Centralized account management. A workable approach is to keep the accounts in Active Directory and have the Linux clients read user and group information over LDAP (nss_ldap) while checking passwords with Kerberos (pam_krb5); the steps below set that up on a RHEL 5 client.
Pre-requisites:
# yum install authconfig*
# yum install openldap*
# yum install samba-3.0*
The NSS/PAM modules themselves come from the nss_ldap and pam_krb5 packages, and krb5-workstation provides kinit/klist for testing; all three are part of the RHEL 5 base install. The client's clock also has to be in sync with the domain controller (run ntpd against it): Kerberos rejects requests once the skew exceeds five minutes, the AD default.
To set up AD LDAP authentication on a Linux client server:

Your computer name has to be listed in /etc/hosts, with the fully qualified name on the line for the host's real address rather than on the loopback line: net ads join builds the servicePrincipalName from that FQDN, and its DNS domain must match the AD domain. E.g.
127.0.0.1 localhost.localdomain localhost
#::1 localhost6.localdomain6 localhost6
10.32.11.34 smb1.yourdomain.com smb1
Modify /etc/samba/smb.conf

security = ads makes Samba authenticate to the domain with Kerberos, and the idmap lines tell winbind to take uid/gid values from the Services for UNIX attributes in AD (schema_mode = sfu); use schema_mode = rfc2307 on domains that carry the RFC 2307 uidNumber/gidNumber attributes instead. Because winbind is not enabled in nsswitch.conf in this setup, those mappings only affect access to Samba shares.

[global]
workgroup = YOURDOMAIN
password server = 10.32.11.11
realm = YOURDOMAIN.COM
security = ads
idmap domains = YOURDOMAIN
idmap config YOURDOMAIN:backend = ad
idmap config YOURDOMAIN:default = yes
idmap config YOURDOMAIN:schema_mode = sfu
winbind enum users = No
winbind enum groups = No
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
Join AD domain

The join creates the machine account that Samba needs for security = ads; the LDAP + Kerberos login path below does not depend on it, so this step only matters if the host also serves SMB shares. Any account allowed to create computer objects in the target OU can perform the join; a domain administrator is not required.
# net ads join -U Administrator
# net ads testjoin
# net ads info
Run authconfig

From the command line. This writes /etc/ldap.conf, /etc/krb5.conf and /etc/pam.d/system-auth; --enableldap turns on nss_ldap lookups, --enableldapauth adds pam_ldap to the PAM stack (the TUI screen below calls this "Use LDAP Authentication"; leave it out if you do not want the LDAP simple-bind fallback), and --enableldaptls should be added once the DC's CA certificate is in /etc/openldap/cacerts:
# authconfig --enablemd5 --enableshadow --enableldap --enableldapauth --enablekrb5 \
    --ldapserver=10.32.11.11 --ldapbasedn=dc=yourdomain,dc=com \
    --krb5realm=YOURDOMAIN.COM --krb5kdc=10.32.11.11:88 \
    --krb5adminserver=10.32.11.11:749 --updateall

From the menu: authconfig-tui
Authentication Configuration

  User Information            Authentication
  [*] Cache Information       [*] Use MD5 Passwords
  [ ] Use Hesiod              [*] Use Shadow Passwords
  [*] Use LDAP                [*] Use LDAP Authentication
  [ ] Use NIS                 [*] Use Kerberos
  [ ] Use Winbind             [ ] Use SMB Authentication
                              [ ] Use Winbind Authentication
                              [ ] Local authorization is sufficient
                                              [Cancel]  [Next]

LDAP Settings

  [ ] Use TLS
  Server:  10.32.11.11
  Base DN: dc=yourdomain,dc=com
                                              [Back]  [Next]

Kerberos Settings

  Realm:        YOURDOMAIN.COM
  KDC:          10.32.11.11:88
  Admin Server: 10.32.11.11:749
  [ ] Use DNS to resolve hosts to realms
  [ ] Use DNS to locate KDCs for realms
                                              [Back]  [Ok]
Modify /etc/ldap.conf

In this example the bind account is "ldapbd", located in the AD container "Users". Use a dedicated account that can only read the directory and give it a strong password (not the user name): nss_ldap stores that password in clear text in this file on every client. Two settings matter beyond the attribute mappings: referrals no, because AD returns referrals on subtree searches of the domain root and chasing them makes every lookup slow or hang; and nss_initgroups_ignoreusers, which stops local system accounts from triggering LDAP group lookups at boot.

# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 Exp $
#host 10.32.11.11
binddn cn=ldapbd,cn=Users,dc=yourdomain,dc=com
bindpw [see the password doc for the actual password]
scope sub
referrals no
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,nscd,gdm
nss_base_passwd dc=yourdomain,dc=com?sub
nss_base_shadow dc=yourdomain,dc=com?sub
nss_base_group dc=yourdomain,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute uid sAMAccountName
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute sAMAccountName
ssl no
TLS_CACERTDIR /etc/openldap/cacerts
pam_password md5
URI ldap://10.32.11.11/
BASE dc=yourdomain,dc=com

With ssl no, the bind password and every query travel in clear text between client and DC. If the domain controllers have certificates, put the issuing CA certificate in /etc/openldap/cacerts and set ssl start_tls (or pass --enableldaptls to authconfig).
Restrict permissions on ldap.conf so the bind account password is not world-readable:
# chmod go-r /etc/ldap.conf
# ls -l /etc/ldap.conf
-rw------- 1 root root 857 Oct 29 15:56 ldap.conf

Once the file is mode 0600, unprivileged processes can no longer read it and their NSS lookups only succeed through nscd, which runs as root and caches the answers; that is why nscd is started below. The alternative nss_ldap offers is rootbinddn with the password alone in /etc/ldap.secret (mode 0600): root processes, nscd included, bind with it while the rest of ldap.conf stays readable. Since AD does not allow anonymous reads, lookups from unprivileged processes still go through nscd either way.
Modify /etc/pam.d/system-auth

authconfig generates this file; the only hand edit here is the pam_mkhomedir line, which creates the home directory (mode 0700 through umask=0077) on a user's first login and is lost the next time authconfig runs, so re-add it afterwards (later authconfig releases offer --enablemkhomedir for exactly this). In the auth stack, local accounts are tried first (pam_unix), then Kerberos, and the LDAP simple bind is only reached if Kerberos fails; keep that fallback in mind, because with ssl no in ldap.conf a failed Kerberos attempt sends the user's password to the DC in clear text. Password changes go through pam_krb5 (kpasswd); the pam_ldap password line stays commented out because AD only accepts password writes over an encrypted connection.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
#password   sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
Start the nscd and samba services
# service nscd restart ; service smb restart
Troubleshooting

Make sure that you see the AD users:
# getent passwd | grep ldapbd
ldapbd:*:10000:901:ldapbd:/home/ldapbd:/bin/sh

Make sure that you can do an ldapsearch with the bind account (use -W to be prompted for the password instead of leaving it in the shell history and process list with -w):
# ldapsearch -x -LLL -H ldap://10.32.11.11 -D "cn=ldapbd,cn=Users,dc=yourdomain,dc=com" -W -b "cn=Users,dc=yourdomain,dc=com" 'cn=Guest'
$ ldapsearch -x -H ldap://10.32.11.11 -D "cn=ldapbd,cn=Users,dc=yourdomain,dc=com" -W -b "" -s base "objectclass=*"
$ ldapsearch -x -H ldap://10.32.11.11 -D "cn=ldapbd,cn=Users,dc=yourdomain,dc=com" -W -b "dc=yourdomain,dc=com" "sAMAccountName=igor"

The last search uses sAMAccountName: that is where AD keeps the login name (it is what the nss_map_attribute uid sAMAccountName line maps), and a raw uid attribute only exists on accounts whose Services for UNIX attributes have been filled in.
"User unknown" error:
[root@nfs1 ~]# su - igor
id: cannot find name for user ID 1118
id: cannot find name for group ID 571
id: cannot find name for user ID 1118

The login itself succeeded (Kerberos accepted the password), but the numeric uid and gid could not be mapped back to names: nss_ldap on nfs1 had lost its connection to the AD controller, and nscd caches failed lookups as well as successful ones. Restart nscd (or invalidate the tables with nscd -i passwd and nscd -i group) once the DC is reachable again:
# service nscd restart
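The checks below are an added example, not part of the original post: a plain POSIX sh script that audits the four files configured above (/etc/hosts, /etc/ldap.conf, /etc/samba/smb.conf and /etc/pam.d/system-auth) for the mistakes this procedure is most likely to hit: the FQDN sitting on the loopback line, a world-readable bind password, a lower-case realm or missing security = ads, and pam_ldap authentication enabled while ldap.conf has no TLS. Every check takes file paths as arguments, so it can run against copies of the live files or against the constructed samples the script writes itself; the host name smb1.yourdomain.com, the addresses and the sample contents are assumptions taken from the example values on this page.

```shell
#!/bin/sh
# Pre-flight checks for the LDAP + Kerberos client setup on this page.
# Added example, not from the original post. Every check takes file paths,
# so it runs against copies of the real files or the constructed samples
# that make_samples writes (host names and values below are assumptions).

# --- 1. /etc/hosts ---------------------------------------------------------
# `net ads join` derives the servicePrincipalName from the host's FQDN, so
# the FQDN must sit on the line for the real interface address, not on the
# 127.0.0.1 line. Returns 0 when it does.
check_hosts_fqdn() {   # check_hosts_fqdn <hosts-file> <fqdn>
    sed 's/#.*//' "$1" | awk -v fqdn="$2" '
        NF > 1 && $1 !~ /^127\./ && $1 != "::1" {
            for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# --- 2. /etc/ldap.conf -----------------------------------------------------
# nss_ldap keeps the bind password in clear text, so a file that carries a
# bindpw line must not be group- or world-readable (chmod go-r).
check_ldapconf_perms() {   # check_ldapconf_perms <ldap.conf>
    grep -q '^[[:space:]]*bindpw' "$1" || return 0   # no secret in the file
    mode=$(ls -l "$1" | cut -c1-10)                  # e.g. -rw-------
    case "$mode" in
        ????r*|???????r*) return 1 ;;                # group or other can read
    esac
    return 0
}

# --- 3. /etc/samba/smb.conf ------------------------------------------------
# Value of one key in smb.conf (first match, case-insensitive, '=' spacing
# ignored), or nothing if the key is absent.
smb_get() {   # smb_get <smb.conf> <key>
    awk -F= -v k="$2" '
        tolower($1) ~ ("^[ \t]*" k "[ \t]*$") {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}
# An ADS join needs security = ads, a workgroup and an upper-case realm:
# Kerberos realm names are case-sensitive and AD realms are upper case.
check_smbconf() {   # check_smbconf <smb.conf>
    [ "$(smb_get "$1" security)" = "ads" ] || return 1
    [ -n "$(smb_get "$1" workgroup)" ]    || return 1
    realm=$(smb_get "$1" realm)
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# --- 4. system-auth together with ldap.conf --------------------------------
# With "auth sufficient pam_ldap.so" in the stack and no TLS in ldap.conf, a
# user's password falls back to a simple bind over plain ldap:// whenever
# pam_krb5 fails. Pass only if LDAP auth is not used or TLS is turned on.
check_pam_ldap_cleartext() {   # check_pam_ldap_cleartext <system-auth> <ldap.conf>
    grep -q '^[[:space:]]*auth[[:space:]].*pam_ldap\.so' "$1" || return 0
    ssl=$(awk 'tolower($1) == "ssl" { print tolower($2); exit }' "$2")
    case "$ssl" in
        on|yes|start_tls) return 0 ;;
    esac
    return 1
}

# --- Constructed samples (fictitious hosts, credentials and addresses) ------
make_samples() {   # make_samples <dir>
    printf '127.0.0.1 smb1 smb1.yourdomain.com localhost\n10.32.11.34 smb1\n' > "$1/hosts.bad"
    printf '127.0.0.1 localhost\n10.32.11.34 smb1.yourdomain.com smb1\n'       > "$1/hosts.good"
    printf 'binddn cn=ldapbd,cn=Users,dc=yourdomain,dc=com\nbindpw example\nssl no\n' > "$1/ldap.conf"
    chmod 600 "$1/ldap.conf"
    printf '[global]\nworkgroup = YOURDOMAIN\nrealm = YOURDOMAIN.COM\nsecurity = ads\n' > "$1/smb.good"
    printf '[global]\nworkgroup = YOURDOMAIN\nrealm = yourdomain.com\nsecurity = ads\n' > "$1/smb.bad"
    printf 'auth sufficient pam_krb5.so use_first_pass\nauth sufficient pam_ldap.so use_first_pass\n' > "$1/system-auth"
}

# Run the four checks against the "good" samples and report; the return
# value is the number of failed checks (check 4 fails, as with this page's
# own files, because ssl no is combined with pam_ldap authentication).
run_samples() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    fails=0
    for c in "check_hosts_fqdn $d/hosts.good smb1.yourdomain.com" \
             "check_ldapconf_perms $d/ldap.conf" \
             "check_smbconf $d/smb.good" \
             "check_pam_ldap_cleartext $d/system-auth $d/ldap.conf"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fails=$((fails + 1)); fi
    done
    rm -rf "$d"
    return "$fails"
}

run_samples || echo "$? check(s) failed on the samples"
```

Run it as sh adcheck.sh to see the verdicts on the samples; to audit a real client, call the functions with the live paths, e.g. check_hosts_fqdn /etc/hosts "$(hostname -f)" and check_pam_ldap_cleartext /etc/pam.d/system-auth /etc/ldap.conf. Check 4 is the one to watch: it fails for the combination of ssl no and pam_ldap authentication used on this page, because a failed Kerberos attempt then sends the user's password as a simple bind over plain LDAP.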
Below is the Red Hat documentation. My doc above is basically a working example compiled from Red Hat pieces.
<< "Run authconfig" just shows me the usage. >>
I think you are running this on a RHEL 5 machine, and in RHEL 5 you need to use "authconfig-tui". Running only "authconfig" will show you the usage and options.
As you have mentioned, you want to use Active Directory authentication on your RHEL workstation.
There are two ways to accomplish this -
1. Use LDAP + Kerberos
Please check this Kbase article -
Topic: How do I configure Red Hat Enterprise Linux 4 to authenticate against Windows Active Directory using LDAP and Kerberos?
http://kbase.redhat.com/faq/docs/DOC-3639
2. Use Winbind + Kerberos
Topic: What steps do I need to follow to join a Red Hat Enterprise Linux Samba server to an Active Directory domain in security = ADS mode?
http://kbase.redhat.com/faq/docs/DOC-3051
I would like to inform you that Winbind + Kerberos is the recommended method for integration with Windows AD. Although it is possible to authenticate over LDAP, you lose all the cool extra functionality (password changing, single sign-on, etc.) that you get with Kerberos.
From the provided output -
-----
Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain,
-----
Please make sure you have the proper entry in /etc/hosts for the RHEL workstation.
I would recommend that you follow these steps and modify the files (/etc/krb5.conf, /etc/samba/smb.conf) by referring to my files -
1. Take a backup of your current files -
# mkdir /root/backup
# cp /etc/samba/smb.conf /root/backup
# cp /etc/krb5.conf /root/backup
# cp /etc/pam.d/system-auth /root/backup
2. Time should be in sync with the Domain Controller.
3. /etc/samba/smb.conf should have the following entries.
==============================
[global]
workgroup = PNQ
realm = PNQ.REDHAT.COM
log level = 3
syslog = 0
preferred master = no
server string = Linux Test Machine
security = ads
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = yes
winbind nested groups = Yes
idmap uid = 600-20000
idmap gid = 600-20000
;template primary group = "Domain Users"
template shell = /bin/bash
password server = 10.65.6.13
==============================
4. /etc/krb5.conf
==============================
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = PNQ.REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 PNQ.REDHAT.COM = {
  kdc = 10.65.6.13:88
  default_domain = pnq.redhat.com
  admin_server = 10.65.6.13:749
  kdc = 10.65.6.13
 }

[domain_realm]
 .pnq.redhat.com = PNQ.REDHAT.COM
 pnq.redhat.com = PNQ.REDHAT.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
==============================
5. Add the Domain Controller details to /etc/hosts and /etc/resolv.conf
Follow these steps now -
Run this command -
# authconfig-tui
User Information - [*] Use Winbind
Authentication - [*] Use MD5 Passwords [*] Use Shadow Passwords [*] Use Kerberos
>>Next>>
Kerberos Settings
Realm: PNQ.REDHAT.COM (should be in upper case letters)
KDC: 10.65.6.13:88
Admin Server: 10.65.6.13:749
>>Next>>
Winbind Settings
Security Model: (*) ads
Domain: PNQ (NetBIOS name)
Domain Controllers: 10.65.6.13
ADS Realm: PNQ.REDHAT.COM (should be in upper case letters)
Template Shell: (*) /bin/bash
>>Join Domain>>
Administrator Password
Output should be like this -
--------
Using short domain name -- PNQ
Joined 'DHCP6-178' to realm 'PNQ.REDHAT.COM'
setsebool: SELinux is disabled.
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
---------
Now restart winbind and verify -
# wbinfo -t
# wbinfo -g
# wbinfo -u
Once "wbinfo" gives you information about AD users and groups, then check -
# getent passwd
# getent group
You should be able to see AD users and groups.
Now try to log in as an AD user -
# su - <AD user>
Or log in directly on the command line.
If you are still facing a problem, then try these commands, provide us the output and let me know the exact step which is failing.
# net ads join -U Administrator
# net ads info
Winbind caches user IDs when you log in for the first time. Those maps are stored under:
/var/cache/samba/winbindd_*