Saturday 28 June 2014

Using winbind to authenticate to an active directory - Part 1

Here I describe how to get various Unix clients to use winbind for authentication to a Windows AD domain. For bonus points I will also describe how to make sudo use AD groups for controlling root access.

Setting Up The Domain

I am using a single Windows 2008 R2 Standard Edition install to host all AD functions.
Once it is installed and patched, add the Active Directory Domain Services role, which in turn installs the DNS Server role when doing a single-box install.

My example config:
FQDN: my.dom
Short domain name: my
Domain controller: dc.my.dom

Set up some groups to control access:
grp-linux-servers: Users in this group will be able to log onto Linux hosts
grp-solaris-servers: Users in this group will be able to log onto Solaris hosts
grp-root-access: Users in this group will be able to sudo to root

Create some example users to test it all out:
user1: member of grp-linux-servers - will only be able to log onto Linux hosts
user2: member of grp-linux-servers, grp-solaris-servers - will be able to log onto Linux & Solaris hosts
user3: member of grp-linux-servers, grp-solaris-servers, grp-root-access - will be able to log onto Linux & Solaris hosts and sudo to root.

Finally, add hostname A records to the my.dom DNS zone for your Unix clients.
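The AD objects described above, scripted as an added example (my code, not the post's), run on the domain controller with the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2; the A records use dnscmd because the DnsServer cmdlets only arrived in Server 2012. The OU path, client host names and IP addresses are assumptions, not values from the post.

```powershell
# Added example: creates the groups, test users and A records from the post.
Import-Module ActiveDirectory

$ou = 'OU=Unix,DC=my,DC=dom'   # assumed OU; create it first or use CN=Users,DC=my,DC=dom

# Access-control groups: one global security group per capability.
$groups = @{
    'grp-linux-servers'   = 'Members may log on to Linux hosts'
    'grp-solaris-servers' = 'Members may log on to Solaris hosts'
    'grp-root-access'     = 'Members may sudo to root'
}
foreach ($g in $groups.Keys) {
    New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
        -GroupCategory Security -Path $ou -Description $groups[$g]
}

# Test users and the groups each belongs to, mirroring the post.
$membership = @{
    'user1' = @('grp-linux-servers')
    'user2' = @('grp-linux-servers', 'grp-solaris-servers')
    'user3' = @('grp-linux-servers', 'grp-solaris-servers', 'grp-root-access')
}
$pw = Read-Host 'Initial password for test users' -AsSecureString   # never hard-code it
foreach ($u in $membership.Keys) {
    New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$($u)@my.dom" `
        -Path $ou -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
    foreach ($g in $membership[$u]) {
        Add-ADGroupMember -Identity $g -Members $u
    }
}

# Check: user1 should list one grp-* group, user2 two, user3 all three.
foreach ($u in $membership.Keys) {
    $actual = (Get-ADPrincipalGroupMembership -Identity $u).Name | Where-Object { $_ -like 'grp-*' }
    "$u -> $($actual -join ', ')"
}

# A records for the Unix clients in the my.dom zone (assumed names and addresses).
$hosts = @{ 'linux01' = '192.0.2.10'; 'solaris01' = '192.0.2.11' }
foreach ($h in $hosts.Keys) {
    dnscmd dc.my.dom /RecordAdd my.dom $h A $hosts[$h]
}
```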

In part 2 I'll describe how to configure a RHEL 6 client to authenticate to this domain.

Further Reading

Red Hat provide some interesting documentation around Active Directory integration.

Here is a Reference Architecture white paper detailing the different AD options available.

You'll need to sign into the Red Hat customer portal to see these ones:
Some introductory concepts are covered here.
Here is a basic guide on how to join RHEL to Active Directory.
Here is a guide on how to use the RID backend to solve the SID to UID mapping problems.
