
A Sidetrip to Linux with Active Directory

This is a temporary detour into the land of joining a Linux server to your Active Directory. This was one of my first experiences working with Linux on the job, so it was quite exciting that there was almost no documentation on how to do this at the time, and what was out there either didn’t work quite right or didn’t work at all. It took me a while, but I eventually got it working. Since there are so many flavors of Linux out there, the same methods may or may not work for you. The machine being joined is a fresh install of CentOS 5.2.

As always, before you start setting this up, make sure that your network configuration is correct: you can ping everything and name resolution works. Don’t forget to add an A record for your Linux machine. The first thing you need to do is get your Kerberos configuration set up, and set up properly. The majority of the time, if something breaks it will be in your Kerberos configuration, since the krb5 configuration is rather fragile. Open /etc/krb5.conf and edit it to look similar to what is below. Remember that capitalization is extremely important, as is punctuation.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SHINRA.INC
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
SHINRA.INC = {
kdc = cloudcore.shinra.inc:88
admin_server = cloudcore.shinra.inc:749
default_domain = shinra.inc
}

[domain_realm]
.shinra.inc = SHINRA.INC
shinra.inc = SHINRA.INC

Once you have that set up run

kinit administrator

If no errors are returned after entering your password, that should (but does not always) mean that your Kerberos setup is working. Run klist to make sure you have a Kerberos ticket. Next up is configuring Samba. Edit your /etc/samba/smb.conf file as follows.

[global]
workgroup = SHINRA
# realm is the Kerberos realm (the upper-case DNS domain), not the NetBIOS workgroup
realm = SHINRA.INC
netbios name = LINUXTEST
security = ads
password server = cloudcore.shinra.inc
domain master = no
idmap uid = 1000-29999
idmap gid = 1000-29999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = true

Then edit your /etc/nsswitch.conf as follows.

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files winbind
services: files
netgroup: nisplus winbind
publickey: nisplus
automount: files nisplus winbind
aliases: files nisplus

The important part is adding winbind; the rest of your nsswitch.conf may be customized to your network. Now the final file for you to edit is /etc/pam.d/system-auth. Look for a line similar to auth sufficient pam_winbind.so and edit it as follows.

auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE use_first_pass

Now we should have everything configured, so let’s start things up and get joined to our AD. First we set the services to start automatically, then we start them.

chkconfig --level 35 smb on
chkconfig --level 35 winbind on
/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/winbind start
/etc/init.d/smb start

Next up is joining the domain.

net ads join -U administrator

This should run successfully. To test that you are joined, run wbinfo -u and wbinfo -g. These should list the users and groups, respectively, in your domain. Now you should be set. I’ll go over a few errors that I’ve encountered and possible solutions. It is a touchy process, so if this didn’t work for you it may just require a bit of tweaking for your flavor of Linux and your own AD.
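As an added pre-flight check (not part of the original tutorial), the following POSIX shell script reads a krb5.conf and smb.conf and flags the realm-capitalization and realm-mismatch mistakes that most often break kinit and net ads join before any service is started. The script, its function names and the sample configs in its test are assumptions, not the author's files.

```shell
#!/bin/sh
# Pre-flight lint for the krb5.conf / smb.conf pair used above (added example).
# Flags the realm-capitalization and realm-mismatch mistakes that make kinit
# or "net ads join" fail. Usage: sh preflight.sh /etc/krb5.conf /etc/samba/smb.conf

# ini_get FILE SECTION KEY -> prints the value of "KEY = value" inside [SECTION]
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == sec); next }
        insec && line ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "", line); print line; exit
        }' "$1"
}
upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# preflight_check KRB5_CONF SMB_CONF -> 0 if every check passes, 1 otherwise
preflight_check() {
    rc=0
    realm=$(ini_get "$1" libdefaults default_realm)
    domain=$(lower "$realm")
    # Kerberos compares realm names case-sensitively; AD realms are UPPER CASE.
    if [ -z "$realm" ] || [ "$realm" != "$(upper "$realm")" ]; then
        echo "FAIL: default_realm '$realm' missing or not upper case"; rc=1
    fi
    # [realms] needs a "REALM = {" block that names the KDC.
    if ! grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$1"; then
        echo "FAIL: no [realms] block for $realm"; rc=1
    fi
    # [domain_realm] must map both ".domain" and "domain" to the realm.
    for d in ".$domain" "$domain"; do
        if [ "$(ini_get "$1" domain_realm "$d")" != "$realm" ]; then
            echo "FAIL: domain_realm does not map $d to $realm"; rc=1
        fi
    done
    # smb.conf: security = ads, and realm must equal the Kerberos realm exactly.
    if [ "$(ini_get "$2" global security)" != "ads" ]; then
        echo "FAIL: smb.conf security is not 'ads'"; rc=1
    fi
    if [ "$(ini_get "$2" global realm)" != "$realm" ]; then
        echo "FAIL: smb.conf realm does not match default_realm $realm"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: configs are consistent for realm $realm"
    return "$rc"
}

if [ $# -eq 2 ]; then preflight_check "$1" "$2"; fi
```

A non-zero exit means at least one FAIL line was printed; fix those before running kinit or net ads join.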

Some possible errors you may encounter.

When attempting net ads join -U administrator I get the error:
Host is not configured as a member server.

Check your smb.conf for errors. Make sure that you set security = ads. Run testparm to check for other configuration errors.

When attempting net ads join -U administrator I get the error:
[2009/03/11 09:55:32, 0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(594)
create_local_private_krb5_conf_for_domain: failed to create directory /var/cache/samba/smb_krb5.
Error was Permission denied

Manually create the directory /var/cache/samba/smb_krb5. It may be an issue related to SELinux. I haven’t researched it enough to determine a proper workaround.

My net ads join -U administrator works but wbinfo -u and wbinfo -g are still returning errors.

Make sure your winbind service is running. It is generally best to start winbind before starting smb in my experience.


1 Comment

  1. ferricoxide says:

    I notice that you had “automount: files nisplus winbind” in your nsswitch.conf file. I presume that nisplus is only relevant to your environment and may be omitted.

    I am looking to store automounter map files (e.g., auto.master, auto.home and auto.direct) in (and extract from) Active Directory. I would prefer to be able to pull those maps directly from AD using the winbind API.

    Previously, when I’ve wanted to pull automounter maps from an AD, I went through the ordeal of creating them in the IDMU extensions to Windows Server 2003R2 (`nismap`) and setting up the *N*X clients to use NIS for those queries.

    If I use “automount: files winbind” on my Linux clients, do I still need to install the IDMU extensions on Windows Server 2003R2 to create my automounter AD objects? What additional client-side and/or AD server-side configuration do I need to do to pull automounter map information from AD?
