On Thu, Feb 18, 2010 at 7:22 PM, Scott Ehrlich <srehrlich at gmail.com> wrote: > I've been trying to follow samba, centos, ldap, and other > documentation to try and get a CentOS 5 box to permit a user to log > into an existing Windows 200x Active Directory domain without > necessarily having the box as part of the domain. If it has to be > part of the domain, that is fine. The user shall have no local > account on the box - I want their active directory account to > automatically produce their account on the CentOS 5 box, likely with a > shell of bash. > > None of the web pages I've visited thus far have helped me configure > my test C5 box to allow me to successfully at least log into the > console of my C5 box with my AD credentials. > > Leads to proper configuration of krb5.conf, ldap config files, > smb.conf, nsswitch.conf, and whatever else would be most appreciated. > > I do have have any control of the Windows domain controller other than > limited admin rights, which largely allows me to create computer > accounts. Thus, majority of the work must be with the CentOS 5, of > which I have root and can rebuild as often as needed. Easiest way is to just use system-config-authentication. Then 1) Enable Winbind support 2) Enter your domain 3) Select ADS as security model 4) Enter your domain controller 5) Select /bin/bash as template shell. 6) Check "Allow Offline Login" if desired 7) Click "Join Domain" then enter an account with join privileges Repeat for the "Authentication" tab Under the Options tab, I also select Cache user information Use Shadow PWs Local auth is sufficient Check accss.conf Create home dirs on login Finally, edit the /etc/samba/smb.conf and set "winbind user default domain" to true so you don't need to prepend the domain to the login. I.e., ads/jsixpack