Launch the terminal window and type in the highlighted items below.

Test the Kerberos authentication

Kerberos is an authentication mechanism used by Active Directory to verify user or host identity. We will use kinit, an executable used to obtain Kerberos access granting ticket, to test the Kerberos authentication mechanism.

[root@mail ~]# kinit bugsbunny

Change bugsbunny to any Active Directory user account.

If it replies

• Cannot resolve network address for KDC in requested realm while getting initial credentials
  

  DNS problem, check the DNS or use ip addresses in the Domain Controllers field of the Winbind Settings.

• Cannot find KDC for requested realm while getting initial credentials
  

  Check the spelling of your Active Directory realm and check the spelling in Winbind Settings. Capitalization is important.

• Client not found in Kerberos database while getting initial credentials
  

  Check the user name you used if it exists in Active Directory.

• Cannot contact any KDC for requested realm while getting initial credentials
  

  Check if the domain controller you specified in Winbind Settings is indeed working is not firewalled.

See Winbind Setting for RHEL/CentOS 5
See Winbind Setting for RHEL/CentOS 4

Password for bugsbunny@ACME.LOCAL: type in the password here

If it replies

• Preauthentication failed while getting initial credentials
  

  It means the password is wrong.

• Password has expired while getting initial credentials
  

  The password is no longer valid and needs to be changed.

• Clock skew too great while getting initial credentials
  

  Synchronize your clocks using NTP. For a quick and temporary fix, use net time set to synchronize time with the domain controller.

  To permanently fix the problem, both the Active Directory server and the Linux server should synchronize their time with an NTP server. See how to synchronize system clock in Linux. For Windows, use the command

  net time /setsntp:"0.pool.ntp.org 1.pool.ntp.org"
  

  Replace “0.pool.ntp.org …” with your preferred NTP server.

• KDC reply did not match expectations while getting initial credentials
  

  Make sure the realm is correct and capitalized in /etc/krb5.conf. If the realm is ACME.LOCAL, this error will appear if ACME, acme, acme.local is used as the realm.

Join the Active Directory Domain

[root@mail ~]# net ads join -U administrator

Replace administrator with any user name having Domain Admin rights. Specify your password when asked. You should be able to join the Active Directory domain now.

Restart winbind

After successfully joining, you need to restart winbind using the command below.

[root@mail ~]# service winbind restart

A better way to integrate Active Directory into your Linux mail server is by using Postfix’s Virtual User Accounts.

Samba is installed by default when you select the Server installation type during the installation process. In case you need to install or reinstall it, just add the Windows File Server package located in the Servers category using the Package Manager tool.

Setup and Configure Winbind

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Check the Enable Winbind Support and click Configure Winbind. This will launch the Winbind Settings window.

3. In the Winbind Settings window, set the Security Model to ads and fill in the Winbind Domain, Winbind ADS Realm and Winbind Domain Controllers. See sample settings below.

 

Winbind Domain

acme

Winbind ADS Realm

acme.local

Domain Controllers

server1.acme.local,server2.acme.local

If you would like to allow your Active Directory users to login to your Linux system, change Template Shell to /bin/bash.

To ensure the success of the Active Directory integration, make sure that your Active Directory DNS is working, you are using the Active Directory DNS, you can ping the domain controllers and that the difference between the domain controllers’ clock and the mail server’s clock is not more than five minutes.

4. Click Join Winbind Domain. You will be asked to save your changes, click Save. In the Joining Winbind Domain window, fill in the Domain Administrator and Password. Click Ok when you are done. Click Ok again to close the Winbind Settings window.

5. Click the Authentication tab and check the Enable Winbind Support.

6. Click the Options tab and check the Local authorization is sufficient for local users. Click Ok when you are done.

7. Open the file /etc/samba/smb.conf for editing and change the key values below.

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = yes
allow trusted domains = no
idmap backend = idmap_rid:acme=16777216-33554431

For the last line, replace acme with the value of workgroup and ensure that the range matches your idmap uid range.

