For Mandriva Linux, GPL, 2006
Herman Oosthuysen, Aerospace Software Ltd.
This document briefly describes how to configure a GNU/Linux machine to authenticate users against a Microsoft Server 2003 Active Directory Server.
The idea is to use the Windows 2003 ADS to authenticate a foreign user and allow him to use a Linux machine that is a member of the Windows domain, without having to create a user account for him manually on the Linux machine. This is very useful when you have large numbers of machines and users.
If everything works as it should, then you only need to configure the users on the Active Directory machine. The users can then walk up to any machine on the network and log on. If a user has never used that machine before, a user account will be magically created. This magical trick is known as Single Sign-On (SSO).
This whole process is rather complicated and relies on a number of subsystems working together:
– Pluggable Authentication Modules (PAM)
– Server Message Block (SMB, Samba)
– WinBIND (part of Samba)
– Kerberos 5 (by MIT, with Microsoft compatibility hacks)
Note that most documentation on the web is written for Samba authentication to an NT4 domain. There is precious little information on authenticating to an ADS domain. Therefore, most of the available documentation is either wrong or misleading. Also, since Microsoft is very secretive about everything, you won’t find any useful information on their web site either. The most useful information is on the Samba project web site at http://www.samba.org, but even that needs to be read carefully, since it mostly concerns NT4.
The biggest problem is configuring Samba and determining exactly which identifiers and spelling to use where, since Kerberos and NETBIOS are fond of upper case, while everything else prefers lower case. Of course, nothing works until every last little detail is correct, so these and other subtleties can lead to many hours of happy debugging and experimentation before it suddenly begins to work.
Just about every imaginable error message was discovered the hard way, and they are all documented below. Of course, since you will be following this great guide, you won’t ever see them – let’s hope anyway.
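To make the upper-case/lower-case rule concrete, here is an added illustration that is not part of the original guide: constructed smb.conf and krb5.conf fragments for an assumed DNS domain example.com, whose Kerberos realm is EXAMPLE.COM, whose NetBIOS domain name is EXAMPLE, and whose (hypothetical) domain controller is dc1.example.com. Realm and workgroup names are upper case; DNS host names are lower case.

```ini
# --- /etc/samba/smb.conf (constructed example; assumed domain example.com) ---
[global]
   # NetBIOS domain name: upper case
   workgroup = EXAMPLE
   # Kerberos realm: upper case, normally the DNS domain name capitalised
   realm = EXAMPLE.COM
   # Authenticate against Active Directory with Kerberos, not an NT4-style PDC
   security = ads
   # Map domain users and groups onto local uid/gid ranges (Samba 3 syntax)
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   # Let users log in as "jsmith" rather than "EXAMPLE\jsmith"
   winbind use default domain = yes
   # Attributes given to accounts that winbind creates on first login
   template shell = /bin/bash
   template homedir = /home/%D/%U

# --- /etc/krb5.conf (constructed example; assumed KDC dc1.example.com) ---
[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
      # DNS host names of the KDC / domain controller: lower case
      kdc = dc1.example.com
      admin_server = dc1.example.com
   }

[domain_realm]
   # Map DNS names (lower case) onto the realm (upper case)
   .example.com = EXAMPLE.COM
   example.com = EXAMPLE.COM
```

The realm string must match the Active Directory domain's Kerberos realm character for character; a realm written in lower case, or a workgroup written as the DNS name, is exactly the kind of "every last little detail" that stops the domain join and the subsequent logins from working.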
Note that everything here was tested on Linux, but it should also apply almost directly to Solaris, since Samba is cross-platform.