be nice to have a Winbind technique. Winbind is part of the Samba software suite and makes it possible to log on to Active Directory from a UNIX node.
The technique should:
- Install the winbind package >= version 3.5
- On Ubuntu install krb5-user, krb5-config and libpam-krb5
- On Red Hat configure /etc/pam.d/system-auth:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
- On Red Hat configure /etc/sysconfig/authconfig:
USEWINBINDAUTH=yes
USEKERBEROS=no
USESYSNETAUTH=no
USEPAMACCESS=no
USEMKHOMEDIR=no
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=no
USEDB=no
USEWINBIND=yes
USESHADOW=yes
PASSWDALGORITHM=md5
USELOCAUTHORIZE=yes
USEHESIOD=no
USELDAP=no
USEPASSWDQC=no
USECRACKLIB=yes
USENIS=no
- Add winbind to /etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group:  files winbind
...
- On Red Hat configure /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
- Configure Winbind (/etc/samba/smb.conf), which should have the following items:
[global]
 workgroup = WORKGROUP
 realm = EXAMPLE.COM
 security = ADS
 # Lowest/highest possible uid
 idmap uid = 1000-65535
 # Lowest/highest possible gid
 idmap gid = 1000-65535
 # Relative home dir
 template homedir = /home/%U
 # Default shell
 template shell = /bin/bash
 winbind use default domain = true
 winbind offline logon = false
 preferred master = no
 # Optional
 hosts allow = 192.168. 127.
 encrypt passwords = yes
 # 1 to 10 (integer, higher is more verbose)
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 printcap name = cups
 printing = cups
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind nested groups = Yes
 idmap backend = idmap_rid:WORKGROUP=1000-65535
 # This makes all users/groups lowercase and replaces a space with an underscore
 # (user/group names with underscores will not work)
 winbind normalize names = Yes
The config above applies to Winbind 3.5. If Winbind is version 3.6, you need to change:
idmap backend = idmap_rid:WORKGROUP=1000-65535
to:
idmap config * : backend = rid
idmap config * : range = 1000 - 65535
- Join the domain
net ads join createcomputer="$OU" -U "$AD_ADMIN%$AD_PWD"
- Start Winbind
- Make sure Winbind starts at boot
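The steps above are a procedure a Technique has to apply repeatedly and safely. As an added example (not part of this issue and not Rudder's own Technique code), here are POSIX sh helpers for two of those steps: adding winbind to the nsswitch.conf databases idempotently, and emitting the idmap lines that match the installed Samba version (3.5 syntax versus the 3.6 "idmap config" syntax the spec mentions). The `WINBIND_APPLY` and `WORKGROUP` environment variables, the `nss_add_winbind`/`idmap_block`/`samba_version`/`verify_join` function names and the staging-file usage are assumptions of this example; `smbd -V` and `wbinfo -t` are real Samba commands.

```shell
#!/bin/sh
# Added example for the Rudder issue above; not Rudder's Technique code.
# Helpers for the nsswitch and idmap steps of the spec, written so that the
# file edits are idempotent (safe to re-run, as a Technique must be) and can
# be exercised against a staging copy of the files instead of /etc.
set -eu

# Add "winbind" to one nsswitch.conf database (passwd, shadow or group)
# exactly once. Prints the resulting line so the caller can report it.
# $1 = database name, $2 = path to nsswitch.conf (real file or staging copy)
nss_add_winbind() {
  db="$1"; f="$2"
  if grep -E "^${db}:" "$f" | grep -Eq '[[:space:]]winbind([[:space:]]|$)'; then
    : # already configured, nothing to do
  elif grep -Eq "^${db}:" "$f"; then
    # Append winbind to the existing line; write back through the original
    # file rather than replacing it, so ownership and mode are preserved.
    tmp="$(mktemp)"
    sed -E "s/^(${db}:.*[^[:space:]])[[:space:]]*$/\1 winbind/" "$f" > "$tmp"
    cat "$tmp" > "$f"; rm -f "$tmp"
  else
    printf '%s: files winbind\n' "$db" >> "$f"
  fi
  grep -E "^${db}:" "$f"
}

# Emit the idmap lines for smb.conf matching the Samba version in use:
# the 3.5 syntax from the spec, or the "idmap config" syntax needed from 3.6.
# $1 = Samba version string (e.g. "3.6.23"), $2 = workgroup name
idmap_block() {
  case "$1" in
    3.[0-5]|3.[0-5].*)
      printf 'idmap backend = idmap_rid:%s=1000-65535\n' "$2" ;;
    *)
      printf 'idmap config * : backend = rid\n'
      printf 'idmap config * : range = 1000 - 65535\n' ;;
  esac
}

# Installed Samba version as printed by "smbd -V" ("Version 3.6.23"),
# or an empty string when smbd is not installed.
samba_version() {
  smbd -V 2>/dev/null | awk '{ print $2 }'
}

# Post-join check: "wbinfo -t" verifies the machine account trust secret with
# the domain controller; it fails when the join did not succeed or winbind is down.
verify_join() {
  wbinfo -t >/dev/null 2>&1
}

# Apply the nsswitch step to the real file only when explicitly requested
# (WINBIND_APPLY=1 is an assumption of this example), so sourcing this file
# for its functions has no side effects.
if [ "${WINBIND_APPLY:-0}" = 1 ]; then
  for db in passwd shadow group; do
    nss_add_winbind "$db" /etc/nsswitch.conf
  done
  idmap_block "$(samba_version)" "${WORKGROUP:-WORKGROUP}"
fi
```

Running the helpers against a copy of nsswitch.conf first (and diffing the result) is a cheap way to confirm the edit is minimal before letting a Technique touch the live file; `verify_join` is the check to run after `net ads join` and after starting winbind.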
Updated by Vincent MEMBRÉ over 11 years ago
- Category set to Techniques
- Assignee set to Matthieu CERDA
Any Techniques idea is a good addition to Rudder, thank you!
Really nice specs though, making it far easier to implement!
Do you want to work on its implementation Dennis?
I'll assign it to Matthieu, as an expert Technique writer, he will be able to help you out, or to create this Technique.
Updated by Dennis Cabooter over 11 years ago
Since I've never created a whole technique myself, I'm not sure if I can do it.
Updated by Benoît PECCATTE over 9 years ago
- Project changed from 24 to Rudder
- Category changed from Techniques to Techniques
Updated by Benoît PECCATTE over 8 years ago
- Target version set to Ideas (not version specific)
Updated by Benoît PECCATTE over 5 years ago
- Status changed from New to Rejected
This technique is not generic enough and can be written by the user now