Using Active Directory for CentOS

From RSWiki

This information is deprecated. It should be considered end of life and should not be used in any production setting.

I am using a default server installation of CentOS with X, KDE and Gnome added. I also enabled the text editor option for VIM in the package selection section of the installer.

This guide is also specific to Samba 3.

Where block capitals are used in the config files below, use them in your own configuration as well.

Step 1: Edit /etc/krb5.conf

Edit /etc/krb5.conf to look like the following, substituting your Active Directory domain name for SWEETNAM.EU. Wherever block capitals are used, make sure your own domain name is in block capitals as well. The kdc = line in the realms section should be set to the hostname or IP address of your Active Directory domain controller.

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
  default_realm = SWEETNAM.EU
  dns_lookup_realm = true
  dns_lookup_kdc = true

 [realms]
  SWEETNAM.EU = {
   kdc =
   admin_server =
   default_domain =
   kdc =
  }

 [domain_realm]
  # maps the DNS domain (lower case) onto the Kerberos realm (upper case)
  .sweetnam.eu = SWEETNAM.EU
  sweetnam.eu = SWEETNAM.EU

 [kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf

 [appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

Step 2: Edit /etc/samba/smb.conf

 [global]
 security = ads
 netbios name = CENTOS
 password server =
 workgroup = SWEETNAM
 idmap uid = 500-10000000
 idmap gid = 500-10000000
 winbind separator = +
 winbind enum users = no
 winbind enum groups = no
 winbind use default domain = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 domain master = no

Step 4: Make the home directories

mkdir /home/SWEETNAM

Step 5: Edit /etc/nsswitch.conf

passwd:     compat winbind files
shadow:     compat winbind files
group:      compat winbind files
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus

Step 6: Edit /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/
auth        sufficient    /lib/security/$ISA/ likeauth nullok
auth        sufficient    /lib/security/$ISA/ use_first_pass
auth        sufficient    /lib/security/$ISA/ use_first_pass nolocal
auth        sufficient    /lib/security/$ISA/ use_first_pass
auth        required      /lib/security/$ISA/

account     required      /lib/security/$ISA/ broken_shadow
account     sufficient    /lib/security/$ISA/ uid < 100 quiet
account     sufficient    /lib/security/$ISA/
account     sufficient    /lib/security/$ISA/
account     required      /lib/security/$ISA/

password    requisite     /lib/security/$ISA/ retry=3
password    sufficient    /lib/security/$ISA/ nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/ use_authtok
password    sufficient    /lib/security/$ISA/ use_authtok
password    required      /lib/security/$ISA/

session     required      /lib/security/$ISA/
session     required      /lib/security/$ISA/
session     optional      /lib/security/$ISA/

Step 7: Stop and start samba and winbind

/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start

Step 8: Initialise Kerberos

kinit administrator@SWEETNAM.EU

Step 9: Join the Active Directory domain

net ads join -U administrator@SWEETNAM.EU

You should now be able to log in to your CentOS machine using a Windows Active Directory user account. Also note that the clock on the Samba server has to be within 5 minutes of the clock on the Active Directory controller for Kerberos authentication to work.
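As an added example (not part of the original wiki page), the script below sanity-checks the files edited in Steps 1, 2 and 5 and the 5-minute clock-skew rule before you attempt the join. The function names, the KRB5_CONF/SMB_CONF/NSSWITCH_CONF override variables and the --run flag are this example's own conventions, and the checks are plain pattern matches on the config files, not Samba or Kerberos tooling.

```sh
#!/bin/sh
# Added example, not from the original page: offline checks for Steps 1, 2 and 5.
# Each check takes a file path so it can be run against copies of the real files;
# KRB5_CONF, SMB_CONF and NSSWITCH_CONF (names assumed here) override the defaults.

# Kerberos realm names are case-sensitive, which is why the guide insists on block
# capitals. Succeeds when default_realm is present and entirely upper case.
krb5_realm_is_upper() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# "security = ads" is what makes Samba authenticate against AD with Kerberos rather
# than an older domain or server mode; the join depends on it.
smb_uses_ads() {
    grep -Eq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1"
}

# A successful join still gives no logins unless winbind is consulted for both the
# passwd and group databases.
nss_has_winbind() {
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
}

# Kerberos rejects tickets when clocks differ by more than the 5 minutes (300 s) the
# guide mentions. Takes two epoch timestamps: local clock and domain controller clock.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le 300 ]
}

# Runs every file check against the live files and reports; non-zero if any failed.
preflight() {
    rc=0
    krb5_realm_is_upper "${KRB5_CONF:-/etc/krb5.conf}" \
        && echo "OK   krb5.conf: default_realm is upper case" \
        || { echo "FAIL krb5.conf: default_realm missing or not upper case"; rc=1; }
    smb_uses_ads "${SMB_CONF:-/etc/samba/smb.conf}" \
        && echo "OK   smb.conf: security = ads" \
        || { echo "FAIL smb.conf: security is not ads"; rc=1; }
    nss_has_winbind "${NSSWITCH_CONF:-/etc/nsswitch.conf}" \
        && echo "OK   nsswitch.conf: winbind on passwd and group" \
        || { echo "FAIL nsswitch.conf: winbind missing from passwd or group"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with --run on the CentOS host after Steps 1 to 5; the clock check takes the controller's time as an argument, for example the epoch value you read from it, so it has no network dependency.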