winbind

Created by dave. Last edited by dave, 7 years and 186 days ago. Viewed 2,289 times. #7
(2016-09-14)

Configuring Winbind On A Fresh CentOS 6 Installation

With this example, AD users in KLONDIKE can log into Linux hosts with their AD credentials and will get the same UID and GID values on every Linux host configured this way.

In this example:

  • my domain is called KLONDIKE, with a DNS name of klondike.xdroop.local
  • the AD server is called ad-01.klondike.xdroop.local
  • my home directories are NFS exported from syscon, on /export/home
  • the AD account used to join computers to the domain is dave, with password davesPassword
  • I have an AD group called "wheel", which is why I strip the default "wheel" group out of the local group file.
Adjust accordingly.

#!/bin/bash

# Packages: automounter and NFS client for the home directories, Kerberos
# libraries, Samba and the winbind daemon.
yum -y install autofs nfs-utils krb5-libs samba samba-winbind

# Let authconfig generate the PAM/nsswitch configuration and the
# authconfig-managed section of smb.conf.
authconfig \
  --update \
  --kickstart \
  --enablewinbind \
  --enablewinbindauth \
  --smbsecurity=ads \
  --smbworkgroup=KLONDIKE \
  --smbrealm=klondike.xdroop.local \
  --smbservers="ad-01" \
  --winbindtemplatehomedir=/net/syscon/export/home/%U \
  --winbindtemplateshell=/bin/bash \
  --enablewinbindusedefaultdomain \
  --enablelocauthorize

# Write the full smb.conf: the authconfig-managed block, then the
# rid idmap backend for the domain, which gives deterministic IDs
# (unix id = RID + 10000) on every host using this file.
cat > /etc/samba/smb.conf <<END
[global]
#--authconfig--start-line--

# Generated by authconfig on 2016/06/04 16:28:54
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = KLONDIKE
password server = ad-01.klondike.xdroop.local
realm = KLONDIKE.XDROOP.LOCAL
security = ads
idmap config * : range = 2000-9999
template homedir = /net/syscon/export/home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false

#--authconfig--end-line--
idmap config KLONDIKE:backend = rid
idmap config KLONDIKE:range = 10000-99999
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
load printers = no
cups options = raw
END

# Join the domain. Note the password is passed on the command line, so it is
# visible in the process list and in this script; keep the script readable
# by root only.
net rpc join -S ad-01 -Udave%davesPassword

# Restart from a clean winbind cache so the new idmap ranges take effect.
service smb stop
service winbind stop
net cache flush

for i in rpcbind nfs autofs smb winbind ; do
  chkconfig $i on
  service $i start
done

# Drop the local "wheel" group so the AD group of the same name wins.
# The anchored pattern removes only the wheel group line itself.
cd /etc
cp group group.org
grep -v '^wheel:' group.org > group

echo done!

Now I can log in as any user that A) exists in the domain and B) has a home directory created on syscon.

[dave@syscon ~]$ id
uid=11109(dave) gid=10513(domain users) groups=10513(domain users),2000(BUILTIN\administrators),2001(BUILTIN\users),10512(domain admins),10572(denied rodc password replication group),11111(esx admins),11113(wheel),11115(rwheel)
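The id output above shows why the rid backend gives the same numbers on every host: with "idmap config KLONDIKE:range = 10000-99999" the Unix ID is simply RID + 10000, so "domain users" (well-known RID 513) is 10513, "domain admins" (RID 512) is 10512, and so on. The two BUILTIN groups at 2000 and 2001 are different: they fall in the "idmap config * : range" and are allocated by the default tdb backend on first sight, so those two values are per host and can differ elsewhere. The following script is an added example, not part of the original page; it parses the smb.conf idmap lines and the id output quoted above (both embedded as constructed input) and classifies each ID as rid-derived or tdb-allocated. The well-known RID table is assumed knowledge used only as a cross-check.

```python
"""Added example: how Samba's idmap_rid backend produces the IDs seen in `id`.

idmap_rid is deterministic: unix_id = RID + low end of the domain's range.
IDs inside the '*' range come from the tdb backend, which hands them out in
the order it first sees the SIDs, so they are stable only on one host.
"""
import re

# idmap lines copied from the smb.conf on the page (constructed input).
SMB_CONF = """
idmap config * : range = 2000-9999
idmap config KLONDIKE:backend = rid
idmap config KLONDIKE:range = 10000-99999
"""

# The `id` output shown on the page (constructed input).
ID_OUTPUT = (
    "uid=11109(dave) gid=10513(domain users) groups=10513(domain users),"
    "2000(BUILTIN\\administrators),2001(BUILTIN\\users),10512(domain admins),"
    "10572(denied rodc password replication group),11111(esx admins),"
    "11113(wheel),11115(rwheel)"
)

# Well-known AD RIDs (assumed knowledge), used only to sanity-check the mapping.
WELL_KNOWN_RIDS = {
    512: "domain admins",
    513: "domain users",
    572: "denied rodc password replication group",
}


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config <dom> : range' line."""
    ranges = {}
    pat = r"idmap config\s*(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    for m in re.finditer(pat, conf):
        ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def rid_to_unix_id(rid, ranges, domain):
    """Forward mapping used by idmap_rid: low + RID, rejected if past the range."""
    low, high = ranges[domain]
    unix_id = low + rid
    if unix_id > high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {domain} range {low}-{high}")
    return unix_id


def unix_id_to_rid(unix_id, ranges, domain):
    """Reverse mapping; None when the ID is not in the domain's rid range."""
    low, high = ranges[domain]
    if not low <= unix_id <= high:
        return None
    return unix_id - low


def parse_id_output(text):
    """Turn 'uid=11109(dave) ... groups=10513(domain users),...' into (id, name) pairs."""
    return [(int(n), name) for n, name in re.findall(r"(\d+)\(([^)]*)\)", text)]


def classify(text, conf, domain="KLONDIKE"):
    """Map each name in the id output to ('rid', RID), ('tdb', None) or ('unmapped', None)."""
    ranges = parse_idmap_ranges(conf)
    star_low, star_high = ranges["*"]
    result = {}
    for unix_id, name in parse_id_output(text):
        rid = unix_id_to_rid(unix_id, ranges, domain)
        if rid is not None:
            result[name] = ("rid", rid)
        elif star_low <= unix_id <= star_high:
            result[name] = ("tdb", None)
        else:
            result[name] = ("unmapped", None)
    return result


def well_known_mismatches(result):
    """Names whose derived RID is well known but whose name does not match it."""
    return [name for name, (kind, rid) in result.items()
            if kind == "rid" and rid in WELL_KNOWN_RIDS and WELL_KNOWN_RIDS[rid] != name]


if __name__ == "__main__":
    for name, (kind, rid) in classify(ID_OUTPUT, SMB_CONF).items():
        note = f"RID {rid}, stable across hosts" if kind == "rid" else "per-host allocation"
        print(f"{name:45s} {kind:8s} {note}")
    print("well-known RID mismatches:", well_known_mismatches(classify(ID_OUTPUT, SMB_CONF)))
```

Running it lists every entry from the id output with its derived RID, and reports the two BUILTIN groups as tdb allocations; an empty mismatch list confirms that 10512, 10513 and 10572 line up with the well-known Domain Admins, Domain Users and Denied RODC Password Replication Group RIDs, which is the quickest way to confirm the rid backend is actually in use rather than the default allocator.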