Home Linux Authentication
Setup on the Windows server:

Add the computer (linux client) in Active Directory

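From a Windows command prompt, run the following command. +rndPass sets the mapped account's password to a random value, and the resulting keytab holds the host's long-term Kerberos key, so treat the file as a secret: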

ktpass -princ host/<MACHINE_NAME>.mydomain.com@MYDOMAIN.COM -mapuser <GROUP>\<MACHINE_NAME>$ +rndPass -out c:\<MACHINE_NAME>.keytab


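Copy the keytab to /etc/krb5.keytab on the Linux client over an encrypted channel (for example scp). Make it owned by root and readable only by root (mode 0600), then delete the copy left in c:\ on the server.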

Edit krb5.conf on the Linux client:

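# Kerberos client configuration: realm MYDOMAIN.COM, served by the KDC on
# winserver.mydomain.com.
# Section headers in krb5.conf take single brackets; the doubled brackets in
# the original listing look like wiki escaping and would not be read as
# section names.
# Comments are kept at column 0 and on their own lines.

# Kerberos 4 compatibility settings (krb4_*, v4_*) are kept as written.
# NOTE(review): presumably unused against Active Directory; confirm and drop.
#
# NOTE(review): forwardable/proxiable make every ticket requested on this host
# delegable by default. Turn them off unless delegation is actually needed.
#
# NOTE(review): des-cbc-crc is single DES and des3-hmac-sha1 is deprecated;
# both are weak by current standards. They are left unchanged here for
# compatibility with the KDC this page targets. If the domain controller
# supports AES, restrict both lists to
# "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96" and regenerate the keytab
# with a matching key type.
#
# NOTE(review): the "plain" entry under v4_name_convert
# (something = something-else) looks like a sample placeholder; confirm.
[libdefaults]
       default_realm = MYDOMAIN.COM
       krb4_config = /etc/krb.conf
       krb4_realms = /etc/krb.realms
       kdc_timesync = 1
       ccache_type = 4
       forwardable = true
       proxiable = true
       default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
       default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
       v4_instance_resolve = false
       v4_name_convert = {
               host = {
                       rcmd = host
                       ftp = ftp
               }
               plain = {
                       something = something-else
               }
       }
       fcc-mit-ticketflags = true

# The Windows server is both the KDC and the admin server for the realm.
[realms]
       MYDOMAIN.COM = {
               kdc = winserver.mydomain.com
               admin_server = winserver.mydomain.com
               default_domain = mydomain.com
       }

# Map the DNS domain (and every host below it) to the realm.
[domain_realm]
   .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

[login]
       krb4_convert = true
       krb4_get_tickets = false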


Edit /etc/pam/pam_ldap.conf, then symlink it so that libnss-ldap.conf points to the same file: ln -s pam_ldap.conf libnss-ldap.conf

# pam_ldap / nss_ldap client settings: look up and authenticate users against
# the directory on winserver.mydomain.com.
#
# NOTE(review): ldap:// is an unencrypted connection. The bind password below,
# and any user password pam_ldap sends in a bind, cross the network in clear
# text. If the directory server has a certificate, prefer ldaps:// or
# "ssl start_tls", together with "tls_checkpeer yes" and a "tls_cacertfile".
uri ldap://winserver.mydomain.com/

# NOTE(review): this base (dc=dev,dc=mydomain,dc=ca) does not match the binddn
# suffix below (dc=mydomain,dc=com); both look like placeholders. Substitute
# your own domain components consistently.
base dc=dev,dc=mydomain,dc=ca
ldap_version 3

# Create a dedicated AD user that can read the container holding the users
# you want to make available, and nothing more.
# bindpw is stored here in clear text.
# NOTE(review): NSS lookups run as ordinary users, so this file usually has to
# be readable by them. Keep the bind account read-only and unprivileged, and
# do not reuse its password anywhere else.
binddn cn=<ldapuser>,cn=Users,dc=mydomain,dc=com
bindpw <ldapPasswd>

# Search the whole subtree under the base; give up after 30 seconds.
scope sub
timelimit 30

# Only entries with objectclass=User are considered for login.
# NOTE(review): nothing here restricts which directory users may log in to
# this host; pam_ldap's pam_groupdn / pam_member_attribute can limit logins to
# members of one group.
pam_filter objectclass=User

# The login name is matched against sAMAccountName.
pam_login_attribute sAMAccountName
pam_lookup_policy yes

# Replace the empty OU=/DC= components below with the container that holds
# your users.
nss_base_passwd OU= ,DC= ,DC= ,DC=ca?sub
nss_base_shadow OU= ,DC= ,DC= ,DC=ca?sub
nss_base_group  OU= ,DC= ,DC= ,DC=ca?sub
nss_base_hosts CN=Computers,DC= ,DC= ,DC=ca

# For MSSFU: map the POSIX object classes and attributes that NSS asks for
# onto the Active Directory / msSFU30* names.
# NOTE(review): the userPassword -> msSFU30Password mapping exposes that
# attribute as the account's password field to NSS consumers. It is presumably
# unnecessary when pam_ldap authenticates users; confirm and drop it if so.
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute cn sAMAccountName
nss_map_objectclass posixGroup Group



/etc/pam.d/common-auth

# Try the directory first; a success from pam_ldap ends the auth stack.
auth    sufficient        pam_ldap.so
# Fall back to local accounts, reusing the password already entered
# (use_first_pass).
# NOTE(review): nullok_secure accepts accounts with an empty password (on
# Debian's pam_unix, only on terminals listed in /etc/securetty). Drop it if
# no account should ever have an empty password.
# NOTE(review): both modules are "sufficient" and nothing follows them.
# Hardened stacks conventionally end with an explicit
# "auth required pam_deny.so" so that the result when both fail does not
# depend on the PAM library's default.
auth    sufficient        pam_unix.so nullok_secure use_first_pass


/etc/pam.d/common-account

# A success from pam_ldap ends the account stack, so the pam_unix check below
# applies only when pam_ldap does not succeed (for example, local accounts).
# NOTE(review): host- or group-based login restrictions for directory users
# have to be enforced by pam_ldap itself; confirm they are configured in
# pam_ldap.conf.
account sufficient      pam_ldap.so
account required        pam_unix.so


/etc/pam.d/common-session

# Standard session handling for every login.
session required        pam_unix.so
# Kerberos session step; "optional" means a failure here does not block login.
session optional        pam_krb5.so
# Create a missing home directory at first login from /etc/skel.
# NOTE(review): umask=0022 leaves new home directories readable by every local
# user; umask=0077 keeps them private.
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel


/etc/nsswitch.conf

# Name service order: local files (compat) are consulted first, then LDAP,
# for the passwd, group and shadow databases.
# NOTE(review): "shadow: ... ldap" asks the directory for shadow entries. It
# is presumably not needed when pam_ldap performs authentication; confirm and
# remove "ldap" from the shadow line if so.
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
# Host names are resolved from /etc/hosts, then DNS (not from LDAP).
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
# NOTE(review): netgroup still points at NIS; confirm NIS is actually in use.
netgroup:       nis