Winbind authentication against active directory
This tip will describe how to configure authentication settings in CentOS to use authentication against Windows Servers. I will describe how to do it in a command line. The command line arguments can be easily adapted in the gui version. It is strongly recommended that you read the samba documentations on this topic to understand how winbind works.
WARNING: The commands given here will reconfigure authentication settings. Do not use them until you fully understand what they do. If you make any mistake you might not be able to login to your system!
In order to use winbind you need to install the samba-common package.
# yum install samba-common
To join the CentOS machine to the Windows domain you need a valid domain admin account.
3. Doing it
Actually all is done in one long command line which looks like this (you have to replace the strings starting with $ to match your local settings):
# authconfig \ --update \ --kickstart \ --enablewinbind \ --enablewinbindauth \ --smbsecurity=ads \ --smbworkgroup=$ADSWorkgroup \ --smbrealm=$ADSDomain \ --smbservers=$ADSServer \ --winbindjoin=$AdminUser \ --winbindtemplatehomedir=/home/%U \ --winbindtemplateshell=/bin/bash \ --enablewinbindusedefaultdomain \ --enablelocauthorize
Now that is an awful lot of parameters, lets see what they do:
- --kickstart This tells authconfig not to run any ui (text-ui or gtk)
- --enablewinbind Turn on nss lookup via winbind
- --enablewinbindauth Turn on authentication via winbind
- --smbsecurity=ads Set samba security model to active directory mode
- --smbworkgroup= Classic (pre Windows 2003 Server) name of domain
- --smbrealm= Active directory domain (e.g. yourcompany.com)
- --smbservers= Name or list of AD servers to use. For a list of Servers use quotes e.g. "server1 server2 *", actually winbind should figure out the right servers itself by asking DNS but it might make sense to set them.
- --winbindjoin= User name of domain admin user to authenticate the domain join of the machine.
- --winbindtemplatehomedir=/home/%U Path template for home directories of users. (%U is a smb.conf token for username)
- --winbindtemplateshell=/bin/bash Default shell to set for users.
--enablelocauthorize Also enable local authorization against /etc/passwd. Important!
4. Additional parameters
- --enablewinbindusedefaultdomain If you do not set this your usernames will have the form "WORKGROUPNAME\username" if you set it the usernames will have the more common format "username".
- --enablemkhomedir (CentOS 5 only) Enable pam_mkhomedir which automatically generates home dirs on first login. This is only useful if you do not have central homedirs on a network storage. On CentOS 4 you can enable pam_mkhomedirs manually by editing pam config for system-auth but this file is regenerated by each execution of authconfig.
Pam in CentOS uses stacking so you can put other authentication methods here, for complete options see
# authconfig --help
or the authconfig gui.
5. And then...
Once you run the command it will rewrite pam system-auth config, run net join ads for you and ask for the password of the domain admin user given in --winbindjoin. Afterwards it will disable nscd and enable winbindd. If that was successful you can check winbind status with the wbinfo tool. To show list of users use
# wbinfo -u
See wbinfo --help for details.
6. Additional things
6.1. Kerberos Keytabs
If you use kerberos keytabs for services (e.g. httpd kerberos authentication) you can manage it using the net command. To create a keytab file simply use
# net ads keytab create
To add a service realm (e.g. HTTP)
# net ads keytab add HTTP
6.2. Restricting access to given groups
in /etc/security/pam_winbind.conf you can specifiy a windows group on the parameter require_membership_of. Once this is set only users being member of this group can authenticate. This will not work if you use additional authentications (e.g. kerberos or ldap) which successfully authenticates the user.
6.3. Deterministic userid/groupid mapping
In the described/default setup winbind will do dynamic ActiveDirectory SID to unix UID/GID mapping on each machine. This is not useful in some scenarios where you need identical UIDs on different machines. The typical example for that is NFS. Winbind offers a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs. This is done with the idmap rid backend. To use it you have to manually add the following lines to the [global] section of /etc/samba/smb.conf:
idmap domains = DOMAIN idmap config DOMAIN:backend = rid idmap config DOMAIN:base_rid = 0 idmap config DOMAIN:range = 20000 - 49999
Where DOMAIN is the WINS name of your ActiveDirectory domain. You can also map users from another trusted domain to a separate range. For details please consult the idmap_rid documentation: http://samba.org/samba/docs/man/manpages-3/idmap_rid.8.html. On CentOS 5 make sure you add those lines outside the range marked by:
#--authconfig--start-line-- .. #--authconfig--end-line--
so it will not be touched by authconfig.