Linux integration with Active Directory Authentication
	with Winbind and PAM (Pluggable Authentication Modules)



Q. What separates this effort from all the other Samba + Active Directory
   + User Authentication documents that are already available?

A. We don't use file shares; we use ADS only as the authoritative repository
   for authentication data, and we needed a way to restrict the ability to
   log in to hosts to specific users or groups, or combinations thereof.



This document assumes you have a basic familiarity with PAM and Fedora Core
Linux, and the ability to install RPM based packages using YUM.  Other than 
the installation of the packages, and possibly the location of some files, most
of the information contained herein should be portable to other flavors of 
Linux.


Most of the material presented here is taken directly from Chapter 21 of the
Samba Documentation, "Winbind: Use of Domain Accounts", under Part 3,
Advanced Configuration.

The winbindd daemon is part of the Samba installation.  It listens on a UNIX
domain socket for requests generated by NSS (name and group lookups) or PAM
(authentication), translates them into MSRPC calls, and queries a Windows
domain controller directly for user and group information.  Winbind then
maps the NT accounts and groups (by SID) onto UNIX uids/gids taken from the
idmap range configured in smb.conf.


INSTALLATION

	To install Winbind on Fedora Core Linux, if you have YUM working:
	as root: 'yum install winbind'

	If you don't have YUM working, you'll need to locate the RPMs for 
	SAMBA and Winbind and install them.  Try http://rpmseek.com.


CONFIGURATION

	change in /etc/nsswitch.conf:
	-------------------------------------------------------------
	passwd:	files
	shadow: files
	group:  files
	-------------------------------------------------------------

	to:
	-------------------------------------------------------------
	passwd: files winbind
	shadow: files winbind
	group:  files winbind
	-------------------------------------------------------------


	create the file /etc/samba/smb.conf:
	replace: DOMAIN		with your NetBIOS domain name
	         CONTROLLER1	with the ip address of your 1st DC
		 CONTROLLER2	with the ip address of your 2nd DC
		 DOMAIN.TLD	with your Kerberos realm (your DOMAIN and TLD,
		 		in UPPER CASE)
	-------------------------------------------------------------
	[global]
	   winbind separator = +
	   winbind cache time = 10
	   workgroup = DOMAIN
	   password server = CONTROLLER1 CONTROLLER2
	   winbind use default domain = yes
	   realm = DOMAIN.TLD
	   security = ads
	   encrypt passwords = yes
	   idmap uid = 10000-20000
	   idmap gid = 10000-20000
	   winbind enum users = yes
	   winbind enum groups = yes
	   template shell = /bin/bash
	   template homedir = /home/%D/%U
	-------------------------------------------------------------

	A few things to know about these settings.  security = ads means
	the host authenticates to the domain with Kerberos, so it needs a
	working Kerberos client configuration (/etc/krb5.conf pointing at
	the realm) and a clock within the domain's permitted skew (five
	minutes by default), or the join and later logins fail.  The idmap
	range must not overlap your local uids and gids; mappings are
	allocated the first time a SID is seen and stored locally on each
	host, so the same domain user can end up with a different uid on
	another box, which matters if home directories are shared over
	NFS.  winbind use default domain = yes lets people log in as
	"user" rather than "DOMAIN+user".  winbind enum users/groups = yes
	is what lets getent list the whole domain (relied on later in this
	document), but it walks the entire directory and can be slow on
	large domains.


	join the linux server to the domain:
	-------------------------------------------------------------
	root# net ads join -U ADMINUSER

	replace ADMINUSER with an account that is allowed to join
	computers to the domain (a Domain Admin will do); you will be
	prompted for its password.  If successful you will see a message
	like:
	  Joined 'LINUXSERVER1' to realm 'DOMAIN.TLD'

	the join creates a machine account for this host in the domain
	and stores its secret locally; that secret is what winbindd uses
	to talk to the DCs from now on.
	-------------------------------------------------------------
	
	
	start winbindd:
	-------------------------------------------------------------
	root# /etc/init.d/winbind start

	winbind by default runs as two processes.  One answers client
	queries from its cache, and the other refreshes the cache with
	the most current answer for the query the first process just
	answered.  Use 'chkconfig winbind on' so it also starts at boot.

	Before touching PAM, confirm the join and the name mapping work:
	'wbinfo -t' checks the machine trust account against the DC, and
	'getent passwd' should now list domain users with uids from the
	idmap range, a /bin/bash shell and a /home/DOMAIN/user home
	directory.  If either fails, fix smb.conf, Kerberos or DNS first;
	PAM changes on top of a broken winbind only lock you out.
	-------------------------------------------------------------
	
	
	make sure you have a backup of /etc/pam.d directory:	
	-------------------------------------------------------------
	root# cp -a /etc/pam.d /etc/pam.d.bak
	-------------------------------------------------------------

	
	These are the relevant lines for the pam controlled methods
	auth, account and password (session is handled below).  Place
	them into the pam.d file of any service for which you'd like
	authentication to be handled by ADS, above the matching
	pam_unix.so lines.  'sufficient' means that when pam_winbind
	succeeds the rest of that stack is skipped, and when it fails
	(for a local account, say) control simply falls through to
	pam_unix.  use_authtok makes pam_winbind take the new password
	already collected by the module stacked before it instead of
	prompting again.  On Fedora Core the usual place for these lines
	is /etc/pam.d/system-auth, which the per-service files call.
	-------------------------------------------------------------
	auth        sufficient    pam_winbind.so
	account     sufficient    pam_winbind.so
	password    sufficient    pam_winbind.so use_authtok
	-------------------------------------------------------------


	And this goes into the session stack of /etc/pam.d/system-auth:
	-------------------------------------------------------------
	session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
	-------------------------------------------------------------


	All of that sets up your linux box to allow Active Directory
	domain users to log in with a bash shell into a home directory
	under /home/DOMAIN/user.  pam_mkhomedir will even create the
	home directory for any user that doesn't already have one,
	provided the session portion of the service's pam.d file calls
	system-auth.

	Now let's say you want to limit access to the server to users
	from certain groups only.  That turns out to be quite simple:
	all users and groups from Active Directory are mapped to unix
	uids and gids, and we can make that work for us.

	first, let's see what groups I'm in (tkennedy):
	-------------------------------------------------------------
	root# getent group | grep tkennedy
	Domain Users:x:10000:tkennedy,mmouse,ckent,gbush,bclinton,cpowell
	Domain Admins:x:10001:tkennedy,cpowell,ckent
	Enterprise Admins:x:10002:tkennedy,ckent
	Unix Admins:x:10003:tkennedy,bschmidt,eroberts
	-------------------------------------------------------------
	by adding this line at the top of the account entries in
	/etc/pam.d/sshd (keep the existing account line that calls
	system-auth below it, so expired and locked accounts are still
	caught):
	account   required      pam_succeed_if.so user ingroup [Unix Admins]

	you limit ssh access to the server to members of the Unix Admins
	group: a 'required' entry has to pass before anything else in
	the account stack counts, so everyone else is denied.  The
	square brackets are how PAM quotes a module argument that
	contains a space.

	Don't test 'gid = 10003' instead.  pam_succeed_if's gid field is
	only the primary group from the passwd entry, which for a domain
	user is normally Domain Users (10000 above), so a 'gid = 10003'
	rule locks out tkennedy and every other member of Unix Admins
	whose primary group isn't that one; 'user ingroup' also walks
	the group's member list.  Note, too, that the rule applies to
	local accounts (root included) logging in over ssh.
	-------------------------------------------------------------
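	The two PAM behaviours this document leans on, the 'sufficient'
	fall-through in the pam_winbind lines and the group test on the
	sshd account stack, can be checked without a domain.  The script
	below is an added example, not code from the original document,
	Linux-PAM or Samba: it models how Linux-PAM walks a stack of
	required/requisite/sufficient/optional entries and how
	pam_succeed_if evaluates 'gid = N' against 'user ingroup G', using
	getent output constructed in the shape shown above.  The uids, the
	mmouse and bschmidt passwd entries and the simplified pam_winbind
	account check are assumptions made for the example.

```python
# PAM account-stack model for the winbind setup on this page.  Added example,
# not code from the original document, Linux-PAM or Samba: it mimics how
# Linux-PAM walks required/requisite/sufficient/optional entries and how
# pam_succeed_if evaluates "gid = N" versus "user ingroup G".  The getent
# output below is constructed in the shape shown above (uids are made up).

PASSWD_OUTPUT = """\
tkennedy:*:10004:10000:Tim Kennedy:/home/DOMAIN/tkennedy:/bin/bash
mmouse:*:10005:10000:Mickey Mouse:/home/DOMAIN/mmouse:/bin/bash
bschmidt:*:10006:10003:B. Schmidt:/home/DOMAIN/bschmidt:/bin/bash
"""
GROUP_OUTPUT = """\
Domain Users:x:10000:tkennedy,mmouse,ckent,gbush,bclinton,cpowell
Domain Admins:x:10001:tkennedy,cpowell,ckent
Enterprise Admins:x:10002:tkennedy,ckent
Unix Admins:x:10003:tkennedy,bschmidt,eroberts
"""

def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        name, _, uid, gid, _, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users

def parse_group(text):
    groups = {}
    for line in text.splitlines():
        name, _, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups

CTX = {"users": parse_passwd(PASSWD_OUTPUT), "groups": parse_group(GROUP_OUTPUT)}

def user_groups(user, ctx=CTX):
    """Every gid the user belongs to: primary gid plus groups listing the user."""
    pw = ctx["users"].get(user)
    if pw is None:
        return set()                # no NSS entry at all (eroberts above)
    gids = {pw["gid"]}
    gids.update(g["gid"] for g in ctx["groups"].values() if user in g["members"])
    return gids

# PAM modules as predicates: True means PAM_SUCCESS, False means failure.
def succeed_if_gid(n):
    # "pam_succeed_if.so gid = N" compares ONLY the primary gid from passwd.
    return lambda user, ctx: ctx["users"].get(user, {}).get("gid") == n

def succeed_if_ingroup(group):
    # "pam_succeed_if.so user ingroup G": primary or supplementary membership.
    return lambda user, ctx: ctx["groups"][group]["gid"] in user_groups(user, ctx)

def pam_winbind_account(user, ctx):
    # Simplified pam_winbind account stage: succeeds for accounts winbind
    # mapped into the idmap range (assumption; the real module asks winbindd).
    pw = ctx["users"].get(user)
    return pw is not None and 10000 <= pw["uid"] <= 20000

def run_stack(stack, user, ctx=CTX):
    """Walk one PAM stack the way Linux-PAM does: required failures are
    remembered but the stack continues; requisite failures end it at once;
    a sufficient success ends it with success unless a required entry already
    failed (a sufficient failure is ignored); optional counts only if nothing
    else did.  A stack where no entry contributed a result is denied."""
    required_failed = any_success = False
    for control, module in stack:
        ok = module(user, ctx)
        if control in ("required", "requisite"):
            if ok:
                any_success = True
            elif control == "requisite":
                return False
            else:
                required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True             # later entries are never consulted
        elif control == "optional" and ok:
            any_success = True
    return any_success and not required_failed

# A "gid = 10003" rule on its own: tkennedy's primary group is Domain Users
# (10000), so it would lock out the very admin this page uses as its example.
STACK_GID_ONLY = [("sufficient", succeed_if_gid(10003))]

# Membership by name, then the page's own pam_winbind account line.  The group
# name has a space, so the real line reads: user ingroup [Unix Admins]
STACK_INGROUP = [("required", succeed_if_ingroup("Unix Admins")),
                 ("sufficient", pam_winbind_account)]

if __name__ == "__main__":
    for label, stack in (("gid = 10003", STACK_GID_ONLY), ("user ingroup", STACK_INGROUP)):
        print(label, {u: run_stack(stack, u) for u in ("tkennedy", "mmouse", "bschmidt", "eroberts")})
```

	Run it and tkennedy is denied under 'gid = 10003' but allowed
	under 'user ingroup'; bschmidt (whose primary group is assumed to
	be Unix Admins) passes both; mmouse fails the group test; eroberts,
	listed in the group but with no passwd entry, is denied either way.
	To exempt local accounts from the group rule, put a 'sufficient'
	entry that matches them (a uid check, for instance) ahead of the
	'required' one: in this model a sufficient success returns before
	the group test ever runs, which is exactly why the order of the
	lines in the real pam.d file matters.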


	By using lines like that in other per-service pam.d files, you
	can set up quite complex rules controlling logins on a per
	service, per group basis.  When combining them, remember that a
	'sufficient' entry that succeeds ends the stack right there, so
	put the restrictions you always want enforced as 'required'
	entries above any 'sufficient' ones.



	Any questions?  You can reach me at tim@timkennedy.net



	-------------------------------------------------------------