RHEL Winbind Authentication Against Active Directory

So you have a RHEL system and you want to authenticate it against your active directory. The good news is that Red Hat has made it easy for you to do this. The bad news is that they only get the most basic structure working for you. Here I will show you how to get WinBind authentication working using Authconfig, and how make it a little more seamless than this utility leaves it off.

It should be noted that while this works perfectly well, it is really not the best way to authenticate users against a UNIX host. Given the option, having your users in Open Ldap and PAM authenticating them against that would be a much better option. However, we don’t live in a perfect world, and sometimes we just have to make things work.

Let’s start by using authconfig to join your machine to the domain. This should all be done as the root user.

# authconfig

  • Select “Use Winbind” and Use “Winbind Authentication”. Remember to leave “Cache Information”, “Use MD5 Passwords” and “Use Shadow Passwords” selected.
  • Select “Next”
  • Under “Security Model” select “ads”
  • “Domains:” examplead (substatute with the name of your Active Directory)
  • “Domain Controllers:” adserver.domain.com (Again, substitute with the name of your Active Directory server)
  • “ADS Realm:” ADSERVER.DOMAIN.COM
  • “Template Shell:” /bin/bash
  • Select “Join Domain”
  • Select “OK”

Now your machine should be be on the domain. Test it to make sure you can see your AD users:

# wbinfo -u

You should see your users in the list.

The only problem is that to do anything with them, you have to express their user name in that annoying way Windows likes you to. Something like this:

“EXAMPLEAD\\username”

Not very usefull. To get around this, simply edit “/etc/samba/smb.conf” and change this line:

winbind use default domain = no

to this:

winbind use default domain = yes

You should now be able to express AD usernames without the domain nonsense before it. Try it:

# finger username
Login: username                            Name: Username
Directory: /home/EXAMPLEAD/username        Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Finally check your “/etc/nsswhich.conf” file to make sure RHEL knows to use WinBind. Authconfig should have set this up for you, and it should have lines that look like this:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

That should do it you should be able to create home directories for all your AD users and let them authenticate away. Have fun.

Joining Samba Domains with Symantec Ghost

Because Symantec Ghost expects that everyone is going to use a “real” Active Directory Domain Controller, it fails when trying to automatically join samba domains, and I’ve always had to visit each machine after imaging it to manually join the newly imaged system to our domain. Needless to say, this is annoying when you manage over 300 systems.

Luckily, Alan Baker (who does not have a blog for me to link to) has managed to come up with a solution… For this, he is my hero of the month!
Here is how you do it… The trick is to create a post image command in your Ghost task that calls a little application called netdom.exe. You can add this file to your image and call it locally if you wish, or you can put it on a server and execute it using a UNC.

  • Download netdom.exe by clicking here. It is included in the Windows Support Tools package.
  • Modify your Ghost Distribute Task, click on the “Execute Command” Tab and add the following command, modifying it for your environment:

C:\Path\To\netdom.exe JOIN %computername% /Domain:Your_Domain /UserD:YourDomainAdmin /PasswordD:YourDomainAdminPassword /UserO:LocalMachineAdministrator /PasswordO:LocalMachineAdministratorPassword /REBoot


  • If you will be calling netdom.exe using a UNC, the command will look something like this:

\servername\sharename\netdom.exe JOIN %computername% /Domain:Your_Domain /UserD:YourDomainAdmin /PasswordD:YourDomainAdminPassword /UserO:LocalMachineAdministrator /PasswordO:LocalMachineAdministratorPassword /REBoot

This should save you a lot of time…. I know it has for Alan and I! Again, Thanks to Alan Baker for figuring this out, and sharing the info with me.