Tuesday, October 2, 2012

Part 2, Integrating Red Hat Enterprise Linux 6 with Active Directory: basic example with winbind and idmap_rid backend

Prerequisites:

  • Windows Server 2008 R2 Enterprise with active directory domain services role enabled and configured
  • Red Hat Enterprise Linux 6.3 or CentOS release 6.3 (Final)
  • samba-winbind-clients-3.5.10-125.el6.x86_64
  • samba-winbind-3.5.10-125.el6.x86_64
  • samba-client-3.5.10-125.el6.x86_64
Other versions of RHEL 6 will do, but this example was tested with the listed versions.

yum -y install samba-winbind-clients samba-winbind samba-client  

If you are not planning to set up a Samba file server, you do not need the samba daemon running. You do need the winbind daemon running for authentication.

chkconfig smb off
service smb stop
service winbind start
chkconfig winbind on

We need to tell PAM that it should use winbind for authentication. You can edit /etc/pam.d/password-auth and /etc/pam.d/system-auth by hand, but I prefer to use the authconfig tool, which does the same for you. The same applies to /etc/nsswitch.conf, where the system looks up where to find "metadata" information about users.
authconfig --enablewinbind --enablewinbindauth --enablelocauthorize --enablemkhomedir --updateall

Unfortunately you cannot configure the different idmap backends with authconfig; it only writes a basic smb.conf. That is why, for this implementation, we edit smb.conf by hand.

vi /etc/samba/smb.conf:


[global]
#Make this server part of an AD domain
security = ads

#What is the domain name
workgroup = DOMAIN

#To which domain controller you want to authenticate:
#Note: * makes winbind use SRV DNS lookups to find the kerberos and ldap servers.
#I like to put this at the end for fallback usage
password server = dc.domain.com,  *

#Which kerberos realm
realm = DOMAIN.COM


#Now this is a special one:
#If set to no, winbind uses the system-wide kerberos config file (i.e. /etc/krb5.conf).
#If set to yes, winbind creates its own krb5.conf based on the settings you specify in this file.
#You can look at the contents after restarting winbind: /var/lib/samba/smb_krb/krb5.conf.DOMAIN
#Note that if * is used in the password server directive, all servers discovered through DNS are added to this file as well. Be aware that only servers reachable at the time winbind starts are added to /var/lib/samba/smb_krb/krb5.conf.DOMAIN
create krb5 conf = yes


#set the logging level
log level = 3

#Specify which fallback backends should be used, normally these are not triggered
idmap backend = tdb
idmap uid = 15000-17000
idmap gid = 15000-17000


#Directives for the idmap_rid backend. It maps SIDs into the UID/GID range 10000000-29999999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : default = yes
idmap config DOMAIN : range = 10000000-29999999


#This setting is only needed if you have the Unix extensions (RFC2307 attributes) installed in AD and want to fetch parameters like the login shell directly from AD. UID/GID are the exception, because those are mapped by the idmap_rid backend.
winbind nss info = rfc2307

#If you do not use winbind nss info = rfc2307 you have to specify what home and login shell users will get by default
#template homedir = /home/%U
#template shell = /bin/bash


#winbind fine-tuning parameters
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = yes
winbind nested groups = yes
winbind reconnect delay = 2

winbind offline logon = true
winbind cache time = 300

#Make the server more silent on the network, we do not need netbios
name resolve order = host
disable netbios = yes
 


Issue the following command to join the server to the domain.

You will need the password of a domain administrator account.
If your AD admins will not give you the administrator password, ask them to pre-create a computer object for you on which your account has full permissions.

net join -w DOMAIN -S dc.domain.com -U administrator
Now restart winbind:
  service winbind restart

To check whether the join was successful:
   net ads testjoin
Join is OK


See if you can query some info from AD via LDAP. The following command should return all users in AD:

  wbinfo -u

Get NSS info for an AD user:
  getent passwd <someADuser>

Try to log in to your server via ssh with your AD account.

Now everything should be working. Authentication is via kerberos (encrypted and secure). But all our ldap queries are still in plain text, and no authentication of the DC takes place (is the DC who it claims to be?). In the next part I will explain how to enable ldap starttls with this setup.

If you have any questions, spot wrong info or need help, please comment.
