Before I went on vacation last week, I was able to successfully add a Red Hat Enterprise Server (version 3) box to our Windows 2003 Active Directory Domain. I primarily used the following link as a guide through the process:
I will now add some extra commentary to each of the steps on the tutorial for my specific situation:
————————————————–
1. Install and Check Necessary Packages: For this step, I opened a shell and used the up2date utility to verify the named packages were up-to-date. Prior to this, I had let Red Hat update everything it thought needed to be updated; this means that this step was trivial for me, since every necessary package was found and up-to-date. Also, my installation had system-config-samba for the first packaged named in the list.
2. Configure Name Resolution: We chose the easier option of merely configuring the hosts file on both machines. I know the tutorial says to avoid it, but we are not at a place right now where we could easily switch our DNS machine to be a Linux box. We haven’t had any problems so far, but I will keep you updated.
3. Configure Samba and Winbindd: I went ahead and just replaced my smb.conf with the one in the tutorial and then modified the workgroup, netbios name, realm, and password server accordingly.
4. Configure Kerberos: I was able to get the net ads join command to work after changing one configuration setting in the \etc\krb5.conf file (and therefore, not needing to perform the "Manual Approach"). I changed the dns_lookup_kdc property to true and then the Domain server was able to accept the Linux box into the domain. I eventually ended up making a few more changes to this file after seeing an example file on Red Hat’s support site. My config file looks just like the one at this link, with the exception of the property I set to true mentioned above (also don’t forget to replace the EXAMPLE.DIRECTORY and 10.0.0.1 place-holders with your specific values):
http://kbase.redhat.com/faq/FAQ_71_2338.shtm
Next, go ahead and execute the commands in the "(Re)starting Samba and Winbindd" section in order to test that everything is playing nice. For my installation, however, in order to restart the Samba service, I used the following command from a shell:
/etc/rc.d/init.d/smb restart
If everything goes alright, then modify the init.d startup scripts in order to start the smb and winbindd services at boot up. For my installation, I ended up just using the GUI utility provided by Red Hat found under something like System Settings | Server Settings | Services (or you can just type redhat-config-services into a shell). Just check the two services and then be sure to hit the Save button.
5. Configure PAM and Winbind: For this step, I ended up changing a few different config files, and I’m not which ones really mattered or not. So go ahead and make the changes to \etc\pam.d\login; I believe it is 3 lines that need to be added (the auth line for pam_unix.so and two pam_winbind.so lines, one for the auth section and one for the account section). I also added these same 3 lines to \etc\pam.d\remote and \etc\pam.d\sshd. For the \etc\pam.d\su config file, I only added the two pam_winbind.so lines (with no parameters and using the /lib/security/$ISA/ folder structure all of the other lines in the file use).
There is one more change I made to \etc\pam.d\system-auth, which allows the automatic creation of user profiles for your domain accounts upon first login. I added the following script call as required under the session section:
/lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
Be sure to read the article at the following link to understand what this script will and won’t do:
http://kbase.redhat.com/faq/FAQ_85_5367.shtm
————————————————–
After verifying that domain user accounts can login, su, and ssh, I also did a reboot to make sure everything started up correctly on boot up and that the profiles were being automatically created. Also, make sure the login screen will show the box name and it’s newly inherited domain.
I may be trying to do this exact same procedure soon for an Ubuntu machine on our company network. I’m still undecided whether to just try this method above or to try following a pretty well-written tutorial I found on Ubuntu’s support site (currently, I’m leaning toward the latter). I’ll let you know how it goes when I do though.
FOLLOWUP (07/16/08): I just found out the Ubuntu machine is going to be phased out and redone anyway. So I won’t be attempting to migrate it to our Windows Domain anymore. But here are some good links I found in my research specific to doing this process on Ubuntu: