Configure Winbind and PAM for authentication
The first step is to get the Linux box to treat Windows ADS accounts as local accounts — i.e. people can log into the Linux box using their Windows ADS usernames and passwords.
This is quite easily done using Fedora Core 4, and is described in this article. The article actually describes the steps for Fedora Core 2 (Fedora 3 Beta), but the steps are even simpler and less error-prone for Fedora Core 4.
In Fedora Core 4, using the KDE Desktop, you can simply use these steps:
System Settings->Authentication->Authentication->Enable Winbind Support->Configure Winbind
Type in the appropriate values for your Domain, Domain Controller, and ADS Realm, and click "Join Domain"
If you don't have KDE, you can follow the manual steps - using authconfig — as discussed in the article referred to above. There is another excellent step-by-step guide here.
Once Winbind is configured, edit your smb.conf file (located at /etc/samba/smb.conf in my distribution; YMMV) and check or insert the following in the [global] section:

   template homedir = /home/%D/%U
   winbind separator = \
   security = ads
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind trusted domains only = no
   workgroup = SOMEDOMAIN
   realm = SOMEDOMAIN.EXAMPLE.COM
   password server = ADSCONTROLLER.SOMEDOMAIN.EXAMPLE.COM
   obey pam restrictions = yes

Note that winbind separator takes a single bare character (the backslash is in fact Samba's default). If you write it with quotes as '\', the quote character itself becomes the separator; you will not notice for users of your own domain, because winbind use default domain = yes strips the domain prefix from them, but users from trusted domains will show up as DOMAIN'user. The two enum options let getent passwd and getent group list every account in the domain, which is convenient for a small domain but slow on a large one.
Don't forget to create the folder /home/SOMEDOMAIN yourself, as it is not created automatically; without it your users will be able to log into your Linux box, but they will have no home directories.
The next step is to ensure that home directories are created automatically the first time a Windows user logs in to your Linux box. You do this by adding the PAM module pam_mkhomedir.so to the PAM configuration files of the services you log in through; this article covers two of them, located under /etc/pam.d: login (console logins) and gdm (the GNOME display manager).
Simply add the line
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
at the end of each of those two files. The umask=0077 makes each new home directory readable by its owner only, and skel=/etc/skel/ populates it from the usual skeleton files. Bear in mind that this only covers those two services: ssh logins go through /etc/pam.d/sshd and KDE's display manager through /etc/pam.d/kdm. On Fedora all of these include the shared stack /etc/pam.d/system-auth, so adding the line at the end of system-auth instead covers every login service in one place.
Warning: make sure you back up your PAM configuration files before you change anything. A broken PAM stack can lock everyone out, including root, so keep a root shell open until you have confirmed that a fresh login still works.
At this point, your users should be able to access your Linux box using their ADS credentials. Check the join with wbinfo -t (validates the machine trust account), list domain accounts with wbinfo -u, and confirm that NSS resolves them with getent passwd; if the join itself fails, first check that the Linux clock is within the domain's allowed Kerberos clock skew (five minutes by default) of the domain controller, since security = ads authenticates the box over Kerberos.
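The whole procedure above, pulled together as an added example script that is not part of the original article or of Fedora: it backs up and edits the PAM files idempotently, creates the per-domain home parent, prints the smb.conf [global] fragment for you to merge, and afterwards checks the join with wbinfo and getent. The paths, the list of PAM services and the SOMEDOMAIN / SOMEDOMAIN.EXAMPLE.COM / ADSCONTROLLER.SOMEDOMAIN.EXAMPLE.COM placeholders are assumptions taken from the text; set DOMAIN, REALM, DC and PAM_SERVICES in the environment for your own site.

```bash
#!/bin/bash
# Added example (not from the original article): applies the Winbind/PAM
# steps in an idempotent, backed-up way and checks the join afterwards.
# Assumptions: Fedora-style paths (/etc/pam.d, /etc/samba/smb.conf) and the
# article's placeholder names SOMEDOMAIN / SOMEDOMAIN.EXAMPLE.COM /
# ADSCONTROLLER.SOMEDOMAIN.EXAMPLE.COM, all overridable via the environment.
#   ./winbind-setup.sh apply   # edit PAM files, create /home/$DOMAIN, print smb.conf fragment
#   ./winbind-setup.sh check   # verify the join and NSS lookups
set -u

DOMAIN="${DOMAIN:-SOMEDOMAIN}"
REALM="${REALM:-SOMEDOMAIN.EXAMPLE.COM}"
DC="${DC:-ADSCONTROLLER.SOMEDOMAIN.EXAMPLE.COM}"
PAM_SERVICES="${PAM_SERVICES:-login gdm}"   # the two files the article edits; add system-auth to cover all
PAM_LINE='session required pam_mkhomedir.so skel=/etc/skel/ umask=0077'

# Keep a pristine copy (file.orig) before the first edit; never overwrite it.
backup_once() {
    local f="$1"
    [ -f "$f" ] || return 1
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig"
}

# Append the pam_mkhomedir line to a PAM service file unless it is already
# there, so re-running the script does not stack duplicate session entries.
add_mkhomedir() {
    local f="$1"
    backup_once "$f" || return 1
    grep -q 'pam_mkhomedir\.so' "$f" && return 0
    printf '%s\n' "$PAM_LINE" >> "$f"
}

# The [global] settings from the article. The separator is one bare
# character: quoting it as '\' would make the quote itself the separator.
smb_global_fragment() {
    cat <<EOF
[global]
   workgroup = $DOMAIN
   realm = $REALM
   security = ads
   password server = $DC
   obey pam restrictions = yes
   template homedir = /home/%D/%U
   winbind separator = \\
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind trusted domains only = no
EOF
}

# Create the parent that template homedir points at, then wire up PAM.
apply_all() {
    mkdir -p "/home/$DOMAIN" && chmod 755 "/home/$DOMAIN"
    for svc in $PAM_SERVICES; do
        add_mkhomedir "/etc/pam.d/$svc" || echo "skipped /etc/pam.d/$svc (not found)" >&2
    done
    backup_once /etc/samba/smb.conf || true
    echo "Merge the following into the [global] section of /etc/samba/smb.conf:" >&2
    smb_global_fragment
}

# After 'net ads join' (or the GUI's "Join Domain"): is the machine trust
# account valid, and does NSS hand out domain users with the expected homes?
check_winbind() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found" >&2; return 2; }
    wbinfo -t || { echo "trust secret check failed: not joined, or winbindd not running" >&2; return 1; }
    getent passwd | grep -q "/home/$DOMAIN/" \
        || { echo "no domain users via NSS: check nsswitch.conf and winbind enum users" >&2; return 1; }
    getent passwd | grep "/home/$DOMAIN/" | head -n 3
}

case "${1:-}" in
    apply) apply_all ;;
    check) check_winbind ;;
esac
```

The script prints the smb.conf fragment rather than writing it, because smb.conf usually already has a [global] section with share definitions below it that a blind overwrite would destroy; the PAM edit is safe to automate because it only ever appends one line and leaves a .orig copy behind.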