Difference between revisions of "Using Active Directory for CentOS"

From RSWiki
Jump to navigation Jump to search
Line 79: Line 79:
 
  /etc/init.d/winbind start
 
  /etc/init.d/winbind start
  
'''Step 3 Initialise Kerberos'''
+
'''Step 5 Edit nsswitch.conf'''
 +
 
 +
copy /etc/nsswitch.conf to a backup file and replace all text in it with the following.
 +
 
 +
passwd: compat winbind
 +
group: compat winbind
 +
shadow: compat
 +
hosts: files dns wins
 +
networks: files
 +
protocols: db files
 +
services: db files
 +
ethers: db files
 +
rpc: db files
 +
netgroup: nis
 +
 
 +
'''Step 4: Modify the PAM settings'''
 +
 
 +
Edit /etc/pam.d/system.auth so that it looks like the following
 +
 
 +
auth        required      /lib/security/$ISA/pam_env.so
 +
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
 +
auth        required      /lib/security/$ISA/pam_deny.so
 +
 +
account    required      /lib/security/$ISA/pam_unix.so
 +
account    sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
 +
account    sufficient    /lib/security/$ISA/pam_winbind.so
 +
account    required      /lib/security/$ISA/pam_permit.so
 +
account    required      /lib/security/$ISA/pam_unix.so
 +
 +
password    requisite    /lib/security/$ISA/pam_cracklib.so retry=3
 +
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
 +
password    required      /lib/security/$ISA/pam_deny.so
 +
 +
session    required      /lib/security/$ISA/pam_limits.so
 +
session    required      /lib/security/$ISA/pam_unix.so
 +
 +
 
 +
 
 +
'''Step 5 Initialise Kerberos'''
  
 
  kinit domain_admin_account@EXAMPLE.DIRECTORY
 
  kinit domain_admin_account@EXAMPLE.DIRECTORY

Revision as of 14:43, 15 May 2006

I am using a default server installation of CentOS with X, KDE and Gnome added. Also i enabled the text editor option for VIM in the package selection section of the installer.

Also this guide is specific to Samba 3.

Step 1: Edit /etc/krb5.conf

Edit /etc/krb5.conf to look like the following, substituting EXAMPLE.DIRECTORY and example.directory with your active directory domain name. Where ever block capitals are used then make sure your own domain name is in block capitals also. The lins in the realms section kdc = 10.0.0.1 should be replaced with the hostname or the IP address of your active directory controller.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log 

[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.DIRECTORY
dns_lookup_realm = false
dns_lookup_kdc = false 

[realms]
EXAMPLE.DIRECTORY = {
kdc = 10.0.0.1
default_domain = example.directory
}

[domain_realm]
.example.directory = EXAMPLE.DIRECTORY
example.directory = EXAMPLE.DIRECTORY

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
}


Step 2: Configure smb.conf

I found it easier to make a backup of the existing smb.conf and then replacing it with the basic one below. You can add shares later.

[global]
security = ads
netbios name = DOMAIN
realm = EXAMPLE.DIRECTORY
password server = domainserver.example.directory
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no


The line template homedir = /home/%D/%U tells Samba to create the Active Directories user homes to the directory /home/DOMAIN/user. For this to function correctly you must issue the following command:

mkdir /home/DOMAIN

If connecting to a Windows 2003 Active Directory controller they you will need to add the following lines to smb.conf

client use spnego = no
server signing = auto


Now we need to stop and start Samba and winbind. It is important that this is done in the correct order as follows.

/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start

Step 5 Edit nsswitch.conf

copy /etc/nsswitch.conf to a backup file and replace all text in it with the following.

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Step 4: Modify the PAM settings

Edit /etc/pam.d/system.auth so that it looks like the following

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
account     required      /lib/security/$ISA/pam_unix.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


Step 5 Initialise Kerberos

kinit domain_admin_account@EXAMPLE.DIRECTORY

Next check to be sure you got a ticket from the domain controller

klist

Step 4: join the Active Directory

net ads join -U domainadminuser@EXAMPLE.DOMAIN