{"id":356,"date":"2010-05-24T15:59:19","date_gmt":"2010-05-24T22:59:19","guid":{"rendered":"http:\/\/jim-zimmerman.com\/?p=356"},"modified":"2012-01-20T10:22:18","modified_gmt":"2012-01-20T17:22:18","slug":"howto-join-an-active-directory-server-using-rhel5-xcentos5-x-and-samba-3-0-x","status":"publish","type":"post","link":"https:\/\/jim-zimmerman.com\/?p=356","title":{"rendered":"Howto Join An Active Directory Server using RHEL5.x\/CentOS5.x and Samba 3.0.x"},"content":{"rendered":"

I used the following procedure to join a simple Windows 2003 Active Directory. <\/p>\n

Ensure that your time is synced with the ADS machines via ntp.conf.<\/p>\n

I used the following to sync time to my NTP server:
\n# cat \/etc\/ntp.conf
\nrestrict default kod nomodify notrap nopeer noquery<\/p>\n

restrict 127.0.0.1
\nrestrict -6 ::1<\/p>\n

server 127.127.1.0
\nfudge 127.127.1.0 stratum 10<\/p>\n

driftfile \/var\/lib\/ntp\/drift<\/p>\n

keys \/etc\/ntp\/keys<\/p>\n

server ntp.domain.com
\nrestrict ntp.domain.com mask 255.255.255.255 nomodify notrap noquery<\/p>\n

Ensure that your name resolution is configured properly. If needed, modify via \/etc\/sysconfig\/network with the fully qualified name. Also, the \/etc\/resolv.conf should use the same DNS servers that handle the dynamic updates for the ADS domain.<\/p>\n

For example:
\n# hostname
\nrhel5.domain.local<\/p>\n

# cat \/etc\/resolv.conf
\nsearch domain.local
\nnameserver 192.168.0.31
\nnameserver 192.168.0.32<\/p>\n

Configure kerberos:<\/p>\n

For example:
\n# cat \/etc\/krb5.conf
\n[logging]
\n default = FILE:\/var\/log\/krb5libs.log
\n kdc = FILE:\/var\/log\/krb5kdc.log
\n admin_server = FILE:\/var\/log\/kadmind.log<\/p>\n

[libdefaults]
\n default_realm = DOMAIN.LOCAL
\n dns_lookup_realm = false
\n dns_lookup_kdc = false
\n ticket_lifetime = 24h
\n forwardable = yes<\/p>\n

[realms]
\n DOMAIN.LOCAL = {
\n kdc = pdc.domain.local:88
\n admin_server = pdc.domain.local:749
\n default_domain = domain.local
\n }<\/p>\n

[domain_realm]
\n .domain.local = DOMAIN.LOCAL
\n domain.local = DOMAIN.LOCAL<\/p>\n

[appdefaults]
\n pam = {
\n debug = false
\n ticket_lifetime = 36000
\n renew_lifetime = 36000
\n forwardable = true
\n krb4_convert = false
\n }<\/p>\n

Test kerberos:
\nkinit -V administrator@DOMAIN.LOCAL<\/p>\n

You should get the following kind of output:
\nAuthenticated to Kerberos v5<\/p>\n

Configure samba:
\n# cat \/etc\/samba\/smb.conf
\n#GLOBAL PARAMETERS
\n[global]
\n workgroup = DOMAIN
\n realm = DOMAIN.LOCAL
\n preferred master = no
\n server string = Linux Test Machine
\n security = ADS
\n encrypt passwords = yes
\n log level = 3
\n log file = \/var\/log\/samba\/%m
\n max log size = 50
\n printcap name = cups
\n printing = cups
\n winbind enum users = Yes
\n winbind enum groups = Yes
\n winbind use default domain = Yes
\n winbind nested groups = Yes
\n winbind separator = +
\n idmap uid = 600-200000
\n idmap gid = 600-200000
\n ;template primary group = “Domain Users”
\n template shell = \/bin\/bash<\/p>\n

[homes]
\n comment = Home Direcotries
\n valid users = %S
\n read only = No
\n browseable = No<\/p>\n

