3.4. Winbind
Samba must be configured before Winbind can be configured as an identity store for a system. Either a Samba server must be set up and used for user accounts, or Samba must be configured to use Active Directory as a back-end identity store.
Configuring Samba is covered in the Samba project documentation. Configuring Samba specifically as an integration point with Active Directory is also covered in the Using Samba for Active Directory Integration section of the Windows Integration Guide.
3.4.1. Enabling Winbind in the authconfig GUI
- Install the samba-winbind package. This is required for Windows integration features in Samba services, but is not installed by default.
  [root@server ~]# yum install samba-winbind
- Open the authconfig UI.
  [root@server ~]# authconfig-gtk
- In the Identity & Authentication tab, select Winbind in the User Account Database drop-down menu.
- Set the information that is required to connect to the Microsoft Active Directory domain controller.
  - Winbind Domain gives the Windows domain to connect to. This should be in the Windows 2000 format, such as DOMAIN.
  - Security Model sets the security model to use for Samba clients. authconfig supports four types of security models:
    - ads configures Samba to act as a domain member in an Active Directory Server realm. To operate in this mode, the krb5-server package must be installed and Kerberos must be configured properly.
    - domain has Samba validate the user name and password by authenticating it through a Windows primary or backup domain controller, much like a Windows server.
    - server has a local Samba server validate the user name and password by authenticating it through another server, such as a Windows server. If the server authentication attempt fails, the system then attempts to authenticate using user mode.
    - user requires a client to log in with a valid user name and password. This mode does support encrypted passwords. The user name format must be domain\user, such as EXAMPLE\jsmith. This is the default option.
      Note
      When verifying that a given user exists in the Windows domain, always use the domain\user_name format and escape the backslash (\) character. For example:
      [root@server ~]# getent passwd domain\\user
      DOMAIN\user:*:16777216:16777216:Name Surname:/home/DOMAIN/user:/bin/bash
  - Winbind ADS Realm gives the Active Directory realm that the Samba server will join. This is only used with the ads security model.
  - Winbind Domain Controllers gives the host name or IP address of the domain controller to use to enroll the system.
  - Template Shell sets which login shell to use for Windows user account settings.
  - Allow offline login allows authentication information to be stored in a local cache. The cache is referenced when a user attempts to authenticate to system resources while the system is offline.
3.4.2. Enabling Winbind in the Command Line
Windows domains have several different security models, and the security model used in the domain determines the authentication configuration for the local system. For user and server security models, the Winbind configuration requires only the domain (or workgroup) name and the domain controller host names.
The --winbindjoin parameter sets the user to use to connect to the Active Directory domain, and --enablelocauthorize sets local authorization operations to check the /etc/passwd file.
After running the authconfig command, join the Active Directory domain.
[root@server ~]# authconfig --enablewinbind --enablewinbindauth --smbsecurity=user|server --enablewinbindoffline --smbservers=ad.example.com --smbworkgroup=EXAMPLE --update --enablelocauthorize --winbindjoin=admin
[root@server ~]# net ads join
Note
The user name format must be domain\user, such as EXAMPLE\jsmith.
When verifying that a given user exists in the Windows domain, always use the domain\user format and escape the backslash (\) character. For example:
[root@server ~]# getent passwd domain\\user
DOMAIN\user:*:16777216:16777216:Name Surname:/home/DOMAIN/user:/bin/bash
For ads and domain security models, the Winbind configuration allows additional configuration for the template shell and realm (ads only). For example:
[root@server ~]# authconfig --enablewinbind --enablewinbindauth --smbsecurity ads --enablewinbindoffline --smbservers=ad.example.com --smbworkgroup=EXAMPLE --smbrealm EXAMPLE.COM --winbindtemplateshell=/bin/sh --update
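The following script is an added example, not code from the Red Hat guide or from the authconfig or Samba projects. It covers both the command-line procedure above and the Note on escaping the backslash: build_authconfig_cmd assembles the authconfig invocation for a chosen security model using only the flags shown on this page (the realm is accepted only for ads, local authorization and the join user only for user and server), passwd_field picks fields out of the line that getent prints, and verify_domain_user shows the quoting that passes a literal DOMAIN\user name to getent. The workgroup, realm, domain controller name and the sample passwd entry are constructed values; the script assumes nothing about any real domain and the demonstration at the bottom contacts none.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide or the authconfig project): build the
# authconfig command line for a chosen Winbind security model, and handle the
# DOMAIN\user lookup that the Note describes. The host names, workgroup, realm and
# the sample passwd entry below are constructed values.

# Constructed sample of what `getent passwd domain\\user` prints for a Winbind user.
SAMPLE_ENTRY='DOMAIN\user:*:16777216:16777216:Name Surname:/home/DOMAIN/user:/bin/bash'

# Print the authconfig invocation for a security model.
# Usage: build_authconfig_cmd MODEL WORKGROUP DOMAIN_CONTROLLER [REALM] [TEMPLATE_SHELL] [JOIN_USER]
build_authconfig_cmd() {
    model="$1"; workgroup="$2"; dc="$3"; realm="$4"; tshell="$5"; joinuser="$6"
    case "$model" in
        user|server|ads|domain) ;;
        *) echo "unknown security model: $model" >&2; return 1 ;;
    esac
    cmd="authconfig --enablewinbind --enablewinbindauth --smbsecurity=$model"
    cmd="$cmd --enablewinbindoffline --smbservers=$dc --smbworkgroup=$workgroup"
    case "$model" in
        user|server)
            # local authorization checks /etc/passwd; the join user only applies here
            cmd="$cmd --enablelocauthorize"
            if [ -n "$joinuser" ]; then cmd="$cmd --winbindjoin=$joinuser"; fi
            ;;
        ads)
            # the realm is only used by ads, and ads cannot be configured without it
            if [ -z "$realm" ]; then
                echo "security model ads requires a realm" >&2
                return 1
            fi
            cmd="$cmd --smbrealm=$realm"
            ;;
    esac
    if [ -n "$tshell" ]; then cmd="$cmd --winbindtemplateshell=$tshell"; fi
    echo "$cmd --update"
}

# Extract one field (name, uid, gid, gecos, home, shell) from a passwd-style line.
passwd_field() {
    line="$1"; field="$2"
    case "$field" in
        name) n=1 ;; uid) n=3 ;; gid) n=4 ;; gecos) n=5 ;; home) n=6 ;; shell) n=7 ;;
        *) echo "unknown field: $field" >&2; return 1 ;;
    esac
    printf '%s\n' "$line" | cut -d: -f"$n"
}

# Look a domain user up through NSS. The backslash is doubled inside double quotes
# so that getent receives the literal DOMAIN\user name (the escaping the Note requires).
# Exits non-zero when Winbind does not know the user.
verify_domain_user() {
    domain="$1"; user="$2"
    getent passwd "$domain\\$user"
}

# Stand-alone demonstration on constructed values; nothing here contacts a domain.
echo "ads:  $(build_authconfig_cmd ads EXAMPLE ad.example.com EXAMPLE.COM /bin/sh)"
echo "user: $(build_authconfig_cmd user EXAMPLE ad.example.com '' '' admin)"
echo "sample entry uid=$(passwd_field "$SAMPLE_ENTRY" uid) home=$(passwd_field "$SAMPLE_ENTRY" home)"
```

To use it against a real system, run the printed command as root and then call verify_domain_user with the workgroup and a known account; a non-zero exit from getent means NSS is not resolving Winbind users yet, which is the first thing to check before looking at authentication.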
There are many other options for configuring Windows-based authentication and the information for Windows user accounts, such as name formats, whether to require the domain name with the user name, and UID ranges. These options are listed in the authconfig help.