This walkthrough uses a RHEL 6.2 (64-bit) server and a Windows Server 2003 Enterprise Edition domain controller (Active Directory). Both releases are now out of vendor support; the steps are kept here for reference.
OS : RHEL 6.2 (64 bit)
Hostname : mail.isvivek.com
IP Addr : 192.168.248.128
OS : Windows 2003 Enterprise Server (64 bit)
Active Directory Server
Hostname : win2k3.isvivek.com
IP Addr : 192.168.248.129
First set up Active Directory and make sure the domain controller is ready to authenticate clients.
For active directory configuration refer http://www.youtube.com/watch?v=ihxSA-VYO_Q link
Step 1 : Install the Samba packages. Quote the glob (`yum install -y 'samba*'`) so the shell cannot expand it against files in the current directory. For AD authentication alone the winbind packages (plus samba-common, which ships `net`) are what is required; the `samba` package itself provides the smbd/nmbd file server, which is only needed if this host will also serve shares.
[root@mail ~]# yum install -y samba*
[root@mail ~]# rpm -qa | grep samba
samba-common-3.5.10-114.el6.x86_64
samba-3.5.10-114.el6.x86_64
samba-winbind-3.5.10-114.el6.x86_64
samba-client-3.5.10-114.el6.x86_64
samba-winbind-clients-3.5.10-114.el6.x86_64
[root@mail ~]#
Step 2 : Configure the Linux box to authenticate against AD through Winbind and Kerberos
[root@mail ~]# authconfig-tui
Enable Kerberos and Winbind authentication
Enter Domain & AD server details
Select the "ads" security model, enter the domain and the AD server IP, and pick /bin/bash as the template shell
Click ok.
For reference, the resulting Samba and Kerberos configuration files are shown below (comment lines stripped). Two things to revisit before production use: the idmap range starts at 500, which overlaps the UIDs RHEL 6 assigns to local users, and a single domain controller is hard-coded by IP in both files, so there is no failover if it is down or re-addressed.
[root@mail ~]# grep -v \# /etc/samba/smb.conf| grep -v ";"| sort -u
[global]
# SID -> local uid/gid mapping range. No "idmap backend" is set, so the
# default (tdb) allocates IDs locally, first come first served: the same AD
# user can get a different uid on each Linux host, which matters for NFS or
# any shared storage. The range also starts at 500, the value RHEL 6 uses for
# the first local account (UID_MIN in /etc/login.defs) -- raise the lower
# bound above anything a local account could be given to avoid collisions.
idmap gid = 500-100000000
idmap uid = 500-100000000
# One domain controller pinned by IP: no failover. Keep this in step with the
# kdc entries in /etc/krb5.conf whenever the DC changes.
password server = 192.168.248.129
# Kerberos realm (upper case) and AD member-server security mode.
realm = ISVIVEK.COM
security = ads
# Every domain user winbind resolves gets an interactive shell. Nothing in
# this file limits which AD users may log in; pam_winbind's
# require_membership_of (not shown here) is the usual place to do that.
template shell = /bin/bash
# No cached credentials: logins fail while the DC is unreachable.
winbind offline logon = false
# Users appear as "isvivek" rather than "ISVIVEK\isvivek". A domain account
# named like a local one is then resolved by nsswitch order (files/compat
# before winbind), so the local account is the one found.
winbind use default domain = true
workgroup = isvivek
[root@mail ~]#
[root@mail ~]# cat /etc/krb5.conf
[logging]
# Library, KDC and kadmin logs. Only the first matters on a member server;
# this host runs neither a KDC nor kadmind.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ISVIVEK.COM
# DNS SRV/TXT lookups are off: the KDC comes from the static [realms] entry
# below, so a re-addressed or additional DC has to be edited in by hand.
dns_lookup_realm = false
dns_lookup_kdc = false
# Requested lifetimes; the AD domain policy caps what is actually granted.
ticket_lifetime = 24h
renew_lifetime = 7d
# Forwardable TGTs allow credential delegation (e.g. SSH GSSAPI delegation).
# Set to false unless delegation is actually needed.
forwardable = true
[realms]
