Introduction

Many services (such as the database server) make use of PAM for authentication. In this tutorial, we will be setting up our primary server to use our Active Directory as a source for PAM.

Edit the /etc/pam.d/service file

We need to modify the /etc/pam.d/service file on our server to make use of the winbind service. We can do that using the following command:

# sudo nano /etc/pam.d/service

We need to edit that file so that it contains the following. The lines marked +++ are the ones to add; do not type the +++ marker itself:

                            ...
                            auth      required        pam_env.so
                            auth      sufficient      pam_unix2.so
                        +++ auth      required        pam_winbind.so  use_first_pass
                            account   requisite       pam_unix2.so
                        +++ account   required        pam_winbind.so  use_first_pass
                        +++ password  sufficient      pam_winbind.so
                            password  requisite       pam_pwcheck.so  cracklib
                            password  required        pam_unix2.so    use_authtok
                            session   required        pam_unix2.so
                        +++ session   required        pam_winbind.so
                            ...

Save the file.

Edit the /etc/security/pam_winbind.conf file

We need to modify the /etc/security/pam_winbind.conf file on our server to configure the winbind service. We can do that using the following command:

# sudo nano /etc/security/pam_winbind.conf

We need to edit that file to have the following:

debug = no  # Gives debugging output to syslog. Defaults to "no".
debug_state = no # Gives detailed PAM state debugging output to syslog. Defaults to "no".

require_membership_of = OFFICE.LAN\users # Must be a member of the 'users' group to access the server.

try_first_pass = yes

krb5_auth = yes # authenticate using Kerberos and Active Directory

krb5_ccache_type = 

cached_login = no

silent = no

mkhomedir = yes

warn_pwd_expire = 21

Save the file.

PAM should now authenticate against your Active Directory.
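To check the finished /etc/security/pam_winbind.conf against the values set above, the following script can be used. It is an added example, not part of the original page: the function names conf_get and audit_pam_winbind_conf and the two sample files are made up for illustration. Unset keys are treated as "no" (the page states that default for debug and debug_state; it is assumed for krb5_auth and cached_login).

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit a pam_winbind.conf.

# Print the value of key $1 in file $2. Trailing "# ..." or "; ..." comments
# are dropped; lines without "=" (such as section headers) are ignored.
conf_get() {
    awk -v key="$1" '
        { sub(/[#;].*/, ""); i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$2"
}

# Print one finding per line for file $1; return 0 only if there are none.
audit_pam_winbind_conf() {
    local f=$1 rc=0 pair key want got
    if [ -z "$(conf_get require_membership_of "$f")" ]; then
        echo "require_membership_of: unset, logins are not restricted to a group"
        rc=1
    fi
    # Values this tutorial sets; an unset key counts as "no" (assumed default).
    for pair in krb5_auth=yes cached_login=no debug=no debug_state=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_get "$key" "$f")
        if [ "${got:-no}" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-no}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: one following the tutorial, one with deviations.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.conf" <<'EOF'
debug = no  # Gives debugging output to syslog.
debug_state = no
require_membership_of = OFFICE.LAN\users # group restriction
krb5_auth = yes
cached_login = no
EOF
cat > "$SAMPLES/weak.conf" <<'EOF'
debug = yes
krb5_auth = yes
cached_login = yes
EOF

audit_pam_winbind_conf "$SAMPLES/good.conf" && echo "good.conf: OK"
audit_pam_winbind_conf "$SAMPLES/weak.conf" || echo "weak.conf: findings above"
```

On the server itself, run audit_pam_winbind_conf /etc/security/pam_winbind.conf after saving the file.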

SmallBusinessServer/Auth/PAM (last edited 2021-04-01 00:40:25 by 5g3-steven-7tv)