Using Active Directory for CentOS
Revision as of 10:27, 30 November 2012
This information dates from 2006 and may be deprecated. Likewise-Open provides a more convenient method of Active Directory integration.
I am using a default server installation of CentOS with X, KDE and Gnome added. I also enabled the VIM text editor option in the package selection section of the installer.
Also this guide is specific to Samba 3.
Where block capitals are used in the config files below, use them in your own values too.
Step 1: Edit /etc/krb5.conf
Edit /etc/krb5.conf to look like the following, substituting SWEETNAM.EU and sweetnam.eu with your Active Directory domain name. Wherever block capitals are used, make sure your own domain name is in block capitals too. The line kdc = 172.20.1.1 in the [realms] section should be replaced with the hostname or IP address of your Active Directory domain controller.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SWEETNAM.EU
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 SWEETNAM.EU = {
  kdc = 172.20.1.1:88
  admin_server = 172.20.1.1:749
  default_domain = sweetnam.eu
  kdc = 172.20.1.1
 }

[domain_realm]
 .sweetnam.eu = SWEETNAM.EU
 sweetnam.eu = SWEETNAM.EU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Step 2: Edit /etc/samba/smb.conf
Edit the [global] section of /etc/samba/smb.conf to match the following, substituting your own realm, workgroup and domain controller as in Step 1.
[global]
 security = ads
 netbios name = CENTOS
 realm = SWEETNAM.EU
 password server = adpdc.sweetnam.eu
 workgroup = SWEETNAM
 idmap uid = 500-10000000
 idmap gid = 500-10000000
 winbind separator = +
 winbind enum users = no
 winbind enum groups = no
 winbind use default domain = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 domain master = no
Step 4: Make the home directories
mkdir /home/SWEETNAM
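The guide depends on the same realm name appearing, in block capitals, in /etc/krb5.conf, in /etc/samba/smb.conf and in the directory created here (template homedir = /home/%D/%U expands %D to the workgroup, hence /home/SWEETNAM). The following Python check is an added example written for this page, not part of the original guide or of Samba/MIT Kerberos: it parses the two config files as text, reports the mismatches that break the join, and derives the Step 4 directory from smb.conf. The sample configs inside it are constructed from the page's own values and abridged to the sections the checks read.

```python
"""Cross-check the krb5.conf / smb.conf pair from Steps 1, 2 and 4 (added
example, not part of the original guide): same realm everywhere and in block
capitals, `security = ads`, and the directory Step 4 must create."""
import posixpath

# Constructed sample input (abridged); in practice pass open("/etc/krb5.conf").read() etc.
KRB5_CONF = """\
[libdefaults]
 default_realm = SWEETNAM.EU
[realms]
 SWEETNAM.EU = {
  kdc = 172.20.1.1:88
  admin_server = 172.20.1.1:749
  default_domain = sweetnam.eu
  kdc = 172.20.1.1
 }
[domain_realm]
 .sweetnam.eu = SWEETNAM.EU
 sweetnam.eu = SWEETNAM.EU
"""
SMB_CONF = """\
[global]
 security = ads
 netbios name = CENTOS
 realm = SWEETNAM.EU
 password server = adpdc.sweetnam.eu
 workgroup = SWEETNAM
 template homedir = /home/%D/%U
"""


def parse_krb5(text):
    """{section: {key: value}}; a `NAME = { ... }` block (one per realm under
    [realms]) becomes a nested dict of lists, since keys like kdc may repeat."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            sections.setdefault(section, {})
        elif section is None:
            continue                      # stray line before any [section]
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = key
                sections[section].setdefault(block, {})
            elif block is not None:
                sections[section][block].setdefault(key, []).append(value)
            else:
                sections[section][key] = value
    return sections


def parse_smb_global(text):
    """smb.conf [global] as {key: value}; keys lower-cased with single spaces
    so that "Template HomeDir" and "template homedir" are the same parameter."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def expected_home_parent(smb):
    """Directory Step 4 must create: %D -> workgroup, per-user %U dropped."""
    template = smb.get("template homedir", "/home/%D/%U")
    return posixpath.dirname(template.replace("%D", smb.get("workgroup", "%D")))


def check_configs(krb5_text, smb_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    krb5, smb = parse_krb5(krb5_text), parse_smb_global(smb_text)
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    realms = krb5.get("realms", {})
    problems = []
    if not realm:
        problems.append("krb5.conf: no default_realm in [libdefaults]")
    elif realm != realm.upper():
        problems.append(f"krb5.conf: default_realm {realm!r} must be in block capitals")
    if realm and realm not in realms:
        problems.append(f"krb5.conf: [realms] has no block for {realm!r}")
    for domain, mapped in krb5.get("domain_realm", {}).items():
        if mapped not in realms:
            problems.append(f"krb5.conf: {domain} maps to undefined realm {mapped!r}")
    if smb.get("security", "").lower() != "ads":
        problems.append("smb.conf: security must be 'ads' for an Active Directory join")
    if smb.get("realm") != realm:
        problems.append(f"smb.conf: realm {smb.get('realm')!r} differs from default_realm {realm!r}")
    if "workgroup" not in smb:
        problems.append("smb.conf: workgroup (the NetBIOS domain name behind %D) is missing")
    return problems
```

Running `check_configs(KRB5_CONF, SMB_CONF)` on the page's values returns an empty list, and `expected_home_parent(parse_smb_global(SMB_CONF))` returns `/home/SWEETNAM`, the directory Step 4 creates. The check works on the text only; it says nothing about whether the KDC or domain controller is reachable.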
Step 5: Edit /etc/nsswitch.conf
passwd:     compat winbind files
shadow:     compat winbind files
group:      compat winbind files
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus
Step 6: Edit /etc/pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_krb5.so
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
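The order and control flags of the auth stack above decide which backend actually authenticates a user: pam_unix handles local accounts first, and only when it fails do pam_krb5, pam_smb_auth and pam_winbind get a turn, with pam_deny closing the chain. The following Python model is an added example written for this page (not part of the guide or of Linux-PAM) that implements the simple `required`/`requisite`/`sufficient`/`optional` semantics and walks the page's `auth` lines with constructed per-module outcomes, so you can see which modules are consulted and why the verdict comes out as it does.

```python
"""Model of how Linux-PAM walks the auth stack from Step 6 (added example,
not part of the guide or of Linux-PAM itself)."""

# Constructed sample: the `auth` lines of /etc/pam.d/system-auth shown above.
SYSTEM_AUTH = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
"""


def parse_stack(text, pam_type):
    """Return [(control, module, args)] for one management group ("auth", ...)."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0] != pam_type:
            continue
        control, path, args = parts[1], parts[2], parts[3:]
        module = path.rsplit("/", 1)[-1]
        if module.endswith(".so"):
            module = module[:-3]
        rules.append((control, module, args))
    return rules


def run_stack(rules, outcomes):
    """Walk the stack using the simple control keywords.

    `outcomes` maps module name -> True (PAM_SUCCESS) or False (any failure);
    a module not listed is taken to fail, which for the auth group is how an
    unknown user or a wrong password behaves. Returns (granted, modules_consulted).
    """
    required_failed = any_success = False
    optional_only, optional_ok = True, False
    trace = []
    for control, module, _args in rules:
        ok = outcomes.get(module, False)
        trace.append(module)
        if control != "optional":
            optional_only = False
        if control == "requisite":
            if not ok:
                return False, trace          # abort at once, nothing later runs
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True       # keep walking, but the verdict is fixed
        elif control == "sufficient":
            if ok and not required_failed:
                return True, trace           # short-circuit: later modules are skipped
        elif control == "optional":
            optional_ok = optional_ok or ok  # only decisive if the stack is all-optional
    if optional_only:
        return optional_ok, trace
    return (not required_failed and any_success), trace


if __name__ == "__main__":
    auth = parse_stack(SYSTEM_AUTH, "auth")
    scenarios = {
        "local user, good password": {"pam_env": True, "pam_unix": True},
        "AD user, good password": {"pam_env": True, "pam_krb5": True},
        "wrong password everywhere": {"pam_env": True},
    }
    for label, outcomes in scenarios.items():
        granted, trace = run_stack(auth, outcomes)
        print(f"{label}: {'granted' if granted else 'denied'} via {' -> '.join(trace)}")
```

Three things the walk makes visible: a local user is granted after pam_unix and pam_krb5 is never consulted; an Active Directory user is granted by pam_krb5 without pam_smb_auth or pam_winbind running; and when every `sufficient` module rejects the password the walk reaches the `required` pam_deny, so the stack can never fall through to an implicit allow.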
Step 7: Stop and start samba and winbind
/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start
Step 8: Initialise Kerberos
kinit administrator@SWEETNAM.EU
Step 9: Join the active directory
net ads join -U administrator@SWEETNAM.EU
You should now be able to log in to your CentOS machine with a Windows Active Directory user account. Note also that the clock on the Samba server must be within 5 minutes of the Active Directory controller's clock for Kerberos authentication to work.