
Tuesday, 19 March 2013

Join Redhat 6.2 Server to Active Directory 2008


Windows 2008 Domain Controller
Domain: linad.lan
Name: dc01
IP: 10.10.10.50
User On domain: user1
Linux Client
Server Name: linux01
IP Address: 10.10.10.60

Files that need to be modified (note: two of them, /etc/openldap/ldap.conf and /etc/nslcd.conf, end up holding a directory bind password - keep the one that really needs it root-only readable)
/etc/hosts
/etc/resolv.conf
/etc/samba/smb.conf
/etc/krb5.conf
/etc/nsswitch.conf
/etc/openldap/ldap.conf
/etc/openldap/slapd.conf
/etc/nslcd.conf
/etc/ntp.conf
/etc/pam.d/su
/etc/pam.d/password-auth-ac


#################################################################################################
Hosts File
# vi /etc/hosts
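# Keep the stock "127.0.0.1 localhost ..." and "::1 ..." entries above these.
# Canonical (fully-qualified) name first, short name as an alias: the first
# name is what hostname -f returns and what the host's Kerberos principal and
# the AD machine account are derived from when the box joins the domain.
10.10.10.50  dc01.linad.lan dc01
10.10.10.60  linux01.linad.lan linux01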

#################################################################################################
Resolv.conf File
# vi /etc/resolv.conf
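# "domain" and "search" are mutually exclusive in resolv.conf(5) - the last one
# present wins - so only the search list is kept.
search linad.lan
# AD-integrated DNS is served by the DC. If a second DC exists, list it too:
# with a single nameserver, a DC outage also breaks Kerberos and LDAP lookups.
nameserver 10.10.10.50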
##################################################################################################
Smb.conf File
# vi /etc/samba/smb.conf
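# All of the following are [global] parameters - make sure they land in that
# section and not under an existing share definition.
[global]
workgroup = LINAD
realm = LINAD.LAN
security = ADS
encrypt passwords = yes

# --- ID mapping -------------------------------------------------------------
# Alternative backend (the original comment misspelled the domain as LIAND):
#idmap backend = rid:LINAD=10000-500000
# idmap_ldap allocates UIDs/GIDs as objects in the directory, so it needs a
# writable bind ("ldap admin dn"). Its password is NOT stored in smb.conf - set
# it with:  smbpasswd -w <password>   (kept root-only in secrets.tdb).
# user1 is the interactive "User On domain" from above; a dedicated service
# account with a non-expiring password is the safer choice for this bind.
# NOTE(review): writing idmap objects into AD requires the Samba schema on the
# DC. uidNumber/gidNumber are already populated on the AD users and groups (the
# nslcd filters below rely on that), so idmap_ad or the rid backend may be the
# simpler fit - confirm which one actually works in this domain.
idmap backend = ldap:ldap://dc01.linad.lan
# Protect the admin bind with StartTLS. This is Samba's documented default for
# "ldap ssl"; it is spelled out so a later edit cannot silently downgrade the
# connection to a cleartext simple bind.
ldap ssl = start tls
ldap admin dn = CN=user1,OU=Users,OU=Company,DC=Linad,DC=lan
idmap uid = 10000-500000
idmap gid = 10000-500000

# --- Winbind / account templates --------------------------------------------
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = false
winbind nested groups = yes
# Enumeration lets "getent passwd"/"getent group" list the whole domain. Fine for
# a small domain; expensive on the DC and slow for a large one.
winbind enum groups = yes
winbind enum users = yes

# --- Logging ----------------------------------------------------------------
log level = 1
syslog = 0
log file = /var/log/samba/%m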

####################################################################################################
krb5.conf File
# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

# Client-side defaults used by pam_krb5 and kinit against the AD realm.
[libdefaults]
 default_realm = LINAD.LAN
# Realm and KDC are pinned in [realms] rather than discovered from DNS SRV
# records. That removes a DNS-spoofing avenue but also means a second DC has to
# be added to [realms] by hand for failover.
 dns_lookup_realm = false
 dns_lookup_kdc = false
# Requested lifetimes only; the AD KDC caps them to domain policy (10h TGT by default).
 ticket_lifetime = 24h
 renew_lifetime = 7d
# Forwardable TGTs are what make GSSAPI credential delegation (e.g. ssh -K) work.
# They also let a compromised service host reuse the user's TGT - keep this only
# if delegation is actually needed.
 forwardable = true

[realms]
LINAD.LAN = {
 kdc = dc01.linad.lan
 admin_server = dc01.linad.lan
}

# Maps hostnames in the DNS domain to the realm for service-principal lookups.
[domain_realm]
 .linad.lan = LINAD.LAN
 linad.lan = LINAD.LAN

######################################################################################################
Nsswitch.conf File
# vi /etc/nsswitch.conf
# "ldap" is answered by nslcd (nss-pam-ldapd, configured in /etc/nslcd.conf).
# Local files come first so system accounts keep resolving when the DC is down.
passwd:     files ldap
# shadow stays local on purpose: domain passwords are verified by pam_krb5
# against the KDC, never by reading a password attribute out of AD.
shadow:     files
group:      files ldap

######################################################################################################
ldap.conf File
# vi /etc/openldap/ldap.conf
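# /etc/openldap/ldap.conf holds libldap *client defaults* and is world-readable
# (0644). libldap only acts on directives such as URI, BASE and TLS_*; the
# nss_ldap/pam_ldap keywords that used to be in this block (bindpw, rootbinddn,
# scope, bind_policy, nss_base_*, nss_map_*) are not honoured here, and binddn is
# only read from per-user ~/.ldaprc files. A bind password in this file is
# therefore readable by every local user for no benefit at all. On this host the
# AD lookups go through nslcd, and /etc/nslcd.conf already carries the
# equivalent filters/maps together with root-only bind credentials.
# The deprecated "host 10.10.10.50" line duplicated URI and was dropped.
URI     ldap://dc01.linad.lan
BASE    dc=Linad,dc=lan
# Certificate checking for any client that uses ldaps:// or StartTLS
# (e.g. ldapsearch -ZZ). Place the DC's issuing CA certificate in this directory
# and run cacertdir_rehash on it; "demand" refuses to talk to a DC whose
# certificate cannot be verified.
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand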
########################################################################################################
slapd.conf File
# vi /etc/openldap/slapd.conf
# NOTE(review): slapd.conf configures a local OpenLDAP *server*. Nothing on this
# page starts slapd (the services listed as required are nslcd and smb), so these
# directives have no effect on the AD join itself. They would only matter if
# idmap_ldap were pointed at a local OpenLDAP holding the Samba schema instead of
# at the DC - confirm whether that was the intent; otherwise this file can be
# dropped from the list of files to modify.
include         /etc/openldap/schema/samba.schema
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
#########################################################################################################
nslcd.conf File
# vi /etc/nslcd.conf
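# This file holds a directory bind password: it must be owned by root with mode
# 0600 (nslcd reads it as root before dropping to its own user).
#   chown root:root /etc/nslcd.conf && chmod 0600 /etc/nslcd.conf
# Use the DC's hostname rather than its IP - the name has to match the DC's
# certificate once TLS is on.
uri ldap://dc01.linad.lan/
# A simple bind sends the password in cleartext. Upgrade the connection with
# StartTLS and insist on a verifiable DC certificate (drop the issuing CA into
# tls_cacertdir and run cacertdir_rehash). An AD DC only offers LDAP over TLS
# once it has a server certificate, e.g. issued by AD Certificate Services.
ssl start_tls
tls_reqcert demand
tls_cacertdir /etc/openldap/cacerts
base dc=linad,dc=lan
# user1 is the interactive "User On domain" account. Prefer a dedicated
# read-only service account with a non-expiring password: a password change or
# lockout on a person's account otherwise breaks logins on every joined host.
binddn CN=user1,OU=Users,OU=Company,DC=Linad,DC=lan
bindpw <password>
base   group  OU=Groups,OU=Company,DC=Linad,DC=lan
base   passwd OU=Users,OU=Company,DC=Linad,DC=lan
# Mappings for Active Directory
# AD caps result pages at 1000 entries and hands out referrals to other
# partitions that nslcd should not chase.
pagesize 1000
referrals off
# Only real user objects that have been given POSIX attributes become Unix users.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)
map    group  uniqueMember     member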
###########################################################################################################
ntp.conf File
# vi /etc/ntp.conf
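# Keep the stock restrict lines. On a stock RHEL 6 ntp.conf the default policy is
# typically "restrict default kod nomodify notrap nopeer noquery", and the
# "restrict 127.0.0.1" line is what still lets ntpq/ntpdc work from the local
# host - commenting it out, as the original suggested, loses that for nothing.
# Kerberos (and therefore the AD join and every domain login) fails once the
# clock is more than 5 minutes off the DC, so the DC is the right time source.
server dc01.linad.lan iburst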
###########################################################################################################
su File
# vi /etc/pam.d/su
#%PAM-1.0
# Stock RHEL 6 su stack. Authentication is delegated to password-auth, so the
# decisions made in password-auth-ac (nullok, hash algorithm, pam_krb5) apply to
# su as well.
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
# NOTE(review): do not enable the "trust" variant - it grants root without a password.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# Once domain users can log in, restricting su to wheel stops every AD account
# from being able to guess at root's password.
#auth           required        pam_wheel.so use_uid
auth            include         password-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         password-auth
password        include         password-auth
session         include         password-auth
session         optional        pam_xauth.so
############################################################################################################
password-auth-ac File
# vi /etc/pam.d/password-auth-ac
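#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# To keep hand edits: copy this file to /etc/pam.d/password-auth-local and point
# the /etc/pam.d/password-auth symlink at it, or express the changes as
# authconfig options (e.g. --enablekrb5 --passalgo=sha512) so they survive.
auth        required      pam_env.so
# nullok removed: password-auth is used by network services such as sshd, and a
# blank-password local account must not be able to authenticate over them.
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet

# Domain users authenticate against the AD KDC from krb5.conf; winbind is not used.
#auth        sufficient    pam_winbind.so  use_first_pass
auth        sufficient    pam_krb5.so  use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet

#account   [default=bad success=ok user_unknown=ignore] pam_winbind.so
# user_unknown=ignore: a purely local user is not rejected for lacking a principal.
account   [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
# sha512 instead of md5: md5crypt is cheap to brute-force offline.
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
#password   sufficient     pam_winbind.so use_authtok
password   sufficient     pam_krb5.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# umask=0077 so home directories created for domain users are private, not 0755.
# With SELinux enforcing, the oddjob variant (pam_oddjob_mkhomedir with oddjobd
# running) is the supported way to create them; it was left as an alternative.
#session            required      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session    required      pam_mkhomedir.so skel=/etc/skel umask=0077
# NOTE(review): authconfig-generated krb5 stacks usually also carry
# "session optional pam_krb5.so" for credential-cache handling - confirm whether
# its absence here is deliberate.
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so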

Services which must be running
nslcd
smb
ntpd (it is configured in ntp.conf above but never enabled; Kerberos rejects tickets once the clock drifts more than 5 minutes from the DC, so the daily ntpdate cron alone is not enough)

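# chkconfig --level 35 nslcd on
# chkconfig --level 35 smb on
# chkconfig --level 35 ntpd on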

Crontab
# crontab -e
# Daily one-shot time step against the DC: -s logs to syslog, -p 8 takes eight
# samples, -u uses an unprivileged source port so it can coexist with a running
# ntpd. This is not a substitute for ntpd: Kerberos needs the clock within
# 5 minutes of the DC at all times, and a daily step can leave a drifting clock
# outside that window for most of the day.
0 2 * * * /usr/sbin/ntpdate -s -p 8 -u 10.10.10.50


I hope you enjoy it. This gave me a few headaches. I will tidy it up later and also post the Windows 2008 side.

By Renato de Oliveira

Thursday, 28 February 2013

Setup a Redhat Kickstart Server


During the Data Centre project, I had to install and configure quite a few Linux servers, and to make my life easier I configured a Redhat kickstart server.
What this server does is allow you to automate the install of multiple servers and replicate the same configuration multiple times. This will make your life much easier - and it also means any weak setting baked into the kickstart file lands on every server you build, so review it with that in mind.

If you get your kickstart server right, in the end you will need to make very few changes to all servers, thus reducing your support time and manual errors.

The first thing is to install a Linux server. It can be CentOS or Redhat. I'll use CentOS so I don't need to buy a Redhat license.

I am going to describe first how to setup a kickstart using Apache to install servers using HTTP.

Once the server is fully up and running:

Necessary Software:
  • Apache (httpd package)
  • nfs-utils-lib
  • nfs-utils
  • nfs-utils-lib-devel
Step by Step
1. Create an Apache Virtual Host
# vi /etc/httpd/conf.d/kickstart.conf
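# Replace 172.16.180.222 with the kickstart server's IP. The reminders used to
# sit inline after each directive; Apache does not accept trailing comments, so
# pasting that form breaks the config - they live on their own lines here.
NameVirtualHost 172.16.180.222
<VirtualHost 172.16.180.222>
        ServerName 172.16.180.222
        DocumentRoot /var/www/data/
</VirtualHost>
# ks.cfg under /install carries the root password hash for every host built
# from it. Do not publish it to the whole network: allow only the subnet the
# installs boot from (adjust the CIDR to your install VLAN). Directory indexes
# are not needed by anaconda and only make the tree easier to enumerate;
# re-enable with +Indexes if you really need to browse it.
# The mounted ISO under /var/www/data/source is served by the same vhost; add a
# matching <Directory> block if you want it restricted in the same way.
<Directory /var/www/data/install>
   Options -Indexes
   AllowOverride AuthConfig
   Order allow,deny
   Allow from 172.16.180.0/24
</Directory>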


2. Restart Apache
# service httpd restart

3. Create kickstart folder structure
# mkdir -p /var/www/data/install/RPM
# mkdir -p /var/www/data/source
# mkdir -p /var/www/data/ISO
4. Download the CentOS ISO image and verify it. The mirror is plain HTTP, so check the image against the GPG-signed checksum file before it becomes the source for every server you build (import the CentOS 6 signing key first so gpg --verify can succeed).
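# cd /var/www/data/ISO
# wget http://mirrors.coreix.net/centos/6.3/isos/x86_64/CentOS-6.3-x86_64-bin-DVD1.iso
# wget http://mirrors.coreix.net/centos/6.3/isos/x86_64/sha256sum.txt.asc
# gpg --verify sha256sum.txt.asc
# grep DVD1.iso sha256sum.txt.asc | sha256sum -c -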

5. Mount the Centos ISO image
# mount -o loop /var/www/data/ISO/CentOS-6.3-x86_64-bin-DVD1.iso /var/www/data/source

Note: to make this change permanent, you need to edit /etc/fstab
# vi /etc/fstab
add the line below
 /var/www/data/install/ISO/CentOS-6.0-x86_64-bin-DVD1.iso /var/www/data/install/source/ iso9660 loop 0 0
6. Create the Kickstart script:
# vi /var/www/data/install/ks.cfg
add the lines below

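# Kickstart generated by Renato de Oliveira
# Everything below is applied identically to every server built from this file;
# the security-relevant settings (root password, firewall, SELinux, hashing)
# deserve a review before each reuse.
install
# Syntax is "url --url=<install tree>". The tree is the mounted DVD, which
# step 5 places under /var/www/data/source (DocumentRoot is /var/www/data), so
# it is served at /source/ - ks.cfg itself lives under /install/.
url --url=http://172.16.180.222/source/
lang en_US.UTF-8
keyboard uk
network --device eth0 --bootproto dhcp
# --iscrypted expects a crypt(3) hash; the original value was not one. Generate
# it with  grub-crypt --sha-512  (or openssl passwd -1 for md5crypt) and paste
# it here. Remember that this one root password lands on every host built from
# this file and that ks.cfg is fetched over plain HTTP - rotate root passwords
# after the install rather than living with a fleet-wide shared secret.
rootpw --iscrypted <crypt-hash>
# Ship with the host firewall and SELinux on. Open ports per role instead of
# disabling the firewall fleet-wide (e.g. --port=445:tcp if this host serves
# Samba shares).
firewall --enabled --ssh
# sha512 password hashing instead of md5.
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/London
# Optional hardening: bootloader --password=<hash> stops console users from
# editing kernel arguments (e.g. booting single-user).
bootloader --location=mbr --driveorder=sda
# Wipes sda without confirmation - only boot this kickstart on hosts you intend to rebuild.
clearpart --all --drives=sda

part /boot --fstype ext3 --size=150
part swap --size=10000


part pv.01 --size=15000
volgroup vg_root pv.01
logvol  /  --vgname=vg_root  --size=12000  --name=lv0_root

part pv.02 --size=120000
volgroup vg_local pv.02
logvol /local --vgname=vg_local --size=110000 --name=lv0_local

part pv.03 --size=5000
volgroup vg_afscache pv.03
logvol /local/afs.cache --vgname=vg_afscache --size=4000 --name=lv0_afscache

# Separate volumes for /var/log, /var/tmp and /tmp keep a log flood or a
# tmp-filling process from exhausting the root filesystem.
part pv.04 --size=5000
volgroup vg_log pv.04
logvol /var/log --vgname=vg_log --size=4000 --name=lv0_log

part pv.05 --size=5000
volgroup vg_lvvartmp pv.05
logvol /var/tmp --vgname=vg_lvvartmp --size=4000 --name=lv0_vartmp

part pv.06 --size=5000
volgroup vg_lvtmp pv.06
logvol /tmp --vgname=vg_lvtmp --size=4000 --name=lv0_tmp


%packages
@core

# Desktop groups add a lot of attack surface on a server; drop them unless a GUI is required.
@ X Window System
@ Desktop
@ Sound and Video

bzip2
bash
wget
# The chkconfig calls in %post need these installed; @core does not pull them in.
samba
nss-pam-ldapd
ntp
pam_krb5
krb5-workstation
%end

%post --log=/root/ks-post.log
# Turn services off
chkconfig  --level 2345 atd off
chkconfig  --level 2345 bluetooth off
chkconfig  --level 2345 cups off
chkconfig  --level 2345 gpm off
chkconfig --level 2345 NetworkManager off
chkconfig --level 2345 avahi-daemon off
chkconfig --level 2345 mcelogd off
# iptables/ip6tables stay enabled (see "firewall --enabled" above).
# The original turned postfix off here and on again below; the later line won,
# so only the "on" is kept. On RHEL 6 postfix listens on loopback only by default.

# Turn necessary services on
chkconfig --level 2345 smb on
chkconfig --level 2345 nslcd on
chkconfig --level 2345 ntpd on
chkconfig --level 2345 postfix on
%end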


Note: Save the file and you are almost ready.

Assuming we will use a physical server to install Redhat on.

7. Write the ISO DVD to a DVD media

8. Boot the server to be installed with the DVD image you just created.
At boot time type:
linux ks=http://172.16.180.222/install/ks.cfg

 That should give you a fully installed server. Bear in mind that the kickstart file is fetched over unauthenticated HTTP and contains the root password hash: anyone on the install network who can intercept or spoof that request can read the hash or feed the installer a different ks.cfg and control the resulting build, so keep installs on a trusted network segment.

If you want to customise the kickstart, there are many options you can use to automate the install.
 


by Renato de Oliveira