How to authenticate against the Active Directory by using Winbind

This article describes how to join a Red Hat Enterprise Linux server to an Active Directory domain and authenticate users against AD.

Environment

Red Hat Enterprise Linux Server release 6.3
Windows Server 2008 R2

Install

You need to install the following packages:

# yum install samba-client samba-winbind samba-winbind-clients

Configure

Open the /etc/samba/smb.conf file and modify as below:

[global]
workgroup = DOMAIN
realm = REALM.LOCAL
log level = 2
syslog = 0
server string = Linux File Server
security = ads
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = true
winbind separator = +
idmap uid = 1000000-2000000
idmap gid = 1000000-2000000
template shell = /bin/bash

Now join the domain:

# net ads join -U Administrator

Start winbind and enable it at boot:

# service winbind start
# chkconfig winbind on

Verify that the system can talk to AD with the following commands.

Checks that the machine trust account secret works (via RPC calls):

# wbinfo -t

Lists all domain users:

# wbinfo -u

Lists all domain groups:

# wbinfo -g

Now configure NSS and PAM with authconfig:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=<realm> --smbworkgroup=<workgroup> --smbidmaprange=1000000-2000000 --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --winbindseparator=+ --enablemkhomedir --updateall

Where:

enablewinbind: enable winbind for user information by default.
enablewinbindauth: enable winbind for authentication by default.
smbsecurity: security mode to use for samba and winbind.
smbrealm: default realm for samba and winbind when security=ads.
smbworkgroup: Classic (pre Windows 2003 Server) name of domain.
smbidmaprange: the uid/gid range winbind will assign to domain (ads) users; it should match the idmap range in smb.conf.
winbindtemplateshell: the shell which winbind-created users will have as their login shell.
enablewinbindusedefaultdomain: configures winbind to assume that users with no domain in their user names are domain users.
winbindseparator: the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled.
enablemkhomedir: create home directories for users on their first login.
updateall: update all configuration files.

Use the following commands to test the configuration:

# getent passwd <user>
# id <user>
# getent group <domain group>
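Added example, not part of the original article: a small POSIX sh script that checks the output of the getent/id tests above against the values configured in smb.conf, namely that a winbind-mapped user's uid and gid fall inside the idmap range 1000000-2000000 and that the login shell is the template shell /bin/bash. The passwd and group lines it checks by default are constructed samples so it runs offline; on a joined host, pass a user name as the first argument and it runs the live getent lookup instead.

```shell
#!/bin/sh
# Added example (not from the original article). Verifies that what NSS
# returns for a user looks like a winbind mapping: uid/gid inside the idmap
# range and the configured template shell. Range and shell below are the
# article's smb.conf values.

IDMAP_LOW=1000000
IDMAP_HIGH=2000000
TEMPLATE_SHELL=/bin/bash

# in_range N : succeed only if N is an integer inside the idmap range
in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# check_passwd_entry "name:x:uid:gid:gecos:home:shell"
# Returns 0 only if uid and gid are winbind-allocated and the shell matches
# "template shell"; prints a reason for every failure.
check_passwd_entry() {
    entry=$1
    name=$(printf '%s' "$entry" | cut -d: -f1)
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    rc=0
    in_range "$uid" || { echo "FAIL $name: uid '$uid' outside idmap range"; rc=1; }
    in_range "$gid" || { echo "FAIL $name: gid '$gid' outside idmap range"; rc=1; }
    [ "$shell" = "$TEMPLATE_SHELL" ] || { echo "FAIL $name: shell '$shell' is not $TEMPLATE_SHELL"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $name: uid=$uid gid=$gid shell=$shell"
    return $rc
}

# check_group_entry "name:x:gid:members"
check_group_entry() {
    entry=$1
    name=$(printf '%s' "$entry" | cut -d: -f1)
    gid=$(printf '%s' "$entry" | cut -d: -f3)
    if in_range "$gid"; then
        echo "OK   $name: gid=$gid"
    else
        echo "FAIL $name: gid '$gid' outside idmap range"
        return 1
    fi
}

# Constructed sample lines, shaped like getent output on a joined host
# (home path follows winbind's default "template homedir" of /home/%D/%U).
SAMPLE_USER='jdoe:*:1000123:1000001:John Doe:/home/DOMAIN/jdoe:/bin/bash'
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash'
SAMPLE_GROUP='domain users:x:1000001:'

if [ -n "$1" ] && command -v getent >/dev/null 2>&1; then
    # Live check on the joined host: ./check.sh <user>
    check_passwd_entry "$(getent passwd "$1")"
else
    check_passwd_entry "$SAMPLE_USER"
    check_passwd_entry "$SAMPLE_LOCAL" || echo "(expected: root is a local account, not a winbind mapping)"
    check_group_entry "$SAMPLE_GROUP"
fi
```

If getent returns nothing at all for a domain user, the problem is upstream of this check: confirm wbinfo -u lists the user, that winbind is running, and that authconfig actually added winbind to the passwd and group lines of /etc/nsswitch.conf.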

Done! Your Linux system is now authenticating against Active Directory.