21.9 About Winbind Authentication

21.9.1 Enabling Winbind Authentication

Winbind is a client-side service that resolves user and group information on a Windows server, and allows Oracle Linux to understand Windows users and groups. To be able to configure Winbind authentication, use yum to install the samba-winbind package. This package includes the winbindd daemon that implements the winbind service.

21.9.1 Enabling Winbind Authentication

If you use the Authentication Configuration GUI and select Winbind as the user account database, you are prompted for the information that is required to connect to a Microsoft workgroup, Active Directory, or Windows NT domain controller. Enter the name of the Winbind domain and select the security model for the Samba server:

ads

In the Activity Directory Server (ADS) security model, Samba acts as a domain member in an ADS realm, and clients use Kerberos tickets for Active Directory authentication. You must configure Kerberos and join the server to the domain, which creates a machine account for your server on the domain controller.

domain

In the domain security model, the local Samba server has a machine account (a domain security trust account) and Samba authenticates user names and passwords with a domain controller in a domain that implements Windows NT4 security.

Warning

If the local machine acts as a Primary or Backup Domain Controller, do not use the domain security model. Use the user security model instead.

server

In the server security model, the local Samba server authenticates user names and passwords with another server, such as a Windows NT server.

Warning

The server security model is deprecated as it has numerous security issues.

user

In the user security model, a client must log in with a valid user name and password. This model supports encrypted passwords. If the server successfully validates the client's user name and password, the client can mount multiple shares without being required to specify a password.

Depending on the security model that you choose, you might also need to specify the following information:

  • The name of the ADS realm that the Samba server is to join (ADS security model only).

  • The names of the domain controllers. If there are several domain controllers, separate the names with spaces.

  • The login template shell to use for the Windows NT user account (ADS and domain security models only).

  • Whether to allow user authentication using information that has been cached by the System Security Services Daemon (SSSD) if the domain controllers are offline.

Your selection updates the security directive in the [global] section of the /etc/samba/smb.conf configuration file.

If you have initialized Kerberos, you can click Join Domain to create a machine account on the Active Directory server and grant permission for the Samba domain member server to join the domain.

You can also use the authconfig command to configure Winbind authentication. To use the user-level security models, specify the name of the domain or workgroup and the host names of the domain controllers. for example:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity user \
  [--enablewinbindoffline] --smbservers="ad1.mydomain.com ad2.mydomain.com" \
  --smbworkgroup=MYDOMAIN --update

To allow user authentication using information that has been cached by the System Security Services Daemon (SSSD) if the domain controllers are offline, specify the --enablewinbindoffline option.

For the domain security model, additionally specify the template shell, for example:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity domain \
  [--enablewinbindoffline] --smbservers="ad1.mydomain.com ad2.mydomain.com" \
  --smbworkgroup=MYDOMAIN --update --winbindtemplateshell=/bin/bash --update

For the ADS security model, additionally specify the ADS realm and template shell, for example:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity ads \
  [--enablewinbindoffline] --smbservers="ad1.mydomain.com ad2.mydomain.com" \
  --smbworkgroup=MYDOMAIN --update --smbrealm MYDOMAIN.COM \
  --winbindtemplateshell=/bin/bash --update

For more information, see the authconfig(8) manual page.