Using Active Directory for CentOS: Difference between revisions

From RSWiki
Revision as of 10:29, 2 December 2006

I am using a default server installation of CentOS with X, KDE and Gnome added. I also enabled the text editor option for VIM in the package selection section of the installer.

This guide is also specific to Samba 3.

Where block capitals are used in the config files below, you should use them too.

Step 1: Edit /etc/krb5.conf

Edit /etc/krb5.conf to look like the following, substituting SWEETNAM.EU and sweetnam.eu with your Active Directory domain name. Wherever block capitals are used, make sure your own domain name is in block capitals also. The line in the realms section kdc = 172.20.1.1 should be replaced with the hostname or the IP address of your Active Directory controller.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SWEETNAM.EU
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 SWEETNAM.EU = {
  kdc = 172.20.1.1:88
  admin_server = 172.20.1.1:749
  default_domain = sweetnam.eu
  kdc = 172.20.1.1
 }

[domain_realm]
 .sweetnam.eu = SWEETNAM.EU
 sweetnam.eu = SWEETNAM.EU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Step 2: Edit /etc/samba/smb.conf

[global]
security = ads
netbios name = CENTOS
realm = SWEETNAM.EU
password server = adpdc.sweetnam.eu
workgroup = SWEETNAM
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

Step 4: make the home directories

mkdir /home/SWEETNAM

Step 5: edit /etc/nsswitch.conf

passwd:     compat winbind files
shadow:     compat winbind files
group:      compat winbind files
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus

Step 6: Edit /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_krb5.so
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

Step 7: Stop and start samba and winbind

/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start

Step 8: Initialise Kerberos

kinit administrator@SWEETNAM.EU

Step 9: Join the active directory

net ads join -U administrator@SWEETNAM.EU

You should now be able to log in to your CentOS machine using a Windows Active Directory user account. Also note that the time on the Samba server has to be within 5 minutes of the time on the Active Directory controller for Kerberos authentication to work.
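As an added example (not part of the RSWiki page or its author's configs), the following POSIX shell script checks the three things most likely to break the login path once Steps 1 to 9 are done: that the realm in krb5.conf is in block capitals, that nsswitch.conf consults winbind for passwd, shadow and group, and that the clock skew stays inside the 5-minute window mentioned above. The 300-second tolerance is the MIT Kerberos default; the sample config files it writes are constructed copies of the fragments on this page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the RSWiki page): post-configuration sanity checks
# for the AD join described in Steps 1-9. Runs against constructed sample
# files by default; point the functions at /etc/krb5.conf and
# /etc/nsswitch.conf to check a real host.

MAX_SKEW=300   # Kerberos tolerates 5 minutes of clock skew by default

# clock_skew_ok LOCAL_EPOCH DC_EPOCH
# Succeeds when the two clocks differ by at most MAX_SKEW seconds.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le "$MAX_SKEW" ]
}

# default_realm FILE
# Prints default_realm from the [libdefaults] section of a krb5.conf.
default_realm() {
    awk -F= '/^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect) }
             sect == "[libdefaults]" && $1 ~ /default_realm/ {
                 gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# realm_is_uppercase FILE
# Kerberos realm names are case-sensitive; a lowercase realm will not match
# the AD realm, which is why the page insists on block capitals.
realm_is_uppercase() {
    r=$(default_realm "$1")
    [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr 'a-z' 'A-Z')" ]
}

# nsswitch_has_winbind FILE
# passwd, shadow and group must all list winbind, or an AD user authenticates
# via Kerberos but has no uid/gid on the box and the login still fails.
nsswitch_has_winbind() {
    for db in passwd shadow group; do
        grep -Eq "^${db}:[^#]*winbind" "$1" || return 1
    done
}

# make_samples DIR -- constructed copies of the page's configs for offline use
make_samples() {
    mkdir -p "$1"
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = SWEETNAM.EU
 dns_lookup_realm = true
[realms]
 SWEETNAM.EU = {
  kdc = 172.20.1.1:88
 }
EOF
    cat > "$1/krb5-bad.conf" <<'EOF'
[libdefaults]
 default_realm = sweetnam.eu
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     compat winbind files
shadow:     compat winbind files
group:      compat winbind files
hosts:      files dns
EOF
}

# report LABEL COMMAND... -- prints PASS/FAIL without aborting the run
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}

SAMPLES=${SAMPLES:-$(mktemp -d)}
make_samples "$SAMPLES"
report "realm in block capitals"   realm_is_uppercase "$SAMPLES/krb5.conf"
report "realm in block capitals (bad sample)" realm_is_uppercase "$SAMPLES/krb5-bad.conf"
report "nsswitch consults winbind" nsswitch_has_winbind "$SAMPLES/nsswitch.conf"
# On a real host compare `date +%s` with the controller's clock (for example
# the output of `net time`); the constructed values here differ by 4 minutes.
report "clock skew within 5 min"   clock_skew_ok 1000240 1000000
```

On a real host, a FAIL on the realm check means the krb5.conf realm and the AD domain will not match, a FAIL on the nsswitch check means winbind users will authenticate but not resolve, and a FAIL on the skew check means kinit and the net ads join in Steps 8 and 9 will be rejected until the clocks are brought back into line.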