LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
#1 - carlosinfl, 10-04-2010, 11:11 AM
Synchronized Authentication for Mail / Web on a Windows Network?


I am being asked to stand up a dedicated mail and web server in a network that runs an Active Directory 2008 domain. All users are running Windows XP and/or Windows 7. I have stood up two dedicated Linux servers (64-bit) for the requested tasks and everything is working perfectly except for the fact that users now have three individual passwords:

1. Windows domain login credentials
2. Postfix / Dovecot (email) credentials are the Linux shell login (set to /bin/false)
3. Apache / Intranet access is used from a '.htpasswd' file

Does anyone recommend a way that I could somehow synchronize the users' mail & web credentials with their Windows / Kerberos credentials?

Thanks for any help!
 
#2 - slacky, 10-04-2010, 11:35 AM
For #3, this works for me, but I'm still running Windows 2000 AD:
http://modauthkerb.sourceforge.net/configure.html

For #2, Samba's Winbind module + pam should work - I had it working at one time, but again Windows 2000 AD.
 
#3 - carlosinfl (original poster), 10-04-2010, 11:45 AM
Quote: Originally Posted by slacky
For #3, this works for me, but I'm still running Windows 2000 AD:
http://modauthkerb.sourceforge.net/configure.html

For #2, Samba's Winbind module + pam should work - I had it working at one time, but again Windows 2000 AD.

#2 is the most important for me and I would like to get as much info on this as possible. Do you know if there's a guide showing how I can configure something like this?
 
#4 - slacky, 10-04-2010, 12:46 PM
I had this site bookmarked when I originally did this years ago - I do not know if there is better info out there now:
http://www.flatmtn.com/article/setting-email-server
 
#5 - slacky, 10-04-2010, 01:03 PM
Here's how I configured popa3d to use Samba Winbind PAM authentication after Samba is all set - if Dovecot supports pam it should be similar. I do not remember postfix requiring much extra config - once you get Samba/Winbind to make the AD user accounts automatic Linux users, postfix just sees them as any other user. Of course, I was not using SMTP auth.

Code:
4.  Configure popa3d to use Windows AD passwords via PAM and Winbind.  Note this will not work until Samba is configured and Winbind is up and running.
	Edit the file /etc/pam.d/popa3d
	comment out any existing lines and add the following:
		auth		required	pam_winbind.so
		account	required	pam_winbind.so
 
#6 - slacky, 10-04-2010, 01:08 PM
Here's the text of an old Word document I had written about Samba and Winbind. Please note it is a little out of date.


Samba / Windows 2000 Active Directory Integration under Debian Sarge

Here is how I get Samba on a Debian Sarge Linux server to integrate with my Windows 2000 Active Directory domain, so Windows domain users can transparently access the Samba server just like it was a Windows File Server in our domain. Samba's Winbind daemon is the critical piece of the puzzle, and once this is working you can use the PAM Winbind module to get other services to use your users' Windows usernames and passwords - such as a Postfix/Popa3d email server that automatically has accounts for all the Windows users (not covered here, hopefully I'll get around to posting it later).

1. This was originally written to my environment, you may need to adjust it to fit yours. I'll use MYDOMAIN for the Windows Domain Name, MYDOMAIN.COM for the DNS domain name, DC1 and DC2 are Windows Domain Controllers, and "admin" is a Windows Account with Domain Admin privileges. "Sarge" is the name of the Debian Sarge server.
2. Install the following Samba packages:
aptitude install samba smbclient smbfs winbind
3. Debian will prompt you for some configuration options, answer them as follows:
1. Workgroup: MYDOMAIN
2. password encryption: yes
3. WINS from DHCP: no
4. Run As: daemons
5. Create Samba password db: yes
4. Immediately stop the Samba and Winbind daemons as we are going to need to configure them better:
/etc/init.d/winbind stop
/etc/init.d/samba stop
5. Next we need to install MIT Kerberos as AD uses Kerberos for authentication:
aptitude install krb5-user krb5-config
6. Debian will then prompt you for basic Kerberos configuration (note this is case sensitive & you specify in all caps):
1. default KRB5 realm: MYDOMAIN.COM
2. servers: DC1 DC2
3. admin server: DC1
7. This automatically configures Kerberos in the file /etc/krb5.conf – which should work fine with Windows Kerberos, but can be tweaked if necessary.
8. Test out Kerberos with:
kinit admin@MYDOMAIN.COM
It should prompt for a password, enter it & it should work with no errors. You can view your Kerberos tickets and encryption types with:
klist -e
You can then access the Windows Servers using Kerberos without needing to specify a username or password. The following should list the shares on a Windows server without prompting for a password:
smbclient -k -L //dc1
9. Configure Samba by editing the file /etc/samba/smb.conf. Here is a basic working configuration (change to match your local network):
[global]
workgroup = MYDOMAIN
netbios name = SARGE
security = ADS
realm = MYDOMAIN.COM
encrypt passwords = yes
password server = DC1.MYDOMAIN.COM
hosts allow = 192.168.0. 127.
log file = /var/log/samba/log.%m
log level = 3
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

[shared]
comment = Shared Files
path = /var/shared
read only = no
admin users = "@Domain Admins"

10. Note you will need to create the /var/shared folder and security is set on it so that users in the "Domain Admins" Windows Group access the folder as root. You will need to set up better permissions later after it works.
11. Run the following to test the Samba configuration and make sure it is okay:
testparm
12. Now we are ready to join Samba to the Active Directory domain. Kerberos should still be initialized from step 8 above, but if not you'll have to run the kinit command from step 8.
13. Now we will join Samba to the domain:
net ads join
14. Next we need to edit the nsswitch.conf file so Linux will see the Windows users as local users (although they won't be able to access anything besides Samba on the Linux server without further modifications to PAM). All you have to do is add winbind to the passwd and group sections as follows:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

15. Now we can start up Samba and Winbind.
/etc/init.d/samba start
/etc/init.d/winbind start
16. Run the following tests to make sure everything is working:
1. wbinfo -u – should show domain users
2. wbinfo -g – should show domain groups
3. net ads testjoin – should be OK
4. net ads info – should show domain info
5. wbinfo -a user%password – should succeed (use a Windows username & their password)
6. getent passwd – should return domain users as well as local Linux users
7. getent group – should return domain groups as well as local Linux groups
17. On a Windows PC logged in as a Domain Admin, you should be able to access \\SARGE and create and modify files in the "Shared" folder without being prompted for a username or password.
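A pre-flight check for the three files that steps 9 and 14 of the guide above and the pam_winbind snippet in post #5 depend on, as an added example that is not code from the thread or from Samba. The embedded configs are constructed from the posted ones; the upper-case realm rule and the id-range floor above local accounts are assumptions.

```python
import re

# Constructed sample inputs, modelled on the smb.conf, nsswitch.conf and
# popa3d PAM snippet posted in this thread (not read from a live system).
SMB_CONF = """[global]
security = ADS
realm = MYDOMAIN.COM
hosts allow = 192.168.0. 127.
winbind uid = 10000-20000
winbind gid = 10000-20000
"""
NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n"
PAM_POPA3D = "auth\trequired\tpam_winbind.so\naccount\trequired\tpam_winbind.so\n"

def parse_smb_conf(text):
    """Return {section: {key: value}}; smb.conf keys are case-insensitive."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            cur = line.strip("[]").lower()
        elif cur is not None:
            key, _, val = line.partition("=")
            sections.setdefault(cur, {})[key.strip().lower()] = val.strip()
    return sections

def check_ad_integration(smb_text, nss_text, pam_text, krb_realm):
    """List what would break the join or PAM auth; [] means the files agree with the guide."""
    problems = []
    g = parse_smb_conf(smb_text).get("global", {})
    if g.get("security", "").lower() != "ads":
        problems.append("smb.conf: security must be ADS for a Kerberos/AD domain join")
    if g.get("realm") != krb_realm.upper():
        problems.append("smb.conf: realm must equal the upper-case Kerberos realm (step 6)")
    if "hosts allow" not in g:
        problems.append("smb.conf: no 'hosts allow', so smbd answers every network")
    for key in ("winbind uid", "winbind gid"):  # assumed floor: stay above local accounts
        lo, _, hi = g.get(key, "").partition("-")
        if not (lo.isdigit() and hi.isdigit() and 1000 <= int(lo) < int(hi)):
            problems.append(f"smb.conf: {key} must be an id range above local accounts")
    for db in ("passwd", "group"):  # step 14: winbind must be a source for both
        m = re.search(rf"^{db}:\s*(.*)$", nss_text, re.M)
        if not m or "winbind" not in m.group(1).split():
            problems.append(f"nsswitch.conf: '{db}' line does not list winbind")
    for facility in ("auth", "account"):  # post #5: both stanzas need pam_winbind
        if not re.search(rf"^{facility}\s+\S+\s+pam_winbind\.so", pam_text, re.M):
            problems.append(f"pam: no '{facility}' line using pam_winbind.so")
    return problems
```

Swap the embedded strings for the real files and run it before `net ads join`; the step-16 wbinfo/getent tests still need the live domain.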