Saturday, January 23, 2010

Active Directory Integration with Samba for RHEL/CentOS 5

SkyHi @ Saturday, January 23, 2010

This article will show you how to join your Linux server into the Active Directory domain, how to integrate the Active Directory user accounts into the Linux user accounts and how to authenticate users in Active Directory using Winbind, a component of Samba.

ImportantA better way to integrate Active Directory into your Linux mail server is by using Postfix’s Virtual User Accounts.
NoteSamba is installed by default when you select the Server installation type during the installation process. In case you need to install or reinstall it, just add the Windows File Server package located in the Servers category using the Package Manager tool.

Setup and Configure Winbind

Authentication
1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.
Authentication
2. Check the Enable Winbind Support and click Configure Winbind. This will launch the Winbind Settings window.
Winbind Settings
3. In the Winbind Settings window, set the Security Model to ads and fill in the Winbind Domain, Winbind ADS Realm and Winbind Domain Controllers. See sample settings below.
Winbind Domain
acme
Winbind ADS Realm
acme.local
Domain Controllers
server1.acme.local,server2.acme.local
NoteIf you would like to allow your Active Directory users to login to your Linux system, change Template Shell to /bin/bash.
ImportantTo ensure the success of the Active Directory integration, make sure that your Active Directory DNS is working, you are using the Active Directory DNS, you can ping the domain controllers and that the difference between the domain controllers’ clock and the mail server’s clock is not more than five minutes.
Join Winbind Domain
4. Click Join Winbind Domain. You will be asked to save your changes, click Save. In the Joining Winbind Domain window, fill in the Domain Administrator and Password. Click Ok when you are done. Click Ok again to close the Winbind Settings window.
Authentication Configuration
5. Click the Authentication tab and check the Enable Winbind Support.
Authentication Configuration
6. Click the Options tab and check the Local authorization is sufficient for local users. Click Ok when you are done.
Edit smb.conf7. Open the file /etc/samba/smb.conf for editing and change the key values below.
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = yes
allow trusted domains = no
idmap backend = idmap_rid:acme=16777216-33554431
For the last line, replace acme with the value of workgroup and ensure that the range matches your idmap uid range.
NoteThe last line activates algorithmic mapping of the Windows IDs to Unix IDs. This enables you to use Samba across several Linux machines or recreate a corrupted mapping database since the mapping is consistent.
Service Configuration
8. Create the folder that will contain the home directory of the Active Directory users. From the terminal window, type in the commands below.
mkdir /home/DOMAIN
Replace DOMAIN with your domain. Make sure to capitalize your domain like ACME in our example.
Service Configuration
9. Edit the file /etc/pam.d/system-auth and add the line below.
session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
This will automatically create the user’s home directory whenever a PAM session is opened. Winbind and Dovecot will be opening the PAM session thus automatically creating the user’s home directory.
Service Configuration
10. Restart the winbind service and start the oddjobd service. Learn how to start and restart services here.

Test the Active Directory Integration

Service Configuration
1. From a terminal window, type in wbinfo -u. You should see the Active Directory user accounts.
Service Configuration
2. Try the Active Directory authentication, type in wbinfo -a "username"%"password".
Service Configuration
3. Finally, type in getent passwd. You should see the Linux system accounts along with the Active Directory user accounts.
NoteIf it doesn’t work, visit the Active Directory Troubleshooting page.

Related Pages

User Property
Active Directory Single Sign On. Use Identity Management for Unix to control access on a per user account basis.

REFERENCE

http://www.linuxmail.info/active-directory-integration-samba-centos-5/