Tuesday, August 21, 2007

Authenticating Linux to Active Directory

I will describe here how to join a Linux CentOS 4.4 host to a Windows 2003 Active Directory domain.

Files to consider

/etc/samba/smb.conf
/etc/krb5.conf
/etc/pam.d/system-auth

Packages that should be installed:

samba-common
samba (samba-server)
krb5-libs

My configuration files:
/etc/samba/smb.conf

#/etc/samba/smb.conf
[global]

workgroup = mydomain
realm = MYDOMAIN.COM
netbios name = linuxhost
security = ads
encrypt passwords = yes
log file = /var/log/samba/%m.log
log level = 2
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users=yes
winbind enum groups=yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes


/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Realm names are case-sensitive; this must match "realm =" in smb.conf.
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
# The DES types are only here for the Windows 2003 era; DES is deprecated and
# newer domain controllers reject it, so drop it as soon as the domain allows.
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
MYDOMAIN.COM = {
kdc = srvad01.mydomain.com:88
admin_server = 192.168.1.10:749
default_domain = mydomain.com
}

[domain_realm]
# Map the DNS domain (lowercase) and its subdomains to the realm (uppercase).
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


And the most important entry is

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
# Local accounts are checked first; AD accounts fall through to winbind with the same password.
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so

# Create the home directory (see "template homedir" in smb.conf) on first login.
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so



OK, don't forget to change mydomain.com to the real domain name of your AD, and srvad01.mydomain.com to the hostname of your domain controller.

Also make sure that you have Administrator or Domain Admins rights on that AD, since they are required to join the domain.
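Before restarting the services, it helps to confirm that smb.conf and krb5.conf name the same realm. The script below is an added example and not part of the original post: it reads both files with sed, flags a realm that differs or is not uppercase, and checks that [domain_realm] maps the DNS domain to the realm. The sample config files it writes to a temporary directory are constructed to mirror the mydomain.com / MYDOMAIN.COM mix above; the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-join sanity check that
# smb.conf and krb5.conf agree on the Kerberos realm. Realm names are
# case-sensitive and AD realms are uppercase. Paths below are assumptions.

# conf_get FILE KEY: print the value of "KEY = value", ignoring comments.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# check_realm SMB_CONF KRB5_CONF: return 0 if consistent, else print findings and return 1.
check_realm() {
    smb_realm=$(conf_get "$1" realm)
    krb_realm=$(conf_get "$2" default_realm)
    status=0
    [ -n "$smb_realm" ] || { echo "smb.conf: no 'realm =' entry"; status=1; }
    [ -n "$krb_realm" ] || { echo "krb5.conf: no 'default_realm =' entry"; status=1; }
    if [ "$smb_realm" != "$krb_realm" ]; then
        echo "realm mismatch: smb.conf '$smb_realm' vs krb5.conf '$krb_realm' (case matters)"
        status=1
    fi
    upper=$(printf '%s' "$krb_realm" | tr '[:lower:]' '[:upper:]')
    if [ "$krb_realm" != "$upper" ]; then
        echo "krb5.conf: default_realm '$krb_realm' should be uppercase: '$upper'"
        status=1
    fi
    # [domain_realm] must map the lowercase DNS domain to the uppercase realm.
    domain=$(printf '%s' "$smb_realm" | tr '[:upper:]' '[:lower:]')
    if ! grep -q "^[[:space:]]*\.\{0,1\}$domain[[:space:]]*=[[:space:]]*$smb_realm" "$2"; then
        echo "krb5.conf: no [domain_realm] line mapping $domain to $smb_realm"
        status=1
    fi
    return $status
}

# Constructed samples: a mismatched krb5.conf (lowercase realm, leftover example.com) and a corrected one.
tmp=$(mktemp -d)
printf '[global]\nworkgroup = mydomain\nrealm = MYDOMAIN.COM\nsecurity = ads\n' > "$tmp/smb.conf"
printf '[libdefaults]\ndefault_realm = mydomain.com\n[domain_realm]\nexample.com = mydomain.com\n' \
    > "$tmp/krb5-bad.conf"
printf '[libdefaults]\ndefault_realm = MYDOMAIN.COM\n[domain_realm]\n.mydomain.com = MYDOMAIN.COM\n' \
    > "$tmp/krb5-good.conf"
for f in krb5-bad.conf krb5-good.conf; do
    if check_realm "$tmp/smb.conf" "$tmp/$f"; then
        echo "$f: realm settings consistent, safe to run net ads join"
    else
        echo "$f: fix krb5.conf before joining"
    fi
done
```

After a successful join, `net ads testjoin` and `wbinfo -t` confirm that the machine account and the winbind trust secret actually work.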


After putting those files in place on your host, restart the following services with these commands:



/etc/init.d/winbind restart
/etc/init.d/smb restart



I know there are other commands to do that; this is just how I did it.


Then, to join the domain (AD), issue the command



net ads join -U administrator@MYDOMAIN.COM



A message similar to the following should appear upon joining; see below.

[root@gw1 ~]# net join -U administrator@MYDOMAIN.COM
administrator@MYDOMAIN.COM's password:
[2007/08/21 00:50:37, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for linuxhost already exists - modifying old account
Using short domain name -- MYDOMAIN
[2007/08/21 00:50:37, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password LINUXHOST$@MYDOMAIN.COM@MYDOMAIN.COM failed: Preauthentication failed
Segmentation fault



Oops, troubleshooting....
What I did was remove the files under /var/cache/samba/ with the command:

rm -rf /var/cache/samba/*

then issue the "net ads join" command again:

[root@gw1 ~]# net join -U administrator@MYDOMAIN.COM
administrator@MYDOMAIN.COM's password:
[2007/08/21 00:51:04, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for linuxhost already exists - modifying old account
Using short domain name -- MYDOMAIN
Joined 'LINUXHOST' to realm 'MYDOMAIN.COM'

Now it joined successfully.


Issue the command "getent passwd" and it should list all the users registered in your AD.