Join Linux to Active Directory With Winbind - Page 2
From time synchronization to wrestling with PAM, there are a lot of ins and outs to joining your Linux systems to Active Directory. Here's how to manage it.
The use_first_pass argument tells PAM to re-use the previously entered password instead of prompting again. This works only for auth and password modules.
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022 is a slick little PAM feature that creates home directories for users on the fly, the first time a domain user logs in.
This does the same thing on Red Hat:
#/etc/pam.d/login
auth       required    /lib/security/pam_securetty.so
auth       sufficient  /lib/security/pam_winbind.so
auth       sufficient  /lib/security/pam_unix.so use_first_pass
auth       required    /lib/security/pam_stack.so service=system-auth
auth       required    /lib/security/pam_nologin.so
account    sufficient  /lib/security/pam_winbind.so
account    required    /lib/security/pam_stack.so service=system-auth
password   required    /lib/security/pam_stack.so service=system-auth
session    required    /lib/security/pam_stack.so service=system-auth
session    required    /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session    optional    /lib/security/pam_console.so
What if you want to authenticate SSH logins via PAM? Do this in /etc/pam.d/ssh:
auth       required    /lib/security/pam_securetty.so
auth       sufficient  /lib/security/pam_winbind.so
auth       sufficient  /lib/security/pam_unix.so
auth       required    /lib/security/pam_pwdb.so use_first_pass
account    sufficient  /lib/security/pam_unix.so
account    required    /lib/security/pam_winbind.so
session    required    /lib/security/pam_unix.so
session    required    /lib/security/pam_winbind.so
password   required    /lib/security/pam_unix.so
password   required    /lib/security/pam_winbind.so
How do you configure other services? As a general rule, put your pam_winbind.so module next to any existing line that references a standard Linux auth, account, session, or password module. I don't promise that this will always work, but it's a good starting point. Or you can study the PAM documentation. Or wait for my detailed PAM howto.
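An added example, not code from the article: a small linter for a classic /etc/pam.d/<service> file that checks the two rules above, that use_first_pass only does anything on auth and password lines (and needs an earlier module to have prompted), and that every group stacking pam_unix.so also stacks pam_winbind.so. The sample stacks are constructed here, and the set of password-collecting modules (PROMPTING) is an assumption for the check.

```python
# Added example, not from the article: lint a classic /etc/pam.d/<service> file
# against the stacking rules above. Samples are constructed; PROMPTING is an assumption.
PAM_TYPES = ("auth", "account", "password", "session")
PROMPTING = {"pam_winbind.so", "pam_unix.so", "pam_pwdb.so"}  # modules that ask for a password

def parse_pam(text):
    """Yield (type, control, module, args) per 'type control module [args]' line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in PAM_TYPES:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, control, module, *args = fields
        yield mtype, control, module.rsplit("/", 1)[-1], args

def lint_pam(text):
    """Return a list of findings; an empty list means the stack follows the rules."""
    findings = []
    seen = {t: [] for t in PAM_TYPES}          # modules per type, in stack order
    for mtype, _control, module, args in parse_pam(text):
        if "use_first_pass" in args:
            if mtype not in ("auth", "password"):
                findings.append(f"{mtype} {module}: use_first_pass only works for auth/password")
            elif not any(m in PROMPTING for m in seen[mtype]):
                findings.append(f"{mtype} {module}: use_first_pass but no earlier module prompted")
        seen[mtype].append(module)
    for mtype in PAM_TYPES:                    # rule of thumb: winbind beside every unix line
        if "pam_unix.so" in seen[mtype] and "pam_winbind.so" not in seen[mtype]:
            findings.append(f"{mtype}: pam_unix.so stacked without pam_winbind.so")
    return findings

# Constructed sample modelled on the article's SSH stack; expected to lint clean.
GOOD_SSH = """\
auth     required   /lib/security/pam_securetty.so
auth     sufficient /lib/security/pam_winbind.so
auth     sufficient /lib/security/pam_unix.so use_first_pass
account  sufficient /lib/security/pam_unix.so
account  required   /lib/security/pam_winbind.so
session  required   /lib/security/pam_unix.so
session  required   /lib/security/pam_winbind.so
"""

# Constructed sample with mistakes: use_first_pass before any prompt, and in session.
BAD = """\
auth     sufficient /lib/security/pam_unix.so use_first_pass
auth     sufficient /lib/security/pam_winbind.so
session  required   /lib/security/pam_unix.so use_first_pass
"""
```

Running lint_pam over a real service file (open("/etc/pam.d/login").read()) reports each violation as one line; note that pam_securetty.so before the winbind line is fine, since the check only asks that some prompting module precede the use_first_pass line.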
Make sure that you do not have more than one account that has UID=0 in the password database. If there are two accounts in the passdb backend that have the same UID, winbind will break.
Now you can restart smbd and winbindd and try logging in from a Linux workstation. If you run into trouble, look for help in Resources. The Samba mail list archives contain a wealth of excellent information.
Resources
- The Linux-PAM System Administrators' Guide
- man 7 pam
- Chapter 22 of The Official Samba-3 HOWTO and Reference Guide, "Winbind: Use of Domain Accounts"
- Chapter 26, "PAM-Based Distributed Authentication"
- Samba mail list
- Chapter 19 of the Linux Cookbook, "Keeping Time With NTP", and chapter 23 "File and Printer Sharing, and Domain Authentication With Samba"