Please create a backup of every configuration file before you start changing it. A mistake in these files can cause serious authentication problems on your server, and you may not be able to log in again if something goes wrong.
Prerequisites:
You need the following packages installed before we start: Kerberos 5, Samba, winbind, OpenLDAP, PAM and nsswitch, as well as ntp.
Steps involved:
Installing needed packages
Local server configuration
Synchronising the time between the Domain Controller and the Samba server
Configuring Kerberos
Configuring Samba
Configuring winbind/nsswitch
Setting up PAM authentication for Active Directory
Joining the domain
Note:
In this tutorial I am going to use a specific domain name and server names for testing and demonstration purposes only; obviously you should use yours:
NJ180DEGREE.NET as the domain name
SERVER.NJ180DEGREE.NET as the Domain Controller
CENT.NJ180DEGREE.NET as the Linux server
"AD" and "ad" stand for Active Directory or Domain Controller throughout this document.
192.168.100.1 is the IP address of the domain controller and DNS server
192.168.100.200 is the IP address of the CentOS server that is to be joined to the Domain Controller
One more thing: my preferred editor is gedit.
1. Installing the required packages
If you are not sure whether the required packages are installed, just type in a terminal:
# yum install samba krb5-workstation krb5-libs pam_krb5 samba-common ntp
2. Local server configuration
Make sure the IP addresses of the Linux machine and the Domain Controller are correctly configured, that a DNS server is up and running on your network, and that the local DNS client points to that DNS server. You can check connectivity by pinging the various NICs and IP addresses.
/etc/hosts
Even if the listed DNS servers work perfectly, it is a good idea to add the important servers to the local /etc/hosts file: in case of a DNS failure we can still reach the Domain Controller through this file, and it can also speed up name lookups.
Edit the file /etc/hosts using your preferred editor and add the line:
ip.address.of.ad.domain.controller youradservername.yourdomainname.local hostname.of.ad.server
Example:
# gedit /etc/hosts
192.168.100.200 CENT.NJ180DEGREE.NET CENT
192.168.100.1 SERVER.NJ180DEGREE.NET SERVER
Put the fully qualified name first and the short name after it, and keep the fully qualified names identical to what DNS returns, so that "hostname -f" on the Linux box and the name the Domain Controller knows it by agree.
Save and exit.
/etc/resolv.conf
The resolv.conf file is the resolver configuration file. It configures client-side access to DNS and defines which name servers are used to resolve hostnames and IP addresses.
Edit the file /etc/resolv.conf using your preferred editor and add the lines:
search yourdomain.local
nameserver ip.address.of.ad.domain.dns.server
Save and exit.
Note that this IP address is that of the domain's DNS server, NOT necessarily that of the Domain Controller; if, as in this example, the DNS server runs on the Domain Controller, the same IP address goes in here. The name server must be able to answer for the AD zone, because both Kerberos (with dns_lookup_kdc enabled) and the domain join locate the Domain Controller through the _kerberos._tcp and _ldap._tcp SRV records of that zone.
Example:
# gedit /etc/resolv.conf
search NJ180DEGREE.NET
nameserver 192.168.100.1
Tip:
Even if you have no DNS server on your network you can still get the above working by editing the hosts files instead:
On the Linux side: /etc/hosts
On the Windows side: %systemroot%\system32\drivers\etc\hosts
A hosts file cannot supply the SRV records mentioned above, so in that case the explicit kdc and admin_server entries in /etc/krb5.conf and the password server entry in smb.conf are what let the Linux box find the Domain Controller.
3. Time synchronisation (setting up NTP):
Since Kerberos is time-dependent, keeping the clocks of the Domain Controller and the Linux server in sync is crucial: by default both MIT Kerberos and Active Directory reject tickets when the two clocks differ by more than five minutes. Windows workstations automatically synchronise their clocks with the Active Directory server; to emulate this behaviour on Linux we will use the NTP service.
Open /etc/ntp.conf, comment out all existing "server" lines and add your Active Directory server, or a public NTP pool appropriate for your country/region:
server youradservername.yourdomainname.local
Example:
# gedit /etc/ntp.conf
server server.nj180degree.net
Save and exit.
In a terminal window run:
# service ntpd restart
If the clock is already far off, set it once with ntpdate against the AD server (with ntpd stopped) before restarting ntpd, since ntpd corrects large offsets slowly or, beyond about 1000 seconds, refuses to correct them at all. Afterwards "ntpq -p" should show an asterisk in front of the AD server and a small offset, and ntpd should be enabled at boot with chkconfig like the other services in step 8.
4. Setting up Kerberos (/etc/krb5.conf):
There are two ways to configure Kerberos: through the GUI or by hand. Note that CAPITALS and DOTS (.) matter here: realm names are case-sensitive, and without the realm in upper case and the domain-realm mappings in lower case Kerberos will not be able to find or talk to the AD server.
GUI method:
If you prefer to configure Kerberos through the GUI, click System, select Administration and click Authentication. This launches the Authentication Configuration window (authconfig).
Click the Authentication tab, check "Enable Kerberos Support", then click "Configure Kerberos".
In the "Kerberos Settings" window fill in Realm, KDCs and Admin Server, where:
Realm: your domain in upper case, e.g. NJ180DEGREE.NET
KDCs: the Key Distribution Center, which in an AD domain is your domain controller, e.g. server.nj180degree.net
Admin Server: the host where the administration server is running; typically this is the master Kerberos server, in our case again the domain controller, e.g. server.nj180degree.net
Click OK twice.
Manual method:
Open /etc/krb5.conf, paste in the following and replace the NJ180DEGREE.NET and server.nj180degree.net entries with yours, keeping the CAPITALIZATION and the dots (.). The [realms] block names the same KDC and admin server as the GUI method; the pam block under [appdefaults] is the stock CentOS one:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = NJ180DEGREE.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 NJ180DEGREE.NET = {
  kdc = server.nj180degree.net
  admin_server = server.nj180degree.net
 }
[domain_realm]
 .nj180degree.net = NJ180DEGREE.NET
 nj180degree.net = NJ180DEGREE.NET
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Now that this is done, test the connection to the AD server by typing in a terminal:
# kinit Administrator
Password for Administrator@NJ180DEGREE.NET:
A successful authentication produces no output from this command; run "klist" afterwards and you should see a ticket for krbtgt/NJ180DEGREE.NET@NJ180DEGREE.NET. Two errors are worth recognising: "Clock skew too great" means step 3 is not done, and "Cannot find KDC for requested realm" means the realm name, the [realms] block or DNS is wrong.
Tip:
If you configured Kerberos through the GUI there is no way to set default_realm there, so when you authenticate against the AD server you have to append the realm (THEREALM.LOCAL) to the account name, e.g.
# kinit Administrator@NJ180DEGREE.NET
Password for Administrator@NJ180DEGREE.NET:
You can add default_realm by hand to the [libdefaults] section of /etc/krb5.conf after configuring Kerberos through the GUI.
5. Configuring Samba:
Open /etc/samba/smb.conf and, in the [global] section, change the following settings (the workgroup, realm and password server lines are the ones that must match your domain):
[global]
 workgroup = NJ180DEGREE
 realm = NJ180DEGREE.NET
 server string = Samba Server Version %v
 preferred master = no
 encrypt passwords = yes
 password server = server.nj180degree.net
 security = ads
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 template shell = /bin/bash
 winbind use default domain = yes
 winbind offline logon = yes
 # winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind nested groups = yes
 passdb backend = tdbsam
 load printers = yes
 printing = cups
A few notes on these values: workgroup is the NetBIOS (pre-Windows 2000) name of the domain, which is usually but not always the first label of the realm; security = ads together with realm is what makes this a Kerberos-authenticated domain member; idmap uid and idmap gid give the range winbind allocates Linux uids and gids from, which must not overlap local accounts (this is the Samba 3.0 syntax, later releases spell it "idmap config * : range"); winbind offline logon caches credentials locally so that cached domain users can still log in when the Domain Controller is unreachable, which is convenient for laptops but means those cached credentials live on the local disk; winbind enum users/groups makes getent list the whole domain, handy for testing but slow on a large domain; and log level = 3 is verbose, so lower it once things work.
Once you have finished the configuration, save and close the file, then restart Samba for the configuration to take effect:
# service smb restart
6. Configuring winbind/nsswitch:
The winbind package is part of samba-common. Open /etc/nsswitch.conf; it contains many entries specific to your system, but we only need to edit three lines in it:
passwd:     files winbind
shadow:     files winbind
group:      files winbind
Keep "files" first on each line so that root and the other local accounts still resolve if winbindd or the Domain Controller is down. Once that is done you are almost there.
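Before touching PAM it is worth checking that the three files written in steps 4 to 6 agree with each other, because the mistakes that break a join (a lower-case realm, a domain_realm mapping pointing at another realm, security not set to ads, winbind missing from nsswitch) are easy to make and hard to spot in the logs. The script below is an added example written for this tutorial, not part of the original page or of Samba; it assumes the NJ180DEGREE.NET layout used above, takes the three file paths as arguments, and carries a constructed sample of each file so its checks can be tried without a domain.

```shell
#!/bin/sh
# Preflight check for krb5.conf, smb.conf and nsswitch.conf (added example,
# not part of the original tutorial). Each check reads the file on stdin and
# prints one line per problem found; preflight fails if anything was printed.

# Print the value of the first uncommented "key = value" line on stdin.
conf_value() {
    awk -v k="$1" -F= '
        $0 !~ /^[ \t]*[#;]/ && NF >= 2 {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }
        }'
}
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Kerberos realm names are case sensitive: default_realm must be upper case,
# [domain_realm] keys lower case, and the KDC must be reachable either through
# an explicit [realms] block or through DNS SRV lookup (dns_lookup_kdc).
check_krb5() {
    text=$(cat)
    realm=$(printf '%s\n' "$text" | conf_value default_realm)
    [ -n "$realm" ] || { echo 'krb5.conf: default_realm is missing'; return; }
    [ "$realm" = "$(upper "$realm")" ] \
        || echo "krb5.conf: default_realm '$realm' must be upper case"
    if ! printf '%s\n' "$text" | grep -q "^[[:space:]]*$realm[[:space:]]*="; then
        [ "$(printf '%s\n' "$text" | conf_value dns_lookup_kdc)" = "true" ] \
            || echo "krb5.conf: no [realms] entry for $realm and dns_lookup_kdc is not true"
    fi
    printf '%s\n' "$text" |
    awk '/^[[:space:]]*\[domain_realm\]/ { s = 1; next } /^[[:space:]]*\[/ { s = 0 } s && /=/' |
    while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | tr -d '[:space:]')
        [ "$key" = "$(lower "$key")" ] || echo "krb5.conf: domain_realm key '$key' must be lower case"
        [ "$val" = "$realm" ] || echo "krb5.conf: domain_realm '$key' maps to '$val', not '$realm'"
    done
}

# smb.conf must describe an AD member whose realm matches krb5.conf and whose
# idmap ranges are well formed, otherwise winbind allocates no uids at all.
check_smb() {
    text=$(cat)
    [ "$(printf '%s\n' "$text" | conf_value security)" = "ads" ] \
        || echo 'smb.conf: security must be "ads" for a domain member'
    realm=$(printf '%s\n' "$text" | conf_value realm)
    [ "$realm" = "$1" ] || echo "smb.conf: realm '$realm' differs from krb5 default_realm '$1'"
    for key in 'idmap uid' 'idmap gid'; do
        printf '%s\n' "$text" | conf_value "$key" | grep -Eq '^[0-9]+-[0-9]+$' \
            || echo "smb.conf: '$key' must be a low-high range such as 16777216-33554431"
    done
}

# Local files must come before winbind so root still resolves when winbindd
# or the domain controller is down.
check_nsswitch() {
    text=$(cat)
    for db in passwd shadow group; do
        printf '%s\n' "$text" |
        grep -Eq "^[[:space:]]*$db:[[:space:]]+files([[:space:]]+[a-z0-9_]+)*[[:space:]]+winbind" \
            || echo "nsswitch.conf: '$db' must list files before winbind"
    done
}

# preflight KRB5 SMB NSS: print every problem and fail if there is any.
preflight() {
    realm=$(conf_value default_realm < "$1")
    problems=$( { check_krb5 < "$1"; check_smb "$realm" < "$2"; check_nsswitch < "$3"; } )
    [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
    echo "preflight OK: realm $realm"
}

# Constructed samples mirroring the tutorial's configuration (not real files).
SAMPLE_KRB5='[libdefaults]
 default_realm = NJ180DEGREE.NET
 dns_lookup_kdc = true
[realms]
 NJ180DEGREE.NET = {
  kdc = server.nj180degree.net
 }
[domain_realm]
 .nj180degree.net = NJ180DEGREE.NET
 nj180degree.net = NJ180DEGREE.NET'
SAMPLE_SMB='[global]
 workgroup = NJ180DEGREE
 realm = NJ180DEGREE.NET
 security = ads
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431'
SAMPLE_NSS='passwd: files winbind
shadow: files winbind
group:  files winbind'

# Usage: sh preflight.sh /etc/krb5.conf /etc/samba/smb.conf /etc/nsswitch.conf
if [ $# -eq 3 ]; then preflight "$1" "$2" "$3"; fi
```

The checks are deliberately line-oriented (awk and grep only) so they run on a bare CentOS box before any of the domain tooling works; a realm check that passes here but still fails at kinit points at DNS or the clock rather than at the files.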
7. Setting up PAM authentication for Active Directory:
Well, this step is still confusing to me. I have tried several manual PAM configurations provided by other system administrators, but I could not get the same result on every server; in other words, it works on some and not on others. So I decided to let "authconfig" do the job for me through the GUI:
Click System, then Administration, then Authentication; this launches the Authentication Configuration window (authconfig).
Click the Options tab and select the following:
Use shadow passwords
Local authorization is sufficient for local users
Create home directories on the first login
The last option generates home directories on the fly when a user logs in to the Linux machine for the first time.
Tip:
About configuring PAM manually:
- It is essential to back up the /etc/pam.d directory before you start editing it by hand; a mistake at this stage can lock you out of the whole machine. Log in as root on a virtual terminal and leave that session open until the new configuration has been tested successfully.
- As I mentioned earlier, no single PAM configuration worked for me everywhere, but the following is the one that worked on most of my machines; use it at your own risk.
- Open /etc/pam.d/system-auth and replace its contents with the following example:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
- Two things to keep in mind with this file: the requisite "uid >= 500" line means that system accounts, root included, are never sent to Kerberos or winbind and always authenticate locally; and nullok on pam_unix lets a local account with an empty password field log in, so drop it on a server unless you really depend on it.
8. Joining the domain
Once you are done with the configuration files it is time to put it all to the test:
- Restart Samba and winbind:
# service smb restart
# service winbind restart
(or, equivalently: # /etc/init.d/winbind restart ; /etc/init.d/smb restart)
- Make sure winbind and Samba start in the correct run levels:
# chkconfig --level 345 winbind on
# chkconfig --level 345 smb on
- Add the computer to the domain. You will need an account with domain administrator privileges (or one that has been delegated the right to join computers to the domain), then type in a terminal:
# net ads join -U Administrator@THEREALM.LOCAL
This joins the computer to the domain; the Administrator's password has to be entered when you are asked for it.
e.g.
# net ads join -U administrator@NJ180DEGREE.NET
Administrator's password:
Joined 'CENT' to realm 'NJ180DEGREE.NET'.
Restart winbind once more after the join so that it picks up the new machine account, then confirm the membership with "net ads testjoin" (re-checks the join) and "wbinfo -t" (verifies the machine account's trust secret against the Domain Controller).
- Check winbind through some of these commands, just type:
wbinfo -g (lists groups from the domain)
wbinfo -u (lists users from the domain)
getent passwd (password list, should retrieve domain users as well)
getent group (group list, should retrieve domain groups as well)
Finally open a virtual terminal and try to log on as one of the domain users. Because of winbind use default domain = yes, users of this domain log in with their plain account name (jdoe) rather than NJ180DEGREE\jdoe.
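Once the join has succeeded, a practitioner wants a repeatable check that winbindd is alive, the machine account's trust is good, the clock is within the Kerberos skew limit and domain users resolve with uids that winbind, not /etc/passwd, allocated. The script below is an added example written for this tutorial, not part of the original page or of Samba; it assumes the idmap range from step 5 and the five minute skew limit, and its two parsing helpers take their input on stdin or as an argument so they can be exercised without a domain.

```shell
#!/bin/sh
# Post-join checks for a Samba/winbind AD member (added example, not part of
# the original tutorial). Assumes the tutorial's idmap range and the default
# 300 s Kerberos clock-skew limit; wbinfo, net, ntpq and getent come with the
# samba-common, samba, ntp and glibc packages on CentOS.

max_skew_ms=300000       # MIT krb5 and AD reject tickets beyond 300 s of skew
idmap_lo=16777216        # idmap uid/gid range from smb.conf
idmap_hi=33554431

# Read an `ntpq -pn` listing on stdin and succeed if the offset of the
# selected peer (the line starting with '*') is inside the skew window.
# ntpq prints the offset in milliseconds in the ninth column.
ntp_offset_ok() {
    offset=$(awk '/^\*/ { print $9; exit }')
    [ -n "$offset" ] || return 1                     # no peer selected yet
    abs=$(printf '%s' "$offset" | tr -d '-' | cut -d. -f1)
    [ "${abs:-0}" -le "$max_skew_ms" ]
}

# Given one `getent passwd` line, succeed if its uid lies inside the idmap
# range, i.e. winbind allocated it and the account is not a local one.
uid_from_winbind() {
    uid=$(printf '%s' "$1" | cut -d: -f3)
    [ "$uid" -ge "$idmap_lo" ] && [ "$uid" -le "$idmap_hi" ]
}

# Run the live checks against the domain; $1 is a domain user to resolve.
verify_join() {
    wbinfo -p > /dev/null        || { echo 'winbindd is not answering (wbinfo -p)'; return 1; }
    wbinfo -t > /dev/null        || { echo 'machine account trust check failed (wbinfo -t)'; return 1; }
    net ads testjoin > /dev/null || { echo 'net ads testjoin failed: not a valid domain member'; return 1; }
    ntpq -pn | ntp_offset_ok     || { echo 'clock offset to the NTP peer exceeds the 5 minute limit'; return 1; }
    line=$(getent passwd "$1")   || { echo "user $1 is not resolvable through nsswitch"; return 1; }
    uid_from_winbind "$line"     || { echo "uid of $1 is outside the idmap range; check idmap uid/gid"; return 1; }
    echo "OK: $line"
}

# Usage: sh verify_join.sh run jdoe
if [ "${1:-}" = run ]; then verify_join "${2:-administrator}"; fi
```

The order of the live checks matters: wbinfo -p fails when winbindd is simply not running, wbinfo -t and net ads testjoin fail when the join or the machine password is bad, and only then is it worth looking at name resolution, so the first failing line tells you which step of the tutorial to revisit.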