Old 05-29-2012, 03:42 PM   #1
Winbind / KRB / SSSD / Active Directory Howto?

I'm trying to set up a CentOS_6.2 server to authenticate SSH/shell sessions against a 2K8R2 Active Directory. Ideally I'd like to use only the default AD features (R2 does include Unix Attributes like uidNumber and gidNumber), have no local accounts on the linux server, and have the users get the AD values for UID and GID when they log in. Shell access and sudo rights should also be limited to specific AD groups.

I've been hammering on this for a week and can't make it work. The closest I've been able to come is using winbind/pam with a rid backend for idmapping. This gives consistent numbers for UID and GID across multiple servers, but different than our AD values and all users get a GID that maps to "Domain Users." This would work if I could find a way to map UID and GID to the AD values.

I can make KRB/pam authentication work but only if there's a local account on the machine for the user. That way I also have to hard-code their UID and GID so what's the point?

Has anyone set this up? Can you point me toward a howto or some other documentation?

Hope to hear from you,

Old 05-29-2012, 05:50 PM   #2
Take a look at and Those should point you in the right direction, make sure you have your krb5 packages installed krb5-libs, krb5-workstation, and samba-common. Change your /etc/krb5.conf and /etc/samba/smb.conf to point to your AD domains. Then use the net ads join command to join your workstation to the AD server.

Best of luck, if you run into something specific let us know.
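To make the advice in post #2 concrete for what post #1 actually asks for (UID/GID taken from the AD uidNumber/gidNumber attributes rather than generated by the rid backend, and shell/sudo access limited to AD groups), here is an added example of the smb.conf, krb5.conf, pam_winbind.conf and sudoers fragments involved. It is not from this thread; the domain EXAMPLE / EXAMPLE.COM, the DC dc1.example.com, the id ranges and the group names linux-users and linux-admins are placeholders. The idmap syntax is Samba 3.6 (CentOS 6.4 and later); on the Samba 3.5 that ships with CentOS 6.2/6.3 the two "idmap config *" lines are written as "idmap backend = tdb", "idmap uid = ..." and "idmap gid = ..." instead, while the per-domain "idmap config EXAMPLE" lines are the same.

```ini
# /etc/samba/smb.conf  (added example; EXAMPLE, example.com, ranges and
# group names are placeholders, not values from the thread)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%U

    # Everything that is NOT our domain (BUILTIN, well-known SIDs) still needs
    # an allocating backend; park it in a range that cannot collide with AD.
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999

    # Our domain: read uidNumber/gidNumber straight from the AD objects
    # (the 2008 R2 "Unix Attributes" tab writes RFC 2307 attributes).
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    # This range MUST contain every uidNumber/gidNumber set in AD. An id
    # outside it, or a user with no uidNumber, or a primary group with no
    # gidNumber, is treated as unmapped and the user cannot be resolved.
    idmap config EXAMPLE : range = 10000-99999
    # Take loginShell/unixHomeDirectory from AD too instead of the templates
    winbind nss info = rfc2307

# /etc/krb5.conf  (added example; realm and KDC names are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/security/pam_winbind.conf  (added example)
[global]
    # Only members of these AD groups get past pam_winbind; comma separated,
    # names or SIDs, domain-qualified so the match is unambiguous.
    require_membership_of = EXAMPLE\linux-users,EXAMPLE\linux-admins
    # Obtain a Kerberos TGT at login instead of an NTLM exchange with the DC
    krb5_auth = yes
    krb5_ccache_type = FILE
    mkhomedir = yes

# /etc/sudoers.d/ad-admins  (added example; file must be mode 0440, and the
# stock CentOS 6 sudoers already has "#includedir /etc/sudoers.d")
# With "winbind use default domain = yes" the group resolves without prefix.
%linux-admins ALL=(ALL) ALL
```

After "net ads join -U Administrator" (it prompts for the password) and "authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update" to wire nsswitch.conf and the PAM stack, the check that matters is "id someuser": the uid and gid it prints should be the uidNumber/gidNumber values visible on the user's Unix Attributes tab, not numbers inside the tdb range. "wbinfo -i someuser" failing while "wbinfo -n someuser" still returns a SID is the signature of the AD backend rejecting an id that is missing or outside the configured range, which is one common cause of the "can no longer identify the user at all" symptom described later in this thread.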
Old 10-11-2012, 12:48 PM   #3
Original Poster
Been away from this issue for a while and am finally getting back in.

Never managed to make winbind work using the idmap backend AD options. Can run it using a local (random) tdb file mapping for UIDs and GIDs, or can use the RID mapping (non-random numbers that are consistent from machine to machine but still not the AD value for UID and GID), but if I turn on the AD mapping the client can no longer identify the user at all and logins fail.

Worse, winbind in the included samba version for CentOS_6 seems to eventually go pathological and lock up the machine. For now we're running using krb5 authentication against the AD, and need to create local accounts for all users on the machine. Winbind is no longer running.

I'm currently leaning toward using SSSD with LDAP for account info and KRB5 for authentication. Have found several simple-looking howtos (i.e. for this, all claiming to do exactly what I want and easy-peasy. However, none of them work.

Has anyone made this work? Can anyone point me toward a howto they know to be accurate and complete?

Hope to hear from you.
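For the direction post #3 is leaning toward (SSSD with LDAP for account information and Kerberos for authentication against AD), here is an added example of the sssd.conf it takes, again not from this thread. It uses the SSSD 1.5/1.8 options available on CentOS 6.2/6.3; the dedicated AD provider ("id_provider = ad", which can either generate ids or read the POSIX attributes with "ldap_id_mapping = False") only arrived with SSSD 1.9 on CentOS 6.4. The domain example.com / EXAMPLE.COM, the DC dc1.example.com, the host principal host/linux1.example.com and the group names linux-users and linux-admins are placeholders.

```ini
# /etc/sssd/sssd.conf  (added example; sssd refuses to start unless this file
# is owned by root and mode 0600, because it may hold credentials)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
# Never send lookups for local system accounts to AD
filter_users = root
filter_groups = root

[pam]
# Cached (hashed) passwords for offline login expire after 2 days
offline_credentials_expiration = 2

[domain/example.com]
# Identity (uidNumber, gidNumber, shell, home) from AD over LDAP,
# passwords verified by the KDC, never by an LDAP simple bind.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = simple
cache_credentials = true
enumerate = false

ldap_uri = ldap://dc1.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
# AD returns referrals for other naming contexts; chasing them stalls lookups
ldap_referrals = false
# Bind with the host keytab from the domain join (GSSAPI signs and seals the
# connection) instead of a bind DN and plaintext password in this file.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/linux1.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab

# Attribute map for the 2008 R2 "Unix Attributes" tab. AD users are not
# posixAccount objects, so the object classes must be overridden; users
# without a uidNumber are simply skipped by SSSD.
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_group_member = member
ldap_force_upper_case_realm = true
# Honour AD's own disabled/expired flags on the account
ldap_account_expire_policy = ad

krb5_server = dc1.example.com
krb5_realm = EXAMPLE.COM
krb5_kpasswd = dc1.example.com

# Only members of these AD groups pass the PAM account check at all
# (sshd with UsePAM yes, login, su); everyone else is denied by pam_sss.
simple_allow_groups = linux-users, linux-admins
```

"authconfig --enablesssd --enablesssdauth --enablemkhomedir --update" wires pam_sss and sss into nsswitch.conf; then "getent passwd someuser" should show the AD uidNumber/gidNumber and "kinit someuser" should succeed against the DC before trying ssh. sudo for the AD group is then an ordinary sudoers entry of the form "%linux-admins ALL=(ALL) ALL", since SSSD resolves the group by its sAMAccountName with no domain prefix. Two failure modes to check first when such a howto "doesn't work": the host keytab not containing the principal named in ldap_sasl_authid ("klist -k" lists it), and time skew between the server and the DC beyond the Kerberos tolerance of five minutes.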