[printers]
\n comment = All Printers
\n path = \/var\/spool\/cups
\n browseable = no
\n printable = yes
\n guest ok = yes<\/p>\n

Use the testparm command to verify your samba configuration:
\n# testparm
\nLoad smb config files from \/etc\/samba\/smb.conf
\nProcessing section “[homes]”
\nProcessing section “[printers]”
\nLoaded services file OK.
\n‘winbind separator = +’ might cause problems with group membership.
\nServer role: ROLE_DOMAIN_MEMBER
\nPress enter to see a dump of your service definitions
\n…<\/p>\n

Join the domain:
\nnet ads join -U administrator<\/p>\n

You will be prompted for the administrator password. If successful a message will be displayed stating as such.
\nFor example:
\nUsing short domain name \u00e2\u20ac\u201c DOMAIN<\/p>\n

Joined ‘RHEL5’ to realm ‘domain’<\/p>\n

From here you can execute several commands to test:<\/p>\n

# net ads testjoin DOMAIN
\nJoin is OK<\/p>\n

Start up the samba related services:<\/p>\n

# service smb start
\n# service winbind start<\/p>\n

The following will list both local user IDs and ADS user IDs:
\n# wbinfo -u<\/p>\n

The will list ADS group names:
\n# wbinfo -g<\/p>\n

The following will verify ADS authentication (In this example, \u00e2\u20ac\u0153password\u00e2\u20ac\u009d is the administrator account password.):
\n# wbinfo -a administrator%password
\nplaintext password authentication succeeded
\nchallenge\/response password authentication succeeded<\/p>\n

Modify nsswitch.conf to support ADS authentication:
\n# cat \/etc\/nsswitch.conf
\npasswd: files winbind
\nshadow: files winbind
\ngroup: files winbind
\nhosts: files dns
\nbootparams: nisplus [NOTFOUND=return] files
\nethers: files
\nnetmasks: files
\nnetworks: files
\nprotocols: files
\nrpc: files
\nservices: files
\nnetgroup: nisplus
\npublickey: nisplus
\nautomount: files nisplus
\naliases: files nisplus<\/p>\n

This is very important. Make sure you are logged into a couple virtual terminals as root in case there is a problem. You can end up locking yourself out.<\/p>\n

Make a backup copy of \/etc\/pam.d\/system-auth-ac:
\n# cd \/etc\/pam.d
\n# cp -rp system-auth-ac system-auth-ac.orig<\/p>\n

Edit the system-auth-ac file:
\n# cat \/etc\/pam.d\/system-auth-ac
\n#%PAM-1.0
\nauth required pam_env.so
\nauth sufficient pam_unix.so likeauth nullok
\nauth sufficient pam_winbind.so use_first_pass
\nauth required pam_deny.so<\/p>\n

account required pam_unix.so
\naccount sufficient pam_succeed_if.so uid < 100 quiet\naccount sufficient pam_winbind.so use_first_pass\naccount required pam_permit.so\n\npassword requisite pam_cracklib.so retry=3 type=\npassword sufficient pam_unix.so nullok use_authtok md5 shadow\npassword sufficient pam_winbind.so use_first_pass\npassword required pam_deny.so\n\nsession required pam_limits.so\nsession required pam_unix.so\nsession required pam_winbind.so use_first\n<\/p>\n","protected":false},"excerpt":{"rendered":"

I used the following procedure to join a simple Windows 2003 Active Directory. Ensure that your time is synced with the ADS machines via ntp.conf. I used the following to sync time to my NTP server: # cat \/etc\/ntp.conf restrict default kod nomodify notrap nopeer noquery restrict 127.0.0.1 restrict -6 ::1 server 127.127.1.0 fudge 127.127.1.0 [&hellip<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[82,83,85,48,84,61],"class_list":["post-356","post","type-post","status-publish","format-standard","hentry","category-documentation","tag-active-directory","tag-ads","tag-join","tag-linux","tag-rhel","tag-samba"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=356"}],"version-history":[{"count":3,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/356\/revisions"}],"predecessor-version":[{"id":677,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/356\/revisions\/677"}],"wp:attachment":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}