Tuesday 19 March 2013

Join Redhat 6.2 Server to Active Directory 2008

Join Redhat 6.2 Server to Active Directory 2008

Windows 2008 Domain Controller
Domain: linad.lan
Name: dc01
IP: 10.10.10.50
User On domain: user1
Linux Client
Server Name: linux01
IP Address: 10.10.10.60

Files need to e modified
/etc/hosts
/etc/resolv.conf
/etc/samba/smb.conf
/etc/krb5.conf
/etc/nsswitch.conf
/etc/openldap/ldap.conf
/etc/openldap/slapd.conf
/etc/nslcd.conf
/etc/ntp.conf
/etc/pam.d/su
/etc/pam.d/password-auth-ac

#################################################################################################
Hosts File
# vi /etc/hosts
10.10.10.50  dc01 dc01.linad.lan
10.10.10.60  linux01.linad.lan
#################################################################################################
Resolv.conf File
# vi /etc/resolv.conf
domain linad.lan
search linad.lan
nameserver 10.10.10.50
##################################################################################################
Smb.conf File
# vi /etc/samba/smb.conf
workgroup = LINAD
realm = LINAD.LAN
security = ADS
#idmap backend = rid:LIAND=10000-500000
idmap backend = ldap:ldap://dc01.linad.lan
ldap admin dn = CN=user1,OU=Users,OU=Company,DC=Linad,DC=lan
idmap uid = 10000-500000
idmap gid = 10000-500000
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nested groups = yes
encrypt passwords = yes
template homedir = /home/%U
winbind enum groups = yes
winbind enum users = yes
log level = 1
syslog = 0
log file=/var/log/samba/%m
####################################################################################################
krb5.conf File
# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = LINAD.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
LINAD.LAN = {
 kdc = dc01.linad.lan
 admin_server = dc01.linad.lan
}
[domain_realm]
 .linad.lan = LINAD.LAN
 linad.lan = LINAD.LAN
######################################################################################################
Nsswitch.conf File
# vi /etc/nsswitch.conf
passwd:     files ldap
shadow:     files
group:      files ldap
######################################################################################################
ldap.conf File
# vi /etc/openldap/ldap.conf
URI     ldap://dc01.linad.lan
host 10.10.10.50
BASE    dc=Linad,dc=lan
binddn  CN=user1,OU=Users,OU=Company,DC=Linad,DC=lan
bindpw <password>
rootbinddn  CN=user1,OU=Users,OU=Company,DC=Linad,DC=lan
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERTDIR /etc/openldap/cacerts
scope sub
bind_policy soft
nss_base_passwd        OU=Users,OU=Company,DC=Linad,DC=lan
nss_base_shadow        OU=Users,OU=Company,DC=Linad,DC=lan
nss_base_group        OU=Groups,OU=Company,DC=Linad,DC=lan?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute givenname givenname
nss_map_attribute ou description
nss_map_attribute gecos displayName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
nss_map_attribute shadowLastChange pwdLastSet
########################################################################################################
slapd.conf File
# vi /etc/openldap/slapd.conf
include         /etc/openldap/schema/samba.schema
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
#########################################################################################################
nslcd.conf File
# vi /etc/nslcd.conf
uri ldap://10.10.10.50/
base dc=linad,dc=lan
binddn  CN=user1,OU=Users,OU=Company,DC=Linad,DC=lan
bindpw Password123
base   group  OU=Groups,OU=Company,DC=Linad,DC=lan
base   passwd OU=Users,OU=Company,DC=Linad,DC=lan
# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)
map    group  uniqueMember     member
###########################################################################################################
ntp.conf File
# vi /etc/ntp.conf
#restrict 127.0.0.1 (comment it out)
server dc01.linad.lan
###########################################################################################################
su File
# vi /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         password-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         password-auth
password        include         password-auth
session         include         password-auth
session         optional        pam_xauth.so
############################################################################################################
password-auth-ac File
# vi /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet

#auth        sufficient    pam_winbind.so  use_first_pass
auth        sufficient    pam_krb5.so  use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet

#account   [default=bad success=ok user_unknown=ignore] pam_winbind.so
account   [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password   sufficient     pam_winbind.so use_authtok
password   sufficient     pam_krb5.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
#session            required      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session    required      pam_mkhomedir.so skel=/etc/skel umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Services which must to be running
nslcd
smb

# chkconfig --level 35 nslcd on
# chkconfig --level 35 smb on

Crontab
# crontab -e
0 2 * * * /usr/sbin/ntpdate -s -p 8 -u 10.10.10.50


I hope you enjoy it. This gave me a few head aches. I will tidy it up later and also post the Windows 2008 side.

By Renato de Oliveira
Posted by at
Labels: , , , ,
Location: Cambridge, Cambridgeshire CB3, UK

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)