Joining Fedora 7 to a MS 2003 server Domain:

Joining Fedora 7 to a MS 2003 server Domain:

Hi I am very new to Linux;
I have just installed Fedora 7. I will like to know the step by step guide how to add Fedora 7 to my MS 2003 server domain running DHCP, DNS, and AD.

I will like for both Windows and Linux computers to be able to share and communicate with each other on my LAN once they have joined the domain.

Please can anyone give me some step by step guide on how to get this done!!!!?

Thanks for your help!!!

Quote:

Originally Posted by dyer83 Joining Fedora 7 to a MS 2003 server Domain: Hi I am very new to Linux; I have just installed Fedora 7. I will like to know the step by step guide how to add Fedora 7 to my MS 2003 server domain running DHCP, DNS, and AD. I will like for both Windows and Linux computers to be able to share and communicate with each other on my LAN once they have joined the domain. Please can anyone give me some step by step guide on how to get this done!!!!? Thanks for your help!!!

I've got some rough notes on how I've joined a few of my FC6 & 7 servers to my domain. I can share them if you'd like.

Quote:

Originally Posted by dyer83 Joining Fedora 7 to a MS 2003 server Domain: Hi I am very new to Linux; I have just installed Fedora 7. I will like to know the step by step guide how to add Fedora 7 to my MS 2003 server domain running DHCP, DNS, and AD. I will like for both Windows and Linux computers to be able to share and communicate with each other on my LAN once they have joined the domain. Please can anyone give me some step by step guide on how to get this done!!!!? Thanks for your help!!!

Hi

Just add the MS 2003 server domain IP address in your Fedora system's DNS IP. Hope u will solve ur problem.

Hemant

I recently worked on contract at Sony.

We spend quite a bit of time pursuing a reliable repeatable solution for RedHat ES4 and 5ES joining them to Win2000 and Win2003 AD servers.

We discovered the main problem was due to windows time (win32time) not allowing the Linux box to sync which is required for Kerberos authentication (part of AD).

I gained quite a bit of knowledge about what will work and what doesn't.

What problems are you having?

Graham.

Quote:

Originally Posted by grahamatlq I recently worked on contract at Sony. We spend quite a bit of time pursuing a reliable repeatable solution for RedHat ES4 and 5ES joining them to Win2000 and Win2003 AD servers. We discovered the main problem was due to windows time (win32time) not allowing the Linux box to sync which is required for Kerberos authentication (part of AD). I gained quite a bit of knowledge about what will work and what doesn't. What problems are you having? Graham.

I am trying to join Fedora 7 to my MS 2003 server domain but it keeps picking up my MS 2003 server local area IP address. I have try to release the IP address from Fedora using root# ifconfig eth0 down and root#ifconfig eth0 up. but it keeps picking up my MS 2003 server local area IP address. Any help welcome!!!

plus i want to enable remote acccess from Fedora to MS 2003 server and to all of the PC in the Domain.

Quote:

Originally Posted by d33z I've got some rough notes on how I've joined a few of my FC6 & 7 servers to my domain. I can share them if you'd like.

yes please do share your notes.

thank you

We had to give the RedHat box a fixed IPaddress in the Active directory domain and told the RedHat Box to get DHCP.

There's a new service on recent Fedora releases (6+ I think) NetworkManager.
I was also on the Redhat4 release we were using.

We found that it used to mess with the network settings so we disabled it
# service NetworkManager stop
# chkconfig NetworkManager off
# service NetworkManagerDispatcher stop
# chkconfig NetworkManagerDispatcher off

Try this then force a DHCP link
# ifconfig eth0 down
# ifconfig eth0 dynamic
# dhclient eth0

You should see it set up the link with DHCP DISCOVER etc.

Also you can monitor the activity with tcpdump

# tcpdump -i eth0

You could also install the win2003 version of ethereal on the win server and monitor traffic on both ends

Sound like you need also to experiment with fixed IP addresses as well to make sure the AD server DNS is working OK
We needed to set up a fixed reservation for DHCP and set up AD to use that address.
This means we could still use DHCP and fixed addresses, the RedHat box was a server after all :-)

You could set up a static address on the Linux box temporarily to make sure AD will still work

# ifconfig eth0 down
# ifconfig eth0 192.168.0.100
# route add default dev eth0 gw <win server IP>
# echo "nameserver <win server IP>" >/etc/resolv.conf
No this is not a typo it's not resolve.conf ;-)

This gives you a fixed IP until you reboot or restart the network

Then set up the AD server to use 192.168.0.100 (or use some appropriate IP address)

You also need to set up the KDC realm in /etc/krb5.conf as well as /etc/samba/smb.conf
I seem to remember having to tinker with /etc/nsswitch.conf and the PAM settings, but I'm not sure if they were needed.

