I'm going to top-post this message to say THANK YOU to Tarun, Phil,
Craig, Patrick and Michael. Will try it all out. I had a feeling that
Xandros guy was being a little misleading.
On 05/28/2004 03:47 PM, Tarun Reddy wrote:
I agree with Craig.
I'm using FC2 against Windows 2003 active directory servers very
successfully (well, minus one part).
However, note that system-config-authentication is woefully
broken/incomplete when it comes to winbind configuration.
But here are my general steps using FC2.
Install FC2 with "Windows File Sharing"
during firstboot, skip over creating an account
run system-config-authentication
click enable Winbind support
click the configure button
fill in:
winbind domain: <DOMAIN> (no .com/.org/etc here)
Security model: ads
winbind ads realm: <DOMAIN.COM>
winbind domain controllers: dc.domain.com (I put in my primary ADS server)
Template shell: (your choice)
now as root edit /etc/krb5.conf
You'll see where the system-config-authentication has not replaced
anything correctly here.
You need to change EXAMPLE.COM -> DOMAIN.COM and .example.com to
.domain.com as needed
Also change kerberos.example.com to your ads server and admin_server
to your ads server.
Now open /etc/samba/smb.conf
search for password server. You'll notice two entries here. You should
only have your ads server here.
I've added, below the template shell line,
template homedir = /home/%U
so I don't have to have /home/DOMAIN/USER as the location for my home
directory.
I also changed winbind use default domain to yes so that users can
log in as USER instead of DOMAIN+USER.
The final step is to add the machine to the domain
as root
net ads join -w DOMAIN -S ADSSERVER.DOMAIN.COM -U Administrator
/etc/rc.d/init.d/winbind restart
/etc/rc.d/init.d/sshd restart
(or even safer reboot)
You will have to add the users' homedirs by hand before they can log in,
and that's the final piece I'm trying to solve. Samba's add user
script doesn't work for me.
Hope this helps,
Tarun
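The configuration edits Tarun walks through above, collected into a small script as an added example (this is not code from the thread or from Samba/Fedora). It renders the krb5.conf and smb.conf fragments from a few variables and checks the rendered smb.conf for the two points he calls out: exactly one password server entry, and winbind use default domain set to yes. The function names, the sample domain values, and the idmap range are assumptions; the script writes to stdout and a path you pass in, never to /etc.

```shell
#!/bin/sh
# Added example: render the krb5.conf / smb.conf pieces described in the
# thread and sanity-check the smb.conf before running "net ads join".
set -e

# render_krb5_conf REALM DNS_DOMAIN AD_SERVER
#   REALM      = upper-case Kerberos realm, e.g. DOMAIN.COM
#   DNS_DOMAIN = lower-case DNS domain, e.g. domain.com
#   AD_SERVER  = FQDN of the domain controller acting as KDC/admin server
render_krb5_conf() {
    realm=$1; dnsdom=$2; dc=$3
    cat <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 $realm = {
  kdc = $dc:88
  admin_server = $dc:749
  default_domain = $dnsdom
 }

[domain_realm]
 .$dnsdom = $realm
 $dnsdom = $realm
EOF
}

# render_smb_conf WORKGROUP REALM AD_SERVER TEMPLATE_SHELL
#   WORKGROUP = NetBIOS domain name (no .com), REALM = DOMAIN.COM
render_smb_conf() {
    wg=$1; realm=$2; dc=$3; shell=$4
    cat <<EOF
[global]
 workgroup = $wg
 security = ads
 realm = $realm
 password server = $dc
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 winbind use default domain = yes
 template shell = $shell
 template homedir = /home/%U
EOF
}

# check_smb_conf PATH
#   Returns 0 only when the file has exactly one "password server" line,
#   security = ads, and winbind use default domain = yes.
check_smb_conf() {
    f=$1
    n=$(grep -c '^[[:space:]]*password server[[:space:]]*=' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly 1 password server line, found $n" >&2
        return 1
    fi
    grep -q '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$f" || return 1
    grep -q '^[[:space:]]*winbind use default domain[[:space:]]*=[[:space:]]*yes' "$f" || return 1
    return 0
}
```

Typical use: render both files into a scratch directory, run check_smb_conf on the smb.conf, diff them against the ones system-config-authentication produced, and only then copy them into place and do the net ads join and service restarts from the steps above.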
On May 28, 2004, at 12:21 PM, Craig White wrote:
On Fri, 2004-05-28 at 10:40, Matt Morgan wrote:
Has anybody done this on their system with more open tools? Or another
option seems to be maintaining an NIS server that somehow replicates
accounts with the AD servers, so that NIS handles Linux login, while AD
handles only Windows--anybody tried that? Or if anybody else has come up
with other solutions to this or similar problems, please write in. We
have looked at all the PAM options--kerberos, LDAP, etc.--and none of
them look quite as good as what Xandros has done; but if they work for
you, I'm very interested in hearing your stories.
-----
samba / winbind
if you need documentation
www.samba.org -> documentation, samba-3 howto
Craig