Winbind Logins on CentOS 5.5

How to set up Winbind logins

Remove the samba- packages, get sambax, including sambax-winbind, from Centos Updates. Then Hit it!

1. Put /etc/samba/smb.conf like so:

===========

[global]
workgroup = HOME
password server = ad-home-1 ad-home-2
realm = HOME.KU.EDU
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes

template homedir = /home/%U

passdb backend = tdbsam
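An added check (my own example, not code from the original post) that parses the [global] section above and flags the settings that most often break or weaken a winbind setup: security must be ads, the realm must be present and upper-case, the password servers must be listed, and the idmap ranges must parse and start above the uid boundary that the PAM stack in step 2 treats as "local". The boundary value 500 is taken from that PAM stack and is an assumption here, not something Samba itself enforces; the sample config is a constructed copy of the one in the post.

```python
# Added example: sanity-check an smb.conf [global] section before joining.
import re

# Mirrors the "uid >= 500" gate in the post's PAM stack (assumption).
LOCAL_UID_GATE = 500

# Constructed copy of the [global] section shown in the post.
SAMPLE_SMB_CONF = """
[global]
workgroup = HOME
password server = ad-home-1 ad-home-2
realm = HOME.KU.EDU
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
passdb backend = tdbsam
"""


def parse_global(text):
    """Return the key/value pairs of the [global] section, keys lower-cased."""
    settings = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            settings[" ".join(key.split()).lower()] = value.strip()
    return settings


def parse_range(value):
    """Parse an idmap range such as '16777216-33554431' into (low, high)."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError("bad idmap range: %r" % value)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("idmap range reversed: %r" % value)
    return low, high


def check_global(settings):
    """Return a list of problems; an empty list means the section looks sane."""
    problems = []
    if settings.get("security", "").lower() != "ads":
        problems.append("security must be 'ads' for Kerberos/AD logins")
    realm = settings.get("realm", "")
    if not realm:
        problems.append("realm is missing")
    elif realm != realm.upper():
        problems.append("realm should be the upper-case Kerberos realm")
    if not settings.get("password server"):
        problems.append("password server lists no domain controllers")
    for key in ("idmap uid", "idmap gid"):
        if key not in settings:
            problems.append("%s is missing" % key)
            continue
        try:
            low, _ = parse_range(settings[key])
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # Domain accounts must map above the uids the PAM stack treats as
        # local, otherwise a domain SID could land on a system account's uid.
        if low < LOCAL_UID_GATE:
            problems.append("%s starts below the local uid gate %d"
                            % (key, LOCAL_UID_GATE))
    if settings.get("winbind use default domain", "no").lower() not in ("yes", "true"):
        problems.append("winbind use default domain is off; logins need DOMAIN\\user")
    return problems


if __name__ == "__main__":
    found = check_global(parse_global(SAMPLE_SMB_CONF))
    print("OK" if not found else "\n".join(found))
```

Run it against the real file with `parse_global(open("/etc/samba/smb.conf").read())`; the only thing the script can't tell you is whether the domain controllers actually answer, which the join in step 3 will.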

2. Reconfigure /etc/pam.d/system-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

3. VITAL: The machine's FQDN has to end with the domain's name, so "fred" has to be fred.home.ku.edu. That has to be set in /etc/hosts, and in Centos it also has to be in /etc/sysconfig/network. (I set that with system-config-network on the last few machines I set up. Worked fine.) /etc/hosts also needs to have the domain controllers in it; in my case "ad-home-1" and "ad-home-2".

After that, you can join the domain. After doing this the manual way with "/usr/bin/net join -w HOME -S ad-home-1 -U paulj" I learned that system-config-authentication can do it as well. Output is like this:

Using short domain name -- HOME
Joined 'POLS11' to realm 'home.ku.edu'
DNS update failed!

I'm told the last line is harmless. My systems are joined to the domain, but the domain does not know about my machines, so it does not update its DNS records to take into account my systems.
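An added check (my own example, not code from the original post) for steps 2 and 3 together: it parses a PAM stack and verifies the ordering that makes the setup safe (the uid gate sits before pam_winbind in auth, auth ends in an explicit deny, the account entry for pam_winbind ignores unknown local users, and pam_mkhomedir is present so domain users get a home directory), then checks that the host name sits inside the realm and that /etc/hosts names both the machine and the domain controllers. The PAM and /etc/hosts samples are constructed copies of what the post shows, the addresses are made up, and REALM and the DC names are taken from the post's smb.conf.

```python
# Added example: verify PAM ordering and host-name prerequisites before joining.
REALM = "HOME.KU.EDU"
PASSWORD_SERVERS = ["ad-home-1", "ad-home-2"]

# Constructed auth/account/session entries, as in the post's system-auth-ac.
SAMPLE_PAM = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
session optional pam_mkhomedir.so
session required pam_unix.so
"""

# Constructed /etc/hosts with the machine's FQDN and both DCs (addresses made up).
SAMPLE_HOSTS = """
127.0.0.1   localhost.localdomain localhost
192.0.2.10  pols11.home.ku.edu pols11
192.0.2.1   ad-home-1.home.ku.edu ad-home-1
192.0.2.2   ad-home-2.home.ku.edu ad-home-2
"""


def parse_pam(text):
    """Return [(type, control, module, args)] for each non-comment PAM line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        ptype, rest = parts[0], parts[1:]
        if rest[0].startswith("["):
            # A bracketed control such as [default=bad success=ok] spans tokens.
            end = next(i for i, tok in enumerate(rest) if tok.endswith("]"))
            control, rest = " ".join(rest[: end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        entries.append((ptype, control, rest[0], rest[1:]))
    return entries


def check_pam(entries):
    """Return ordering/coverage problems in the stack; empty list means OK."""
    problems = []
    auth = [e for e in entries if e[0] == "auth"]
    modules = [e[2] for e in auth]
    # pam_winbind must be consulted only after the local-account gate, so
    # system accounts never reach the domain, and auth must end in pam_deny
    # so a failed lookup cannot fall through to success.
    if "pam_winbind.so" not in modules:
        problems.append("auth: pam_winbind.so is missing")
    else:
        gate = [i for i, e in enumerate(auth)
                if e[2] == "pam_succeed_if.so" and "uid" in e[3]]
        if not gate or gate[0] > modules.index("pam_winbind.so"):
            problems.append("auth: no uid gate before pam_winbind.so")
    if not auth or auth[-1][2] != "pam_deny.so":
        problems.append("auth: stack does not end with pam_deny.so")
    account = [e for e in entries if e[0] == "account"]
    wb = [e for e in account if e[2] == "pam_winbind.so"]
    if not wb:
        problems.append("account: pam_winbind.so is missing")
    elif "user_unknown=ignore" not in wb[0][1]:
        problems.append("account: pam_winbind.so should ignore unknown (local) users")
    if not any(e[0] == "session" and e[2] == "pam_mkhomedir.so" for e in entries):
        problems.append("session: pam_mkhomedir.so missing; domain users get no home")
    return problems


def check_host(fqdn, hosts_text, realm=REALM, servers=PASSWORD_SERVERS):
    """Check the step-3 prerequisites: FQDN inside the realm, DCs resolvable."""
    problems = []
    if not fqdn.lower().endswith("." + realm.lower()):
        problems.append("FQDN %s is not inside realm %s" % (fqdn, realm))
    names = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.update(n.lower() for n in fields[1:])
    if fqdn.lower() not in names:
        problems.append("/etc/hosts has no entry for %s" % fqdn)
    for dc in servers:
        if dc.lower() not in names:
            problems.append("/etc/hosts has no entry for domain controller %s" % dc)
    return problems


if __name__ == "__main__":
    print(check_pam(parse_pam(SAMPLE_PAM)))
    print(check_host("pols11.home.ku.edu", SAMPLE_HOSTS))
```

On a real box, feed it `open("/etc/pam.d/system-auth-ac").read()`, `open("/etc/hosts").read()` and the output of `hostname -f`; a non-empty list from check_host is exactly the condition under which the join in step 3 fails or the machine ends up with a name the domain does not recognise.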

About pauljohn

Paul E. Johnson is a Professor of Political Science at the University of Kansas. He is an avid Linux User, an adequate system administrator and C programmer, and humility is one of his greatest strengths.