[CentOS] Help with authenticating against Active Directory.

Toby Bluhm tkb at MidwestInstruments.com
Fri Feb 1 18:02:16 UTC 2008


Milton Calnek wrote:
> Hello all,
>
> I'm trying to authenticate shell logins against an MS-ADS.  I don't 
> have admin access to the ADS, but I can talk to the admins.
>
> I have gotten as far as getting authentication working, but the uids 
> depend on the order of login, i.e. the first guy to log in gets 10000, 
> the next gets 10001, etc.  The problem I have with this is that I want 
> to share the home directories via NFS, which means everyone has to 
> have the same id.
>
> Is anyone else doing this?
>
> My smb.conf and nsswitch.conf files are below.
>
> TIA
>

You can get samba to do single sign-on against MS AD & issue predictable 
uids in Linux. The smb.conf option:

   idmap backend = idmap_rid:DOMAIN=100000-3000000

will take the user's RID in AD, add 100000 to it, and use that as the uid 
in Linux.

This smb.conf worked for me a couple years ago at my former employer, on 
RH4 type machines. Note I did not have an ldap server defined. This is 
the entire global section I used in all linux boxes that I joined to the 
domain.

[global]
        workgroup = DOMAIN
        realm = DOMAIN.EXAMPLE.COM
        server string = Samba Server
        security = ads
        # log level = 0 vfs:2
        log file = /var/log/samba/ALL.log
        max log size = 500
        socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
        load printers = No
        preferred master = No
        domain master = No
        dns proxy = No
        wins server = 192.168.1.1
        netbios name = LINUX999
        netbios aliases = host999
        ldap ssl = no
        idmap uid = 10000-3000000
        idmap gid = 10000-3000000
        template homedir = /users/%U
        template shell = /bin/bash
        winbind enum users = No
        winbind enum groups = No
        idmap backend = idmap_rid:DOMAIN=100000-3000000
        allow trusted domains = no
        username map = /etc/samba/smbusers
        name resolve order = wins bcast
        cups options = raw
        disable spoolss = Yes
        show add printer wizard = No
        os level = 1
        winbind use default domain = yes
        host msdfs = Yes
        admin users = DOMAIN\admin20 DOMAIN\admin22
-- 
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240
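The RID arithmetic above is what makes the mapping stable across NFS clients: every host that shares the same domain SID and the same range computes the same uid for a given user, with no per-host allocation table. The following Python model (an added example, not part of Toby's post and not Samba's own code) replays two hosts' login orders through a toy "allocating" backend and through a toy idmap_rid backend, parses the posted `idmap backend = idmap_rid:DOMAIN=100000-3000000` line, and refuses both out-of-range RIDs and SIDs from a foreign domain. The domain SID and the two user RIDs are constructed values; the class names are the example's own.

```python
"""Toy model of winbind id mapping: deterministic idmap_rid versus a
per-host allocating backend. Added example, not Samba's code."""

# Constructed values (not from the post): a made-up domain SID and two
# user RIDs. The ranges are the ones in the posted smb.conf.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE = DOMAIN_SID + "-1105"
BOB = DOMAIN_SID + "-1106"
IDMAP_RID_LINE = "idmap backend = idmap_rid:DOMAIN=100000-3000000"
TDB_RANGE = (10000, 3000000)  # from "idmap uid = 10000-3000000"


def parse_idmap_rid_line(line):
    """Parse the old-style 'idmap backend = idmap_rid:DOMAIN=LOW-HIGH' line
    into (domain, low, high); malformed input raises ValueError."""
    key, _, value = line.partition("=")
    value = value.strip()
    if key.strip() != "idmap backend" or not value.startswith("idmap_rid:"):
        raise ValueError(f"not an idmap_rid line: {line!r}")
    domain, _, span = value[len("idmap_rid:"):].partition("=")
    low, _, high = span.partition("-")
    if not (domain and low.isdigit() and high.isdigit()) or int(low) > int(high):
        raise ValueError(f"bad range in {line!r}")
    return domain, int(low), int(high)


def rid_of(sid, domain_sid=DOMAIN_SID):
    """Return the RID of a SID in the configured domain. SIDs from any other
    domain are refused: one rid range covers exactly one domain, which is
    why the posted smb.conf also sets 'allow trusted domains = no'."""
    prefix = domain_sid + "-"
    rid = sid[len(prefix):]
    if not sid.startswith(prefix) or not rid.isdigit():
        raise ValueError(f"{sid} is not a user/group SID of {domain_sid}")
    return int(rid)


class RidIdmap:
    """Stateless mapping: id = low + RID, refused when it leaves the range."""

    def __init__(self, config_line=IDMAP_RID_LINE, domain_sid=DOMAIN_SID):
        _, self.low, self.high = parse_idmap_rid_line(config_line)
        self.domain_sid = domain_sid

    def sid_to_id(self, sid):
        uid = self.low + rid_of(sid, self.domain_sid)
        if uid > self.high:
            raise ValueError(f"RID maps to {uid}, above range end {self.high}")
        return uid

    def id_to_sid(self, uid):
        """Inverse mapping (needed to show file owners by domain name)."""
        if not self.low <= uid <= self.high:
            raise ValueError(f"{uid} is outside {self.low}-{self.high}")
        return f"{self.domain_sid}-{uid - self.low}"


class AllocatingIdmap:
    """First-come-first-served allocation kept in a per-host table: the
    behaviour the original poster saw (first login 10000, next 10001, ...)."""

    def __init__(self, id_range=TDB_RANGE):
        self.low, self.high = id_range
        self.table = {}

    def sid_to_id(self, sid):
        if sid not in self.table:
            nxt = self.low + len(self.table)
            if nxt > self.high:
                raise ValueError("idmap range exhausted")
            self.table[sid] = nxt
        return self.table[sid]


def compare_hosts(logins_host_a, logins_host_b):
    """Replay two NFS clients' login orders through both backends and report,
    per SID, whether the two hosts agree: {sid: (tdb_agrees, rid_agrees)}."""
    tdb_a, tdb_b = AllocatingIdmap(), AllocatingIdmap()
    rid_a, rid_b = RidIdmap(), RidIdmap()
    for sid in logins_host_a:
        tdb_a.sid_to_id(sid)
    for sid in logins_host_b:
        tdb_b.sid_to_id(sid)
    users = sorted(set(logins_host_a) | set(logins_host_b))
    return {
        sid: (tdb_a.sid_to_id(sid) == tdb_b.sid_to_id(sid),
              rid_a.sid_to_id(sid) == rid_b.sid_to_id(sid))
        for sid in users
    }


if __name__ == "__main__":
    for sid, (tdb_ok, rid_ok) in compare_hosts([ALICE, BOB], [BOB, ALICE]).items():
        print(f"{sid}: tdb agrees={tdb_ok}  rid agrees={rid_ok}")
```

With the login orders reversed between the two hosts, the allocating backend gives Alice 10000 on one box and 10001 on the other, while the rid backend gives 101105 everywhere. Two practical notes: the rid scheme only stays collision-free while a range serves a single domain, so keep `allow trusted domains = no` (as in the post) or give each trusted domain its own range; and current Samba releases express the same setting per domain as `idmap config DOMAIN : backend = rid` plus `idmap config DOMAIN : range = 100000-3000000` rather than the older `idmap backend = idmap_rid:...` form shown here.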
