After a couple of days spent figuring out what was missing in terms of packages and configuration, I finally got my test workstation talking to the Active Directory at the site where I work. It was a bit tricky because a few settings have changed in the newer version of Samba and are quite different from the settings I use on RHEL 5/6.
First, this assumes that SELinux is off and that all updates are applied. Beyond that, this is a basic Desktop install of Fedora 16.
Some extra packages that aren't installed by default are needed; install them with the following command:
yum -y install samba-winbind samba samba-winbind-krb5-locator
Next, as root, run the authentication configuration tool (system-config-authentication, the same tool referred to later in this post) and set the following:
Change User Account Database to "Winbind"
Winbind Domain = your Active Directory domain short (NetBIOS) name, example: MYDOMAIN
Security Model = ads
Winbind ADS Realm = your Active Directory domain long (DNS) name, in upper case, example: DS.MYDOMAIN.COM
Winbind Domain Controllers = your Active Directory domain controllers separated by commas, example: dc1.mydomain.com,dc2.mydomain.com
Template Shell: the default shell you want for all domain users; I chose /bin/bash
On the Advanced Options tab, you may want to check "Create home directories on the first login"
Then click Join Domain, then Save, and enter an AD user that has permission to join computers to the domain, along with that user's password. Click OK. Back in the terminal, you should see a message like Joined 'YOURWORKSTATION' to realm 'ds.mydomain.com'. You may also see some DNS update failed messages after that; they only mean the workstation could not register its own A record via dynamic DNS, which does not affect logins (add the record by hand if the box needs to be resolvable by name).
To test whether the join worked, do the following:
service winbind restart
wbinfo -u
If wbinfo returns nothing, the join wasn't fully successful. Check /var/log/messages and the logs under /var/log/samba to see whether SELinux blocked you or something else went wrong (wbinfo -t, which tests the machine account's trust with the domain controller, narrows it down to the join itself versus user enumeration). If wbinfo -u returns a list of users, you are in good shape so far. You can also test an individual user by typing id 'MYDOMAIN\myuser' (quote it so the shell does not swallow the backslash). You should even be able to log in as domain users via SSH, but we are not quite there yet for logging into GNOME with a domain user.
I found a missing setting (which might be a bug) that keeps GNOME logins from working when the setup was done with the system-config-authentication tool. Use the following command as root to add the missing line to the correct file. *Back the file up by making a copy first, in case something goes wrong.* Note that on Fedora /etc/pam.d/password-auth is a symlink to password-auth-ac, which authconfig and system-config-authentication regenerate, so rerunning the tool will drop the line again; check it is still there after any later change.
echo "session required pam_winbind.so" >> /etc/pam.d/password-auth
After this, you should be able to log in at the main screen by choosing "Not Listed" and entering YOURDOMAIN\login as the username and your domain password. If you checked the auto-create home directory option earlier, that all happens automatically. If for some reason it still doesn't work, try a reboot: during one test while writing this I had to, during another it worked right away.
*THIS APPEARS TO HAVE BEEN FIXED IN AN UPDATE*
After this, I noticed I was not getting my full list of group memberships. I found a setting in /etc/nsswitch.conf that I could not find in the man page, and it fixed the problem. It took forever to troubleshoot. There is a new database line called initgroups that defaults to just files; glibc uses it for the supplementary-group lookup that login and id perform, and when the line is present it is consulted instead of the group line, so the winbind entry on the group line is never reached. I changed it to the following:
initgroups: files winbind
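The two settings above are easy to lose (the PAM file gets regenerated, and the nsswitch line is easy to overlook), so here is a small checker for them. It is an added example, not code from the original post: it parses PAM and nsswitch.conf syntax the way glibc and PAM read them (comments, bracketed control fields, the initgroups-to-group fallback) and reports what is missing. The sample file contents are constructed; check_files() runs the same checks against the real files.

```python
"""Check the two settings this post needed on Fedora 16 for GNOME logins and
complete group lists: a session line loading pam_winbind.so in
/etc/pam.d/password-auth, and 'winbind' among the initgroups sources in
/etc/nsswitch.conf.

Added example, not code from the original post. The file contents below are
constructed samples; check_files() runs the same checks on the real files."""
from typing import Dict, List


def pam_has_winbind_session(pam_text: str) -> bool:
    """True if an active 'session' entry loads pam_winbind.so.

    PAM lines are 'type control module [args]'. The control field may be a
    bracketed list such as [success=1 default=ignore] that splits into
    several tokens, so the module is found by name, not by column. A leading
    '-' on the type means 'ignore if the module is missing' and is allowed.
    """
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0].lstrip("-").lower() != "session":
            continue
        if any(f.endswith("pam_winbind.so") for f in fields[1:]):
            return True
    return False


def nss_databases(nsswitch_text: str) -> Dict[str, List[str]]:
    """Map each nsswitch database to its sources, dropping [action] specs."""
    dbs: Dict[str, List[str]] = {}
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, sep, sources = line.partition(":")
        if sep:
            dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def initgroups_sources(nsswitch_text: str) -> List[str]:
    """Sources glibc consults for supplementary groups at login.

    An explicit 'initgroups:' line wins; only when it is absent does glibc
    fall back to the 'group:' line. Fedora 16 shipped 'initgroups: files',
    which is why 'group: files winbind' alone still lost the AD groups.
    """
    dbs = nss_databases(nsswitch_text)
    return dbs["initgroups"] if "initgroups" in dbs else dbs.get("group", [])


def check(pam_text: str, nsswitch_text: str) -> List[str]:
    """Return the problems found (an empty list means both settings are in place)."""
    problems = []
    if not pam_has_winbind_session(pam_text):
        problems.append("password-auth: no 'session ... pam_winbind.so' line; "
                        "GNOME logins fail even though SSH works")
    if "winbind" not in initgroups_sources(nsswitch_text):
        problems.append("nsswitch.conf: initgroups does not include winbind; "
                        "'id user' will miss AD group memberships")
    return problems


def check_files(pam_path: str = "/etc/pam.d/password-auth",
                nss_path: str = "/etc/nsswitch.conf") -> List[str]:
    """Run check() against the live files (read access needed)."""
    with open(pam_path) as p, open(nss_path) as n:
        return check(p.read(), n.read())


# Constructed samples shaped like the Fedora 16 files, trimmed to the relevant lines.
PAM_BEFORE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
session     required      pam_unix.so
"""
PAM_AFTER = PAM_BEFORE + "session     required      pam_winbind.so\n"
NSS_BEFORE = "passwd:     files winbind\ngroup:      files winbind\ninitgroups: files\n"
NSS_AFTER = "passwd:     files winbind\ngroup:      files winbind\ninitgroups: files winbind\n"

if __name__ == "__main__":
    for msg in check(PAM_BEFORE, NSS_BEFORE):
        print("before:", msg)
    print("after:", check(PAM_AFTER, NSS_AFTER) or "OK")
```

Run it as root after any authconfig or system-config-authentication run; an empty result from check_files() means both lines survived the regeneration.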
Extra Settings for different options:
I figured I would add some other useful things I generally do to my configuration to make things work better.
Derive UID/GID numbers from AD SIDs instead of the local database
By default, Samba/Winbind authentication is set up to generate its own database of UID/GID numbers for users and groups, so the numbers depend on the order in which each workstation first saw each account. If you are setting up a group of computers that mount a shared filesystem and need every user and group to have the same UID/GID on each workstation, you can switch to the rid backend, which computes each number from the account's RID (the last field of its SID in AD) and therefore gives the same answer on every machine. (If you instead want the uidNumber/gidNumber attributes stored in AD itself to be used, that is the ad backend, not rid.) The change goes in the /etc/samba/smb.conf file.
Below are the settings configured by system-config-authentication:
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
Here is what I replace them with so that UID/GID numbers are derived from AD SIDs:
idmap config * : backend = rid
idmap config * : range = 2000-50000000
The range has to be large enough that the range start plus the RID fits for every account (RIDs in a long-lived domain run well past 1000); an account whose RID falls outside the range simply does not map and shows up as no such user.
After applying that configuration change, clear winbind's local cache databases so stale mappings are not reused:
service winbind stop && rm -f /var/lib/samba/*.tdb && service winbind start
Before running this, check that secrets.tdb (which holds the machine account password from the join) is not matched by that glob: on Fedora it lives in /var/lib/samba/private/, and smbd -b shows the PRIVATE_DIR path for your build. Any files already created under the old UIDs/GIDs will need to be chowned to the new ones.
Remove domain name from username/login and change home directory location
To keep your login names from being something like MYDOMAIN\mylogin or mylogin@MYDOMAIN and instead have them be just mylogin, change the following setting in the /etc/samba/smb.conf file. It defaults to false; set it to true. Once it is on, a local account and a domain account with the same name collide, and the local one wins because files comes before winbind in /etc/nsswitch.conf.
winbind use default domain = true
Another helpful setting is the one below, which changes the default location where home directories are created. By default they are created as /home/DOMAIN/username (template homedir = /home/%D/%U); this is best added to /etc/samba/smb.conf just above the template shell line.
template homedir = /home/%U
Hi, I can ping the domain machine, but when I click on JOIN DOMAIN, the message in the terminal is that the logon failed for the user or the password is incorrect, but it's right; I have tried a thousand times. Could you please help me?
What are you seeing in your log files? Do you have permission to add computers to your domain with that login?
I think you have a typo there, in the section 'Remove domain name from username/login and change home directory location', in the command given. In my case (Fuduntu) the correct command is: winbindd use default domain = true (run as root)
Thanks a lot, got my company’s Active Directory working on my Fuduntu 12.04 box 🙂
How do I configure sssd with this?
Holy hell, man. I’ve read so many different guides from likewise-open to realm to Centrify to PBIS trying to get my Fedora Core 22 box working with AD logins, and this was the guide that finally worked for me. Bookmarked, shared, and appended to my religious text of choice.