These are my notes on configuring Linux to integrate with Windows domain authentication using Kerberos.
Required Packages
- yum install samba
- yum install krb5-server
- yum install krb5-workstation
- yum install samba-winbind
- yum install ntpdate --> required to keep the clock in sync with the DC; Kerberos rejects tickets when the clocks drift apart
- yum install cifs-utils
Set up the host name on Linux
Set the host name in /etc/sysconfig/network
Set up the network connection on Linux
Set the network connection in /etc/sysconfig/network-scripts/ifcfg-eth0
Set the host name in /etc/hosts
This is what the Linux network looks like.
Before we start the configuration, we need to make sure the Linux and Windows hosts can ping each other.
Linux
IP : 192.168.126.128
Hostname : NOSQL1
Windows
IP : 192.168.126.1
Hostname : SGC
DOMAIN: SGC.stargate.com
Configure Samba
Configure /etc/samba/smb.conf. Comments must be on their own line: Samba does not accept a comment after a value on the same line (see the warning under Other errors).
[global]
# NetBIOS domain name, used by Win2000 and older clients
workgroup = STARGATE
# DC hostname
password server = SGC.stargate.com
# Kerberos realm (the AD domain, upper case)
realm = STARGATE.COM
# Active Directory
security = ads
idmap config * : range = 16777216-33554431
# Default shell for domain users
template shell = /bin/bash
# When set to true, we can log in as loginname; when set to false, we need to log in as loginid@domainname
winbind use default domain = true
winbind offline logon = false
template homedir = /mnt/samba/%u
server string = stargate Samba Server Version %v
netbios name = NOSQL1
# Below are all default values
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
encrypt passwords = yes
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
mkdir /mnt/samba
Update /etc/fstab so the home directories are mounted from the DC over CIFS with Kerberos (sec=krb5i):
//sgc/C$/Users /mnt/samba cifs sec=krb5i,noserverino,nounix,iocharset=utf8,rw,dir_mode=0777,file_mode=0666
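As an added example that is not part of the original note, this Python script finds smb.conf parameter lines where a comment follows the value (Samba reads the comment as part of the value, which produces the "Ignoring invalid value" warning listed under Other errors) and rewrites them with the comment on its own line. The sample config is constructed from the lines in this note.

```python
import re
# A parameter line: optional indent, key, '=', value. Section headers
# such as [global] contain no '=' and are skipped before matching.
PARAM_RE = re.compile(r"^(\s*)([^#;=\[\]][^=]*?)\s*=\s*(.*?)\s*$")

def find_inline_comments(text):
    """Return (lineno, key, value, comment) for every parameter whose
    value carries a trailing '#'/';' comment that Samba would keep."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")) or "=" not in line:
            continue                    # real comment, header or blank
        m = PARAM_RE.match(line)
        if not m:
            continue
        _, key, value = m.groups()
        cut = re.search(r"[#;]", value)
        if cut:
            hits.append((n, key, value[:cut.start()].rstrip(),
                         value[cut.start():].strip()))
    return hits

def fix_inline_comments(text):
    """Move each trailing comment onto its own line above the parameter."""
    bad = {h[0]: h for h in find_inline_comments(text)}
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if n in bad:
            _, key, value, comment = bad[n]
            indent = line[:len(line) - len(line.lstrip())]
            out.append(indent + comment)
            out.append(f"{indent}{key} = {value}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample reproducing the problem lines from the note.
SAMPLE = """[global]
workgroup = STARGATE # For Win2000 and older
realm = STARGATE.COM
security = ads # Active Directory
# a real comment line
template shell = /bin/bash
"""

if __name__ == "__main__":
    for n, key, value, comment in find_inline_comments(SAMPLE):
        print(f"line {n}: {key!r} gets the value {value + ' ' + comment!r}")
    print(fix_inline_comments(SAMPLE))
```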
Configure KDC
Configure /etc/krb5.conf. Realm names in this file are case sensitive and upper case by convention.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = STARGATE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
STARGATE.COM = {
# The AD domain controller is the KDC for this realm
kdc = SGC.STARGATE.COM
admin_server = SGC.STARGATE.COM:749
default_domain = STARGATE.COM
}
[domain_realm]
# Map the DNS domain and every host under it to the realm
stargate.com = STARGATE.COM
.stargate.com = STARGATE.COM
configure /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
STARGATE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# The aes types are the ones to rely on. des3, arcfour and the single-DES types are
# legacy, and AD disables DES by default, so keep them only if an old client still needs them.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Restart Samba
service smb start
chkconfig smb on
Sync time with the DC
ntpdate sgc
Obtain a Kerberos ticket with kinit
Join the domain
net rpc join -U PO
After joining the domain, the host shows up in the Windows AD.
If you encounter the error: Unable to find a suitable server for domain
that is because iptables is blocking the traffic.
We can temporarily stop iptables to confirm this, then re-enable it with the Samba and Kerberos traffic allowed.
Configure Winbind authentication
Configure /etc/nsswitch.conf
Configure PAM
Configure /etc/pam.d/system-auth
Log to check when troubleshooting authentication errors: /var/log/audit/audit.log
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so
session sufficient pam_winbind.so
After the PAM setting is complete, we need to restart winbind
service winbind start
chkconfig winbind on
We can also use authconfig-tui to configure PAM.
This is what my system-auth looks like after authconfig-tui:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
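As an added example that is not part of the original note, this Python evaluator models the Linux-PAM control flags (required, requisite, sufficient, optional; the bracketed [value=action] form is not modelled) and walks the auth lines of the system-auth above. Module results per login attempt are constructed; the point is to see which modules are consulted and how the verdict is reached.

```python
# Linux-PAM control flags, mapped to what happens with a module's result:
# ok/bad record a verdict and continue, done/die record it and stop the
# stack, ignore leaves the verdict alone. Only the results used here are listed.
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The auth lines of the system-auth shown above, as (control, module).
AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),   # uid >= 500
    ("sufficient", "pam_winbind.so"),
    ("required",   "pam_deny.so"),
]

def run_stack(stack, outcomes):
    """Walk the stack with constructed module results (module -> result).
    Returns (granted, modules_consulted)."""
    verdict = None          # None = undecided, True = positive, False = negative
    consulted = []
    for control, module in stack:
        consulted.append(module)
        table = CONTROLS[control]
        action = table.get(outcomes[module], table["default"])
        if action in ("ok", "done"):
            if verdict is None:
                verdict = True
            if verdict and action == "done":
                break       # sufficient success ends the stack early
        elif action in ("bad", "die"):
            verdict = False # a recorded failure cannot be undone later
            if action == "die":
                break       # requisite failure ends the stack at once
        # "ignore": this module does not influence the verdict
    return bool(verdict), consulted

def login_attempt(local_password_ok, uid_ge_500, winbind_ok):
    """Constructed per-module results for one login attempt."""
    return {
        "pam_env.so":        "success",
        "pam_unix.so":       "success" if local_password_ok else "auth_err",
        "pam_succeed_if.so": "success" if uid_ge_500 else "auth_err",
        "pam_winbind.so":    "success" if winbind_ok else "auth_err",
        "pam_deny.so":       "auth_err",   # pam_deny always fails
    }
```

run_stack(AUTH_STACK, login_attempt(True, True, True)) grants access after only pam_env and pam_unix, so winbind is never asked for a local user, while login_attempt(False, False, True) is refused by the requisite pam_succeed_if line before pam_winbind runs, which keeps accounts below uid 500 from falling through to AD.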
Test AD login
List all the accounts in AD: wbinfo -u
Check a user: id
You can see the id belongs to the domain groups.
Log in as a domain account
Other errors
No DNS domain configured for nosql2. Unable to perform DNS Update.
DNS update failed!
To fix this, add nosql2 to the DC's DNS records:
WARNING: Ignoring invalid value 'ads # Activity Directory' for parameter 'security'
This happens when a comment is placed on the same line as a parameter: Samba only treats lines that begin with # or ; as comments, so the text after the value becomes part of the value. Move each comment onto its own line.
cannot join as standalone machine