4.3. Configuring a Domain Member Using authconfig

All of the configuration outlined in Section 4.2, “Summary of Configuration Files, Options, and Packages” can be done automatically using the authconfig utility, with the exception of the DNS configuration. Configuration files can also be backed up by authconfig.

4.3.1. Arguments and Configuration Parameters of authconfig

The Authentication Configuration utility automatically updates the required configuration files for Samba, Kerberos, and Active Directory integration when it is used to configure Winbind as the authentication store for the local system. Table 4.2, “authconfig Arguments and Configuration File Parameters” shows what parameters are set with each command option.

Table 4.2. authconfig Arguments and Configuration File Parameters

Service    CLI Option               GUI Field                    Configuration File       Configuration Parameter
Samba      --smbsecurity            Security Model               /etc/samba/smb.conf      security
Samba      --smbworkgroup           Winbind Domain               /etc/samba/smb.conf      workgroup
Samba      --smbrealm               Winbind ADS Realm            /etc/samba/smb.conf      realm in [global]
Kerberos   --smbrealm               Winbind ADS Realm            /etc/krb5.conf           default_realm in [libdefaults]; the realm entry (REALMNAME = {...}) in [realms]
Kerberos   --smbservers             Winbind Domain Controllers   /etc/krb5.conf           The KDC in the realm entry (for example, REALMNAME = {...}) in [realms]
Kerberos   --krb5realm                                           /etc/krb5.conf           The domain entry in [domain_realm]
PAM        --enablewinbindauth                                   /etc/pam.d/system-auth   auth, account, password, session
NSS        --enablewinbind                                       /etc/nsswitch.conf       passwd, shadow, group
NSS        --enablewins                                          /etc/nsswitch.conf       hosts
Winbind    --enablecache
Winbind    --enablewinbindkrb5
Winbind    --enablewinbindoffline

Important

The value of the --krb5realm option must be identical to the value given in --smbrealm for the domain to be configured properly.

4.3.2. CLI Configuration of Active Directory Authentication with authconfig

  1. Install the samba-winbind package. It is required for Windows integration features in Samba services, but is not installed by default:
    [root@server ~]# yum install samba-winbind
  2. Install the krb5-workstation package. It is required to connect to a Kerberos realm and manage principals and tickets:
    [root@server ~]# yum install krb5-workstation
  3. Install the samba-winbind-krb5-locator package. It contains a plug-in for the system Kerberos library that allows the local Kerberos library to use the same KDC that Samba and Winbind use.
    [root@server ~]# yum install samba-winbind-krb5-locator
  4. Edit the DNS configuration in the /etc/resolv.conf file to use the Active Directory domain as a name server and for search:
    nameserver 1.2.3.4
    search adexample.com
  5. The authconfig utility does not set any requirements for what options must be invoked at a given time, since it can be used to modify configuration as well as to define new configuration.
    The following example shows all required parameters for Samba, Kerberos, PAM, and NSS. It also includes options for Winbind, which allow offline access, and for the local system, which allow system accounts to continue to work. The example command is split into multiple lines and annotated for better readability.
    [root@server ~]# authconfig 
          // NSS
          --enablewinbind 
          --enablewins
          // PAM
          --enablewinbindauth
          // Samba
          --smbsecurity ads
          --smbworkgroup=ADEXAMPLE
          --smbrealm ADEXAMPLE.COM
          // Kerberos
          --smbservers=ad.example.com
          --krb5realm=ADEXAMPLE.COM
          // winbind
          --enablewinbindoffline
          --enablewinbindkrb5
          --winbindtemplateshell=/bin/sh
          // general
          --winbindjoin=admin
          --update
          --enablelocauthorize
          --savebackup=/backups
    
    [/usr/bin/net join -w ADEXAMPLE -S ad.example.com -U admin]
    The --winbindjoin option automatically runs the net join command to add the system to the Active Directory domain.
    The --enablelocauthorize option sets local authorization operations to check the /etc/passwd file. This allows users to be authenticated against local accounts as well as against the Active Directory domain.

    Note

    The --savebackup option is recommended but not required. It backs up the configuration files to the specified directory before making the changes. If there is a configuration error or the configuration is later changed, authconfig can use the backups to revert the changes.
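As an added example that is not part of this guide, the following POSIX shell script cross-checks the files that authconfig writes, enforcing the rule from the Important note above that the realm given to --smbrealm must match the default realm in krb5.conf, and that Samba, Kerberos, and NSS agree with each other. The configuration paths are passed as arguments, and the sample files it runs against are constructed here with the ADEXAMPLE values used in this chapter.

```shell
# Added example (not from the guide): cross-check the files that authconfig writes for a
# domain member. Paths are parameters so the check also runs on constructed sample files.
ini_get() {  # ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] of an INI-style file
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; gsub(/^[ \t]+|[ \t]+$/, "", cur); next }
        cur == sec  { line = $0; sub(/^[ \t]+/, "", line)
                      if (split(line, kv, /[ \t]*=[ \t]*/) > 1 && kv[1] == key) { print kv[2]; exit } }
    ' "$1"
}
krb5_kdc() {  # krb5_kdc FILE REALM: print the kdc listed for REALM in the [realms] block of krb5.conf
    awk -v realm="$2" '
        /^[ \t]*\[realms\]/ { insec = 1; next }
        /^[ \t]*\[/ { insec = 0 }
        insec && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}" { exit }
        inrealm && $1 == "kdc" { print $3; exit }
    ' "$1"
}
# Return 0 when smb.conf, krb5.conf and nsswitch.conf agree; report every inconsistency found
# (in particular the rule that the --smbrealm and --krb5realm values must be identical).
check_domain_member() {  # check_domain_member SMB_CONF KRB5_CONF NSSWITCH_CONF
    rc=0
    sec=$(ini_get "$1" global security)
    [ "$sec" = "ads" ] || { echo "smb.conf: security = '$sec', expected ads"; rc=1; }
    smbrealm=$(ini_get "$1" global realm)
    krbrealm=$(ini_get "$2" libdefaults default_realm)
    [ -n "$smbrealm" ] && [ "$smbrealm" = "$krbrealm" ] ||
        { echo "realm mismatch: smb.conf '$smbrealm' vs krb5.conf default_realm '$krbrealm'"; rc=1; }
    [ -n "$(krb5_kdc "$2" "$smbrealm")" ] ||
        { echo "krb5.conf: no kdc entry for realm '$smbrealm' in [realms]"; rc=1; }
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$3" ||
            { echo "nsswitch.conf: $db does not consult winbind"; rc=1; }
    done
    return $rc
}
write_samples() {  # constructed sample files, using the ADEXAMPLE values from this chapter
    printf '[global]\n  workgroup = ADEXAMPLE\n  security = ads\n  realm = ADEXAMPLE.COM\n' > "$1/smb.conf"
    printf '[libdefaults]\n  default_realm = ADEXAMPLE.COM\n[realms]\n  ADEXAMPLE.COM = {\n    kdc = ad.example.com\n  }\n[domain_realm]\n  .adexample.com = ADEXAMPLE.COM\n' > "$1/krb5.conf"
    printf 'passwd: files winbind\nshadow: files\ngroup: files winbind\nhosts: files dns wins\n' > "$1/nsswitch.conf"
}
dir=$(mktemp -d)
write_samples "$dir"
check_domain_member "$dir/smb.conf" "$dir/krb5.conf" "$dir/nsswitch.conf" && echo "domain member configuration is consistent"
rm -rf "$dir"
```

On a live system, call check_domain_member with /etc/samba/smb.conf, /etc/krb5.conf, and /etc/nsswitch.conf after running authconfig, or after restoring a --savebackup copy.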

4.3.3. Configuring Active Directory Authentication in the authconfig GUI

There are fewer configuration options in the authconfig GUI than in the CLI. For example, it can configure Samba, NSS, and Winbind and join the domain, but it does not configure Kerberos or PAM. Those must be configured manually when using the GUI.

Note

The authconfig command-line utilities are installed by default, but the GUI requires the authconfig-gtk package, which is not installed by default.
  1. Install the samba-winbind package. It is required for Windows integration features in Samba services, but is not installed by default.
    [root@server ~]# yum install samba-winbind
  2. Install the krb5-workstation package. It is required to connect to a Kerberos realm and manage principals and tickets.
    [root@server ~]# yum install krb5-workstation
  3. Configure the Active Directory Kerberos realm as the default realm and KDC for the local system.
    [root@server ~]# vim /etc/krb5.conf
    
    [libdefaults]
    ...
    
      default_realm = ADEXAMPLE.COM
    
    [realms]
      ADEXAMPLE.COM = {
        kdc = kdc.adexample.com
      }
    
    [domain_realm]
      adexample.com = ADEXAMPLE.COM
      .adexample.com = ADEXAMPLE.COM
  4. Edit the DNS configuration in the /etc/resolv.conf file to use the Active Directory domain as a name server and for search:
    nameserver 1.2.3.4
    search adexample.com
  5. Open the Authentication Configuration Tool.
    [root@server ~]# authconfig-gtk
  6. In the Identity & Authentication tab, select Winbind in the User Account Database drop-down menu.
  7. Set the information that is required to connect to the Microsoft Active Directory domain controller.
    • Winbind Domain gives the Windows work group. The entry in this field needs to be in the Windows 2000 format, such as DOMAIN.
    • Security Model sets the security model to use for Samba clients. The correct value is ads, which configures Samba to act as a domain member in an Active Directory Server realm.
    • Winbind ADS Realm gives the Active Directory realm that the Samba server will join.
    • Winbind Domain Controllers gives the host name or IP address of the domain controller to use.
    • Template Shell sets which login shell to use for Windows user account settings. This setting is optional.
    • Allow offline login allows authentication information to be stored in a local cache. The cache is referenced when a user attempts to authenticate to system resources while the system is offline.
  8. Click the Join Domain button to run the net ads join command and join the Active Directory domain. This joins the domain immediately; alternatively, the configuration can be saved and the net ads join command run manually later.
  9. Click the Apply button to save the configuration.