markwilson.it

Last year I wrote a post about using Microsoft Active Directory (AD) to authenticate users on a Red Hat Enterprise Linux (RHEL) computer (and a few weeks back I followed it up for Mac OS X). This week, I’ve been re-visiting that subject, as I built a new FTP server at home and wanted to use AD for authentication.

In the process, I came across a couple of extra resources that might be useful:

• If you want to avoid entering the logon name as domainname\username, then it is possible to configure a default domain for Winbind to use.
• The Ubuntu documentation has a useful guide for adding a Ubuntu box to an AD domain and using AD for authentication.

As I was using an almost-new AD (not the old one that I have been tweaking for years), I found that RHEL5 (and Mac OS X 10.5) did not need me to disable digital signing of communications as recent versions of Samba include client side signing. The Samba documentation suggests that it is necessary to set client use spnego = yes in smb.conf when authenticating against a Windows Server 2003 domain controller but I did not find that to be the case with Samba v3.0.23c and Windows Server 2003 R2 with SP2 (perhaps that is the default?).

The following notes may also be useful:

• SSH does not require any further configuration but if Samba is configured to use the default separator for domainname and username (\) then you will need to escape it – so the connection command would be ssh <em>domainname</em>\<em>username</em>@<em>hostname</em>.
• This also works for FTP (ftp <em>domainname</em>\<em>username</em>@<em>hostname</em>) but I’ve not found a way to make a simple ftp <em>hostname</em> use AD for authentication.
• Even though Linux/Unix usernames are case-sensitive, Windows ones are not, so any combination of lower and upper case is valid for domainname\username. Passwords do need to be entered in the correct case (as in Windows).