This is from a decade ago and is based on winbind. sssd has supplanted winbind in modern distros and will likely work better.
Joining the domain during installation seems to work pretty well.
First install ntp and set it to sync with the domain controllers. Kerberos rejects authentication when the clock is more than a few minutes off from the domain controller, so do this before anything else.
yum install ntp
Edit /etc/ntp.conf and look for the lines that begin with server. Change the server to the domain controller's IP address:
server 192.168.0.18
Stop the ntp server if it is running:
/etc/init.d/ntp stop
Now run the time sync manually
ntpdate 192.168.0.18
and start the server
/etc/init.d/ntp start
To manage user access to the box, add it to the domain. This requires the samba packages if they are not already installed.
yum install samba samba-common samba-client
On Debian/Ubuntu:
apt-get install samba winbind krb5-user
It's probably a good idea to back up everything in /etc before configuring anything else, in case something goes wrong.
Edit /etc/samba/smb.conf and add lines to turn off master browser elections. You can put these next to the example lines if they exist:
domain master = no
local master = no
preferred master = no
Make sure that phxad01 is in /etc/hosts. Also make sure the short version of the hostname is listed there, even if it is only in the localhost line. I use myserver in this example; if setting up a dev server use myserver-dev.
127.0.0.1 localhost.localdomain localhost myserver.domain.com myserver
::1 localhost6.localdomain6 localhost6
192.168.0.18 phxad01.domain.com
At a shell prompt type setup and choose Authentication Configuration. The next dialog should look like this:
[ ] Cache Information [*] Use MD5 Passwords
[ ] Use Hesiod [*] Use Shadow Passwords
[ ] Use LDAP [ ] Use LDAP Authentication
[ ] Use NIS [*] Use Kerberos
[*] Use Winbind [ ] Use SMB Authentication
[*] Use Winbind Authentication
[ ] Local authorization is sufficient
You might have to set up by hand the pam lines that get written automatically on RedHat:
pam.d/common-account
account sufficient /lib/security/pam_winbind.so
account required pam_unix.so
pam.d/common-auth
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth optional pam_smbpass.so migrate missingok
auth required /lib/security/pam_nologin.so
pam.d/common-session
session required pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
Realm: DOMAIN.COM___________________
KDC: phxad01.domain.com___________
Admin Server: phxad01.domain.com___________
[*] Use DNS to resolve hosts to realms
[*] Use DNS to locate KDCs for realms
The package will ask you for this info when it is installed. If not, edit /etc/krb5.conf and add or edit these sections:
[libdefaults]
default_realm = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = phxad01.domain.com
admin_server = phxad01.domain.com
}
Security Model: (*) ads
( ) domain
Domain: CSCDOMAIN_______________________________
Domain Controllers: phxad01.domain.com___________
ADS Realm: DOMAIN.COM___________________
Template Shell: ( ) /bin/false
( ) /sbin/nologin
(*) /bin/sh
Try joining the domain with the Join Domain button. If it fails, see the next section. It will prompt you for a username and password; you need to use a domain user that has authority to join a machine to the domain.
Choose OK, and OK again to exit the setup dialog.
Edit /etc/samba/smb.conf. Look for these lines, or add them if missing:
[global]
realm = REALMNAME
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
workgroup = CSCDOMAIN
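The following script is an added example, not code from the original page. It reads an smb.conf and checks that the [global] section carries the settings the two smb.conf edits above ask for (security = ads, the realm and workgroup, the idmap ranges, the template settings, winbind use default domain, and the three master browser settings set to no). The sample config it writes to /tmp is constructed from the page's values; the script name and the SAMPLE_CONF path are assumptions. Pass the real /etc/samba/smb.conf as the first argument to check a live host. Key names follow the old-style smb.conf syntax used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the [global]
# section of an smb.conf against the settings this page asks for.
# Usage: sh check_smb.sh /etc/samba/smb.conf   (defaults to the sample below)

SAMPLE_CONF="${TMPDIR:-/tmp}/smb.conf.sample"
# Constructed sample config using the page's values; not a real host's file
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = CSCDOMAIN
   realm = DOMAIN.COM
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = yes
   domain master = no
   local master = no
   preferred master = no

[homes]
   browseable = no
EOF

# smb_get FILE KEY -> value of KEY from the [global] section, or nothing.
# Key names are matched case-insensitively and whitespace around '=' is
# ignored, as smbd itself does; comment lines (# or ;) are skipped.
smb_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        in_global && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# check_smb_global FILE -> 0 if every required setting is present and sane,
# 1 otherwise; each problem is printed on its own line.
check_smb_global() {
    f="$1"; rc=0
    # settings with exactly one acceptable value
    for kv in "security=ads" "winbind use default domain=yes" \
              "domain master=no" "local master=no" "preferred master=no"; do
        key=${kv%%=*}; expect=${kv#*=}
        got=$(smb_get "$f" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$expect" ] || { echo "$key: expected '$expect', got '${got:-<unset>}'"; rc=1; }
    done
    # settings that only need to be present
    for key in realm workgroup "template shell" "template homedir"; do
        [ -n "$(smb_get "$f" "$key")" ] || { echo "$key: missing"; rc=1; }
    done
    # idmap ranges must look like LOW-HIGH with LOW below HIGH
    for key in "idmap uid" "idmap gid"; do
        range=$(smb_get "$f" "$key")
        case "$range" in
            [0-9]*-[0-9]*)
                low=${range%%-*}; high=${range#*-}
                [ "$low" -lt "$high" ] 2>/dev/null || { echo "$key: bad range '$range'"; rc=1; } ;;
            *)  echo "$key: missing or malformed ('${range:-<unset>}')"; rc=1 ;;
        esac
    done
    return $rc
}

if check_smb_global "${1:-$SAMPLE_CONF}"; then
    echo "[global] is consistent with the settings on this page"
fi
```

Running it against a config that still has the stock security = user line reports that mismatch and exits non-zero, which is the usual reason the later net join step fails silently after a hand edit.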
If joining the domain failed, try typing at the prompt
/usr/bin/net join -w CSCDOMAIN -U <username>
or, naming the domain controller explicitly,
/usr/bin/net join -w CSCDOMAIN -S phxad01.domain.com -U <username>
where <username> is your user (don't include the angle brackets). Using the domain administrator works best. (need to test this theory)
If you need to add a system with the same netbios name, use the -n option. It may say that it fails, but it seems to work in spite of this message.
/usr/bin/net join -w CSCDOMAIN -U <username> -n foo.dev
Restart winbind
service winbind restart
SELinux may be preventing things from working, so check /var/log/messages for errors.
If winbind is not working you may not have joined the domain. Try again as the domain administrator. If that does not work you can set this SELinux boolean. It stops SELinux from confining winbindd at all, so fixing the specific denials logged in /var/log/messages is the better option when you can:
setsebool -P winbind_disable_trans 1
If the errors are about the 'secrets.tdb' file, edit /etc/samba/smb.conf to add this line:
private dir = /var/cache/samba/winbindd_privileged
2011/2/1: SELinux is also denying the creation of /etc/krb5.keytab. I was getting errors in the system logs even though auth was working. In this case I am using a deprecated pam module, mod_auth_pam, to have apache authenticate against PAM, which authenticates against Active Directory.
Feb 2 11:55:27 devwebl1 httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=adjt
Feb 2 11:55:27 hostname httpd: pam_krb5[8987]: error reading keytab 'FILE:/etc/krb5.keytab'
Feb 2 11:55:27 hostname httpd: pam_krb5[8987]: TGT verified
Feb 2 11:55:27 hostname httpd: pam_krb5[8987]: authentication succeeds for 'adjt' (adjt@DOMAIN.COM)
Feb 2 11:55:27 hostname httpd: pam_winbind(httpd:account): user 'adjt' OK
Feb 2 11:55:27 hostname httpd: pam_winbind(httpd:account): user 'adjt' granted access
I temporarily disabled SELinux to create the file.
echo 0 > /selinux/enforce
net ads keytab create -UAdministrator -P
echo 1 > /selinux/enforce
klist -k -t -e   # show the keys currently in the keytab
There were still errors about localhost keys, so I had to edit the keytab file using ktutil and delete the localhost entries. An alternative may be to change /etc/hosts to use the machine name in the localhost entry. Then I had to give apache read access to the file so that it could authenticate. This may be dangerous, and authentication worked without it, so this is just to clean up the errors in the logs.
mv /etc/krb5.keytab /etc/krb5.keytab.orig
ktutil
read_kt /etc/krb5.keytab.orig
list
delent 1
write_kt /etc/krb5.keytab
quit
setfacl -m u:apache:r /etc/krb5.keytab
Watch the logfiles for information while you test.
tail -f /var/log/messages
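The script below is an added example, not part of the original page. It reads a messages-style log like the excerpt above and turns the pam_unix, pam_krb5 and pam_winbind lines into one decision per line, reports the final outcome per user, counts keytab read errors, and pulls the subject, action and target out of any SELinux AVC denials. The sample log it writes to /tmp is constructed: the httpd lines mirror the ones quoted on this page, while the sshd failure and the avc line are made up for the example. The script name, the SAMPLE_LOG path and the function names are assumptions; pass /var/log/messages as the first argument to run it against a real host.

```shell
#!/bin/sh
# Added example (not from the original page): triage the PAM, pam_krb5,
# pam_winbind and SELinux messages that show up in /var/log/messages while
# testing domain logins.  Usage: sh auth_triage.sh /var/log/messages
# (with no argument it reads the constructed sample written below).

SAMPLE_LOG="${TMPDIR:-/tmp}/messages.sample"
# Constructed sample, modelled on the entries quoted on this page; the sshd
# and avc lines are made up for the example.
cat > "$SAMPLE_LOG" <<'EOF'
Feb  2 11:55:27 hostname httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=adjt
Feb  2 11:55:27 hostname httpd: pam_krb5[8987]: error reading keytab 'FILE:/etc/krb5.keytab'
Feb  2 11:55:27 hostname httpd: pam_krb5[8987]: TGT verified
Feb  2 11:55:27 hostname httpd: pam_krb5[8987]: authentication succeeds for 'adjt' (adjt@DOMAIN.COM)
Feb  2 11:55:27 hostname httpd: pam_winbind(httpd:account): user 'adjt' OK
Feb  2 11:55:27 hostname httpd: pam_winbind(httpd:account): user 'adjt' granted access
Feb  2 11:58:03 hostname sshd[9120]: pam_krb5[9120]: authentication fails for 'nosuch' (nosuch@DOMAIN.COM): Client not found in Kerberos database
Feb  2 12:01:44 hostname kernel: type=1400 audit(1296669704.123:57): avc:  denied  { create } for  pid=9201 comm="winbindd" name="secrets.tdb" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
EOF

# pam_events FILE -> one line per authentication decision: "<user> <module> <outcome>"
pam_events() {
    awk '
        /pam_krb5\[[0-9]+\]: authentication (succeeds|fails) for / {
            split($0, q, "\047")                 # q[2] is the quoted user name
            r = ($0 ~ /succeeds/) ? "success" : "failure"
            print q[2], "pam_krb5", r; next
        }
        /pam_winbind\([^)]*\): user / {
            split($0, q, "\047")
            r = ($0 ~ /granted access/) ? "granted" : "checked"
            print q[2], "pam_winbind", r; next
        }
        /pam_unix\([^)]*\): authentication failure/ {
            u = $0; sub(/.*user=/, "", u)        # user= is the last field
            print u, "pam_unix", "failure"
        }' "$1"
}

# user_outcome FILE USER -> "success" if any module in the stack accepted USER,
# "failure" if only rejections were logged, "none" if USER never appears.
# A pam_unix failure followed by a pam_krb5 success is normal for a domain
# user: pam_unix has no local account to check, and the sufficient module
# that follows it wins.
user_outcome() {
    pam_events "$1" | awk -v u="$2" '
        $1 == u { seen = 1 }
        $1 == u && ($3 == "success" || $3 == "granted") { ok = 1 }
        END { r = ok ? "success" : (seen ? "failure" : "none"); print r }'
}

# keytab_error_count FILE -> number of pam_krb5 lines that could not read the keytab
keytab_error_count() {
    awk '/pam_krb5\[[0-9]+\]: error reading keytab/ { n++ } END { print n + 0 }' "$1"
}

# selinux_denials FILE -> "<comm> <action> <target>" for each AVC denial
selinux_denials() {
    awk '/avc: +denied/ {
        act = $0; sub(/.*denied +[{] */, "", act); sub(/ *[}].*/, "", act)
        c = $0;   sub(/.*comm="/, "", c);         sub(/".*/, "", c)
        n = $0;   sub(/.*name="/, "", n);         sub(/".*/, "", n)
        print c, act, n }' "$1"
}

LOG="${1:-$SAMPLE_LOG}"
echo "== authentication decisions =="; pam_events "$LOG"
echo "== final outcome per user =="
pam_events "$LOG" | awk '{ print $1 }' | sort -u | while read -r u; do
    echo "$u: $(user_outcome "$LOG" "$u")"
done
echo "== pam_krb5 keytab read errors: $(keytab_error_count "$LOG") =="
echo "== SELinux denials (comm action target) =="; selinux_denials "$LOG"
```

The per-user outcome is the line to watch: a user that ends in failure across every module is a real login problem, whereas the pam_unix failure on its own is just the local-password module stepping aside for a domain account. A non-zero keytab error count with successful logins is exactly the situation described above, where auth works but the keytab still needs creating.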
Get a list of users
wbinfo -u
and a list of groups
wbinfo -g
If those lists do not have domain users and domain groups something is not working.
Get a Kerberos ticket with kinit and a domain user:
kinit <user>
Type the password for the user and check with klist
klist
You should see information about tickets being issued.
I find the getent stuff does not work easily and may require ldap setup. Now test with getent.
getent passwd administrator
getent group "domain users"
Try connecting to the box with a domain user
username: cscdomain\jtmoree
password: ******
If you want users to have a home directory created automatically when they access this box, edit the file /etc/pam.d/system-auth and add this line
session required pam_mkhomedir.so skel=/etc/skel umask=0077
to the end of the file. You may want to put it above the optional lines, like this:
session required /lib/security/$ISA/pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional /lib/security/$ISA/pam_krb5.so
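As an added example that is not part of the original page, the script below checks a pam.d file for the pam_mkhomedir session line described above and reads the umask it sets. The page shows the line with umask=0022 in one place and umask=0077 in another; the check treats 0077 (or any mask ending in 77) as the intended setting, because it leaves a new home directory readable by its owner only, and it reports the module's documented default of 0022 when no umask option is present. The sample file written to /tmp is constructed in the layout of the system-auth excerpt above; the script name, the SAMPLE_PAM path and the function names are assumptions. Pass /etc/pam.d/system-auth (or one of the common-* files) as the first argument to check a real host.

```shell
#!/bin/sh
# Added example (not from the original page): check that a PAM config has the
# pam_mkhomedir session line this page adds and that its umask keeps new home
# directories private.  Usage: sh check_mkhomedir.sh /etc/pam.d/system-auth

SAMPLE_PAM="${TMPDIR:-/tmp}/system-auth.sample"
# Constructed sample laid out like the page's system-auth excerpt
cat > "$SAMPLE_PAM" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so use_first_pass
auth        required      pam_deny.so
account     sufficient    pam_winbind.so
account     required      pam_unix.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      /lib/security/$ISA/pam_krb5.so
EOF

# has_mkhomedir FILE -> 0 if some session line loads pam_mkhomedir.so
# (the module path may be bare or absolute, as in the page's examples)
has_mkhomedir() {
    awk '$1 == "session" && $3 ~ /(^|\/)pam_mkhomedir\.so$/ { found = 1 }
         END { exit !found }' "$1"
}

# mkhomedir_umask FILE -> the umask= argument of that line, or the module's
# documented default of 0022 when the option is not given
mkhomedir_umask() {
    awk '$1 == "session" && $3 ~ /(^|\/)pam_mkhomedir\.so$/ {
            m = "0022"
            for (i = 4; i <= NF; i++) if ($i ~ /^umask=/) m = substr($i, 7)
            print m; exit }' "$1"
}

# check_mkhomedir FILE -> 0 only if the module is configured and its umask
# clears every group and other bit, so a new home is visible to its owner only
check_mkhomedir() {
    has_mkhomedir "$1" || { echo "pam_mkhomedir.so is not in the session stack of $1"; return 1; }
    m=$(mkhomedir_umask "$1")
    case "$m" in
        *77) echo "pam_mkhomedir umask=$m: new home directories are owner-only"; return 0 ;;
        *)   echo "pam_mkhomedir umask=$m leaves group/other bits on new home directories"; return 1 ;;
    esac
}

check_mkhomedir "${1:-$SAMPLE_PAM}"
```

Lines that use the bracketed PAM control syntax with spaces inside the brackets would shift the field positions the awk rules rely on; the files shown on this page use the plain required/sufficient/optional keywords, which is what the check assumes.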
When you connect to the system as a domain user you must put the domain before the user name with a backslash. If you don't want the user to have to type the domain, set this option in /etc/samba/smb.conf:
winbind use default domain = yes