I’ve been asked to develop an enterprise-level set of network servers providing many services, including mail, FTP, web, file and print serving, backups, roaming profiles and users’ home directories. The client demanded at least one Linux machine regardless of the service running on it.
I decided to run the web server (Apache) on it, together with the FTP server used to manage the web page content, so I had to come up with a way to join the Linux server to the Domain Controller (Windows Server 2003) as a member server.

It is true that any number of Samba servers can normally be set up in a Windows network without joining them to a domain. However, the advantages of domain membership are central management, authentication and single sign-on. So once you have finished all the configuration and successfully joined the server to the DC, you can use the same account name and password to log on to your Linux or Windows machines, and the network administrators will be able to log on to the machine with their administrator credentials.

I googled the web and spent countless hours of trial and error, sweat and tears, configuring it from scraps of information here and there. I found out there are many ways to get the job done, which was an advantage and a disadvantage at the same time, because not all roads lead to Rome in Linux. In the end I came up with the most successful way to do it, as a result of information I gleaned from the Samba documentation, various blogs and dozens of other sources.

Please make a backup of any configuration file before you start changing it, since a mistake here can cause serious authentication problems on your server and you may not be able to log on again if things go wrong.

Pre-requisites:
You need to have the following packages installed before we kick off: Kerberos5, Samba, winbind, OpenLDAP, PAM and nsswitch, as well as ntp.

Steps involved:

  1. Installing required packages
  2. Local server configuration
  3. Synchronising the time between the Domain Controller and the Samba server
  4. Configuring Kerberos
  5. Configuring Samba
  6. Configuring winbind/nsswitch
  7. Setting up PAM authentication for Active Directory
  8. Joining into the domain

Note:

In this tutorial I am going to use a specific domain name and server names for testing and demonstration purposes only; obviously you should use yours:

  • NJ180DEGREE.NET as the domain name
  • SERVER.NJ180DEGREE.NET as the Domain Controller
  • CENT.NJ180DEGREE.NET as the Linux server
  • “AD” and “ad” stand for Active Directory or Domain Controller in this documentation
  • 192.168.100.1 is the IP address of the domain controller and DNS server
  • 192.168.100.200 is the IP address of the CentOS server that needs to be joined to the Domain Controller
  • One more thing: my preferred editor is ‘gedit’.

1. Installing the required packages

If you are not sure whether the necessary packages are installed, just type in a terminal:

# yum install samba krb5-workstation krb5-libs pam_krb5 samba-common ntp

2. Local server configuration

Make sure that the IP addresses of the Linux machine and the Domain Controller are correctly configured, that a DNS server is up and running on your network, and that your local DNS client points to that DNS server. You may check connectivity by pinging the various NICs and IP addresses.

/etc/hosts

Even if the listed DNS servers are perfect in every way, it is a good idea to add important servers to the local /etc/hosts file, so that in case of a DNS failure we can still reach the Domain Controller through this file; this can also speed up name lookups.

Edit the file /etc/hosts using your preferred editor and add the line:

Ip.address.of.ad.domain.controller   youradservername.yourdomainname.local  hostname.of.ad.server

Example (using the addresses listed in the note above):

# gedit /etc/hosts
192.168.100.200   CENT.NJ180DEGREE.NET   CENT
192.168.100.1   SERVER.NJ180DEGREE.NET   SERVER

Save and exit.

/etc/resolv.conf

The resolv.conf file is the resolver configuration file. It configures client-side access to DNS: it defines which name servers to use to resolve host names to IP addresses.

Edit the file /etc/resolv.conf using your preferred editor and add the line:

search    yourdomain.local
nameserver   ip.address.of.ad.domain.dns.server

Save and exit.

Note that this IP address is the domain DNS server’s address, NOT necessarily the Domain Controller’s; however, if the DNS server is set up on your Domain Controller, as in this case, the same IP address should be entered here.

Example:

# gedit /etc/resolv.conf
search NJ180DEGREE.NET
nameserver 192.168.100.1

Tip:

Even if you don’t have a DNS server on your network, you can still achieve the above configuration by modifying the following files:

On Linux side: /etc/hosts

On windows side: %systemroot%\system32\drivers\etc\hosts

3. Time Synchronisation (setting up NTP):

Since Kerberos is time dependent (by default it rejects requests whose timestamps differ from the KDC’s clock by more than five minutes), synchronising time between the Domain Controller and the Linux server is essential. Windows workstations automatically synchronise their clocks with the Active Directory server; to emulate this behaviour on Linux we will use the NTP service.

Open and edit the file /etc/ntp.conf, comment out all existing server lines and add your Active Directory server or a public NTP pool appropriate for your country/locale:

server  youradservername.yourdomainname.local

Example:

# gedit /etc/ntp.conf
server   server.nj180degree.net

Save and exit.
In a terminal window run:

# service ntpd restart

4. Setting up Kerberos /etc/krb5.conf:

Actually you have two ways to configure Kerberos: a GUI one and a manual one. Note that CAPITALS and DOTS (.) are important here: without capitalising the realm names in the realms and domain_realm sections, Kerberos will not be able to connect to the AD server.

GUI method:

  • If you prefer to configure Kerberos through the GUI, click System, select Administration and click Authentication. This will launch the Authentication Configuration window (authconfig).
  • Click the Authentication tab, check “Enable Kerberos Support” and then click on “Configure Kerberos”.
  • In the “Kerberos Settings” window fill in Realm, KDCs and Admin server, where:

Realm: your domain, eg. NJ180DEGREE.NET
KDCs: the Key Distribution Center, which is usually your domain controller, eg. server.nj180degree.net
Admin server: identifies the host where the administration server is running. Typically this is the master Kerberos server, in our case the domain controller, eg. server.nj180degree.net

  • Click OK twice

Manual approach:

Open and edit the file /etc/krb5.conf, copy and paste the following and replace the realm and server entries with the appropriate strings for your domain. DO NOT forget CAPITALIZATION and the dots (.):

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = NJ180DEGREE.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
NJ180DEGREE.NET = {
kdc = server.nj180degree.net
admin_server = server.nj180degree.net
default_domain = nj180degree.net
}

[domain_realm]
.nj180degree.net = NJ180DEGREE.NET
nj180degree.net = NJ180DEGREE.NET

[appdefaults]
pam = {
debug = false
ticket_lifetime = 360000
renew_lifetime = 360000
forwardable = true
krb4_convert = false
}

Now that this is settled, try to connect to the AD server by typing in a terminal:

# kinit Administrator
Password for Administrator

A successful connection produces no output from this command.

Tip:

If you configured Kerberos through the GUI method there is no way to set the default_realm (default_domain). So when you connect to the AD server you have to append @THEREALM.LOCAL to the administrator account, eg.

# kinit Administrator@NJ180DEGREE.NET
Password for Administrator@NJ180DEGREE.NET

You may add the default_domain manually in the appropriate section of /etc/krb5.conf after configuring Kerberos through the GUI.
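Because the capitalisation and dot rules above are easy to get wrong, here is a small check script, added as an example and not taken from the original post, that reads a krb5.conf and verifies that default_realm is upper-case, that a matching [realms] block exists, and that both domain_realm mappings (with and without the leading dot) point at that realm. It assumes the plain "key = value" layout shown above, one setting per line.

```shell
#!/bin/sh
# krb5.conf consistency check for the realm layout used in step 4.
# Added example, not part of the original post.
# Assumes the "key = value" layout shown above (one setting per line).

# _clean FILE: drop comments, blank lines and all whitespace so every
# setting becomes exactly "key=value" (or "REALM={") for simple matching.
_clean() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# _get FILE KEY: first value set for KEY anywhere in FILE.
_get() {
    _clean "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_krb5_conf FILE: return 0 if the realm settings are consistent,
# otherwise print the first problem found and return 1.
check_krb5_conf() {
    f="$1"
    realm=$(_get "$f" default_realm)
    [ -n "$realm" ] || { echo "no default_realm in $f"; return 1; }

    # Kerberos realm names are case-sensitive; AD expects the upper-case form.
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "default_realm must be upper-case: $realm"; return 1; }

    # The [realms] section must define a block for that exact realm name.
    _clean "$f" | grep -qxF "$realm={" \
        || { echo "no [realms] block for $realm"; return 1; }

    # [domain_realm] must map both ".domain" and "domain" (lower-case) to the realm.
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    for d in ".$domain" "$domain"; do
        _clean "$f" | grep -qxF "$d=$realm" \
            || { echo "missing domain_realm mapping: $d = $realm"; return 1; }
    done
    echo "krb5.conf realm settings are consistent for $realm"
}

# Usage: check_krb5_conf /etc/krb5.conf
```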

5. Configuring Samba:

Open and edit /etc/samba/smb.conf; in the [global] section replace the domain-specific values (workgroup, realm and password server) with yours:

[global]
workgroup = NJ180DEGREE
realm = NJ180DEGREE.NET
server string = Samba Server Version %v
preferred master = no

# authenticate against Active Directory (Kerberos) instead of a local password database
encrypt passwords = yes
password server = server.nj180degree.net
security = ads

log level = 3
log file = /var/log/samba/%m
max log size = 50

# UID/GID range that winbind allocates to domain users and groups
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = true
# winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
passdb backend = tdbsam

load printers = yes
printing = cups

Once you have finished the configuration, save and close the file, then restart Samba for the configuration to take effect:

# service smb restart

6. Configuring winbind/nsswitch:

The winbind package is part of the samba-common package. Open and edit the file /etc/nsswitch.conf. This file has various settings depending on your system; however we only need to edit three lines in it:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

Once that is done you are almost there.

7. Setting up PAM authentication for Active Directory:

Well, this step is still confusing me. I have tried different manual PAM configurations provided by different system administrators, yet I couldn’t get the same result with every server; in other words it works sometimes and doesn’t at other times. So I decided to trick “authconfig” into doing the job for me, using the GUI:

  • Click on Administration, then Authentication. This will launch the Authentication Configuration window (authconfig).
  • Click on the Options tab and select the following:

Use shadow passwords
Local authorization is sufficient for local users
Create home directories on the first login

  • The last option generates home directories on the fly when a user first logs in to the Linux machine.

Tip:
About Configuring PAM manually:
- It is very important to back up the /etc/pam.d directory before you start configuring it manually; a failure at this stage can lock you out of the entire machine. You may log in as root on a virtual terminal and leave it logged in until the new configuration has been tested successfully.

- As I mentioned earlier, there is no exact PAM configuration that worked for me everywhere, but the following is the most accurate one that worked for me on several machines; you may use it at your own risk.

- Open and edit the file /etc/pam.d/system-auth and replace its contents with the following:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

# auth: local accounts first, then Kerberos, then winbind (cached logon allowed when the DC is unreachable)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

# account: local users are accepted locally; domain users are validated by pam_krb5/pam_winbind
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

# session: pam_mkhomedir creates the home directory on first login (the authconfig option from step 7)
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

8. Joining into the domain

Once you have finished with the configuration files, it is time to put it all to the test:

- Restart Samba and winbind (either of the following forms works):

# /etc/init.d/winbind restart ; /etc/init.d/smb restart
# service smb restart
# service winbind restart

- Ensure winbind and Samba start in the proper run levels:

# chkconfig --level 345 winbind on
# chkconfig --level 345 smb on

- Add the computer to the domain. You will need an account with domain administrator privileges; then type in a terminal:

# net ads join -U Administrator@THEREALM.LOCAL

This will join the computer to the domain; enter the Administrator password when you are asked to do so, eg.

# net ads join -U administrator@NJ180DEGREE.NET
Administrator's password:
Joined 'CENT' to realm 'NJ180DEGREE.NET'.

- Check winbind through some of these commands, just type in:

  • wbinfo -g (lists groups from the domain)
  • wbinfo -u (lists users from the domain)
  • getent passwd (password list, should retrieve domain users as well)
  • getent group (group list, should retrieve domain groups as well)
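To go a step beyond eyeballing the wbinfo/getent output, here is an added verification script (not part of the original post) that tells domain accounts apart from local ones by the idmap range configured in smb.conf in step 5 (16777216-33554431) and, when the Samba tools are present, runs the live join and trust checks. The file name check_join.sh is hypothetical; on the joined server run it as "sh check_join.sh --run".

```shell
#!/bin/sh
# Post-join verification for the Samba/winbind setup above.
# Added example, not part of the original post. Assumes the idmap range
# 16777216-33554431 from the smb.conf in step 5 and the winbind entries
# in nsswitch.conf from step 6.

IDMAP_LOW=16777216
IDMAP_HIGH=33554431

# in_idmap_range UID: succeed only for a numeric UID inside the winbind
# idmap range, i.e. an account mapped from the domain, not /etc/passwd.
in_idmap_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# domain_users: read passwd-format lines (as printed by "getent passwd")
# on stdin and print only the names that came from winbind.
domain_users() {
    while IFS=: read -r name pw uid rest; do
        if in_idmap_range "$uid"; then printf '%s\n' "$name"; fi
    done
}

# count_domain_users: number of domain accounts in passwd-format input.
count_domain_users() {
    domain_users | wc -l | tr -d ' '
}

# run_checks: the live checks from step 8; only meaningful on the joined
# server, so it refuses to run where the Samba tools are absent.
run_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 1; }
    net ads testjoin || return 1        # is the machine account still valid?
    wbinfo -t || return 1               # does the trust secret with the DC work?
    n=$(getent passwd | count_domain_users)
    echo "domain users visible through nsswitch: $n"
    [ "$n" -gt 0 ]                      # with "winbind enum users = Yes" this must be > 0
}

case "${1:-}" in
    --run) run_checks ;;
esac
```

The uid test works whether or not "winbind use default domain = yes" is set, since only the name format changes, not the allocated uid.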

Finally, open a virtual terminal and try to log on as one of the domain users.

GOOD LUCK you gonna need it.. :)
