Difference between revisions of "Using Active Directory for CentOS"

This information dates from 2006 and may be deprecated. Likewise-Open provides a more convenient method of Active Directory integration.
Latest revision as of 11:44, 27 February 2017

This information is deprecated. It should be considered end of life and should not be used in any production setting.

I am using a default server installation of CentOS with X, KDE and Gnome added. Also I enabled the text editor option for VIM in the package selection section of the installer.

Also this guide is specific to Samba 3.

Where block capitals are used in the config files below, use block capitals for your own values in those places too.

Step 1: Edit /etc/krb5.conf

Edit /etc/krb5.conf to look like the following, substituting SWEETNAM.EU and sweetnam.eu with your Active Directory domain name. Wherever block capitals are used, make sure your own domain name is in block capitals also. The line in the realms section kdc = 172.20.1.1 should be replaced with the hostname or the IP address of your Active Directory controller.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log 

[libdefaults]
 default_realm = SWEETNAM.EU
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 SWEETNAM.EU = {
  kdc = 172.20.1.1:88
  admin_server = 172.20.1.1:749
  default_domain = sweetnam.eu
  kdc = 172.20.1.1
 }

[domain_realm]
 .sweetnam.eu = SWEETNAM.EU
 sweetnam.eu = SWEETNAM.EU 

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Step 2: Edit /etc/samba/smb.conf

[global]
security = ads
netbios name = CENTOS
realm = SWEETNAM.EU
password server = adpdc.sweetnam.eu
workgroup = SWEETNAM
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

Step 4: Make the home directories

mkdir /home/SWEETNAM

Step 5: Edit /etc/nsswitch.conf

passwd:     compat winbind files
shadow:     compat winbind files
group:      compat winbind files
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus

Step 6: Edit /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_krb5.so
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

Step 7: Stop and start samba and winbind

/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start

Step 8: Initialise Kerberos

kinit administrator@SWEETNAM.EU

Step 9: Join the active directory

net ads join -U administrator@SWEETNAM.EU

You should now be able to log in to your CentOS machine using a Windows Active Directory user account. Also note that the time on the Samba server has to be within 5 minutes of the time on the Active Directory controller for Kerberos authentication to work.
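The following shell functions are an added example, not part of the original wiki page, for checking the setup from Steps 1 to 9 before and after the join. They cover the points the procedure depends on: the realm in krb5.conf being in block capitals, winbind being listed for passwd, shadow and group in nsswitch.conf, the 5 minute Kerberos clock-skew limit, the homedir template from smb.conf resolving under the directory created in Step 4, and a count of pam_unix auth lines carrying nullok (each one permits a local account with an empty password to log in, which the AD configuration above does not change). The file-parsing functions run offline on constructed sample files; dc_clock_skew_ok assumes that Samba's "net time -S <dc>" is available and that GNU date can parse its output, both of which are assumptions here, as are the sample domain controller name and user in the usage note.

```shell
#!/bin/sh
# Added example (not from the original page): checks for the Samba 3 / winbind
# Active Directory setup. Parsing functions work offline on constructed files;
# dc_clock_skew_ok assumes "net time -S <dc>" (Samba) and GNU "date -d".

# Kerberos rejects requests when clocks differ by more than 300 s (5 minutes).
# Takes two epoch timestamps and succeeds only when they are within that window.
clock_skew_ok() {
    _d=$(( $1 - $2 ))
    [ "$_d" -le 300 ] && [ "$_d" -ge -300 ]
}

# Live variant: compare this host's clock with the domain controller's.
# Assumption: "net time -S" prints a date string that GNU date can parse.
dc_clock_skew_ok() {
    _dc_epoch=$(date -d "$(net time -S "$1")" +%s) || return 1
    clock_skew_ok "$(date +%s)" "$_dc_epoch"
}

# Print default_realm from a krb5.conf; fail if it is missing or not in block
# capitals, since a lower-case realm will not match the AD realm in kinit.
krb5_default_realm() {
    _realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$_realm" ] || return 1
    [ "$_realm" = "$(printf '%s' "$_realm" | tr '[:lower:]' '[:upper:]')" ] || return 1
    printf '%s\n' "$_realm"
}

# Succeed only if passwd, shadow and group in nsswitch.conf all list winbind;
# without that, AD users can get Kerberos tickets but have no uid/gid here.
nsswitch_has_winbind() {
    for _db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$_db:.*[[:space:]]winbind([[:space:]]|\$)" "$1" || return 1
    done
}

# Count auth lines in a PAM file where pam_unix.so is given "nullok".
# 0 is the hardened state: no empty local passwords accepted.
pam_nullok_auth_lines() {
    grep -Ec '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' "$1" || true
}

# Expand Samba's "template homedir" the way winbind does for %D (domain)
# and %U (user), so the parent directory from Step 4 can be verified.
winbind_homedir() {
    printf '%s\n' "$1" | sed "s/%D/$2/g; s/%U/$3/g"
}

# Offline demonstration on constructed sample files (not real system files).
# Succeeds when every check reports the state expected for the page's config.
demo_checks() {
    _tmp=$(mktemp -d) || return 1
    printf '[libdefaults]\n default_realm = SWEETNAM.EU\n' > "$_tmp/krb5.conf"
    printf 'passwd: compat winbind files\nshadow: compat winbind files\ngroup: compat winbind files\n' > "$_tmp/nsswitch.conf"
    printf 'auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok\n' > "$_tmp/system-auth"
    _ok=0
    [ "$(krb5_default_realm "$_tmp/krb5.conf")" = "SWEETNAM.EU" ] &&
    nsswitch_has_winbind "$_tmp/nsswitch.conf" &&
    [ "$(pam_nullok_auth_lines "$_tmp/system-auth")" -eq 1 ] &&
    [ "$(winbind_homedir '/home/%D/%U' SWEETNAM jsmith)" = /home/SWEETNAM/jsmith ] &&
    clock_skew_ok 1488195840 1488196000 && _ok=1
    rm -rf "$_tmp"
    [ "$_ok" -eq 1 ]
}
```

Source the file and call the functions against the real paths, for example `krb5_default_realm /etc/krb5.conf`, `nsswitch_has_winbind /etc/nsswitch.conf`, `pam_nullok_auth_lines /etc/pam.d/system-auth` and, with the controller name from smb.conf, `dc_clock_skew_ok adpdc.sweetnam.eu`; run `demo_checks` to exercise everything offline. The page's own system-auth has nullok on the sufficient pam_unix auth line, so the count there is 1, which is worth knowing before the machine joins a domain.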