LinuxQuestions.org

Slackware 13 + Active directory users (http://www.linuxquestions.org/questions/slackware-14/slackware-13-active-directory-users-768729/)

TheMadIndian 11-12-2009 02:03 PM

Slackware 13 + Active directory users
 
Hi all, I'm running a fresh install of Slackware 13. I removed the samba package that comes with Slackware and compiled the latest Kerberos, OpenLDAP and Samba sources.

I can enumerate users on active directory with wbinfo and getent but I can't log in via ssh or the console. I can however su to any AD user once I am logged in as root and set permissions by users and groups from AD.

Hoping someone can steer me in the right direction, I will post my configs if that helps

thanks

TheMadIndian 11-22-2009 08:19 PM

I solved this with a small catch; if anyone wants to know how to do this let me know. It's long but it works, as I've now tested on 3 separate Slackware 13 installs and one Slackware 12.2 install.

Slax-Dude 11-23-2009 05:43 AM

I was planning to try this out, but it's way over my head :(
It would be great if you could help me out.

The goal here is making a distributed shared folder using slackware, or perhaps slax, and samba so that my AD users can make files that have certain permissions.

I have zero experience with samba + AD, so any help you can provide would be most appreciated.

Right now I'm avoiding the issue by having several slax machines exporting a distributed RAID5 over AoE.
Since the array is mounted by a win2k3 machine as a block device I don't have to configure samba to work with AD...
Although it's working, it's not an ideal solution.

TheMadIndian 11-23-2009 06:08 AM

Quote:

Originally Posted by Slax-Dude (Post 3766581)
I was planning to try this out, but it's way over my head :(
It would be great if you could help me out.

The goal here is making a distributed shared folder using slackware, or perhaps slax, and samba so that my AD users can make files that have certain permissions.

I have zero experience with samba + AD, so any help you can provide would be most appreciated.

Right now I'm avoiding the issue by having several slax machines exporting a distributed RAID5 over AoE.
Since the array is mounted by a win2k3 machine as a block device I don't have to configure samba to work with AD...
Although it's working, it's not an ideal solution.

Do you just need samba shares to work and Slackware to be a part of the domain, or do you want AD users to be able to ssh in or log in via the console? The catch with my config is if you want to log in with an AD user via the console you can't log in with a local user via the console, but you can still ssh with a local user... let me know and I'll post up the configs and steps

Slax-Dude 11-23-2009 09:42 AM

Quote:

Originally Posted by TheMadIndian (Post 3766593)
Do you just need samba shares to work and Slackware to be a part of the domain, or do you want AD users to be able to ssh in or log in via the console?

No need for AD users to login into the linux box(es) at all.

TheMadIndian 11-23-2009 12:42 PM

Quote:

Originally Posted by Slax-Dude (Post 3766795)
No need for AD users to login into the linux box(es) at all.

**Remove slackware samba package
Code:

slackpkg remove samba
**Save these downloads to the Downloads dir
Kerberos
http://web.mit.edu/Kerberos/dist/ (I used this one http://web.mit.edu/Kerberos/dist/krb...1.7-signed.tar)

Berkeley DB (I used an old version that I know works with both versions of Slackware I mentioned and tested)
http://www.bayour.com/kerberos/sleepycat_3.0.55.tar.gz

Openldap
http://www.openldap.org/software/download/ (I used this one ftp://ftp.openldap.org/pub/OpenLDAP/...dap-2.4.19.tgz )

Samba
http://www.samba.org/samba/ftp/ (I used this one http://www.samba.org/samba/ftp/samba-3.4.3.tar.gz )

**Start installing (Order does matter)
Kerberos
Code:

cd ~
# Extract source
tar -xvf Downloads/krb5-1.7-signed.tar
tar -xzvf krb5-1.7.tar.gz
# Configure source (note -O2 with the letter O; a zero there makes gcc reject the flag)
cd krb5-1.7/src
./configure --prefix=/usr --enable-shared --with-ccopts="-g -O2 -D_REENTRANT" --localstatedir=/etc --mandir=/usr/share/man --without-tcl
# Compile and install
make all
make install
vi /etc/krb5.conf

Paste this and replace WHATEVER.COM with your domain and server.whatever.com with the fqdn of your domain controller
Code:

[libdefaults]
  default_realm = WHATEVER.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  clockskew = 300

[realms]
  WHATEVER.COM = {
    kdc = server.whatever.com:88
    admin_server = server.whatever.com:749
    default_domain = whatever.com
    passwd_server = server.whatever.com
  }

[domain_realm]
  .whatever.com = WHATEVER.COM
  whatever.com = WHATEVER.COM

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

Test the installation (again replacing with your domain info (caps matter) and a valid user on AD)
Code:

kinit aduser@WHATEVER.COM
klist

Berkeley DB
Code:

cd ~
# Extract source (the sleepycat tarball downloaded above)
tar -xzvf Downloads/sleepycat_3.0.55.tar.gz
# Configure source
cd sleepycat-3.0.55.orig/
cd build_unix/
../dist/configure
# Compile and install
make all
make install

OpenLDAP
Code:

cd ~
# Extract source
tar -xzvf Downloads/openldap-2.4.19.tgz
# Configure source. CPPFLAGS and LDFLAGS go on the same command line as configure so
# it sees them; separated by semicolons they are plain shell variables and never exported.
cd openldap-2.4.19/
CPPFLAGS="-I/usr/local/BerkeleyDB.3.0/include" LDFLAGS="-L/usr/local/BerkeleyDB.3.0/lib" ./configure --prefix=/usr --sysconfdir=/etc/ldap --disable-debug --disable-ipv6 --with-tls --with-kerberos --with-cyrus-sasl --with-threads --enable-null --enable-kpasswd --enable-slapd --enable-crypt --enable-spasswd
# Compile and install
make depend
make all
make install

Samba
Code:

cd ~
# Extract source
tar -xzvf Downloads/samba-3.4.3.tar.gz
# Configure source
cd samba-3.4.3/source3/
./configure --prefix=/usr --sysconfdir=/etc/samba --with-privatedir=/etc/samba/private --with-ldap --with-ads --with-krb5=/usr --with-cifsmount --without-sys-quotas
# Compile and install
make all
make install
cd ..
cp nsswitch/libnss_wins.so /lib/
cp nsswitch/libnss_winbind.so /lib/
cd /lib/
ln -s libnss_wins.so libnss_wins.so.2
ln -s libnss_winbind.so libnss_winbind.so.2

Configure rc.samba (if it doesn't exist create and make it executable /etc/rc.d/rc.samba)
Code:

#!/bin/sh
#
# /etc/rc.d/rc.samba
#
# Start/stop/restart the Samba SMB file/print server.
#
# To make Samba start automatically at boot, make this
# file executable:  chmod 755 /etc/rc.d/rc.samba
#

samba_start() {
  if [ -x /usr/sbin/smbd -a -x /usr/sbin/nmbd -a -r /usr/lib/smb.conf ]; then
    echo "Starting Winbind /usr/sbin/winbindd -D"
    /usr/sbin/winbindd -D
    echo "Starting Samba:  /usr/sbin/smbd -D"
    /usr/sbin/smbd -D
    echo "                /usr/sbin/nmbd -D"
    /usr/sbin/nmbd -D
  fi
}

samba_stop() {
  killall smbd nmbd winbindd
}

samba_restart() {
  samba_stop
  sleep 2
  samba_start
}

case "$1" in
'start')
  samba_start
  ;;
'stop')
  samba_stop
  ;;
'restart')
  samba_restart
  ;;
*)
  # Default is "start", for backwards compatibility with previous
  # Slackware versions.  This may change to a 'usage' error someday.
  samba_start
esac

Configure smb.conf (if it doesn't exist create it at /usr/lib/smb.conf). **(Caps matter; replace as before)
Code:

[global]
  workgroup = WHATEVER
  server string = Slackware Samba Server
  netbios name = slackserv
  security = ADS
  load printers = yes
  log file = /var/log/samba.%m
  max log size = 50
  realm = WHATEVER.COM
  password server = SERVER.WHATEVER.COM
  encrypt passwords = yes
  map to guest = never
  client use spnego = yes
#  idmap backend = rid:WHATEVER=10000-20000
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind separator = +
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  template shell = /bin/bash
  template homedir = /home/%D/%u
  loglevel = 10
  passdb backend = tdbsam
  bind interfaces only = yes
  dns proxy = no

[homes]
  comment = Home Directories
  browseable = no
  writable = yes

[printers]
  comment = All Printers
  path = /var/spool/samba
  browseable = no
  guest ok = no
  writable = no
  printable = yes

Configure etc hosts (make sure server name is properly set against IP)
Code:

127.0.0.1                localhost
10.8.0.38                server.Whatever.com server

Test the install

Code:

grep nobody /etc/passwd          # should list the user nobody
ldd /usr/sbin/smbd | grep krb5   # should list krb5 modules

Join the domain if those were successful
Code:

net ads join -U administrator

If successful start the services
Code:

/etc/rc.d/rc.samba start

Verify they are running
Code:

echo smbd processes;pgrep smbd;echo winbindd processes;pgrep winbindd;echo nmbd processes;pgrep nmbd

Test you can retrieve an AD user
Code:

getent passwd aduser

Verify domain trusts
Code:

wbinfo -m

Test local shares
Code:

smbclient -L server -U%

And that's it. If you need AD login there are more steps, and the installation order changes a little for the missing packages.

Keep me posted on how it works out

crabboy 01-06-2010 02:03 PM

Excellent, thanks. Saved me a lot of time.

I had trouble with the kinit step that this post helped with:
http://www.linuxquestions.org/questi...8/#post2380396

Also had to modify my nsswitch.conf from the default to use: files winbind

SqdnGuns 01-06-2010 02:06 PM

@ TheMadIndian, nice write-up, no doubt some will find it beneficial.

gmjs 01-29-2012 01:17 PM

Quote:

Originally Posted by TheMadIndian (Post 3766986)
And that's it. If you need AD login there are more steps, and the installation order changes a little for the missing packages.

Thanks for this guide--it's been very helpful.

Currently I have this working (Slackware 13.37 and later packages) but would also like to be able to use the AD accounts to log in. It'd be great if you could share how you achieved that too!

Many thanks,

Graham

TheMadIndian 02-19-2012 03:55 PM

Quote:

Originally Posted by gmjs (Post 4587547)
Thanks for this guide--it's been very helpful.

Currently I have this working (Slackware 13.37 and later packages) but would also like to be able to use the AD accounts to log in. It'd be great if you could share how you achieved that too!

Many thanks,

Graham

I ran into a fair amount of issues with it in regard to time drift. I can't use that system for reference as it's currently a freenas system :D

I may have my notes on a server currently offline. I'll see if I can get it on and get my notes.

Post later

santaslilslacker 02-21-2012 04:55 AM

Quote:

Originally Posted by TheMadIndian (Post 4606836)
I ran into a fair amount of issues with it in regard to time drift. I can't use that system for reference as it's currently a freenas system :D
Post later

You can add domain controller(s) or your preferred ntp server in /etc/ntp.conf as a time source. (edit around line 19)
Code:

# NTP server (list one or more) to synchronize with:
#server pool.ntp.org iburst
server pdc.domain.local
server bdc.domain.local

In order to make it work, your DC(s) should either be the ntp source as above or have some ntp server too.
After editing ntp.conf, chmod +x /etc/rc.d/rc.ntpd and start it. To check time sync, issue

Code:

# ntpq -p
to verify
If you don't like ntpd, you can add a crontab entry like this one that will do the same thing once per hour.
Code:

# crontab -e
59 * * * * /usr/sbin/ntpdate -b ntp.youlike.org

At least, all that above solved my issues with time drift. YMMV :)
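The time-drift advice in this post and the krb5.conf/smb.conf template earlier in the thread come down to a handful of consistency checks that are easy to get wrong by hand. The script below is an added example, not code from this thread or from Samba/MIT Kerberos: it parses a constructed krb5.conf and smb.conf pair (modelled on the ones posted), flags realm-case and KDC mismatches, a non-ADS security mode, a missing [domain_realm] mapping and an idmap range that collides with local accounts, and reads the offset column of a constructed `ntpq -p` listing to check it against the clockskew setting. The hostnames, the `dc01.other.example` KDC and the ntpq values are made up for the example, and the parser is a minimal one written for it rather than a full krb5.conf grammar.

```python
"""Added example (not code from the thread, Samba or MIT Kerberos): lint a krb5.conf
and smb.conf pair for the mistakes this thread warns about and compare the `ntpq -p`
offset with the krb5.conf clockskew. All configs and ntpq output are constructed."""
import re

KRB5_CONF = """\
[libdefaults]
  default_realm = WHATEVER.COM
  clockskew = 300
[realms]
  WHATEVER.COM = {
    kdc = server.whatever.com:88
  }
[domain_realm]
  whatever.com = WHATEVER.COM
"""
SMB_CONF = """\
[global]
  workgroup = WHATEVER
  realm = WHATEVER.COM
  password server = SERVER.WHATEVER.COM
  security = ADS
  idmap uid = 10000-20000
"""
# Same file with the usual mistakes: lower-case realm, wrong KDC, security not ADS, idmap below UID 1000.
BAD_SMB_CONF = """\
[global]
  workgroup = WHATEVER
  realm = whatever.com
  password server = dc01.other.example
  security = user
  idmap uid = 500-20000
"""
# `ntpq -p` prints offsets in milliseconds; '*' marks the peer the clock follows (constructed output).
NTPQ_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
*pdc.domain.loca 10.8.0.1         3 u   34   64  377    0.412  -12.345   1.234
"""
NTPQ_DRIFT = NTPQ_OK.replace("-12.345", "420000.000")  # seven minutes out

def parse_ini(text):
    """Reads krb5.conf (with its '{ }' realm blocks) or smb.conf into
    ({section: {option: value}}, {realm: {option: value}}); options are lower-cased,
    realm names keep their case because Kerberos compares them exactly."""
    sections, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            sections.setdefault(section, {})
        elif line == "}":
            realm = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                realm, realms[key] = key, {}
            elif realm is not None:
                realms[realm][key.lower()] = value
            elif section is not None:
                sections[section][key.lower()] = value
    return sections, realms

host = lambda v: v.strip().lower().split(":", 1)[0]  # drop port; hostnames are case-insensitive

def lint(krb5_text, smb_text):
    """Findings as a list of strings; an empty list means the pair is consistent."""
    sections, realms = parse_ini(krb5_text)
    g = parse_ini(smb_text)[0].get("global", {})
    realm = sections.get("libdefaults", {}).get("default_realm", "")
    found = []
    if realm != realm.upper() or realm not in realms:
        found.append(f"krb5.conf: default_realm {realm!r} must be upper case with a [realms] entry")
    if g.get("realm") != realm:
        found.append(f"smb.conf: realm {g.get('realm')!r} != krb5.conf default_realm {realm!r}")
    if g.get("security", "").lower() != "ads":
        found.append("smb.conf: security must be ADS for an AD member server")
    kdc, pw = host(realms.get(realm, {}).get("kdc", "")), host(g.get("password server", ""))
    if kdc and pw and kdc != pw:
        found.append(f"smb.conf: password server {pw} != krb5.conf kdc {kdc}")
    if sections.get("domain_realm", {}).get(realm.lower()) != realm:
        found.append(f"krb5.conf: [domain_realm] must map {realm.lower()} to {realm}")
    m = re.fullmatch(r"(\d+)-(\d+)", g.get("idmap uid", "").replace(" ", ""))
    if m and int(m.group(1)) < 1000:
        found.append("smb.conf: idmap uid range overlaps local system accounts (< 1000)")
    return found

def ntpq_offset_seconds(ntpq_text):
    """Offset in seconds of the selected ('*') peer, or None when nothing is selected."""
    for line in ntpq_text.splitlines():
        if line.startswith("*"):
            return float(line.split()[-2]) / 1000.0
    return None

def clock_within_skew(krb5_text, ntpq_text):
    """(ok, offset_s, allowed_s): ok is False with no selected peer or |offset| > clockskew."""
    sections, _ = parse_ini(krb5_text)
    allowed = int(sections.get("libdefaults", {}).get("clockskew", 300))
    offset = ntpq_offset_seconds(ntpq_text)
    return (offset is not None and abs(offset) <= allowed), offset, allowed
```

Run `lint(KRB5_CONF, SMB_CONF)` on your own files by reading them in place of the samples; an empty list is the state you want before `net ads join`. The clock check deliberately fails when `ntpq -p` shows no `*` peer, because an ntpd that has not selected a source is not keeping the box inside the 300 second window Kerberos allows, even if the offset happens to look small at that moment.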

TheMadIndian 02-26-2012 11:31 AM

Quote:

Originally Posted by gmjs (Post 4587547)
Thanks for this guide--it's been very helpful.

Currently I have this working (Slackware 13.37 and later packages) but would also like to be able to use the AD accounts to log in. It'd be great if you could share how you achieved that too!

Many thanks,

Graham

Sorry it took me so long

A word of caution: Kerberos calls login.krb5, not login, for Kerberos auth. Once you make this change local accounts will not be able to log in; you can reverse this by going into single user mode.

Code:

mv -v /bin/login /bin/login.shadow && install -m755 -v /usr/sbin/login.krb5 /bin/login
I had ntpdate in rc.local, which is fine for boot, but follow what santaslilslacker said for ntpd; that is a much better solution to avoid drift.

