RHEL Winbind Authentication Against Active Directory

So you have a RHEL system and you want to authenticate it against your active directory. The good news is that Red Hat has made it easy for you to do this. The bad news is that they only get the most basic structure working for you. Here I will show you how to get WinBind authentication working using Authconfig, and how make it a little more seamless than this utility leaves it off.

It should be noted that while this works perfectly well, it is really not the best way to authenticate users against a UNIX host. Given the option, having your users in Open Ldap and PAM authenticating them against that would be a much better option. However, we don’t live in a perfect world, and sometimes we just have to make things work.

Let’s start by using authconfig to join your machine to the domain. This should all be done as the root user.

# authconfig

  • Select “Use Winbind” and Use “Winbind Authentication”. Remember to leave “Cache Information”, “Use MD5 Passwords” and “Use Shadow Passwords” selected.
  • Select “Next”
  • Under “Security Model” select “ads”
  • “Domains:” examplead (substatute with the name of your Active Directory)
  • “Domain Controllers:” adserver.domain.com (Again, substitute with the name of your Active Directory server)
  • “Template Shell:” /bin/bash
  • Select “Join Domain”
  • Select “OK”

Now your machine should be be on the domain. Test it to make sure you can see your AD users:

# wbinfo -u

You should see your users in the list.

The only problem is that to do anything with them, you have to express their user name in that annoying way Windows likes you to. Something like this:


Not very usefull. To get around this, simply edit “/etc/samba/smb.conf” and change this line:

winbind use default domain = no

to this:

winbind use default domain = yes

You should now be able to express AD usernames without the domain nonsense before it. Try it:

# finger username
Login: username                            Name: Username
Directory: /home/EXAMPLEAD/username        Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Finally check your “/etc/nsswhich.conf” file to make sure RHEL knows to use WinBind. Authconfig should have set this up for you, and it should have lines that look like this:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

That should do it you should be able to create home directories for all your AD users and let them authenticate away. Have fun.

17 thoughts on “RHEL Winbind Authentication Against Active Directory

  1. How does this get the username and password of a domain administrator that has the ability to add the computer to the domain? Or must “net ads join” be used if a username and password is required to add a user?


  2. Thanks, I’ll give it a try. I had specifically read something that had said not to join the domain from within authconfig so I was curious when I saw your post.

  3. Hey Mont,
    Let me know how it goes. I confess that I needed to get this task done quickly, so I saw authconfig as my best bet. I know there is a way to do it on the command line as well. It pretty much just worked for me, so hopefully it will do the same for you 🙂

  4. I’m looking for a way to provide single-sign-on to an environment without having to explicitly configure every single UNIX client to join the domain and auth against the ADS; my thought was to set up an LDAP server which would perform the authentication against the ADS by proxy.

    Is this possible? I have Solaris, HP and Linux clients, all of which I wish to be able to use single-sign-on.


  5. Pingback: markwilson.it » Some more on using Active Directory for Linux/Mac OS X user authentication

    • I think, that if you look closely at the post date of the article above that you will find it was written during the days of RHEL 4. I think also, that if you had taken the time to investigate, you would have found that authconfig-tui did not exist on that release, and was not part of RHEL until release 5. I should also say thatauthconfig-tui supports all options of authconfig but it implies –update as the default action.

      So, before writing wise ass comments, you may want to take some time and do a little research beforehand so that it’s not you who comes off looking foolish. Just some friendly advice.

  6. Hey there, thanks for the post.
    In a related vein, I have a RH server that used to do local NIS/Kerb authentication but now it authenticates users against an organization wide kerberos server. Everything is humming along except for cups/samba – windows users cannot connect to the print server and get an “access denied” info box. Most prominent error is the samba log stating “NT_STATUS_NO_LOGON_SERVERS”.
    Any hints on where to go from here?

  7. Cliff,
    After 2 days of trials, I did some thinking about our setup and there was really no need to do authentication on these shares so I made the security = share and that fixed my problems for now. 😉

  8. Thanks so much! It’s a permanent bookmark for me.

    A troubleshooting checklist would have helped in my case, as I was “cloning” a VMWare guest and ran into Winbind issues.

    Here’s my troubleshooter list thus far – Please feel free to contribute!

    1) DNS – is the host resolving properly, both at the AD server and on the system itself?

    2) /etc/hosts – Is it accurate and does it match DNS?

    3) AD – Did the server *really* join the domain? FIND the AD Object for the Computer.

    If it does not exist, then use:
    net ads join -U administrator
    and see where it went wrong.

    A very good source to explain the error codes and further diagnose:


  9. Pingback: /etc/PAM_UNIX2.conf on Redhat 5.5

Leave a Reply