BCF: Bike Chat Forums

Integrating Linux servers with Active Directory - How?

Andy_Pagin
World Chat Champion
Joined: 08 Nov 2010
Posted: 12:23 - 10 Mar 2017    Post subject: Integrating Linux servers with Active Directory - How?

I've got a couple of Linux servers that up to now have been stand-alone in our company apart from accessing Windows print servers which up until now hasn't been a problem.

Users have different Linux login names and passwords from those they use on their Windows desktops. Linux applications are presented via an Xterm emulator and ssh.

The problem now is we've gone on to a 'follow me' printing strategy whereby users' prints are stored in a queue (on the Windows side) under their Windows userid, they can then go to any printer, swipe a card and the prints stored under their userid are all available to that printer.

So I need to ensure the userid is the same on both sides of the fence, and avoid the Windows side requiring a password to be entered every time someone wants to print something.

Eg. The AD administrator sets up user john.smith; he can go straight to a Linux box, log in as john.smith with the same password and print something to 'follow me'.

It only needs to be a one way street, Windows doesn't need to send stuff to Linux.

Servers are RHEL6.
I'm an application developer with only a hazy knowledge of infrastructure, last time I studied the subject Novell 3.1 was the latest thing.

So far everything I've googled is a bit too academic and theoretical, so I turn to the font of all wisdom - BCF.
____________________
They're coming to take me away, ho-ho, hee-hee, ha-haaa, hey-hey,
the men in white coats are coming to take me away.
Yamaha Vity -> YBR125 -> FZS600 Fazer -> FZ1-S Fazer

techathy
Traffic Copper
Joined: 09 Aug 2015
Posted: 14:29 - 10 Mar 2017

Apparently, I'm not sure how, you can authenticate against an AD domain from within Linux.

What we do is have an IdM unix domain, RH provides packages in their standard repo for a stability/support win, which trusts the AD domain. We have ended up with RHEL7 servers to do this job as the RHEL6 version of IdM did not support everything we needed (all our clients are RHEL6, it's just the IdM servers which are RHEL7). The IdM servers really need to be single task physical servers, no VMs I'm afraid, due to the installation being a one hit script item. Also it makes life a lot easier if you have control of your own DNS (sub-)domain.
There's a huge pain barrier to go through when initially setting it all up but once it's working it works very well. I've not got any real hands on experience with the software side as I'm the datacentre hardware & services manager.
____________________
Bikes: '17 Zero FX ZF6.5, '16 BMW R1200 RS, '12 Triumph Daytona 675

Andy_Pagin
World Chat Champion
Joined: 08 Nov 2010
Posted: 15:07 - 10 Mar 2017

techathy wrote:
The IdM servers really need to be single task physical servers, no VMs I'm afraid
That's a bit of a show-stopper for me, we're completely virtualised. At least that's one option I don't need to waste time exploring.

Baggyman
Crazy Courier
Joined: 20 Feb 2017
Posted: 15:08 - 10 Mar 2017

Samba?
____________________
Old fart
Baghira, modded GS1000 and the T150 I bought in 1978 when I was 21

Andy_Pagin
World Chat Champion
Joined: 08 Nov 2010
Posted: 15:12 - 10 Mar 2017

Baggyman wrote:
Samba?
Possibly, I've used it for exposing fileshares before; quite what its capabilities are regarding AD I don't know.

Baggyman
Crazy Courier
Joined: 20 Feb 2017
Posted: 15:51 - 10 Mar 2017

https://technet.microsoft.com/en-us/library/2008.12.linux.aspx

not a Red Hat techie myself but am vaguely aware of what my guys use for "stuff"

duhawkz
World Chat Champion
Joined: 03 Dec 2006
Posted: 17:45 - 10 Mar 2017

Sounds like what you need to do is this

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-sssd-ad-ldap-proc.html

See section

Procedure 13.7. Configuring Active Directory as an LDAP Provider
____________________
"The guy is a worthless cunt and I honestly believe I would be a slightly happier person if he died." - Chris-Red

Andy_Pagin
World Chat Champion
Joined: 08 Nov 2010
Posted: 17:51 - 10 Mar 2017

Trawling through Red Hat's website I came across 'realmd' which looks promising; it identified our AD nicely but needed the admin password, which I don't have. So it'll have to wait till I'm in the office Monday.

linuxyeti
World Chat Champion
Joined: 06 Oct 2006
Posted: 22:36 - 10 Mar 2017

Piece of cake,

sssd & kerberos , for authentication, and if setting up shares that can be accessed via windows clients, samba.

Nothing to it, 5 minute job, may have to amend a couple of pam config files as well, but then again, possibly not.

Example of an entry in smb.conf

[global]
#--authconfig--start-line--

# Generated by authconfig on 2015/03/30 11:47:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

# NetBIOS (short) name of the AD domain, as reported by 'net join' below
workgroup = DOMAIN
password server = ad-server.domain
# Kerberos realm: the AD DNS domain in UPPER CASE, same as krb5.conf
realm = DOMAIN
security = ads
template homedir = /home/%U
template shell = /bin/bash
# needed so that 'net join -k' also writes /etc/krb5.keytab (see below)
kerberos method = secrets and keytab
winbind use default domain = true
winbind offline logon = true
client signing = yes
client use spnego = yes
log file = /var/log/samba/log.%m
max log size = 50
cups options = raw
#--authconfig--end-line--

[chimp]
comment = "Chimp Directory"
path = /chimp
follow symlinks = yes
# the 'force user' account must itself be listed in 'valid users' (see note)
valid users = "+DOMAIN\Domain group 1","+DOMAIN\Domain group 2","DOMAIN\domain user", fred
force user = fred
force group = smb
read only = No
acl check permissions = Yes
create mask = 0775
force create mode = 0775

***** Note *****
As of Samba 4, for the force user to work successfully, that user now also has to be in the valid users list.

Kerberos
This is straightforward to configure, on the proviso that you remember UPPER CASE; below is an example of a working /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# the AD DNS domain in UPPER CASE; must match 'realm' in smb.conf
default_realm = DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
# with dns_lookup_kdc = false every domain controller has to be listed here
DOMAIN = {
kdc = ad-server.domain:88
kdc = ad-server2.domain
admin_server = ad-server.domain:749
}

[domain_realm]
# map the DNS domain, and every host under it, to the realm
domain = DOMAIN
.domain = DOMAIN

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

sssd
SSSD is a newer mechanism for authenticating against multiple backends, in our case Active Directory. You will, however, still need to use winbind for authenticating shares.

Let's create a kerberos keytab file, by default /etc/krb5.keytab. The important bit to remember here is the kerberos method property in the samba configuration file. It should read

kerberos method = secrets and keytab

At the root prompt issue the following :-
kinit ad_admin_account

Enter the password
All being well, once the password has been entered you should be returned to the prompt.
To see if a kerberos ticket has been issued, issue the command
klist
The output should be similar to that shown below:-

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: adm.xxx@DOMAIN

Valid starting Expires Service principal
01/04/15 10:28:20 01/04/15 20:28:20 krbtgt/DOMAIN@DOMAIN
renew until 02/04/15 10:27:56

Once we have confirmed that a kerberos ticket has been generated for the active directory admin user, we can join the domain, using that ticket, by issuing the command

/usr/bin/net join -k

Kinit failed: Preauthentication failed
Using short domain name -- DOMAIN
Joined 'SERVER' to dns domain 'domain'
kerberos_kinit_password SERVER$@DOMAIN failed: Preauthentication failed
DNS update failed: kinit failed: Preauthentication failed

Don't worry too much about the last 2 lines, especially if the server has already been manually added to DNS and you have already run the net join command successfully.
If successful, the above command, as well as registering the server on the domain, will also generate the kerberos keytab file, /etc/krb5.keytab

To list contents of /etc/krb5.keytab issue the command

klist -ke

To test GSSAPI / Kerberos, issue a command similar to that shown below :-

/usr/bin/ldapsearch -H ldap://ad-server.domain -Y GSSAPI -N -b "dc=dom,dc=ain" "(&(objectClass=user)(sAMAccountName=adm.xxx))"


Now, to configure sssd itself
Edit or create /etc/sssd/sssd.conf accordingly, shown below is a working example :-
[sssd]
domains = DOMAIN
services = nss, pam, ssh
config_file_version = 2

[domain/DOMAIN]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

default_shell = /bin/bash
fallback_homedir = /home/%u

***** Note ***** If you set the sssd domain to be the same as the ad domain, then sssd can use autodiscovery, and it saves on lots of additional ldap config etc in sssd.conf

To test sssd is working for user accounts issue the command

getent passwd -s sss username

The output should look similar to a passwd entry

pam
There are four config files in /etc/pam.d that may require editing, they are:

system-auth-ac
postlogin-ac
password-auth-ac
fingerprint-auth-ac

For ssh to work with sssd ensure entries in /etc/pam.d/password-auth-ac for sss are there
Also check contents of /etc/nsswitch.conf for the sss options, such as
passwd: files sss winbind

Tying It All Together
The final steps to getting authentication successfully working are to issue the following command :-

authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
Once executed, issue the following commands to restart the relevant services :-
/bin/systemctl restart smb.service
/bin/systemctl restart winbind.service
/bin/systemctl restart nmb.service
/bin/systemctl restart nscd.service
/bin/systemctl restart sssd.service
/bin/systemctl restart oddjobd.service
/bin/systemctl restart sshd.service



That should get you going ..

Oh, make sure the servers' time matches, anything out by a couple of minutes buggers up kerberos !!

Cheers

Tony
____________________
Beware what photos you upload, or link to on here, especially if you have family members on them
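The post above hands you four files (smb.conf, krb5.conf, sssd.conf, nsswitch.conf) and a list of things that silently break the join: a lower-case realm, a missing 'kerberos method = secrets and keytab', a realm that is not mapped in [domain_realm], a domain name in sssd.conf that does not match AD, and no 'sss' in nsswitch.conf. The script below is an added example, not code from the post, Samba, MIT Kerberos or SSSD. It parses those files offline and reports each of those mistakes, plus two points the post does not call out: SSSD's access_provider defaults to 'permit' when it is left out (the PAM account stage then never asks AD at all), and a keytab that 'klist -ke' shows with RC4 or DES enctypes. EXAMPLE.NET, dc1.example.net and linuxbox are made-up placeholders, and the sample file contents are constructed for the demonstration.

```python
"""Offline checks for the smb.conf / krb5.conf / sssd.conf / nsswitch.conf set
from the post above. Added example, not code from the post, Samba, MIT Kerberos
or SSSD; EXAMPLE.NET, dc1.example.net and linuxbox are placeholders. It flags
the post's pitfalls plus an unset access_provider and weak keytab enctypes."""
import re

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_ini(text):
    """'key = value' under [section]; krb5.conf 'REALM = {' sub-blocks become
    'REALM.key'; repeated keys (several kdc = lines) keep every value."""
    conf, section, block = {}, "", None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            block = line[:-1].strip(" =")
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = f"{block}.{key}" if block else key
            conf.setdefault(section, {}).setdefault(key, []).append(value)
    return conf

def first(conf, section, key, default=""):
    return conf.get(section, {}).get(key, [default])[0]

def check_krb5(krb5):
    out, realm = [], first(krb5, "libdefaults", "default_realm")
    if not realm or realm != realm.upper():
        out.append("krb5: default_realm must be the AD domain in UPPER CASE")
    dns_kdc = first(krb5, "libdefaults", "dns_lookup_kdc", "true").lower() == "true"
    if not dns_kdc and not any(k.startswith(realm + ".kdc") for k in krb5.get("realms", {})):
        out.append(f"krb5: dns_lookup_kdc is off but no kdc is listed for {realm}")
    if realm not in {v for vals in krb5.get("domain_realm", {}).values() for v in vals}:
        out.append(f"krb5: [domain_realm] does not map the DNS domain to {realm}")
    return out, realm

def check_smb(smb, realm):
    out = []
    if first(smb, "global", "realm") != realm:
        out.append(f"smb: realm must equal krb5 default_realm ({realm})")
    if first(smb, "global", "kerberos method") != "secrets and keytab":
        out.append("smb: 'kerberos method = secrets and keytab' is needed so "
                   "'net join -k' also writes /etc/krb5.keytab")
    if first(smb, "global", "client signing").lower() not in ("yes", "true", "mandatory", "required"):
        out.append("smb: client signing is not enforced")
    return out

def check_sssd(sssd, realm):
    out = []
    for dom in [d.strip() for d in first(sssd, "sssd", "domains").split(",") if d.strip()]:
        sec = f"domain/{dom}"
        if sec not in sssd:
            out.append(f"sssd: [{sec}] section is missing")
            continue
        if dom.lower() != realm.lower():
            out.append(f"sssd: domain {dom} is not the AD domain, so DC auto-discovery will not work")
        # SSSD defaults access_provider to 'permit': the PAM account stage then never consults AD.
        if first(sssd, sec, "access_provider", "permit") == "permit":
            out.append(f"sssd: [{sec}] access_provider is 'permit' (the default); set access_provider = ad")
    return out

def check_nsswitch(text):
    out = []
    for db in ("passwd", "group"):
        m = re.search(rf"^\s*{db}:\s*(.*)$", text, re.M)
        if not m or "sss" not in m.group(1).split():
            out.append(f"nsswitch: '{db}' line does not include sss")
    return out

def weak_keytab_enctypes(klist_ke_output):
    """Parse 'klist -ke' lines such as '   2 host/h@REALM (arcfour-hmac)'."""
    found = re.findall(r"^\s*\d+\s+\S+\s+\((\S+)\)", klist_ke_output, re.M)
    return sorted(set(found) & WEAK_ENCTYPES)

def run_all(smb_text, krb5_text, sssd_text, nss_text, klist_text):
    krb5_out, realm = check_krb5(parse_ini(krb5_text))
    findings = (krb5_out + check_smb(parse_ini(smb_text), realm)
                + check_sssd(parse_ini(sssd_text), realm) + check_nsswitch(nss_text))
    return findings + [f"keytab: weak enctype {e}" for e in weak_keytab_enctypes(klist_text)]

# Constructed sample files for the placeholder domain example.net.
GOOD_KRB5 = ("[libdefaults]\ndefault_realm = EXAMPLE.NET\ndns_lookup_kdc = false\n"
             "[realms]\nEXAMPLE.NET = {\n  kdc = dc1.example.net\n}\n"
             "[domain_realm]\n.example.net = EXAMPLE.NET\nexample.net = EXAMPLE.NET\n")
GOOD_SMB = ("[global]\nworkgroup = EXAMPLE\nrealm = EXAMPLE.NET\nsecurity = ads\n"
            "kerberos method = secrets and keytab\nclient signing = yes\n")
GOOD_SSSD = ("[sssd]\ndomains = example.net\n[domain/example.net]\n"
             "id_provider = ad\nauth_provider = ad\naccess_provider = ad\n")
GOOD_NSS = "passwd: files sss\ngroup: files sss\n"
GOOD_KLIST = "KVNO Principal\n   2 host/linuxbox.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)\n"
GOOD = (GOOD_SMB, GOOD_KRB5, GOOD_SSSD, GOOD_NSS, GOOD_KLIST)
# The same set with one mistake per file.
BAD = (GOOD_SMB.replace("kerberos method = secrets and keytab\n", ""),
       GOOD_KRB5.split("[domain_realm]")[0],
       GOOD_SSSD.replace("access_provider = ad\n", ""),
       "passwd: files\ngroup: files\n",
       GOOD_KLIST + "   2 host/linuxbox.example.net@EXAMPLE.NET (arcfour-hmac)\n")

if __name__ == "__main__":
    for finding in run_all(*BAD):
        print(finding)
```

To use it on a real box, read /etc/samba/smb.conf, /etc/krb5.conf, /etc/sssd/sssd.conf, /etc/nsswitch.conf and the output of 'klist -ke' into the five arguments of run_all in place of the constructed strings. It never touches the network, so the kinit, net join and getent steps in the post still have to be confirmed by hand as described there; what it saves you is the round trip of a failed join caused by a typo in one of the four files.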

The Shaggy D.A.
Super Spammer
Joined: 12 Sep 2008
Posted: 23:02 - 10 Mar 2017

Andy_Pagin wrote:
techathy wrote:
The IdM servers really need to be single task physical servers, no VMs I'm afraid
That's a bit of a show-stopper for me, we're completely virtualised. At least that's one option I don't need to waste time exploring.


We use IDM between Novell OES (Suse) and AD servers under VMware with no issues.
____________________
Chances are quite high you are not in my Monkeysphere, and I don't care about you. Don't take it personally.
Currently : Royal Enfield 350 Meteor
Previously : CB100N > CB250RS > XJ900F > GT550 > GPZ750R/1000RX > AJS M16 > R100RT > Bullet 500 > CB500 > LS650P > Bullet Electra X & YBR125 > Bullet 350 "Superstar" & YBR125 Custom > Royal Enfield Classic 500 Despatch Limited Edition (28 of 200) & CB Two-Fifty Nighthawk > ER5

Andy_Pagin
World Chat Champion
Joined: 08 Nov 2010
Posted: 00:17 - 11 Mar 2017

linuxyeti wrote:
Stuff I was looking for...

Thanks, even I can work my way through that.
Plus I can now forever justify staring at BCF all day at work Thumbs Up Very Happy

linuxyeti
World Chat Champion
Joined: 06 Oct 2006
Posted: 08:51 - 11 Mar 2017

Laughing Laughing Thumbs Up

techathy
Traffic Copper
Joined: 09 Aug 2015
Posted: 16:18 - 11 Mar 2017

The Shaggy D.A. wrote:
We use IDM between Novel OES (Suse) and AD servers under VMware with no issues.

We had nothing but problems with IdM on RHEL7 being the guest OS on RHEL6 qemu/KVM VMs. RH either recommend or only supported IdM on a non-virtualised server.

Andy_Pagin
World Chat Champion
Joined: 08 Nov 2010
Posted: 13:59 - 13 Mar 2017

I've succeeded in joining a Centos7 box to our domain using the adcli method detailed in the linky below. I didn't use realm since it's not available on our live RHEL6 servers.
https://jhrozek.livejournal.com/3581.html

All times are GMT + 1 Hour