Join CentOS to Windows AD

i. Install the following packages:

[root@centos ~]# yum install authconfig krb5-workstation pam_krb5 samba-common

[root@centos ~]# yum install oddjob-mkhomedir ntp

[root@centos ~]# vi /etc/resolv.conf

Put the DNS information for your domain in it:

search scholaris.internal.com

nameserver 192.168.106.101

[root@centos ~]# ntpdate dev-ad1.scholaris.internal.com

[root@centos ~]# service smb start

[root@centos ~]# service nmb start

[root@centos ~]# chkconfig smb on

[root@centos ~]# chkconfig nmb on

[root@centos ~]# chkconfig ntpd on

ii. Set up the necessary config files for both Kerberos and Samba

Use the following command, changing the workgroup and realm to your own domain:

[root@centos ~]# authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=SCHOLARIS --smbrealm=SCHOLARIS.INTERNAL.COM --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/DOMAIN/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=SCHOLARIS.INTERNAL.COM --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

Check that the file was generated, then add the relevant [realms] and [domain_realm] entries for your domain. If you have multiple domain controllers you can add extra kdc lines, as in the EXAMPLE.COM stanza below.

[root@centos ~]# cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SCHOLARIS.INTERNAL.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }
 SCHOLARIS.INTERNAL.COM = {
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 scholaris.internal.com = SCHOLARIS.INTERNAL.COM
 .scholaris.internal.com = SCHOLARIS.INTERNAL.COM

Save the file and test that it works using the kinit command. A password prompt will be displayed; type in the Active Directory password for that user and it should return to the prompt with no messages.

[root@centos ~]# kinit someaduser

You can then check that you have your Kerberos ticket by running the klist command.

[root@centos ~]# klist

It should output something like the following:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: someaduser@SCHOLARIS.INTERNAL.COM

Valid starting     Expires            Service principal
02/27/14 12:23:21  02/27/14 22:23:21  krbtgt/@SCHOLARIS.INTERNAL.COM
        renew until 03/06/15 12:23:19
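Two offline checks for the krb5.conf edit and the klist result described above, added here as an example and not part of the original post. The krb5.conf and klist samples are constructed inline (they mirror the values used on this page) so the script runs without a domain controller.

```shell
# Added example (not from the original post): offline checks for the
# krb5.conf and klist output shown above, on constructed sample input.

# Returns 0 when default_realm has a [realms] stanza and both domain_realm
# mappings (domain and .domain); a missing mapping is a common cause of
# "Cannot find KDC for realm" after editing the file by hand.
krb5_conf_consistent() {
    awk '
        /^\[/ { section = $1; next }
        section == "[libdefaults]"  && $1 == "default_realm"  { realm = $3 }
        section == "[realms]"       && $2 == "=" && $3 == "{" { realms[$1] = 1 }
        section == "[domain_realm]" && $2 == "="              { map[$1] = $3 }
        END {
            dom = tolower(realm)
            if ((realm in realms) && map[dom] == realm && map["." dom] == realm) exit 0
            exit 1
        }' "$1"
}

# Returns 0 when klist output holds a krbtgt ticket for the principal's own
# realm, i.e. kinit really obtained a TGT rather than leaving a stale cache.
has_tgt() {
    awk '
        $1 == "Default" && $2 == "principal:" { n = split($3, p, "@"); realm = p[n] }
        realm != "" && index($0, "krbtgt/" realm "@" realm) > 0 { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

SAMPLE_CONF=$(mktemp); BAD_CONF=$(mktemp); SAMPLE_KLIST=$(mktemp)  # constructed samples
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
 default_realm = SCHOLARIS.INTERNAL.COM
[realms]
 SCHOLARIS.INTERNAL.COM = {
 }
[domain_realm]
 scholaris.internal.com = SCHOLARIS.INTERNAL.COM
 .scholaris.internal.com = SCHOLARIS.INTERNAL.COM
EOF
grep -v '^ \.scholaris' "$SAMPLE_CONF" > "$BAD_CONF"   # same file, .domain mapping dropped
cat > "$SAMPLE_KLIST" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: someaduser@SCHOLARIS.INTERNAL.COM
Valid starting     Expires            Service principal
02/27/14 12:23:21  02/27/14 22:23:21  krbtgt/SCHOLARIS.INTERNAL.COM@SCHOLARIS.INTERNAL.COM
EOF
```

On a real host, point the functions at /etc/krb5.conf and at `klist > /tmp/klist.out` instead of the constructed files.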

iii. Join the domain

Create a new DNS record for this CentOS server/PC.

You're now ready to join the machine to the domain. You can use the trusty net command to do so:

[root@centos ~]# net ads join scholaris.internal.com -U someadadmin

You can test that this worked by running the following command:

[root@centos ~]# net ads testjoin
Join is OK

Reboot the server.

iv. Home directories

The switches below enable automatic creation of home directories. If you configured authentication with the GUI version of authconfig, you will still need to run authconfig with these two switches:

[root@centos ~]# authconfig --winbindtemplatehomedir=/home/DOMAIN/%U --enablemkhomedir --update

This tells oddjobd to put any new home directories at the path /home/yourdomain/username. You will need to create the /home/yourdomain path and make sure the permissions are correct. I'll be using ACLs, as they let you configure much finer-grained permissions, and they ship with pretty much all modern Linux distributions these days.

[root@centos ~]# mkdir /home/DOMAIN

[root@centos ~]# setfacl -m group:"Domain Users":rwx /home/DOMAIN

About Terri

System Administrator @Netpower Datacenter

Posted on 03.09.2015, in Linux, Technical Articles.
