Monday, June 16, 2008

GNU/Linux as an ADC member

Configuring GNU/Linux as an active directory member:
-----------------------------------------------------------------------------
This time we are doing the reverse of what we did in the last blog: adding a GNU/Linux machine (RHEL 5.0) to a Win 2k3 Domain Controller.

Configure a M$ Windows 2003 Server as a Domain Controller (DC)
for the domain JOINME.COM. The Active Directory server name is ads.joinme.com with an IP address of 172.24.10.1.
Note: An Active Directory howto can be found here.
The Samba member machine is RHEL 5.0 with SELinux in permissive mode.

To readers: all commands starting with # are run as the root user, and lines starting with ; are comments inside the configuration files.

#vim /etc/samba/smb.conf
;for better performance add this
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

;name of the domain we want to join
workgroup = JOINME
server string = Member of JOINME.COM

;this samba server is not the local master browser
;for the subnet. local master browser stores all the
;NetBIOS names of all other machines in the subnet.
local master = no

;this server does not act as a Domain Master Browser too.
;DMB stores the NetBIOS names of all
;machines in the network. DMB collates
;browselists from all local master browsers.
domain master = no

;never force an election on startup of the
;machine to become local/domain master browser.
preferred master = no

;do not act as a wins server. Let some other host take up that burden.
wins support = no

;then who is the WINS Server?
wins server = 172.24.10.1

;never try DNS queries when an unregistered NetBIOS name has been found.
dns proxy = no

;the kerberos realm to use
realm = JOINME.COM

;make this machine a member of domain
;in an ADS realm. Kerberos should be installed
;and properly configured.
;join to ADS using the 'net' command
security = ADS

;do username/password validation using the ADS
password server = 172.24.10.1

;the separator to be used between the
;domain name and the username.
;used in conjunction with pam_winbind.so
winbind separator = +

;winbind should operate without domain component.
;JOINME/mj0vy should be treated as mj0vy.
winbind use default domain = yes

;userid/grpid allocation for mapping
;windows SIDs to unix userids/grpids
idmap uid = 27000-33000
idmap gid = 27000-33000

;do not know why these parameters are used. Will do some
;R&D and come up with the solution soon.
;(they let winbindd enumerate all domain users and groups, which is
;what makes 'getent passwd' and 'getent group' list them later on)
winbind enum users = yes
winbind enum groups = yes

;home directory to be used by the domain users
;when winbind creates the unix password
;database from the windows SIDs.
template homedir = /home/%U
template shell = /bin/bash
log file = /var/log/samba/%m.log

;maximum log file size in KB (5 MB here)
max log size = 5120
printcap name = /etc/printcap
load printers = no

These are the default shares configured already.

[homes]
comment = Home directories for the users.
browseable = no
writeable = yes

[printers]
comment = Connected Printers
path = /var/spool/samba
browseable = no
guest ok = no
writeable = no
printable = yes

Kerberos Configuration:
----------------------------------
The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use network facilities (rcp, rsh) without having to present passwords to remote hosts, provided the remote hosts support Kerberos. When you authenticate with Kerberos, you get an initial Kerberos ticket. Kerberos uses this ticket for network utilities such as rlogin and rcp. However, tickets expire: privileged tickets, those with the 'root' instance, expire in a few minutes, while others may live for more than a day depending on the policy.
The commands 'kinit' and 'kdestroy' are used to obtain and destroy tickets respectively.

#vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5libs.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = JOINME.COM
;there is no [realms] section here: with dns_lookup_kdc = yes the KDC
;is found through the SRV records that the Active Directory DNS publishes
dns_lookup_realm = yes
dns_lookup_kdc = yes
ticket_lifetime = 24h

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Adding the GNU/Linux machine to Active Directory:
-------------------------------------------------------------------------
Start the samba service.
#/etc/init.d/smb start

Obtain a Kerberos ticket
#kinit ADMINISTRATOR@JOINME.COM
Enter the Administrator password of the DC when prompted.
Note: Make sure the GNU/Linux machine and the ADS have
the same time. Otherwise kinit or the join will fail with a
clock skew error message.

Now join the machine to ADS.
#net ads join

Winbind Configuration:
----------------------
#vim /etc/nsswitch.conf
passwd: files winbind
shadow: files
hosts: files winbind

#vim /etc/sysconfig/samba
# no spaces around '=': the init script sources this file as shell
# -B runs winbindd in dual daemon mode (one process answers from the
# cache while the other refreshes it from the DC)
WINBINDOPTIONS="-B"

Tweak the Name Service Caching Daemon (NSCD):
----------------------------------------------------------------------
Turn off nscd caching for the databases winbind now serves, so that lookups are answered by the domain and not by a stale local cache.
#vim /etc/nscd.conf
enable-cache passwd no
enable-cache group no
enable-cache hosts no

Now restart the network service
#/etc/init.d/network restart

Configure the PAM-aware services to use the pam_winbind.so shared object. pam_mkhomedir.so creates the home directory from /etc/skel the first time a domain user logs in.

#vim /etc/pam.d/login
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022

Now restart the samba and winbind daemon.
#/etc/init.d/smb restart
#/etc/init.d/winbind restart
#chkconfig smb on ; chkconfig winbind on

Testing the whole configuration:
--------------------------------
#getent passwd
#getent group
These should now list the domain users and groups along with the local ones.
#wbinfo -u
This will display the domain users.
#wbinfo -g
This will display the domain groups.
Note: The domain and the users/groups will be
separated by the '+' sign which we specified
with 'winbind separator'.
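As an added example (not part of the original post), a small shell script that bundles the checks above with the clock-skew and trust-secret checks worth running right after the join; it assumes the Samba 3 tools net and wbinfo are on PATH, GNU date, and that DC_HOST and SMB_CONF match this setup.

```shell
#!/bin/sh
# Post-join sanity checks for a Samba/winbind AD member (added example, not
# from the original post). Assumes: Samba 3 'net' and 'wbinfo', GNU date,
# and DC_HOST / SMB_CONF pointing at this site's DC and smb.conf.
DC_HOST=${DC_HOST:-ads.joinme.com}
SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}
MAX_SKEW=300   # Kerberos tolerates at most 5 minutes of clock skew by default

# skew_ok LOCAL_EPOCH DC_EPOCH: succeed if the two clocks differ by <= MAX_SKEW s
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# smb_conf_get KEY FILE: print KEY's value, ignoring ';' and '#' comment lines
smb_conf_get() {
    sed -n "/^[[:space:]]*[;#]/d; s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | head -n 1
}

check_member() {
    # 1. Clock skew: beyond MAX_SKEW the DC rejects our Kerberos requests.
    #    Assumes GNU date can parse the timestamp 'net time' prints.
    dc_now=$(date -d "$(net time -S "$DC_HOST")" +%s) || return 1
    skew_ok "$(date +%s)" "$dc_now" \
        || { echo "clock skew above ${MAX_SKEW}s against $DC_HOST"; return 1; }
    # 2. Machine account and its trust secret are still valid on the DC.
    net ads testjoin >/dev/null || { echo "net ads testjoin failed"; return 1; }
    wbinfo -t >/dev/null || { echo "wbinfo -t: trust secret check failed"; return 1; }
    # 3. winbindd runs with the separator that smb.conf asks for.
    want=$(smb_conf_get 'winbind separator' "$SMB_CONF")
    have=$(wbinfo --separator)
    [ "$want" = "$have" ] \
        || { echo "separator mismatch: smb.conf '$want', winbindd '$have'"; return 1; }
    # 4. NSS can resolve a domain user ('winbind enum users' must be on for -u to list any).
    first=$(wbinfo -u | head -n 1)
    [ -n "$first" ] || { echo "wbinfo -u listed no domain users"; return 1; }
    getent passwd "$first" >/dev/null || { echo "getent cannot resolve $first"; return 1; }
    echo "member checks passed (first domain user: $first)"
}

# Run the live checks only when invoked as: sh check_member.sh run
if [ "${1:-}" = run ]; then check_member; fi
```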
