User story #3651 (closed)
Request for Winbind technique
Description
It would be nice to have a Winbind technique. Winbind is part of the Samba software suite and makes it possible to log on to Active Directory from a UNIX node.
The technique should:
- Install the winbind package >= version 3.5
- On Ubuntu install krb5-user, krb5-config and libpam-krb5
- On Red Hat configure /etc/pam.d/system-auth:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
- On Red Hat configure /etc/sysconfig/authconfig:
USEWINBINDAUTH=yes
USEKERBEROS=no
USESYSNETAUTH=no
USEPAMACCESS=no
USEMKHOMEDIR=no
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=no
USEDB=no
USEWINBIND=yes
USESHADOW=yes
PASSWDALGORITHM=md5
USELOCAUTHORIZE=yes
USEHESIOD=no
USELDAP=no
USEPASSWDQC=no
USECRACKLIB=yes
USENIS=no
- Add winbind to /etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group:  files winbind
...
- On Red Hat configure /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 # The realm name here must match default_realm above
 EXAMPLE.COM = {
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
- Configure Winbind (/etc/samba/smb.conf), which should have the following items:
[global]
   workgroup = WORKGROUP
   realm = EXAMPLE.COM
   security = ADS
   # Lowest/highest possible uid (smb.conf only accepts comments on their own line)
   idmap uid = 1000-65535
   # Lowest/highest possible gid
   idmap gid = 1000-65535
   # Relative home dir
   template homedir = /home/%U
   # Default shell
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   preferred master = no
   # Optional
   hosts allow = 192.168. 127.
   encrypt passwords = yes
   # 1 to 10 (integer, higher is more verbose)
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   idmap backend = idmap_rid:WORKGROUP=1000-65535
   # This makes all users/groups lowercase and replaces a space with an underscore
   # (user/group names that already contain underscores will not work)
   winbind normalize names = Yes
The config above applies to Winbind 3.5. If Winbind is version 3.6, you need to change:
idmap backend = idmap_rid:WORKGROUP=1000-65535
to:
idmap config * : backend = rid
idmap config * : range = 1000 - 65535
- Join the domain
net ads join createcomputer=$OU -U $AD_ADMIN%$AD_PWD
- Start Winbind
- Make sure Winbind starts at boot
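Two helpers a technique implementing the steps above could use, added here as an example and not part of the original request or of any existing technique: one picks the idmap syntax that matches the installed Winbind version (3.5 vs. 3.6 and later, as described above), the other verifies that nsswitch.conf lists winbind for passwd, shadow and group. The version string format "Version X.Y.Z" (as printed by `smbd -V`) and the sample nsswitch.conf are assumptions/constructed input.

```shell
#!/bin/sh
# Added example, not the technique's own code. Inputs are constructed:
# the real ones would come from `smbd -V` and /etc/nsswitch.conf.

# Print the idmap lines for a Samba version string such as "Version 3.5.10"
# or "Version 3.6.3": 3.5 uses the single-line idmap backend form,
# 3.6 and later use the "idmap config *" form. Returns 2 if unparseable.
idmap_config_for() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    major=${ver%%.*}
    minor=${ver#*.}
    [ -n "$major" ] && [ -n "$minor" ] || { echo "unparseable version: $1" >&2; return 2; }
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; }; then
        printf '%s\n' "idmap config * : backend = rid" "idmap config * : range = 1000 - 65535"
    else
        printf '%s\n' "idmap backend = idmap_rid:WORKGROUP=1000-65535"
    fi
}

# Return 0 when passwd, shadow and group in the given nsswitch.conf all list
# "winbind" as a source; otherwise report the missing maps on stderr and return 1.
nsswitch_has_winbind() {
    file=$1
    rc=0
    for db in passwd shadow group; do
        if ! grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$file"; then
            echo "nsswitch: $db does not list winbind" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample nsswitch.conf for demonstration (group: lacks winbind).
sample_nss=$(mktemp)
printf '%s\n' "passwd: files winbind" "shadow: files winbind" "group:  files" > "$sample_nss"

idmap_config_for "Version 3.6.3"
nsswitch_has_winbind "$sample_nss" || echo "nsswitch.conf needs fixing before joining the domain"
rm -f "$sample_nss"
```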