
A Sidetrip to Linux with Active Directory

This is a temporary detour into the land of joining a Linux server to your Active Directory. This was one of my first experiences working with Linux on the job, so it was quite exciting that there was almost no documentation on how to do this at the time, and what was out there didn't work quite right, or not at all. It took me a while, but I eventually got it working. Since there are so many flavors of Linux out there, the same methods may or may not work for you. The machine being joined is a fresh install of CentOS 5.2.

As always, before you start, make sure your network configuration is correct: you can ping everything, forward and reverse name resolution work, and the clock is in sync with the domain controllers (Kerberos rejects tickets when clocks differ by more than the domain's skew limit, five minutes by default). Don't forget to add an A record for your Linux machine. The first thing you need to do is get your Kerberos config set up properly. The majority of the time, if something breaks it will be in your Kerberos configuration, since the krb5 config is rather fragile. Open up /etc/krb5.conf and edit it to look similar to what is below. Remember that capitalization and punctuation are extremely important: realm names are upper case, DNS names are lower case, and every realm entry needs its braces.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SHINRA.INC
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SHINRA.INC = {
  kdc = cloudcore.shinra.inc:88
  admin_server = cloudcore.shinra.inc:749
  default_domain = shinra.inc
 }

[domain_realm]
 .shinra.inc = SHINRA.INC
 shinra.inc = SHINRA.INC

Once you have that set up, run

kinit administrator

If no errors are returned after entering your password, that should (but not always) mean your Kerberos setup is working. Run klist to make sure you actually hold a ticket-granting ticket (a krbtgt/SHINRA.INC@SHINRA.INC entry). Next up is configuring Samba. Edit the [global] section of /etc/samba/smb.conf as follows. Note that realm is the Kerberos realm (SHINRA.INC, which must match default_realm in krb5.conf), while workgroup is the short NetBIOS domain name (SHINRA); mixing the two up is the most common smb.conf mistake on an ADS member. password server is only needed if DNS SRV lookups for the domain controllers don't work; with security = ads Samba can locate the DCs itself. Pick an idmap range that cannot collide with local accounts (local UIDs on CentOS start at 500), and be aware that winbind enum users/groups = yes lets wbinfo -u and getent enumerate the whole domain, which is slow on a large one; leave them off if you only need lookups by name.

[global]
workgroup = SHINRA
realm = SHINRA.INC
netbios name = LINUXTEST
security = ads
password server = cloudcore.shinra.inc
domain master = no
idmap uid = 1000-29999
idmap gid = 1000-29999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = true

Then edit your /etc/nsswitch.conf as follows.

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files winbind
services: files
netgroup: nisplus winbind
publickey: nisplus
automount: files nisplus winbind
aliases: files nisplus

The important part is adding winbind to the passwd, shadow and group lines (winbind only answers passwd and group lookups, so listing it under protocols or rpc is harmless but does nothing); the rest of nsswitch.conf may be customized to your network. Now the final file to edit is /etc/pam.d/system-auth. On CentOS 5 this is a symlink to system-auth-ac, which authconfig regenerates, so edit the target file or re-apply your change if you run authconfig later. Look for the line that starts with auth sufficient pam_winbind.so and edit it as follows.

auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE use_first_pass

krb5_auth makes pam_winbind authenticate against the KDC instead of with NTLM, and krb5_ccache_type=FILE stores the resulting TGT in a file credential cache so the user has a ticket after logging in (the option name is krb5_ccache_type; pam_winbind has no bare krb5_ccache option). use_first_pass reuses the password already collected by pam_unix, so this line must come after the pam_unix line. Domain users will not have a home directory yet; add session required pam_mkhomedir.so skel=/etc/skel umask=0077 to the session stack if you want one created on first login.
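The four files above fail in predictable ways: a lower-case realm, realm and workgroup swapped, security left at user, or winbind missing from nsswitch. Here is a small pre-flight lint for those mistakes. It is an added example, not code from the original post; the sample krb5.conf, smb.conf and nsswitch.conf it writes are constructed for the demonstration (one correct smb.conf and one with the realm/workgroup mix-up), and on a real machine you would point the functions at the files under /etc instead. It does not check the PAM line.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight lint for the files
# edited above, checking the mistakes the post warns about (realm case,
# security = ads, smb.conf realm matching krb5.conf, winbind in nsswitch).
# The sample configs written by write_samples are constructed for this demo;
# point the functions at /etc/krb5.conf etc. on a real machine.

# Value of "key = value" inside one [section] of krb5.conf.
krb5_get() { # file section key
    awk -v sec="[$2]" -v key="$3" '
        $1 == sec          { insec = 1; next }
        /^[ \t]*\[/        { insec = 0 }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Value of a smb.conf key (case-insensitive, may contain spaces).
smb_get() { # file key
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# Succeeds when winbind is listed as a source for the given nsswitch database.
nss_has_winbind() { # file database
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END      { exit !found }
    ' "$1"
}

# Run all checks; print each problem and return non-zero if any was found.
preflight() { # krb5.conf smb.conf nsswitch.conf
    rc=0
    realm=$(krb5_get "$1" libdefaults default_realm)
    smbrealm=$(smb_get "$2" realm)
    if [ -z "$realm" ]; then
        echo "krb5.conf: no default_realm in [libdefaults]"; rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "krb5.conf: default_realm '$realm' must be upper case"; rc=1
    fi
    [ "$(smb_get "$2" security)" = ads ] ||
        { echo "smb.conf: security must be 'ads' for an AD member"; rc=1; }
    [ "$smbrealm" = "$realm" ] ||
        { echo "smb.conf: realm '$smbrealm' must equal default_realm '$realm'"; rc=1; }
    for db in passwd group; do
        nss_has_winbind "$3" "$db" ||
            { echo "nsswitch.conf: '$db' line does not list winbind"; rc=1; }
    done
    return $rc
}

# Constructed sample files (not from a real system): one good, one bad smb.conf.
write_samples() { # directory
    mkdir -p "$1"
    printf '%s\n' '[libdefaults]' ' default_realm = SHINRA.INC' \
        '[realms]' ' SHINRA.INC = {' '  kdc = cloudcore.shinra.inc:88' ' }' \
        > "$1/krb5.conf"
    printf '%s\n' '[global]' ' workgroup = SHINRA' ' realm = SHINRA.INC' \
        ' security = ads' ' password server = cloudcore.shinra.inc' \
        > "$1/smb.conf.good"
    printf '%s\n' '[global]' ' workgroup = SHINRA' ' realm = SHINRA' \
        ' security = user' > "$1/smb.conf.bad"
    printf '%s\n' 'passwd: files winbind' 'shadow: files winbind' \
        'group:  files winbind' 'hosts:  files dns' > "$1/nsswitch.conf"
}

dir=${TMPDIR:-/tmp}/adjoin-lint.$$
write_samples "$dir"
for conf in good bad; do
    echo "== smb.conf.$conf"
    if preflight "$dir/krb5.conf" "$dir/smb.conf.$conf" "$dir/nsswitch.conf"; then
        echo "no problems found"
    fi
done
rm -rf "$dir"
```

Run it as is to see the good file pass and the bad one report both the security and the realm problem; on the member server, call preflight /etc/krb5.conf /etc/samba/smb.conf /etc/nsswitch.conf before touching net ads join. The parsers are deliberately dumb (one key per line, no include handling), which is enough for the files shown here.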

Now we should have everything configured, so let's start things up and join AD. First set the services to start automatically, then (re)start them, winbind before smb.

chkconfig --level 35 smb on
chkconfig --level 35 winbind on
/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/winbind start
/etc/init.d/smb start

Next up is joining the domain. The account only needs the right to join computers to the domain; it does not have to be administrator.

net ads join -U administrator

This should run successfully. To test that you are joined, run net ads testjoin and wbinfo -t (which verifies the machine account's trust secret with a domain controller), then wbinfo -u and wbinfo -g, which list the users and groups in your domain. getent passwd followed by a domain user name confirms that nsswitch is resolving through winbind as well. Now you should be set. I'll go over a few errors that I've encountered and possible solutions. It is a touchy process, so if this didn't work for you it may just require a bit of tweaking for your flavor of Linux and your own AD.

Some possible errors you may encounter.

When attempting net ads join -U administrator I get the error:
Host is not configured as a member server.

Check your smb.conf for errors: make sure security = ads is set, and run testparm to catch other configuration errors before trying the join again.

When attempting net ads join -U administrator I get the error:
[2009/03/11 09:55:32, 0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(594) create_local_private_krb5_conf_for_domain: failed to create directory /var/cache/samba/smb_krb5. Error was Permission denied

Manually create the directory /var/cache/samba/smb_krb5. It may be an issue related to SELinux; I haven't looked into it enough to determine a proper workaround. Before blaming permissions alone, check for AVC denials against net with ausearch -m avc -c net (or grep avc /var/log/audit/audit.log).

My net ads join -U administrator works but wbinfo -u and wbinfo -g are still returning errors.

Make sure your winbind service is running (/etc/init.d/winbind status). It is generally best to start winbind before starting smb in my experience.
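The start, join and verify steps above, together with the checks the errors suggest (testparm before the join, winbind up before smb and before any wbinfo call), as an added script that is not part of the original post. It calls the real Samba and MIT Kerberos tools (chkconfig, testparm, kinit, net, wbinfo, getent); DOMAIN_ADMIN and REALM default to the post's example values and are assumptions you should override. Run it without arguments to print the plan; run it with the argument run on the member server to execute it.

```shell
#!/bin/sh
# Added example, not from the original post: the start/join/verify sequence
# as a script with the ordering and checks made explicit. Without arguments
# it prints the plan (dry run); "run" executes it. DOMAIN_ADMIN and REALM
# default to the post's example values and are assumptions.
DOMAIN_ADMIN=${DOMAIN_ADMIN:-administrator}
REALM=${REALM:-SHINRA.INC}

# Run a command, or print it on stderr when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*" >&2
    else
        "$@"
    fi
}

# Enable both services and (re)start them with winbind first: wbinfo and
# every NSS lookup go through winbind, and smb relies on it for ADS auth.
start_services() {
    run chkconfig --level 35 smb on
    run chkconfig --level 35 winbind on
    run /etc/init.d/smb stop || true      # may not be running yet
    run /etc/init.d/winbind stop || true
    run /etc/init.d/winbind start
    run /etc/init.d/smb start
}

# Validate smb.conf, prove Kerberos works, then join. kinit and net both
# prompt for the password; never put it on the command line.
join_domain() {
    run testparm -s >/dev/null ||
        { echo "testparm rejected smb.conf; fix it before joining" >&2; return 1; }
    run kinit "$DOMAIN_ADMIN@$REALM" ||
        { echo "kinit failed: check krb5.conf, DNS and the clock" >&2; return 1; }
    run net ads join -U "$DOMAIN_ADMIN"
}

# Confirm the join from both sides before trusting wbinfo -u / -g output.
verify_join() {
    run net ads testjoin || return 1      # machine account and keytab usable
    run wbinfo -t || return 1             # trust secret with the DC is valid
    run wbinfo -u | head -n 5             # first few domain users via winbind
    run getent passwd "$DOMAIN_ADMIN"     # resolves through nsswitch, not wbinfo
}

case "${1:-plan}" in
    run) start_services && join_domain && verify_join ;;
    *)   DRY_RUN=1; start_services; join_domain; verify_join ;;
esac
```

The dry run exists so the order can be reviewed (and, here, checked) before anything touches the domain; the third error in the list above is exactly what you get when the smb and winbind lines are swapped.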
