Install the following packages
yum install pam_krb5 pam_ldap nss-pam-ldapd samba ntp
*If you already have any of these installed, it'll skip them.
First make a backup of the config.
cp /etc/krb5.conf /etc/krb5.conf.bak
</etc/krb5.conf>
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.COM = {
  kdc = DC.DOMAIN.COM
  admin_server = DC.DOMAIN.COM
  kdc = x.x.x.x
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

Again backup the config
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
You can also use system-config-authentication if you have a gui.
</etc/samba/smb.conf>
Note: The workgroup is the leftmost part of the domain name
[global]
 workgroup = DOMAIN
 password server = x.x.x.x
 realm = DOMAIN.COM
 security = ADS
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = No
 winbind separator = +
 idmap config * : backend = autorid
 idmap config * : range = 1000000-19999999
 idmap config * : rangesize = 1000000
 template homedir = /home/%D/%U
 template shell = /bin/bash
*Note*
If you don't want the users to have to type DOMAIN+username, remove the winbind separator line and change winbind use default domain = yes. Then restart smb and winbind.
Again backup the config
cp /etc/nsswitch.conf /etc/nsswitch.conf.bak
</etc/nsswitch.conf>
passwd: files winbind
group: files winbind
shadow: files winbind

Again backup the config
cp /etc/ntp.conf /etc/ntp.conf.bak
</etc/ntp.conf>
Note: 1.1.1.1 is the IP of your server
server 1.1.1.1
Pick one of these ways:
1. authconfig-tui (select Winbind, click ok. Select Use Shadow Passwords, Use Winbind Authentication, Local authorization is sufficient)
2. Create the files manually.
Again backup the config
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
</etc/pam.d/system-auth>
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so difok=4 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 minlen=12 retry=3
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
# umask=0077 keeps newly created home directories private (0644 would leave the directory without execute bits)
session optional pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
</etc/pam.d/sshd>
auth required pam_sepermit.so
auth include password-auth
auth sufficient pam_winbind.so

account required pam_nologin.so
account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

Note: this sshd file includes password-auth, so make the same winbind changes in /etc/pam.d/password-auth that you made in system-auth (authconfig-tui updates both for you).

Edit your /etc/hosts file
</etc/hosts>
1.1.1.1 dc.server.centos.com dc
Restart the following services:
service smb restart
service winbind restart
service sshd restart
service ntpd restart
chkconfig winbind on
*If any of those fail, you have something configured wrong.
Then run (the realm MUST be in all caps): [root@node001 user1]# kinit domainadmin@CENTOS.COM
Confirm the ticket was obtained: [root@node001 user1]# klist
Get the time from the server: [root@node001 user1]# net time
Sync the time from the server (1.1.1.1 is the server from your ntp.conf): [root@node001 user1]# ntpdate -u 1.1.1.1
Then run the following command to join it to the domain.
[root@node001 user1]# net ads join -U domainadmin (replace with your domain admin username)
Run some more tests:
wbinfo -t
wbinfo -u
wbinfo -g
getent passwd
getent group
If any of those fail, something isn't configured correctly.
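To make the "run some more tests" step repeatable (for example after a reboot or a config change), here is a small POSIX shell script that checks the nsswitch.conf lines and runs the same wbinfo/getent commands, reporting which ones fail. This is an added example written for this post, not something from the original walkthrough or from Samba; it assumes the packages and config files described above are in place, and it skips the live checks when wbinfo is not installed.

```shell
#!/bin/sh
# Post-join verification for the winbind/AD setup described in this post.
# Added example (not part of the original post); assumes the nsswitch.conf,
# smb.conf and PAM files from the walkthrough are already in place.

# check_nsswitch FILE: return 0 when the passwd, group and shadow lines
# all list winbind; otherwise print what is missing and return the count.
check_nsswitch() {
  f="${1:-/etc/nsswitch.conf}"
  missing=0
  for db in passwd group shadow; do
    if ! grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$f"; then
      echo "nsswitch: '${db}:' line does not list winbind" >&2
      missing=$((missing + 1))
    fi
  done
  return $missing
}

# run_checks "CMD ARGS" ...: run each command string, print ok/FAIL per
# command, and return the number of commands that exited non-zero.
run_checks() {
  failed=0
  for cmd in "$@"; do
    if sh -c "$cmd" >/dev/null 2>&1; then
      echo "ok:   $cmd"
    else
      echo "FAIL: $cmd" >&2
      failed=$((failed + 1))
    fi
  done
  return $failed
}

# Live checks: only meaningful on a box that actually has winbind installed.
if command -v wbinfo >/dev/null 2>&1; then
  total=0
  check_nsswitch /etc/nsswitch.conf || total=$((total + $?))
  # wbinfo -t checks the machine trust account; -u/-g enumerate domain
  # users/groups; getent confirms NSS is actually resolving through winbind.
  run_checks "wbinfo -t" "wbinfo -u" "wbinfo -g" "getent passwd" "getent group" \
    || total=$((total + $?))
  if [ "$total" -eq 0 ]; then
    echo "all winbind checks passed"
  else
    echo "$total check(s) failed - see the walkthrough for the matching config file" >&2
  fi
fi
```

Run it as root after the `net ads join`; a FAIL on `wbinfo -t` usually points at the join or the Kerberos setup, while a FAIL on `getent` with a working `wbinfo -u` points at nsswitch.conf.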
If you want the domain admins and admins to have privileged access, you need to add this to the bottom of your sudoers file. You may have to overwrite the read-only file to save it (or use visudo, which checks the syntax before saving).
</etc/sudoers> ***NEED TO VERIFY IF THIS STILL WORKS****
[root@node001 user1]# cat /etc/sudoers
%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL
Some great additional troubleshooting commands can be found here -> Link
Also, if you need to find your base DN to locate where your user accounts are stored, I explain how to do that here -> Link
Another great reference is here: Link
If you have a Red Hat Subscription, they provide some good additional information: Link
Integrating Red Hat Enterprise Linux 6 with Active Directory (Last updated 2014): Link
Tested: RHEL 6.4+Windows 2k8 R2, RHEL 6.4+Windows 2k12 R2