My Profile Photo

hagridaaron


A place to post things from my brain. External memory. My thoughts are my own.


Configuring Winbindd on Linux

Authentication on Linux via Windows Active Directory

Managing a fleet of servers is not an easy task, even when you have a small user base. Passwords and homedirs all have to be managed from server to server. Sysadmins from across the ages have used many different systems to help manage this problem. OpenLDAP and other LDAP systems are useful, but most enterprise’s don’t use OpenLDAP. Here we will review using Active Directory as an authentication LDAP source.

Rescissory Packages

Using your favorite package manager, install the following packages:

  • samba
  • samba-winbind
  • samba4-winbind-clients
  • Samba-winbind-krb5-locator
  • ntp

It’s possible that some of these aren’t required, or I missed a package. There are some great resources out there if you google “Installing Winbind on Linux”

Important Files - “Gotchas”

When installing and configuring winbindd there are a few utilities and files that will be very important.

authconfig-tki

This command will give you a text-based interface for configuring the authentication methods on your Linux machine. Note: Running this command will make changes to some of the winbind system files, most notably /etc/pam.d/system-auth-ac if you’re running a new install this shouldn’t be a problem

/etc/pam.d/system-auth-ac as mentioned before this is a very important file for system auth. This is where you will make the majority of your changes when configuring winbind.

/etc/pam.d/password-auth-ac

/etc/krb5.conf

/etc/samba/smb.conf

/etc/security/pam_winbind.conf

Joining the Windows Active Directory Domain

Use the following command to join the AD Domain

# net ads join -S server.address -U Administrator

If you get an error, you can test to see if your join worked with the following command:

# net ads testjoin
# net rpc testjoin

If you got OK from those commands, you should be fine, but see below for further troubleshooting.

Troubleshooting

The following commands with help you get a little bit more incite into what’s going on with your server. Before we get into that, it’s important to note that logs are going to be your best friend when troubleshooting this - or any - linux issue. On CentOS the log you want to look at is /var/log/secure. What I usually do is open two console windows, one to work in, and the other to tail the log. Use this command to watch the log file life (aka “tailing”)

tail -f /var/log/secure

From there you can use the wbinfo command to query information from the winbind daemon.

wbinfo -u 

This will give you a list of domain users.

wbinfo -g 

This will give you a list of domain groups.

net ads info

This gives information about the active directory domain you are joined to.