Authenticating Against Active Directory in Linux

  2006-11-07


I finally got it. After about 5 hours of working on it, I’ve finally gotten Linux to authenticate against Active Directory on a Windows 2000 Server. I want to post how I have it configured because it seems like most documentation only takes you halfway.

Software used: Debian Etch, Samba 3.0.23c with Winbind and pam_winbind, and MIT Kerberos with pam_krb5 (the libpam-krb5 package).

The first step, once the prerequisite software is installed, is to join the domain. Luckily Samba has excellent documentation on how to join an Active Directory domain, specifically [On-the-Fly Creation of Machine Trust Accounts](http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2574601) and [Samba ADS Domain Membership](http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member).

The next step is to hook Linux’s authentication (PAM) into Active Directory. Here are the relevant bits of my configuration files:

NOTE: In the following examples TREMONT is the NetBIOS domain name, TREMONT.LOCAL is the Kerberos realm (the AD domain's DNS name, upper-cased), and thsdc1 is the Windows 2000 domain controller (often still called the PDC, although in Active Directory that is strictly the PDC-emulator role held by one of the DCs).

/etc/samba/smb.conf (relevant bits only)

```ini
[global]
# Domain
workgroup = Tremont
realm = TREMONT.LOCAL
security = ADS
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
encrypt passwords = true
## Commented the following out, but I don't know if it's necessary
# passdb backend = tdbsam
obey pam restrictions = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
# Note: I do *not* use the separator username format: Domain\User
#winbind separator = '\'
# The following allows users to login with just Username
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
```

One caveat on this block: `add machine script` is only consulted when Samba itself acts as the domain controller, so on an ADS member server it is inert and can be dropped. Note also that `realm` must be the Kerberos realm in upper case; Kerberos realm names are case-sensitive, and a mismatch here is a common cause of a join that fails with an obscure Kerberos error.
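A pre-flight check for the file above, added here as an example and not part of the original post: it parses an smb.conf the way smbd reads keys (case-insensitive, whitespace collapsed, `[global]` only) and flags the mistakes that most often make `net ads join` or the later logins fail: `security` not set to ADS, a realm that is not upper case, and idmap ranges that are malformed or low enough to overlap local accounts. It also warns about `winbind use default domain = yes`, because a domain account whose name collides with a local account would authenticate through pam_winbind and then be mapped by NSS to the local UID. The two sample configurations embedded in the script are constructed for the demonstration; the script never contacts the domain controller.

```shell
#!/bin/sh
# Pre-flight lint for an smb.conf that is about to join an AD domain with
# "security = ADS". Added example, not from the original post. It only parses
# the text of the file and never talks to the DC.
# Usage: sh smbconf-lint.sh /etc/samba/smb.conf   (no argument: run on built-in samples)

# smb_global_get FILE KEY
# Print the value of KEY from the [global] section. Keys match case-insensitively
# with runs of whitespace collapsed, which is how smbd treats them.
smb_global_get() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); gsub(/[ \t]+/, " ", key) }
        /^[ \t]*[#;]/ { next }                                   # comment lines
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# is_upper STRING -> true if STRING is non-empty and contains no lower-case letters
is_upper() { [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" ]; }

# check_idmap_range LABEL "LOW-HIGH" -> prints one FAIL line and returns 1 on a bad range
check_idmap_range() {
    lo=${2%-*}; hi=${2#*-}
    case "$lo$hi" in
        ''|*[!0-9]*) echo "FAIL: $1 must be LOW-HIGH (got '${2:-unset}')"; return 1 ;;
    esac
    if [ "$lo" -lt 1000 ]; then
        echo "FAIL: $1 starts at $lo and would collide with local/system accounts"; return 1
    fi
    if [ "$lo" -ge "$hi" ]; then
        echo "FAIL: $1 LOW ($lo) must be below HIGH ($hi)"; return 1
    fi
    return 0
}

# lint_smb_conf FILE -> 0 when every check passes, 1 otherwise; one FAIL/WARN line per finding
lint_smb_conf() {
    f=$1; rc=0
    sec=$(smb_global_get "$f" "security")
    case "$(printf '%s' "$sec" | tr 'A-Z' 'a-z')" in
        ads) ;;
        *) echo "FAIL: security must be ADS for an Active Directory member (got '${sec:-unset}')"; rc=1 ;;
    esac
    realm=$(smb_global_get "$f" "realm")
    is_upper "$realm" || { echo "FAIL: realm must be the Kerberos realm in UPPER CASE (got '${realm:-unset}')"; rc=1; }
    [ -n "$(smb_global_get "$f" "workgroup")" ] || { echo "FAIL: workgroup (the NetBIOS domain name) is not set"; rc=1; }
    check_idmap_range "idmap uid" "$(smb_global_get "$f" "idmap uid")" || rc=1
    check_idmap_range "idmap gid" "$(smb_global_get "$f" "idmap gid")" || rc=1
    # Bare usernames are tried against the domain, so a domain account named like a
    # local one (root!) authenticates via pam_winbind and then resolves, via NSS, to
    # the LOCAL uid. Warn so the admin keeps the two namespaces disjoint.
    case "$(smb_global_get "$f" "winbind use default domain" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo "WARN: winbind use default domain = yes: no domain account may share a name with a local account" ;;
    esac
    # Only consulted when Samba itself is the domain controller; dead weight on a member.
    [ -z "$(smb_global_get "$f" "add machine script")" ] || echo "WARN: add machine script is ignored on an ADS member server"
    return $rc
}

# write_sample good|bad FILE -> constructed sample configs (not copied from any real host)
write_sample() {
    if [ "$1" = good ]; then
        cat > "$2" <<'EOF'
[global]
# Domain
workgroup = Tremont
realm = TREMONT.LOCAL
security = ADS
encrypt passwords = true
obey pam restrictions = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
EOF
    else
        cat > "$2" <<'EOF'
[global]
workgroup = Tremont
realm = tremont.local
security = user
idmap uid = 500-20000
idmap gid = 10000
EOF
    fi
}

if [ -n "$1" ]; then
    lint_smb_conf "$1"
else
    tmp=${TMPDIR:-/tmp}/smbconf-lint.$$
    write_sample good "$tmp"; lint_smb_conf "$tmp" && echo "good sample: OK"
    write_sample bad "$tmp";  lint_smb_conf "$tmp" || echo "bad sample: rejected (expected)"
    rm -f "$tmp"
fi
```

Run it against the real file before `net ads join`; a clean pass does not prove the join will work (DNS, time sync and the join credentials are still outside its view), but every FAIL line it prints is something that certainly would have broken it.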

/etc/krb5.conf (from the krb5-config package)
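As an added example, not the author's file, here is a minimal MIT krb5.conf for the TREMONT.LOCAL realm. It assumes the AD DNS domain is tremont.local and that the controller's fully qualified name is thsdc1.tremont.local (the post gives only the short host name), and it lets the client discover KDCs through the SRV records Active Directory publishes. Two things no krb5.conf can fix: the Linux clock must be within the five-minute skew window of the DC, and the realm here must match `realm =` in smb.conf exactly.

```ini
[libdefaults]
    default_realm = TREMONT.LOCAL
    # AD publishes _kerberos._tcp SRV records; let the client use them to find KDCs.
    dns_lookup_kdc = true
    # Host-to-realm mapping comes from [domain_realm] below, not from DNS TXT records.
    dns_lookup_realm = false
    # Tickets outside this window are rejected; keep the box NTP-synced to the DC.
    clockskew = 300
    ticket_lifetime = 24h
    forwardable = true

[realms]
    TREMONT.LOCAL = {
        # Assumed FQDN of thsdc1; the post only names the short host.
        kdc = thsdc1.tremont.local
        admin_server = thsdc1.tremont.local
        default_domain = tremont.local
    }

[domain_realm]
    .tremont.local = TREMONT.LOCAL
    tremont.local = TREMONT.LOCAL
```

A quick way to confirm the realm side independently of Samba is `kinit someuser@TREMONT.LOCAL` followed by `klist`; if that fails, the problem is DNS, time or the realm name, not PAM.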

/etc/pam.d/common-auth

/etc/pam.d/common-account
  
/etc/pam.d/common-session
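For the three PAM files, here is a complete stack that fits the smb.conf above; it is an added example, not the author's configuration, and the `require_membership_of` group name is a placeholder. Local accounts are checked first so that a DC outage never locks out root, then pam_winbind is tried with the same password (and, optionally, obtains a Kerberos ticket at login). pam_mkhomedir creates `/home/TREMONT/<user>` on first login; because `template homedir = /home/%D/%U` puts homes one level down, check that `/home/TREMONT` exists, since older pam_mkhomedir versions create only the final directory. The nsswitch.conf lines are included because without them winbind accounts are not visible to `getpwnam`, and every login would fail after a successful authentication. One caveat the stack itself cannot enforce: with `winbind use default domain = yes`, a domain account named like a local one authenticates through pam_winbind but is mapped by NSS to the local UID, so keep the two namespaces disjoint or restrict who may log in with `require_membership_of`.

```text
# /etc/pam.d/common-auth
# Local accounts first; then the domain with the same password; pam_deny closes the stack.
auth    sufficient      pam_unix.so nullok_secure
# krb5_auth/krb5_ccache_type are optional: they give the user a TGT at login.
# require_membership_of is a placeholder; use a real group name or SID.
auth    sufficient      pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE
#auth   sufficient      pam_winbind.so use_first_pass require_membership_of=TREMONT\linux-users
auth    required        pam_deny.so

# /etc/pam.d/common-account
# winbind answers for domain users (expiry, lockout); local users fall through to pam_unix.
account sufficient      pam_winbind.so
account required        pam_unix.so

# /etc/pam.d/common-session
session required        pam_unix.so
# First login creates /home/TREMONT/<user>; the parent /home/TREMONT must already exist.
# umask=0077 keeps new home directories private.
session required        pam_mkhomedir.so skel=/etc/skel umask=0077

# /etc/nsswitch.conf (the two lines winbind needs)
passwd:         compat winbind
group:          compat winbind
```

After restarting winbindd, `wbinfo -t` confirms the machine trust, `wbinfo -u` lists domain users, and `getent passwd someuser` shows the UID from the 10000-20000 idmap range; only then is it worth testing an interactive login.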
  

<span style="font-weight: bold">/etc/samba/smb.conf</span> (relevant bits only)

`[global]<br />
# Domain workgroup = Tremont realm = TREMONT.LOCAL security = ADS add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u<br />
encrypt passwords = true<br />
## Commented the following out, but I don't know if its necessary<br />
# passdb backend = tdbsam<br />
obey pam restrictions = yes<br />
idmap uid = 10000-20000<br />
idmap gid = 10000-20000<br />
template shell = /bin/bash<br />
# Note: I do *not* use the separator username format: Domain\User<br />
#winbind separator = '\'<br />
# The following allows users to login with just Username<br />
winbind use default domain = yes<br />
winbind enum users = yes<br />
winbind enum groups = ye template homedir = /home/%D/%U`

<span style="font-weight: bold">/etc/krb5.conf</span> (from the <span style="font-style: italic">krb5-config</span> package)
  
``I finally got it. After about 5 hours of working on it, I&#8217;ve finally gotten **Linux to authenticate against Active Directory on a Windows 2000 Server**. I want to post how I have it configured because it seems like most documentation only takes you halfway.
  
Software used: [<span style="font-weight: bold">Debian</span> Etch][1], [<span style="font-weight: bold">Samba</span> 3.0.23c with <span style="font-weight: bold">Winbind</span> and pam_winbind][2], and [<span style="font-weight: bold">MIT Kerberos</span> with pam_libkrb5][3].

The first step after getting the prerequisite software installed is to <span style="font-weight: bold">join the domain</span>. Luckily Samba has excellent documentation on how to join an Active Directory Domain. Specifically <span class="sect2"><a href="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2574601">On-the-Fly Creation of Machine Trust Accounts</a> and </span><span class="sect1"><a href="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member">Samba ADS Domain Membership</a>.</span>

The next step is to hook Linux&#8217;s authentication ([PAM][4]) into Active Directory. Here are the relevant bits of my configuration files:

<span style="font-weight: bold">NOTE:</span> In the following examples <span style="font-weight: bold">TREMONT</span> is the domain, <span style="font-weight: bold">TREMONT.LOCAL</span> is the realm, and <span style="font-weight: bold">thsdc1</span> is the Windows 2000 ADS (sometimes referred to as a PDC or Primary Domain Controller).

<span style="font-weight: bold">/etc/samba/smb.conf</span> (relevant bits only)

`[global]<br />
# Domain workgroup = Tremont realm = TREMONT.LOCAL security = ADS add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u<br />
encrypt passwords = true<br />
## Commented the following out, but I don't know if its necessary<br />
# passdb backend = tdbsam<br />
obey pam restrictions = yes<br />
idmap uid = 10000-20000<br />
idmap gid = 10000-20000<br />
template shell = /bin/bash<br />
# Note: I do *not* use the separator username format: Domain\User<br />
#winbind separator = '\'<br />
# The following allows users to login with just Username<br />
winbind use default domain = yes<br />
winbind enum users = yes<br />
winbind enum groups = ye template homedir = /home/%D/%U`

<span style="font-weight: bold">/etc/krb5.conf</span> (from the <span style="font-style: italic">krb5-config</span> package)
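The contents of this file did not survive on the page. The fragment below is an added example of the minimal realm definition the rest of the post implies, written for this edit and not the author's own file. The realm TREMONT.LOCAL and the domain controller thsdc1 are the names used throughout the post; the fully qualified names thsdc1.tremont.local and tremont.local are assumptions.

```ini
# /etc/krb5.conf -- added example, not the author's file.
# TREMONT.LOCAL and thsdc1 are the realm and DC named in this post;
# the DNS names thsdc1.tremont.local and tremont.local are assumed.
[libdefaults]
    # Must be upper case and must match "realm = TREMONT.LOCAL" in smb.conf,
    # otherwise "security = ADS" cannot obtain tickets for the right realm.
    default_realm = TREMONT.LOCAL
    # Active Directory publishes _kerberos._tcp SRV records, so the KDC can be
    # located through DNS; the explicit kdc = line below is the fallback.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # Tickets are rejected when client and KDC clocks differ by more than this
    # many seconds (300 is the library default); keep the host on NTP.
    clockskew = 300

[realms]
    TREMONT.LOCAL = {
        kdc = thsdc1.tremont.local
        admin_server = thsdc1.tremont.local
        default_domain = tremont.local
    }

[domain_realm]
    .tremont.local = TREMONT.LOCAL
    tremont.local = TREMONT.LOCAL
```

A quick way to confirm the realm definition before touching PAM is `kinit someuser@TREMONT.LOCAL` followed by `klist`: if that fails with a clock skew or "cannot find KDC" error, fix DNS or time synchronisation first, because winbind and pam_winbind will fail in the same way and the PAM debug output is harder to read.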
  
<span style="font-weight: bold">/etc/pam.d/common-auth</span>

<span style="font-weight: bold">/etc/pam.d/common-account</span>

<span style="font-weight: bold">/etc/pam.d/common-session</span>
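The three PAM files are also empty on the page. What follows is an added example of a pam_winbind stack of the shape the notes describe (with `debug` on every winbind line, as Note 1 expects), written for this edit and not the author's files. It assumes the Debian `pam_unix.so nullok_secure` default line and the `pam_mkhomedir` module shipped with Linux-PAM; the `umask` value is a choice made here.

```text
# /etc/pam.d/common-auth  (added example, not the author's file)
# Ask the domain first and fall through to local accounts (root, service
# accounts), so the box stays usable when the DC is unreachable.
auth    sufficient  pam_winbind.so debug
auth    required    pam_unix.so nullok_secure use_first_pass

# /etc/pam.d/common-account
# pam_winbind also applies the AD account restrictions (disabled, expired,
# logon hours) to domain users; local users still go through pam_unix.
account sufficient  pam_winbind.so debug
account required    pam_unix.so

# /etc/pam.d/common-session
# "template homedir = /home/%D/%U" in smb.conf means a domain user's home
# is /home/TREMONT/<user>; pam_mkhomedir creates it on first login.
# umask=0077 keeps new home directories private to their owner.
session required    pam_mkhomedir.so skel=/etc/skel umask=0077
session required    pam_unix.so
```

Create `/home/TREMONT` by hand before the first domain login, since `template homedir` only names the leaf directory and older `pam_mkhomedir` builds do not create intermediate directories. If `pam_krb5.so` is added as a second `sufficient` line, make sure the host has a keytab (`net ads keytab create` after the join) so that the module can verify the TGT against the host principal rather than trusting whatever answers for the KDC.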

  • Note 1: Once you’re satisfied with your setup, remove “debug” from the end of each line.
  • Note 2: I have not set up /etc/pam.d/common-password, so password changing will not affect the domain.
  • Note 3: Using pam_ldap may be a better/easier way to integrate with Active Directory. I haven’t played with it, but there are plenty of resources talking about it.

PS: How do you post code in WordPress without it borking all your newlines and causing much pain and suffering? Please let me know.