This is my experience integrating Linux GUI (GDM/KDM) login with authentication against an Active Directory (Windows 2003) domain for my clients.
I'm using SADMS (http://sadms.sourceforge.net/) with openSUSE 10.3.
Description of SADMS:
---
SADMS takes care of handling configuration
to achieve the integration of
Linux hosts to an Active Directory domain,
to the effect that:
Linux hosts become Windows domain hosts
(and act either as station or server)
Windows domain users become Linux users
(authentication is offloaded to the domain)
---
But the domain join does not always succeed, so after some time I noticed that the configuration itself comes down to the following:
(There is an oddity in openSUSE: sometimes the joined openSUSE computer refuses to authenticate against the domain, so I created a custom init.d script that restarts samba and winbind after all other services have started, as openSUSE does not provide an rc.local like Fedora does.)
network: 172.16.x.x - 172.17.x.x
realm (domain in CAPITAL): COMPANY.CO.ID
active directory server hostname: ADServer01
1. Create or replace the krb5.conf configuration:
# krb5.conf
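# KERBEROS CONFIG FILE
# SADMS
# 2005-07-10 07:47:33
# Read by the MIT Kerberos library (kinit, Samba's "net ads join", winbind).
# The realm is the AD domain name in UPPER CASE; the KDC is the domain controller.
[libdefaults]
# seconds; the DC may still issue a shorter ticket than requested
ticket_lifetime = 24000
default_realm = COMPANY.CO.ID
# NOTE: the SADMS template spelled these "default_tgs_entypes" and
# "default_tkt__enctypes"; libkrb5 ignores unknown keys, so the lists were
# never applied. rc4-hmac is what a Windows 2003 DC offers; des-cbc-md5 is
# weak and is refused by MIT krb5 >= 1.7 unless allow_weak_crypto = true,
# so drop it if the DC does not require it.
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
# KDC/realm discovery through DNS SRV records is left off; the KDC is named
# explicitly under [realms] instead.
# dns_lookup_realm = true
# dns_lookup_kdc = true
dns_fallback = yes
[realms]
COMPANY.CO.ID = {
# must resolve (hosts file, DNS or WINS); a FQDN is safer than a bare NetBIOS name
kdc = ADServer01
# default_domain is the DNS domain used to expand short host names,
# not the DC's IP address (the template had 172.16.0.5 here)
default_domain = company.co.id
}
[domain_realm]
# Map the DNS domain (and every host under it) to the realm. The IP-address
# entries only match when a host is addressed by that literal string; they
# are kept from the template for compatibility.
.company.co.id = COMPANY.CO.ID
company.co.id = COMPANY.CO.ID
.172.16.0.5 = COMPANY.CO.ID
172.16.0.5 = COMPANY.CO.ID
[appdefaults]
# Consumed by pam_krb5, which the PAM stacks in this write-up do not load
# (pam_winbind handles authentication); harmless if left in place.
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
# Only relevant when this host runs its own KDC, which it does not
#[kdc]
# profile = /var/kerberos/krb5kdc/kdc.conf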
2. smb.conf configuration:
# smb.conf
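# SAMBA CONFIG FILE
# SADMS
# 2007-06-21
# Read by smbd/nmbd/winbindd. This host joins the COMPANY.CO.ID Active
# Directory domain (security = ADS); winbind makes domain users and groups
# visible to the system through nsswitch.conf.
[global]
# netbios name (%h = this host's short hostname)
netbios name = %h
# server string is the equivalent of the NT Description field
server string = COMPANY Linux Samba Server %h
# realm = Kerberos realm (must match default_realm in krb5.conf)
realm = COMPANY.CO.ID
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = COMPANY
# Security mode: authenticate against the AD domain (Kerberos)
security = ADS
# With security = ADS, "*" lets Samba locate the domain controllers itself
# instead of pinning a single DC by name.
password server = *
# Password encryption
encrypt passwords = yes
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network.
# hosts deny = 0.0.0.0/0.0.0.0 rejects everything hosts allow does not list,
# so only the two internal networks and loopback can connect.
hosts allow = 172.16. 172.17. 127.
hosts deny = 0.0.0.0/0.0.0.0
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
guest account = nobody
# this tells Samba to use a separate log file for each machine
# that connects
; log file = /var/log/samba/%m.log;
log file = /var/log/samba/samba.log
# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
; unix password sync = yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to different SMB User names
username map = /etc/samba/smbusers
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# NOTE: the option is spelled TCP_NODELAY; the earlier "TCP_noDELAY"
# looks like a case-mangled copy and may be reported as unknown and skipped.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = ADServer01
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = cups
load printers = yes
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
printing = cups
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
# PAM-related: apply the /etc/pam.d/samba account and session rules to
# SMB sessions, and let password changes go through PAM
obey pam restrictions = yes
pam password change = yes
# Winbind separator between domain and user/group name, e.g. COMPANY/edp;
# the valid users / admin users entries below depend on this character
winbind separator = /
# Winbind use default domain
# This parameter specifies whether the winbindd daemon should
# operate on users without domain component in their username.
# Users without a domain component are treated as is part of
# the winbindd server's own domain. While this does not benefit
# Windows users, it makes SSH, FTP and e-mail function in a way
# much closer to the way they would in a native unix system.
# Default: winbind use default domain = no
winbind use default domain = yes
# RID to UID map
; idmap backend = rid:"BUILTIN=1000-9999,COMPANY=10000-60000"
; idmap domains = COMPANY
; idmap config COMPANY:backend = rid
; idmap config COMPANY:range = 10000-60000
; idmap config BUILTIN:backend = rid
; idmap config BUILTIN:range = 1000-9999
# RID idmap does not work with trusted domains
; allow trusted domains = no
# Domain user id range
# With the rid backend above left commented out, winbind allocates ids from
# its local tdb as it first sees each SID, so the same domain user can get a
# different uid on every host (matters if home directories are shared).
# This range also starts at 1000, where local accounts are created as well;
# the commented rid ranges above (10000+) avoid that overlap.
idmap uid = 1000-60000
# Domain group id range
idmap gid = 1000-60000
# Allow enumeration of domain users and groups (getent passwd/group lists
# the whole domain; can be slow on large domains)
winbind enum users = yes
winbind enum groups = yes
# Allow nested groups
; winbind nested groups = yes
# Winbind templates
# This parameter is designed to control how Winbind retrieves
# Name Service Information to construct a user's home directory
# and login shell. Currently the following settings are available:
# - template - The default, using the parameters of template shell
# and template homedir)
# - sfu - When Samba is running in security = ads and your Active
# Directory Domain Controller does support the Microsoft "Services
# for Unix" (SFU) LDAP schema, winbind can retrieve the login shell
# and the home directory attributes directly from your Directory
# Server. Note that retrieving UID and GID from your ADS-Server
# requires to use idmap backend = idmap_ad as well.
; winbind nss info = template
# When filling out the user information for a Windows NT user, the
# winbindd(8) daemon uses this parameter to fill in the home
# directory for that user. If the string %D is present it is sub-
# stituted with the user's Windows NT domain name. If the string
# %U is present it is substituted with the user's Windows NT user
# name. The directory itself is created at first login by
# pam_mkhomedir in /etc/pam.d/common-session.
template homedir = /home/%D/%U
# When filling out the user information for a Windows NT user, the
# winbindd(8) daemon uses this parameter to fill in the login
# shell for that user.
template shell = /bin/bash
# This option defines the default primary group for each user cre-
# ated by winbindd(8)'s local account management functions (simi-
# lar to the 'add user script').
;template primary group = "COMPANY/Domain Users"
;template primary group = "Domain Users"
# Services
default service = homes
preload = global homes printers
# Default share values (inherited by every share unless overridden there)
valid users = @"COMPANY/Domain Users"
# admin users perform every file operation as root on every share they
# connect to; keep this list as short as possible.
admin users = "COMPANY/edp"
#==================
create mask = 0644
directory mask = 0711
# Removed: "wins support = yes" together with "wins server" (set above)
# makes nmbd refuse to start, because Samba cannot be WINS server and WINS
# client at the same time; the DC is the WINS server here.
; wins support = yes
[homes]
comment = Home Directory
browseable = no
writable = yes
valid users = @"COMPANY/Domain Users"
; read only = No
; create mask = 0664
; directory mask = 0755
;[users]
; path = /home
; comment = All Home Directories
; browseable = yes
; writable = yes
; valid users = @"COMPANY/Domain Users"
; admin users = "COMPANY/edp"
; read list = @"COMPANY/Domain Users"
; write list = @"COMPANY/Domain Users"
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
# spool directory for print jobs; must be writable by the guest account
path = /var/tmp
browseable = no
# guest ok and public are synonyms: anyone allowed by hosts allow can print
# without a domain account (see the note at the end of this share)
guest ok = yes
writable = no
printable = yes
public = yes
;to allow user 'guest account' to print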
3. ntp configuration:
################################################################################
## /etc/ntp.conf
##
## Sample NTP configuration file.
## See package 'ntp-doc' for documentation, Mini-HOWTO and FAQ.
## Copyright (c) 1998 S.u.S.E. GmbH Fuerth, Germany.
##
## Author: Michael Andres,
##
################################################################################
##
## Radio and modem clocks by convention have addresses in the
## form 127.127.t.u, where t is the clock type and u is a unit
## number in the range 0-3.
##
## Most of these clocks require support in the form of a
## serial port or special bus peripheral. The particular
## device is normally specified by adding a soft link
## /dev/device-u to the particular hardware device involved,
## where u corresponds to the unit number above.
##
## Generic DCF77 clock on serial port (Conrad DCF77)
## Address: 127.127.8.u
## Serial Port: /dev/refclock-u
##
## (create soft link /dev/refclock-0 to the particular ttyS?)
##
# server 127.127.8.0 mode 5 prefer
##
## Undisciplined Local Clock. This is a fake driver intended for backup
## and when no outside source of synchronized time is available.
## Stratum 10 keeps it far below the real source, so it is only used
## while the domain controller is unreachable.
##
server 127.127.1.0 # local clock (LCL)
fudge 127.127.1.0 stratum 10 # LCL is unsynchronized
##
## Outside source of synchronized time
## (the placeholder below is superseded by the ADServer01 entry further down)
##
## server xx.xx.xx.xx # IP address of server
##
## Miscellaneous stuff
##
driftfile /var/lib/ntp/drift/ntp.drift # path for drift file
logfile /var/log/ntp # alternate log file
## The AD domain controller is the time source. Kerberos rejects
## authenticators whose timestamp is off by more than the DC's allowed
## skew (5 minutes by default), so this line is what keeps domain logins
## working as the clock drifts.
server ADServer01.company.co.id
## Access control: trust localhost fully, refuse every other source by
## default, and accept time from the DC only (no queries, no modification,
## no trap registration from it).
restrict 127.0.0.1
restrict default ignore
restrict ADServer01.company.co.id nomodify notrap noquery
# logconfig =syncstatus + sysevents
# logconfig =all
# statsdir /tmp/ # directory for statistics files
# filegen peerstats file peerstats type day enable
# filegen loopstats file loopstats type day enable
# filegen clockstats file clockstats type day enable
#
# Authentication stuff (symmetric-key NTP authentication; unused here,
# the DC is trusted by address via the restrict line above)
#
# keys /etc/ntp.keys # path for keys file
# trustedkey 1 2 3 4 5 6 14 15 # define trusted keys
# requestkey 15 # key (7) for accessing server variables
# controlkey 15 # key (6) for accessing server variables
4. pam.d: 5 related files (common-account, common-auth, common-password, common-session, samba)
- common-account
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
# Local accounts first: if pam_unix2 accepts the account the stack ends
# here (sufficient); otherwise fall through to the domain check.
account sufficient pam_unix2.so
# Domain accounts via winbind. success=ok: continue normally;
# user_unknown=ignore: a user winbind does not know does not count either
# way; default=bad: any other verdict (expired, disabled, locked) fails
# the stack.
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
# Closes the stack with a success for whatever was not rejected above.
account required pam_permit.so
- common-auth
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
# NOTE(review): both modules below run with use_first_pass, so something
# earlier in the stack has to collect the password -- here that is
# pam_mount. If pam_mount is ever removed, drop use_first_pass as well or
# nobody will be prompted.
auth required pam_mount.so
# Local /etc/shadow accounts first, then the AD domain via winbind; either
# one accepting the password ends the stack (sufficient).
auth sufficient pam_unix2.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
# Reached only when neither accepted the password: deny explicitly
auth required pam_deny.so
- common-password
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
# Password quality check (cracklib dictionary); requisite = a weak
# password aborts the change immediately.
password requisite pam_pwcheck.so nullok cracklib
# Local accounts; use_authtok reuses the password already checked above.
# nullok allows an empty password to be set -- review whether that is
# wanted on domain-joined hosts.
password sufficient pam_unix2.so use_authtok nullok
# Domain accounts: the change is forwarded to the DC through winbind
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
- common-session
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive)
#
# Creates the home directory (smb.conf: template homedir = /home/%D/%U)
# at a domain user's first login. umask=0066 gives the directory mode
# 0711 (0777 & ~0066): no group/other read access, matching
# directory mask = 0711 in smb.conf.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
session required pam_limits.so
session required pam_unix2.so
session optional pam_umask.so
# NOTE(review): common-auth lists pam_mount as required, but the actual
# mounting happens in the session phase, which is disabled here -- enable
# this line or drop pam_mount from common-auth, whichever is intended.
#session optional pam_mount.so
- samba
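#%PAM-1.0
# PAM service used by smbd for account/session checks and password changes
# (smb.conf: obey pam restrictions = yes, pam password change = yes).
# Refuse logins while /etc/nologin exists
auth required pam_nologin.so
# Include the shared stacks configured on this host. The earlier version
# included "system-auth", which is the Fedora/RHEL name; on this openSUSE
# install the shared stacks are the common-* files, and an include of a
# file that does not exist fails the whole service.
auth include common-auth
account include common-account
session include common-session
password include common-password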
5. Change nsswitch.conf:
# passwd/group: local files first (compat = files plus NIS +/- entries),
# then domain users and groups from winbindd. This is what turns
# "COMPANY/user" (or plain "user", since winbind use default domain = yes)
# into a uid/gid for login, ls and Samba.
passwd: compat winbind
group: compat winbind
# NOTE(review): domain password checks go through pam_winbind, not shadow;
# winbind's NSS module is not expected to serve shadow entries, so the
# "winbind" source here is harmless but presumably unused.
shadow: compat winbind
# Host names: /etc/hosts, then DNS, then NetBIOS/WINS as a last resort
# (requires Samba's libnss_wins; lets the bare name ADServer01 used in
# krb5.conf and smb.conf resolve even when DNS has no record for it).
hosts: files dns wins
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
# NIS sources below are the distribution defaults; no NIS is configured
# in this write-up
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files