ISVIVEK.COM = {
# All roles point at the single 2003 DC by IP. kdc (88) and kpasswd_server
# (464) are what AD serves; admin_server refers to MIT kadmind, which AD
# does not run, so it is effectively unused here.
# A Windows 2003 KDC predates the AES Kerberos encryption types, so expect
# RC4-HMAC (or DES) session keys against it -- check with `klist -e`.
kdc = 192.168.248.129
admin_server = 192.168.248.129
kpasswd_server = 192.168.248.129
default_domain = isvivek.com
}
[domain_realm]
# Map the DNS domain, and every host under it, to the realm.
isvivek.com = ISVIVEK.COM
.isvivek.com = ISVIVEK.COM
[root@mail ~]#
[root@mail ~]# grep -v \# /etc/samba/smb.conf| grep -v ";"| sort -u
[global]
# SID -> local uid/gid mapping range. No "idmap backend" is set, so the
# default (tdb) allocates IDs locally, first come first served: the same AD
# user can get a different uid on each Linux host, which matters for NFS or
# any shared storage. The range also starts at 500, the value RHEL 6 uses for
# the first local account (UID_MIN in /etc/login.defs) -- raise the lower
# bound above anything a local account could be given to avoid collisions.
idmap gid = 500-100000000
idmap uid = 500-100000000
# One domain controller pinned by IP: no failover. Keep this in step with the
# kdc entries in /etc/krb5.conf whenever the DC changes.
password server = 192.168.248.129
# Kerberos realm (upper case) and AD member-server security mode.
realm = ISVIVEK.COM
security = ads
# Every domain user winbind resolves gets an interactive shell. Nothing in
# this file limits which AD users may log in; pam_winbind's
# require_membership_of (not shown here) is the usual place to do that.
template shell = /bin/bash
# No cached credentials: logins fail while the DC is unreachable.
winbind offline logon = false
# Users appear as "isvivek" rather than "ISVIVEK\isvivek". A domain account
# named like a local one is then resolved by nsswitch order (files/compat
# before winbind), so the local account is the one found.
winbind use default domain = true
workgroup = isvivek
[root@mail ~]#
[root@mail ~]# cat /etc/krb5.conf
[logging]
# Library, KDC and kadmin logs. Only the first matters on a member server;
# this host runs neither a KDC nor kadmind.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ISVIVEK.COM
# DNS SRV/TXT lookups are off: the KDC comes from the static [realms] entry
# below, so a re-addressed or additional DC has to be edited in by hand.
dns_lookup_realm = false
dns_lookup_kdc = false
# Requested lifetimes; the AD domain policy caps what is actually granted.
ticket_lifetime = 24h
renew_lifetime = 7d
# Forwardable TGTs allow credential delegation (e.g. SSH GSSAPI delegation).
# Set to false unless delegation is actually needed.
forwardable = true
[realms]
ISVIVEK.COM = {
# All roles point at the single 2003 DC by IP. kdc (88) and kpasswd_server
# (464) are what AD serves; admin_server refers to MIT kadmind, which AD
# does not run, so it is effectively unused here.
# A Windows 2003 KDC predates the AES Kerberos encryption types, so expect
# RC4-HMAC (or DES) session keys against it -- check with `klist -e`.
kdc = 192.168.248.129
admin_server = 192.168.248.129
kpasswd_server = 192.168.248.129
default_domain = isvivek.com
}
[domain_realm]
# Map the DNS domain, and every host under it, to the realm.
isvivek.com = ISVIVEK.COM
.isvivek.com = ISVIVEK.COM
[root@mail ~]#
Step 4 : In /etc/nsswitch.conf file
Change the following lines. Keep `files` (or `compat`) ahead of `winbind` so local accounts, root included, are always resolved from the local files first.
passwd: files winbind
shadow: files winbind
group: files winbind
to
passwd: compat winbind
shadow: compat
group: compat winbind
Change the following lines. Keep `files` (or `compat`) ahead of `winbind` so local accounts, root included, are always resolved from the local files first.
