How to authenticate a Linux box against a Windows NT/2000 server
Please follow the steps below in the order given.
1. Using the appropriate Microsoft utilities, add the desktop
workstation to the domain. For example, for a Windows 2000 domain, run
Active Directory Users and Computers and add the desktop machine to the
"Computers" OU (or wherever is appropriate for your environment), making
sure to turn on "Allow pre-Windows 2000 computers to use this account".
NOTE: When adding the computer to Active Directory, please tick
"Allow pre-Windows 2000 computers to use this account".
2. Copy nsswitch.conf to /etc. Copy kde, login, samba and
xscreensaver to /etc/pam.d and give them the same permissions as the original files.
Take a backup of all these original files before you overwrite them.
3. Copy smb.conf to /etc/samba.
4. Edit smb.conf and make changes to the following line as suitable for
your environment.
workgroup = KHADER
Note: Here I assume you are using Komba; otherwise you can use Windows Network Neighborhood. To check the domain name, open My Network: the domain name is shown there, so use it exactly as it appears. When you click on that domain, the domain controller's NetBIOS name also appears; use that as the NetBIOS name.
Below are the details of my server and how they appeared in My Network. I used the details from My Network and everything worked.
ON WINDOWS 2000 SERVER (when logged in as Administrator)
Right-click on My Computer
Click on Properties
Click on Network Identification
You will see the following:
Full Computer Name : win2000.khader.jit.com (this is my configuration; you
might see something else)
Domain : khader.jit.com
But when I open My Network I see this domain as KHADER and the PDC as
win2000.
5. Start the winbind service.
To join the system to the domain, run the following command:
smbpasswd -j khader -r win2000 -U Administrator
Here khader is replaced by your domain name and win2000 by the
NetBIOS name of the PDC.
Then run the following commands:
wbinfo -u
wbinfo -g
wbinfo -t
The first two list the domain users and groups; the last command should give you the following message:
Secret is Good
Then run this command:
wbinfo -a KHADER+test%test
KHADER is replaced by your domain name, and test by the domain user and
that user's password respectively. Because the password is given on the
command line, it ends up in your shell history and is visible to other users
in the process list, so use a test account for this check. This should give
you the following message:
plaintext password authentication succeeded
6. Create the directory /home/WINDOWSDOMAIN (where WINDOWSDOMAIN is the
NetBIOS name of your Windows domain, in CAPITAL LETTERS).
7. Then create /usr/local/bin/phdfwda with the following contents:
#!/bin/sh
# phdfwda - populate home directory for Windows domain accounts
# On the first KDE login of a domain user the home directory created by
# pam_mkhomedir is still empty, so copy the skeleton files into it.
# -u (update) and -d (preserve links) are GNU cp options.
if ! [ -f "$HOME/Desktop/Personal Files" ] ; then
cp -R -u -d /etc/skel/* "$HOME"
fi
Then run: chmod a+x /usr/local/bin/phdfwda
8. Create /opt/kde2/share/autostart/phdfwda.desktop with the following contents:
[Desktop Entry]
Name=Populate home directory for Windows domain accounts
Exec=phdfwda
Type=Application
X-KDE-StartupNotify=false
Now go to the login prompt (X or text based) and log in as follows:
Login: KHADER+test
Password:
Use DOMAINNAME+DOMAIN_USER_NAME as the login name.
It will log you in. That's it. From now on you are authenticated by the
Windows server rather than by the Linux box. If the domain controller is not
reachable, the PAM stack falls back to the local password database on the
Linux box.
Below are the names and contents of the files to be changed.
nsswitch.conf
============
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: compat winbind
shadow: compat
group: compat winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
==================================================================
kde
====
#%PAM-1.0
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so type=user retry=3
password required /lib/security/pam_pwdb.so use_authtok
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/pam_pwdb.so
=================================================================
login
====
#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth required pam_pwdb.so use_first_pass shadow nullok
auth optional pam_mail.so
account required pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_pwdb.so
session optional pam_lastlog.so
password required pam_pwdb.so
=============================================================
samba
======
#%PAM-1.0
auth sufficient pam_winbind.so
auth required pam_pwdb.so use_first_pass nullok nodelay
account sufficient pam_winbind.so
account required pam_pwdb.so nodelay
session required pam_pwdb.so nodelay
password required pam_pwdb.so shadow md5
=================================================================
smb.conf
========
[global]
domain master = No
local master = No
password server = *
security = domain
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind gid = 10000-20000
winbind separator = +
winbind uid = 10000-20000
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = KHADER
server string = Member of win2000
encrypt passwords = yes
====================================================================
xscreensaver
===========
#%PAM-1.0
# Red Hat says this is right for them, as of 7.3:
auth sufficient pam_winbind.so
auth required pam_pwdb.so use_first_pass shadow nullok
# This is what we were using before:
# auth required pam_pwdb.so shadow nullok
=================================================================
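As an added example (not from the original post), a POSIX shell pre-flight check for the files above: it verifies that no local account in /etc/passwd or /etc/group falls inside the winbind uid/gid range from smb.conf, and that the PAM auth stack lists pam_winbind.so as sufficient before the pam_pwdb.so use_first_pass line. The sample smb.conf, passwd and PAM contents are constructed, and svcbackup is a made-up local account placed inside the range to show a clash.

```shell
#!/bin/sh
# Added example, not from the original post: offline pre-flight checks for
# the winbind setup above. Functions take file contents as arguments, so they
# run on the constructed samples below or on "$(cat /etc/samba/smb.conf)".

# winbind_id_clash uid|gid SMBCONF_TEXT PASSWD_OR_GROUP_TEXT
# Prints every local name:id that falls inside "winbind uid/gid = LOW-HIGH";
# such accounts would share an ID with mapped domain users.
# Returns 0 if the range is free, 1 on a clash, 2 if no range is configured.
winbind_id_clash() {
    key=$1; smbconf=$2; db=$3
    range=$(printf '%s\n' "$smbconf" |
        sed -n "s/^[[:space:]]*winbind ${key}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p")
    [ -n "$range" ] || { echo "no 'winbind $key' range in smb.conf" >&2; return 2; }
    printf '%s\n' "$db" | awk -F: -v lo="${range% *}" -v hi="${range#* }" '
        $3 >= lo && $3 <= hi { print $1 ":" $3; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# pam_winbind_order PAM_TEXT
# Returns 0 when the auth stack has "auth sufficient pam_winbind.so" before
# "auth required pam_pwdb.so ... use_first_pass": the password is collected
# once, tried against the domain, and only then handed to the local database.
pam_winbind_order() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_winbind\.so$/ { wb = NR }
        $1 == "auth" && $2 == "required" && $3 ~ /pam_pwdb\.so$/ && /use_first_pass/ {
            if (wb && wb < NR) ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Constructed samples: the smb.conf and login stack from the post, plus a
# local passwd file where one service account sits inside the winbind range.
SAMPLE_SMBCONF='[global]
security = domain
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
test:x:500:500::/home/test:/bin/bash
svcbackup:x:10500:10500::/home/svcbackup:/bin/bash'
SAMPLE_PAM='#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth required pam_pwdb.so use_first_pass shadow nullok
account required pam_winbind.so'

winbind_id_clash uid "$SAMPLE_SMBCONF" "$SAMPLE_PASSWD" ||
    echo "renumber the account above or move the 'winbind uid' range"
pam_winbind_order "$SAMPLE_PAM" && echo "login PAM auth order is correct"
```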