Sunday, 8 November 2015

Active Directory integration with Samba for RHEL/CentOS 6.3


Please create a backup of any configuration file before you begin changing it, since a mistake here can cause serious authentication problems on your server and you may not be able to log in again if things go wrong.

Pre-requisites:
You need to have the following packages installed before we start: Kerberos 5, Samba, winbind, OpenLDAP, PAM and nsswitch, as well as ntp.

Steps involved:

Installing needed packages
Local server configuration
Synchronising the time between the Domain Controller and the Samba server.
Configuring Kerberos
Configuring Samba
Configuring winbind/nsswitch
Setting up PAM authentication for Active Directory
Joining into the domain
Note:

In this tutorial I'm going to use specific domain and server names for testing and demonstration purposes only; obviously you should use your own:

NJ180DEGREE.NET as the domain name
SERVER.NJ180DEGREE.NET as the Domain Controller
CENT.NJ180DEGREE.NET as the Linux server.
"AD" and "ad" stand for Active Directory or Domain Controller in this documentation.
192.168.100.1 is the IP address of the domain controller and DNS server
192.168.100.200 is the IP address of the CentOS server that is to be joined to the Domain Controller
One more thing: my preferred editor is 'gedit'.

1. Installing the required packages

If you are not sure whether the required packages are installed, just type the following in a terminal (on RHEL/CentOS 6 the winbind daemon and pam_winbind come from samba-winbind, and wbinfo from samba-winbind-clients, so they are included here):

# yum install samba samba-winbind samba-winbind-clients samba-common krb5-workstation krb5-libs pam_krb5 ntp
2. Local server configuration

Make sure that the IP addresses of the Linux machine and the Domain Controller are properly configured, that a DNS server is up and running on your network, and that your local DNS client points to that DNS server. You can check connectivity by pinging the IP addresses of the various NICs.

/etc/hosts

Even if the listed DNS servers are perfect in every way, it is a good idea to add the important servers to the local /etc/hosts file, so that in case of a DNS failure we can still reach the Domain Controller through this file; it may also speed up name lookups.

Edit the file /etc/hosts using your preferred editor and add the line (the fully qualified name must come before the short name):

ip.address.of.ad.domain.controller   youradservername.yourdomainname.local  hostname.of.ad.server
Example (note that the Linux host's own entry uses its real address, 192.168.100.200, not a loopback address, otherwise Samba and Kerberos resolve the host name to 127.0.0.1):

# gedit /etc/hosts
192.168.100.200   CENT.NJ180DEGREE.NET   CENT
192.168.100.1   SERVER.NJ180DEGREE.NET   SERVER
Save and exit.

/etc/resolv.conf

The resolv.conf file is the resolver configuration file. It is used to configure client-side access to DNS: this file defines which name servers to use to resolve host names to IP addresses.

Edit the file /etc/resolv.conf using your preferred editor and add the lines:

search    yourdomain.local
nameserver ip.address.of.ad.domain.dns.server
Save and exit.

Note that this IP address is the address of the domain DNS server, NOT necessarily the address of the Domain Controller; but if you set up the DNS server on your Domain Controller, as in this example, the same IP address is entered here.

Example:

# gedit /etc/resolv.conf
search NJ180DEGREE.NET
nameserver 192.168.100.1
Tip:

Even if you don't have a DNS server on your network you can still achieve the above configuration by editing the following files:

On the Linux side: /etc/hosts

On the Windows side: %systemroot%\system32\drivers\etc\hosts

Keep in mind, though, that Kerberos and "security = ads" normally locate domain controllers through DNS SRV records (_kerberos._tcp and _ldap._tcp under the domain name). Without a DNS server you must name the KDC explicitly in the [realms] section of /etc/krb5.conf and set dns_lookup_kdc = false there, and set "password server" in smb.conf.

3. Time synchronisation (setting up NTP):

Since Kerberos is time dependent, keeping the time synchronised between the Domain Controller and the Linux server is crucial: with the default settings Kerberos rejects tickets when the two clocks differ by more than 5 minutes. Windows workstations automatically synchronise their clocks with the Active Directory server; to emulate this behaviour on Linux we will use the NTP service.

Open and edit the file /etc/ntp.conf, comment out all the existing server lines and add your Active Directory server or a public NTP pool that is appropriate for your country/location (the domain controller is the better choice, since that is the clock your Kerberos tickets are checked against):

server  youradservername.yourdomainname.local
Example:

# gedit /etc/ntp.conf
server   server.nj180degree.net
Save and exit.
In a terminal window run the following (and enable ntpd at boot with chkconfig, as is done for smb and winbind in step 8):

# service ntpd restart
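A way to script this step, as an added example that is not part of the original post: it sets the clock once with ntpdate (ntpd refuses to step a clock that is more than 1000 seconds off, so a badly wrong clock never converges), starts ntpd, and then checks the remaining offset against Kerberos' default 300-second tolerance. The DC name is the post's example, the 1000 ms "synchronised" threshold is my own choice, and the ntpq parsing assumes the standard ntpq -pn column layout (offset in column 9, in milliseconds, system peer marked with "*").

```bash
#!/bin/sh
# Added example, not from the original post: sync the clock to the DC once,
# start ntpd, and verify the offset is inside Kerberos' 5-minute tolerance.
DC="${DC:-server.nj180degree.net}"   # the post's example DC (assumption)
KRB_MAX_SKEW_S=300                   # Kerberos libdefaults "clockskew" default
SANE_OFFSET_MS=1000                  # my threshold for "ntpd has converged"

# ntpq_offset_ok THRESHOLD_MS   (reads `ntpq -pn` output on stdin)
# Succeeds only if a system peer has been selected ('*' in column 1) and
# its offset (column 9, milliseconds) is within THRESHOLD_MS. No '*' line
# means ntpd is still unsynchronised, which is treated as a failure.
ntpq_offset_ok() {
    awk -v max="$1" '
        /^\*/ { off = $9; if (off < 0) off = -off; found = 1; exit }
        END   { exit !(found && off <= max) }'
}

# skew_ok LOCAL_EPOCH DC_EPOCH [MAX_S]: is |local - dc| within MAX_S seconds?
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "${3:-$KRB_MAX_SKEW_S}" ]
}

# Live part: runs only when called as "sync", so the functions above can be
# sourced and exercised on a box that has no domain controller.
if [ "${1:-}" = "sync" ]; then
    service ntpd stop >/dev/null 2>&1
    # One-shot step of the clock; ntpd alone will not fix an offset > 1000 s.
    ntpdate -u "$DC" || { echo "ntpdate against $DC failed" >&2; exit 1; }
    service ntpd start && chkconfig ntpd on

    # Compare against the DC's own idea of the time as reported by Samba
    # (net time -S prints it in ctime format, which GNU date can parse).
    dc_now=$(date -d "$(net time -S "$DC")" +%s)
    if skew_ok "$(date +%s)" "$dc_now"; then
        echo "clock within ${KRB_MAX_SKEW_S}s of $DC"
    else
        echo "clock differs from $DC by more than ${KRB_MAX_SKEW_S}s; Kerberos will fail" >&2
        exit 1
    fi

    # ntpd needs a few polls before it selects a system peer.
    sleep 60
    if ntpq -pn | ntpq_offset_ok "$SANE_OFFSET_MS"; then
        echo "ntpd synchronised"
    else
        echo "ntpd has no system peer yet or offset > ${SANE_OFFSET_MS} ms; check /etc/ntp.conf" >&2
        exit 1
    fi
fi
```

Run it as "sh ntp-check.sh sync" on the CentOS host; with no argument it only defines the two check functions.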
4. Setting up Kerberos (/etc/krb5.conf):

You have two ways to configure Kerberos: a GUI one and a manual one. Note that CAPITALS and DOTS (.) matter here: realm names are case sensitive, and without upper-case realms in the [realms] and [domain_realm] sections Kerberos will not be able to authenticate against an AD server.

GUI method:

If you prefer to configure Kerberos through the GUI, click System, then Administration, then Authentication. This launches the Authentication Configuration window (authconfig).
Click the Authentication tab, check "Enable Kerberos Support" and then click "Configure Kerberos".
In the "Kerberos Settings" window fill in Realm, KDCs and Admin server, where:
Realm: your domain in upper case, e.g. NJ180DEGREE.NET
KDCs: the Key Distribution Center, which is usually your domain controller, e.g. server.nj180degree.net
Admin server: the host where the administration server is running. Typically this is the master Kerberos server, in our case the domain controller, e.g. server.nj180degree.net

Click OK twice.
Manual approach:

Open and edit the file /etc/krb5.conf, copy and paste the following and replace the domain, realm and server names with yours; don't forget the CAPITALIZATION and the dots (.). The braces of the [realms] and [appdefaults] blocks were lost when this post was published; the [realms] block below uses the same KDC and admin server as the GUI method above, and the pam block carries the values shipped in the stock RHEL 6 krb5.conf.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NJ180DEGREE.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 NJ180DEGREE.NET = {
  kdc = server.nj180degree.net
  admin_server = server.nj180degree.net
 }

[domain_realm]
 .nj180degree.net = NJ180DEGREE.NET
 nj180degree.net = NJ180DEGREE.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Now that this is in place, try to authenticate against the AD server by typing in a terminal:

# kinit Administrator
Password for Administrator@NJ180DEGREE.NET:
A successful authentication produces no output from this command; klist then shows the ticket-granting ticket that was obtained (and kdestroy discards it). If kinit complains about clock skew, go back to step 3.

Tip:

If you configured Kerberos through the GUI method you may find that default_realm is not set. In that case, when you authenticate against the AD server you have to append @THEREALM.LOCAL to the administrator account, e.g.

# kinit Administrator@NJ180DEGREE.NET
Password for Administrator@NJ180DEGREE.NET:
You can add default_realm manually by editing the [libdefaults] section of /etc/krb5.conf after configuring Kerberos through the GUI.

5. Configuring Samba:

Open and edit /etc/samba/smb.conf and in the [global] section change the following settings to match yours (workgroup is the NetBIOS name of the domain, which is usually, but not necessarily, the first label of the DNS domain; realm is the Kerberos realm in upper case):

[global]
   workgroup = NJ180DEGREE
   realm = NJ180DEGREE.NET
   server string = Samba Server Version %v
   preferred master = no

   encrypt passwords = yes
   password server = server.nj180degree.net
   security = ads

   log level = 3
   log file = /var/log/samba/%m
   max log size = 50

   # Samba 3.6 (RHEL/CentOS 6) still accepts these two but logs a deprecation
   # warning; the newer spelling is "idmap config * : range = 16777216-33554431"
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431

   template shell = /bin/bash
   winbind use default domain = yes
   winbind offline logon = true
   # winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   passdb backend = tdbsam

   load printers = yes
   printing = cups
Two notes on these settings. "winbind use default domain = yes" lets domain users log in with the bare user name instead of DOMAIN\user (or DOMAIN+user if you uncomment the separator line), so make sure local and domain user names do not collide. "winbind enum users/groups = yes" lets getent list the whole domain, which is handy for the checks in step 8 but slow on a large domain, so consider turning it off afterwards.
Once you've finished the configuration, save and close the file, check it with testparm, and restart Samba for the configuration to take effect:

# service smb restart
6. Configuring winbind/nsswitch:

On RHEL/CentOS 6 the winbind NSS module is installed by the samba-winbind package. Open and edit the file /etc/nsswitch.conf. This file has various settings depending on your system, but we only need to edit three lines in it:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
Once you've done that, you're almost there.

7. Setting up PAM authentication for Active Directory:

Well, this step still confuses me; I have tried different manual PAM configurations provided by other system administrators, yet I couldn't get the same result on every server; in other words it works on some and doesn't on others. So I decided to let "authconfig" do the job for me, using the GUI:

Click on Administration, then Authentication; this launches the Authentication Configuration window (authconfig).
Click on the Options tab and select the following:
Use shadow passwords
Local authorization is sufficient for local users
Create home directories on the first login

The last option generates home directories on the fly when a user first logs in to the Linux machine.
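The same result can be obtained non-interactively, and in one go with the Kerberos, Samba and nsswitch settings of steps 4 to 6. The following is an added example, not the author's own procedure: it uses the authconfig command-line flags shipped with RHEL/CentOS 6 and the post's example names. It assumes the NetBIOS workgroup is the first label of the DNS domain (the usual case; verify with "net ads workgroup" if the domain was ever renamed). Note that authconfig rewrites /etc/krb5.conf, the AD-related lines of smb.conf and /etc/pam.d/system-auth, so run it before any manual edits to those files, or re-apply them afterwards.

```bash
#!/bin/sh
# Added example, not the post's own procedure: command-line equivalent of the
# GUI choices in steps 4-7, using authconfig's flags on RHEL/CentOS 6.

# ad_realm DOMAIN: Kerberos realm names are case sensitive and upper case.
ad_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# ad_workgroup DOMAIN: first DNS label in upper case, e.g. NJ180DEGREE.
# Assumption: the NetBIOS domain name matches the first DNS label.
ad_workgroup() {
    ad_realm "${1%%.*}"
}

# authconfig_args DOMAIN DC: the flag list, one per line, so it can be
# inspected or checked before being handed to authconfig via xargs.
authconfig_args() {
    domain=$1; dc=$2
    realm=$(ad_realm "$domain")
    cat <<EOF
--enablekrb5
--krb5realm=$realm
--krb5kdc=$dc
--krb5adminserver=$dc
--enablewinbind
--enablewinbindauth
--smbsecurity=ads
--smbrealm=$realm
--smbworkgroup=$(ad_workgroup "$domain")
--smbservers=$dc
--winbindtemplateshell=/bin/bash
--enablewinbindusedefaultdomain
--enablewinbindoffline
--enableshadow
--enablelocauthorize
--enablemkhomedir
EOF
}

# Apply only on request; defaults are the post's example domain and DC.
if [ "${1:-}" = "--apply" ]; then
    domain=${2:-nj180degree.net}; dc=${3:-server.$domain}
    # --test prints what would be written without touching any file;
    # --update writes the files and restarts winbind.
    authconfig_args "$domain" "$dc" | xargs authconfig --test
    authconfig_args "$domain" "$dc" | xargs authconfig --update
fi
```

Run "sh ad-authconfig.sh --apply nj180degree.net server.nj180degree.net" as root. Adding --winbindjoin=Administrator to the flag list makes authconfig run the domain join of step 8 as well; leaving it out keeps the join as a separate, visible step.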
Tip:
About configuring PAM manually:
- It is important to back up the /etc/pam.d directory before you start configuring it manually; a mistake at this stage can lock you out of the whole machine. Log in as root on a virtual terminal and leave that session open until the new configuration has been tested successfully. Note also that on RHEL/CentOS 6 /etc/pam.d/system-auth is a symlink to system-auth-ac, which authconfig regenerates, so keep a copy of your hand-edited version.

- As I mentioned earlier there is no definitive PAM configuration that worked for me everywhere, but the following is the most reliable one, which worked for me on many machines; use it at your own risk.

- Open and edit the file /etc/pam.d/system-auth and replace its contents with the following example:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# local system accounts (uid < 500 on RHEL 6) are never sent to the domain modules
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
# pam_smb_auth is the legacy pam_smb module; being "sufficient", a missing module
# only logs an error and does not block logins
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
# sha512 is the RHEL 6 default hash for local passwords and preferable to md5
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# creates the home directory on first login (the GUI option above)
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
8. Joining the domain

Once you have finished with the configuration files it's time to put it all to the test:

- Restart Samba and winbind:

# service smb restart
# service winbind restart
- Make sure winbind and Samba start in the correct run levels:

# chkconfig --level 345 winbind on
# chkconfig --level 345 smb on
- Add the computer to the domain. You will need an account with domain administrator privileges (or one that has been delegated the right to join computers to the domain); then type in a terminal:

# net ads join -U Administrator@THEREALM.LOCAL
This joins the computer to the domain and creates its machine account; you will be prompted for the Administrator's password.
e.g.

# net ads join -U administrator@NJ180DEGREE.NET
Administrator's password:
Joined 'CENT' to realm 'NJ180DEGREE.NET'.
- Restart winbind once more so that it picks up the new machine account, then check it through some of these commands; just type in:

wbinfo -g (lists groups from the domain)
wbinfo -u (lists users from the domain)
getent passwd (password list, should retrieve domain users as well)
getent group (group list, should retrieve domain groups as well)
Finally open a virtual terminal and try to log on as one of the domain users.
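The checks above, collected into a script as an added example (not from the original post). The file checks are plain text processing and cover the points this post stresses: winbind in all three nsswitch databases, an upper-case default_realm in krb5.conf, and security = ads with the realm in smb.conf. The live checks use net ads testjoin and wbinfo -t, which verify the machine account and its trust secret rather than just enumerating users, plus a DNS SRV lookup (assumes bind-utils for the host command) and a kinit as a domain user whose name you pass as argument. Realm and DC names are the post's examples.

```bash
#!/bin/sh
# Added example, not from the original post: post-join checks for the setup
# described in this tutorial. "files" checks the config files only;
# "live DOMUSER" also talks to the domain controller.
REALM="${REALM:-NJ180DEGREE.NET}"          # the post's example realm (assumption)
DC="${DC:-server.nj180degree.net}"         # the post's example DC (assumption)

# nsswitch_has_winbind FILE: passwd, shadow and group must all list winbind
# (step 6). A missing one shows up as getent not listing domain users or as
# logins failing with "no such user".
nsswitch_has_winbind() {
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
}

# krb5_default_realm FILE: the default_realm value from [libdefaults].
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# krb5_realm_ok FILE EXPECTED: realm present and in the exact upper-case form;
# Kerberos realm names are case sensitive, the point step 4 insists on.
krb5_realm_ok() {
    r=$(krb5_default_realm "$1")
    [ -n "$r" ] && [ "$r" = "$2" ] &&
        [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}

# smbconf_ads_ok FILE REALM: security = ads and the realm set (step 5).
smbconf_ads_ok() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1" &&
        grep -Eq "^[[:space:]]*realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

check_files() {
    nsswitch_has_winbind /etc/nsswitch.conf     || { echo "nsswitch.conf: winbind missing from passwd/shadow/group" >&2; return 1; }
    krb5_realm_ok /etc/krb5.conf "$REALM"       || { echo "krb5.conf: default_realm is not $REALM" >&2; return 1; }
    smbconf_ads_ok /etc/samba/smb.conf "$REALM" || { echo "smb.conf: security = ads / realm not set" >&2; return 1; }
    echo "config files look consistent"
}

check_live() {
    user=${1:?domain user name required}
    # SRV records are how "security = ads" finds the DCs (step 2).
    lower=$(printf '%s' "$REALM" | tr '[:upper:]' '[:lower:]')
    host -t SRV "_ldap._tcp.dc._msdcs.$lower" >/dev/null || { echo "no _ldap._tcp.dc._msdcs SRV record; check resolv.conf" >&2; return 1; }
    service winbind restart >/dev/null         # pick up the new machine account
    net ads testjoin  || { echo "machine account invalid; re-run net ads join" >&2; return 1; }
    wbinfo -t         || { echo "trust secret check against $DC failed" >&2; return 1; }
    wbinfo -u | head -n 3                      # enumeration (winbind enum users = yes)
    # With "winbind use default domain = yes" the bare name is enough;
    # otherwise pass DOMAIN\user (or DOMAIN+user with the '+' separator).
    getent passwd "$user" >/dev/null || { echo "$user is not visible through NSS" >&2; return 1; }
    id "$user"                                 # uid/gid come from the idmap range in smb.conf
    kinit "$user@$REALM" && klist              # prompts for the password; proves krb5.conf and the clock
}

case "${1:-}" in
    files) check_files ;;
    live)  check_files && check_live "$2" ;;
esac
```

Run "sh ad-verify.sh files" before the join and "sh ad-verify.sh live jdoe" after it; a failing step prints which of the earlier sections to revisit.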
