Difference between revisions of "Linux Winbind Setup"
(Added pam config) |
(The version that actually works) |
||
Line 44: | Line 44: | ||
In Arch, make the following changes to system-auth | In Arch, make the following changes to system-auth | ||
− | + | %PAM-1.0 | |
auth required pam_env.so | auth required pam_env.so | ||
− | + | auth sufficient pam_unix.so try_first_pass nullok | |
− | auth required | + | auth required pam_winbind.so use_first_pass use_authtok |
auth optional pam_permit.so | auth optional pam_permit.so | ||
− | + | account sufficient pam_unix.so | |
− | account | + | account sufficient pam_winbind.so use_first_pass use_authtok |
account optional pam_permit.so | account optional pam_permit.so | ||
account required pam_time.so | account required pam_time.so | ||
− | password | + | password sufficient pam_unix.so try_first_pass nullok sha512 shadow |
+ | password sufficient pam_winbind.so use_first_pass use_authtok | ||
password optional pam_permit.so | password optional pam_permit.so | ||
− | + | session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 | |
− | |||
session required pam_limits.so | session required pam_limits.so | ||
session required pam_env.so | session required pam_env.so | ||
− | session | + | session sufficient pam_unix.so |
+ | session sufficient pam_winbind.so use_first_pass use_authtok | ||
session optional pam_permit.so | session optional pam_permit.so |
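Review bot: In the new account lines, pam_unix.so and pam_winbind.so are both "sufficient" and are followed by "account optional pam_permit.so", so when both modules fail their results are ignored and pam_permit.so's success carries the stack; when either one succeeds the stack ends there, so "account required pam_time.so" is never consulted. Suggest making pam_winbind.so "required" on the account line (as the auth line already does) and moving pam_time.so above the sufficient lines, so that an account-phase failure actually denies. Smaller points in the same hunk: "use_first_pass use_authtok" are password-handling options that only matter on auth and password lines, "nullok" on the pam_unix.so auth and password lines accepts empty local passwords, and the first added line reads "%PAM-1.0" where the usual header is the comment "#%PAM-1.0".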
Revision as of 01:46, 28 August 2013
Installation
sudo pacman -S krb5 samba
/etc/nsswitch.conf
Add winbind to the passwd and group lines like so:
passwd: files winbind
group: files winbind
shadow: files
/etc/krb5.conf
Set the default realm to AD.PUMPINGSTATIONONE.ORG (caps matter)
[libdefaults]
default_realm = AD.PUMPINGSTATIONONE.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
/etc/samba/smb.conf
[global]
workgroup = PS1
realm = AD.PUMPINGSTATIONONE.ORG
security = ADS
encrypt passwords = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nss info = rfc2307
idmap config shortdomainname:range = 500-40000
idmap config shortdomainname:schema_mode = rfc2307
idmap config shortdomainname:backend = ad
idmap config *:range = 70001-80000
idmap config *:backend = tdb
template shell = /bin/bash
/etc/pam.d/system-auth
In Arch, make the following changes to system-auth:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_winbind.so use_first_pass use_authtok
auth optional pam_permit.so
account sufficient pam_unix.so
account sufficient pam_winbind.so use_first_pass use_authtok
account optional pam_permit.so
account required pam_time.so
password sufficient pam_unix.so try_first_pass nullok sha512 shadow
password sufficient pam_winbind.so use_first_pass use_authtok
password optional pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_env.so
session sufficient pam_unix.so
session sufficient pam_winbind.so use_first_pass use_authtok
session optional pam_permit.so
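How the control flags on the account lines above combine, as an added example that is not part of the original wiki page: a simplified model of Linux-PAM's required/requisite/sufficient/optional handling, not libpam code. The function names and the module outcomes fed to it are assumptions constructed for illustration.

```python
# Simplified model of how Linux-PAM combines module results for the four
# keyword control flags. Added example, not libpam code. Module outcomes
# passed in are constructed inputs, not observations from a real host.
ACTIONS = {
    "required":   {"success": "ok",   "ignore": "ignore", "fail": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "fail": "die"},
    "sufficient": {"success": "done", "ignore": "ignore", "fail": "ignore"},
    "optional":   {"success": "ok",   "ignore": "ignore", "fail": "ignore"},
}

# The account lines from the system-auth file on this page.
ACCOUNT_STACK = """\
account sufficient pam_unix.so
account sufficient pam_winbind.so use_first_pass use_authtok
account optional pam_permit.so
account required pam_time.so
"""

def parse(text, mtype):
    """Return [(control, module), ...] for config lines of the given type."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype:
            rows.append((fields[1], fields[2]))
    return rows

def evaluate(stack, outcomes):
    """Walk the stack; return (granted, modules_consulted).

    outcomes maps module name -> "success" | "fail" | "ignore";
    modules missing from the map are treated as succeeding.
    """
    impression, consulted = None, []       # None = no opinion formed yet
    for control, module in stack:
        consulted.append(module)
        action = ACTIONS[control][outcomes.get(module, "success")]
        if action in ("ok", "done"):
            if impression is None:
                impression = True
            if action == "done" and impression:
                break                      # sufficient success ends the stack
        elif action in ("bad", "die"):
            impression = False             # a recorded failure is never undone
            if action == "die":
                break
    return impression is True, consulted
```

Calling `evaluate(parse(ACCOUNT_STACK, "account"), {"pam_unix.so": "fail", "pam_winbind.so": "fail"})` grants access because pam_permit.so supplies the first result that is not ignored, and with pam_unix.so succeeding the walk stops before pam_time.so is consulted.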