Using Active Directory for CentOS
Revision as of 14:43, 15 May 2006
I am using a default server installation of CentOS with X, KDE and Gnome added. I also enabled the text editor option for VIM in the package selection section of the installer.
This guide is also specific to Samba 3.
Step 1: Edit /etc/krb5.conf
Edit /etc/krb5.conf to look like the following, substituting EXAMPLE.DIRECTORY and example.directory with your Active Directory domain name. Wherever block capitals are used, make sure your own domain name is in block capitals as well. The line kdc = 10.0.0.1 in the [realms] section should be replaced with the hostname or IP address of your Active Directory domain controller.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.DIRECTORY
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DIRECTORY = {
  kdc = 10.0.0.1
  default_domain = example.directory
 }

[domain_realm]
 .example.directory = EXAMPLE.DIRECTORY
 example.directory = EXAMPLE.DIRECTORY

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Step 2: Configure smb.conf
I found it easier to make a backup of the existing smb.conf and then replace it with the basic one below. You can add shares later.
[global]
 security = ads
 netbios name = DOMAIN
 realm = EXAMPLE.DIRECTORY
 password server = domainserver.example.directory
 workgroup = DOMAIN
 idmap uid = 500-10000000
 idmap gid = 500-10000000
 winbind separator = +
 winbind enum users = no
 winbind enum groups = no
 winbind use default domain = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 domain master = no
The line template homedir = /home/%D/%U tells Samba to create the home directories of Active Directory users as /home/DOMAIN/user. For this to function correctly you must first create the parent directory with the following command:
mkdir /home/DOMAIN
If connecting to a Windows 2003 Active Directory controller, then you will need to add the following lines to smb.conf (replacing the client use spnego = yes line above):
 client use spnego = no
 server signing = auto
Now we need to stop and start Samba and winbind. It is important that this is done in the correct order, as follows:
/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start
Step 3: Edit nsswitch.conf
Copy /etc/nsswitch.conf to a backup file and replace all of its contents with the following:
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 4: Modify the PAM settings
Edit /etc/pam.d/system-auth so that it looks like the following:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
# pam_winbind must be in the auth stack, otherwise domain users can never authenticate
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
account required /lib/security/$ISA/pam_unix.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Step 5: Initialise Kerberos
kinit domain_admin_account@EXAMPLE.DIRECTORY
Next, check that you received a ticket from the domain controller:
klist
Step 6: Join the Active Directory domain
net ads join -U domain_admin_account@EXAMPLE.DIRECTORY
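Most failures at the kinit and net ads join steps come from the two files edited in Steps 1 and 2 disagreeing with each other (a realm that is not in block capitals, a [domain_realm] mapping that does not match, a missing kdc). The following pre-flight checker is an added example, not part of the original guide: it parses krb5.conf and smb.conf and reports those inconsistencies before you touch the domain. It assumes the standard file locations /etc/krb5.conf and /etc/samba/smb.conf and that smb.conf keys are indented uniformly.

```python
import configparser
import re

def parse_krb5(text):
    """Minimal krb5.conf parser: [section] -> {key: value or nested {key: value}}."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                   # new [section]
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line == "}":                       # end of a nested block
            sub = None
        elif "=" in line and section is not None:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":                      # e.g. EXAMPLE.DIRECTORY = {
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section)[key] = val
    return conf

def check_ad_configs(krb5_text, smb_text):
    """Return the inconsistencies between krb5.conf and smb.conf (empty list = OK)."""
    krb = parse_krb5(krb5_text)
    smb = configparser.ConfigParser(interpolation=None, strict=False)  # %D/%U are literal
    smb.read_string(smb_text)
    g, problems = smb["global"], []
    realm = krb.get("libdefaults", {}).get("default_realm", "")
    if not realm or realm != realm.upper():
        problems.append(f"default_realm {realm!r} must be the domain in block capitals")
    if g.get("realm") != realm:
        problems.append("smb.conf 'realm' does not match krb5.conf default_realm")
    if g.get("security") != "ads":
        problems.append("smb.conf 'security' must be 'ads' to join a domain")
    r = krb.get("realms", {}).get(realm, {})
    if "kdc" not in r:
        problems.append(f"[realms] has no kdc entry for {realm}")
    dom = r.get("default_domain", realm.lower())
    if krb.get("domain_realm", {}).get("." + dom) != realm:
        problems.append(f"[domain_realm] does not map .{dom} to {realm}")
    return problems

if __name__ == "__main__":   # assumed paths; run after editing both files
    with open("/etc/krb5.conf") as k, open("/etc/samba/smb.conf") as s:
        for p in check_ad_configs(k.read(), s.read()):
            print("PROBLEM:", p)
```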