Documentation → Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x
I used the following procedure to join a simple Windows 2003 Active Directory.
Ensure that your time is synced with the ADS machines via ntp.conf.
I used the following to sync time to my NTP server:
# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
server ntp.domain.com
restrict ntp.domain.com mask 255.255.255.255 nomodify notrap noquery
Ensure that your name resolution is configured properly. If needed, modify via /etc/sysconfig/network with the fully qualified name. Also, the /etc/resolv.conf should use the same DNS servers that handle the dynamic updates for the ADS domain.
For example:
# hostname
rhel5.domain.local
# cat /etc/resolv.conf
search domain.local
nameserver 192.168.0.31
nameserver 192.168.0.32
Configure kerberos:
For example:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.LOCAL = {
kdc = pdc.domain.local:88
admin_server = pdc.domain.local:749
default_domain = domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Test kerberos:
kinit -V administrator@domain.local
You should get the following kind of output:
Authenticated to Kerberos v5
Configure samba:
# cat /etc/samba/smb.conf
#GLOBAL PARAMETERS
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-200000
idmap gid = 600-200000
;template primary group = “Domain Users”
template shell = /bin/bash
[homes]
comment = Home Direcotries
valid users = %S
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes
Use the testparm command to verify your samba configuration:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section “[homes]”
Processing section “[printers]”
Loaded services file OK.
‘winbind separator = +’ might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
…
Join the domain:
net ads join -U administrator
You will be prompted for the administrator password. If successful a message will be displayed stating as such.
For example:
Using short domain name – DOMAIN
Joined ‘RHEL5′ to realm ‘domain’
From here you can execute several commands to test:
# net ads testjoin DOMAIN
Join is OK
The following will list both local user IDs and ADS user IDs:
# wbinfo -u
The will list ADS group names:
# wbinfo -g
The following will verify ADS authentication (In this example, “password” is the administrator account password.):
# wbinfo -a administrator%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
Modify nsswitch.conf to support ADS authentication:
# cat /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
This is very important. Make sure you are logged into a couple virtual terminals as root in case there is a problem. You can end up locking yourself out.
Make a backup copy of /etc/pam.d/system-auth-ac:
# cd /etc/pam.d
# cp -rp system-auth-ac system-auth-ac.orig
Edit the system-auth-ac file:
# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
password requisite pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_winbind.so use_first