passwd: files winbind
shadow: files winbind
group: files winbind
to
passwd: compat winbind
shadow: compat
group: compat winbind
Step 5 : Restart the services so the new configuration is picked up
[root@mail ~]# /etc/init.d/winbind stop
Shutting down Winbind services: [ OK ]
[root@mail ~]# /etc/init.d/smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@mail ~]# /etc/init.d/winbind start
Starting Winbind services: [ OK ]
[root@mail ~]#
Shutting down Winbind services: [ OK ]
[root@mail ~]# /etc/init.d/smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@mail ~]# /etc/init.d/winbind start
Starting Winbind services: [ OK ]
[root@mail ~]#
Step 6 :
To make sure no stale Kerberos tickets are cached, destroy any existing ticket with the command below
# kdestroy
# kdestroy
Step 7 :
Join the Linux box to AD. `-k` asks `net` to authenticate with Kerberos; the ticket cache was just destroyed, so either run `kinit administrator` first or drop `-k` and type the password at the prompt. The join only needs an account allowed to create computer objects in the target container, so prefer a delegated join account (or a pre-created computer object) over Domain Administrator, and keep the credential out of shell history and scripts.
# net ads join -U administrator -k
# net ads join -U administrator -k
(or)
# net join -S win2k3 -U ANYADUSER
Note : You will see the error below if no DNS server or DNS record is configured for this host. Authentication still works here because the KDC and password server are pinned by IP, but the host then has no A record in AD DNS; add one manually if anything will reach this box by name over Kerberos (for example SSH with GSSAPI).
Error:
No DNS domain configured for hostname. Unable to perform DNS Update.
DNS update failed!
Note : You will see the error below if no DNS server or DNS record is configured for this host. Authentication still works here because the KDC and password server are pinned by IP, but the host then has no A record in AD DNS; add one manually if anything will reach this box by name over Kerberos (for example SSH with GSSAPI).
Error:
No DNS domain configured for hostname. Unable to perform DNS Update.
DNS update failed!
Step 8 :
Verification Steps :
Below command returns the AD membership status
[root@mail ~]# net ads testjoin
Join is OK
[root@mail ~]#
Below command provides the AD membership details. Check the `Server time offset` line: -126 seconds is inside the default Kerberos clock-skew tolerance of 5 minutes, but not by much, so synchronise this host's clock to the domain controller with NTP before relying on it.
[root@mail ~]# net ads info
LDAP server: 192.168.248.129
LDAP server name: win2k3.isvivek.com
Realm: ISVIVEK.COM
Bind Path: dc=ISVIVEK,dc=COM
LDAP port: 389
Server time: Mon, 29 Apr 2013 16:09:51 IST
KDC server: 192.168.248.129
Server time offset: -126
[root@mail ~]#
Below command lists the AD users winbind can see. It enumerates the whole domain; on a large domain use `wbinfo -i <user>` to look up a single account instead.
[root@mail ~]# wbinfo -u
administrator
guest
krbtgt
isvivek
sleodeepak
linuxmail
user1
user2
[root@mail ~]#
administrator
guest
krbtgt
isvivek
sleodeepak
linuxmail
user1
user2
[root@mail ~]#
Try to log in as an AD user that does not exist on the local Linux box. Note in the listing below that the auto-created home directory is mode 755 (world-readable); if that is not acceptable, set a restrictive umask in whichever of pam_mkhomedir or oddjobd-mkhomedir created it.
login as: isvivek
isvivek@192.168.248.128's password:
Creating home directory for isvivek.
Last login: Thu May 30 12:59:17 2013 from 192.168.248.1
[isvivek@mail ~]$ pwd
/home/ISVIVEK/isvivek
[isvivek@mail ~]$ ll -a
total 28
drwxr-xr-x 4 isvivek domain users 4096 May 30 15:21 .
drwx--x--x 3 root root 4096 May 30 15:20 ..
-rw-r--r-- 1 isvivek domain users 18 May 30 15:20 .bash_logout
-rw-r--r-- 1 isvivek domain users 176 May 30 15:21 .bash_profile
-rw-r--r-- 1 isvivek domain users 124 May 30 15:20 .bashrc
drwxr-xr-x 2 isvivek domain users 4096 May 30 15:20 .gnome2
drwxr-xr-x 4 isvivek domain users 4096 May 30 15:20 .mozilla
[isvivek@mail ~]$ grep -i isvivek /etc/passwd
[isvivek@mail ~]$
All the best...



