11. Configure PAM

Name resolution is great, but in order to use Windows accounts for authentication you need to configure PAM. The Pluggable Authentication Modules subsystem (PAM) provides a layer of abstraction for applications that require authentication: an application can authenticate against many different backends without knowing anything about the underlying protocols. A PAM-aware application simply asks PAM to authenticate the user and trusts the result it gets back. This abstraction is implemented by PAM modules.

To allow applications to authenticate against Active Directory, you need to register the pam_winbind module with the PAM system. With winbind properly configured, this module provides the logic necessary to retrieve authentication information from Active Directory. Three files in the PAM configuration directory are of interest to us: /etc/pam.d/common-account, /etc/pam.d/common-auth, and /etc/pam.d/common-session. They correspond to three different stages of a login: checking that the account is valid, authenticating the user, and setting up the session. Insert a reference to pam_winbind.so in each of them:


# /etc/pam.d/common-account
account	sufficient	pam_winbind.so
account	required	pam_unix.so

# /etc/pam.d/common-auth
auth	sufficient	pam_winbind.so
auth	required	pam_unix.so use_first_pass

# /etc/pam.d/common-session
session	sufficient	pam_winbind.so
session	required	pam_unix.so

Normally, PAM grants access only if every module in the stack succeeds. Changing a module's control flag from required to sufficient tells PAM to stop and grant access as soon as that module succeeds, provided no earlier required module in the stack has already failed. In our configuration, PAM won't bother to check the local password files if the user in question resides in Active Directory, which is the desired behaviour. Note the asymmetry: a failure of a sufficient module is simply ignored and the stack moves on, so the required pam_unix.so line remains the backstop for every user winbind does not recognise.

Notice, too, that we added the use_first_pass parameter to the pam_unix module that follows pam_winbind in /etc/pam.d/common-auth. When a local user logs in, pam_winbind prompts for the password, fails to find the user in Active Directory, and PAM moves on to the next module. Rather than prompt for the password a second time, we tell pam_unix to reuse the one that was already entered. (use_first_pass fails outright if no password has been stored yet; try_first_pass would fall back to prompting in that case.)

Before we can start using our Active Directory accounts, one last change must be made to our PAM configuration. Active Directory users have no local passwd entry and therefore no pre-existing home directory, so we need the system to create one for each of them on first login. Insert a reference to the pam_mkhomedir module in /etc/pam.d/common-session as shown below:


# /etc/pam.d/common-session
session	required	pam_mkhomedir.so skel=/etc/skel/ umask=0022
session	sufficient	pam_winbind.so
session	required	pam_unix.so

When an Active Directory user logs in to our system for the first time, the pam_mkhomedir module creates the home directory, populates it with the files from /etc/skel/, and sets permissions according to the umask 0022 (so the directory itself ends up mode 0755; use umask=0077 if home directories should not be readable by other users). This saves us the hassle of creating each user's home directory by hand. Keep the control flag of this module set to required, as shown above, so that a user cannot log in if creation of the home directory fails, and keep the line above pam_winbind: because pam_winbind is sufficient, a successful match would end the session stack before a later pam_mkhomedir line was reached, and the directory would never be created.
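The following is an added example, not code from the original page or from the Samba or Linux-PAM projects. It parses the two stacks configured above and evaluates them under the pam.d(5) rules for the four keyword control flags (required, requisite, sufficient, optional; the bracketed [value=action] syntax is not modelled), so you can see why an Active Directory user never touches pam_unix during authentication, why a local user still gets in, why a failing pam_mkhomedir blocks the login even though pam_winbind succeeds afterwards, and why pam_mkhomedir would never run at all if it were placed after the sufficient pam_winbind line. The module results are constructed dictionaries standing in for what the real modules would return; nothing here talks to winbind or Active Directory.

```python
# Added example: a small evaluator for the Linux-PAM keyword control flags,
# applied to the common-auth and common-session stacks from the page above.
# Module outcomes are constructed, not obtained from real PAM modules.
from dataclasses import dataclass

# The two stacks exactly as configured on the page.
COMMON_AUTH = """\
# /etc/pam.d/common-auth
auth\tsufficient\tpam_winbind.so
auth\trequired\tpam_unix.so use_first_pass
"""

COMMON_SESSION = """\
# /etc/pam.d/common-session
session\trequired\tpam_mkhomedir.so skel=/etc/skel/ umask=0022
session\tsufficient\tpam_winbind.so
session\trequired\tpam_unix.so
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")


@dataclass(frozen=True)
class Entry:
    facility: str   # auth, account, session or password
    control: str    # one of CONTROLS
    module: str     # e.g. pam_winbind.so
    args: tuple     # module arguments, e.g. ("use_first_pass",)


def parse_pam(text):
    """Parse a pam.d fragment into Entry objects, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        facility, control, module, *args = fields
        if control not in CONTROLS:
            raise ValueError(f"unsupported control flag in: {raw!r}")
        entries.append(Entry(facility, control, module, tuple(args)))
    return entries


def evaluate(entries, results):
    """Run a stack against constructed module results (module -> True/False).

    Returns (granted, consulted): the stack's verdict and the modules that
    were actually invoked, in order. Semantics follow pam.d(5):
      required   failure is remembered, but the stack keeps running
      requisite  failure ends the stack immediately
      sufficient success ends the stack with success unless an earlier
                 required/requisite module already failed; failure is ignored
      optional   result ignored
    A module missing from `results` is treated as failing.
    """
    consulted = []
    verdict = None  # None: nothing decisive yet; True/False: current outcome
    for e in entries:
        consulted.append(e.module)
        ok = results.get(e.module, False)
        if e.control in ("required", "requisite"):
            if ok:
                if verdict is None:
                    verdict = True
            elif e.control == "requisite":
                return False, consulted
            else:
                verdict = False
        elif e.control == "sufficient" and ok and verdict is not False:
            return True, consulted
        # a failing sufficient module and optional modules do not change verdict
    return verdict is True, consulted


# Constructed scenarios. pam_winbind fails for a local user because the
# account is unknown to AD; pam_unix fails for an AD user because there is
# no local password; pam_unix's session module succeeds for everyone.
AD_USER_AUTH = {"pam_winbind.so": True, "pam_unix.so": False}
LOCAL_USER_AUTH = {"pam_winbind.so": False, "pam_unix.so": True}
AD_USER_SESSION_OK = {"pam_mkhomedir.so": True, "pam_winbind.so": True, "pam_unix.so": True}
AD_USER_SESSION_NO_HOME = {"pam_mkhomedir.so": False, "pam_winbind.so": True, "pam_unix.so": True}


def mkhomedir_misordered():
    """The page's session stack with pam_mkhomedir wrongly moved after pam_winbind."""
    mk, wb, ux = parse_pam(COMMON_SESSION)
    return [wb, mk, ux]


if __name__ == "__main__":
    auth, session = parse_pam(COMMON_AUTH), parse_pam(COMMON_SESSION)
    print("AD user, auth:         ", evaluate(auth, AD_USER_AUTH))
    print("local user, auth:      ", evaluate(auth, LOCAL_USER_AUTH))
    print("AD user, session:      ", evaluate(session, AD_USER_SESSION_OK))
    print("AD user, mkhomedir fails:", evaluate(session, AD_USER_SESSION_NO_HOME))
    print("mkhomedir after winbind: ", evaluate(mkhomedir_misordered(), AD_USER_SESSION_OK))
```

Running it shows the AD user authenticated after pam_winbind alone, the local user authenticated by pam_unix after pam_winbind's failure was ignored, the session denied when pam_mkhomedir fails even though pam_winbind succeeds next, and, in the misordered stack, pam_mkhomedir absent from the consulted list because the sufficient pam_winbind ended the stack first.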