Monday, May 5, 2014

CentOS 6.5: join a Windows domain and use Kerberos authentication

This is my note on configuring Linux to integrate with Windows domain authentication using Kerberos.

 

Required packages

  • yum install samba
  • yum install krb5-server
  • yum install krb5-workstation
  • yum install samba-winbind
  • yum install ntpdate    --> required to sync the clock with the DC (Kerberos rejects requests when the clock skew is too large)
  • yum install cifs-utils

 

Set up the hostname on Linux

Set the hostname in /etc/sysconfig/network


Set up the network connection on Linux

Set up the network connection in /etc/sysconfig/network-scripts/ifcfg-eth0


Set up the hostname in /etc/hosts


This is what the Linux network configuration looks like


Before we start the configuration, we need to make sure the Linux and Windows hosts can ping each other.

Linux

IP : 192.168.126.128

Hostname : NOSQL1

Windows

IP : 192.168.126.1

Hostname : SGC

DOMAIN: SGC.stargate.com

 

Configure Samba

Configure /etc/samba/smb.conf. Samba only ignores whole lines that start with # or ;, so a comment written after a value becomes part of that value (for example "security = ads # Active Directory" is rejected as an invalid setting and Samba falls back to the default). The explanations are therefore on their own lines:

[global]
 
   # For Windows 2000 and older
   workgroup = STARGATE
   # DC hostname
   password server = SGC.stargate.com
   # Kerberos realm (the domain, in upper case)
   realm = STARGATE.COM
   # Active Directory
   security = ads
   idmap config * : range = 16777216-33554431
   # Default shell
   template shell = /bin/bash
   # When set true, we can log in as loginname; when set false, we need to log in as loginid@domainname
   winbind use default domain = true
   winbind offline logon = false
   template homedir = /mnt/samba/%u
   server string = stargate Samba Server Version %v
 
   netbios name = NOSQL1
 
   # Below are all default values
   log file = /var/log/samba/log.%m
   max log size = 50
 
   passdb backend = tdbsam
 
   encrypt passwords = yes
 
   load printers = yes
   cups options = raw
 
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
 
[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

mkdir /mnt/samba

Update /etc/fstab so the Users folder on the DC is mounted at /mnt/samba, the home directory template used in smb.conf. Note that dir_mode=0777 and file_mode=0666 make every mounted file appear world-readable and writable on the Linux side; tighten them if more than one person can log in to this host.

//sgc/C$/Users /mnt/samba cifs sec=krb5i,noserverino,nounix,iocharset=utf8,rw,dir_mode=0777,file_mode=0666 0 0

 

Configure KDC

Configure /etc/krb5.conf. The file is case sensitive: the realm name is upper case (STARGATE.COM) while the DNS domain is lower case. Do not leave the example.com lines from the stock CentOS file in [domain_realm], and one kdc line per DC is enough:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = STARGATE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 
[realms]
 STARGATE.COM = {
  kdc = SGC.STARGATE.COM
  admin_server = SGC.STARGATE.COM:749
  default_domain = STARGATE.COM
 }
 
[domain_realm]
 stargate.com = STARGATE.COM
 .stargate.com = STARGATE.COM


Configure /var/kerberos/krb5kdc/kdc.conf. This file is only read by a local MIT KDC (the krb5-server package); here the Windows DC is the KDC, so these settings do not affect the domain join.

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 
[realms]
 STARGATE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # the single-DES types below are weak; MIT krb5 1.8 and later refuses them unless allow_weak_crypto = true is set in [libdefaults]
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }


Start Samba and enable it at boot

service smb start
chkconfig smb on

 

Sync time with the DC (Kerberos rejects tickets when the clock skew exceeds 5 minutes, the default limit)

ntpdate sgc


Obtain a Kerberos ticket with kinit


Join Domain

net rpc join -U PO


After joining the domain, you can see the host show up in Windows AD.


If you encounter the error "Unable to find a suitable server for domain", the cause is iptables.


We can temporarily stop iptables. That is fine for a lab; on a production host, keep the firewall running and allow only the traffic the join needs instead.


Configure Winbind authentication

Configure /etc/nsswitch.conf: add winbind after files on the passwd, shadow and group lines, so NSS resolves domain users and groups through winbindd while local accounts still come from the local files first.
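One way to make that change safely, as an added example that is not from the original post: a small POSIX sh helper (the names enable_winbind_nss, nss_winbind_missing and sample_nsswitch are hypothetical) that appends winbind to those three databases idempotently and dry-runs against a constructed copy of a stock CentOS 6 nsswitch.conf rather than the live file.

```shell
#!/bin/sh
# Enable winbind as an NSS source for users, shadow entries and groups, the
# change authconfig --enablewinbind makes to /etc/nsswitch.conf. Hypothetical
# helper (not from the original post); works on the file passed as $1 and is
# idempotent, so it can be re-run safely.
enable_winbind_nss() {
  f="$1"
  for db in passwd shadow group; do
    if grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$f"; then
      continue                                  # already lists winbind
    elif grep -Eq "^$db:" "$f"; then
      # append winbind after the existing sources (files stay first, so local
      # accounts such as root still resolve if winbindd is down)
      sed "s/^\($db:.*\)$/\1 winbind/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
      printf '%s: files winbind\n' "$db" >> "$f"  # database line was absent
    fi
  done
}

# Print the databases that still do not use winbind (nothing when all three do).
nss_winbind_missing() {
  for db in passwd shadow group; do
    grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" || echo "$db"
  done
  return 0
}

# Constructed excerpt of a stock CentOS 6 nsswitch.conf, used for the dry run.
sample_nsswitch() {
cat <<'EOF'
passwd:     files
shadow:     files
group:      files
hosts:      files dns
EOF
}

# Dry run against a temporary copy so the live /etc/nsswitch.conf is untouched.
demo_nsswitch() {
  tmp=$(mktemp) || return 1
  sample_nsswitch > "$tmp"
  enable_winbind_nss "$tmp"
  enable_winbind_nss "$tmp"      # second run must not duplicate the entry
  cat "$tmp"
  rm -f "$tmp"
}
```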


Configure PAM

Configure /etc/pam.d/system-auth.

The log to check when troubleshooting authentication errors is /var/log/audit/audit.log.

auth         sufficient    pam_winbind.so
account      sufficient    pam_winbind.so
password     sufficient    pam_winbind.so
session      sufficient    pam_winbind.so
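When a domain login is refused, the audit log named above shows whether pam_winbind failed in the auth phase (password or Kerberos problem) or the account phase (account restrictions). As an added example, not from the original post, this POSIX sh helper lists each failed PAM event and counts failures per account; the function names are hypothetical and the sample log lines are constructed in auditd's USER_AUTH/USER_ACCT format.

```shell
#!/bin/sh
# Summarise failed PAM events that auditd records while pam_winbind is in the
# stack, so a refused domain login can be traced to the auth phase (password or
# Kerberos problem) or the account phase (account restrictions). Hypothetical
# helper added here, not from the original post; reads the file given as $1.
pam_failures() {
  awk '
    /^type=USER_(AUTH|ACCT|LOGIN) / && /res=failed/ {
      kind = substr($1, 6)                                   # USER_AUTH, USER_ACCT ...
      match($0, /audit\([0-9]+/);  epoch = substr($0, RSTART + 6, RLENGTH - 6)
      match($0, /acct="[^"]*"/);   acct  = substr($0, RSTART + 6, RLENGTH - 7)
      match($0, /terminal=[^ ]*/); term  = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /addr=[^ ]*/);     addr  = substr($0, RSTART + 5, RLENGTH - 5)
      print epoch, kind, acct, term, addr
    }' "${1:-/var/log/audit/audit.log}"
}

# Number of failures for one account; a burst here precedes an AD lockout.
failures_for() {   # $1 = account, $2 = audit log
  pam_failures "$2" | awk -v a="$1" '$3 == a' | wc -l | tr -d ' '
}

# Constructed sample in auditd's USER_AUTH/USER_ACCT format (not a real log).
sample_audit_log() {
cat <<'EOF'
type=USER_AUTH msg=audit(1399300100.101:201): user pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="jack" exe="/bin/login" hostname=? addr=? terminal=tty1 res=failed'
type=USER_ACCT msg=audit(1399300100.102:202): user pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_AUTH msg=audit(1399300160.377:205): user pid=2140 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="jack" exe="/usr/sbin/sshd" hostname=192.168.126.1 addr=192.168.126.1 terminal=ssh res=failed'
type=USER_ACCT msg=audit(1399300190.010:208): user pid=2146 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="sam" exe="/usr/sbin/sshd" hostname=192.168.126.1 addr=192.168.126.1 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1399300200.500:210): user pid=2150 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="jack" exe="/usr/sbin/sshd" hostname=192.168.126.1 addr=192.168.126.1 terminal=ssh res=success'
EOF
}
```

Run it as `pam_failures` on the real host to read /var/log/audit/audit.log, or `sample_audit_log > f; pam_failures f` to try it on the constructed lines.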

After the PAM settings are complete, we need to start winbind:

service winbind start
chkconfig winbind on

We can also use authconfig-tui to configure PAM.

This is what my system-auth looks like after running authconfig-tui:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
 
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Test AD login

List all the accounts in AD: wbinfo -u


Check the user: id

You can see the id belongs to the domain group


Log in as a domain account


Other errors

No DNS domain configured for nosql2. Unable to perform DNS Update.
DNS update failed!


To fix this, add nosql2 to the DC's DNS records.

 

Reference

http://wiki.centos.org/zh-tw/TipsAndTricks/WinbindADS
