On Fri 11 May 2007, azeem ahmad wrote:
> >From: "Marcelo Magno T. Sales" <marcelo.sales@xxxxxxxxxxxxxxx>
> >Reply-To: For users of Fedora <fedora-list@xxxxxxxxxx>
> >To: For users of Fedora <fedora-list@xxxxxxxxxx>
> >Subject: Re: AD logins
> >Date: Thu, 10 May 2007 09:46:53 -0300
> >
> >On Thu 10 May 2007, azeem ahmad wrote:
> > > hi list
> > > i have a windows 2000 active directory domain environment. and now i got
> > > a few fedora core 4 workstations. i want them to authenticate user logins
> > > from Windows active directory
> > >
> > > what i think is one possible way of doing this is to configure Samba with
> > > Winbind. am i right???
> >
> >Yes, this is one possible solution.
> >
> >1. Verify in your /etc/hosts if there is localhost configuration for IPv4.
> >I've found that in several of my FC6 installations, there was only IPv6
> >localhost information here, although I had disabled IPv6 during
> >installation. If IPv4 localhost information is not present in /etc/hosts,
> >you won't be able to authenticate against AD.
> >
> >2. Set up the ntpd service so that it keeps the time of your workstation
> >synchronized with some domain controller of your AD domain. If time is not
> >synchronized, you won't be able to authenticate against AD. Check this first
> >if authentication fails after you finish the procedures listed here. The
> >winbind service has to be (re)started after the time is synchronized.
> >
> >3. Run system-config-authentication and:
> >
> >3.1. Check winbind, kerberos (optional, but recommended) and smb in the
> >first two tabs.
> >
> >3.2. In winbind configuration, fill in the following:
> >Winbind domain: the NetBIOS name of your AD domain (the short name), in
> >capital letters.
> >Security model: ads
> >Winbind ADS Realm: the fully qualified domain name of your AD domain (in
> >capital letters)
> >Domain Controllers: the addresses or names (if your workstation can
> >resolve them) of your nearest domain controllers, in a comma separated
> >list.
> >Template Shell: /usr/bin/bash
> >
> >3.3. In Kerberos configuration, fill in the following:
> >Realm: the fully qualified domain
> >KDCs: the addresses or names (if your workstation can resolve them) of
> >your nearest domain controllers, in a comma separated list.
> >Admin servers: leave blank or fill in the same as in KDCs, above.
> >
> >3.4. Check the checkbox "Use DNS to find the hosts for the realms".
> >The other checkbox should be checked if you have your DCs all in the same
> >site, or unchecked otherwise. Whatever you choose to do with this
> >checkbox, it will not break your configuration, but it may slow down the
> >authentication process.
> >
> >3.5. In the Options tab, check "Use shadow passwords", "Use MD5
> >passwords" and "Local authorization is sufficient for local users".
> >
> >4. If you want home directories to be created automatically for AD users
> >when they log in (recommended), edit /etc/pam.d/system-auth-ac and add the
> >following line at the end of the file:
> >session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=007
> >
> >5. Edit /etc/krb5.conf and add / update the following:
> >[libdefaults]
> >clockskew = 300
> >default_realm = YOURDOMAIN.COM
> >
> >[domain_realm]
> >.yourdomain.com = YOURDOMAIN.COM
> >yourdomain.com = YOURDOMAIN.COM
> >
> >6. Edit /etc/samba/smb.conf and add / update the following:
> >[global]
> >wins server = the IP addresses of your WINS servers (if you have them) in
> >a blank space separated list. If you don't use WINS, comment out this line.
> >winbind enum users = yes
> >winbind enum groups = yes
> >template homedir = /home/%U
> >winbind use default domain = yes
> >
> >7. Set up the smb and winbind daemons so that they start automatically when
> >the machine is booted:
> >chkconfig --level 35 winbind on
> >chkconfig --level 35 smb on
> >
> >8. Reboot the system
> >
> >9. Join the AD domain. You'll need an AD account with enough rights to do
> >that. Run the following command:
> >net ads join -U <username>
> >The account you use in the above command must have permission to create
> >computer objects in the Computers container of your AD domain. If it does
> >not, create the computer object beforehand in the desired OU using AD
> >Users and Computers.
> >
> >That's all.
> >
> >[]'s
> >Marcelo
>
> thanx Mr. Marcelo
> i have done it and it's working now. but one problem yet exists, and that is
> i am unable to automatically create users' home directories. it is because
> i am unable to find any such file as you mentioned
> "/etc/pam.d/system-auth-ac"
>
> can you guide me a bit more

Should be there... What files do you have in /etc/pam.d?

[]'s
Marcelo
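The following script is an added example and is not part of the thread or of any Fedora or Samba tooling. It renders the krb5.conf and smb.conf fragments from steps 5 and 6 (plus the winbind settings system-config-authentication writes from step 3.2) for one domain, and scripts the two prerequisites from steps 1 and 2 that most often break AD logins: a missing IPv4 localhost entry and clock skew beyond the 300 s Kerberos tolerance. EXAMPLE / EXAMPLE.COM and the dc1/dc2 names are placeholders, the sample hosts lines are constructed, and using /bin/bash as the template shell is my assumption (the thread writes /usr/bin/bash; use whichever path actually exists on your workstation).

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholder domain names.

# Step 5: [libdefaults] and [domain_realm] for the given DNS domain.
# $1 = DNS domain in any case; the Kerberos realm is its upper-cased form.
render_krb5() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
 clockskew = 300
 default_realm = $realm

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# Step 6 together with the step 3.2 values: $1 = NetBIOS short name,
# $2 = realm, $3 = comma-separated domain controller list.
# No "wins server" line, matching the no-WINS case in the thread.
render_smb() {
    cat <<EOF
[global]
 workgroup = $1
 realm = $2
 security = ads
 password server = $3
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 template homedir = /home/%U
 template shell = /bin/bash
EOF
}

# Step 1: an IPv6-only "::1 ... localhost" line is not enough; there must be
# a 127.0.0.1 line that names the bare "localhost". $1 = path to a hosts file.
has_ipv4_localhost() {
    grep -Eq '^[[:space:]]*127\.0\.0\.1([[:space:]]+[^[:space:]]+)*[[:space:]]+localhost([[:space:]]|$)' "$1"
}

# Step 2: Kerberos rejects requests whose timestamp is outside clockskew
# (300 s, as set above). $1 = DC time, $2 = local time, both as epoch seconds
# (for example from `ntpdate -q dc1.example.com` and `date +%s`).
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - $diff ))
    [ "$diff" -le 300 ]
}

# Stand-alone demo: print both fragments for the placeholder domain.
render_krb5 example.com
render_smb EXAMPLE EXAMPLE.COM dc1.example.com,dc2.example.com
```

Run `has_ipv4_localhost /etc/hosts` and the skew check before `net ads join`; if either fails, fix it and restart winbind, exactly the order the thread describes. Two details worth keeping in mind when you apply the output: pam_mkhomedir takes its options in `key=value` form (`skel=/etc/skel umask=007`), and if /etc/pam.d/system-auth-ac does not exist on your release (it is generated by newer authconfig versions), the session line belongs in /etc/pam.d/system-auth instead.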