Using Active Directory for CentOS

Revision as of 08:09, 18 May 2006

I am using a default server installation of CentOS with X, KDE and Gnome added. Also I enabled the text editor option for VIM in the package selection section of the installer.

Also this guide is specific to Samba 3.

Step 1: Edit /etc/krb5.conf

Edit /etc/krb5.conf to look like the following, substituting SWEETNAM.EU and sweetnam.eu with your own Active Directory domain name. Kerberos realm names are case sensitive: wherever block capitals are used below, your realm must be in block capitals too, and the lower-case form is the DNS name of the domain. The line kdc = 172.20.1.1:88 in the [realms] section should be replaced with the hostname or IP address of your Active Directory domain controller (88 is the Kerberos port). With dns_lookup_kdc = true the Kerberos library also finds domain controllers through the _kerberos._tcp SRV records that Active Directory publishes in DNS, so the static entry is only a fallback.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # realm in block capitals; the DNS lookups find further domain controllers via SRV records
 default_realm = SWEETNAM.EU
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 SWEETNAM.EU = {
  # your domain controller; one kdc line is enough, 88 is the Kerberos port
  kdc = 172.20.1.1:88
  admin_server = 172.20.1.1:749
  default_domain = sweetnam.eu
 }

[domain_realm]
 # map the DNS domain, and every host in it, on to the realm
 .sweetnam.eu = SWEETNAM.EU
 sweetnam.eu = SWEETNAM.EU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Step 2: Edit /etc/samba/smb.conf

The settings that matter for the join are security = ads (authenticate against the domain with Kerberos rather than the NT4-style security = domain), realm (must match default_realm in /etc/krb5.conf, in capitals) and workgroup (the short NetBIOS name of the domain, which is what %D expands to in template homedir). The idmap range is the pool of Unix UIDs and GIDs that winbind hands out to domain users and groups; it must not overlap local accounts, and since CentOS creates local users from UID 500 the range below starts at 10000. winbind enum users/groups = no stops winbind listing the whole directory on every getpwent() or getgrent() call, which on a large domain is slow.

[global]
# domain member authenticating with Kerberos against Active Directory
security = ads
netbios name = CENTOS
# Kerberos realm, upper case, identical to default_realm in /etc/krb5.conf
realm = SWEETNAM.EU
# pin one domain controller, or use "*" to let Samba find one through DNS
password server = adpdc.sweetnam.eu
# short NetBIOS name of the domain; %D below expands to this
workgroup = SWEETNAM
# UID/GID pool for domain accounts, kept clear of local users (CentOS starts them at 500)
idmap uid = 10000-10000000
idmap gid = 10000-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

Step 4: make the home directories

template homedir = /home/%D/%U in smb.conf puts each domain user's home directory under /home/<domain>/<user>, so the directory for the domain has to exist:

mkdir /home/SWEETNAM

Samba does not create the per-user directory beneath it. Either create it (owned by the user) before the first login, or have pam_mkhomedir in the session stack of /etc/pam.d/system-auth create it from /etc/skel at first login.

Step 5: edit /etc/nsswitch.conf

The winbind NSS module serves only the passwd and group databases, so it does nothing in the other entries, and shadow stays with the local file. List files before winbind so that root and the other local accounts resolve without a round trip to winbindd, and still resolve when winbindd is down.

passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

Step 6: Edit /etc/pam.d/system-auth

On CentOS this file is generated by authconfig and is overwritten the next time authconfig runs, so either stop using authconfig or re-apply the edit afterwards. Keep a root shell open while testing: a broken auth stack locks everyone out, root included. The stack below tries the local password file first, then winbind (pam_winbind hands the password to winbindd, which checks it against a domain controller using the machine account created by the join), then pam_krb5 for pure Kerberos logins. pam_krb5 can only detect a spoofed KDC if it can verify the ticket against a host key in /etc/krb5.keytab, which is why it comes after pam_winbind. Two things from the usual recipe are deliberately left out: nullok, which lets accounts with an empty password log in, and pam_smb_auth, a legacy module that ships the password to the password server in an SMB session setup and adds nothing once winbind works. pam_mkhomedir in the session stack creates /home/SWEETNAM/<user> from /etc/skel at first login; umask=0077 keeps it private.

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     sufficient    /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0077 skel=/etc/skel
session     optional      /lib/security/$ISA/pam_krb5.so
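Before restarting the daemons it is worth checking that the four files edited so far agree with each other: a realm typed in lower case in one of them, or an auth stack that never reaches pam_winbind, only shows up at login time with an unhelpful message. The script below is an added example and not part of this wiki page. It parses krb5.conf, smb.conf, nsswitch.conf and system-auth with awk and grep and reports the mismatches discussed in Steps 1, 2, 5 and 6. make_samples writes copies constructed from the page's own values so the script runs offline; --live points it at the real files on a CentOS host.

```shell
#!/bin/sh
# Added example, not part of the RSWiki page: check that krb5.conf, smb.conf,
# nsswitch.conf and system-auth (Steps 1, 2, 5, 6) agree with each other.
# make_samples writes copies constructed from the page's values so this runs
# offline; "--live" points it at the real files on a CentOS host.

problems=0
fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# conf_get FILE SECTION KEY: print the value of "KEY = value" inside [SECTION]
# (any section when SECTION is empty), skipping comments; first match wins.
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { cur = $0; sub(/^[[:space:]]*\[/, "", cur); sub(/].*/, "", cur); next }
        sec != "" && cur != sec { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            eq = index(line, "="); if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_config KRB5 SMB NSS PAM: returns 0 when consistent, else the number of problems
check_config() {
    krb5=$1; smb=$2; nss=$3; pam=$4; problems=0
    realm=$(conf_get "$smb" global realm)
    krb_realm=$(conf_get "$krb5" libdefaults default_realm)
    workgroup=$(conf_get "$smb" global workgroup)
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')

    [ "$(conf_get "$smb" global security)" = "ads" ] || fail "smb.conf: security must be ads"
    [ -n "$realm" ] || fail "smb.conf: realm is not set"
    [ "$realm" = "$krb_realm" ] || fail "realm '$realm' (smb.conf) differs from default_realm '$krb_realm' (krb5.conf)"
    case "$realm" in *[[:lower:]]*) fail "realm '$realm' must be upper case: Kerberos realms are case sensitive" ;; esac
    case "$workgroup" in ''|*.*) fail "workgroup must be the short NetBIOS domain name, not a DNS name" ;; esac
    # DNS domain -> realm mapping, so host principals in the domain land in the right realm
    [ "$(conf_get "$krb5" domain_realm ".$lower")" = "$realm" ] || fail "krb5.conf: [domain_realm] lacks '.$lower = $realm'"
    # a KDC must be findable: a static kdc line under [realms] or SRV lookup
    [ -n "$(conf_get "$krb5" realms kdc)" ] || [ "$(conf_get "$krb5" libdefaults dns_lookup_kdc)" = "true" ] \
        || fail "krb5.conf: no kdc for $realm and dns_lookup_kdc is not true"
    # nsswitch: winbind serves passwd and group only, and local files must come first
    for db in passwd group; do
        grep -E "^[[:space:]]*$db:" "$nss" | grep -Eq '(files|compat).*[[:space:]]winbind([[:space:]]|$)' \
            || fail "nsswitch.conf: '$db' must list files (or compat) before winbind"
    done
    # PAM: winbind in auth and account, auth closed by pam_deny, no empty-password logins
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]].*pam_winbind\.so' "$pam" || fail "system-auth: pam_winbind missing from auth"
    grep -Eq '^[[:space:]]*account[[:space:]]+(sufficient|required)[[:space:]].*pam_winbind\.so' "$pam" || fail "system-auth: pam_winbind missing from account"
    grep -E '^[[:space:]]*auth' "$pam" | tail -n 1 | grep -q 'pam_deny\.so' || fail "system-auth: auth stack not closed by pam_deny"
    if grep -Eq '^[[:space:]]*(auth|password)[[:space:]].*nullok' "$pam"; then fail "system-auth: nullok permits empty passwords"; fi
    return "$problems"
}

# make_samples DIR: constructed copies of the four files, using the page's values
make_samples() {
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = SWEETNAM.EU
 dns_lookup_kdc = true
[realms]
 SWEETNAM.EU = {
  kdc = 172.20.1.1:88
 }
[domain_realm]
 .sweetnam.eu = SWEETNAM.EU
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
   security = ads
   realm = SWEETNAM.EU
   workgroup = SWEETNAM
   password server = adpdc.sweetnam.eu
EOF
    printf 'passwd:     files winbind\nshadow:     files\ngroup:      files winbind\n' > "$1/nsswitch.conf"
    cat > "$1/system-auth" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
EOF
}

if [ "${1:-}" = "--live" ]; then
    check_config /etc/krb5.conf /etc/samba/smb.conf /etc/nsswitch.conf /etc/pam.d/system-auth
else
    tmp=$(mktemp -d); make_samples "$tmp"
    check_config "$tmp/krb5.conf" "$tmp/smb.conf" "$tmp/nsswitch.conf" "$tmp/system-auth" && echo "OK: sample files are consistent"
    rm -rf "$tmp"
fi
```

Run it as root with --live after Steps 1 to 6 and again after any later authconfig run; every FAIL line names the file and the setting to fix.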

Step 7: Stop and start samba and winbind

/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start

Step 8: Initialise Kerberos

kinit administrator@SWEETNAM.EU

kinit asks for the password and requests a ticket-granting ticket from the domain controller; klist then shows the ticket. This exercises krb5.conf, DNS and the clock before Samba is involved, so a failure here points at Step 1 rather than at smb.conf. The ticket is not needed for the join itself, which authenticates with the credentials given to net ads join in the next step.

Step 9: Join the active directory

net ads join -U administrator@SWEETNAM.EU

net prompts for the password; do not pass it on the command line (-U user%password), where it would show up in the process list and in the shell history. The account used only needs the right to add computers to the domain; it does not have to be a Domain Administrator. The join creates a computer account for CENTOS in the domain and stores its password in /etc/samba/secrets.tdb, which is from now on the host's domain credential and must stay readable by root only.

You should now be able to log in to your CentOS machine using a Windows Active Directory user account. Kerberos rejects requests whose timestamp differs from the domain controller's clock by more than the permitted skew (5 minutes by default), so keep the Samba server's clock synchronised with the domain controllers, for example with ntpd, rather than setting it by hand once.
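The join and the clock requirement can be verified with the stock Samba tools rather than by attempting a login. The script below is an added example, not part of this wiki page: the domain controller name adpdc.sweetnam.eu is taken from smb.conf above, while the test account and the assumption that net time prints a date GNU date can parse are mine. It also checks the permissions on /etc/samba/secrets.tdb, which holds the machine account password created by the join.

```shell
#!/bin/sh
# Added example, not from the RSWiki page: checks to run as root after "net ads join".
# DC name and test account are assumptions (override with DC=... TESTUSER=...);
# the commands are the standard Samba 3 tools.

DC=${DC:-adpdc.sweetnam.eu}
TESTUSER=${TESTUSER:-administrator}   # "winbind use default domain = yes" lets the bare name resolve

# skew_ok LOCAL_EPOCH REMOTE_EPOCH [MAX]: true when the clocks differ by at most MAX
# seconds (default 300, the 5 minute skew Kerberos tolerates with an AD KDC)
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "${3:-300}" ]
}

# secrets_ok FILE: the machine account password lives here; anything but 0600 leaks it
secrets_ok() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

verify_join() {
    rc=0
    secrets_ok /etc/samba/secrets.tdb || { echo "FAIL: /etc/samba/secrets.tdb must be mode 0600, owned by root"; rc=1; }
    net ads testjoin || { echo "FAIL: machine account check against the domain failed"; rc=1; }
    wbinfo -p        || { echo "FAIL: winbindd is not answering"; rc=1; }
    wbinfo -t        || { echo "FAIL: machine-account trust secret check failed"; rc=1; }
    # "winbind enum users = no" makes "wbinfo -u" print nothing; resolve one known name instead
    wbinfo -n "$TESTUSER" || { echo "FAIL: cannot resolve $TESTUSER to a SID"; rc=1; }
    getent passwd "$TESTUSER" >/dev/null || { echo "FAIL: NSS (nsswitch.conf + winbind) cannot see $TESTUSER"; rc=1; }
    # net time prints the DC's clock (assumed parseable by GNU date -d);
    # fix a skew permanently with ntpd, or once with: net time set -S $DC
    remote=$(net time -S "$DC") && skew_ok "$(date +%s)" "$(date -d "$remote" +%s)" \
        || { echo "FAIL: clock differs from $DC by more than 5 minutes"; rc=1; }
    return $rc
}

# Only run on a host that has Samba installed; the helper functions work anywhere.
if command -v net >/dev/null 2>&1; then verify_join; fi
```

Once every check passes, a login with a domain account should succeed; if it still fails, the remaining suspect is the PAM stack from Step 6, which these commands do not exercise.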