keet Guru
Joined: 09 Sep 2008 Posts: 534
Posted: Thu Oct 29, 2015 11:52 pm Post subject: Seems fixed: Join Active Directory domain using Samba/Winbind
Does anyone here have experience joining Gentoo to a Windows Active Directory domain? I have a home server running Windows Server 2012, acting as the domain controller. Let's say that the domain is called GREYCAT.LOCAL. I am trying the Samba/Winbind method.
It seems to be partly working:
Code:
sudo net ads join -U myusername
Password:
Ignoring unknown parameter "winbind offline login"
Enter myusername's password:
Using short domain name -- GREYCAT
Joined 'LAPTOP' to dns domain 'greycat.local'
net_update_dns_internal: Failed to connect to our DC!
DNS update failed!
'wbinfo -u' shows a list of domain users.
However, no-one can log into my Linux laptop using domain credentials. It is working fine on the Windows computers (or the same laptop if I reboot into Windows).
Does anyone here know how to make it work properly?
/etc/krb5.conf
Code:
[libdefaults]
default_realm = GREYCAT.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
# kdc_timesync = 1
# ccache_type = 4
# proxiable = true
# fcc-mit-ticketflags = true
# default_keytab_name = FILE:/etc/krb5.keytab
# default_tkt_enctypes = aes256-cts-hmac-sha1-96
[realms]
GREYCAT.LOCAL = {
kdc = ipaddressofdomaincontroller
admin_server = ipaddressofdomaincontroller
default_domain = GREYCAT.LOCAL
}
[domain_realm]
.greycat.local = GREYCAT.LOCAL
greycat.local = GREYCAT.LOCAL
#[login]
# krb4_convert = true
# krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
/etc/samba/smb.conf (and smb2.conf)
Code:
[global]
workgroup = GREYCAT
password server = ipaddressofdomaincontroller
realm = GREYCAT.LOCAL
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline login = true
kerberos method = secrets and keytab
winbind refresh tickets = true
server string = dd Samba Server Version %v
netbios name = LAPTOP
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
encrypt passwords = yes
# winbind enum groups = yes
# winbind enum users = yes
[homes]
comment = Home Directories
browseable = no
writeable = yes
/etc/security/pam_winbind.conf
Code:
(censored)
krb5_auth = yes
krb5_ccache_type = FILE
(censored)
/etc/pam.d/system-auth
Code:
#%PAM-1.0
# $Id$
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
account sufficient pam_winbind.so
account required pam_unix.so
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
/etc/pam.d/samba
Code:
#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
# * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility
# (Diego "Flameeyes" Petteno'): enable with pam>=0.78 only
auth required pam_smbpass.so nodelay
account include system-auth
session include system-auth
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
Edit: I might have fixed it. I set this laptop to use the same hostname in Windows and in Linux. I had also not configured /etc/hosts properly, I think; I had '127.0.0.1 localhost...', so I changed my hostname to 'laptop_gentoo' and in /etc/hosts '127.0.0.1 laptop_gentoo.greycat laptop_gentoo'. Now, it seems to be working properly; I can log into my Linux laptop using accounts that I made on my Windows domain controller.
Back to top
keet Guru
Joined: 09 Sep 2008 Posts: 534
Posted: Fri Oct 30, 2015 8:54 pm Post subject:
It is working more or less well. When users log in, their home directories are readable by all and owned by 'users:domain users' by default. I needed to add 'auth sufficient pam_winbind.so' to /etc/pam.d/lightdm for lightdm to work with domain credentials.
Back to top
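As an added example (not code from the thread or from Samba itself), a small POSIX shell script that checks the three points these two posts turned up: that the hostname is listed in /etc/hosts (the fix from the edit in the first post), that the umask given to pam_mkhomedir does not leave a new domain user's home directory world-readable (the umask=0022 on the pam_mkhomedir line in the posted system-auth creates homes as 0755, which is why they come out readable by all), and that the display manager's PAM file calls pam_winbind.so. The function names are mine, and the files are passed in as text so the checks run on constructed samples rather than a live system.

```shell
# Added checks for what this thread hinged on (assumed layout, not Samba's own
# tooling): the hostname must be resolvable from /etc/hosts, pam_mkhomedir's
# umask decides whether a new domain user's home is world-readable, and the
# display manager's PAM stack must call pam_winbind.so.

# 0 if $2 (short name or FQDN) is listed on a non-comment line of hosts text $1.
hosts_has_hostname() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the umask option of the pam_mkhomedir.so session line, or "unset".
mkhomedir_umask() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*session/ && /pam_mkhomedir\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print $i; found = 1; exit }
        }
        END { if (!found) print "unset" }'
}

# 0 if the umask clears every group/other bit (0077 or 077), i.e. homes are 0700.
# "unset" counts as open: pam_mkhomedir defaults to 0022, which yields 0755.
homedir_private() {
    [ "$1" = "unset" ] && return 1
    lowbits=$(printf '%s' "$1" | sed 's/^.*\(..\)$/\1/')
    [ "$lowbits" = "77" ]
}

# 0 if PAM stack text $1 has an auth line that calls pam_winbind.so.
pam_auth_uses_winbind() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so'
}

# Constructed samples modelled on the thread; not taken from a real system.
HOSTS_BEFORE='127.0.0.1 localhost'
HOSTS_AFTER='127.0.0.1 laptop_gentoo.greycat laptop_gentoo
127.0.0.1 localhost'
SYSTEM_AUTH='session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so'
LIGHTDM_PAM='auth required pam_env.so
auth sufficient pam_winbind.so
auth include system-auth'

hosts_has_hostname "$HOSTS_AFTER" laptop_gentoo && echo "hosts: laptop_gentoo resolves"
u=$(mkhomedir_umask "$SYSTEM_AUTH")
homedir_private "$u" || echo "pam_mkhomedir umask=$u: new home directories are readable by everyone"
pam_auth_uses_winbind "$LIGHTDM_PAM" && echo "lightdm: domain logins go through pam_winbind"
```

Changing the posted line to umask=0077 makes pam_mkhomedir create 0700 homes, which is the least-privilege default for a multi-user domain-joined machine.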