Quote:
Originally Posted by dyer83
yes please do share your notes.
thank you
Here's my notes:
My Steps on How to join Fedora Core Linux to an Active Directory Domain
This document will explain how to add a Fedora Core Linux box to an Active Directory domain.
The AD server will handle the authentication. Login as root for this installation.
My AD Server Primary - 192.168.123.20
My AD Server Sec - 192.168.123.21
Packages you need:
samba (v.3.0)
samba-common
pam_krb5
krb5-workstation
Step 1:
Backup your /etc/pam.d directory:
# cp -a /etc/pam.d /etc/pam.d.bak
Step 2:
Change in /etc/nsswitch.conf (Here's the syntax using the nano text editor: [root@myhost]# nano /etc/nsswitch.conf)
passwd: files
shadow: files
group: files
Change to:
passwd: files winbind
shadow: files winbind
group: files winbind
Save the file and exit (nano syntax: CTRL + X, type in Yes and press the Enter key)
The files below are my files that I edited to get my host to connect to my AD.
***Before you edit your files, though, be sure to make a copy of the originals for backup.
For example: [root@myhost]# cp /etc/samba/smb.conf /etc/samba/smb.conf.ORIG
After you've made backup copies of your files, edit your files and change them to match your settings:
My /etc/samba/smb.conf ([root@myhost]# more /etc/samba/smb.conf):
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = Samba %v
security = ads
password server = 192.168.123.20
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind separator = +
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U
My /etc/pam.d/login:
#%PAM-1.0
auth sufficient pam_winbind.so
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password sufficient pam_winbind.so use_authtok
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
My /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
# the realm name here must match default_realm exactly
MYDOMAIN.COM = {
kdc = 192.168.123.20
kdc = 192.168.123.21
admin_server = 192.168.123.20
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Run authconfig and choose/configure:
"Use Winbind"
"Use Kerberos"
"Use Winbind Authentication"
# authconfig
My /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
Last Steps:
Join the Linux server to the domain:
# net ads join -U <domain admin>
Restart winbind:
# service winbind restart
Create the Domain directory:
# mkdir /home/MYDOMAIN
Log off and log in with your AD credentials.
Useful commands:
See what groups you are in and get the group ID:
# getent group | grep <utaccount> | awk -F: '{ print $1,$3 }'
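A small sanity check for the krb5.conf written in the steps above, added here as an example and not part of the original post. With dns_lookup_kdc = false, a [realms] entry whose name does not match default_realm exactly (case and domain suffix included), or a [domain_realm] mapping to a realm that has no [realms] entry, leaves the client unable to find a KDC, so the check flags both before you run net ads join. It assumes the file path is passed as its only argument.

```shell
#!/bin/sh
# Added example: check a krb5.conf for realm-name mismatches before joining.
# Usage: check_krb5_conf /etc/krb5.conf ; echo $?   (0 = consistent)

# Print the body of one [section] of FILE, skipping comment lines.
krb5_section() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_s = ($0 ~ ("^[ \t]*\\[" want "\\][ \t]*$")); next }
        in_s          { print }
    ' "$1"
}

# Return 0 when FILE is internally consistent, 1 otherwise (problems on stdout).
check_krb5_conf() {
    file=$1; rc=0
    default_realm=$(krb5_section "$file" libdefaults |
        awk -F= '$1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }')
    if [ -z "$default_realm" ]; then
        echo "no default_realm in [libdefaults]"; rc=1
    fi
    # Realm names defined in [realms] look like "NAME = {".
    defined=$(krb5_section "$file" realms |
        awk -F= '$2 ~ /^[ \t]*[{][ \t]*$/ { gsub(/[ \t]/, "", $1); print $1 }')
    if [ -n "$default_realm" ] && ! echo "$defined" | grep -qx "$default_realm"; then
        echo "default_realm $default_realm has no [realms] entry (found: $(echo $defined))"
        rc=1
    fi
    # Every [domain_realm] mapping must point at a realm defined in [realms].
    krb5_section "$file" domain_realm |
        awk -F= 'NF == 2 { gsub(/[ \t]/, "", $2); print $2 }' | sort -u |
    while read -r target; do
        echo "$defined" | grep -qx "$target" ||
            echo "domain_realm maps to undefined realm $target"
    done | grep . && rc=1
    return $rc
}
```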