Manually Joining an RHEL/CentOS 5.X Server to a Windows Domain

Posted: April 21, 2010 in Uncategorized

  • Install the required packages:

yum install samba krb5-workstation krb5-libs pam_krb5 samba-common ntp

  • Edit /etc/krb5.conf. Replace the values shown in <angle brackets> with your own domain, realm and domain controller, and do not keep the <> symbols. The entries belong in the standard krb5.conf sections shown here:

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
  default_realm = <DOMAIN.LOCAL>
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

 [realms]
  <DOMAIN.LOCAL> = {
   kdc = <domain-controller.domain.local>
   admin_server = <domain-controller.domain.local>
   default_domain = <DOMAIN.LOCAL>
  }

 [domain_realm]
  .<domain.local> = <DOMAIN.LOCAL>

 [appdefaults]
  pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
  }

  • Edit the [global] section of /etc/samba/smb.conf (again, replace the values in <angle brackets> with your own and do not keep the <> symbols):

 [global]
 workgroup = <DOMAIN>
 netbios name = <COMPUTER-HOST-NAME>
 server string = <Computer Description>
 security = ads
 realm = <DOMAIN.LOCAL>
 encrypt passwords = yes
 smb passwd file = /etc/samba/smbpasswd
 allow trusted domains = yes
 unix password sync = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *New*password* %n\n *Retype*new*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
 pam password change = yes
 obey pam restrictions = yes
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 dns proxy = no
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 winbind use default domain = yes
 # winbind separator = #
 winbind enum users = yes
 winbind enum groups = yes
 template shell = /bin/bash
 template homedir = /home/%U
 load printers = no
 printing = none
 printcap name = /dev/null
 disable spoolss = yes

Note: I don't use the winbind separator option because I want domain accounts to log in to the Linux shell with a plain username rather than something like DOMAIN\username or DOMAIN+username. That choice is up to you. The same goes for the home directory location: I prefer domain users to stay under /home rather than /home/DOMAIN/.

  • Edit /etc/nsswitch.conf:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns

  • Edit /etc/pam.d/system-auth:

auth required
auth sufficient likeauth nullok
auth sufficient use_first_pass
auth sufficient use_first_pass
auth required
account required broken_shadow
account sufficient uid < 100 quiet
account [default=bad success=ok user_unknown=ignore]
account [default=bad success=ok user_unknown=ignore]
account required
# Use option below if you want to restrict all users but
# those that belong to the ‘unix’ group in AD
# account requisite user ingroup unix
password requisite retry=3
password sufficient nullok use_authtok md5 shadow
password sufficient use_authtok
password sufficient use_authtok
password required
session required
session required
session optional skel=/etc/skel/ umask=0027
session optional

  • Once these files are in place, restart winbind and Samba manually so they pick up the new configuration before you test:

 /etc/init.d/winbind restart ; /etc/init.d/smb restart

  • Ensure winbind and Samba are running in the proper run levels:

chkconfig --level 345 winbind on ; chkconfig --level 345 smb on

  • You will now want to try to add the computer to the domain. You will need an account with domain admin privileges to do this:

net ads join -U <administrator>@<DOMAIN.LOCAL>

This joins the computer to the domain and prompts you for the administrator's password. It should complete successfully; if not, check the log files and the configuration files above and make sure they match this guide.

To confirm that the server can now see domain groups, type:

wbinfo -g

  • Other commands to try:

getent passwd    (password list; should include domain users as well)
getent group     (group list; should include domain groups as well)
wbinfo -g        (lists groups from the domain)
wbinfo -u        (lists users from the domain)
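As an added example that is not part of the original post or of Samba's own tooling: a POSIX shell script that checks the three files edited above for the mistakes that most often make the join fail (placeholder values left in, a lower-case realm, a realm that differs between krb5.conf and smb.conf, winbind missing from nsswitch.conf) and, once the join has been done, runs the live winbind checks. The default file paths are the guide's; the `check` argument, the `conf_value` helper and the use of 16777216 (the lower bound of the guide's idmap range) to count domain users are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: static checks for the three
# files edited in the guide, plus live winbind checks for after "net ads join".
# Paths default to the real files; pass other paths as $1 $2 $3 to check copies.

# Print the first "key = value" for key $2 in file $1, trailing whitespace trimmed.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Static checks that catch the usual reasons a join fails before any traffic is sent.
# Returns the number of problems found (0 = all checks passed).
check_configs() {
    krb5="${1:-/etc/krb5.conf}"
    smb="${2:-/etc/samba/smb.conf}"
    nss="${3:-/etc/nsswitch.conf}"
    errors=0

    # A <PLACEHOLDER> left in from the guide means the file was never edited.
    if grep -q '<[A-Za-z .-]*>' "$krb5" "$smb" 2>/dev/null; then
        echo "ERROR: placeholder <...> values still present in $krb5 or $smb"
        errors=$((errors + 1))
    fi

    # Kerberos realm names are case-sensitive and AD realms are upper-case.
    realm=$(conf_value "$krb5" default_realm)
    if [ -z "$realm" ]; then
        echo "ERROR: no default_realm in $krb5"
        errors=$((errors + 1))
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "ERROR: default_realm '$realm' is not upper-case"
        errors=$((errors + 1))
    fi

    # smb.conf must use ADS security and name the same realm as krb5.conf.
    security=$(conf_value "$smb" security | tr '[:upper:]' '[:lower:]')
    smb_realm=$(conf_value "$smb" realm)
    if [ "$security" != "ads" ]; then
        echo "ERROR: smb.conf has security = '$security' (expected ads)"
        errors=$((errors + 1))
    fi
    if [ "$smb_realm" != "$realm" ]; then
        echo "ERROR: smb.conf realm '$smb_realm' does not match krb5 default_realm '$realm'"
        errors=$((errors + 1))
    fi

    # Without winbind in nsswitch.conf, domain users and groups never resolve.
    for db in passwd group; do
        if ! grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$nss" 2>/dev/null; then
            echo "ERROR: '$db:' line in $nss does not list winbind"
            errors=$((errors + 1))
        fi
    done

    return $errors
}

# Live checks for after the join; skipped when the Samba tools are not installed.
live_checks() {
    if ! command -v wbinfo >/dev/null 2>&1; then
        echo "wbinfo not found; skipping live checks"
        return 0
    fi
    # Kerberos rejects tickets when clocks differ by more than a few minutes,
    # so compare against the KDC (skip the "kdc = FILE:..." logging entry).
    kdc=$(sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "${1:-/etc/krb5.conf}" | grep -v '^FILE:' | head -n 1)
    if [ -n "$kdc" ] && command -v ntpdate >/dev/null 2>&1; then
        ntpdate -q "$kdc"
    fi
    wbinfo -p           # is winbindd answering?
    wbinfo -t           # is the machine account trust to the DC valid?
    net ads testjoin    # is the domain membership still good?
    # Domain users get uids from the guide's idmap range, which starts at 16777216.
    echo "domain users visible via getent: $(getent passwd | awk -F: '$3 >= 16777216' | wc -l)"
}

if [ "${1:-}" = "check" ]; then
    check_configs && live_checks
fi
```

Run it as `sh join-check.sh check` after editing the files; the static checks run first and the live checks only if they pass and the Samba tools are installed.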

  1. ipangsan says:

    Nice article. I must bookmark and try it.

  2. […] mehaboob, I hope these links would help you –…indows-domain/ […]

  3. Henry says:

    I finally got it to work after much trial and error. At first I kept getting what looked like authentication errors (logs were no help because there were none). Eventually I cross-referenced your information with this page:

    And I changed two things:
    1) set “security = ads” in all-caps ==> “security = ADS”
    2) set port number for admin_server ==> “admin_server = :749”

    I’m not 100% sure which of the two changes above made the difference but after that I was successfully able to join the domain.

    • zgambitx says:

      There have been changes with Samba/Winbind and the different versions of CentOS. I’m glad you were able to get it to work!
