Linux Active Directory HOWTO

Note

Joining the domain during installation seems to work pretty well

Active Directory

Time sync

First install ntp and set it to sync with the domain controllers.

yum install ntp

Edit /etc/ntp.conf and look for the lines beginning with server. Change the server to the domain controller's IP address.

server 192.168.0.18

Stop the server if it is running

/etc/init.d/ntp stop

Now run the time sync manually

ntpdate 192.168.0.18

and start the server

/etc/init.d/ntp start

Samba

In order to manage user access to the box it can be added to the domain. This will require adding the samba packages to the system if they are not already installed.

RedHat/CentOS

yum install samba samba-common samba-client

Debian/Ubuntu

apt-get install samba winbind krb5-user

It's probably a good idea to back up everything in /etc before configuring anything else, in case something goes wrong.

Edit /etc/samba/smb.conf and add lines to turn off master browser elections. You can put these next to the example lines if they exist:

domain master = no
local master = no
preferred master = no

/etc/hosts

Make sure that the domain controller is in /etc/hosts. Also make sure the short version of the hostname is listed here, even if it is only in the localhost line. I use myserver in this example. If setting up a dev server use myserver-dev.

127.0.0.1       localhost.localdomain   localhost myserver.domain.com myserver
::1           localhost6.localdomain6 localhost6
192.168.0.18  ad01.domain.com

Authentication Configuration

Redhat/CentOS

At a shell prompt type setup and choose Authentication Configuration. The next dialog should look like this:

[ ] Cache Information   [*] Use MD5 Passwords
[ ] Use Hesiod          [*] Use Shadow Passwords
[ ] Use LDAP            [ ] Use LDAP Authentication
[ ] Use NIS             [*] Use Kerberos
[*] Use Winbind         [ ] Use SMB Authentication
                        [*] Use Winbind Authentication
                        [ ] Local authorization is sufficient 

Debian/Ubuntu

You might have to manually set up the lines for pam that get done automatically on RedHat.

pam.d/common-account

account    sufficient   /lib/security/pam_winbind.so
account required        pam_unix.so

pam.d/common-auth

auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth    optional        pam_smbpass.so migrate missingok
auth       required     /lib/security/pam_nologin.so

pam.d/common-session

session required        pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/nsswitch.conf

Change these lines

passwd:         compat winbind
group:          compat winbind

Kerberos Settings

Redhat/CentOS

Realm: DOMAIN.COM___________________ 
KDC: ad01.domain.com___________ 
Admin Server: ad01.domain.com___________                                                                                    
            [*] Use DNS to resolve hosts to realms
            [*] Use DNS to locate KDCs for realms

Debian/Ubuntu

The package will ask you for this info when it is installed. If not, edit /etc/krb5.conf and edit/add these sections:

[libdefaults]
       default_realm = DOMAIN.COM
[realms]
       DOMAIN.COM = {
               kdc = ad01.domain.com
               admin_server = ad01.domain.com
       }

Winbind Settings

Redhat/CentOS

Security Model: (*) ads                                                         
                ( ) domain
Domain: DOMAIN_______________________________                               
Domain Controllers: ad01.domain.com___________
ADS Realm: DOMAIN.COM___________________
Template Shell: ( ) /bin/false
                ( ) /sbin/nologin
                (*) /bin/sh

Try joining the domain with the Join Domain button. It will prompt you for a username and password; you need to use a domain user that has authority to join a machine to the domain. If it fails, see the next section.

Choose OK, and OK again to exit the setup dialog.

Debian/Ubuntu

Edit /etc/samba/smb.conf. Look for these lines, or add them if missing:

[global] 
realm = REALMNAME
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
workgroup = CSCDOMAIN
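Before running net ads join it is worth confirming that the smb.conf settings from the Samba section (the three master browser lines) and the Winbind section above are actually present. The following is an added example, not part of the original HOWTO: a small POSIX sh checker that reads the "key = value" lines of an smb.conf and reports anything missing. The sample file is constructed here; on a real box point check_smb_conf at /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example (not from the original HOWTO). Constructed sample smb.conf
# containing the settings this page asks for; the real file is /etc/samba/smb.conf.
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
   workgroup = CSCDOMAIN
   realm = DOMAIN.COM
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   winbind use default domain = yes
   domain master = no
   local master = no
   preferred master = no
EOF

# smb_get FILE KEY: print the value of KEY (case-insensitive, surrounding
# whitespace ignored), or nothing if the key is not set. Comment lines
# starting with ';' or '#' are skipped.
smb_get() {
    awk -v key="$2" -F= '
        /^[[:space:]]*[;#]/ { next }
        NF >= 2 {
            k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == tolower(key)) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# check_smb_conf FILE: returns 0 when the settings needed for an ADS join
# are present and sane, 1 otherwise, printing each problem found.
check_smb_conf() {
    f=$1; rc=0
    [ "$(smb_get "$f" security)" = "ads" ] || { echo "security must be ads"; rc=1; }
    case "$(smb_get "$f" realm)" in
        "")          echo "realm is missing"; rc=1 ;;
        *[[:lower:]]*) echo "realm should be upper case (Kerberos realm)"; rc=1 ;;
    esac
    [ -n "$(smb_get "$f" workgroup)" ] || { echo "workgroup is missing"; rc=1; }
    # Master browser elections must be off on a domain member.
    for m in "domain master" "local master" "preferred master"; do
        [ "$(smb_get "$f" "$m")" = "no" ] || { echo "$m should be no"; rc=1; }
    done
    return $rc
}

check_smb_conf "$SAMPLE_SMB_CONF" && echo "smb.conf looks ready for net ads join"
```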

Join the Domain

If joining the domain failed, try typing at the prompt:

RedHat/CentOS

/usr/bin/net join -w CSCDOMAIN -U <username>
or /usr/bin/net join -w CSCDOMAIN -S ad01.domain.com -U <username>

Debian/Ubuntu

/usr/bin/net ads join -w CSCDOMAIN -U <username>
or /usr/bin/net ads join -w CSCDOMAIN -S ad01.domain.com -U <username>

where <username> is your user (don't put the angle brackets). Using the domain administrator works best. (need to test this theory)

If you need to add a system with the same NetBIOS name use the -n option. It may say that it fails but it seems to work in spite of this message.

/usr/bin/net join -w CSCDOMAIN -U <username> -n foo.dev

Restart winbind

service winbind restart

SELinux

SELinux may be preventing things from working, so check /var/log/messages for errors. You may need to allow winbind by changing a few settings.

If winbind is not working you may not have joined the domain. Try again as the domain administrator. If that does not work you can set this boolean:

setsebool -P winbind_disable_trans 1

If the errors are about the 'secrets.tdb' file, edit /etc/samba/smb.conf to add this line:

private dir = /var/cache/samba/winbindd_privileged

Testing

Watch the logfiles for information while you test.

tail -f /var/log/messages

Get a list of users

wbinfo -u

and a list of groups

wbinfo -g

If those lists do not have domain users and domain groups something is not working.

Get a Kerberos ticket with kinit and a domain user.

kinit <user>

Type the password for the user and check with klist:

klist

You should see information about tickets being issued.

I find the getent stuff does not work easily and may require ldap setup. Now test with getent.

getent passwd administrator
getent group "domain users"

Try connecting to the box with a domain user

username: cscdomain\jtmoree
password: ******

User home dirs

If you want users to have a home directory when they access this box you need to have it created automatically. Edit the file /etc/pam.d/system-auth. Add this line

session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

to the end of the file. You may want to put it above the optional lines, like this:

session     required      /lib/security/$ISA/pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      /lib/security/$ISA/pam_krb5.so

Default Domain

When you connect to the system as a domain user you must put the domain before the user with a backslash. If you don't want the user to have to type the domain this option can be configured in /etc/samba/smb.conf

winbind use default domain = yes