Then you should just be able to:
# kinit administrator@<REALM>
# net join ads
and it should just work

I would do a
# net time set
just before the kinit to sync the time properly.

I also have some notes in some backups as well as some scripts to automate much of this.

Let me know how you get on.

Post some console dumps so we can see what is happening.

Graham.
http://grahams.free-online.co.uk

Quote:

Originally Posted by grahamatlq We had to give the RedHat box a fixed IPaddress in the Active directory domain and told the RedHat Box to get DHCP. There's a new service on recent Fedora releases (6+ I think) NetworkManager. I was also on the Redhat4 release we were using. We found that it used to mess with the network settings so we disabled it # service NetworkManager stop # chkconfig NetworkManager off # service NetworkManagerDispatcher stop # chkconfig NetworkManagerDispatcher off Try this then force a DHCP link # ifconfig eth0 down # ifconfig eth0 dynamic # dhclient eth0 You should see it set up the link with DHCP DISCOVER etc. Also you can monitor the activity with tcpdump # tcpdump -i eth0 You could also install the win2003 version of ethereal on the win server and monitor traffic on both ends Sound like you need also to experiment with fixed IP addresses as well to make sure the AD server DNS is working OK We needed to set up a fixed reservation for DHCP and set up AD to use that address. This means we could still use DHCP and fixed addresses, the RedHat box was a server after all :-) You could set up a static address on the Linux box temporarily to make sure AD will still work # ifconfig eth0 down # ifconfig eth0 192.168.0.100 # route add default dev eth0 gw <win server IP> # echo "nameserver <win server IP>" >/etc/resolv.conf No this is not a typo it's not resolve.conf ;-) This gives you a fixed IP until you reboot or restart the network Then set up the AD server to use 192.168.0.100 (or use some appropriate IP address) You also need to set up the KDC realm in /etc/krb5.conf as well as /etc/samba/smb.conf I seem to remember having to tinker with /etc/nsswitch.conf and the PAM settings, but I'm not sure if they were needed. Then you should just be able to: # kinit administrator@<REALM> # net join ads and it should just work I would do a # net time set just before the kinit to sync the time properly. I also have some notes in some backups as well as some scripts to automate much of this. Let me know how you get on. Post some console dumps so we can see what is happening. Graham. http://grahams.free-online.co.uk

I have reinstall Fedora and change my MS 2003 server DHCP address range from 10.0.0.1 to 10.0.0
2. and leave my MS 2003 server on 10.0.0.1 for the LAN IP Address. Fedora is now able to Optain an IP address from my MS 2003 server (10.0.0.15) and have full internet access and can ping both local and external.

Thanks a lot for all your help!!!


I how need to join Fedora 7 to my MS 2003 domain but need to know how to configure KDC and Samba, so that can enable remote access and file sharing!!!
any help on this will be welcome.

Thank you!!

Have to say the short and less painless way is to configure a Linux server and hook your Windows box to that.

Linux will serve the DHCP stuff with /etc/dhcpd.conf and give you file sharing with /etc/samba/smb.conf
DNS is already configured so you don't need to touch that.

Easy peasy.

I would think several times before connecting a Windows box directly to the internet, but a Linux box is pretty safe.

Quote:

Originally Posted by dyer83 yes please do share your notes. thank you

Here's my notes:

My Steps on How to join Fedora Core Linux to an Active Directory Domain

This document will explain how to add a Fedora Core Linux box to an Active Directory domain.
The AD server will handle the authentication. Login as root for this installation.
My AD Server Primary - 192.168.123.20
My AD Server Sec - 192.168.123.21

Packages you need:
samba (v.3.0)
samba-common
pam_krb5
krb5-workstation

Step 1:
Backup your /etc/pam.d directory:
# cp -a /etc/pam.d /etc/pam.d.bak

Step 2:
Change in /etc/nsswitch.conf (Here's the syntax using the nano text editor: [root@myhost]# nano /etc/nsswitch.conf)
passwd: files
shadow: files
group: files

Change to:
passwd: files winbind
shadow: files winbind
group: files winbind

Save the file and exit (Nano Syntax: CTRL + X, Type in Yes and press the enter key)


