elfLegolas
Join a Windows 2000 Domain
I scoured the forums here and googled all the information on this topic but was not able to do what I want to do. I'd really appreciate it if someone could walk me through this:
All I want to do is to get a RedHat 9 machine to join a Windows 2000 domain so I can log in with my network login here. Without joining the domain, I can still get to the internet, but using other network resources is a bear. I have limited administrative privileges for my department, where I can easily create a machine name in Windows and attach it to the domain. In Windows XP Professional, all I have to do is go into the Computer Name tab in System Properties, click the Network ID button, type in details like the machine name and domain, and it joins the domain!
How do I do this exact thing in RH9?
Thanks in advance
ASKER
We currently have an NT domain but will be moving to AD pretty soon (about 3 months or so). td_miles' suggestion worked wonderfully and I got the 'welcome to the domain' message. However, two questions:
1. Where to from here. Thinking in Windows terms, I can select the domain name at the login prompt and enter a valid username and password, and I would be authenticated. Does it work the same way in Linux/Samba?
2. How does the equation change when we move to AD?
Thanks
For the second question, check http://insight.zdnet.co.uk/software/developer/0,39020469,2122363,00.htm
For the first part, I don't know exactly, but you should check the support of your window manager (e.g. KDE, GNOME).
I know that you can do it against an LDAP server.
Hope this helps.
1. To authenticate your Linux box logons against the Windows domain, you need to do two things:
(i). Create an account on the Linux box that has the SAME username as the Windows domain account. Don't worry about making the password the same, just the username.
(ii). Run the command "authconfig" from a Linux shell. Go to the section to configure SMB authentication. Enable it and put in your domain controller IP address(es).
Now when you log on to the Linux box, it will use the Windows domain controller to authenticate your password. There may be a way to do this without a local user profile on the Linux box, but I don't know of it. It is still using the local profile, just verifying the password using SMB authentication back to the Windows domain.
2. Shouldn't change at all in AD. We have the exact same setup in a Win2k AD domain and it works just fine.
What if you want any domain user to be able to log in to a Linux box without having to add accounts for all users on the Windows domain to the Linux box?
Hi nerak99,
First you add winbind to your nsswitch.conf:
passwd: files winbind
group: files winbind
hosts: files dns winbind
Add your realm to Kerberos in krb5.conf.
Authenticate:
# kinit user@REALM
Join the domain in Active Directory:
# net ads join -S DC -U user    # -S names a domain controller; leave off %passwd and net prompts, so the password stays out of ps output and shell history
Join the domain in an NT domain:
# net rpc join -S DC -U user
In smb.conf:
Active Directory:
[global]
   workgroup = DOMAIN          ; NetBIOS name of the domain (needed for both join types)
   security = ADS
   encrypt passwords = yes     ; the Samba parameter is "encrypt passwords" (not "password encrypt")
   realm = REALM.COM
   idmap uid = 10000-20000     ; dedicated range so domain accounts never collide with local uids
   idmap gid = 10000-20000
   template shell = /bin/bash
   template homedir = /home/win2k/%D/%U   ; the parameter is "template homedir" (not "template home")
   winbind separator = +
NT domain:
[global]
   workgroup = DOMAIN
   security = DOMAIN
   encrypt passwords = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   template homedir = /home/win2k/%D/%U
   winbind separator = +
Create the home directories.
Run smb, nmb and winbind.
You can probe winbind with:
# wbinfo -u
# wbinfo -g
# getent passwd
# getent group
For a local login you need to edit your PAM settings, depending on your system.
In Red Hat, you need to edit the file system-auth.
In SuSE, login and xdm.
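The join procedure above, as an added example that is not part of the original thread: a POSIX shell script that renders the smb.conf [global] section for either join type, a matching krb5.conf and the join command, and checks that nsswitch.conf really consults winbind. It writes nothing to /etc. The realm EXAMPLE.COM, the NetBIOS domain EXAMPLE, the controller dc1.example.com and the joining account "joiner" are assumed placeholders. It uses the parameter names as the Samba man page spells them (encrypt passwords, template homedir) and leaves the password off the join command so that net prompts for it instead of recording it in shell history.

```shell
#!/bin/sh
# Added example (not from the original thread): render the Samba and Kerberos
# configuration for a winbind domain join and check nsswitch.conf, without
# touching the live system. Assumed names: realm EXAMPLE.COM, NetBIOS domain
# EXAMPLE, domain controller dc1.example.com, joining account "joiner".

# Render the smb.conf [global] section. MODE is "ads" (Active Directory,
# Kerberos) or "domain" (classic NT4-style join over RPC).
smb_global() {
  mode=$1; realm=$2; workgroup=$3
  printf '[global]\n'
  printf '   workgroup = %s\n' "$workgroup"
  case $mode in
    ads)
      printf '   security = ads\n'
      printf '   realm = %s\n' "$realm" ;;
    domain)
      printf '   security = domain\n' ;;
    *)
      echo "smb_global: mode must be ads or domain" >&2
      return 1 ;;
  esac
  # "encrypt passwords" is the real parameter name; it is the default in
  # Samba 3, but stating it documents intent.
  printf '   encrypt passwords = yes\n'
  # A dedicated uid/gid range keeps winbind-allocated domain accounts from
  # ever colliding with local users in /etc/passwd.
  printf '   idmap uid = 10000-20000\n'
  printf '   idmap gid = 10000-20000\n'
  printf '   winbind separator = +\n'
  printf '   winbind use default domain = no\n'
  printf '   template shell = /bin/bash\n'
  printf '   template homedir = /home/%%D/%%U\n'
}

# Render krb5.conf for the realm; KDC is the domain controller's DNS name.
krb5_conf() {
  realm=$1; kdc=$2
  lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# Build the join command. -S names a domain controller; no "%password" is
# appended, so net prompts and the secret never appears in ps or history.
join_cmd() {
  mode=$1; dc=$2; user=$3
  case $mode in
    ads)    printf 'net ads join -S %s -U %s\n' "$dc" "$user" ;;
    domain) printf 'net rpc join -S %s -U %s\n' "$dc" "$user" ;;
    *)      return 1 ;;
  esac
}

# True when both the passwd and group lines of FILE list winbind as a source.
nsswitch_ok() {
  file=$1
  grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$file" &&
  grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$file"
}

# Post-join check (needs winbindd running on a joined box, so only defined
# here): wbinfo -t validates the machine trust account, and the first domain
# user listed must resolve through NSS with the "+" separator.
verify_join() {
  wbinfo -t || return 1
  first=$(wbinfo -u | head -n 1)
  printf '%s' "$first" | grep -q '+' || return 1
  getent passwd "$first" >/dev/null
}

if [ "${1:-}" = demo ]; then
  smb_global ads EXAMPLE.COM EXAMPLE
  krb5_conf EXAMPLE.COM dc1.example.com
  join_cmd ads dc1.example.com joiner
fi
```

Run it as "sh winbind-join-prep.sh demo" to print the rendered files, copy them into /etc/samba/smb.conf and /etc/krb5.conf, run the printed join command, start winbindd, and then call verify_join from the same file to confirm the machine trust account works before touching PAM.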
Check out:
http://www.redmondmag.com/columns/article.asp?EditorialsID=858
I followed this paper to the letter with Fedora Core 3 and it works very well. The only step I found missing was that I also needed to add a folder /home/"my domain name" and set its permissions to 777. Now I can log in with any Windows account. I have been trying to make this work for months, and this is the only time I have had success.
After you follow this article, run the command:
wbinfo -g
This will show you your AD groups.
This next part is easiest if you install SWAT.
Start your Samba daemons, create a share in Samba and add:
valid users = "domain\security group"
Use the quotes, especially if your Windows group name has any spaces in it, and make sure it matches what you saw in the wbinfo -g command.
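The post-join pieces discussed above, as an added example not from the original thread: a shell script that renders a Red Hat-style /etc/pam.d/system-auth with pam_winbind and pam_mkhomedir, so each domain user's home directory is created on first login instead of relying on a world-writable /home/<domain> (a 777 parent lets any local account pre-create, and seed with dotfiles, another user's home directory); checks that parent directory's permissions; and renders a share stanza limited to one domain group in the form smbd expects, a leading @ to mark a group, quoted because of the space, using the + separator from the earlier smb.conf. The domain EXAMPLE, share name dept, path /srv/dept and the group Domain Users are assumed placeholders, as is the PAM stack itself, which is modelled on what authconfig of that era wrote.

```shell
#!/bin/sh
# Added example (not from the original thread): the PAM and smb.conf pieces
# that let any domain user log in to a joined box. Assumed: Red Hat-style
# /etc/pam.d/system-auth, winbind separator "+", NetBIOS domain EXAMPLE,
# home directories under /home/EXAMPLE.

# Render system-auth. pam_unix runs first so root and local accounts keep
# working if winbindd is down; pam_winbind reuses the typed password;
# pam_mkhomedir creates /home/EXAMPLE/<user> on first login with umask 0077,
# so the parent directory never needs to be world-writable.
pam_system_auth() {
  cat <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      pam_unix.so
EOF
}

# The per-domain parent of the home directories must exist before the first
# login, but it should be root-owned and 0755, never 0777: with a
# world-writable parent any local account can create another user's home
# directory ahead of time and plant a .bashrc or .ssh in it.
home_parent_ok() {
  dir=$1
  [ -d "$dir" ] || return 1
  perms=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxr-xr-x
  case $perms in
    d???????w?) return 1 ;;             # other-write bit set
  esac
  return 0
}

# Render a share open to one domain group only. As listed by "wbinfo -g"
# with separator "+", the group is e.g. "EXAMPLE+Domain Users"; the leading
# @ tells smbd it is a group (without it smbd looks for a user of that
# name) and the quotes protect the embedded space.
share_for_group() {
  name=$1; path=$2; group=$3
  printf '[%s]\n' "$name"
  printf '   path = %s\n' "$path"
  printf '   valid users = @"%s"\n' "$group"
  printf '   writable = yes\n'
  printf '   create mask = 0660\n'
  printf '   directory mask = 0770\n'
}

if [ "${1:-}" = demo ]; then
  pam_system_auth
  home_parent_ok /home/EXAMPLE || echo "/home/EXAMPLE missing or world-writable" >&2
  share_for_group dept /srv/dept "EXAMPLE+Domain Users"
fi
```

Install the rendered stack as /etc/pam.d/system-auth only after verify-style checks (wbinfo -t, getent passwd) pass, keep a root shell open while testing a domain login, and create the parent with "mkdir -m 0755 /home/EXAMPLE" rather than chmod 777.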
Also, I don't think there is a need for a password server entry. You can code the WINS server's IP (in case you work with an NT domain).