3.4. Winbind

Samba must be configured before Winbind can be configured as an identity store for a system. A Samba server must be set up and used for user accounts, or Samba must be configured to use Active Directory as a back end identity store.
Configuring Samba is covered in the Samba project documentation. Specifically configuring Samba as an integration point with Active Directory is also covered in the Red Hat Enterprise Linux Windows Integration Guide.

3.4.1. Enabling Winbind in the authconfig GUI

  1. Install the samba-winbind package. This is required for Windows integration features in Samba services, but is not installed by default.
    [root@server ~]# yum install samba-winbind
  2. Open the authconfig UI.
    [root@server ~]# authconfig-gtk
  3. In the Identity & Authentication tab, select Winbind in the User Account Database drop-down menu.
  4. Set the information that is required to connect to the Microsoft Active Directory domain controller.
    • Winbind Domain gives the Windows domain to connect to.
      This is the short (NetBIOS) domain name, such as DOMAIN, and becomes the workgroup setting in smb.conf. The DNS-style name (such as EXAMPLE.COM) belongs in Winbind ADS Realm, not here.
    • Security Model sets the security model to use for Samba clients. authconfig supports four types of security models:
      • ads configures Samba to act as a domain member in an Active Directory Server realm. To operate in this mode, the Kerberos client packages (krb5-workstation and its krb5-libs dependency) must be installed and Kerberos must be configured properly; the member does not run a KDC, so krb5-server is not required.
      • domain has Samba validate the user name and password by authenticating it through a Windows primary or backup domain controller, much like a Windows server.
      • server has a local Samba server validate the user name and password by authenticating it through another server, such as a Windows server. If the server authentication attempt fails, the system then attempts to authenticate using user mode. Samba 4 removed this model, so it only works with Samba 3 and should not be chosen for new deployments; use ads for Active Directory.
      • user requires a client to log in with a valid user name and password. This mode supports encrypted passwords. This is the default option.
        The user name format must be domain\user, such as EXAMPLE\jsmith.

        Note

        When verifying that a given user exists in the Windows domain, always use the domain\user_name format and escape the backslash (\) character (or single-quote the whole name) so that the shell does not strip it. For example:
        [root@server ~]# getent passwd domain\\user
        DOMAIN\user:*:16777216:16777216:Name Surname:/home/DOMAIN/user:/bin/bash
    • Winbind ADS Realm gives the Active Directory realm that the Samba server will join. This is only used with the ads security model.
    • Winbind Domain Controllers gives the host name or IP address of the domain controller to use to enroll the system.
    • Template Shell sets which login shell to use for Windows user account settings.
    • Allow offline login allows authentication information to be stored in a local cache. The cache is referenced when a user attempts to authenticate to system resources while the system is offline. Because the cache holds password material for every domain user who has logged in, enable it only on systems whose local storage is adequately protected (for example, encrypted laptops).

3.4.2. Enabling Winbind in the Command Line

Windows domains have several different security models, and the security model used in the domain determines the authentication configuration for the local system. For the user and server security models, the Winbind configuration requires only the domain (or workgroup) name and the domain controller host names.
The --winbindjoin parameter sets the domain account used to join the system to the Active Directory domain; authconfig runs net join as that user and prompts for the account's password. --enablelocauthorize makes local authorization sufficient for users listed in /etc/passwd, so local accounts are authorized without a lookup through Winbind.
Choose one security model for --smbsecurity; user|server in the command below is a placeholder meaning either value works with the same remaining options. After running the authconfig command, join the Active Directory domain (net join tries an AD join first and falls back to an NT4-style join) if --winbindjoin did not already do so.
[root@server ~]# authconfig --enablewinbind --enablewinbindauth --smbsecurity=user|server --enablewinbindoffline --smbservers=ad.example.com --smbworkgroup=EXAMPLE --update --enablelocauthorize --winbindjoin=admin
[root@server ~]# net join -U admin

Note

The user name format must be domain\user, such as EXAMPLE\jsmith.
When verifying that a given user exists in the Windows domain, always use the domain\user format and escape the backslash (\) character. For example:
[root@server ~]# getent passwd domain\\user
DOMAIN\user:*:16777216:16777216:Name Surname:/home/DOMAIN/user:/bin/bash
For the ads and domain security models, the Winbind configuration allows additional configuration for the template shell and, for ads only, the Kerberos realm (--smbrealm must match the Active Directory domain's DNS name in upper case). For example:
[root@server ~]# authconfig --enablewinbind --enablewinbindauth --smbsecurity=ads --enablewinbindoffline --smbservers=ad.example.com --smbworkgroup=EXAMPLE --smbrealm=EXAMPLE.COM --winbindtemplateshell=/bin/sh --update
In ads mode, verify the join afterwards with net ads testjoin, and check that a domain user resolves with getent passwd as shown in the note above.
There are many other options for configuring Windows-based authentication and the information for Windows user accounts, such as name formats, whether to require the domain name with the user name, and UID ranges. These options are listed in the output of authconfig --help.
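The following script is an added example for this section; it is not code from the Red Hat guide or from authconfig itself. It assembles the authconfig options for a chosen Samba security model, rejects the combinations the text rules out (a realm is only used with ads, and ads needs one), keeps the domain\user lookup form intact, and checks that a Winbind-assigned UID does not collide with a local account, which matters once --enablelocauthorize makes /etc/passwd authoritative for local users. It only runs authconfig and the join checks when invoked as "sh winbind-setup.sh apply" as root. EXAMPLE, EXAMPLE.COM, ad.example.com, admin and jsmith are the page's placeholders, not real infrastructure.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide or of authconfig. Assumes the
# page's placeholder domain EXAMPLE / realm EXAMPLE.COM / DC ad.example.com.

# winbind_authconfig_args MODEL WORKGROUP DCS [REALM] [JOINUSER]
# Prints one authconfig option per line; the caller word-splits them.
winbind_authconfig_args() {
    model=$1 workgroup=$2 dcs=$3 realm=${4:-} joinuser=${5:-}
    case "$model" in
        user|server|domain|ads) ;;
        *) echo "unsupported security model: $model" >&2; return 1 ;;
    esac
    # The realm is only meaningful for ads, and ads cannot work without one.
    if [ "$model" = ads ] && [ -z "$realm" ]; then
        echo "security=ads needs a Kerberos realm for --smbrealm" >&2; return 1
    fi
    if [ "$model" != ads ] && [ -n "$realm" ]; then
        echo "ignoring realm $realm: --smbrealm is only used with security=ads" >&2
        realm=
    fi
    set -- --enablewinbind --enablewinbindauth --enablewinbindoffline \
           --enablelocauthorize \
           "--smbsecurity=$model" "--smbworkgroup=$workgroup" "--smbservers=$dcs" \
           --winbindtemplateshell=/bin/bash
    [ -n "$realm" ] && set -- "$@" "--smbrealm=$realm"
    # --winbindjoin makes authconfig run "net join" as this user and prompt for the password.
    [ -n "$joinuser" ] && set -- "$@" "--winbindjoin=$joinuser"
    printf '%s\n' "$@" --update
}

# winbind_user_key DOMAIN USER
# Prints DOMAIN\USER with exactly one backslash, the form getent and wbinfo expect.
# Always quote the result when passing it on: getent passwd "$(winbind_user_key EXAMPLE jsmith)"
winbind_user_key() {
    printf '%s\\%s\n' "$1" "$2"
}

# passwd_uid ENTRY
# Extracts the UID field from a passwd(5)-style line such as the one getent returns.
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# uid_in_file UID FILE
# Succeeds when FILE (normally /etc/passwd) already assigns UID to a local account.
# A domain UID that collides with a local one means the Winbind idmap range overlaps
# the local UID range and must be fixed before trusting local authorization.
uid_in_file() {
    cut -d: -f3 "$2" | grep -qx -- "$1"
}

# winbind_verify DOMAIN USER
# Checks the join and the identity lookup path after authconfig has run.
winbind_verify() {
    net ads testjoin || return 1      # machine account and Kerberos are usable
    wbinfo -t        || return 1      # trust secret with the DC is valid
    entry=$(getent passwd "$(winbind_user_key "$1" "$2")") || return 1
    uid=$(passwd_uid "$entry")
    if uid_in_file "$uid" /etc/passwd; then
        printf 'UID %s of %s\\%s collides with a local account\n' "$uid" "$1" "$2" >&2
        return 1
    fi
    printf '%s\n' "$entry"
}

case "${1:-}" in
    apply)
        # Options contain no whitespace, so plain word splitting is safe here.
        authconfig $(winbind_authconfig_args ads EXAMPLE ad.example.com EXAMPLE.COM admin)
        winbind_verify EXAMPLE jsmith
        ;;
esac
```

Run it as root with the apply argument on a member to be joined; without arguments it only defines the functions, which is how the option builder can be exercised on a workstation before touching a production host. Swap ads for user or server (dropping the realm) to reproduce the first command in this section.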