Linux systems can
be authenticated with Windows Active Directory. Here I define the exact steps
for configuring Linux servers with Active Directory. Here I am using “example.com”
domain name and “dc01.example.com” hostname of Active Directory Server.
Follow the
following steps to integrate Linux system with Active Directory. In this
scenario Linux systems will be authenticated by AD domain users.
- On
Linux machine configure hosts file to enter the AD domain server entry to
resolve their name.
#vim /etc/hosts
10.226.1.1 dc01 dc01.example.com
2. /etc/resolv.conf
Search example.com
nameserver
10.226.1.1
- Configure
the NTP on Linux Server.
Open file /etc/ntp.conf
and make following entry.
#vim /etc/ntp.conf
server 10.226.1.1
restrict 10.226.1.1
mask 255.255.255.255 nomodify notrap noquery
- Restart
NTP Service.
#service ntpd
restart
#chkconfig ntpd on
- KERBROS
CONFIGURATION
: (/etc/krb5.conf)
Remove all entries in /etc/krb5.conf and add following entries in this
file.
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = dc01.example.com
kdc = *
admin_server = dc01.example.com
kdc = EXAMPLE.COM
}
[domain_realm]
example.com = example.com
.example.com = example.com
[appdefaults]
pam = {
ticket_lifetime =
36000
renew_lifetime = 36000
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/kdc.log
admin_server =
FILE:/var/log/kadmind.log
- Verify
your Kerberos configuration by trying to get a Kerberos ticket for an
Active Directory user.
# kinit <username>@EXAMPLE.COM
Password for <username>@EXAMPLE.COM:
# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <username>@EXAMPLE.COM
Valid starting Expires Service principal
11/07/06 13:58:31 11/07/06
23:58:31 krbtgt/ EXAMPLE.COM @ EXAMPLE.COM
Note: It's
very important that the kerberos domain is specified using ALL-UPPERCASE characters. After the test, destroy the ticket by running
the kdestroy command.
- SMB
Configuration: (/etc/samba/smb.conf)
Add the following
steps in /etc/samba/smb.conf file to communicate with AD using winbind.
[global]
workgroup = EXAMPLE
password server = EXAMPLE.COM
realm = EXAMPLE.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
encrypt passwords = true
idmap backend = rid
passdb backend = tdbsam
Except these entries comment out all other parameters.
- JOIN to
Domain:
Join the Linux
System using Administrator password of AD.
# net ads join -U Administrator
Administrator's password:
Using short domain name -- EXAMPLE
Joined 'SystemName' to
realm 'EXAMPLE.COM'
NOTE: # net ads join –U Administrator –d 10
The above cmd will display
the configuring procedure (verbose mode).
- NSSWITCH
Configuration
Configure the Name Service Switch
library by editing /etc/nsswitch.conf. The lines beginning with passwd:
and group: needs to be changed
into the following:
passwd: files winbind
shadow: files winbind
group: files winbind
Verify that you can do lookups for
single AD users and groups using the getent command as below:
# getent passwd <username>
testuser:x:12580:10000:testuser:/home/DOMAIN/<username>:/bin/bash
# getent group <username>
<groupname>:x:10222:<username>
If wbinfo -g and wbinfo -u works, but getent passwd <username> and/or getent group <username> fails to produce expected results, the problem is probably located in the NSS library rather than in the Winbind setup.
9.
Restart Winbind Service on Linux Server
# /etc/init.d/winbind
restart
# chkconfig winbind on
- Check the AD Integration with
Linux is ok.
# net ads testjoin
Join is OK
# wbinfo –t
It will test the trust relationship between the machine and the domain
# wbinfo -u
wbinfo -u should return a list of users from your domain
# wbinfo -g
wbinfo -g should return a list of groups from your domain
- PAM
Configuration
The Pluggable Authentication
Modules (PAM) subsystem must now be configured to allow users to authenticate
to Active Directory. Common to most Linux distributions is that the configuration
files for PAM reside in the directory /etc/pam.d./system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad
success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so md5 shadow nullok
try_first_pass use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel
umask=0022
session [success=1
default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
No comments:
Post a Comment