Windows Domain Logins from Red Hat 7.3 Workstations
by Ken Puckett
http://kpuckett.hopto.org
Last updated: August 15, 2002

This procedure will allow you to configure your Red Hat 7.3 workstations to authenticate users that are part of a Windows NT or Windows 2000 domain. That is, each user will actually use his or her Windows account to log in instead of a local Linux account. This is great for environments that have an existing Windows domain and wish to allow users to log in to the domain from Red Hat systems without having to create user accounts on each and every Red Hat system.

Notes on use:
Assumptions when performing procedure:
  1. Using the appropriate Microsoft utilities, add the Desktop/LX workstation to the domain. For example, for a Windows 2000 domain, run Active Directory Users and Computers and add the Desktop/LX machine to the "Computers" OU (or wherever is appropriate for your environment). Make sure to turn on "Allow pre-Windows 2000 computers to use this account".

  2. Edit /etc/nsswitch.conf. Add winbind to the end of the lines that begin with passwd: and group:.

  3. Edit /etc/samba/smb.conf so that the following lines are added or changed in the [global] section:

    domain master = No
    local master = No
    password server = *
    security = domain
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind enum groups = yes
    winbind enum users = yes
    winbind gid = 10000-20000
    winbind separator = +
    winbind uid = 10000-20000
    workgroup = windowsdomain


    (Replace windowsdomain with the NetBIOS name of your Windows domain. Also, you can set password server to the name of your domain controller if you need to.)

  4. Edit /etc/pam.d/system-auth so that it looks like this: (Note: The added items were shown in bold in the original; they are the pam_winbind.so lines in the auth and account sections and the pam_mkhomedir.so line in the session section.)

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        sufficient    pam_winbind.so
    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
    auth        required      /lib/security/pam_deny.so

    account     sufficient    pam_winbind.so
    account     required      /lib/security/pam_unix.so

    password    required      /lib/security/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/pam_deny.so

    session     required      pam_mkhomedir.so umask=0022
    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so


    NOTE: If you use the utility Authentication Configuration (or the command line utility authconfig), then you may lose the Winbind settings applied during this step. As such, it is recommended that you do not use either configuration utility.

  5. Run ln -s /etc/rc.d/init.d/winbind /etc/rc.d/rc5.d/S92winbind

  6. Run Control Panel, Service Configuration, and enable (so they start at boot) and also start both smb and winbind.

  7. Run smbpasswd -j windowsdomain -r pdc, where windowsdomain is the NetBIOS name of your Windows domain, and pdc is the name of a Windows domain controller (the PDC if you're joining an NT4 domain). Make sure the status message reports that it joined successfully.

  8. Run wbinfo -t to verify that the "Secret is good", which means that Red Hat can validate that its computer account is registered with the Windows domain.

  9. Run wbinfo -u and wbinfo -g to verify that you can view users and groups in the domain.

  10. Run wbinfo -a windowsdomain+domainuser%userpassword to try to authenticate one of your domain user accounts from your Red Hat system. For example, to verify that I can use winbind to authenticate the account BAR in Windows domain FOO using the password DUMMY, I would type wbinfo -a foo+bar%DUMMY

    NOTE: The command is successful as long as one of the authentication methods succeeds, so look closely at the messages. For example, if the messages say "plaintext password authentication succeeded" and "challenge/response password authentication failed", then you should be OK.

  11. Create directory /home/WINDOWSDOMAIN (where WINDOWSDOMAIN is the NetBIOS name of your Windows domain; USE CAPITAL LETTERS).


Please let me know how this procedure works for you and if any additions or corrections should be made. Thanks!