Joining Linux hosts to Active Directory is something we do on a daily basis, and it can still be a pretty daunting task. For that reason I put this article together from documentation I've written for work. Please let me know in the comments if you run into any issues.

The benefit of using AD for authentication is twofold: users are less likely to share passwords for one-off generic accounts created on individual boxes, and account management (creating, disabling and expiring accounts) happens in one place instead of on every host.

Start by installing the samba3x winbind package for your architecture (on RHEL/CentOS 5 the Samba 3.x stack ships as the samba3x-* packages):


yum install samba3x-winbind.x86_64

This installs winbind along with the other samba3x packages it depends on.

Next, verify /etc/hosts and /etc/resolv.conf. The host's FQDN must map to its real IP address, not to loopback, because the join and winbind rely on the host resolving its own name correctly, and resolv.conf must point at DNS servers that serve the AD domain (normally the domain controllers). /etc/hosts should not contain something like:


127.0.0.1 FQDN_OF_HOST localhost.localdomain localhost

It should be:


127.0.0.1 localhost.localdomain localhost
REAL.IP.OF.HOST FQDN_OF_HOST HOSTNAME

Next, check the date and time. Kerberos rejects authentication when the host's clock differs from the domain controller's by more than the allowed skew (five minutes by default), so sync the host to the DC or to the same NTP source before joining.

Next, run this command to join the host to the domain and configure Samba, winbind, NSS and PAM in one step:


/usr/sbin/authconfig-tui \
--enablewinbind \
--enablewinbindauth \
--enablemkhomedir \
--enablepamaccess \
--enablelocauthorize \
--smbsecurity=ads \
--smbrealm=DOMAIN.EXTENSION \
--smbworkgroup=DOMAIN \
--smbservers=DOMAINCONTROLLER1.DOMAIN.EXT,DOMAINCONTROLLER2.DOMAIN.EXT \
--winbindtemplatehomedir="/home/%U" \
--winbindtemplateshell="/bin/bash" \
--enablewinbindusedefaultdomain \
--kickstart \
--winbindjoin=ADMINISTRATORACCOUNTNAME

Provide the password for the account named in --winbindjoin (it needs rights to create computer objects in AD) and watch for error messages in the output; the command also restarts winbind for you. A few of the options deserve a note: --enablewinbindusedefaultdomain lets users log in as username rather than DOMAIN\username; --winbindtemplatehomedir and --winbindtemplateshell supply the home directory and shell that AD does not provide for its users; --enablemkhomedir makes PAM create the home directory on first login; and --enablepamaccess makes PAM consult /etc/security/access.conf (see Access Controls below).

Ensure that it's still running with:


service winbind status

or look for errors in the logs, typically /var/log/messages or /var/log/samba/wb-DOMAIN.log (winbind keeps a log per domain).

If that's working, you should be able to log in over ssh with an AD account (no DOMAIN\ prefix needed, thanks to --enablewinbindusedefaultdomain):


ssh username@host
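The two pre-join checks above (the FQDN sitting on the loopback line of /etc/hosts, and a clock too far from the domain controller) are the ones that most often break a join, so here they are as a script. This is an added example, not code from the original post; the hostname box1.corp.example.com, the 192.0.2.x addresses and the sample hosts files are constructed so that it runs offline.

```shell
#!/bin/bash
# Pre-join sanity checks for a host about to be joined to AD with winbind.
# Added example, not from the original post.  The hostnames, addresses and
# sample hosts files below are constructed so the script runs offline.

# check_hosts FILE FQDN
# Succeeds only when FQDN is listed against a real (non-loopback) address and
# is NOT listed on a 127.x / ::1 line.  Names compare case-insensitively, as
# they do in DNS.
check_hosts() {
    local file=$1 fqdn=$2
    awk -v fqdn="$fqdn" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(fqdn)) {
                    if ($1 ~ /^127\./ || $1 == "::1") bad = 1; else good = 1
                }
        }
        END { exit (good && !bad) ? 0 : 1 }
    ' "$file"
}

# check_skew LOCAL_EPOCH DC_EPOCH [MAX_SECONDS]
# Kerberos refuses to authenticate when the clocks differ by more than its
# clockskew setting, 300 seconds by default; stay well inside that.
check_skew() {
    local here=$1 dc=$2 max=${3:-300}
    local diff=$(( here - dc ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$max" ]
}

# --- demo on constructed files (192.0.2.0/24 is a documentation range) ---
FQDN=box1.corp.example.com
tmp=$(mktemp -d)

printf '127.0.0.1 %s localhost.localdomain localhost\n' "$FQDN" > "$tmp/hosts.bad"
printf '127.0.0.1 localhost.localdomain localhost\n192.0.2.10 %s box1\n' "$FQDN" > "$tmp/hosts.good"

for f in "$tmp/hosts.bad" "$tmp/hosts.good"; do
    if check_hosts "$f" "$FQDN"; then
        echo "OK   $f: $FQDN maps to a real address"
    else
        echo "FAIL $f: $FQDN is missing or sits on the loopback line"
    fi
done

# two minutes of skew is tolerated, ten minutes is not
check_skew 1700000000 1700000120 && echo "OK   clock skew of 120s is within limit"
check_skew 1700000000 1700000600 || echo "FAIL clock skew of 600s exceeds limit"

rm -rf "$tmp"
```

On a real host call check_hosts /etc/hosts "$(hostname -f)" and feed check_skew the local epoch from date +%s together with the DC's time; ntpdate -q against a DC prints the offset directly, which is the quickest way to get that second number (the exact output format varies by version, so check it on your box). Neither check needs the join account, so run them before you type the authconfig command.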

Access Controls

You can control which groups and users may log in from /etc/security/access.conf; the --enablepamaccess option instructed PAM (via pam_access) to consult that file whenever anyone tries to log in. Rules are evaluated top to bottom and the first match wins. Watch for spaces in group and user names: the name list is split on whitespace, so a group such as "Domain Users" cannot be written there as-is and will not match.


+ : GROUP_NAME or USER_NAME : IPs or ttys or ALL
- : ALL : ALL

+ permits the listed users or groups from the listed origins (IP addresses, ttys, hostnames, or ALL); - denies them.
The second line denies everyone who did not match an earlier line. It is essential, because pam_access permits any login that matches no rule at all.

Sudo privileges

The same AD group can be given sudo privileges as well: run 'visudo' as root and add a %group rule for it.
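To make the access.conf semantics concrete (first match wins, + permits, - denies, and a login that matches no line is permitted), here is a small evaluator that applies a rules file the way pam_access does, run against a constructed access.conf and a constructed group table. It is an added example, not code from the original post or from pam_access itself: the users jdoe, asmith and root, the groups, the 192.0.2.x and 203.0.113.x addresses and the sample file are all made up, and EXCEPT, netgroups and the "(group)" syntax are not handled. It also covers the sudo step, in the sense that the group name it checks is the one you would hand to visudo.

```shell
#!/bin/bash
# Evaluator that applies /etc/security/access.conf rules the way pam_access
# does: top to bottom, first matching line wins, "+" permits, "-" denies, and
# a login that matches NO line is permitted.  Added example, not from the
# original post or from pam_access; EXCEPT, netgroups and "(group)" are not
# handled.  Group table, names and addresses are constructed for offline use.

# Constructed membership table, "user:group,group,...".  With
# --enablewinbindusedefaultdomain AD groups appear without the DOMAIN\ prefix,
# which is what  id -nG "$user"  would print on a real host (use that instead).
GROUP_TABLE='jdoe:domain users,linux-admins
asmith:domain users
root:root,wheel'

trim() { local s=$1; s=${s#"${s%%[![:space:]]*}"}; s=${s%"${s##*[![:space:]]}"}; printf '%s' "$s"; }

in_group() {   # in_group USER GROUP
    local members
    members=$(printf '%s\n' "$GROUP_TABLE" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case ",$members," in *",$2,"*) return 0 ;; esac
    return 1
}

# Field 2: ALL, or a whitespace-separated list of user or group names.
# Because the list is split on whitespace, "domain users" becomes the two
# names "domain" and "users" and never matches the real group (the caveat
# in the Access Controls section).
user_matches() {   # user_matches USER FIELD
    local user=$1 tok
    [ "$2" = "ALL" ] && return 0
    for tok in $2; do
        [ "$tok" = "$user" ] && return 0
        in_group "$user" "$tok" && return 0
    done
    return 1
}

# Field 3: ALL, LOCAL (origin contains no dot, e.g. a tty), an exact host, tty
# or address, a network prefix ending in a dot (192.0.2.) or a domain suffix
# starting with one (.corp.example.com).
origin_matches() {   # origin_matches ORIGIN FIELD
    local origin=$1 tok
    for tok in $2; do
        case "$tok" in
            ALL)   return 0 ;;
            LOCAL) case "$origin" in *.*) ;; *) return 0 ;; esac ;;
            *.)    case "$origin" in "$tok"*) return 0 ;; esac ;;
            .*)    case "$origin" in *"$tok") return 0 ;; esac ;;
            *)     [ "$tok" = "$origin" ] && return 0 ;;
        esac
    done
    return 1
}

# access_allowed FILE USER ORIGIN -> exit status 0 if the login is permitted
access_allowed() {
    local file=$1 user=$2 origin=$3 line perm users origins
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "${line%%#*}")          # drop comments and blank lines
        [ -z "$line" ] && continue
        IFS=: read -r perm users origins <<<"$line"
        if user_matches "$user" "$(trim "$users")" \
           && origin_matches "$origin" "$(trim "$origins")"; then
            [ "$(trim "$perm")" = "+" ] && return 0
            return 1
        fi
    done < "$file"
    return 0   # fell off the end: pam_access permits
}

# --- demo on a constructed access.conf ---
conf=$(mktemp)
cat > "$conf" <<'EOF'
# root only on the console or from the management network, AD admins from
# anywhere, everyone else denied.
+ : root : LOCAL 192.0.2.
+ : linux-admins : ALL
- : ALL : ALL
EOF

for probe in "jdoe 203.0.113.5" "asmith 203.0.113.5" "root tty1" "root 192.0.2.7" "root 203.0.113.5"; do
    set -- $probe
    if access_allowed "$conf" "$1" "$2"; then echo "ALLOW $1 from $2"; else echo "DENY  $1 from $2"; fi
done
rm -f "$conf"
```

jdoe gets in from anywhere through the linux-admins line, asmith falls through to the deny-all line, and root is accepted on a tty or from 192.0.2.x but refused from 203.0.113.5. Delete the last line of the sample file and asmith is suddenly allowed, which is the failure mode the deny-all line exists to prevent. The same group name is what goes into sudoers through visudo, for example %linux-admins ALL=(ALL) ALL (an illustrative rule, not from the post); a group containing spaces or a DOMAIN\ prefix would need escaping there, which is one more reason to prefer AD group names without them.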

NOTE: these instructions may differ a bit if the account you're logging in with lives in a child domain of the forest.
NOTE: You may or may not want to set up DNS records for this host in AD prior to joining the domain; I recommend doing it beforehand. Creating the computer account ahead of time is not necessary, since the join creates it (which is why the join account needs rights to create computer objects).