How to set up RHEL4 to authenticate users on a Windows Server 2003 Active Directory

There are many guides on how to set this up. However, they are either too complex, outdated, or just don't work for Red Hat Enterprise Linux or CentOS.

Here are the quick steps:

Install Samba Server:
yum install samba samba-common

Set the Samba and Winbind services to start at boot time:
chkconfig smb on
chkconfig winbind on

Edit your /etc/samba/smb.conf file and make it look something like this:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.ORG
preferred master = no
server string = Samba file and print server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
winbind use default domain = No
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/%U
template shell = /bin/bash
password server = ad.mydomain.org

Next, edit your /etc/krb5.conf and make it look something like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.ORG
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYDOMAIN.ORG = {
kdc = ad.mydomain.org
admin_server = ad.mydomain.org
default_domain = MYDOMAIN.ORG
}

[domain_realm]
.mydomain.org = MYDOMAIN.ORG

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Edit /etc/nsswitch.conf and change these two lines to make them look like this:
passwd: files winbind
group: files winbind

Edit /etc/pam.d/system-auth and make it look something like this:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

Now issue these commands and away we go:

Request a Kerberos ticket (you will be prompted to enter your password):
kinit Administrator@MYDOMAIN.ORG

Start Samba Server:
service smb start

Join the server to the Active Directory:
net ads join -U Administrator

Start Winbind:
service winbind start

Here are some checks to see if things are working properly:
Check to see if users are getting pulled from AD:
wbinfo -u

Check to see if groups are getting pulled from AD:
wbinfo -g

Check to see if all the AD settings are correct:
net ads info

Check to see if AD user accounts are showing up in the passwd database for login purposes:
getent passwd

If all the above commands return the expected results, you are ready to try to log in with AD usernames.
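
When the join or the checks above fail, a realm mismatch between smb.conf and krb5.conf or a missing winbind entry in nsswitch.conf is easy to overlook. The script below is an added example, not part of the original guide: it cross-checks the three files edited above. The function names, the sample files and the 1000 floor for the idmap ranges are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cross-check the files edited above before running "net ads join".
# conf_get FILE KEY: print the first "KEY = value" value, trailing blanks trimmed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# check_ad_config [ETC_DIR]: print each problem found, return how many there were.
check_ad_config() {
    etc=${1:-/etc}; n=0
    smb=$etc/samba/smb.conf; krb=$etc/krb5.conf; nss=$etc/nsswitch.conf
    realm=$(conf_get "$smb" realm); krealm=$(conf_get "$krb" default_realm)
    sec=$(conf_get "$smb" security | tr '[:lower:]' '[:upper:]')
    [ "$sec" = ADS ] || { echo "smb.conf: security = '$sec', expected ADS"; n=$((n+1)); }
    # Kerberos realm names are case-sensitive, so the two files must agree exactly.
    { [ -n "$realm" ] && [ "$realm" = "$krealm" ]; } ||
        { echo "realm mismatch: smb.conf '$realm' vs krb5.conf '$krealm'"; n=$((n+1)); }
    # The default realm needs its own block under [realms].
    grep -q "^[[:space:]]*$krealm[[:space:]]*=[[:space:]]*{" "$krb" ||
        { echo "krb5.conf: no [realms] entry for '$krealm'"; n=$((n+1)); }
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|\$)" "$nss" ||
            { echo "nsswitch.conf: $db does not list winbind"; n=$((n+1)); }
    done
    # Mapped IDs must start above the local account range (1000 is an assumed floor).
    for key in "idmap uid" "idmap gid"; do
        low=$(conf_get "$smb" "$key" | cut -d- -f1)
        [ "${low:-0}" -ge 1000 ] 2>/dev/null ||
            { echo "smb.conf: $key range starts at '$low'"; n=$((n+1)); }
    done
    return "$n"
}

# write_sample DIR KRB_REALM: constructed sample files mirroring the settings above;
# KRB_REALM only affects krb5.conf, so a mismatch can be simulated.
write_sample() {
    mkdir -p "$1/samba"
    printf '%s\n' '[global]' 'workgroup = MYDOMAIN' 'realm = MYDOMAIN.ORG' \
        'security = ADS' 'idmap uid = 10000-20000' 'idmap gid = 10000-20000' \
        > "$1/samba/smb.conf"
    printf '[libdefaults]\ndefault_realm = %s\n[realms]\n%s = {\nkdc = ad.mydomain.org\n}\n' \
        "$2" "$2" > "$1/krb5.conf"
    printf 'passwd: files winbind\ngroup: files winbind\n' > "$1/nsswitch.conf"
}

# Demo on the constructed sample; on a real host run: check_ad_config /etc
d=$(mktemp -d) && write_sample "$d" MYDOMAIN.ORG && check_ad_config "$d" && echo "sample config is consistent"
rm -rf "$d"
```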