GBKevin

This is how I was able to configure Suse 10.0 to authenticate on a Windows 2003 Active Directory Server. I do not know if it will work on previous versions of Windows or with previous versions of Suse Linux.

Notes:
1. Any text that reads domain.internal (lower case) you will replace with your domain.
2. Any text that reads DOMAIN.INTERNAL (upper case) you will replace with your domain in upper case.
3. Any text that reads DOMAIN (upper case) you will replace with your domain (no .internal)
4. The NetBios name is the name of your client (workstation/computer)

This process will require the krb5-client (I installed all of it), Samba, and Samba-Winbind.

Steps

Step 1: Install the Required Packages – This can be done through Yast

Step 2: Edit the /etc/krb5.conf File

    [logging]
    default = FILE10000:/var/log/krb5lib.log

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = DOMAIN.INTERNAL
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5

    [realms]
    DOMAIN.INTERNAL = {
        kdc = domainserver.domain.internal
        admin_server = domainserver.domain.internal
        default_domain = DOMAIN.INTERNAL
    }

    [domain_realm]
    .domain.internal = DOMAIN.INTERNAL
    domain.internal = DOMAIN.INTERNAL

Step 3: Edit /etc/samba/smb.conf

    [global]
    security = ads
    netbios name = NetBios Name
    realm = DOMAIN.INTERNAL
    password server = domainserver.domain.internal
    workgroup = DOMAIN
    idmap uid = 1000-29999
    idmap gid = 1000-29999
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no
    server string =

Step 4: Test the configuration with the testparm command – You should be able to see what you entered in the samba.conf file.

Step 5: Edit /etc/nsswitch.conf to look like the example below

    passwd: compat winbind
    group: compat winbind
    shadow: compat
    hosts: files dns wins
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis

Step 6: Modify the PAM settings
These files are all located in the /etc/pam.d folder

File: common-account (It should contain only the following lines)

    account sufficient pam_winbind.so
    account required pam_unix.so

File: common-auth (It should contain only the following lines)

    auth sufficient pam_winbind.so
    auth required pam_unix.so nullok_secure use_first_pass

File: common-password file

    password required pam_unix.so nullok obscure min=4 max=50 md5

File: common-session

    session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Step 7: Make a directory to hold domain user home directories
Note: Use Konsole for this
Note: Use the value you put in the WORKGROUP tag in the smb.conf file

    mkdir /home/DOMAIN

Step 8: Initialize Kerberos
Note: Use Konsole for this

    kinit domain_admin_account@DOMAIN.INTERNAL

Step 9: Check to be sure you got a ticket from the domain controller
Note: Use Konsole for this

    klist

Step 10: Join the Domain
Note: Use Konsole for this

    net ads join -U domainadminuser@DOMAIN.INTERNAL

Step 11: Restart Samba-related Services
Note: The order is important
Note: Use Konsole for this

    /etc/init.d/smb stop
    /etc/init.d/winbind stop
    /etc/init.d/smb start
    /etc/init.d/winbind start

Step 12: Attempt to switch user and log on as a domain member. If you can log on then you are successful.

Step 13: Configure SUDO
Add the “Domain Admins” group from windows to the /etc/sudoers file

    # The space in the group name is escaped with a backslash
    %Domain\ Admins ALL=(ALL) ALL

Example:

    # sudoers file
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # Defaults specification
    Defaults targetpw # ask for the password of the target user i.e. root
    %users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
    # Runas alias specification
    # User privilege specification
    root ALL=(ALL) ALL
    # Uncomment to allow people in group wheel to run all commands
    %Domain\ Admins ALL=(ALL) ALL
    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
    # Samples
    # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users localhost=/sbin/shutdown -h now

Step 14: See if Konsole will list user names and group names from Windows:

    wbinfo -u
    wbinfo -g

Step 15: Make sure the permission on the DOMAIN folder under Homes is set to the correct permissions so that the new users can create their folder on login.
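An added example, not part of the original post: a small audit of the enctype lists from Step 2, reporting which entries are deprecated (single DES by RFC 6649, 3DES and RC4 by RFC 8429) and which of those are listed ahead of the first AES type, since these lists are read in order of preference. The function name `audit_enctypes` and the embedded sample are constructed for illustration.

```python
import re

# Deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-hmac-sha1",
              "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

# Constructed sample: settings copied from Step 2 of the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5

[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
}
"""


def audit_enctypes(conf_text):
    """Return one finding per enctype list found in [libdefaults]."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # krb5.conf comment markers
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if section != "libdefaults" or not sep or key not in ENCTYPE_KEYS:
            continue
        types = [t.lower() for t in re.split(r"[\s,]+", value) if t]
        weak = [t for t in types if t in DEPRECATED]
        first_aes = next((i for i, t in enumerate(types) if t.startswith("aes")), len(types))
        findings.append({
            "setting": key,
            "deprecated": weak,
            # Deprecated types listed ahead of the first AES type are preferred over it.
            "preferred_over_aes": [t for t in types[:first_aes] if t in DEPRECATED],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_enctypes(SAMPLE_KRB5_CONF):
        print(finding)
```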