
WinbindPam

Files to edit to configure PAM to use winbind

/etc/samba/smb.conf

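[global]
# Winbind settings for a domain member, so that NSS and PAM can resolve and
# authenticate domain accounts. DOMAIN and AD are placeholders for the
# domain name and the domain controller's name.
        workgroup = DOMAIN
# NOTE(review): "domain" is the NT4-style member mode. Against Active
# Directory, "security = ads" (Kerberos, needs "realm") is the usual choice;
# confirm which one this environment requires.
        security = domain
        password server = AD
        wins server = AD

# Never take part in browse-master elections on this member.
        local master = no
        domain master = no
        preferred master = no

        encrypt passwords = true

        dns proxy = no

# The parameter name is plural. The singular spelling is not a Samba
# parameter, so that line is ignored and trusted domains stay allowed (the
# default). Run testparm after editing to catch unknown parameters.
        allow trusted domains = no
# Map domain users and groups into this local uid/gid range (RID backend).
# Keep the range clear of local accounts so a domain identity can never
# collide with a local one.
# NOTE(review): this "idmap backend" / "idmap uid" syntax is version-specific;
# check smb.conf(5) for the installed Samba.
        idmap backend = rid:DOMAIN=15000-20000
        idmap uid = 15000-20000
        idmap gid = 15000-20000

#        winbind separator = +
# "winbind uid" / "winbind gid" are older synonyms of "idmap uid" / "idmap gid";
# keep the ranges identical to the ones above.
        winbind uid = 15000-20000
        winbind gid = 15000-20000
        winbind cache time = 15
# Enumeration lets tools list every domain user and group, but it can be slow
# on large domains.
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
# Domain users log in with the bare user name (no DOMAIN prefix), so a local
# account and a domain account with the same name are easy to confuse; audit
# for name clashes.
        winbind use default domain = yes
# NOTE(review): WINS, lmhosts and broadcast are tried before DNS ("host").
# WINS and broadcast replies are unauthenticated; consider listing "host"
# first where DNS is reliable.
        name resolve order = wins lmhosts host bcast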

/etc/nsswitch.conf

# Local files (compat) are consulted first, then winbind for domain accounts,
# so a local name or id wins over a domain entry with the same name.
passwd:         compat winbind
group:          compat winbind
# Password hashes are looked up locally only; domain passwords are checked
# through PAM (pam_winbind), not through NSS.
shadow:         compat

/etc/pam.d/common-account

# "sufficient": when pam_winbind accepts the account the stack ends here, so
# the pam_unix account checks only run for users winbind does not accept.
account sufficient       pam_winbind.so
account required         pam_unix.so

/etc/pam.d/common-auth

# Order matters: the domain (winbind) is tried first, then local passwords,
# and pam_deny rejects whatever neither module accepted.
# NOTE(review): as written, every domain account that can authenticate is
# accepted; pam_winbind's require_membership_of option can limit logins to
# members of one group.
auth sufficient pam_winbind.so
# use_first_pass reuses the password already typed for pam_winbind instead of
# prompting again. nullok_secure accepts empty local passwords on terminals
# listed in /etc/securetty; drop it if no local account should have one.
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so

/etc/pam.d/common-session

session required pam_unix.so
# Creates a missing home directory from /etc/skel when a session opens.
# NOTE(review): umask=0022 leaves new home directories readable by every
# other user on the host; umask=0077 keeps them private.
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Add users to local groups as needed

/etc/group

Join the domain

The machine must be joined to the domain before winbind can authenticate domain users.

sudo net -u <adusername> join

Restart winbind and samba

# Run both as root, after the join, so the daemons start with the new
# configuration.
/etc/init.d/samba restart
/etc/init.d/winbind restart

Optional: if a local user with the same name already exists

Do this from a root account, and make sure the user you are about to delete is not logged in.

Delete the old user name

# Removes only the local account; deluser keeps the home directory unless
# --remove-home is given.
deluser <username>

Change the ownership of the home directory to the AD user

# <username> is resolved through NSS, so winbind must already be running for
# the AD name to map to its uid.
chown -R <username>:users /home/<username>