This page will show you how to join your Linux server into the Active Directory domain, how to integrate the Active Directory user accounts into the Linux user accounts and how to authenticate users in Active Directory using Winbind, a component of Samba.
A better way to integrate Active Directory into your Linux mail server is by using Postfix’s Virtual User Accounts.
Samba is installed by default when you select the Server installation type during the installation process. In case you need to install or reinstall it, just add the Windows File Server package located in the Servers category using the Package Manager tool.
Setup and Configure Winbind
1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.
2. Check the Enable Winbind Support and click Configure Winbind. This will launch the Winbind Settings window.
If you would like to allow your Active Directory users to login to your Linux system, change Template Shell to /bin/bash.
To ensure the success of the Active Directory integration, make sure that your Active Directory DNS is working, you are using the Active Directory DNS, you can ping the domain controllers and that the difference between the domain controllers’ clock and the mail server’s clock is not more than five minutes.
4. Click Join Winbind Domain. You will be asked to save your changes, click Save. In the Joining Winbind Domain window, fill in the Domain Administrator and Password. Click Ok when you are done. Click Ok again to close the Winbind Settings window.
5. Click the Authentication tab and check the Enable Winbind Support.
6. Click the Options tab and check the Local authorization is sufficient for local users. Click Ok when you are done.
7. Open the file /etc/samba/smb.conf for editing and change the key values below.winbind use default domain = yes winbind enum users = yes winbind enum groups = yes obey pam restrictions = yes allow trusted domains = no idmap backend = idmap_rid:acme=16777216-33554431
The last line activates algorithmic mapping of the Windows IDs to Unix IDs. This enables you to use Samba across several Linux machines or recreate a corrupted mapping database since the mapping is consistent.
8. Create the folder that will contain the home directory of the Active Directory users. From the terminal window, type in the commands below.mkdir /home/DOMAIN
9. Edit the file /etc/pam.d/system-auth and add the line below.session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
10. Restart the winbind service and start the oddjobd service. Learn how to start and restart services here.Test the Active Directory Integration
1. From a terminal window, type in wbinfo -u. You should see the Active Directory user accounts.
2. Try the Active Directory authentication, type in wbinfo -a "username"%"password".
3. Finally, type in getent passwd. You should see the Linux system accounts along with the Active Directory user accounts.If it doesn’t work, visit the Active Directory Troubleshooting page.
Related Pages
Active Directory Single Sign On. Use Identity Management for Unix to control access on a per user account basis.***
Posted on 4/25/2007 and last updated on 12/7/2008
Filed under Active Directory , CentOS 5 , Red Hat Enterprise Linux 5 , Samba
February 15th, 2008 at 10:54 am
In a world of dodgy tutorials, especially dodgy linux tutorials,this was brilliant.
Thank you very much
April 28th, 2008 at 10:40 pm
Hi,
May I know the version of samba that was used with this setup? I’m using the latest upgrade from CentOS repos and it doesn’t work. I’m theorizing that it’s a samba version problem since I’ve seen in other forums that some versions work, others just don’t specially the one that came with CentOS 5.1
April 29th, 2008 at 12:37 am
I got this working in CentOS 5.1
wbinfo -V tells me its version is 3.0.25b-0.el5.4
April 29th, 2008 at 11:01 am
Thanks. We have the same version. It worked! I don’t know, maybe may previous setup was just so messed up I guess.
May 5th, 2008 at 10:52 pm
Hi,
In my setup, this line:
winbind use default domain = yes
winbind enum users = yes
obey pam restrictions = yes
should be:
winbind use default domain = true
winbind enum users = true
obey pam restrictions = true
Does this matter in a big way?
May 5th, 2008 at 11:32 pm
No, they are both the same. According to man smb.conf
The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved in string values. Some items such as create modes are numeric.
August 8th, 2008 at 11:34 am
Hi….It worked as in we can login using the domain accnt but there are no policies being implemented by AD…Is there a way to give root rights to the domain accnt???
thanks
August 8th, 2008 at 2:24 pm
Sorry, that’s not possible. Check out Centrify DirectControl at http://www.centrify.com/directcontrol/grouppolicy.asp it might help.
September 15th, 2008 at 9:38 pm
I was able to go through all your steps but I am not able to do anything with the centos box.
I can verify, its integrated with active directory, I can verify that the passwd file was populated with all the accounts but I am not able to do log in with my active directory id.
tail end of /var/log/secure
Sep 15 16:32:11 aries gdm[5342]: pam_succeed_if(gdm:auth): error retrieving information about user amendez
Sep 15 16:32:20 aries gdm[5342]: pam_unix(gdm:auth): check pass; user unknown
Sep 15 16:32:20 aries gdm[5342]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
September 23rd, 2008 at 1:37 pm
Hi Alex,
If you would like to allow your Active Directory users to login to your Linux system, set Template Shell to /bin/bash. Please read my guide again, I’ve updated the home directory creation section to make it more secure.
