3.4. Winbind
Samba must be configured before Winbind can be configured as an identity store for a system. A Samba server must be set up and used for user accounts, or Samba must be configured to use Active Directory as a back end identity store.
Configuring Samba is covered in the Samba project documentation. Configuring Samba specifically as an integration point with Active Directory is also covered in the Red Hat Enterprise Linux Windows Integration Guide.
3.4.1. Enabling Winbind in the authconfig GUI
- Install the samba-winbind package. This is required for Windows integration features in Samba services, but is not installed by default.

  [root@server ~]# yum install samba-winbind

- Open the authconfig UI.

  [root@server ~]# authconfig-gtk

- In the Identity & Authentication tab, select Winbind in the User Account Database drop-down menu.

- Set the information that is required to connect to the Microsoft Active Directory domain controller.
  - Winbind Domain gives the Windows domain to connect to. This should be in the Windows 2000 format, such as DOMAIN.
  - Security Model sets the security model to use for Samba clients. authconfig supports four types of security models:
    - ads configures Samba to act as a domain member in an Active Directory Server realm. To operate in this mode, the krb5-server package must be installed and Kerberos must be configured properly.
    - domain has Samba validate the user name and password by authenticating it through a Windows primary or backup domain controller, much like a Windows server.
    - server has a local Samba server validate the user name and password by authenticating it through another server, such as a Windows server. If the server authentication attempt fails, the system then attempts to authenticate using user mode.
    - user requires a client to log in with a valid user name and password. This mode does support encrypted passwords. The user name format must be domain\user, such as EXAMPLE\jsmith.

      Note: When verifying that a given user exists in the Windows domain, always use the domain\user_name format and escape the backslash (\) character. For example:

      [root@server ~]# getent passwd domain\\user
      DOMAIN\user:*:16777216:16777216:Name Surname:/home/DOMAIN/user:/bin/bash

      This is the default option.
  - Winbind ADS Realm gives the Active Directory realm that the Samba server will join. This is only used with the ads security model.
  - Winbind Domain Controllers gives the host name or IP address of the domain controller to use to enroll the system.
  - Template Shell sets which login shell to use for Windows user account settings.
  - Allow offline login allows authentication information to be stored in a local cache. The cache is referenced when a user attempts to authenticate to system resources while the system is offline.
3.4.2. Enabling Winbind in the Command Line
Windows domains have several different security models, and the security model used in the domain determines the authentication configuration for the local system. For user and server security models, the Winbind configuration requires only the domain (or workgroup) name and the domain controller host names.
The --winbindjoin parameter sets the user to use to connect to the Active Directory domain, and --enablelocauthorize sets local authorization operations to check the /etc/passwd file.

After running the authconfig command, join the Active Directory domain:

[root@server ~]# authconfig --enablewinbind --enablewinbindauth --smbsecurity=user|server --enablewinbindoffline --smbservers=ad.example.com --smbworkgroup=EXAMPLE --update --enablelocauthorize --winbindjoin=admin
[root@server ~]# net ads join
Note

The user name format must be domain\user, such as EXAMPLE\jsmith.

When verifying that a given user exists in the Windows domain, always use the domain\user format and escape the backslash (\) character. For example:

[root@server ~]# getent passwd domain\\user
DOMAIN\user:*:16777216:16777216:Name Surname:/home/DOMAIN/user:/bin/bash
For ads and domain security models, the Winbind configuration allows additional configuration for the template shell and realm (ads only). For example:
[root@server ~]# authconfig --enablewinbind --enablewinbindauth --smbsecurity ads --enablewinbindoffline --smbservers=ad.example.com --smbworkgroup=EXAMPLE --smbrealm EXAMPLE.COM --winbindtemplateshell=/bin/sh --update
Many other options exist for configuring Windows-based authentication and the information kept for Windows user accounts, such as name formats, whether to require the domain name with the user name, and UID ranges. These options are listed in the authconfig help.
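Once the join succeeds, the accounts Winbind hands to the system should be checked before relying on --enablelocauthorize: a domain account whose UID lies outside the idmap range, or collides with a UID in /etc/passwd, silently inherits a local account's file ownership. The script below is an added example, not part of the Red Hat guide or of authconfig; it runs the two checks over constructed sample data standing in for /etc/passwd and for `getent passwd DOMAIN\\user` output, and the idmap range it uses is a hypothetical value (on a real host, take the range from the idmap config lines in /etc/samba/smb.conf).

```shell
#!/bin/bash
# Added example, not part of the Red Hat guide: offline sanity checks on the
# account data Winbind returns, using constructed sample data in place of the
# real /etc/passwd and `getent passwd DOMAIN\\user` output.

# Constructed sample of local accounts (what --enablelocauthorize consults).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
jsmith:x:1000:1000:Local Smith:/home/jsmith:/bin/bash'

# Constructed sample of Winbind-mapped accounts. The last entry deliberately
# carries a UID that is outside the idmap range and collides with jsmith.
WINBIND_PASSWD='DOMAIN\user:*:16777216:16777216:Name Surname:/home/DOMAIN/user:/bin/bash
DOMAIN\jdoe:*:16777217:16777216:Jane Doe:/home/DOMAIN/jdoe:/bin/sh
DOMAIN\bad:*:1000:16777216:Bad Mapping:/home/DOMAIN/bad:/bin/bash'

# Hypothetical idmap range; on a real host take it from the idmap config
# lines in /etc/samba/smb.conf.
IDMAP_LOW=16777216
IDMAP_HIGH=33554431

# List domain accounts whose UID falls outside [IDMAP_LOW, IDMAP_HIGH].
winbind_uids_outside_range() {
    printf '%s\n' "$WINBIND_PASSWD" |
        awk -F: -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" \
            '$3 + 0 < lo + 0 || $3 + 0 > hi + 0 { print $1 }'
}

# List domain accounts whose UID is already taken by a local account:
# such a user would own every file the local account owns.
winbind_local_uid_collisions() {
    {
        printf '%s\n' "$LOCAL_PASSWD"   | awk -F: '{ print "L", $3 }'
        printf '%s\n' "$WINBIND_PASSWD" | awk -F: '{ print "W", $3, $1 }'
    } | awk '$1 == "L" { local[$2] = 1; next }
             $1 == "W" && ($2 in local) { print $3 }'
}

# Return 0 when neither check found a problem, 1 otherwise; the offending
# DOMAIN\user names go to stderr.
winbind_account_check() {
    local problems
    problems="$(winbind_uids_outside_range; winbind_local_uid_collisions)"
    if [ -n "$problems" ]; then
        printf 'suspicious Winbind accounts:\n%s\n' "$problems" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed data; exits 1 because of DOMAIN\bad.
winbind_account_check
```

To run the same checks on a real host, replace the two sample variables with `getent passwd` output from the local files and from Winbind respectively (for example `getent -s files passwd` and `getent -s winbind passwd`, where the `-s` source selection is supported), and set the range from smb.conf.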
