From installation to Active Directory client with CentOS 4.2 – Part two
by Mats Hellman on Aug.22, 2006, under Linux
This is the second part of an article I started a _long_ time ago explaining how to connect a Linux desktop to Microsoft's Active Directory, this time with the CentOS distribution. The first part can be found here. Hopefully you now have CentOS set up and are eager to get domain logins working. We will get to that in a minute. First let's discuss the overall process and what you need to know or have set up already. This guide comes with no guarantee; back up any important data before proceeding, and if you run into trouble post in our forums and we'll do our best to help you. Back up every configuration file before you edit it so you can put the original back if something breaks. Remember, playing with authentication can lock you out of your system: keep a root shell open on a second console (or over SSH) until you have verified that both a local and a domain login still work.
You need:
- Working Windows domain with Active Directory.
- CentOS 4 installed on a desktop or virtual machine (VMware, Microsoft Virtual PC or Virtual Server).
Also you need to have the following information at hand:
- Your Windows domain name.
- The name of the Active Directory domain controller.
- The user name and password of a domain account that is allowed to join computers to the domain (it need not be a Domain Admin).
That’s it. Now let’s get on with configuring the system.
In this article:
- Installing OpenLDAP.
- Configuring Kerberos.
- Configuring Samba.
- Starting the winbind daemon.
- Adding the workstation to the domain.
- Configuring /etc/nsswitch.conf.
- Testing winbind.
- Testing Windows to Linux account conversion.
- Editing /etc/sysconfig/samba.
- Editing PAM settings.
- Starting the daemons.
- Further reading.
- Troubleshooting.
We'll start by installing OpenLDAP and its client tools. The rest of this guide authenticates through winbind, so nss_ldap is not needed for it. The Kerberos and Samba steps below also need kinit (from krb5-workstation), the smb init script (from samba) and net, wbinfo and winbindd (from samba-common); yum resolves the dependencies for us. Just fire up a terminal, because that's where we'll spend a lot of time in this part of the article.

[root@wrkst1 ~]# yum install openldap-clients openldap krb5-workstation samba samba-common
Configuring Kerberos.
With OpenLDAP installed we can move on to the authentication pieces. Let's start with the network authentication protocol, Kerberos: this is what both kinit and the Samba domain join use to talk to the domain controller.
We need to tell Kerberos the Windows realm (the AD DNS domain name, written in capitals) and where its KDC is; in an AD domain every domain controller is a KDC. The configuration file is /etc/krb5.conf, so fire up your favourite editor (I use both Emacs and Vi depending on the situation, so no editor wars here) and open the file.
You should see something like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]

[realms]

[domain_realm]

[kdc]

[appdefaults]
Now let's edit the file. You did back it up like I told you, didn't you? Remember that this file IS case sensitive: default is not the same as DEFAULT, and the realm must stay in capitals. Change the values if you copy and paste. Two things differ from what you may see in other guides: the [realms] and [domain_realm] sections are filled in so the library never has to rely on DNS SRV records to find the KDC (which is also what makes the /etc/hosts entry in the next step useful), and rc4-hmac heads the enctype lists because that is what a Windows 2000/2003 domain controller actually negotiates; des3-hmac-sha1 is not supported by AD and is left out.

# /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NIXADMINS.NET
 # a bare number here is seconds, so the 600 seen in many guides is a ten-minute
 # ticket; 10h matches the Active Directory default maximum ticket life
 ticket_lifetime = 10h
 # rc4-hmac is what a 2000/2003 DC offers; single DES is weak and is kept only
 # for old DCs or accounts that cannot use RC4
 default_tkt_enctypes = rc4-hmac des-cbc-crc
 default_tgs_enctypes = rc4-hmac des-cbc-crc

[realms]
 NIXADMINS.NET = {
  kdc = ad-server.nixadmins.net
  admin_server = ad-server.nixadmins.net
  default_domain = nixadmins.net
 }

[domain_realm]
 .nixadmins.net = NIXADMINS.NET
 nixadmins.net = NIXADMINS.NET

[kdc]

[appdefaults]
Save the file and exit. Next, let's make the setup a little more tolerant of DNS trouble: if name resolution goes away the workstation cannot reach the domain controller and nobody from the domain can log in, so add the DC to /etc/hosts. This only helps if your krb5.conf [realms] section and the password server line in smb.conf name the DC by this hostname; when they are left out, the libraries locate the DC through DNS SRV records and the hosts entry is never consulted. Replace 1.2.3.4 with the DC's real address and remember to update the entry if that address ever changes. Add the following line to /etc/hosts:

# /etc/hosts
1.2.3.4   ad-server.nixadmins.net   ad-server
Next we need to test whether our Kerberos settings work. Type the following in your terminal; kinit asks for the user's domain password and, if everything is working, simply returns you to the prompt. The realm after the @ must be in capitals. Run klist afterwards: it should list a krbtgt/NIXADMINS.NET@NIXADMINS.NET ticket, and kdestroy throws it away again. The usual failures are "Clock skew too great" (Kerberos rejects more than five minutes of difference between workstation and DC, so sync the clock, for example with ntpdate against the DC), "Cannot find KDC for requested realm" (no kdc entry for the realm and no usable DNS SRV record) and "Cannot resolve network address for KDC" (the kdc hostname does not resolve, which the /etc/hosts entry guards against).

[root@wrkst1 ~]# kinit aduser@NIXADMINS.NET
Password for aduser@NIXADMINS.NET:
[root@wrkst1 ~]#

That's it for Kerberos; it wasn't that hard now, was it?
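A quick offline check of the file before the first kinit, as an added example that is not part of the original article: it parses a constructed krb5.conf that reuses the article's realm and DC names, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: offline sanity checks on a krb5.conf.
# Realm and DC names below are the article's; the sample file is constructed here.

# krb5_realm_kdc FILE REALM -> prints the kdc host(s) configured for REALM under
# [realms]; returns 1 if the realm block is missing or has no kdc line.
krb5_realm_kdc() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); in_block = 0; next }
        in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_block = 1; next }
        in_block && /^[ \t]*}/ { in_block = 0; next }
        in_block && $1 == "kdc" && $2 == "=" { print $3; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# krb5_libdefault FILE KEY -> prints the value of KEY from [libdefaults]; returns 1 if absent.
krb5_libdefault() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && $1 == key && $2 == "=" {
            v = ""; for (i = 3; i <= NF; i++) v = v (i > 3 ? " " : "") $i
            print v; found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# krb5_has_enctype FILE KEY ENCTYPE -> 0 if ENCTYPE is listed in KEY's value.
krb5_has_enctype() {
    krb5_libdefault "$1" "$2" | tr ' ' '\n' | grep -qx "$3"
}

# krb5_weak_enctypes FILE -> prints any single-DES types in the enctype lists; returns 1 if none.
krb5_weak_enctypes() {
    for key in default_tkt_enctypes default_tgs_enctypes permitted_enctypes; do
        krb5_libdefault "$1" "$key" | tr ' ' '\n' | grep -E '^des-cbc-(crc|md4|md5)$' || true
    done | sort -u | grep .
}

# krb5_check FILE REALM -> human-readable report; returns 0 only when REALM has a kdc
# entry and default_tkt_enctypes includes rc4-hmac (what a 2000/2003 DC will use).
krb5_check() {
    rc=0
    if kdc=$(krb5_realm_kdc "$1" "$2"); then
        echo "ok:   $2 kdc = $(echo "$kdc" | tr '\n' ' ')"
    else
        echo "FAIL: no kdc for realm $2 (library will fall back to DNS SRV lookups)"; rc=1
    fi
    if krb5_has_enctype "$1" default_tkt_enctypes rc4-hmac; then
        echo "ok:   default_tkt_enctypes includes rc4-hmac"
    else
        echo "FAIL: default_tkt_enctypes lacks rc4-hmac"; rc=1
    fi
    if weak=$(krb5_weak_enctypes "$1"); then
        echo "warn: single-DES enctypes enabled: $(echo "$weak" | tr '\n' ' ')"
    fi
    return $rc
}

# Constructed sample mirroring the article's configuration.
SAMPLE_KRB5=$(mktemp)
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
 default_realm = NIXADMINS.NET
 default_tkt_enctypes = rc4-hmac des-cbc-crc
 default_tgs_enctypes = rc4-hmac des-cbc-crc
[realms]
 NIXADMINS.NET = {
  kdc = ad-server.nixadmins.net
  admin_server = ad-server.nixadmins.net
 }
[domain_realm]
 .nixadmins.net = NIXADMINS.NET
EOF

krb5_check "$SAMPLE_KRB5" NIXADMINS.NET
```

Point krb5_check at /etc/krb5.conf and your realm on the workstation; a FAIL on the kdc line is the usual cause of a kinit that works only while DNS is healthy.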
Samba holds the domain information and the machine name, and it also defines how domain users are mapped to Unix accounts: where their home directories go, which shell they get, and which UID/GID range winbind may hand out. Here is my smb.conf; read it through and change at least workgroup (the short NetBIOS domain name), realm (the AD DNS domain name in capitals), netbios name (this workstation's hostname) and password server (your domain controller). Keep the idmap range clear of any local UIDs and GIDs, and treat the winbindd_idmap.tdb it fills as part of the machine's state: mappings are allocated the first time each SID is seen, so they differ from one workstation to the next unless you share an idmap backend. The winbind gid line that sometimes appears next to idmap gid is just an alias for it in Samba 3 and is left out.

# /etc/samba/smb.conf
[global]
   workgroup = NIXADMINS
   realm = NIXADMINS.NET
   netbios name = wrkst1
   server string = Linux workstation 1
   security = ADS
   password server = ad-server.nixadmins.net
   encrypt passwords = yes
   log file = /var/log/samba/samba.%m
   max log size = 50
   local master = no
   preferred master = no
   dns proxy = no
   wins proxy = no
   # UID/GID range winbind allocates to domain accounts; keep it clear of local IDs
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   # enumeration lets getent list the whole domain; expensive on a large directory
   winbind enum users = yes
   winbind enum groups = yes
   # log in as "aduser" rather than "NIXADMINS\aduser"; local names still win
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
Before we move on, let's check /etc/samba/smb.conf for errors. testparm parses the file, reports unknown or deprecated parameters, and tells you which role Samba thinks this host has; for a domain member you want ROLE_DOMAIN_MEMBER.

[root@wrkst1 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
Let's start the winbind daemon, which is responsible for the queries against Active Directory. Before you do, check that neither smbd nor nmbd is running; the workstation does not serve files, and a running nmbd would take part in browser elections. Note that winbindd cannot authenticate anyone until the machine account exists, so restart it after the join in the next step (service winbind restart) and check the shared secret with wbinfo -t.

[root@wrkst1 ~]# service smb status
smbd is stopped
nmbd is stopped
[root@wrkst1 ~]# service winbind start
Starting Winbind services:                                 [  OK  ]
[root@wrkst1 ~]#
Adding the workstation to the domain.
With winbindd running we can add the workstation to the Windows domain. Run the following command with an account that is allowed to create a computer object in the domain. That does not have to be the Administrator account: by default any authenticated domain user may join up to ten machines (the ms-DS-MachineAccountQuota attribute), and for anything larger you should delegate "Create Computer objects" on the OU where workstations belong rather than hand out a Domain Admin password. Kerberos is used for the join, so the workstation's clock must be within five minutes of the DC's.

[root@wrkst1 ~]# net ads join -U Administrator
Administrator's password:
Using short domain name -- NIXADMINS
Joined 'WRKST1' to realm 'NIXADMINS.NET'
[root@wrkst1 ~]#

That's it. The workstation should now appear in the Computers container of the domain, and net ads testjoin should answer "Join is OK". Samba has stored the machine account password in its secrets.tdb; that file is readable by root only and should stay that way.
Configuring /etc/nsswitch.conf.
Edit the top part of /etc/nsswitch.conf so that user and group lookups fall through to winbind after the local files. Order matters: because files (or compat, which behaves like files unless you use NIS +/- entries) comes first, a local account always wins over a domain account of the same name. That is what you want, since a domain user called root can never become UID 0 on this box, but it also means a domain user who shares a name with a local account cannot log in with domain credentials. shadow stays local; winbind does not provide shadow entries.

Before:
# some text before this part
passwd:     files
shadow:     files
group:      files
# and some after also, let them be

After:
# some text before this part
passwd:     compat winbind
shadow:     compat
group:      compat winbind
# and some after also, let them be
Now let's test winbind to see if we really are talking to Active Directory. wbinfo -p checks that winbindd answers at all, wbinfo -t checks the machine account's shared secret against the DC, and the -u and -g switches enumerate users and groups. Names come back either as NIXADMINS\name or, with winbind use default domain = yes in smb.conf, as the bare name; both are fine.
First let's query for users in the directory; your output should look something like this:

[root@wrkst1 ~]# wbinfo -u
NIXADMINS\Administrator
NIXADMINS\*******
NIXADMINS\*******
....
[root@wrkst1 ~]#

And next let's query for groups.

[root@wrkst1 ~]# wbinfo -g
NIXADMINS\HelpServicesGroup
NIXADMINS\TelnetClients
NIXADMINS\Domain Computers
NIXADMINS\Domain Controllers
....
[root@wrkst1 ~]#
Testing Windows to Linux account conversion.
We need to be sure this works or our users won't be able to log in to the workstation. getent asks the name service switch, so its output is exactly what login, ls and every other program will see: the local accounts first, then the domain accounts with a * in the password field, a UID and GID from the idmap range, and the home directory and shell from the template settings in smb.conf. Enumerating the whole domain is slow on a big directory; a targeted lookup such as getent passwd aduser, or id aduser to see the group memberships as well, is the faster everyday check.
First let's check the users; run the following:

[root@wrkst1 ~]# getent passwd

And then the groups:

[root@wrkst1 ~]# getent group
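To spot the two problems that a getent dump can hide, a stale idmap allocation outside the configured range and a local account shadowing a domain one, here is an added example (not from the article) that runs both checks over a constructed /etc/passwd and getent output; the sample accounts and function names are mine, the idmap range is the article's.

```shell
#!/bin/sh
# Added example, not from the original article: checks the account table that
# getent returns once winbind is in nsswitch.conf. The passwd data below is
# constructed; the idmap range is the one from the article's smb.conf.

IDMAP_LOW=10000
IDMAP_HIGH=20000

# winbind_entries LOCAL_PASSWD GETENT_PASSWD -> entries served by winbind, i.e. lines
# of the getent dump whose name:uid pair does not appear in /etc/passwd.
winbind_entries() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1 ":" $3] = 1; next } !(($1 ":" $3) in seen)' "$1" "$2"
}

# idmap_out_of_range LOCAL GETENT -> winbind entries whose uid lies outside the idmap
# range. Old allocations survive in winbindd_idmap.tdb if the range is changed later.
idmap_out_of_range() {
    winbind_entries "$1" "$2" |
        awk -F: -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" '$3 + 0 < lo + 0 || $3 + 0 > hi + 0'
}

# name_collisions GETENT -> names that occur more than once in the dump. With files
# listed before winbind the local entry wins every lookup, so the domain account of
# that name can never log in with its AD password (and a domain "root" never gets uid 0).
name_collisions() {
    awk -F: '{ n[$1]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort
}

# account_report LOCAL GETENT -> summary; returns 1 if anything looks wrong.
account_report() {
    rc=0
    total=$(winbind_entries "$1" "$2" | wc -l | tr -d ' ')
    echo "winbind-served accounts: $total"
    bad=$(idmap_out_of_range "$1" "$2")
    if [ -n "$bad" ]; then
        echo "FAIL: uid outside $IDMAP_LOW-$IDMAP_HIGH:"; echo "$bad"; rc=1
    fi
    dup=$(name_collisions "$2")
    if [ -n "$dup" ]; then
        echo "FAIL: local and domain account share a name:"; echo "$dup"; rc=1
    fi
    return $rc
}

# Constructed sample: /etc/passwd and the output of "getent passwd" on the same host.
LOCAL_PASSWD=$(mktemp); GETENT_PASSWD=$(mktemp)
cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/sbin/nologin
EOF
cat > "$GETENT_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/sbin/nologin
aduser:*:10001:10000:AD User:/home/aduser:/bin/bash
backup:*:10002:10000:Backup Operator:/home/backup:/bin/bash
svc-old:*:20500:10000:Old Service:/home/svc-old:/bin/bash
EOF

account_report "$LOCAL_PASSWD" "$GETENT_PASSWD" || echo "(status $?: fix these before enabling PAM)"
```

On a real workstation feed it /etc/passwd and the output of getent passwd saved to a file; the collision check is the one to run again whenever a local account is added later.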
Add -D to the WINBINDOPTIONS line in /etc/sysconfig/samba so the init script starts winbindd as a daemon; the file should look like this:

# Options to smbd
SMBDOPTIONS="-D"
# Options to nmbd
NMBDOPTIONS="-D"
# Options for winbindd
WINBINDOPTIONS="-D"
IMPORTANT! Make a backup of the whole /etc/pam.d directory before you continue.
Made the backup? OK, let's continue.
Let's edit the file that handles console logins. This file only governs the text console (and anything else that goes through /bin/login); sshd, su, gdm and friends use their own files under /etc/pam.d, most of which pull in system-auth through pam_stack, so a domain login will work on tty1 but not over SSH until those are adjusted as well. On later releases authconfig (--enablewinbind --enablewinbindauth) adds pam_winbind to system-auth for you, which covers every service at once. Two details in the file below are worth getting right: pam_nologin must come before any sufficient rule, because a sufficient module that succeeds ends the auth stack and everything after it is skipped (with the original ordering /etc/nologin would not stop domain users); and the umask given to pam_mkhomedir decides who can read a newly created home directory (0022 makes it world-readable, 0077 keeps it private to the owner). Edit your /etc/pam.d/login to look like this:

#%PAM-1.0
auth       required     pam_securetty.so
# keep pam_nologin ahead of the "sufficient" rules: a sufficient module that succeeds
# ends the auth stack, so anything listed after it is never evaluated
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
# create /home/<user> on first login; umask=0077 keeps it private to the owner
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open
Note: we adde
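Two things are easy to get wrong in a hand-edited login stack: pam_nologin placed after a sufficient rule (a successful pam_winbind then ends the stack and /etc/nologin is ignored) and pam_mkhomedir placed before pam_selinux.so close. Here is an added example (not from the article) that lints a pam.d file for both, plus the mkhomedir umask; the two sample stacks are constructed, the first with those mistakes and the second in the corrected order, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: lints a /etc/pam.d/login-style file
# for ordering mistakes that are easy to make when adding pam_winbind by hand.
# The two stacks below are constructed inputs.

# pam_rules FILE TYPE -> "index:control:module:args" for each rule of TYPE, comments skipped.
pam_rules() {
    awk -v t="$2" '
        !/^[ \t]*#/ && NF >= 3 && $1 == t {
            args = ""; for (i = 4; i <= NF; i++) args = args " " $i
            n++; print n ":" $2 ":" $3 ":" args
        }' "$1"
}

# pam_nologin_shadowed FILE -> 0 if an auth "sufficient" rule precedes pam_nologin.so.
# A sufficient module that succeeds ends the auth stack, so /etc/nologin would be
# ignored for every user pam_winbind accepts.
pam_nologin_shadowed() {
    pam_rules "$1" auth | awk -F: '
        $2 == "sufficient" { suff = 1 }
        $3 == "pam_nologin.so" && suff { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# pam_mkhomedir_misordered FILE -> 0 if pam_mkhomedir runs before "pam_selinux.so close".
pam_mkhomedir_misordered() {
    pam_rules "$1" session | awk -F: '
        $3 == "pam_mkhomedir.so" && !closed { hit = 1 }
        $3 == "pam_selinux.so" && $4 ~ /close/ { closed = 1 }
        END { exit hit ? 0 : 1 }'
}

# pam_mkhomedir_umask FILE -> the umask= value given to pam_mkhomedir, or "default".
pam_mkhomedir_umask() {
    pam_rules "$1" session | awk -F: '
        $3 == "pam_mkhomedir.so" && match($4, /umask=[0-7]+/) {
            print substr($4, RSTART + 6, RLENGTH - 6); found = 1
        }
        END { if (!found) print "default" }'
}

# pam_lint FILE -> prints findings; returns the number of findings (0 = clean).
pam_lint() {
    n=0
    if pam_nologin_shadowed "$1"; then
        echo "FAIL: pam_nologin.so listed after a sufficient auth rule"; n=$((n + 1))
    fi
    if pam_mkhomedir_misordered "$1"; then
        echo "FAIL: pam_mkhomedir.so runs before pam_selinux.so close"; n=$((n + 1))
    fi
    u=$(pam_mkhomedir_umask "$1")
    if [ "$u" != "default" ] && [ "$u" != "0077" ] && [ "$u" != "077" ]; then
        echo "warn: pam_mkhomedir umask=$u; 0077 keeps new home directories private"
    fi
    return $n
}

# Constructed samples: the mistaken order and the corrected one.
AS_WRITTEN=$(mktemp); FIXED=$(mktemp)
cat > "$AS_WRITTEN" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_selinux.so open
EOF
cat > "$FIXED" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
session    required     pam_stack.so service=system-auth
session    required     pam_selinux.so open
EOF

for f in "$AS_WRITTEN" "$FIXED"; do
    echo "== $f"; pam_lint "$f" || :
done
```

Run pam_lint against /etc/pam.d/login (and any other pam.d file you add pam_winbind to) before you log out of your safety shell; a non-zero return is the cue to put the backup back.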
March 10th, 2008 on 18:11
Has anyone gotten Linux clients connected to ADS to work with cached logons? I mean the same behaviour that Windows clients support, which enables users to log in in the absence of a DC. This is one of the things that is keeping me from moving over to Linux.
regards
KIRAN
March 10th, 2008 on 21:34
With recent distros like CentOS 5 you don't have to edit anything, if you don't want to set up something special, like the fact that Linux by default sets the user's home directory to /home/domain/user. I don't like that; I want them to be in /home/user, so I edit the smb.conf file. But otherwise you just fill in the information needed, click "use cached" and off you go. It has always worked for me.
August 21st, 2008 on 15:06
Sir
Thanks for this study, Mats. I have configured Samba with ADS in CentOS 5. I can view all the domain users using getent passwd.
But my problem is I can't log in using any domain user in CentOS, and the domain users' home directories are not visible in the /home directory.
Please help me to solve this problem.
thanks again
Soumalya
August 21st, 2008 on 18:27
Could you post a little more information? Your
smb.conf
/etc/pam.d/login
krb.conf
CentOS 5 should be able to join the domain during installation also. You shouldn't have to go through this manually.
Have you tried to log in to a non-graphical prompt? Press CTRL+ALT+1 to get to the normal terminal and try to do a domain login.
pam_mkhomedir is the module that makes the home directories but if you can’t log in it won’t create the directory either.
You could also try to log in with the full domain\user. For example NIXADMINS\Administrator.
Let’s start with that and see if we can get it sorted out.
August 25th, 2008 on 23:52
What happens if you try to switch user as root?
Does that work? If not, what do your logs say? See if anything comes up in /var/log/messages.
If you can list your domain users you are almost there.
August 25th, 2008 on 12:18
What's up, sir.
I configured the smb, but when I use wbinfo -u it shows all the domain users, but not like you said as CENTRAL\ADMINISTRATOR; it shows administrator.
[root@telnet ~]# wbinfo -u
Administrator
#Deleted user list#
I also can't log in using domain users.
Please help me.
thanks in advance
August 22nd, 2008 on 07:44
Thanks for your reply.
smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command “testparm”
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = CENTRAL
# server string is the equivalent of the NT Description field
server string = Samba Server
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = ADS
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the “loopback” interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
# If you want to automatically load your printer list rather
# than setting them up individually then you’ll need this
load printers = yes
# you may wish to override the location of the printcap file
; printcap name = /etc/printcap
# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
; printcap name = lpstat
# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
; printing = cups
# This option tells cups that the data has already been rasterized
cups options = raw
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user “nobody” is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
password server = data-server.central.edu
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
realm = CENTRAL.EDU
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/samba/lib/smb.conf.%m
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Browser Control Options:
# set local master to no if you don’t want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don’t use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = no
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support – Tells the NMBD component of Samba to enable it’s WINS Server
; wins support = yes
# WINS Server – Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy – Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
wins proxy = no
# DNS Proxy – tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
encrypt passwords = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user’s home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
# Set public = yes to allow user ‘guest account’ to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# A publicly accessible directory, but read only, except for people in
# the “staff” group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred’s
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred’s Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred’s Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user’s files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary’s and Fred’s stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
———————————————————————————————-
login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
account required pam_winbind.so
# pam_selinux.so close should be the first session rule
session required pam_mkhomedir.so skel=/etc/skel umask=002
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
————————————————————————————————
nsswitch
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry ‘[NOTFOUND=return]‘ means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the “db” in front of “files” for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: compat winbind
shadow: files
group: compat winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example – obey only what nisplus tells us…
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
—————————————————
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CENTRAL.EDU
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
CENTRAL.EDU = {
kdc = data-server.central.edu
default_domain = central.edu
}
[domain_realm]
.central.edu = CENTRAL.EDU
central.edu = CENTRAL.EDU
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
—————————————————————————————
I have all the domain users in the Linux users, but I can't log in using a domain user, even Administrator.
Please solve.
thanks for ur reply
August 22nd, 2008 on 08:03
Sorry,
the domain users are not in the user management window.