This article describes how to join a Red Hat Enterprise Linux system to an Active Directory domain and authenticate users against AD.
Environment
Red Hat Enterprise Linux Server release 6.3
Windows Server 2008 R2
Install
You need to install the following packages:
# yum install samba-client samba-winbind samba-winbind-clients
Configure
Open the /etc/samba/smb.conf file and modify as below:
[global]
   workgroup = DOMAIN
   realm = REALM.LOCAL
   log level = 2
   syslog = 0
   server string = Linux File Server
   security = ads
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = true
   winbind separator = +
   idmap uid = 1000000-2000000
   idmap gid = 1000000-2000000
   template shell = /bin/bash
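Before running the join it is worth checking the three settings that decide whether the domain member behaves as intended: security must be ads, the realm must be the Kerberos realm in upper case, and the idmap ranges must not overlap IDs already used by local accounts (otherwise a domain user can be mapped onto an existing local UID or GID). The script below is an added example, not part of the original article; it reads the [global] section of an smb.conf and runs those checks. The sample smb.conf, passwd and group files it creates are constructed to mirror the article's values, and the function names (smb_get, check_smb_conf) are my own.

```shell
#!/bin/sh
# Added example: lint the smb.conf settings a winbind domain member relies on.
# Not from the original article; sample inputs below are constructed.

# Print the value of <key> from the [global] section of <smb.conf>.
# Usage: smb_get <file> <key>   (key match is case-insensitive)
smb_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insection = ($0 ~ /^[[:space:]]*\[global\]/); next }
        insection && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Usage: check_smb_conf <smb.conf> [passwd file] [group file]
# The file paths default to /etc/passwd and /etc/group; they are parameters so
# the check can be run against constructed samples. Returns 0 when all pass.
check_smb_conf() {
    conf="$1"; passwd="${2:-/etc/passwd}"; group="${3:-/etc/group}"; rc=0

    sec=$(smb_get "$conf" security | tr 'A-Z' 'a-z')
    if [ "$sec" != "ads" ]; then
        echo "FAIL: security must be 'ads' for an AD domain member (found '$sec')"; rc=1
    fi

    realm=$(smb_get "$conf" realm)
    if [ -z "$realm" ]; then
        echo "FAIL: realm is not set"; rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "FAIL: realm should be the Kerberos realm in upper case (found '$realm')"; rc=1
    fi

    # Each idmap range must be well formed and must not contain an ID that a
    # local account already uses; field 3 is the UID in passwd and the GID in group.
    for spec in "idmap uid=$passwd" "idmap gid=$group"; do
        key=${spec%%=*}; file=${spec#*=}
        range=$(smb_get "$conf" "$key")
        low=${range%%-*}; high=${range#*-}
        case "$low:$high" in
            *[!0-9:]*|:*|*:) echo "FAIL: $key missing or not of the form low-high"; rc=1; continue;;
        esac
        if [ "$low" -ge "$high" ]; then
            echo "FAIL: $key range '$range' is empty or inverted"; rc=1; continue
        fi
        clash=$(awk -F: -v lo="$low" -v hi="$high" \
            '$3+0 >= lo+0 && $3+0 <= hi+0 { print $1; exit }' "$file")
        if [ -n "$clash" ]; then
            echo "FAIL: $key range '$range' overlaps local account '$clash' in $file"; rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs: a config matching the article and a broken one.
SAMPLE_DIR=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:500:500:Alice:/home/alice:/bin/bash\n' \
    > "$SAMPLE_DIR/passwd"
printf 'root:x:0:\nalice:x:500:\n' > "$SAMPLE_DIR/group"
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = REALM.LOCAL
   security = ads
   idmap uid = 1000000-2000000
   idmap gid = 1000000-2000000
EOF
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = realm.local
   security = user
   idmap uid = 400-2000
   idmap gid = 1000000-2000000
EOF

for f in good bad; do
    if check_smb_conf "$SAMPLE_DIR/$f.conf" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"; then
        echo "$f.conf: PASS"
    else
        echo "$f.conf: needs fixing before 'net ads join'"
    fi
done
```

On a real host run `check_smb_conf /etc/samba/smb.conf` with no further arguments so the ranges are compared against the live /etc/passwd and /etc/group. The overlap check is the one that matters most operationally: the 1000000-2000000 range from the article sits far above any locally created account, which is why it is a sensible default.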
Now join the domain:
# net ads join -U Administrator
Start winbind and enable it on boot.
# service winbind start
# chkconfig winbind on
Verify that the system can talk to AD with the following commands:
Checks whether the trust secret can be validated via RPC calls.
# wbinfo -t
Lists all domain users.
# wbinfo -u
Lists all domain groups.
# wbinfo -g
Now configure NSS and PAM with authconfig:
# authconfig --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=<realm> --smbworkgroup=<workgroup> --smbidmaprange=1000000-2000000 --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --winbindseparator=+ --enablemkhomedir --updateall
Where:
enablewinbind: enable winbind for user information by default.
enablewinbindauth: enable winbind for authentication by default.
smbsecurity: security mode to use for samba and winbind.
smbrealm: default realm for samba and winbind when security=ads.
smbworkgroup: Classic (pre Windows 2003 Server) name of domain.
smbidmaprange: the UID/GID range winbind will assign to domain users and groups.
winbindtemplateshell: the shell which winbind-created users will have as their login shell.
enablewinbindusedefaultdomain: configures winbind to assume that users with no domain in their user names are domain users.
winbindseparator: the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled.
enablemkhomedir: create home directories for users on their first login.
updateall: update all configuration files.
Use the following commands to test the configuration:
# getent passwd <user>
# id <user>
# getent group <domain group>
Done! Your Linux system is now authenticating against Active Directory.