Andy_Pagin
Posted: 12:23 - 10 Mar 2017 Post subject: Integrating Linux servers with Active Directory - How?
I've got a couple of Linux servers that up to now have been stand-alone in our company, apart from accessing Windows print servers, which up until now hasn't been a problem.
Users have different Linux login names and passwords from those they use on their Windows desktops. Linux applications are presented via an Xterm emulator and ssh.
The problem now is we've gone on to a 'follow me' printing strategy whereby users' prints are stored in a queue (on the Windows side) under their Windows userid; they can then go to any printer, swipe a card, and the prints stored under their userid are all available to that printer.
So I need to ensure the userid is the same on both sides of the fence, and avoid the Windows side requiring a password to be entered every time someone wants to print something.
E.g. the AD administrator sets up user john.smith; he can go straight to a Linux box, log in as john.smith with the same password and print something to 'follow me'.
It only needs to be a one way street, Windows doesn't need to send stuff to Linux.
Servers are RHEL6.
I'm an application developer with only a hazy knowledge of infrastructure, last time I studied the subject Novell 3.1 was the latest thing.
So far everything I've googled is a bit too academic and theoretical, so I turn to the font of all wisdom - BCF.
Andy_Pagin
Posted: 15:12 - 10 Mar 2017
Possibly, I've used it for exposing fileshares before; quite what its capabilities are regarding AD I don't know.
linuxyeti
Posted: 22:36 - 10 Mar 2017
Piece of cake:
sssd & Kerberos for authentication, and if setting up shares that can be accessed via Windows clients, Samba.
Nothing to it, 5 minute job; you may have to amend a couple of PAM config files as well, but then again, possibly not.
Example of an entry in smb.conf:
[global]
#--authconfig--start-line--
# Generated by authconfig on 2015/03/30 11:47:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
# workgroup is the short (NetBIOS) domain name; realm is the Kerberos realm and must be UPPER CASE
# ad-server.domain is a placeholder for your domain controller's hostname
workgroup = DOMAIN
password server = ad-server.domain
realm = DOMAIN
security = ads
template homedir = /home/%U
template shell = /bin/bash
# use the machine keytab written by 'net join -k' as well as secrets.tdb
kerberos method = secrets and keytab
winbind use default domain = true
winbind offline logon = true
client signing = yes
client use spnego = yes
log file = /var/log/samba/log.%m
max log size = 50
cups options = raw

[chimp]
comment = Chimp Directory
path = /chimp
follow symlinks = yes
# a leading '+' marks a group; names containing spaces must be quoted
valid users = "+DOMAIN\Domain group 1", "+DOMAIN\Domain group 2", "DOMAIN\domain user", fred
force user = fred
force group = smb
read only = No
acl check permissions = Yes
create mask = 0775
force create mode = 0775
***** Note *****
As of Samba 4, for the force user to work successfully, that user now also has to be in the valid users list.
Kerberos
This is straightforward to configure, on the proviso that you remember UPPER CASE; below is an example of a working /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # realm names are case sensitive; an AD realm is the DNS domain name in UPPER CASE
 default_realm = DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN = {
  # one kdc line per domain controller (placeholder hostnames); 88 is the default port
  kdc = ad-server.domain:88
  kdc = ad-server-2.domain
  admin_server = ad-server.domain:749
 }

[domain_realm]
 # map the DNS domain, and every host under it, onto the realm
 domain = DOMAIN
 .domain = DOMAIN

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
sssd
SSSD is a newer mechanism for authenticating against multiple backends, in our case Active Directory. You will, however, still need to use winbind for authenticating shares.
Let's create a Kerberos keytab file, by default /etc/krb5.keytab. The important bit to remember here is the kerberos method property in the Samba configuration file. It should read
kerberos method = secrets and keytab
At the root prompt issue the following:
kinit ad_admin_account
Enter the password.
All being well, once the password has been entered you should be returned to the prompt.
To see if a Kerberos ticket has been issued, issue the command
klist
The output should be similar to that shown below:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: adm.xxx@DOMAIN
Valid starting Expires Service principal
01/04/15 10:28:20 01/04/15 20:28:20 krbtgt/DOMAIN@DOMAIN
renew until 02/04/15 10:27:56
Once we have confirmed that a Kerberos ticket has been generated for the Active Directory admin user, we can join the domain, using that ticket, by issuing the command
/usr/bin/net join -k
Kinit failed: Preauthentication failed
Using short domain name -- DOMAIN
Joined 'SERVER' to dns domain 'domain'
kerberos_kinit_password SERVER$@DOMAIN failed: Preauthentication failed
DNS update failed: kinit failed: Preauthentication failed
Don't worry too much about the last 2 lines, especially if the server has already been manually added to DNS and you have already run the net join command successfully.
If successful, the above command, as well as registering the server on the domain, will also generate the Kerberos keytab file, /etc/krb5.keytab.
To list the contents of /etc/krb5.keytab issue the command
klist -ke
To test GSSAPI / Kerberos, issue a command similar to that shown below (ad-server.domain being your domain controller):
/usr/bin/ldapsearch -H ldap://ad-server.domain -Y GSSAPI -N -b "dc=dom,dc=ain" "(&(objectClass=user)(sAMAccountName=adm.xxx))"
Now, to configure sssd itself.
Edit or create /etc/sssd/sssd.conf accordingly; shown below is a working example:
[sssd]
domains = DOMAIN
services = nss, pam, ssh
config_file_version = 2

[domain/DOMAIN]
# the AD provider handles identity lookup, authentication, access control and password changes
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%u
***** Note ***** If you set the sssd domain to be the same as the AD domain, then sssd can use autodiscovery, and it saves on lots of additional LDAP config etc. in sssd.conf.
To test sssd is working for user accounts issue the command
getent passwd -s sss username
The output should look similar to a passwd entry.
pam
There are four config files in /etc/pam.d that may require editing; they are:
system-auth-ac
postlogin-ac
password-auth-ac
fingerprint-auth-ac
For ssh to work with sssd, ensure the entries in /etc/pam.d/password-auth-ac for sss are there.
Also check the contents of /etc/nsswitch.conf for the sss options, such as
passwd: files sss winbind
Tying It All Together
The final step to getting authentication successfully working is to issue the following command:
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
Once executed, issue the following commands to restart the relevant services:
/bin/systemctl restart smb.service
/bin/systemctl restart winbind.service
/bin/systemctl restart nmb.service
/bin/systemctl restart nscd.service
/bin/systemctl restart sssd.service
/bin/systemctl restart oddjobd.service
/bin/systemctl restart sshd.service
That should get you going ..
Oh, make sure the servers' time matches; anything out by a couple of minutes buggers up Kerberos !!
Cheers
Tony
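A pre-flight check for the configuration Tony's post walks through, added here as an example and not part of the post: it parses constructed copies of smb.conf, sssd.conf, krb5.conf and nsswitch.conf and reports the mismatches the thread warns about (realm in UPPER CASE and identical in krb5.conf and smb.conf, the kerberos method line, an sssd domain named after the AD domain so autodiscovery works, sss in nsswitch, and clock skew). The sample contents and the function names are assumptions; 300 seconds is libkrb5's default clockskew tolerance.

```python
import configparser
import re

# Constructed sample files mirroring the post's placeholders (DOMAIN = the AD realm).
KRB5_CONF = "[libdefaults]\n default_realm = DOMAIN\n dns_lookup_kdc = false\n"
SMB_CONF = """[global]
workgroup = DOMAIN
realm = DOMAIN
kerberos method = secrets and keytab
template homedir = /home/%U
"""
SSSD_CONF = """[sssd]
domains = DOMAIN
[domain/DOMAIN]
id_provider = ad
fallback_homedir = /home/%u
"""
NSSWITCH = "passwd: files sss winbind\nshadow: files sss\n"

def ini(text):
    # interpolation=None so Samba/sssd templates such as %U and %u are not expanded
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_configs(krb5_text, smb_text, sssd_text, nsswitch_text, skew_seconds):
    """Return a list of problems; an empty list means the four files agree."""
    problems = []
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    realm = m.group(1) if m else ""
    if not realm or realm != realm.upper():  # the post's UPPER CASE rule
        problems.append("krb5.conf: default_realm missing or not UPPER CASE")
    smb = ini(smb_text)
    if smb.get("global", "realm", fallback="") != realm:
        problems.append("smb.conf: realm does not match krb5.conf default_realm")
    if smb.get("global", "kerberos method", fallback="").lower() != "secrets and keytab":
        problems.append("smb.conf: kerberos method must be 'secrets and keytab'")
    sssd = ini(sssd_text)
    for dom in [d.strip() for d in sssd.get("sssd", "domains", fallback="").split(",")]:
        if not sssd.has_section("domain/" + dom):
            problems.append("sssd.conf: no [domain/%s] section for listed domain" % dom)
        elif dom.upper() != realm:  # same name as the AD domain enables autodiscovery
            problems.append("sssd.conf: domain %r differs from the AD domain" % dom)
    nss = re.search(r"^passwd:\s*(.*)$", nsswitch_text, re.M)
    if not nss or "sss" not in nss.group(1).split():
        problems.append("nsswitch.conf: passwd line does not list sss")
    if abs(skew_seconds) > 300:  # libkrb5 default clockskew is 5 minutes
        problems.append("clock skew %ds exceeds Kerberos' 5 minute limit" % skew_seconds)
    return problems
```

Feed it the real files and the offset reported by ntpdate -q against a domain controller; anything in the returned list is worth fixing before running authconfig.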
linuxyeti
Posted: 08:51 - 11 Mar 2017
Andy_Pagin
Posted: 13:59 - 13 Mar 2017
I've succeeded in joining a CentOS 7 box to our domain using the adcli method detailed in the linky below. I didn't use realm since it's not available on our live RHEL6 servers.
https://jhrozek.livejournal.com/3581.html