winbind
(2016-09-14)
Configuring Winbind On A Fresh CentOS 6 Installation
With this configuration, AD users in KLONDIKE can log into Linux hosts with their AD credentials and get the same UID and GID values on every Linux host configured this way.
In this example:
- my domain is called KLONDIKE, with a DNS name of klondike.xdroop.local
- the AD server is called ad-01.klondike.xdroop.local
- my home directories are nfs exported from syscon, on /export/home
- the AD account used to join computers to the domain is dave, with password davesPassword
- I have an AD group called "wheel", which is why I strip the default "wheel" group out of the local group file.
Adjust accordingly.
#!/bin/bash
# Install autofs and NFS for the home directories, the Kerberos libraries, Samba and winbind.
yum -y install autofs nfs-utils krb5-libs samba samba-winbind
# Let authconfig wire winbind into PAM and nsswitch and write the initial smb.conf.
authconfig \
--update \
--kickstart \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=KLONDIKE \
--smbrealm=klondike.xdroop.local \
--smbservers="ad-01" \
--winbindtemplatehomedir=/net/syscon/export/home/%U \
--winbindtemplateshell=/bin/bash \
--enablewinbindusedefaultdomain \
--enablelocauthorize
# Replace smb.conf. The KLONDIKE domain uses the rid idmap backend, so every host
# computes the same UID/GID from an account's RID; the "*" range is only for
# BUILTIN and foreign SIDs and must not overlap the domain range.
cat > /etc/samba/smb.conf <<END
[global]
#--authconfig--start-line--
# Generated by authconfig on 2016/06/04 16:28:54
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = KLONDIKE
password server = ad-01.klondike.xdroop.local
realm = KLONDIKE.XDROOP.LOCAL
security = ads
idmap config * : range = 2000-9999
template homedir = /net/syscon/export/home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--
idmap config KLONDIKE:backend = rid
idmap config KLONDIKE:range = 10000-99999
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
load printers = no
cups options = raw
END
# Join the domain. The password given this way is visible in the process list and
# shell history; "-U dave" alone makes net prompt for it instead.
net rpc join -S ad-01 -Udave%davesPassword
# Restart cleanly so winbind picks up the new idmap configuration.
service smb stop
service winbind stop
net cache flush
for i in rpcbind nfs autofs smb winbind ; do
chkconfig $i on
service $i start
done
# Drop the local "wheel" group so the AD group of the same name is the one nsswitch returns.
cd /etc
cp group group.org
grep -v wheel group.org > group
echo done!
Now I can log in as any user that (a) exists in the domain and (b) has a home directory created on syscon.
[dave@syscon ~]$ id
uid=11109(dave) gid=10513(domain users) groups=10513(domain users),2000(BUILTIN\administrators),2001(BUILTIN\users),10512(domain admins),10572(denied rodc password replication group),11111(esx admins),11113(wheel),11115(rwheel)
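The UID and GID values in that output are not allocated; the rid backend computes them as range-low plus the account's RID, which is why every host configured this way agrees on them. The following is an added example, not part of the original page or of Samba: it parses the idmap lines from the smb.conf above, reproduces the rid mapping for the well-known RIDs in the output (512, 513, 572) and checks that the "*" range does not overlap the domain range. The domain SID is constructed, and dave's RID of 1109 is inferred from his uid.

```python
# Added example (not from the original page): how winbind's "rid" idmap backend
# turns a domain SID into a fixed uid/gid, plus a check that the idmap ranges in
# smb.conf do not overlap. The domain SID below is constructed.
import re

# Constructed sample SID for KLONDIKE; dave's RID (1109) is inferred from the
# uid 11109 shown in the page's `id` output with the 10000-99999 range.
KLONDIKE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SMB_CONF = """\
idmap config * : range = 2000-9999
idmap config KLONDIKE:backend = rid
idmap config KLONDIKE:range = 10000-99999
"""

def parse_idmap(conf):
    """Return {domain: {"backend": ..., "range": (lo, hi)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = re.match(r"\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        dom, key, val = m.groups()
        d = cfg.setdefault(dom.upper(), {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            d["range"] = (lo, hi)
        else:
            d[key] = val
    return cfg

def rid_to_id(cfg, domain, sid):
    """Deterministic rid-backend mapping: id = range_low + RID.
    Returns None when the result falls outside the configured range, in which
    case winbind leaves the SID unmapped (no uid/gid on any host)."""
    dom = cfg[domain.upper()]
    if dom.get("backend") != "rid":
        raise ValueError("%s does not use the rid backend" % domain)
    lo, hi = dom["range"]
    rid = int(sid.rsplit("-", 1)[1])
    uid = lo + rid
    return uid if lo <= uid <= hi else None

def ranges_overlap(cfg):
    """The allocating '*' range must not overlap any domain range, otherwise
    a BUILTIN or foreign SID can be handed an id that collides with a rid id."""
    rs = sorted(d["range"] for d in cfg.values() if "range" in d)
    return any(rs[i][1] >= rs[i + 1][0] for i in range(len(rs) - 1))
```

The BUILTIN\administrators (2000) and BUILTIN\users (2001) ids in the output come from the "*" range and are allocated on first use, so only the KLONDIKE ids are guaranteed identical across hosts.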