join ads domain, automount network shares, etc. - Fedora Support Forums and Community
  1. #1
    axelseap Guest

    join ads domain, automount network shares, etc.

    Updated for F8
    I see there are posts every now and then about people trying to join a Fedora workstation to a domain, and different suggestions of how to do it, so here's a very easy way to join it and set up automounting network shares at login. This guide also contains other things you might want to do.

    First I'll answer some questions you may have:
    Is this the only way to join a Fedora workstation to a domain? No.
    Is this the best way? I seriously doubt it.
    Is this easy? I've seen harder.
    Should I have put these steps in better order? Definitely, but they still work.
    Does the server need to be modified in any way? NO, put down that keyboard and leave it alone.
    Is this the place to ask for other types of network configurations? No, I'm not a network admin and have no clue how to set that stuff up or even how other configs work.
    What if you follow these and it doesn't work? GOOGLE IT.

    YOU are responsible for backing up all files you modify and knowing what the originals are if you ever need them. This can be easily done with a command like
    cp file file.bak
    For these examples the domain name is
    Do everything below on your Fedora workstation.

    Part 1, Joining fedora to the domain

    1. You need samba
    yum groupinstall "Windows File Server"
    You likely already have this installed, so don't worry if yum does nothing here.

    see picture in post #2
    2. Set the hostname, run
    Under the DNS tab set a name for the computer. Make sure the hostname is unique, or else you will suffer the consequences on a later day. Save and exit. What consequences, you're wondering? Well, you could overwrite another workstation's account, kicking it off the domain.

    see picture in post #2
    3. Say goodbye to SELinux. run
    If it says 'enforcing', change it to 'disabled' or 'permissive'. If you leave SELinux as enforcing, you will not be able to log in on an ADS account.

    see picture in post #2
    4. Enter the network settings, run
    In the first tab check "Enable winbind support". Then, under the Authorization tab, also enable winbind support. Then click on Configure and enter the appropriate information for your network.
    Winbind domain is your short domain name. For our example domain, enter test.
    For security model select ads.
    Winbind ADS Realm under our example enter
    Winbind Domain Controllers is your primary domain controller (PDC). If you don't know what this is, ask your network admin.
    For template shell select /bin/bash.

    5. Caching (Optional).
    Caching allows you to log into a machine with your network account when it is outside the network. This is really only useful for laptops. If you would like this, place a tick where it says "Allow offline login". If you enable both caching and also set up automounting in Part 2 of this guide, you will run into difficulties when logging in outside the network. This results from pam_mount not being able to mount the network shares. As of yet I cannot find a solution for this. Live with it.
    Now hit OK to everything and close the window.

    6. In the terminal, as root, type
    net ads join -U administrator
    where administrator is a network account with permissions to join the computer to the domain; it doesn't actually have to be administrator.
    If you get an error you probably entered some information wrong. Double check and make sure everything is right. If you feel everything is right, I suggest searching Google for an answer, since that is always the fastest way.

    7. Modify /etc/pam.d/system-auth and at the bottom add this line
    session required skel=/etc/skel umask=0077
    8. Set the default login domain to be on your domain. Edit /etc/samba/smb.conf and at line 71 or close to it you'll see the line
     winbind use default domain = false
    change the false to true. If you don't see it at line 71, search around. You should see that line near your domain realm and password server information. After making this change you must restart winbind; to do this, type
    /sbin/service winbind restart
    9. (The easiest step) Create the folder /home/TEST, where TEST is your domain name in all caps.

    At this point you should be able to log onto the domain. Test it out in a tty session (ctrl+alt+f[1-6]). Log in with your domain username and password. You'll get messages about the home folder being created; that is good. If it doesn't work, make sure you're joined to the domain and the /etc/pam.d/system-auth file is correct. If you are able to log in in the terminal, make sure you can log in in X also (if desired). Also, if it doesn't work, try logging in as domain\username and see if that works. If that does, you did step 8 wrong.

    Part 2, Automounting. Skip down if you don't want this.
    Now let's set up Fedora to automount a user's network share at login.
    This only works if the user's login and password are the same as the ones for the share.

    1. First we need to install pam_mount
    yum install pam_mount
    2. Now we need to allow pam_mount to access the password as you login. Edit /etc/pam.d/system-auth and add the line
    auth required
    There can be no auth lines containing sufficient before the above one, or else it won't work. Then, somewhere at the bottom, add
    session optional
    3. Edit /etc/security/pam_mount.conf. Scroll down to line 72 where you see the line
    options_require       nosuid, nodev
    comment that line out by placing a # in front.

    4. Scroll down further to line 116 where you see
    # volume <user> [cifs|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
    and, using that as your guide, add the appropriate line directly after it. Here's a sample
    volume * cifs server share /home/TEST/&/mountpoint - - -
    This is what's called a template, and it will only work for all users if they all have access to that share or if the share is the same as their account name. If the share name is the same as their account name, put a & where it says share. If this doesn't work for you, read the next step. DON'T use smb: since FC5, support for mounting the smb file system is no longer included; use cifs instead, which is basically the same thing under a different name.
    The * stands for the user logging in and the & is the account name. ~ is replaced by the user's home folder. The mountpoint should be placed in the user's home folder as shown, so that more than one user can be logged in at a time without causing problems. For more info on options read the entire /etc/security/pam_mount.conf file; it is very detailed and helpful.

    5. If you can't use a template then you must create an entry in /etc/security/pam_mount.conf for each user. Use the guide above and only change the * to their account name and the share to their share, and have fun if you have many users. Alternatively, if you can get their network share from the account name, then you can create a script and make them log on, off, and back on the first time. I'll attach an example script. Edit /etc/skel/.bashrc and add an entry to run it, something like
    and also change the appropriate values in the script. Then
    chmod a+x script.txt
    Also edit /etc/security/pam_mount.conf and at line 38
    luserconf .pam_mount.conf
    uncomment it by removing the #. The only downside to using a script is that the user is forced to log in, then off, and back on again the very first time.

    6. Create the folder mountpoint in your network account home folder. Then log off and back on in a tty (ctrl+alt+f[1-6]), NOT X, and check if the folder was mounted properly. If it wasn't, scroll up and read all that junk from when you logged in. Specifically, see what it says about the share, server and mountpoints, make sure those are all correct, and check to see if there are any errors. Once you get it to work, edit /etc/security/pam_mount.conf and at line 8 change
    debug 1
    to
    debug 0
    Also create the mountpoint folder in /etc/skel/ so each new user automatically has it made for them.

    Part 3, Final configuration tips.

    1. Set up plugins for Firefox or Mozilla globally like this
    cd /usr/lib/mozilla/plugins
    ln -s /usr/java/jre1.6.0_03/plugin/i386/ns7/
    ln -s /usr/local/Adobe/Acrobat8.0/Browser/intellinux/
    Flash and mplayerplug-in are already installed globally.
    If you don't have all these plugins but would like them, check FedoraFaq.

    2. I like to create a new local user, log in and set up KDE or GNOME (if that's your thing), Firefox and everything else so it looks how I want it to. Then copy the folders .kde (or the appropriate GNOME folder) and .mozilla to /etc/skel/.

    3. If you feel like it, in KDE under KControl, Peripherals, Keyboard, click the box that says to turn NumLock on by default. Nothing is more annoying than NumLock always being off.


    Here are some attachments of what the files look like on the machines I use. The script there assumes that your login is first.last and the share is last.first; make sure you change the appropriate values in it.

    Warning: If you uninstall pam_mount after setting this all up, you will NOT be able to log into your system at all. You must undo all the changes made to the files in the /etc/pam.d folder before uninstalling pam_mount.
    Last edited by axelseap; 10th February 2008 at 05:57 PM.
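    As an added example (not the attached script from the post above, which is not reproduced here), a POSIX shell script that does what step 5 of Part 2 and the closing note describe: it derives the last.first share name from a first.last login, expands the template placeholders (* user, & account, ~ home) for one user, and writes that user's own .pam_mount.conf volume line. The server name fileserver and the /home/TEST directory are assumed placeholders.

```shell
#!/bin/sh
# Added example for this thread, not the attached script from post #1.
# Assumptions (placeholders): the file server is called "fileserver" and
# the domain home directory from Part 1 step 9 is /home/TEST.
SERVER="fileserver"
DOMAIN_DIR="/home/TEST"

# Map a first.last login to the last.first share name the attachment assumes.
# Prints the share name; returns 1 (prints nothing) for any other shape.
share_from_login() {
    login="$1"
    case "$login" in
        ''|.*|*.|*.*.*) return 1 ;;   # empty, leading/trailing dot, 2+ dots
        *.*) printf '%s.%s\n' "${login#*.}" "${login%.*}" ;;
        *) return 1 ;;                # no dot at all
    esac
}

# Expand the pam_mount.conf template placeholders for one user, as the post
# describes them: * = user logging in, & = account name, ~ = user's home folder.
expand_template() {
    template="$1"; user="$2"; home="$3"
    printf '%s\n' "$template" |
        sed -e "s|[*]|$user|g" -e "s|&|$user|g" -e "s|~|$home|g"
}

# Write the user's own ~/.pam_mount.conf (enabled by uncommenting luserconf)
# with one volume line pointing at their share under /home/TEST/<user>/mountpoint.
write_user_volume() {
    user="$1"; conf="$2"
    share=$(share_from_login "$user") || {
        echo "login '$user' is not of the form first.last" >&2
        return 1
    }
    printf 'volume %s cifs %s %s %s/%s/mountpoint - - -\n' \
        "$user" "$SERVER" "$share" "$DOMAIN_DIR" "$user" > "$conf"
}

# Example run for the current user, e.g. from /etc/skel/.bashrc on first login:
#   write_user_volume "$USER" "$HOME/.pam_mount.conf"
```

    The generated line is only picked up on the next login, which is the log-off-and-on-again step the post mentions.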

  2. #2
    axelseap Guest
    Here are some pics of setting up system-config-network, system-config-authentication and system-config-selinux.
    Attached thumbnails: snapshot1.png, snapshot2.png, snapshot3.png, snapshot4.png
    Last edited by axelseap; 7th December 2007 at 04:05 AM.

  3. #3
    SWT-TEAM Guest

    Problems... with pam_mount

    Hi, axelseap!

    You created a really nice tutorial. It almost worked (authentication), but automounting with pam is not possible at the moment.

    We figured out that there is a problem with the username. The pam process tries to log in with domainname\username, which results in a "13, permission denied" error. When we try to mount with the username only in bash, it works.

    Is there any way to log in to the domain without domainname\ ?

    Structure of the windows share:

    -all_user (share) permission (all, admin)
    -user1 (folder) (perm. user, admin)
    -user2 (folder) (perm. user, admin)
    -user3 (folder) (perm. user, admin)
    -user4 (folder) (perm. user, admin)
    -user5 (folder) (perm. user, admin)

  4. #4
    axelseap Guest
    Try this: edit /etc/samba/smb.conf and go to line 185; it looks like this
    winbind use default domain = no
    Change that to yes. Then just log in with username and password, don't add the domain to the front, and see if that works; if it does, please tell me.

    EDIT: I had some others try that and it seems to work great; the howto has been updated with those changes.
    Last edited by axelseap; 1st February 2006 at 11:33 PM.

  5. #5
    SWT-TEAM Guest

    It works without domainname\ after changing line 185 in smb.conf.

    Our problem with the share was solved by changing some permissions (w2k3)...
    Last edited by SWT-TEAM; 3rd February 2006 at 08:58 AM.

  6. #6
    SWT-TEAM Guest
    Hi axelseap,

    Your tutorial works really fine now, compliments!

    But we have a new problem: we want to set the home directory directly to the Windows share mountpoint (export HOME=~/mountpoint/$USER). Bash works fine with this, but KDE is not able to start, because it wants to set locks and create symbolic links on the net share. Both result in error messages.

    For us, it is not necessary that every user can configure his own KDE profile. A write-protected profile for all users would be enough.

    Can you give us a hint how to set up the home directory on the Windows share and get KDE working with this?


    Last edited by SWT-TEAM; 10th February 2006 at 01:15 PM.

  7. #7
    axelseap Guest
    Hmm... I'm not sure how to do that, but you did say it works fine in bash? Can you have the users log into a tty session and then type startx? Does that work, or does it still have the same problem? If that doesn't work, I don't think I can help you any more with this.

  8. #8
    H8-TRAIN Guest
    OK, I need some help with the domain controller. I have three machines here running Fedora Core 4 (one is my laptop) and none of them can see each other as far as file sharing; I can ping each from each, but when I look under "samba shares" I see nothing. I have one that is my MythTV box and I want to set that up as the MAIN server. Samba is running on all three and I have them all set up to use WORKGROUP as the workgroup (mainly because I already have two other machines running Win2k on WORKGROUP, so...). I need to know if I need to set up the MythTV box as the PDC and if so, HOW?

    OR should I just get SAMBA working correctly and be done with it? And if I should just get Samba running correctly, then is there a howto on that here? I haven't looked yet, so don't start yelling "use the search feature n00b". I tried following a Samba tutorial before and got nowhere.

    Thanks in advance


  9. #9
    Kreichek Guest
    Interesting. As soon as I log in on Fedora Core 5 I get logged out immediately with the message "The system administrator has disabled your account", which is actually not true. Here's what I have in /var/log/messages
    Mar 25 17:32:27 bordeaux pam_winbind[3186]: user '201204030' granted access
    Mar 25 17:32:27 bordeaux pam_winbind[3186]: user '201204030' granted access

    It just looks OK, but the user is logged out as if there is no shell or graphical environment to be run. Strange, eh? Any ideas?

    Btw, I had to comment out the lines auth optional use_first_pass and session optional, because I don't have the file in the system.
    Last edited by Kreichek; 25th March 2006 at 04:46 PM.

  10. #10
    axelseap Guest
    I'm not sure what causes that error. I haven't really looked into joining FC5 to a domain because pam_mount doesn't seem to be included in Extras anymore, and unless it is there's no point in upgrading, since compiling pam_mount doesn't work. But as soon as I can figure out how to get pam_mount installed on a system I'll update the guide with any necessary changes/new pictures.

  11. #11
    sigtom Guest
    Wanted to say thanks; this guide helped me in getting an FC5 box to authenticate against our Win2k ADS. I'm not mounting any drives/shares to this box, so I have no need for pam_mount. The only thing I had to add to get this to work was to edit smb.conf and add
    smb ports = 139 445
    This got rid of the pesky error msg "Transport endpoint is not connected". Thanks so much; I'm able to assign ADS groups to shares on my FC5 Samba share and only let those users I want access it.


  12. #12

    pam_mount is in extras-development atm

    Quote Originally Posted by axelseap
    pam_mount doesn't seem to be included in extras anymore, and unless it is there's no point in upgrading since compiling pam_mount doesn't work, but as soon as i can figure out how to get pam_mount installed on a system i'll update the guide with any necessary changes/new pictures
    You can install pam_mount with
    yum --enablerepo extras-development install pam_mount
    at the moment. glibc-kernelheaders and the actual kernel headers are not in sync at this time, and for this reason pam_mount did not compile (See It would be great if you updated your guide to FC5, because I do not know the correct settings in /etc/pam.d/login resp. /etc/pam.d/gdm; the files changed a lot since FC4 and I have only used pam_mount with Debian yet.

  13. #13
    axelseap Guest
    Thx, I have pam_mount installed and working! As soon as I get a chance to update one of these computers and join it, I'll update the guide.

  14. #14
    obviousheart221 Guest
    Is there a way I can change the join process so that Fedora doesn't attempt to create the new machine in the directory? I don't have administrator access to our corporate domain; however, the machine's host already exists in the directory. I just need to skip the step where it tries to create the machine on the domain and just bond with it. Any ideas?
    Last edited by obviousheart221; 10th April 2006 at 11:03 PM.

  15. #15
    WeLsHWiZaRd Guest
    I'm afraid System-Config-Authentication and System-Config-Networking do not work.

    The replacements are
