
winbind

(2016-09-14)

Configuring Winbind On A Fresh CentOS 6 Installation

With this example, AD users in KLONDIKE can log into linux hosts with their AD credentials and will get the same UID and GID values on any linux host so configured.

In this example:

  • my domain is called KLONDIKE, with a DNS name of klondike.xdroop.local
  • the AD server is called ad01.klondike.xdroop.local
  • my home directories are nfs exported from syscon, on /export/home
  • the AD account used to join computers to the domain is dave, with password davesPassword
  • I have an AD group called "wheel" which is why I strip out the default "wheel" group from the local group file.

Adjust accordingly.

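#!/bin/bash
#
# Configure a fresh CentOS 6 host as a winbind client of an AD domain:
# install the packages, run authconfig, write smb.conf with a rid idmap
# backend (which is what gives every joined host the same UID/GID for a given
# AD account), join the domain, enable the services, and drop the local
# "wheel" group so the AD group of that name is the one that resolves.
#
# Must be run as root. Site-specific values are collected below; adjust them
# for your domain. The join password is read from JOIN_PASSWORD in the
# environment when that is set, so it does not have to live in this file;
# the fallback is the tutorial's example value.

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

(( EUID == 0 )) || die "this script must be run as root"

workgroup=KLONDIKE
realm_dns=klondike.xdroop.local
realm=KLONDIKE.XDROOP.LOCAL
dc_host=ad-01
dc_fqdn="${dc_host}.${realm_dns}"
home_template=/net/syscon/export/home/%U
join_user=dave
join_password=${JOIN_PASSWORD:-davesPassword}

yum -y install autofs nfs-utils krb5-libs samba samba-winbind \
  || die "package installation failed"

authconfig \
    --update \
    --kickstart \
    --enablewinbind \
    --enablewinbindauth \
    --smbsecurity=ads \
    --smbworkgroup="$workgroup" \
    --smbrealm="$realm_dns" \
    --smbservers="$dc_host" \
    --winbindtemplatehomedir="$home_template" \
    --winbindtemplateshell=/bin/bash \
    --enablewinbindusedefaultdomain \
    --enablelocauthorize \
    || die "authconfig failed"

# authconfig writes its own smb.conf; it is replaced wholesale here so the
# idmap settings after the authconfig section (rid backend, fixed range) are
# what winbind actually uses. The heredoc is deliberately unquoted so the
# site variables expand; the %U/%v/%m tokens are Samba substitutions and
# are left for Samba.
cat > /etc/samba/smb.conf <<END
[global]
#--authconfig--start-line--

# Generated by authconfig on 2016/06/04 16:28:54
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = ${workgroup}
   password server = ${dc_fqdn}
   realm = ${realm}
   security = ads
   idmap config * : range = 2000-9999
   template homedir = ${home_template}
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false

#--authconfig--end-line--
   idmap config ${workgroup}:backend = rid
   idmap config ${workgroup}:range = 10000-99999
   server string = Samba Server Version %v
   log file = /var/log/samba/log.%m
   max log size = 50
   load printers = no
   cups options = raw
END

# Hand the password to net through the PASSWD environment variable that
# Samba's command-line tools honour, instead of "-U user%password": a
# password on argv is readable by every local user via ps and is recorded
# in shell history.
PASSWD="$join_password" net rpc join -S "$dc_host" -U "$join_user" \
  || die "domain join failed"

# Stop whatever authconfig may already have started and clear the winbind
# cache so the services come up cleanly against the new smb.conf.
service smb stop
service winbind stop
net cache flush
for svc in rpcbind nfs autofs smb winbind; do
  chkconfig "$svc" on
  service "$svc" start || printf 'warning: %s did not start\n' "$svc" >&2
done

# Remove only the local "wheel" group entry so the AD group of the same name
# is the one that resolves. The pattern is anchored on purpose: a bare
# "wheel" would also drop any group whose name or member list merely
# contains that string (for example an "rwheel" group).
cd /etc || die "cannot cd to /etc"
cp -- group group.org || die "could not back up /etc/group"
grep -v '^wheel:' group.org > group

printf '%s\n' 'done!'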

Now I can log in as any user that A) exists in the zone and B) has a home directory created on syscon.

[dave@syscon ~]$ id
uid=11109(dave) gid=10513(domain users) groups=10513(domain users),2000(BUILTIN\administrators),2001(BUILTIN\users),10512(domain admins),10572(denied rodc password replication group),11111(esx admins),11113(wheel),11115(rwheel)