The files below are my files that I edited to get my host to connect to my AD.
***Before you edit your files though, be sure and make a copy of the originals for backup.
For example: [root@myhost]# cp /etc/samba/smb.conf /etc/samba/smb.conf.ORIG

After you've made backup copies of your files, edit your files and change them to match your settings:

My /etc/samba/smb.conf ([root@myhost]# more /etc/samba/smb.conf):
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = Samba %v
security = ads
password server = 192.168.123.20
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind separator = +
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U

My /etc/pam.d/login:
#%PAM-1.0
auth sufficient pam_winbind.so
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password sufficient pam_winbind.so use_authtok
password required pam_stack.so service=system-auth
# pam_selinux.so close" should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open

My /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYDOMAIN = {
kdc = 192.168.123.20 192.168.123.21
admin_server = 192.168.123.20
default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Run authconfig and choose/configure:
"Use Winbind"
"Use Kerberos"
"Use Winbind Authentication"
# authconfig

My /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so


Last Steps:
Join the Linux server to the domain:
# net ads join -U <domain admin>
Restart winbind:
# service winbind restart
Create the Domain directory:
# mkdir /home/MYDOMAIN
Logoff and Login with your AD credentials.

Useful commands:
See what groups you are in and get the group ID:
# getent group | grep <utaccount> | awk -F: '{ print $1,$3 }'

Quote:

Originally Posted by grahamatlq Have to say the short and less painless way is to configure a Linux server and hook your Windows box to that. Linux will serve the DHCP stuff with /etc/dhcpd.conf and give you file sharing with /etc/samba/smb.conf DNS is already configured so you don't need to touch that. Easy peasy. I would think several times before connecting a Windows box directly to the internet, but a Linux box is pretty safe.

Ok i now want to configure my Fedora system to do the DHCP and file sharing and to be my gateway device to the my network. how and what to i need to configure first and will i need to install (shorewall) if so where do i start from as i am very new;

Thank you

Quote:

Originally Posted by dyer83 Ok i now want to configure my Fedora system to do the DHCP and file sharing and to be my gateway device to the my network. how and what to i need to configure first and will i need to install (shorewall) if so where do i start from as i am very new; Thank you

Quote:

Originally Posted by dyer83 i have downloaded dhcp -3.0.6nalong with kcmdhcpd-0.3.8 to get the kde gui end of the dhcp server but can't get the gui or the command line to work the gui would not open and the commands that i got from google keeps giving me errors. please help if you can!!!!

here are my two network card information:
[root@Fedora-Server etc]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0BB:4D:5A:99
inet addr:160.9.94.68 Bcast:160.9.95.255 Mask:255.255.252.0
inet6 addr: fe80::20b:dbff:fe4d:5a99/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:477 errors:0 dropped:0 overruns:0 frame:0
TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:86219 (84.1 KiB) TX bytes:15094 (14.7 KiB)
Base address:0xdc40 Memory:ff6c0000-ff6e0000

eth1 Link encap:Ethernet HWaddr 00:01:02:AB:60:E9
inet addr:192.168.1.0 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::201:2ff:feab:60e9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:356 errors:0 dropped:0 overruns:1 frame:0
TX packets:258 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:96031 (93.7 KiB) TX bytes:71721 (70.0 KiB)
Interrupt:20 Base address:0xcc00
here is my dhcp config file:

default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "wmd.org";

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
range 192.168.1.150 192.168.1.200;
}
option netbios-name-servers 192.168.1.1;

i can't get any of my windows or linux client computers to receive an ip address from the server. i do not know what have gone wrong or if there more configurations to be done. this is my first time at setting a dhcp server on Fedora/linux!!! there are no error messages comping up only after i use the command "[root@Fedora-Server etc]# /usr/sbin/dhcpd eth1" the following message comes up;

Internet Systems Consortium DHCP Server V3.0.6
Copyright 2004-2007 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

** You must add a global ddns-update-style statement to /etc/dhcpd.conf.
To get the same behaviour as in 3.0b2pl11 and previous
versions, add a line that says "ddns-update-style ad-hoc;"
Please read the dhcpd.conf manual page for more information. **

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.

exiting.

I have also set the dhcp server to start at start up using code "[root@Fedora-Server etc]# /usr/rc.d/rc.local
" the DHCP server is set to work on eth1 NIC, i have full access to the web on eth0 NIC. please help