Here's the method we have used on our 4 samba servers:
Configure /etc/krb5.conf:
Code:
[logging]
default = FILE:/var/adm/krb5libs.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmind.log
[libdefaults]
default_realm = DOMAIN
kdc_req_checksum_type = 2
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DOMAIN = {
kdc = DC.DOMAIN
admin_server = DC.DOMAIN
default_domain = DOMAIN
}
[domain_realm]
.domain = DOMAIN
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Configure /etc/nsswitch.conf:
Code:
passwd: files winbind
group: files winbind
hosts: files dns
services: files winbind
networks: files
protocols: files winbind
rpc: files
publickey: files winbind
netgroup: files
automount: files winbind
aliases: files
Configure /etc/samba/smb.conf: (truncated for the sake of brevity)
Code:
workgroup = DOMAIN
netbios name = SAMBASERVER
security = ads
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%U
idmap uid = 1000000-3000000
idmap gid = 1000000-3000000
idmap backend = idmap_rid:DOMAIN=1000000-3000000
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
realm = DOMAIN
Restart winbind and samba.
Get a Kerberos ticket:
kinit user@DOMAIN
Join the domain:
net ads join
Configure /etc/pam.d/system-auth:
Code:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
Reboot for good measure.
When it comes back up, you can use wbinfo to get info from the domain and verify you are joined correctly.
wbinfo -t (checks shared secret)
wbinfo -n DOMAIN+someuser (should get a sid back from AD)
That's the process to the best of my recollection.
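As an added example (not from the post above, and not part of Samba itself), here is a small shell script that checks the four files from that procedure before you run net ads join, then runs the same wbinfo checks afterwards. It assumes the file paths, the "+" winbind separator and the idmap_rid layout shown in the post; the checker only reads the files, so it can be pointed at copies.

```shell
#!/bin/sh
# Added sanity check for the winbind/AD join procedure above. Not part of the
# original post; paths and expected values are assumptions taken from the
# configuration shown there.

# conf_get FILE KEY: print the value of the first "KEY = value" line in an
# ini-style file (smb.conf / krb5.conf), ignoring indentation and comments.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*[#;].*$//; s/[[:space:]]*$//' | head -n 1
}

# nss_has FILE DB SOURCE: succeed if the nsswitch database DB lists SOURCE.
nss_has() {
    grep -E "^[[:space:]]*$2:.*[[:space:]]$3([[:space:]]|\$)" "$1" >/dev/null
}

# pam_auth_ends_with_deny FILE: the last "auth" line must be pam_deny.so, so a
# module that is skipped or misconfigured never falls through to success.
pam_auth_ends_with_deny() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" | tail -n 1 | grep -q 'pam_deny\.so'
}

# check_ad_config SMB NSS KRB PAM: run every static check, print each failure,
# return 1 if any failed.
check_ad_config() {
    smb=$1 nss=$2 krb=$3 pam=$4
    rc=0
    sec=$(conf_get "$smb" security)
    [ "$sec" = "ads" ] || { echo "FAIL: security = '$sec', expected ads"; rc=1; }
    realm=$(conf_get "$smb" realm)
    [ -n "$realm" ] || { echo "FAIL: realm not set in smb.conf"; rc=1; }
    case $realm in
        *[[:lower:]]*) echo "FAIL: realm '$realm' must be upper case"; rc=1 ;;
    esac
    defrealm=$(conf_get "$krb" default_realm)
    [ "$defrealm" = "$realm" ] || { echo "FAIL: krb5 default_realm '$defrealm' != smb realm '$realm'"; rc=1; }
    # idmap_rid derives uid/gid from the RID; uid, gid and backend ranges must agree
    uid=$(conf_get "$smb" "idmap uid")
    gid=$(conf_get "$smb" "idmap gid")
    backend=$(conf_get "$smb" "idmap backend")   # idmap_rid:DOMAIN=low-high
    brange=${backend##*=}
    [ "$uid" = "$brange" ] && [ "$gid" = "$brange" ] \
        || { echo "FAIL: idmap uid/gid ($uid/$gid) do not match backend range ($brange)"; rc=1; }
    for db in passwd group; do
        nss_has "$nss" "$db" winbind || { echo "FAIL: nsswitch $db does not use winbind"; rc=1; }
    done
    pam_auth_ends_with_deny "$pam" || { echo "FAIL: PAM auth stack does not end in pam_deny.so"; rc=1; }
    [ "$(conf_get "$smb" "allow trusted domains")" = "no" ] \
        || echo "WARN: allow trusted domains != no; a single rid range only covers one domain"
    return $rc
}

# live_check DOMAIN USER: after "net ads join", confirm the machine trust secret
# and a SID lookup, as the post does with wbinfo. Skipped if wbinfo is absent.
live_check() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed; skipping live checks"; return 0; }
    wbinfo -t || return 1
    wbinfo -n "$1+$2" || return 1
}

# Run on the samba server itself:  sh check-ad.sh --run DOMAIN someuser
if [ "${1:-}" = "--run" ]; then
    check_ad_config /etc/samba/smb.conf /etc/nsswitch.conf /etc/krb5.conf /etc/pam.d/system-auth \
        && live_check "${2:-DOMAIN}" "${3:-someuser}"
fi
```

The static checks catch the mistakes that usually surface only as a confusing "NT_STATUS" error after the join: a lower-case realm, a krb5.conf realm that differs from smb.conf, an idmap range that does not match the rid backend, and winbind missing from nsswitch. The PAM check looks only at the auth stack's final line, which is the one that matters for fail-closed behaviour.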