Linux Mail Server Setup and Howto Guide

This page will show you how to join your Linux server into the Active Directory domain, how to integrate the Active Directory user accounts into the Linux user accounts and how to authenticate users in Active Directory using Winbind, a component of Samba.

A better way to integrate Active Directory into your Linux mail server is by using Postfix’s Virtual User Accounts.

Samba is installed by default when you select the Server installation type during the installation process. In case you need to install or reinstall it, just add the Windows File Server package located in the Servers category using the Package Manager tool.

Setup and Configure Winbind

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Check the Enable Winbind Support and click Configure Winbind. This will launch the Winbind Settings window.

3. In the Winbind Settings window, set the Security Model to ads and fill in the Winbind Domain, Winbind ADS Realm and Winbind Domain Controllers. See sample settings below.

 

Winbind Domain

acme

Winbind ADS Realm

acme.local

Domain Controllers

server1.acme.local,server2.acme.local

To ensure the success of the Active Directory integration, make sure that you can ping the domain controllers and that the difference between the domain controllers’ clock and the mail server’s clock is not more than five minutes.

4. Click Join Winbind Domain. You will be asked to save your changes, click Save. In the Joining Winbind Domain window, fill in the Domain Administrator and Password. Click Ok when you are done. Click Ok again to close the Winbind Settings window.

5. Click the Authentication tab and check the Enable Winbind Support.

6. Click the Options tab and check the Local authorization is sufficient for local users. Click Ok when you are done.

7. Open the file /etc/samba/smb.conf for editing and change the key values below.

winbind use default domain = yes
winbind enum users = yes
obey pam restrictions = yes

8. Create the folder that will contain the home directory of the Active Directory users. From the terminal window, type in the commands below.

mkdir /home/DOMAIN
chmod 777 /home/DOMAIN

Replace DOMAIN with your domain. Make sure to capitalize your domain like ACME in our example.

We changed the directory permission to 777, meaning anyone can read, write and execute because the users’ home directory will be created later by Postfix or Dovecot when a mail is received or a user checks his email. The created home directory on the other hand will have its permission set to read, write and execute by the owner only.

9. Edit the file /etc/pam.d/system-auth and add the line session required pam_mkhomedir.so skel=/etc/skel/ umask=0022. This will automatically create the user’s home directory whenever a PAM session is opened. Dovecot will be opening the PAM session thus automatically creating the user’s home directory.

10. Restart the winbind service. Learn how to restart services here.

Test the Active Directory Integration

1. From a terminal window, type in wbinfo -u. You should see the Active Directory user accounts.

2. Try the Active Directory authentication, type in wbinfo -a “username”%”password”.

3. Finally, type in getent passwd. You should see the Linux system accounts along with the Active Directory user accounts.

If it doesn’t work, visit the Active Directory Troubleshooting page.

 

«« Previous: MailScanner and Postfix Integration

Next: Postfix AD Distribution List »»

 

***
Posted on 4/25/2007 and last updated on 5/31/2008
Filed under Active Directory , CentOS 5 , Red Hat Enterprise Linux 5 , Samba

Share This

 

8 Responses to “Active Directory Integration with Samba for RHEL/CentOS 5”

1. Ian Says:
   February 15th, 2008 at 10:54 am

   In a world of dodgy tutorials, especially dodgy linux tutorials,this was brilliant.
   Thank you very much

2. Francis Says:
   April 28th, 2008 at 10:40 pm

   Hi,

   May I know the version of samba that was used with this setup? I’m using the latest upgrade from CentOS repos and it doesn’t work. I’m theorizing that it’s a samba version problem since I’ve seen in other forums that some versions work, others just don’t specially the one that came with CentOS 5.1

3. consultant Says:
   April 29th, 2008 at 12:37 am

   I got this working in CentOS 5.1
   wbinfo -V tells me its version is 3.0.25b-0.el5.4

4. Francis Says:
   April 29th, 2008 at 11:01 am

   Thanks. We have the same version. It worked! I don’t know, maybe may previous setup was just so messed up I guess.

5. Francis Says:
   May 5th, 2008 at 10:52 pm

   Hi,

   In my setup, this line:

   winbind use default domain = yes
   winbind enum users = yes
   obey pam restrictions = yes

   should be:

   winbind use default domain = true
   winbind enum users = true
   obey pam restrictions = true

   Does this matter in a big way?

6. consultant Says:
   May 5th, 2008 at 11:32 pm

   No, they are both the same. According to man smb.conf

   The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved in string values. Some items such as create modes are numeric.

7. Manish Says:
   August 8th, 2008 at 11:34 am

   Hi….It worked as in we can login using the domain accnt but there are no policies being implemented by AD…Is there a way to give root rights to the domain accnt???

   thanks

8. consultant Says:
   August 8th, 2008 at 2:24 pm

   Sorry, that’s not possible. Check out Centrify DirectControl at http://www.centrify.com/directcontrol/grouppolicy.asp it might help.

Leave a Reply