November 7th, 2008 at 8:44 pm
Would it be possible to only allow certain users to login? kind of editing some passwd file to set /bin/bash to certain users and /sbin/nologin to the rest and give sudo permissions to those allowed to access?
November 29th, 2008 at 8:55 am
Hi Nathan,
Please see my new Active Directory Single Sign On article.
December 4th, 2008 at 10:19 pm
An absolutely brilliant tutorial! This worked first time and was a welcome relief after hours and hours of hair pulling previously.
Many thanks
January 14th, 2009 at 11:44 am
centos 5.2
We couldn’t join the winbind domain until we edited the /etc/hosts file and added the following line at the begining:
127.0.0.1 localhost COMPUTERNAME COMPUTERNAME.acme.local
NB: Replace COMPUTERNAME with the name of your linux box. Replace acme.local with the name of your fully qualified AD Domain.
February 10th, 2009 at 9:54 am
Thank you
what i do to a my visitor can use my mail service
or This server only for a website user and administrator?
i want answer in small time!
please help me!
February 10th, 2009 at 12:24 pm
Hi mr.jake,
To provide a mail service, you can follow my RHEL 5/CentOS 5 Email Server guide
February 10th, 2009 at 3:33 pm
Thank you 4 help me
March 31st, 2009 at 3:17 am
Thanks. Perfect!!!!
Not complaining, but putting this here for others with similar trouble.
Be sure to set oddjobd to run with ‘chkconfig oddjobd on’.
I had to change the system-auth configuration to use pam_mkhomedir.o, the pam_oddjob_mkhomedir.o was ignoring the umask=0077 and it was complaing during login ‘com.redhat.oddjob.Error.ACL: ACL does not allow access’.
Thanks a bunch!
April 2nd, 2009 at 8:14 pm
Great guide!!
I would add that a quick and dirty way to restrict user logins once this guide is implemented (I believe Nathan was asking this), is to use the listfile module in pam.
You can have a simple text file of allowed AD and local groups that all logins are restricted to.
http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html
April 23rd, 2009 at 2:39 pm
Thanks mann this work is great
I set up the winbind and it works good with authentication. But I need to control the user access and all to give users specific privileges. Do you know how to configure winbind to allow users give specific access control to other folders and all.
Thank you
April 23rd, 2009 at 9:23 pm
Hi Nishan,
That it is not possible in Samba because it uses a template based security model. If you need finer security control, check out Active Directory Single Sign On
April 28th, 2009 at 4:59 pm
Thank you very much. Ill look in to it.
April 29th, 2009 at 6:22 am
Now that MS released Unix Services 3.5, there’s really no need to do much of this stuff. It provides an NIS server and NFS, so syncing w/ AD is not necessary and so is samba.
April 29th, 2009 at 6:23 am
Btw, Services for Unix 3.5 is FREE.
April 29th, 2009 at 12:15 pm
Hi Clinton,
That’s right. But Samba is still useful if you’re security requirements are simple or you like a Linux based file server to save on MS license cost.
May 8th, 2009 at 8:20 pm
I followed everything, had to improvise here and there to get it working, but the only thing that did not work was the ‘getent passwd’ it did not populate my AD accounts in the list with my linux accounts. Somethings wrong.
May 11th, 2009 at 5:52 pm
Greg, I also have the same problem. Did you or anyone else come across this?
May 14th, 2009 at 10:29 pm
i followed this entire guide exactly and now my rhel 5 server won’t let me login as root. it says “Authentication failed”. i’m pretty sure i messed up somewhere, but not too sure where; i did notice that my smb.conf file looks a little different than the picture.
May 20th, 2009 at 9:15 am
[...] -u To join it to the domain I used this excellent step by step guide for novices like myself Active Directory Integration with Samba for RHEL/CentOS 5 | Linux Mail Server Setup and Howto Guide Any ideas or should I just give up and try and install it on [...]
May 20th, 2009 at 6:59 pm
I figured out my problem. i made all the changes, but winbind was not able to function correctly because SELinux was preventing it from accessing certain files. i set SELinux to permissive and it worked like a charm.
May 28th, 2009 at 3:46 pm
I’m using CentOS 5.3
Is there a way to authenticate users against AD without joining the server to the AD domain?
I basically just want to use AD for authentication while still managing the user within Linux.
May 28th, 2009 at 9:00 pm
I haven’t seen anyway to authenticate without actually joining. Maybe a direct ldap or kerberos lookup rather than using the winbind daemon?
some interesting solutions might be to:
1. modify your /etc/group file to add domain users to wheel group, then enable wheel group in /etc/sudoers
2. setup a full samba server and import (or authenticate against) ldap users from AD
3. check this paid option out (i discovered this yesterday) http://www.likewise.com
June 8th, 2009 at 2:02 pm
Hi Joe,
You can use direct LDAP lookup in Active Directory using the Microsoft provided Identity Management for Unix