> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Norman Bauer
> Sent: Tuesday, January 27, 2009 4:25 PM
> To: [email protected]
> Subject: [U2] UV, Linux, and Active Directory
[snip]
> How are you authenticating against AD on Linux?
We're using samba/winbind for a UV server on RH ES 5.1 and
authenticating against a W2K3 domain running in native mode. Here are
the relevant lines from the [global] section of smb.conf:
workgroup = OURDOMAIN
server string = Samba Server Version %v
nt acl support = no
security = ADS
passdb backend = tdbsam
realm = OURDOMAIN.COM
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
allow trusted domains = no
idmap domains = OURDOMAIN
idmap config OURDOMAIN:backend = rid
idmap config OURDOMAIN:range = 10000-20000
local master = no
domain master = no
preferred master = no
dns proxy = no
And this is what's in /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so umask=0022 skel=/etc/uv_skel
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Be forewarned that RedHat's own documentation on the idmap config syntax
for smb.conf is incorrect. The syntax above actually works. The "rid"
option for idmap ensures that the linux gid and uid numbers always map
to the same domain users and groups, even on different linux hosts.
That's very important for us since we run UV on an active/passive 2-node
HA cluster. When we switched nodes on the prior RH 3.0 cluster, we had
to run a script to correct all the user and group assignments.
The /etc/uv_skel directory that pam_mkhomedir.so clones when a new user
logs in for the first time has a custom .bash_profile that executes the
following environment variable assignment prior to executing uv:
# Make all logins upper case
LOGNAME=`echo $LOGNAME | tr "[:lower:]" "[:upper:]"`
export LOGNAME
Newer versions of samba/winbind force user and group names to all
lower-case. This prevents a user from having multiple home directories
created when they log on with different or mixed case, but would have
caused a problem for us since we have lots of files and programs that
expect an all uppercase user name. The linux LOGNAME variable is what
UV returns for the basic @LOGNAME variable.
I think that's about all we had to do. I can't remember off the top of
my head the command to actually join the machine to the domain once the
configs are in place, but you should have no trouble googling an
example.
-John
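The reason the "rid" backend gives the same uid/gid on every node is that it is pure arithmetic, not a per-host allocation table: idmap_rid(8) defines ID = RID - BASE_RID + LOW_RANGE_ID. The script below is an added example (not John's code, and not part of Samba) that reproduces that arithmetic for the 10000-20000 range from the smb.conf above, so you can predict what uid a given domain SID will get and, more importantly, spot accounts whose RID does not fit in the range at all, since winbind silently refuses to map those. The SIDs it is fed are constructed sample values, not real domain SIDs.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors the Samba "rid" idmap
# backend formula from idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID.
# Every host that shares "idmap config DOMAIN:range" gets the same answer,
# which is why a failover node needs no uid/gid fix-up script.

# sid_rid SID -> prints the RID (last sub-authority) of a domain account SID,
# or fails for anything that is not shaped like S-1-5-21-<dom>-<dom>-<dom>-<rid>.
sid_rid() {
    case "$1" in
        S-1-5-21-*-*-*-*) ;;
        *) echo "sid_rid: not a domain account SID: $1" >&2; return 1 ;;
    esac
    rid=${1##*-}
    case "$rid" in
        ''|*[!0-9]*) echo "sid_rid: non-numeric RID in $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$rid"
}

# rid_to_uid LOW HIGH RID [BASE_RID] -> prints the unix id the rid backend
# assigns, or fails when the result lands outside LOW-HIGH. In that case
# winbind has no mapping for the account and "id user" simply fails.
rid_to_uid() {
    low=$1; high=$2; rid=$3; base=${4:-0}
    unix_id=$((rid - base + low))
    if [ "$unix_id" -lt "$low" ] || [ "$unix_id" -gt "$high" ]; then
        echo "rid_to_uid: RID $rid maps to $unix_id, outside $low-$high" >&2
        return 1
    fi
    printf '%s\n' "$unix_id"
}

# sid_to_uid LOW HIGH SID -> SID straight to unix id (same function serves gids:
# the rid backend uses one range for users and groups alike).
sid_to_uid() {
    rid=$(sid_rid "$3") || return 1
    rid_to_uid "$1" "$2" "$rid"
}

# range_capacity LOW HIGH -> how many RIDs (counting from BASE_RID) the range holds.
# A domain that has issued more RIDs than this has accounts winbind cannot map.
range_capacity() {
    echo $(( $2 - $1 + 1 ))
}

# Demonstration with constructed SIDs and the post's 10000-20000 range.
if [ "${DEMO:-1}" = 1 ]; then
    sid_to_uid 10000 20000 S-1-5-21-1111111111-2222222222-3333333333-1106   # 11106
    sid_to_uid 10000 20000 S-1-5-21-1111111111-2222222222-3333333333-513    # 10513 (Domain Users)
    sid_to_uid 10000 20000 S-1-5-21-1111111111-2222222222-3333333333-12000 \
        || echo "RID 12000: no mapping in this range"
    echo "range 10000-20000 holds $(range_capacity 10000 20000) RIDs"
fi
```

Run it as-is for the demo, or source it and call sid_to_uid with the output of "wbinfo -n USER" on a joined host to compare the predicted id against what "wbinfo -S"/"id" actually report. The capacity check is the practical caveat: a 10000-20000 range covers only RIDs 0 to 10000, so a domain that has created more than about ten thousand users, groups and computers (RIDs are never reused) will have newer accounts that winbind cannot map, and the only fix is widening the range identically on every node.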
-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/