openSUSE Forums > Archives > Novell Archives » Suse 10.0 Client in a Windows Domain

  #1 (permalink)  
Old 23-Dec-2005, 07:32
Kevin Grove Bowling
Guest
 
Posts: n/a
Default Suse 10.0 Client in a Windows Domain

This is how I was able to configure Suse 10.0 to authenticate on a Windows
2003 Active Directory Server. I do not know if it will work on previous
versions of Windows or with previous versions of Suse Linux.

Notes:

1. Any text that reads domain.internal (lower case) you will replace with
your domain.
2. Any text that reads DOMAIN.INTERNAL (upper case) you will replace with
your domain in upper case.
3. Any text that reads DOMAIN (upper case) you will replace with your domain
(no .internal)
4. The NetBios name is the name of your client (workstation/computer)
4.The NetBios name is the name of your client (workstation/computer)


This process will require the krb5-client (I installed all of it), Samba,
and Samba-Winbind.

Steps

Step 1: Install the Required Packages – This can be done through Yast

Step 2: Edit the /etc/krb5.conf File

[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL

Step 3: Edit /etc/samba/smb.conf

[global]
security = ads
netbios name = NetBios Name
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 1000-29999
idmap gid = 1000-29999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
server string =

Step 4: Test the configuration with the testparm command – You should be
able to see what you entered in the samba.conf file.

Step 5: Edit /etc/nsswitch.conf to look like the example below

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Step 6: Modify the PAM settings

These files are all located in the /etc/pam.d folder

File: common-account (It should contain only the following lines)

account sufficient pam_winbind.so
account required pam_unix.so


File: common-auth (It should contain only the following lines)

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

File: common-password file

password required pam_unix.so nullok obscure min=4 max=50 md5

File: common-session

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Step 7: Make a directory to hold domain user home directories

Note: Use Konsole for this
Note: Use the value you put in the WORKGROUP tag of the smb.conf file

mkdir /home/DOMAIN

Step 8: Initialize Kerberos

Note: Use Konsole for this

kinit domain_admin_account@DOMAIN.INTERNAL

Step 9: Check to be sure you got a ticket from the domain controller

Note: Use Konsole for this

klist

Step 10: Join the Domain

Note: Use Konsole for this

net ads join -U domainadminuser@DOMAIN.INTERNAL

Step 11: Restart Samba-related Services

Note: The order is important
Note: Use Konsole for this

/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start

Step 12: Attempt to switch user and log on as a domain member. If you can
log on, then you are successful.

Step 13: Configure SUDO

Add the “Domain Admins” group from windows to the /etc/sudoers file

%Domain\ Admins ALL=(ALL) ALL

Example:
# sudoers file
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
Defaults targetpw # ask for the password of the target user i.e. root
%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# A space in a group name must be escaped with a backslash
%Domain\ Admins ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

Step 14: See if Konsole will list user names and group names from Windows:

wbinfo -u
wbinfo -g

Step 15: Make sure the permissions on the DOMAIN folder under Homes are set
correctly so that the new users can create their folder on
login.
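
An added example, not part of the original post: a small shell audit of two files from the steps above. It lists Kerberos enctypes in krb5.conf that later RFCs deprecated (RFC 6649 for single DES, RFC 8429 for 3DES and RC4) and flags sudoers group rules whose name contains an unescaped space. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: review krb5.conf and sudoers written by the steps above.

# Print each enctype named in default_tkt_enctypes/default_tgs_enctypes that
# is single DES, 3DES or RC4 (deprecated by RFC 6649 / RFC 8429), once each.
weak_enctypes() {
    awk -F= '
        /^[ \t]*default_(tkt|tgs)_enctypes[ \t]*=/ {
            n = split($2, e, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (e[i] ~ /^(des-|des3-|arcfour-|rc4-)/ && !seen[e[i]]++)
                    print e[i]
        }' "$1"
}

# Print sudoers rules whose %group name appears to contain an unescaped
# space. Heuristic: once "\ " is masked, "=" must sit in the second field.
unescaped_group_rules() {
    awk '
        /^[ \t]*%/ {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop leading whitespace
            sub(/[ \t]*#.*/, "", line)        # drop trailing comment
            gsub(/\\ /, "_", line)            # mask escaped spaces
            gsub(/[ \t]*=[ \t]*/, "=", line)  # normalise "HOST = (RUNAS)"
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && index(f[2], "=") == 0) print $0
        }' "$1"
}

# Constructed sample input (placeholder realm, not taken from a real host).
write_samples() {
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
EOF
    cat > "$1/sudoers" <<'EOF'
Defaults targetpw
%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
root ALL=(ALL) ALL
%Domain Admins ALL=(ALL) ALL
%Domain\ Admins ALL=(ALL) ALL
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
echo "enctypes to review:";      weak_enctypes "$tmp/krb5.conf"
echo "sudoers rules to review:"; unescaped_group_rules "$tmp/sudoers"
rm -rf "$tmp"
```

On a real host, point the two functions at /etc/krb5.conf and /etc/sudoers, and confirm sudoers syntax with visudo -c before relying on the rule.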


  #2 (permalink)  
Old 23-Dec-2005, 11:00
baskitcaise
Guest
 
Posts: n/a
Default Re: Suse 10.0 Client in a Windows Domain

Kevin Grove Bowling adjusted his/her tinfoil beanie to post:

> This is how I was able to configure Suse 10.0 to authenticate on a
> Windows 2003 Active Directory Server. I do not know if it will work on
> previous versions of Windows or with previous versions of Suse Linux.



<<snip very good instructions>>


Thanks for that Kevin, have snarfed it for future usage :-)

All the best for the season.

--
Mark
Twixt hill and high water
N. Wales, UK
Novell Support Forums SysOp

 