The last line activates algorithmic mapping of the Windows IDs to Unix IDs. This enables you to use Samba across several Linux machines or recreate a corrupted mapping database since the mapping is consistent.

8. Create the folder that will contain the home directory of the Active Directory users. From the terminal window, type in the commands below.

mkdir /home/DOMAIN

Replace DOMAIN with your domain. Make sure to capitalize your domain like ACME in our example.

9. Edit the file /etc/pam.d/system-auth and add the line below.

session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022

10. Restart the winbind service and start the oddjobd service. Learn how to start and restart services here.

Test the Active Directory Integration

1. From a terminal window, type in wbinfo -u. You should see the Active Directory user accounts.

2. Try the Active Directory authentication, type in wbinfo -a "username"%"password".

3. Finally, type in getent passwd. You should see the Linux system accounts along with the Active Directory user accounts.

If it doesn’t work, visit the Active Directory Troubleshooting page.

Related Pages

Active Directory Single Sign On. Use Identity Management for Unix to control access on a per user account basis.

Samba is installed by default when you select the Server installation type during the installation process. In case you need to install or reinstall it, just select the Windows File Server package in the Package Management tool.

Setup and Configure Winbind

1. Click Applications, select System Settings and click Authentication. This will launch the Authentication Configuration window.

2. Check the Enable Winbind Support and click Configure Winbind. This will launch the Winbind Settings window.

3. In the Winbind Settings window, set the Security Model to ads and fill in the Winbind Domain, Winbind ADS Realm and Winbind Domain Controllers. See sample settings below.

 

Winbind Domain

acme

Winbind ADS Realm

acme.local

Domain Controllers

server1.acme.local,server2.acme.local

To ensure the success of the Active Directory integration, make sure that you can ping the domain controllers and that the difference between the domain controllers’ clock and the mail server’s clock is not more than five minutes.

4. Click Join Winbind Domain. You will be asked to save your changes, click Save. In the Joining Winbind Domain window, fill in the Domain Administrator and Password. Click Ok when you are done. Click Ok again to close the Winbind Settings window.

5. Click the Authentication tab and check the Enable Winbind Support and Local authorization is sufficient for local users. Click Ok when you are done.

6. Open the file /etc/samba/smb.conf for editing and change winbind use default domain to yes.

winbind use default domain = yes

7. Create the folder that will contain the home directory of the Active Directory users. From the terminal window, type in the commands below.

mkdir /home/DOMAIN
chmod 777 /home/DOMAIN

Replace DOMAIN with your domain. Make sure to capitalize your domain like ACME in our example.

We changed the directory permission to 777, meaning anyone can read, write and execute because the users’ home directory will be created later by Postfix or Dovecot when a mail is received or a user checks his email. The created home directory on the other hand will have its permission set to read, write and execute by the owner only.

8. Restart the winbind service. Learn how to restart services here.

Test the Active Directory Integration

1. From a terminal window, type in wbinfo -u. You should see the Active Directory user accounts.

2. Try the Active Directory authentication, type in wbinfo -a "username"%"password".

3. Finally, type in getent passwd. You should see the Linux system accounts along with the Active Directory user accounts.

If it doesn’t work, visit the Active Directory Troubleshooting page.

Reconfiguring Postfix and Dovecot to Create the Home Directory

To store the mails, Postfix and Dovecot needs to create the username/Maildir directory. Postfix can create the Maildir directory and all the necessary parent directories. Unfortunately, Dovecot can only create the mail directory which in this case is Maildir and will fail if the parent directory username does not exist. Thus, we need to reconfigure Postfix and Dovecot to skip the Maildir directory and store the mails directly into the username directory which is the user’s home directory.

1. Edit the file /etc/postfix/main.cf and change the line below.

home_mailbox = /

2. Edit the file /etc/dovecot.conf and change the line below.

default_mail_env = maildir:~/

3. Restart Postfix or MailScanner (depends if you installed MailScanner) and Dovecot. Learn how to restart services here.

That’s it. The home directory should be now automatically created by Postfix and Dovecot whenever you receive or retrieve mails.