Join CentOS to a Windows Domain

3/26/2012 update: I've now done this on CentOS 6.2 as well.

Since I've had to do this a number of times in the last few months, I thought I should post this here so I can't forget it.

Here are the specifics of what I'm using:
  • Windows Server 2008 R2
    • As dc1.devexample.com (192.168.0.201)
    • As Primary Domain Controller of devexample.com
    • As Windows Server 2008 R2 forest functional level
  • CentOS 5 / CentOS 6
    • As app01.devexample.com (192.168.0.203)
    • Samba 3.5.6 / Samba 3.6.3
  • An internet connection. If you are not going to have an internet connection, you'll want to pre-download the files you'll need. I suggest using 'yum downloadonly' to get them.
I've spun up a brand new CentOS 5.5 VM and logged in. Oh man, does anyone else just love logging into a fresh install? Is my nerd showing? Sorry!

The first thing I need to do is take on great responsibility, so for that I'm going to need great power: let's add my account to the sudoers list.
su -
EDITOR=nano visudo
That's better. Now we can stop acting as root.
exit
Now that I can tell the operating system what to do, let's update it.

While that downloads and installs, let's add /sbin and /usr/sbin to your path. These directories hold a lot of commands that need to be run by root. Since we're going to "sudo" a lot of these commands later, having them in our path will save us from having to fully qualify the path every time (e.g. /usr/sbin/something -arg -foo).
nano ~/.bash_profile
Now is also a good time to update our hostname and network settings. On your network at home, you probably just let DHCP assign you an IP address. In a kerberized network environment, though, you'll want to assign your computers a static IP address.
sudo nano /etc/sysconfig/network
and then create an entry for that hostname in your hosts file...
sudo nano /etc/hosts

And now, assuming that you're using eth0 as your ethernet device,
sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0
Since you're configuring everything statically instead of relying on DHCP, you need to configure your DNS server(s) manually too.
sudo nano /etc/resolv.conf
Finally before we reboot, let's configure our network time protocol (ntp) client. KERBEROS WILL NOT WORK unless the computers involved (KDC, Server, Client) have synchronized clocks. Variances larger than 1-2 minutes will cause kerberos to fail.

Configuring NTP correctly is actually not as easy as it should be. I don't understand why "hey go sync your clock with that guy over there every so often" requires so much work, but it does. I found a good tutorial over here, which I will now distill for you.

We're going to completely replace the existing configuration, so you should rename it to a backup file.
sudo mv /etc/ntp.conf /etc/ntp.orig
And then we can create our own
sudo nano /etc/ntp.conf

We're not done! Next, a separate step-tickers file (/etc/ntp/step-tickers) must be created that lists the servers.
su -
awk '/^server/ {print $2}' /etc/ntp.conf | grep -v '127.127.1.0' > /etc/ntp/step-tickers
And then! We need to sync our clock and then configure the OS to sync every time it boots.

(assuming you're still running as root from the last step)
ntpdate -u dc1.devexample.com
chkconfig --level 345 ntpd on
Whew, all that just for clock synchronization! Now we can stop acting as root:
exit
Our server is now configured as app01.devexample.com, is set to have the IP address 192.168.0.203, and will sync its clock with the domain controller.

Let's do one last thing while your OS is updating: set firewall and SELinux policies. The first time I attempted to join a CentOS box to the domain, I pulled my hair out for a couple of days trying to debug this error: "bind failed on pipe socket /var/lib/samba/winbindd_privileged/pipe: Permission denied". I've only discovered one thing that will make this error go away: SELinux settings. You can either set the system SELinux policy from "Enforcing" to "Permissive", or you can keep it as "Enforcing" but turn off all samba protection. Up to you and your requirements, but for this blog post I'm going to set SELinux to "Permissive".

Open System > Administration > Security Level and Firewall and allow samba through the firewall on the "Firewall Options" tab.

Then go to the "SELinux" tab and change the setting to "Permissive" and apply the changes.

If you haven't installed an X server, you can just edit /etc/selinux/config and set SELINUX=permissive.

That's it for now: go have a coffee. Or a beer. When the update is finished, reboot. I'll wait right here for you. (P.S. - if you can't get to the internet when you come back, make sure your /etc/resolv.conf still has our custom entries in it!).

Welcome back!

We've already come a long way together and we haven't even begun to join our box to the domain, have we? For this reason, you might want to consider tools like Centrify or Likewise-Open. I've never used either of them myself, but I'm a fan of the group policy and auditing capability that they advertise. Even after you finish following all of my steps, you're still not going to have those two capabilities.

It's finally time to download and install samba. At http://enterprisesamba.org, you'll find already-compiled binaries of the latest samba for CentOS 5.5 (and CentOS 6 too). These instructions assume you have a connection to the interwebs, so if you don't you'll need to pre-download these files and put them into the correct location yourself.

The enterprise samba site provides a yum repository so that you can install their binaries via the yum command line. Here's how you install the repository:
cd /etc/yum.repos.d
sudo wget http://ftp.sernet.de/pub/samba/3.5/centos/5/sernet-samba.repo # if centos 5
sudo wget http://ftp.sernet.de/pub/samba/3.6/centos/6/sernet-samba.repo # if centos 6
Now that you have the repository installed, you can install samba:
sudo yum install samba3 samba3-client samba3-winbind libsmbclient0 libwbclient0
yum will figure out all the dependencies, which you should accept.

Okay! Let's configure pam, nsswitch, samba, and kerberos! I'm going to use the built-in GUI that comes with CentOS 5.5, but I'll also post screenshots of the files that get updated by the GUI so you can edit the files manually if you aren't running X.

NEW CENTOS 6 INSTRUCTIONS!!  If you are running CentOS 6 instead of CentOS 5, do not use the GUI as I just suggested.  Instead, let's use the authconfig command-line tool to get everything correct.

sudo authconfig \
  --enableldap \
  --enablemkhomedir \
  --ldapserver=ldap://dc1.devexample.com:389 \
  --ldapbasedn=dc=devexample,dc=com \
  --enablewinbind \
  --enablewinbindauth \
  --smbsecurity ads \
  --enablewinbindoffline \
  --smbservers=dc1.devexample.com \
  --smbworkgroup=DEVEXAMPLE \
  --smbrealm DEVEXAMPLE.COM \
  --disableldaptls \
  --enablekrb5 \
  --krb5kdc=dc1.devexample.com \
  --krb5adminserver=dc1.devexample.com \
  --krb5realm=DEVEXAMPLE.COM \
  --enablekrb5kdcdns \
  --enablekrb5realmdns \
  --smbidmapuid=16777216-33554431 \
  --smbidmapgid=16777216-33554431 \
  --winbindseparator=+ \
  --winbindtemplatehomedir=/home/%U \
  --winbindtemplateshell=/bin/bash \
  --enablewinbindusedefaultdomain \
  --winbindjoin=Administrator \
  --disablesssd \
  --disablesssdauth \
  --enablepamaccess \
  --enablesysnetauth \
  --nostart \
  --update

(The trailing backslashes make this one single command spread over several lines; type it exactly that way or put it all on one line.)

This will ask you for the domain administrator's password and immediately join you to the domain. If you have your own domain administrator account that isn't 'Administrator', change --winbindjoin=Administrator to your account name. Only do this if your account is a domain admin.

This ought to have joined you successfully to the domain, in which case you only need to add an entry into DNS on your Windows Domain Controller before you're completely done. See my instructions below on how to add a DNS entry.

END OF CENTOS 6 INSTRUCTIONS.

Open your Authentication Configuration GUI from System > Administration > Authentication.

Check "Enable Winbind Support" and then "Configure Winbind". Here are the settings I'm using - you'll want to replace them with your own, obviously. Don't click "Join Domain" - you have more configuring before you're ready to do that!

It's important that your winbind ADS realm is in ALL UPPERCASE. Notice that the winbind domain doesn't have .com after it - DEVEXAMPLE is the NetBIOS name of the domain, which is what winbind wants. Also notice that I've set Winbind Domain Controllers to a star (*). This makes winbind use DNS to look up the domain controllers for the devexample.com domain. This is recommended because if you set it to dc1.devexample.com and that server dies, your CentOS box won't automatically fail over to the backup domain controller. Also, if you want to do things like kerberize JBoss, you need winbind to use DNS to look up the domain controller, because otherwise Java will construct an incorrect service principal name when it tries to bind to LDAP.

Click OK and go to the Authentication tab. Check "Enable Kerberos Support" and then "Configure Kerberos...". Here's what my settings look like.

It's important that the REALM be in ALL UPPERCASE. Click OK. Now check "Enable Winbind Support" and "Configure Winbind...". Again, here are my settings. Again, don't click "Join Domain".

Click OK and then go to the options tab. Here's what I have for that tab:

Click OK to close out the GUI. We're almost done! The reason that we didn't click "Join Domain" at all was because we still have a little bit of configuration and cleanup to do before we attempt domain joining.

There's nothing that needs to be done in your /etc/nsswitch.conf file, but I'm including it here in case you are running a headless server and need to edit it yourself.

First, we need to add some parameters to the pam configuration file, /etc/pam.d/system-auth. Just a few lines up from the bottom of the file, find:
session     optional      pam_mkhomedir.so
and append the parameters skel=/etc/skel umask=0027 to that line, so that it reads:
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0027
sudo nano /etc/pam.d/system-auth
What did you just do? When new domain users log onto your CentOS box for the first time, their home directory will be created and its contents will be copied from /etc/skel and permissions on the new user's home directory will be reasonable.

Next, let's clean up our kerberos configuration file. Even though you just used the GUI to configure kerberos for your domain, /etc/krb5.conf still has "fake" entries for example.com that we should remove. Look at the image below to see the final state of my krb5.conf file.

Finally, let's edit our samba/winbind configuration. Here's my final state:

These are the lines that I added or changed:

template homedir = /home/%U

This tells the system to create home directories for new domain users in /home/[username]. This is nice and clean and lives side-by-side with local users. Because of this, if you're going to have local system users or if your domain forest has more than one domain in it, you'll want to set this to /home/%D/%U instead. That way, there will be no chance of name conflicts. None of those caveats apply to my example, so I used the simpler option (/home/%U).

winbind enum users / groups

This causes the 'getent passwd' and 'getent group' commands to include domain users and groups in their output.

winbind separator

You know how on windows your domain account can be represented as DOMAIN\user? Well, using a backslash as a separator can cause real problems in Linux, or at least headaches and confusion. So what I've done is configure the separator to be the plus symbol (+) - because it has far fewer issues in Linux (actually, I've never had any). Domain users will now log onto your CentOS box as DOMAIN+user. Any scripts that reference domain users or groups will also use DOMAIN+user.

winbind use default domain = true

When this is set to true, I can log into my CentOS box with domain accounts without having to prefix the username with DOMAIN+. If your users will be logging in from multiple domains in equal proportion, you probably don't want to set this to true.
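The clock-skew warning in the NTP section and the smb.conf settings just walked through are the things that most often break a join, so here is a small POSIX sh checker to run before you join. This is an added example, not part of the original post: it reads the [global] keys that authconfig writes (realm, workgroup, password server) and the offset line printed by 'ntpdate -q'; the function names, the default paths and the 120-second bound (taken from the post's "1-2 minutes" remark) are my assumptions.

```shell
#!/bin/sh
# Pre-join sanity checks for the hand-edited settings in this tutorial.
# Added example, not part of the original post. Every function takes its
# input as an argument, so it can be run against test copies of the files;
# the paths in run_checks are only defaults. Exit status 0 = check passed.

# Print the value of <key> from the [global] section of an smb.conf,
# skipping '#' and ';' comment lines. Keys compare case-insensitively,
# which is how Samba itself treats them.
smb_global() {  # smb_global <smb.conf> <key>
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { inglobal = (tolower($0) ~ /^[ \t]*\[global\]/); next }
    inglobal && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (tolower(k) == key) { print v; exit }
    }' "$1"
}

# The Kerberos realm must be ALL UPPERCASE (stressed twice in the post).
check_realm_upper() {  # check_realm_upper <smb.conf>
  realm=$(smb_global "$1" realm)
  [ -n "$realm" ] || return 1
  [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]
}

# workgroup is the NetBIOS domain name (DEVEXAMPLE), not the DNS name
# (devexample.com); a dot in it is the usual sign of that mistake.
check_workgroup_netbios() {  # check_workgroup_netbios <smb.conf>
  wg=$(smb_global "$1" workgroup)
  [ -n "$wg" ] || return 1
  case $wg in *.*) return 1 ;; esac
  return 0
}

# 'password server = *' makes winbind locate DCs through DNS, so the box
# fails over if dc1 dies; a hard-coded host name does not.
check_dc_via_dns() {  # check_dc_via_dns <smb.conf>
  [ "$(smb_global "$1" 'password server')" = "*" ]
}

# Pull the offset (seconds) from the 'server ..., offset X, ...' line that
# 'ntpdate -q' prints and pass only if |offset| is below <max_seconds>.
check_clock_skew() {  # check_clock_skew <ntpdate_q_output> <max_seconds>
  offset=$(printf '%s\n' "$1" | sed -n 's/^server .*offset \([-0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$offset" ] || return 1
  awk -v o="$offset" -v max="$2" 'BEGIN { if (o < 0) o = -o; exit !(o < max) }'
}

# Run all checks against the live files. 120 s is used as the bound because
# the post puts the Kerberos failure point at a 1-2 minute variance (assumption).
run_checks() {  # run_checks [smb.conf] [ntp_server]
  conf=${1:-/etc/samba/smb.conf}
  server=${2:-dc1.devexample.com}
  for c in check_realm_upper check_workgroup_netbios check_dc_via_dns; do
    if "$c" "$conf"; then echo "PASS $c"; else echo "FAIL $c"; fi
  done
  if check_clock_skew "$(ntpdate -q "$server" 2>/dev/null)" 120; then
    echo "PASS check_clock_skew"
  else
    echo "FAIL check_clock_skew (skew over 120 s, or ntpdate -q failed)"
  fi
}
```

Source the file and call run_checks as root on the box you are about to join; a FAIL line points at the setting to fix before running the join.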
Now that we've configured samba and winbind, let's tell CentOS to start those services every time it boots.
sudo chkconfig --level 345 smb on
sudo chkconfig --level 345 winbind on
We are getting so close to the end! Before we join to the domain, let's configure our sudoers list so that Domain Admins can execute commands as root.
EDITOR=nano visudo
That's it for configuring your CentOS box for membership in an AD domain. You have one more thing to do before joining - create a DNS entry on your domain controller!

Log onto your Windows domain controller and open up your DNS Manager from Administrative Tools. First, you're going to create a reverse lookup zone (if one doesn't already exist), then you're going to add an A entry for your CentOS box.

If you don't have a reverse lookup zone, follow these instructions to create one. When you're done, your DNS Manager ought to look like this:
Now, create an A record for your CentOS box:

IT'S TIME! (Unless you are using CentOS 6, in which case you've already joined the domain. Skip the join command here, but definitely reboot even on CentOS 6.)

Back on your CentOS box, join to the domain:
su -
net ads join -U Administrator osName="CentOS" osVer="5.5"

Reboot! Reboot! When your CentOS box comes back up, login as a domain user. GOGOGO!

While you're rebooting your CentOS machine, go back to your domain controller and notice that there's now an APP01 entry in your "Active Directory Users and Computers" MMC.

Once your CentOS box comes back up, login with a domain user account and see that it knows who you are and what groups you're a member of.

You have successfully joined CentOS to your Windows domain!

Comments

  1. Awesome Tutorial! I just installed my first ever CentOS box and this was the first thing I wanted to accomplish, Thanks! Definitely couldn't have done it without your help/knowledge/blog_post

  2. Hi, really it's good help for me, thanks.
    I need one more help: how to give samba share folder access, add a user or delete a user from Windows?

    example:
    I have shared one data folder from Linux, then I open the data folder from Windows and add some sub folders like admin, sales. I need to access them from Windows for the admin group and sales group from ADS.

  3. I haven't tried it, but it looks so great.

    Thanks

  4. @Josephnetworks - sorry about your comment: it got marked as spam and I just now saw it.

    I think you might want to look at these two links:

    http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html

    http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html

    I hope that helps.

  5. CentOS 6.2 Samba 3.6.3
    service winbind start doesn't start winbindd.
    In log.winbindd:
    [2012/03/15 16:46:48.715072, 0] lib/util_sock.c:1369(create_pipe_sock)
    bind failed on pipe socket /var/lib/samba/winbindd_privileged/pipe: Address already in use

    can you help, or give a link for docs?

    Thanks

  6. "Address already in use" means that something is already bound on the ports that winbind uses. Typically, that means that winbind is already running. In that case, you'll want to use service winbind restart.

    If your old instance of winbind got messed up and crashed but didn't release the port, you might have to kill -9 winbind.

    Good luck

  7. Great Tutorial John!
    Just one issue on the last bit concerning "sudoers" configuration.
    My domain is "EMEA.ABC.YZ.COM" and my domain admin group via AD is called "emea-abc-xyz-sysadmins". So I tried the following configuration in "sudoers":

    %EMEA.ABC.YZ.COM+Domain\emea-abc-xyz-sysadmins ALL=(ALL) ALL

    However, when I try to do something like "sudo nano /etc/sudoers", I get asked for the root password but it always fails :-(

    I even tried the following 2 different lines, both failing as well:

    %EMEA.ABC.YZ.COM+Domain\\emea-abc-xyz-sysadmins ALL=(ALL) ALL
    %EMEA+Domain\\emea-abc-xyz-sysadmins ALL=(ALL) ALL

    Any ideas?
    Thanks,
    Mike

  8. Hi Mike,

    I'm really glad that you found the tutorial useful. I see what your error is, yes.

    If you look closely at my screenshot of the sudoers file, you'll notice that what I'm doing is giving Domain Admins sudo privileges. Since domain admins is a group in AD, I prepend the entry with % (percent). So far, so good, right?

    Ok, now notice that the reason that I have Domain\ Admins is because I'm escaping the space in the name "Domain Admins". So my entry takes the format: %REALM+group.

    So what you want for your entry is: %EMEA.ABC.YZ.COM+emea-abc-xyz-sysadmins

    That should do it for you.

  9. Thanks John. This fixed the issue!
    Regards,
    Mike

  10. Hi, I have CentOS 6.2. After reboot I can't log in to the domain, I keep getting authentication failure. I have tried \ user@ etc... I either get Error in Service Module when using only, otherwise I get Authentication Failure.

    Thanks,

    Ron

    Replies
    1. I should have clicked preview.
      I tried the various formats of a username for Windows...
      When I use only the username I get Error in Service Module. All others give me Authentication Error.

      Thanks again...

  11. Ron, that's pretty strange. I've followed these instructions 4 times on vanilla CentOS 6 boxes now, so I'm certain they work. My best guess, therefore, is that you missed a step? Are you working from a vanilla install too? I'm really sorry, but "Error in Service Module" doesn't mean anything to me. My best advice is to re-install and start over again.

    If you found any part of my instructions hard to understand, let me know and I'll try to make them clearer, ok?

    Replies
    1. Sorry late response. I overlooked and didn't try + maybe highlight that part of the doc.

      Thank you!

  12. Great article! I have never worked on CentOS at all. Strictly a MS windows admin. Went through these steps and voila! worked like a charm. Thanks for a great article - keep up the work.

  13. BTW - read this article http://www.serverwatch.com/trends/article.php/3884621/From-Obsolete-Servers-to-Private-Cloud-in-3-Easy-Steps.htm
    now I'm going to try to cluster two CentOS systems - both have same exact HW. I need a good article on that. any help would be great!!

  14. Hello, I joined CentOS 6.2 into Windows Server 2008 R2 successfully, and network access by a domain user from Windows XP works successfully, but when I open the folder which is shared, it says "access is denied". Can you help me with this problem?

  15. Ron Duong, is the shared folder on Windows XP or on CentOS? If it is on CentOS, what does your smb.conf look like, and what are the unix file permissions of the shared folder?

    Replies
    1. Hello John Ruiz, the shared folder, named public, is on CentOS. The permission of the shared folder is
      drwxrwxrwx. 2 root root 4096 Apr 4 15:12 public
      My smb.conf: (tinhoc is a domain group of Windows Server 2008; I access by DULICHDAINAM\loit from Windows XP, which is a member of group tinhoc)

      [global]
      workgroup = DULICHDAINAM
      realm = DULICHDAINAM.COM
      server string = Samba Server Version %v
      security = ADS
      password server = dcsrv.dulichdainam.com
      log file = /var/log/samba/log.%m
      max log size = 50
      idmap uid = 16777216-33554431
      idmap gid = 16777216-33554431
      template homedir = /home/%U
      template shell = /bin/bash
      winbind separator = +
      winbind use default domain = Yes
      winbind offline logon = Yes
      cups options = raw

      #============================ Share Definitions ==============================

      [homes]
      comment = Home Directories
      browseable = no
      writable = yes
      ; valid users = %S
      ; valid users = MYDOMAIN\%S

      [printers]
      comment = All Printers
      path = /var/spool/samba
      browseable = no
      guest ok = no
      writable = no
      printable = yes

      # Un-comment the following and create the netlogon directory for Domain Logons
      ; [netlogon]
      ; comment = Network Logon Service
      ; path = /var/lib/samba/netlogon
      ; guest ok = yes
      ; writable = no
      ; share modes = no


      # Un-comment the following to provide a specific roving profile share
      # the default is to use the user's home directory
      ; [Profiles]
      ; path = /var/lib/samba/profiles
      ; browseable = no
      ; guest ok = yes


      # A publicly accessible directory, but read only, except for people in
      # the "staff" group
      ; [public]
      ; comment = Public Stuff
      ; path = /home/samba
      ; public = yes
      ; writable = yes
      ; printable = no
      ; write list = +staff
      [public]
      path = /public
      valid users = +tinhoc
      write list = +tinhoc

  16. John Ruiz, the shared folder, named is public, is on CentOS. The permission is
    drwxrwxrwx. 2 root root 4096 Apr 4 15:12 public
    My smb.conf is
    [global]
    workgroup = DULICHDAINAM
    realm = DULICHDAINAM.COM
    server string = Samba Server Version %v
    security = ADS
    password server = dcsrv.dulichdainam.com
    log file = /var/log/samba/log.%m
    max log size = 50
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template homedir = /home/%U
    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = Yes
    winbind offline logon = Yes
    cups options = raw
    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
    [public]
    path = /public
    valid users = +tinhoc
    write list = +tinhoc


    tinhoc is a domain group of AD. I access CentOS (from WinXP) as DULICHDAINAM\loitt (loitt is a member of the tinhoc group) and that is OK, but when I open the public folder I receive "access is denied".

    Please help me this problem.

    Replies
    1. Hello John Ruiz, I resolved this problem. I forgot to disable SELinux, so I could not access the folder. Thanks

  17. Thank you so much, I was looking for a good tutorial for Centos 6 for quite a while and had to revert some snapshots until I found you :)

  18. Thanks for your help...I'm an Oracle DBA and I tried following other steps...nothing worked...but these steps worked well...I am also a blogger...will create a deployment...and I will be using your page as my reference... thanks...

  19. Dear John,

    When I'm trying to log in with my domain username and password it says "System Administrator has been Disabled your Account"

    Also I fail to edit /etc/sudoers, as it says 'Read Only' once I save the file.

    Please help me on this as I'm a little bit stuck here

    Thank You

  20. Chathura -

    Sorry to hear that you're having problems.

    First, the reason you can't save your /etc/sudoers file is because you're not root. Did you successfully run "su -" before trying to run the "visudo" command?

    The error message you're getting when you log in with your domain username and password doesn't make any sense - it's not a grammatically correct sentence. Could you please copy it more precisely? Also, are you trying to log in with DOMAIN+username, or just with username?

  21. Dear John,

    Thanks for your support in this regard. I just installed a fresh copy, did the above steps again and successfully joined CentOS to the Windows domain environment.

    But I have another issue: I'm trying to use CentOS 5.8 as my company file server.

    Could you please let me know how I manage the shares with Windows user permissions?

    Your support regarding this is highly appreciated.

  22. Hey John,

    Thanks for the write-up. I followed it on a test DC and CentOS 6 VM I spun up before I try it on a company production server. I am a noob at Linux, mainly a Windows Server guy; I am unable to log in to the CentOS box, I keep getting authentication failed.

    username@testdc.com
    username@testdc01.testdc.com
    TESTDC01\username

    Thanks for any assistance in advance.

    Replies
    1. Hi Ruchirp,

      Did you try Centrify DC to join the Linux box to the AD environment??

      It has worked for me

  23. RuchirP,

    If you followed my steps, then the separator character between the domain and the username is the plus sign (+), not the backslash that you're used to on windows (\). This is because linux can have all sorts of issues with backslashes, but is typically pretty good with the plus sign.

  24. Thanks! The domain+username did the trick.

  25. Hello John,

    Thank you for this Tutorial, I followed the advice and everything works well.

    Just one problem: when I create a share, I can get into it but I cannot create a "new file".

    I would also like to manage the rights from the Windows 2003 server.
    To be clear:

    Adding domain users to files from Windows. But it does not work.

    Here is my smb.conf:

    [global]
    #--authconfig--start-line--

    # Generated by authconfig on 2013/02/05 17:41:25
    # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
    # Any modification may be deleted or altered by authconfig in future

    workgroup = EPHAD
    password server = *
    realm = EPHAD.LAN
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    template homedir = /home/%U
    winbind enum users = true
    winbind enum groups = true
    winbind separator = +
    winbind use default domain = true
    winbind offline logon = true
    nt acl support = yes
    inherit acls = Yes
    map acl inherit = Yes
    map archive = no
    map hidden = no
    map read only = no
    map system = no
    store dos attributes = yes
    inherit permissions = Yes

    #--authconfig--end-line--
    ; printing = cups
    printcap name = cups
    load printers = yes

    [administration]
    valid users=Mydomain\Administrateur
    comment="Fichiers Administration"
    path=/volume
    browseable=yes
    public = yes
    writable = yes
    printable = no
    nt acl support = yes

    Thanks John.

    Replies
    1. Nice tutorial John. It fully works for me. Fine. But how to do vice versa, meaning how to add a Windows machine into a Linux domain (Samba DC/LDAP DC)..?

    2. Haha. Good luck! It's supposedly possible with Samba 4, but I'll believe it when I see it.

  26. Hello John,

    I've followed your steps but unfortunately am having trouble logging in as a domain user. Have tried using DOMAIN\user and DOMAIN+user (following your previous comment) but I still get "Access Denied".

    As this is fairly generic, where should I begin troubleshooting? Can post you config files (or a section thereof) if you need.

    Thanks in advance,

    Ben

    Replies
    1. Hi Ben. Without looking at any logs at all, my best guess is that there's something going on with the trust relationship between your CentOS box and your domain controller. There's a number of tests that you can run to check that your trust is setup correctly. Here's a good resource that I just found: http://cainmanor.com/tech/basic-samba-active-directory-troubleshooting-using-wbinfo/ I'll bet you that one or more of those commands fails for you.

      If that ends up being the case, here are some common things to check:
      1. Believe it or not, it's often the case that clocks get out of sync. I often find myself surprised (and mad) that somehow my previously in-sync CentOS box is now randomly 4 hours off.
      2. Stupid mistakes like typos in your smb.conf, or your pam stuff
      3. samba/winbind has just decided to stop working. this happens to me every so often. restart your CentOS box. Yes, sometimes that works for linux too :)
      4. nscd is running on your machine. ncsd? whatever. can't remember which it is any longer. one of those.
      5, 6, & 7. ??? welcome to the wonderful world of kerberos.

      let me know!

  27. Hello John,

    I think you may be onto something. Have gone through the steps listed in the article you found (thank you for posting that) and all but one of the tests complete successfully. The one which doesn't shows:

    $ wbinfo -t
    checking the trust secret for domain MYDOMAIN via RPC calls failed
    failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
    Could not check secret

    I've Googled this but haven't found anything particularly helpful. Have you seen this before?

    nscd is indeed installed on my machine.

    Thanks,

    Ben

  28. @BenWatson ... your problem is probably the same thing that i faced ...

    Start winbindd /usr/sbin/winbindd restart should do the trick

  29. Hello John,

    Fabulous tutorial .. wish I had got here first when I was setting up my Samba Server.

    A couple of requests ...

    a) Would be nice if there is a small write up on setting up share of the home folder for the AD users
    b) Small write up on using Groups.

    I understand that each topic is quite expansive by itself, but seeing how you compressed large books into one great blog - it would really be useful for folks if these shares are setup and explained.

    Thanks for this blog once again. I just wish I had gotten here first.

    Replies
    1. @Pats,

      I was considering re-writing this blog post to remove all GUI elements - so that you could easily do this on a headless server. But since I wrote this article, it's become a LOT easier to join windows domains, to the point where I'm not sure it'd be worth the effort (this was a large article!).

      Now as for the samba configuration and group configuration, that would probably still be pertinent. Could you expand a little bit on what you mean when you say "on using Groups"? How do you mean?

  30. John,

    What I was thinking of was along the lines of specifying Groups (for example - "smbuser" / "smbadmin" in the Windows Server, and then giving members of that Group(s) permissions on the Samba share.

    About the large article or the GUI elements, there are folks who prefer UI based admin tools. As for the CLI folks, there are plenty of sites to cater to them. I think your article is by far the best when it came to explaining "How to Join your CentOS server to a Windows Domain?"

    I'd be happy to supply you with a write-up for the part I suggested, once I fine-tune the Samba server.

    Great work on this blog - :)!

  31. I'm trying this with Samba 4 and CentOS 7. When I run the line for CentOS 6 (hoping the line is still accurate) I get:

    [/usr/bin/net join -w mimedxinc -S 10.0.112.32 -U sgenevish]
    /bin/sh: /usr/bin/net: No such file or directory
    authconfig: Winbind domain join was not successful.

  32. I know this is an old post but I wanted to thank you for this guide and to let you know that this still works today even with CentOS 6.7.

    We have a new set of AD environments and wanted to be able to authenticate Linux using the AD system. In our legacy environments we are using a mish mash of NIS and LDAP and have wanted to move to AD for some time.

    I've tried following the RedHat documentation for sssd and AD and didn't have much success. This how to was just the ticket to get everything moving.

    Replies
    1. Darin,

      Super-glad that 1) it still works, and 2) people are still finding it useful. It took me a long time and lots of debugging to distill it all into a How-To.

  33. Thanks for sharing such amazing content which is very helpful for us. Please keep sharing like this. Also check to learn Linux PAM Administration or many more.
