Windows Domain Authentication

Very often companies run Windows networks: a bunch of Windows workstations, Windows domain controllers, and several Linux machines for server-specific tasks. In such situations, it is convenient to authenticate Linux users through the Windows domain controllers. This problem can be solved by means of the pam_smb module.

First of all, make sure this module is already installed on your system by running

# yum list | grep pam_smb
pam_smb          1.1.7-7.2.2          installed

and install it if it's not.

Then, we need to let Linux know that some of the users will be authenticated against the domain controller: run the Authentication program through the System/Administration/Authentication menu.

In the program, enter the root user password and click on the Authentication tab.
Make sure that the Enable SMB support box is checked and click on the Configure SMB button.

In the "SMB Settings" window we need to enter the information required for SMB authentication: the name of the Windows domain we would like to authenticate against and the names of the domain controllers that perform the authentication. In our case the name of the domain is Marshall and there are two domain controllers: mudc01 and mudc03.

Close out of the Authentication program by clicking OK. Now you can check the settings in the /etc/pam_smb.conf file. If everything is done correctly, the file should look like this:

MARSHALL
mudc01
mudc03

The first line contains the domain name, the second line contains the primary Windows domain controller, and the last line of the configuration file contains the secondary domain controller.

Please note that the pam_smb module doesn't perform NetBIOS name lookup; that is, it doesn't know the IP addresses of the machines (in our case mudc01.marshall.edu and mudc03.marshall.edu) we entered. To let Linux know what these addresses are, look them up by either running nslookup

# nslookup mudc01.marshall.edu
Name:   mudc01.marshall.edu
Address: 10.101.4.30

or by running the ping command, and then enter these addresses with the controller names in the /etc/hosts file:

10.101.4.30       mudc01
10.101.4.29       mudc03
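
Because pam_smb relies on /etc/hosts for the controller addresses, it is worth confirming that every controller named in /etc/pam_smb.conf actually has a hosts entry before you reboot. The function below is an added example, not part of the original article or of pam_smb; the name check_pam_smb_conf is hypothetical, and it assumes the three-line layout described above (domain, primary controller, secondary controller), skipping blank lines.

```shell
# Added example: check that the controllers listed in a pam_smb.conf-style
# file can be resolved through a hosts file.
#
# check_pam_smb_conf CONF HOSTS
#   Prints one line per problem found. Returns 0 when CONF holds a domain
#   name plus two controllers and both controllers appear in HOSTS,
#   1 otherwise.
check_pam_smb_conf() {
    local conf=$1 hosts=$2 status=0 n=0 line
    [ -r "$conf" ]  || { echo "cannot read $conf";  return 1; }
    [ -r "$hosts" ] || { echo "cannot read $hosts"; return 1; }

    while IFS= read -r line || [ -n "$line" ]; do
        # Strip carriage returns and surrounding whitespace.
        line=$(printf '%s' "$line" | tr -d '\r' |
               sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$line" ]; then continue; fi
        n=$((n + 1))
        if [ "$n" -eq 1 ]; then continue; fi   # line 1 is the domain name
        if [ "$n" -gt 3 ]; then break; fi      # only lines 2 and 3 are checked

        # Match the controller name against the hostname/alias columns of
        # every hosts line, ignoring comments and letter case.
        if ! awk -v h="$line" '
                { sub(/#.*/, "") }
                { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(h)) found = 1 }
                END { exit !found }' "$hosts"; then
            echo "no hosts entry for controller: $line"
            status=1
        fi
    done < "$conf"

    if [ "$n" -lt 3 ]; then
        echo "expected domain plus two controllers, found $n line(s)"
        status=1
    fi
    return $status
}
```

After loading the function into your shell, run check_pam_smb_conf /etc/pam_smb.conf /etc/hosts; no output and a zero exit status mean both controllers have hosts entries.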

As the last touch, we need to create the users that will be authenticated against the Windows domain. To do this, we simply create users with the same login names as their Windows login names and with no password:

# useradd btester112

When done, reboot the system and log in as the newly created user, providing the user's Windows password.

Note: this authentication will not override native Linux authentication. For example, you still connect as the root user with its Linux password.