-
22nd March 2009, 04:07 AM
#1
How To: Attach a Fedora/RHEL/CentOS system to an Active Directory Domain
Below is a step by step outline of how to configure a Linux Samba fileserver to use an Active Directory domain for authentication and authorization in place of flat files. Note that this configuration has been replicated using Fedora 10, RHEL 5.3 and CentOS 5 since they all more or less share the same code base. The name of the example server in this document is server1.domain.forest.org, substitute correctly where appropriate. At the very least the following packages must also be installed:
samba
samba-common
samba-client
krb5-workstation
openldap-clients
It would be prudent to understand the underlying concepts of how Kerberos and Samba work prior to deploying this type of server. I find that SE-Linux will interfere with Samba services, particularly with winbind. I usually set SE-Linux to be in a permissive mode. It is possible to update the SE-Linux policies but that is outside the scope of this document, i.e. you’re on your own. In some cases I turned SE-Linux off since it was causing winbind to stop responding.
1. Set NTP to use the correct server for your Active Directory domain:
shell> system-config-time
Set the primary NTP server to be your domain/forest NTP server
2. Make backups of and edit the following system configuration files:
a. shell> cp /etc/resolv.conf /etc/resolv.conf.bak
b. shell> vi /etc/resolv.conf
nameserver dns_server1_ip_address
nameserver dns_server2_ip_address
search domain.forest.org
c. shell> cp /etc/nsswitch.conf /etc/nsswitch.conf.bak
d. shell> vi /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
e. shell> cp /etc/hosts /etc/hosts.bak
f. shell> vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.1.50 server1.domain.forest.org server1
g. shell> cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
h. shell> vi /etc/samba/smb.conf
[global]
workgroup = DOMAIN
netbios name = SERVER1
realm = DOMAIN.FOREST.ORG
server string = SERVER1
security = ADS
password server = kdc_server_ip_address
log level = 5
log file = /var/log/samba/log.smbd
max log size = 50
server signing = AUTO
client use spnego = YES
ntlm auth = YES
lanman auth = NO
use kerberos keytab = YES
encrypt passwords = YES
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = NO
domain master = NO
dns proxy = NO
idmap uid = 10000-30000000
idmap gid = 10000-30000000
template shell = /bin/false
winbind enum users = NO
winbind enum groups = NO
winbind use default domain = YES
winbind refresh tickets = YES
i. shell> cp /etc/krb5.conf /etc/krb5.conf.bak
j. shell> vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.FOREST.ORG
dns_lookup_realm = true
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.FOREST.ORG = {
kdc = fqdn_kdc.domain.forest.org.:88
admin_server = fqdn_kdc.domain.forest.org.
}
[domain_realm]
.domain.forest.org = DOMAIN.FOREST.ORG
domain.forest.org = DOMAIN.FOREST.ORG
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
k. shell> /etc/init.d/smb start
l. shell> /etc/init.d/winbindd start
Note that the smb and winbindd daemons need to be started and set to start up on boot. In addition the appropriate TCP ports will need to be opened on the system firewall if you are deploying an SMB/CIFS fileserver.
3. Create a computer record in your Active Directory OU Computers container:
For server1.domain.forest.org I created a computer record called server1
4. Initialize Kerberos on the Linux server and attach it to the Active Directory domain:
a. shell> kinit username
b. shell> net ads join -U username
5. Verify the bind to AD is valid:
a. shell> net ads info
LDAP server: ldap_server_ip_address
LDAP server name: fqdn_ldap_server
Realm: DOMAIN.FOREST.ORG
Bind Path: dc=DOMAIN,dc=FOREST,dc=ORG
LDAP port: 389
Server time: Mon, 12 Nov 2007 12:00:00 PST
KDC server: kdc_server_ip_address
Server time offset: 0
b. shell> net ads testjoin
Join is OK
6. Create a Kerberos /etc/krb5.keytab file:
shell> net ads keytab create
7. Verify the contents of the Kerberos keytab file:
shell> klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
3 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
3 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
4 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
8. Restart the server:
shell> shutdown -r now
9. Add a share that has access restricted to an Active Directory group:
a. shell> mkdir /data
b. shell> vi /etc/samba/smb.conf
After the [homes] section add the following text:
[data]
comment = Data Directory
path = /data
valid users = @"DOMAIN\AD_Group"
writable = yes
browseable = yes
Substitute DOMAIN\AD_Group with an AD group that will be accessing this share.
c. shell> /etc/init.d/smb restart
Last edited by aphilipoff; 9th April 2009 at 03:15 AM.
Reason: simplified krb5.keytab creation process
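The script below is an added example and is not part of aphilipoff's post. It audits the files edited in steps 2, 5 and 7 against what the How-To asks for: nsswitch must consult winbind for passwd and group, smb.conf must use security = ADS with a realm that matches default_realm in krb5.conf, and the keytab listing from klist -ke is scanned for single-DES keys, which RFC 6649 deprecates. File paths default to the real system files but can be passed as arguments so the checks run against copies; the function names and the sample file contents in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the local
# configuration against the How-To's settings. Paths are parameters so
# the checks can be run against copies of the files.

# Print the value of "key = value" from a Samba/krb5-style config file,
# case-insensitive on the key; prints nothing if the key is absent.
conf_get() {
    # $1 = file, $2 = key
    awk -F= -v key="$2" '
        { k=$1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v=$0; sub(/^[^=]*=/, "", v); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Step 2d: passwd and group must list winbind, otherwise the join
# succeeds but AD users never resolve on the server.
check_nsswitch() {
    f="${1:-/etc/nsswitch.conf}"
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$f" \
            || { echo "nsswitch: '$db' does not list winbind"; return 1; }
    done
    echo "nsswitch: ok"
}

# Step 2h/2j: security = ADS, and the realm in smb.conf must equal
# default_realm in krb5.conf, written in upper case as the How-To shows.
check_realm() {
    smb="${1:-/etc/samba/smb.conf}"; krb="${2:-/etc/krb5.conf}"
    sec=$(conf_get "$smb" security)
    [ "$(echo "$sec" | tr '[:lower:]' '[:upper:]')" = "ADS" ] \
        || { echo "smb.conf: security is '$sec', expected ADS"; return 1; }
    realm=$(conf_get "$smb" realm)
    def=$(conf_get "$krb" default_realm)
    [ -n "$realm" ] && [ "$realm" = "$def" ] \
        || { echo "realm mismatch: smb.conf='$realm' krb5.conf='$def'"; return 1; }
    case "$realm" in *[[:lower:]]*) echo "realm '$realm' is not upper-case"; return 1;; esac
    echo "realm: ok ($realm)"
}

# Step 7: read 'klist -ke' output (file, or '-' for stdin) and report every
# principal that still carries a single-DES key (RFC 6649 deprecates them).
check_keytab_enctypes() {
    weak=$(grep -Ei 'des cbc' "${1:--}" | awk '{print $2}' | sort -u)
    if [ -n "$weak" ]; then
        echo "weak DES enctypes present for:"; echo "$weak" | sed 's/^/  /'
        return 1
    fi
    echo "keytab: no single-DES keys"
}

# Step 5: live verification of the join and clock offset (needs 'net').
check_join() {
    command -v net >/dev/null 2>&1 || { echo "net not installed"; return 1; }
    net ads testjoin && net ads info | grep 'Server time offset'
}

# Usage on the joined server: sh ad_audit.sh check
if [ "${1:-}" = "check" ]; then
    check_nsswitch
    check_realm
    klist -ke | check_keytab_enctypes -
    check_join
fi
```

Each check returns non-zero on the first problem it finds, so the script can be dropped into a cron job or a post-install hook; the realm comparison is exact (not case-insensitive) because Kerberos realm names are case-sensitive and the How-To relies on the upper-case form in both files.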
-
22nd March 2009, 07:15 PM
#2
Do you know a way how shared drives on a Windows file server authenticated with Windows AD can be auto-mounted on a Linux box?
The admin should be able to manage the shares (i.e. which user should get which share) from the Windows AD box (centrally).
So the /etc/fstab or the pam_mount will not work in this case.
I was looking for a solution for a client of ours... hence this question here.
-
22nd March 2009, 10:26 PM
#3
All is well except I cannot login to Fedora with AD user info
aphilipoff,
Thanks for a good how to. Fedora (My samba server) joined my AD network and all is working well for me, I can browse and access shares in Fedora from the XP clients or from Fedora itself with AD users.
The only problem I'm having is I cannot login interactively into Fedora with AD users.
kinit, net ads, and getent all give me positive results.
In AD, I gave Admin and Myself Full Control over Fedora.
Nevertheless, I cannot login into Fedora using those two accounts, do you have any idea what I'm missing?
Thanks
-
23rd March 2009, 02:24 AM
#4
In terms of auto-mounting SMB shares on login, I would suggest looking at autofs:
http://www.howtoforge.com/accessing_...s_using_autofs
I have not done this yet since most of my work with Linux and AD are server related.
-
23rd March 2009, 02:42 AM
#5
For interactive logins and remote SSH logins on AD attached Linux systems:
You can configure PAM (Pluggable Authentication Modules) to use AD logins/passwords for SSH, to limit access to sshd to specific local and AD groups and to create a home directory upon first login.
1. Shell> cp -R /etc/pam.d/ /root/backup (make a backup of /etc/pam.d before starting)
2. Shell> vi /etc/pam.d/sshd
Comment out line 4, open a new line for each group that is being granted access to sshd. Then after the last “session required” entry open a new line and add “session required pam_mkhomedir.so skel=/etc/skel umask=0022”. This will create a home directory for a user upon first login if one does not exist.
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
#account include system-auth
account sufficient pam_succeed_if.so user ingroup local_group_name
account sufficient pam_succeed_if.so user ingroup AD_group_name
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Replace local_group_name and AD_group_name with your local and AD group names. Note that the group names cannot contain a space. Also make sure that at least one local group is added, otherwise you will not be able to SSH into your own server with a local account.
3. Shell> mkdir /home/DOMAIN (where DOMAIN = the name of the AD domain where the users of your AD group are located)
Now try logging in as a user in the AD group that has access to sshd via an SSH shell. As you login the following message should appear in your terminal window: “Creating directory '/home/DOMAIN/username'”.
Last edited by aphilipoff; 9th April 2009 at 05:08 AM.
Reason: correcting errors
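The checks below are an added example, not part of aphilipoff's post. They guard against the lockout the post warns about: the edited /etc/pam.d/sshd must grant at least one group that is defined locally in /etc/group (winbind-provided AD groups are not), and the pam_mkhomedir.so session line must come after the system-auth session include, where the post places it. Paths are parameters so the check can be run on a copy before the file is put in place; the function names and the sample files used in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: validate an edited
# /etc/pam.d/sshd against the two pitfalls the post describes.

# Print the group names granted by
# "account sufficient pam_succeed_if.so user ingroup <group>" lines.
pam_ingroups() {
    # $1 = pam.d/sshd file
    awk '$1=="account" && $3=="pam_succeed_if.so" {
             for (i = 4; i < NF; i++) if ($i == "ingroup") print $(i+1)
         }' "$1"
}

# A group counts as local if /etc/group defines it. Succeed only if at
# least one granted group is local, otherwise local accounts lose SSH.
check_local_group_present() {
    pam="${1:-/etc/pam.d/sshd}"; grp="${2:-/etc/group}"
    found=0
    for g in $(pam_ingroups "$pam"); do
        if grep -q "^${g}:" "$grp"; then
            found=1; echo "local group granted: $g"
        else
            echo "non-local group granted (AD or typo): $g"
        fi
    done
    [ "$found" -eq 1 ] \
        || { echo "no local group in pam_succeed_if lines: local accounts would be locked out"; return 1; }
}

# pam_mkhomedir.so must follow "session include system-auth"; compare
# the line numbers of the two entries.
check_mkhomedir_order() {
    pam="${1:-/etc/pam.d/sshd}"
    inc=$(awk '$1=="session" && $2=="include" && $3=="system-auth" {print NR; exit}' "$pam")
    mk=$(awk '$1=="session" && $3=="pam_mkhomedir.so" {print NR; exit}' "$pam")
    [ -n "$inc" ] && [ -n "$mk" ] && [ "$mk" -gt "$inc" ] \
        || { echo "pam_mkhomedir.so missing or placed before 'session include system-auth'"; return 1; }
    echo "mkhomedir order: ok"
}

# Usage on the server, before reconnecting over SSH:
#   sh pam_sshd_check.sh check /etc/pam.d/sshd
if [ "${1:-}" = "check" ]; then
    check_local_group_present "${2:-/etc/pam.d/sshd}" && check_mkhomedir_order "${2:-/etc/pam.d/sshd}"
fi
```

Run it from a session that is already open, and keep that session open until both checks pass; a second SSH login from another terminal is the final test that the local group still gets through.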
-
23rd March 2009, 04:46 PM
#6
Thanks for your reply.
The auto mount, setting the /etc/fstab, pam_mount or the automount will mount the Windows shares no doubt, but which user should get which shares cannot be centrally managed from the Windows AD end. If you need to change the mount options the admin will have to ssh into the users' machines to make the changes in the respective files.
So around 300 desktop users who are looking to migrate to Linux from Windows cannot be managed centrally from the Windows AD.
Thanks.
-
26th March 2009, 05:53 PM
#7
Which krb5 package do you mean to install? There's no krb5-client package in Fedora 10 or RHEL5.
Cheers
Duncan
P.S. Excellent HOWTO.
Last edited by drunkahol; 26th March 2009 at 05:55 PM.
Reason: be thankful
-
26th March 2009, 06:09 PM
#8
Sorry I meant krb5-workstation. Thanks for catching that, I corrected that in the How-To.
-
29th March 2009, 06:16 PM
#9
Hi there aphilipoff ,
Thanks for the great tutorial , I followed your instructions on my Centos 5.2
I have few more questions:
1. In /etc/krb5.conf, is the dot after org a typo? And why did you set dns_lookup_kdc = false?
[realms]
}
DOMAIN.FOREST.ORG = {
kdc = fqdn_kdc.domain.forest.org.:88
admin_server = fqdn_kdc.domain.forest.org.
}
2. what settings did you use in /var/kerberos/krb5kdc/kdc.conf ?
..
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
..
3. I had issues connecting via SSH (from putty)
I got: Server refused to allocate pty
Thanks in advance
Last edited by grimshnakh; 29th March 2009 at 06:22 PM.
-
29th March 2009, 08:32 PM
#10
Q: In /etc/krb5.conf, is the dot after org a typo? And why did you set dns_lookup_kdc = false?
A: The trailing dot is not a typo. The dns_lookup_kdc = false setting is the default in /etc/krb5.conf. Almost all articles on attaching Linux systems to AD domains specify these same settings.
Q: What settings did you use in /var/kerberos/krb5kdc/kdc.conf ?
A: None, editing that section of /etc/krb5.conf should only be required if your server is a KDC.
Q: I had issues connecting via SSH (from putty). I got: Server refused to allocate pty.
A: Sorry, I have not seen that error message on our servers, so I don't know what the cause of the error message might be. I searched for "Server refused to allocate pty" on Google and the following URL seems to imply that it may be a bug in putty that can be resolved by updating to a newer version of putty:
http://www.derkeiler.com/Newsgroups/.../msg00020.html
-
29th March 2009, 10:33 PM
#11
Thanks a lot for the prompt reply!
You've been extremely helpful!