Winbind authentication against active directory

Description

This tip will describe how to configure authentication settings in CentOS to use authentication against Windows Servers. I will describe how to do it in a command line. The command line arguments can be easily adapted in the gui version. It is strongly recommended that you read the samba documentations on this topic to understand how winbind works.

WARNING: The commands given here will reconfigure authentication settings. Do not use them until you fully understand what they do. If you make any mistake you might not be able to login to your system!

Prerequisites

In order to use winbind you need to install the samba-common package.

# yum install samba-common

To join the CentOS machine to the Windows domain you need a valid domain admin account.

Doing it

Actually all is done in one long command line which looks like this (you have to replace the strings starting with $ to match your local settings):

# authconfig \
--update \
--kickstart \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=$ADSWorkgroup \
--smbrealm=$ADSDomain \
--smbservers=$ADSServer \
--winbindjoin=$AdminUser \
--winbindtemplatehomedir=/home/%U \
--winbindtemplateshell=/bin/bash \
--enablewinbindusedefaultdomain \
--enablelocauthorize

Now that is an awful lot of parameters, lets see what they do:

Additional parameters

Pam in CentOS uses stacking so you can put other authentication methods here, for complete options see

# authconfig --help

or the authconfig gui.

And then...

Once you run the command it will rewrite pam system-auth config, run net join ads for you and ask for the password of the domain admin user given in --winbindjoin. Afterwards it will disable nscd and enable winbindd. If that was successful you can check winbind status with the wbinfo tool. To show list of users use

# wbinfo -u

See wbinfo --help for details.

Additional things

Kerberos Keytabs

If you use kerberos keytabs for services (e.g. httpd kerberos authentication) you can manage it using the net command. To create a keytab file simply use

# net ads keytab create

To add a service realm (e.g. HTTP)

# net ads keytab add HTTP

Restricting access to given groups

in /etc/security/pam_winbind.conf you can specifiy a windows group on the parameter require_membership_of. Once this is set only users being member of this group can authenticate. This will not work if you use additional authentications (e.g. kerberos or ldap) which successfully authenticates the user.

Deterministic userid/groupid mapping

In the described/default setup winbind will do dynamic ActiveDirectory SID to unix UID/GID mapping on each machine. This is not useful in some scenarios where you need identical UIDs on different machines. The typical example for that is NFS. Winbind offers a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs. This is done with the idmap rid backend. To use it you have to manually add the following lines to the [global] section of /etc/samba/smb.conf:

   idmap domains = DOMAIN
   idmap config DOMAIN:backend      = rid
   idmap config DOMAIN:base_rid     = 0
   idmap config DOMAIN:range        = 20000 - 49999

Where DOMAIN is the WINS name of your ActiveDirectory domain. You can also map users from another trusted domain to a separate range. For details please consult the idmap_rid documentation: http://samba.org/samba/docs/man/manpages-3/idmap_rid.8.html. On CentOS 5 make sure you add those lines outside the range marked by:

#--authconfig--start-line--
..
#--authconfig--end-line--

so it will not be touched by authconfig.

TipsAndTricks/WinbindADS (last edited 2010-06-07 08:46:20 by TimothyLee)