How to properly authenticate a Linux client in a Windows domain

To help, we will take a step-by-step look at the process of configuring a Red Hat Fedora client into a Windows Server 2003 domain. This procedure can be fairly straightforward using a Linux utility called authconfig (which is GUI-based to make Windows folks feel at home).

It is advantageous for Linux clients to join a Windows domain so they can access resources. Using the winbindd daemon, pam_winbind and libnss_winbindd modules, Active Directory user accounts are also recognized by Linux, allowing them to telnet and FTP to the Linux system without having to map AD accounts to Linux accounts.

Before we begin the steps, here are a few important things to keep in mind:

The following steps describe the process of joining the Fedora client to the ABC.com domain.

Log in to the Fedora client as root. On the desktop you will see an icon called Terminal. Double-click it to get a command window. From command (#) prompt, enter authconfig (this is a wizard-like program that will lead you through the configuration).

The first screen you see is Authentication Configuration, shown in Figure 1. Use the Tab ke...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Active Directory Design and Administration Active Directory in Windows 2008 R2 What is Next Generation Active Directory? Utilizing Active Directory snapshots in Windows Server 2008 Active Directory tops the list of hot Windows Server 2008 R2 features Creating Windows taskpad views for Active Directory management When to add new domains to your Windows environment Forcing the removal of a Windows Server 2008 domain controller Performing a staged installation of an RODC in Windows Server 2008 Using Active Directory to manage Macs in a Windows environment Scripting domain controller installations: A must for Server Core Microsoft Windows Server 2003 Administration How to install Windows Server 2003 patches when offline Validating Windows server clusters with ClusPrep Exploring the Windows Server 2003 Resource Kit: Clusfileport.dll Exploring the Windows Server 2003 Resource Kit: Cmdhere.inf and CMGetCer.inf Windows server security management: Security expert roundup Windows server management with Remote Desktop Avoid DC restoration problems with authoritative restore Exploring the Windows Server 2003 Resource Kit: Confdisk.exe Exploring the Windows Server 2003 Resource Kit: Compress.exe and Expand.exe Exploring the Windows Server 2003 Resource Kit: Clusterrecovery.exe Microsoft Windows Server 2003 Administration Research Active Directory Administration How to find and remove lingering objects in Active Directory Utilizing Active Directory snapshots in Windows Server 2008 Creating Windows taskpad views for Active Directory management When to add new domains to your Windows environment Debugging Windows client logon delays: Narrowing the scope Using Active Directory to manage Macs in a Windows environment Troubleshooting poor Windows logon performance in Active Directory environments Common Active Directory security oversights Scripting domain controller installations: A must for Server Core Taming the LSASS.exe process for Active Directory performance and security

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Active Directory  (SearchWindowsServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

y to move between fields on the screen and the space bar to select options. An asterisk (*) in the option indicates an option is selected. In the first screen, under User Information, select 'Use Winbind'. Under Authentication, select 'Use MD5 Passwords', 'Use Shadow Passwords' and 'Use Winbind Authentication' (although these will probably already be selected). Tab to the Next button and hit Enter to select it.

Figure 1
[IMAGE]

Step 2

In the Kerberos Settings screen, make sure the two DNS options at the bottom of the screen are selected. These options are:

Step 3

In the Winbind Settings screen, make sure the security model is ADS and the shell is /bin/bash. Make sure the 'Domain', 'Domain Controllers' and 'ADS Realm' are correct.

When prompted to save changes, select Yes.

Step 4

Now we want to run the wbinfo command to list users in the windows domain. (Although authconfig should start winbindd to make this command work, it won't work until you close authconfig and start winbindd from the command line).

Do the following:

It is important to verify that authconfig has done its job by testing the Kerberos setup with kinit and klist and verifying you can look up Active Directory group information with getent, as shown in Figure 2.

Figure 2
[IMAGE]

Step 6

Now we can set up home directories for the users. To do this we need to edit three files on the Red Hat client using the (ugh!) VI Editor. But have no fear -- the sidebar to the right has a few tips in it to help you through this.

First, you will need to add this line:

Now add that same line so that it is the next to the last line of this file:

Figure 3 shows an example of editing the sshd file:

Figure 3
[IMAGE]

Typically, you want users' home directories in a common place. In this example, we named it for the Windows domain. This is a typical configuration for Windows domains. Use this procedure to create the following directory, with Linux permissions 755:

Of course, the whole goal of this process is to successfully authenticate to a Windows domain account. To check this, use the Administrator account and enter this command:

Figure 4
[IMAGE]

Note that we had to qualify our login name with the NetBIOS Name or Short Domain Name\\ username. If you would like to leave off the Short Domain Name\\ qualifier, then change the /etc/samba/smb.conf parameter: Then you can simply log in as: Now, execute the Klist command as we did previously from the command prompt to verify that Kerberos tickets were granted. Next, go to ABC-DC1 and open the ADUC snap-in. Look in the Computers container and verify that there is a computer object for Red-1.

Then, on ABC-DC1, open the event viewer and look at the security log. You should be able to find the event for the Red-1 logon (Event 540), Event 648 regarding the admin using the Microsoft authorization package, and Event 576 where it assigns privileges to the admin session.

For more information, I recommend checking out WinLinAnswers.com, an excellent Web site that is devoted to Windows and Linux interoperability.

Do you have an Active Directory issue or problem that you'd like Gary to write an article about? Email him at glo11749@yahoo.com. Note: Gary cannot answer each query personally or guarantee that all will be answered. However those queries that have widespread interest or involve common AD issues will be addressed.

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.

Rate this Tip To rate tips, you must be a member of SearchWindowsServer.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.