Install the following packages
yum install pam_krb5 pam_ldap nss-pam-ldapd samba ntp
*If any of these are already installed, yum will skip them.
First make a backup of the config.
cp /etc/krb5.conf /etc/krb5.conf.bak
</etc/krb5.conf>
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.COM = {
  kdc = DC.DOMAIN.COM
  admin_server = DC.DOMAIN.COM
  kdc = x.x.x.x
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

Again backup the config
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
You can also use system-config-authentication if you have a gui.
</etc/samba/smb.conf>
Note: The workgroup is the leftmost label of the domain (DOMAIN for DOMAIN.COM).
[global]
 workgroup = DOMAIN
 password server = x.x.x.x
 realm = DOMAIN.COM
 security = ADS
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = No
 winbind separator = +
 idmap config * : backend = autorid
 idmap config * : range = 1000000-19999999
 idmap config * : rangesize = 1000000
 template homedir = /home/%D/%U
 template shell = /bin/bash
*Note*
If you don't want users to have to type DOMAIN+username, remove the winbind separator line and change winbind use default domain to yes. Restart smb and winbind afterwards.
Again backup the config
cp /etc/nsswitch.conf /etc/nsswitch.conf.bak
</etc/nsswitch.conf>
passwd: files winbind
group: files winbind
shadow: files winbind

Again backup the config
cp /etc/ntp.conf /etc/ntp.conf.bak
</etc/ntp.conf>
Note: The 1.1.1.1 is the ip of your server
server 1.1.1.1
Pick one of these ways:
1. authconfig-tui (select Winbind, click ok. Select Use Shadow Passwords, Use Winbind Authentication, Local authorization is sufficient)
2. Create the files manually.
Again backup the config
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
</etc/pam.d/system-auth>
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so difok=4 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 minlen=12 retry=3
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
</etc/pam.d/sshd>
auth required pam_sepermit.so
auth include password-auth
auth sufficient pam_winbind.so

account required pam_nologin.so
account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

Edit your /etc/hosts file
</etc/hosts>
1.1.1.1 dc.server.centos.com dc
Restart the following services:
service smb restart
service winbind restart
service sshd restart
service ntpd restart
chkconfig winbind on
*If any of those fail, you have something configured wrong.
Then run: [root@node001 user1]# kinit domainadmin@CENTOS.COM (THE REALM MUST BE IN ALL CAPS!)
Confirm the ticket was obtained: [root@node001 user1]# klist
Get the time from the server: [root@node001 user1]# net time
Sync the time from the server: [root@node001 user1]# ntpdate -u 1.1.1.1 (the NTP server you put in /etc/ntp.conf; ntpdate needs the server as an argument)
Then run the following command to join it to the domain.
[root@node001 user1]# net ads join -U domainadmin (replace with your domain admin username)
Run some more tests:
wbinfo -t
wbinfo -u
wbinfo -g
getent passwd
getent group
If any of those fail, something isn't configured correctly.
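Before running kinit and net ads join, the config files above can be linted for the mistakes this write-up calls out (lower-case realm, workgroup not matching the realm, misspelt rangesize, winbind missing from nsswitch.conf). The following is an added example for this post, not part of the original; it takes the three file paths as arguments and the sample values are the placeholders used above.

```shell
#!/bin/sh
# ad_precheck: lint krb5.conf, smb.conf and nsswitch.conf before joining AD.
# Added example for this write-up; exits 0 only when every check passes.

# ini_get FILE KEY: print the value of "KEY = value" with whitespace trimmed
ini_get() {
  awk -F= -v k="$2" '
    { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
    key == k { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
    END { print v }' "$1"
}

ad_precheck() {
  krb5=$1 smb=$2 nss=$3 rc=0
  realm=$(ini_get "$krb5" default_realm)
  smb_realm=$(ini_get "$smb" realm)
  workgroup=$(ini_get "$smb" workgroup)
  rangesize=$(ini_get "$smb" "idmap config * : rangesize")

  # kinit and the KDC lookup want the Kerberos realm in upper case
  upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
  [ -n "$realm" ] && [ "$realm" = "$upper" ] ||
    { echo "FAIL: default_realm '$realm' must be upper case"; rc=1; }
  # smb.conf realm has to agree with krb5.conf
  [ "$smb_realm" = "$realm" ] ||
    { echo "FAIL: smb.conf realm '$smb_realm' != krb5 realm '$realm'"; rc=1; }
  # workgroup is the leftmost label of the realm (DOMAIN for DOMAIN.COM)
  [ "$workgroup" = "${realm%%.*}" ] ||
    { echo "FAIL: workgroup '$workgroup' should be '${realm%%.*}'"; rc=1; }
  # autorid needs a correctly spelled, numeric rangesize (catches "rngesize")
  case $rangesize in
    ''|*[!0-9]*) echo "FAIL: 'idmap config * : rangesize' missing or not numeric"; rc=1;;
  esac
  # winbind must be consulted for the passwd and group databases
  for db in passwd group; do
    grep -Eq "^$db:[[:space:]].*winbind" "$nss" ||
      { echo "FAIL: nsswitch.conf '$db' does not list winbind"; rc=1; }
  done
  [ $rc -eq 0 ] && echo "OK: krb5/smb/nsswitch settings are consistent"
  return $rc
}

# Run against real files: ./ad_precheck.sh /etc/krb5.conf /etc/samba/smb.conf /etc/nsswitch.conf
if [ $# -eq 3 ]; then ad_precheck "$@"; fi
```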
If you want the domain admins and local administrators to have privileged access, add the following to the bottom of your sudoers file. The file is read-only, so you may have to force the write to save it (visudo edits it in place and checks the syntax before saving).
</etc/sudoers> ***NEED TO VERIFY IF THIS STILL WORKS****
[root@node001 user1]# cat /etc/sudoers
%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL
Some great additional trouble shooting commands can be found here -> Link
Also if you need to find your base dn to locate the group your user accounts are stored, I explain how to do that here -> Link
Another Great reference is here: Link
If you have a Red Hat Subscription, they provide some good additional information: Link
Integrating Red Hat Enterprise Linux 6 with Active Directory (Last updated 2014): Link
Tested: RHEL 6.4+Windows 2k8 R2, RHEL 6.4+Windows 2k12 R2