Difference between revisions of "Using Active Directory for CentOS"

From RSWiki
Line 99: Line 99:
  auth        required      /lib/security/$ISA/pam_env.so
  auth        required      /lib/security/$ISA/pam_env.so
  auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
  auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok_secure use_first_pass
auth        sufficent    /lib/security/$ISA/pam_winbind.so
  auth        required      /lib/security/$ISA/pam_deny.so
  auth        required      /lib/security/$ISA/pam_deny.so
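Review bot: the added pam_winbind line misspells its control flag as "sufficent"; Linux-PAM rejects an unknown control token, so this entry is never applied as sufficient and winbind authentication does not run. Change it to "sufficient". In the same hunk, pam_unix gains "use_first_pass" while being the first module in the stack that handles a password, so there is no earlier password for it to reuse and local accounts fail at pam_unix; put "try_first_pass" on pam_unix and "use_first_pass" on pam_winbind instead, so the user is prompted once and both modules see the same password. "nullok_secure" is a Debian extension of pam_unix, not an option of the stock Linux-PAM module shipped with CentOS; use "nullok" or drop it.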
Line 114: Line 115:
  session    required      /lib/security/$ISA/pam_limits.so
  session    required      /lib/security/$ISA/pam_limits.so
  session    required      /lib/security/$ISA/pam_unix.so
  session    required      /lib/security/$ISA/pam_unix.so
  session    required      /lib/securoty/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
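Review bot: the added pam_mkhomedir line misspells the module directory as "/lib/securoty/", so PAM cannot load the module; since the entry is "required", session setup then fails for every login, local users included. Correct the path to "/lib/security/$ISA/pam_mkhomedir.so", matching the two session lines above it.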

Revision as of 14:49, 15 May 2006

I am using a default server installation of CentOS with X, KDE and Gnome added. Also, I enabled the text editor option for VIM in the package selection section of the installer.

Also this guide is specific to Samba 3.

Step 1: Edit /etc/krb5.conf

Edit /etc/krb5.conf to look like the following, substituting EXAMPLE.DIRECTORY and example.directory with your Active Directory domain name. Wherever block capitals are used, make sure your own domain name is in block capitals as well. The "kdc =" line in the [realms] section should be completed with the hostname or the IP address of your Active Directory controller.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.DIRECTORY
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DIRECTORY = {
  # hostname or IP address of your Active Directory domain controller
  kdc =
  default_domain = example.directory
 }

[domain_realm]
 .example.directory = EXAMPLE.DIRECTORY
 example.directory = EXAMPLE.DIRECTORY

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Step 2: Configure smb.conf

I found it easier to make a backup of the existing smb.conf and then replace it with the basic one below. You can add shares later.

[global]
security = ads
# realm is required for security = ads and must equal default_realm in krb5.conf
realm = EXAMPLE.DIRECTORY
# this machine's own NetBIOS name (placeholder); it must not be the domain name
netbios name = CENTOSHOST
password server = domainserver.example.directory
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

The line template homedir = /home/%D/%U tells Samba (winbind) to report /home/DOMAIN/user as the home directory of each Active Directory user. For this to function correctly you must first create the parent directory with the following command:

mkdir /home/DOMAIN

If connecting to a Windows 2003 Active Directory controller, then you will need to add the following lines to the [global] section of smb.conf (when a parameter appears twice in a section, Samba uses the later value, so this turns client use spnego off):

client use spnego = no
server signing = auto

Now we need to stop and start Samba and winbind. It is important that this is done in the correct order as follows.

/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start
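Before restarting Samba it is worth checking the two files from Step 1 and Step 2 against each other, because the failures that follow a bad join are hard to trace back to a stray lower-case letter or an empty "kdc =". The script below is an added example, not part of the original page or of Samba; the ini_get helper, the check_ad_config function and the constructed files in make_fixture are its own, and it assumes krb5.conf carries the usual bracketed section headers and that smb.conf has a realm line (Samba 3 needs one for security = ads).

```sh
#!/bin/sh
# Added example (not from the original wiki page): cross-check the krb5.conf
# and smb.conf written in Steps 1 and 2 for the mistakes that most often make
# "net ads join" fail: a realm that is not upper case, an empty "kdc =", a
# smb.conf realm that differs from default_realm, a [domain_realm] mapping
# that does not point at the realm, and a missing /home/DOMAIN directory.
# ini_get and check_ad_config are this example's own helpers; the files in
# make_fixture are constructed for the self-test.

# Print the value of key $3 in section $2 of the ini-style file $1.
# Only keys without spaces are handled, which covers the keys checked here.
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); next }
        sect == want && $1 == key {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Check krb5.conf ($1) against smb.conf ($2); $3 is a root prefix for the
# /home/DOMAIN test ("" on a real system). Prints each finding; returns 1 on any.
check_ad_config() {
    krb5=$1; smb=$2; root=${3:-}; rc=0
    realm=$(ini_get "$krb5" libdefaults default_realm)
    kdc=$(ini_get "$krb5" realms kdc)
    smb_realm=$(ini_get "$smb" global realm)
    workgroup=$(ini_get "$smb" global workgroup)
    lower=$(printf %s "$realm" | tr A-Z a-z)

    [ -n "$realm" ] || { echo "krb5.conf: default_realm is not set"; rc=1; }
    [ "$realm" = "$(printf %s "$realm" | tr a-z A-Z)" ] ||
        { echo "krb5.conf: default_realm '$realm' must be upper case"; rc=1; }
    [ -n "$kdc" ] || { echo "krb5.conf: 'kdc =' is empty; enter the domain controller"; rc=1; }
    [ "$smb_realm" = "$realm" ] ||
        { echo "smb.conf: realm '$smb_realm' differs from krb5.conf default_realm '$realm'"; rc=1; }
    grep -q "^[[:space:]]*\.$lower[[:space:]]*=[[:space:]]*$realm" "$krb5" ||
        { echo "krb5.conf: [domain_realm] lacks '.$lower = $realm'"; rc=1; }
    [ -n "$workgroup" ] && [ -d "$root/home/$workgroup" ] ||
        { echo "smb.conf: template homedir needs $root/home/$workgroup (mkdir it first)"; rc=1; }
    return $rc
}

# Build a scratch directory holding a good and a bad krb5.conf plus a smb.conf
# (all constructed), and print its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/DOMAIN"
    cat >"$d/krb5.good" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.DIRECTORY
[realms]
 EXAMPLE.DIRECTORY = {
  kdc = dc1.example.directory
  default_domain = example.directory
 }
[domain_realm]
 .example.directory = EXAMPLE.DIRECTORY
 example.directory = EXAMPLE.DIRECTORY
EOF
    # the bad copy has a lower-case realm and an empty kdc
    sed -e 's/^ default_realm = .*/ default_realm = example.directory/' \
        -e 's/^  kdc = .*/  kdc =/' "$d/krb5.good" >"$d/krb5.bad"
    printf '[global]\n security = ads\n realm = EXAMPLE.DIRECTORY\n workgroup = DOMAIN\n' >"$d/smb.conf"
    echo "$d"
}

# Real system: sh check-ad-config.sh /etc/krb5.conf /etc/samba/smb.conf
if [ $# -eq 2 ]; then
    check_ad_config "$1" "$2" ""
fi
```

Run it with the two real file paths before the restart below; a non-zero exit means at least one finding was printed.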

Step 3: Edit nsswitch.conf

Copy /etc/nsswitch.conf to a backup file and replace all of its text with the following.

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Step 4: Modify the PAM settings

Edit /etc/pam.d/system-auth so that it looks like the following:

auth        required      /lib/security/$ISA/pam_env.so
# pam_unix is the first module to handle the password, so it may only try an
# earlier one; pam_winbind then reuses the password pam_unix collected
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok_secure try_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
account     required      /lib/security/$ISA/pam_unix.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
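A typo in a PAM file does not announce itself: an unknown control flag or a misspelled module path only shows up as logins failing. The following lint script is an added example, not from the original page or from Linux-PAM; lint_pam_file and make_fixture are its own names, the sample PAM files are constructed, and it assumes "$ISA/" expands to nothing, as on the 32-bit CentOS layout used by the file above.

```sh
#!/bin/sh
# Added example (not from the original wiki page): lint a PAM service file
# such as /etc/pam.d/system-auth for the two slips that silently break
# logins: an unknown control flag (for instance "sufficent") and a module
# path that does not exist (for instance /lib/securoty/...).
# Assumption: "$ISA/" expands to nothing (32-bit CentOS layout).
set -f   # no globbing: configuration lines are word-split below

# Lint file $1; $2 is a root prefix for module-path checks ("" on a real
# system). Prints one line per finding and returns 1 if anything was found.
lint_pam_file() {
    file=$1; root=${2:-}; status=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|\#*) continue ;; esac
        set -- $line                      # type control module [args...]
        control=$2; module=$3
        case $control in
            required|requisite|sufficient|optional|include|substack|\[*) ;;
            *) echo "$file:$n: unknown control flag '$control'"; status=1 ;;
        esac
        case $module in
            /*) path=$(printf %s "$root$module" | sed 's|\$ISA/||')
                [ -e "$path" ] || { echo "$file:$n: module not found: $path"; status=1; } ;;
        esac
    done <"$file"
    return $status
}

# Build a scratch tree with empty stand-in modules and two constructed PAM
# files, one clean and one carrying both slips; print the directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/security"
    for m in pam_env pam_unix pam_winbind pam_deny pam_mkhomedir; do
        : >"$d/lib/security/$m.so"
    done
    cat >"$d/bad" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficent     /lib/security/$ISA/pam_winbind.so
session     required      /lib/securoty/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
    cat >"$d/good" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok try_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
EOF
    echo "$d"
}

# Real system: sh lint-pam.sh /etc/pam.d/system-auth
if [ $# -eq 1 ]; then
    lint_pam_file "$1" ""
fi
```

Keep a root shell open while editing system-auth and run the lint on the saved file before logging out of that shell; a finding on a "required" line means every login would be refused.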

Step 5: Initialise Kerberos

kinit domain_admin_account@EXAMPLE.DIRECTORY

Next, check that you were given a ticket by the domain controller.

Step 6: Join the Active Directory

net ads join -U domainadminuser@EXAMPLE.DIRECTORY
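Step 5 asks you to confirm the ticket and Step 6 performs the join, but neither says how to confirm the result. The script below is an added example, not from the original page or from Samba; REALM and DOMAIN_ADMIN are placeholders you replace, klist_has_tgt, check_ticket and check_join are its own names, and the klist, net, wbinfo and getent commands are the stock MIT Kerberos and Samba 3 tools this guide already relies on.

```sh
#!/bin/sh
# Added example (not from the original wiki page): verify Step 5 (kinit really
# produced a ticket-granting ticket for the realm) and Step 6 (the join works
# and winbind resolves an Active Directory account through nsswitch).
# REALM and DOMAIN_ADMIN are placeholders; override them in the environment.
REALM=${REALM:-EXAMPLE.DIRECTORY}
DOMAIN_ADMIN=${DOMAIN_ADMIN:-domain_admin_account}

# Read klist output on stdin; succeed only if it lists a TGT for realm $1.
# A TGT appears as the service principal krbtgt/REALM@REALM, so a cache that
# holds only a service ticket or a ticket for another realm does not pass.
klist_has_tgt() {
    grep -qF "krbtgt/$1@$1"
}

# Step 5 check: the credential cache must hold a TGT for our realm.
check_ticket() {
    klist 2>/dev/null | klist_has_tgt "$REALM" && return 0
    echo "no TGT for $REALM in the credential cache; run: kinit $DOMAIN_ADMIN@$REALM" >&2
    return 1
}

# Step 6 check: the machine account is valid, winbind can use the trust
# secret, and an AD account resolves via nsswitch (no DOMAIN+ prefix because
# smb.conf sets "winbind use default domain = yes").
check_join() {
    net ads testjoin || { echo "net ads testjoin failed" >&2; return 1; }
    wbinfo -t || { echo "winbind cannot verify the machine trust secret" >&2; return 1; }
    getent passwd "$DOMAIN_ADMIN" >/dev/null ||
        { echo "getent cannot resolve $DOMAIN_ADMIN through winbind" >&2; return 1; }
}

# Stand-alone use on the CentOS host:  sh verify-join.sh run
if [ "${1:-}" = run ]; then
    kinit "$DOMAIN_ADMIN@$REALM" && check_ticket &&
        net ads join -U "$DOMAIN_ADMIN@$REALM" && check_join
fi
```

If check_ticket fails, fix krb5.conf before touching Samba: the join cannot succeed without a valid ticket, and the "net ads join" error it produces is far less specific than kinit's.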