Friday, April 03, 2009

Integrate Linux with Windows AD Domain Controller

This mini tutorial shows how to join a Linux box to a Windows AD domain and how to mount shares from Windows machines on it at login.

1. Set up a windows DC. (How to set up a windows DC is beyond the scope of this tutorial)
2. Set up a Linux desktop with the winbind, samba (client and server) and Kerberos packages installed. On the CentOS 5 box used here:

[root@lin3 ~]# rpm -qa samba-*
samba-3.0.33-3.7.el5
samba-client-3.0.25b-0.el5.4
samba-common-3.0.25b-0.el5.4
[root@lin3 ~]#
[root@lin3 ~]# rpm -qa krb*
krb5-auth-dialog-0.7-1
krb5-workstation-1.6.1-17.el5
krb5-libs-1.6.1-17.el5
krb5-devel-1.6.1-17.el5

3. Make sure your Linux box and the Windows DC are synced with a time server. Kerberos rejects tickets when the two clocks differ by more than 5 minutes (its default clock-skew tolerance), so the join and every later login depend on this.

[root@lin1 ~]# service ntpd stop
Shutting down ntpd: [ OK ]
[root@lin1 ~]# ntpdate -u 192.168.5.211
25 Jan 01:45:53 ntpdate[4371]: step time server 192.168.5.211 offset 2.277736 sec
[root@lin1 ~]# service ntpd start
ntpd: Synchronizing with time server: /sbin/service: line 66: 4379 Terminated env -i LANG="$LANG" PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
[root@lin1 ~]# service ntpd restart
Shutting down ntpd: [ OK ]
ntpd: Synchronizing with time server: [ OK ]
Starting ntpd: [ OK ]

If you are trying this on a virtual machine, the Linux guest tends to drift behind the Windows domain's clock. In that case create a cron job that re-syncs it every 5 minutes. As root, run crontab -e and add:
*/5 * * * * /root/ntpupdate.sh
Save and exit, then create the script and make it executable (chmod 700 /root/ntpupdate.sh):
[root@lin1 ~]# cat ntpupdate.sh
#!/bin/sh
# stop ntpd so that ntpdate can step the clock, then bring ntpd back
/sbin/service ntpd stop
/usr/sbin/ntpdate -u 192.168.5.211
/sbin/service ntpd restart

4. Make sure /etc/hosts has entries for both the Linux box and the Windows DC:
192.168.5.212 lin1.dog.smb lin1
192.168.5.211 arvind.dog.smb dog
Here dog.smb is the domain name, lin1 is the Linux box and arvind is the DC.
Now set HOSTNAME=lin1 in /etc/sysconfig/network and restart the machine.

5. After the restart, hostname should print lin1 and hostname -f should print the fully qualified name lin1.dog.smb.

6. The /etc/resolv.conf should have the nameserver entry towards the windows DC (assuming your windows DC is your DNS nameserver)
[root@lin1 ~]# cat /etc/resolv.conf
nameserver 192.168.5.211

7. Stop the services winbind and samba.
service winbind stop
service smb stop



8. In a terminal window run system-config-authentication.
9. Under the User Information tab select "Enable Winbind Support".
10. Click Configure Winbind, make the winbind entries for your domain (here workgroup DOG, realm DOG.SMB, domain controller arvind.dog.smb) and click OK (not Join Domain yet).
11. Switch to the second tab, Authentication.
12. Click Configure Kerberos and enter the following values:
KDC: ARVIND.DOG.SMB:88,*,192.168.5.211
Admin Servers: ARVIND.DOG.SMB:749
Then create the directory /var/cache/samba/smb_krb5.

13. Click the Configure Winbind button and make the winbind entries for your domain.
14. Click Join Domain and enter the username and password of a domain account that is allowed to add machines to the domain. It does not have to be a domain admin: an account delegated the right to create computer objects in the target OU is enough, and is the better choice.
15. Click OK twice to leave the Authentication Configuration window; the winbind service is started.
You can ignore the two errors, which relate to smart card authentication.
Your machine is now joined to the domain.

16. WARNING! ALWAYS BACK UP THE PAM FILES BEFORE EDITING THEM.
Add the line "session required /lib/security/pam_mkhomedir.so" to /etc/pam.d/system-auth so that a domain user's home directory is created on first login. pam_mkhomedir's default umask is 0022, which makes the new home directory world-readable; append umask=0077 to that line if you want it private.
17. Now open the samba config file /etc/samba/smb.conf. The [global] section will look something like this:

password server = 192.168.5.211
realm = DOG.SMB
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap backend = rid
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true

The entries for idmap backend and template homedir must be added by hand; leave the lines system-config-authentication wrote in place. Note that the parameter is "winbind use default domain": a bare "use default domain" is not a valid smb.conf option, and running testparm will report it as an unknown parameter.

template homedir = /home/%D/%U puts each domain user's home under a directory named after the domain (%D), so create that directory in /home. Make sure its name is in uppercase, matching the workgroup name:
e.g. mkdir /home/DOG

Now restart the samba service and enable it at boot:
service smb restart
chkconfig smb on
Restart winbind the same way (service winbind restart, then chkconfig winbind on), since it is winbind, not smbd, that reads the idmap and template settings you just edited.
18. To check that the trust relationship between the Linux machine and the Windows DC works, run wbinfo -t. After that, wbinfo -u and wbinfo -g should list the domain's users and groups:


[root@lin1 ~]# wbinfo -t
checking the trust secret via RPC calls succeeded

[root@lin1 ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
newgrp

[root@lin1 ~]# wbinfo -u
administrator
guest
support_388945a0
krbtgt
user1
user2
u1
u2
u10
[root@lin1 ~]#

19. Now restart the Linux machine.

20. Create a user test on the Windows DC and log in as that user on the Linux machine. With "winbind use default domain = true" in smb.conf the plain username test is accepted; the explicit form DOG\test (the netbios domain name, a backslash, then the user) works as well.
The home directory /home/DOG/test is created automatically, thanks to the pam_mkhomedir line added to /etc/pam.d/system-auth in step 16.
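The checks spread over steps 3, 5, 17 and 18 can be scripted. The script below is an added example and is not part of the original post; the DC address, the user it looks up, the paths and the expectation that wbinfo, net and ntpdate are installed are assumptions that mirror this lab, and write_sample_smbconf writes a constructed minimal smb.conf so that the parsing checks can run on any box. Run it with --live as root on the joined machine to exercise the real commands.

```shell
#!/bin/bash
# adjoin-check.sh: sanity checks for a winbind/Kerberos AD member box.
# Added example, not part of the original post. DC address, user and paths
# are assumptions mirroring the tutorial's lab; override them via the environment.

DC=${DC:-192.168.5.211}
SMBCONF=${SMBCONF:-/etc/samba/smb.conf}
CHECK_USER=${CHECK_USER:-administrator}
MAX_SKEW=300   # Kerberos' default clock-skew tolerance is 5 minutes

# Pull the offset (seconds, possibly negative) out of an ntpdate line such as
#   25 Jan 01:45:53 ntpdate[4371]: step time server 192.168.5.211 offset 2.277736 sec
ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \(-\{0,1\}[0-9.]*\) sec.*/\1/p'
}

# 0 if |offset| is under MAX_SKEW seconds, 1 otherwise (an empty offset counts as failure)
skew_ok() {
    [ -n "$1" ] || return 1
    awk -v off="$1" -v max="$MAX_SKEW" \
        'BEGIN { o = off + 0; if (o < 0) o = -o; exit (o < max) ? 0 : 1 }'
}

# Print a parameter's value from an smb.conf-style file: key match is case-insensitive,
# ';' and '#' comments are skipped, first hit wins, nothing is printed if it is absent.
smbconf_value() {
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }
        index($0, "=") {
            p = index($0, "=")
            key = substr($0, 1, p - 1); val = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) { print val; exit }
        }' "$1"
}

# 0 if the settings the join and the home-directory layout rely on are present, else 1
smbconf_check() {
    local f=$1 rc=0
    [ "$(smbconf_value "$f" security | tr 'A-Z' 'a-z')" = "ads" ] \
        || { echo "smb.conf: security must be ads"; rc=1; }
    for p in realm workgroup "idmap uid" "idmap gid" "template homedir"; do
        [ -n "$(smbconf_value "$f" "$p")" ] || { echo "smb.conf: missing '$p'"; rc=1; }
    done
    return $rc
}

# Constructed minimal [global] section with the tutorial's settings, for offline runs
write_sample_smbconf() {
    cat >"$1" <<'EOF'
[global]
    workgroup = DOG
    realm = DOG.SMB
    security = ads
    password server = 192.168.5.211
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    idmap backend = rid
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = true
EOF
}

# Run the real checks on a joined box (root, samba/krb5 tools installed, DC reachable)
live_checks() {
    rc=0
    off=$(ntpdate_offset "$(ntpdate -q "$DC" 2>&1 | tail -n 1)")
    if skew_ok "$off"; then echo "clock: ${off}s from $DC, within ${MAX_SKEW}s"
    else echo "clock: offset '$off' from $DC is missing or beyond ${MAX_SKEW}s"; rc=1; fi
    echo "fqdn: $(hostname -f)"            # must be the name put in /etc/hosts (step 5)
    smbconf_check "$SMBCONF" || rc=1
    wbinfo -t || rc=1                      # trust secret, as in step 18
    net ads testjoin || rc=1               # machine account usable over Kerberos
    getent passwd "$CHECK_USER" >/dev/null \
        || { echo "getent passwd $CHECK_USER failed: winbind missing from nsswitch.conf?"; rc=1; }
    return $rc
}

if [ "$1" = "--live" ]; then
    live_checks
fi
```

The getent check is the one most often missed: wbinfo -u talks to winbindd directly, while logins and pam_mkhomedir go through NSS, so a box can pass wbinfo and still fail at the login prompt if winbind is not listed for passwd and group in /etc/nsswitch.conf.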



PAM_MOUNT

Using pam_mount to automount network shares

Install pam_mount:
yum install pam_mount

For a RHEL or CentOS 5.1 to 5.3 system you can download a pam_mount package built for Fedora 6.

Edit /etc/pam.d/system-auth and add the line
auth required pam_mount.so
There can be no auth lines containing "sufficient" before this one: the stack stops at a sufficient module that succeeds, so pam_mount would never run and would never see the password it has to hand to mount.cifs. Then at the bottom add
session optional pam_mount.so

Edit /etc/security/pam_mount.conf. Around line 72 you will find
options_require nosuid, nodev
The sample volume line below passes no mount options ("-"), so with this requirement in force pam_mount refuses to mount it; the quick fix is to comment the line out. The safer fix is to leave it in place and put nosuid,nodev in the volume line's mount-options field, so that setuid binaries and device nodes on a share the file server controls are not honoured on your client.


# volume [cifs|ncp|nfs|local]
and, using it as a guide, add the appropriate line directly after it. Here is a sample:
volume * cifs 192.168.5.212 share /home/DOG/&/mountpoint - - -
The fields after volume are: user (* matches every user), filesystem type, server, share name, mount point (& expands to the login name), mount options, fs key cipher and fs key path.

Then restart the machine (logging out and back in is enough, since the mount is done by the PAM session).

When you log in to your Linux box you will find the share mounted inside your home directory.
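The following script is an added example, not part of the original post: it audits a legacy-format pam_mount.conf for the weakness discussed above, reporting whether options_require is still in force and which volume lines would be mounted without nosuid and nodev. The two conf fragments it writes are constructed (the tutorial's edit beside the hardened version), and the field layout it assumes is the one given above: volume, user, fstype, server, volume, mountpoint, mount options, fs key cipher, fs key path, separated by whitespace with no embedded spaces.

```shell
#!/bin/bash
# pam_mount-audit.sh: find volumes in a legacy pam_mount.conf that would be mounted
# without nosuid/nodev. Added example, not part of the original post.
# Assumed legacy field order (whitespace separated, no embedded spaces):
#   volume <user> <fstype> <server> <volume> <mountpoint> <mount options> <fs key cipher> <fs key path>

# 0 if an uncommented options_require line still demands both nosuid and nodev
options_required() {
    awk '/^[ \t]*options_require[ \t]/ && /nosuid/ && /nodev/ { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Print each volume line whose mount-options field (7th column) lacks nosuid or nodev.
# With options_require in force pam_mount refuses such a volume; with it commented out
# the share is mounted and setuid binaries or device nodes on it are honoured.
unsafe_volumes() {
    awk '/^[ \t]*volume[ \t]/ { if ($7 !~ /nosuid/ || $7 !~ /nodev/) print }' "$1"
}

# Number of unsafe volume lines, for a quick pass/fail
unsafe_count() {
    unsafe_volumes "$1" | awk 'END { print NR }'
}

# Constructed fragment reproducing the tutorial's edit: requirement commented out,
# volume line with no mount options
write_tutorial_conf() {
    cat >"$1" <<'EOF'
# options_require nosuid, nodev
# volume [cifs|ncp|nfs|local]
volume * cifs 192.168.5.212 share /home/DOG/&/mountpoint - - -
EOF
}

# Constructed hardened fragment: requirement kept, options given on the volume line
write_hardened_conf() {
    cat >"$1" <<'EOF'
options_require nosuid, nodev
# volume [cifs|ncp|nfs|local]
volume * cifs 192.168.5.212 share /home/DOG/&/mountpoint nosuid,nodev - -
EOF
}

# Audit a real file: 1 if options_require is gone or any volume lacks the options
audit() {
    rc=0
    options_required "$1" || { echo "$1: options_require nosuid,nodev is not in force"; rc=1; }
    n=$(unsafe_count "$1")
    [ "$n" -eq 0 ] || { echo "$1: $n volume line(s) without nosuid,nodev:"; unsafe_volumes "$1"; rc=1; }
    return $rc
}

if [ -n "$1" ]; then
    audit "$1"          # usage: ./pam_mount-audit.sh /etc/security/pam_mount.conf
fi
```

On the tutorial's configuration the audit reports both findings; on the hardened fragment it is silent, and pam_mount mounts the share because the required options are now present on the volume line itself.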

Newer versions of pam_mount have an XML file (/etc/security/pam_mount.conf.xml) which needs to be edited.

The volume definitions in the xml file need to be as follows.