How to Authenticate to Active Directory on SuSE Linux 9


My previous post, How to join Fedora Core 6 Samba Server to Windows 2003 Active Directory, I believe has been helpful, and it is getting a lot of traffic from the Google search engine.

This article, “How to Authenticate to Active Directory on SuSE Linux 9”, focuses on joining an AD domain and authenticating against it with SLES9 SP3 running in my VM.

Basically the setup details are:

SLES9: 192.168.1.10
Windows 2003 Server (AD domain controller): 192.168.1.1
Required RPMs: heimdal-lib (Kerberos), samba-client, samba-winbind, samba, sudo, xntp, glibc, pwdutils, openssh.

A. Time synchronization
Ensure the clocks of your SLES9 box and the AD domain controller are synchronized; Kerberos rejects requests whose timestamp is off by more than the allowed skew (clockskew = 300 seconds in the krb5.conf below), so a drifting clock shows up as a kinit or join failure. With the domain controller (or the same time source) configured in /etc/ntp.conf, type #rcxntpd start

B. Kerberos setup
Edit /etc/krb5.conf

[libdefaults]
        default_realm = AD.YOURDOMAIN.COM
        clockskew = 300

[realms]
        AD.YOURDOMAIN.COM = {
                kdc = ad01.ad.yourdomain.com
                default_domain = ad.yourdomain.com
                admin_server = ad01.ad.yourdomain.com
        }
        EXAMPLE.COM = {
                kdc = kerberos.example.com
                admin_server = kerberos.example.com
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .ad.yourdomain.com = AD.YOURDOMAIN.COM

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 1
                try_first_pass = true
        }

Note: Be careful here. Realm names are CASE SENSITIVE: the realm (AD.YOURDOMAIN.COM) is upper case, the DNS names under it are lower case, and the [domain_realm] mapping must use exactly that spelling. Also make sure the SLES9 host and the domain controller can resolve and ping each other. The EXAMPLE.COM stanza is left over from the default file; it is harmless but can be deleted.

C. Samba setup
Edit /etc/samba/smb.conf

[global]
winbind separator = +
winbind cache time = 10
winbind use default domain = yes
workgroup = ADYOURDOMAIN
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = AD.YOURDOMAIN.COM
security = ADS
template homedir = /home/%U
template shell = /bin/bash
password server = server.example.com
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *password:*all*authentication*tokens*updated*successfully
pam password change = yes

The example shown above is not complete, and several lines (printing, logon path, the dhcp.conf include) are just SLES defaults. The settings that matter for the join are realm, security = ADS and workgroup: the realm must match default_realm in krb5.conf character for character, and workgroup must be the domain's NetBIOS (short) name, the one net ads join reports as “Using short domain name”. With security = ADS the domain controllers are located through DNS, so the password server line is optional; either remove it (the default, *, auto-locates a DC) or point it at a real DC rather than the placeholder server.example.com. Note also that winbind separator = + means domain-qualified names are written ADYOURDOMAIN+user, while winbind use default domain = yes lets domain users log in with a bare user name. map to guest = Bad User maps unknown SMB users to the guest account; drop it if this machine will also serve files.
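Before going on to the join, it is worth checking that the two files from steps B and C agree with each other. The script below is an added example, not part of the original post: it pulls default_realm out of krb5.conf and realm, security and workgroup out of smb.conf and flags the mistakes that make kinit or net ads join fail (a realm that is not upper case, realms that differ between the two files, a missing [domain_realm] mapping, or security set to something other than ADS). File paths are parameters; the sample files it writes are constructed for the demonstration and use the same names as the configs above. It assumes, as on this page, that the DNS domain is the lower-cased realm.

```shell
#!/bin/bash
# Added pre-join consistency check (example code, not from the post).

# ini_get FILE SECTION KEY -> first value of KEY under [SECTION]
# (section and key match case-insensitively; smb.conf keys may contain spaces)
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ ("^[[:space:]]*\\[" tolower(sec) "\\]")); next }
        insec && tolower($0) ~ ("^[[:space:]]*" tolower(key) "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

upper()     { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower()     { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }   # '.' is the only regex char in a realm name

# check_join_config KRB5_CONF SMB_CONF -> prints one line per finding,
# returns the number of findings (0 = the two files are consistent)
check_join_config() {
    local krb="$1" smb="$2" n=0 krealm srealm sec want dom
    krealm=$(ini_get "$krb" libdefaults default_realm)
    srealm=$(ini_get "$smb" global realm)
    sec=$(ini_get "$smb" global security)
    want=$(upper "$krealm")          # how the realm must be spelled
    dom=$(lower "$krealm")           # assumption: DNS domain == lower-cased realm

    if [ -z "$krealm" ]; then
        echo "krb5.conf: no default_realm in [libdefaults]"; n=$((n+1))
    elif [ "$krealm" != "$want" ]; then
        echo "krb5.conf: default_realm '$krealm' is not upper case; realm names are case sensitive"; n=$((n+1))
    fi
    if [ "$srealm" != "$krealm" ]; then
        echo "realm mismatch: krb5.conf '$krealm' vs smb.conf '$srealm'"; n=$((n+1))
    fi
    if [ "$(lower "$sec")" != ads ]; then
        echo "smb.conf: security = '$sec' (must be ADS for net ads join)"; n=$((n+1))
    fi
    if ! grep -q "^[[:space:]]*\.$(re_escape "$dom")[[:space:]]*=[[:space:]]*$(re_escape "$want")[[:space:]]*$" "$krb"; then
        echo "krb5.conf: [domain_realm] lacks '.$dom = $want'"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample files: a consistent pair and a pair with three classic mistakes.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/krb5.good" <<'EOF'
[libdefaults]
        default_realm = AD.YOURDOMAIN.COM
        clockskew = 300
[realms]
        AD.YOURDOMAIN.COM = {
                kdc = ad01.ad.yourdomain.com
        }
[domain_realm]
        .ad.yourdomain.com = AD.YOURDOMAIN.COM
EOF
cat > "$TMP/smb.good" <<'EOF'
[global]
        workgroup = ADYOURDOMAIN
        realm = AD.YOURDOMAIN.COM
        security = ADS
EOF
cat > "$TMP/krb5.bad" <<'EOF'
[libdefaults]
        default_realm = ad.yourdomain.com
[domain_realm]
        .ad.yourdomain.com = AD.YOURDOMAIN.COM
EOF
cat > "$TMP/smb.bad" <<'EOF'
[global]
        realm = AD.YOURDOMAIN.COM
        security = user
EOF

for pair in good bad; do
    check_join_config "$TMP/krb5.$pair" "$TMP/smb.$pair"; rc=$?
    echo "$pair: $rc problem(s)"
done
```

Run it against the real files with check_join_config /etc/krb5.conf /etc/samba/smb.conf; the non-zero return code makes it usable as a guard in a provisioning script before net ads join is attempted.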

D. /etc/nsswitch.conf setup
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files

E. PAM configuration
/etc/pam.d/passwd
auth required pam_unix2.so nullok
auth sufficient pam_winbind.so
account required pam_unix2.so
account sufficient pam_winbind.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so

/etc/pam.d/sshd
auth sufficient pam_winbind.so
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account sufficient pam_winbind.so
account required pam_unix2.so
account required pam_nologin.so
password sufficient pam_winbind.so use_authtok
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so

/etc/pam.d/login
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix2.so nullok use_first_pass
auth required pam_deny.so
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_unix2.so
password sufficient pam_winbind.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session sufficient pam_limits.so

Note:
Notice the pam_mkhomedir.so session line in sshd and login. It creates the user's home directory in Unix if one does not already exist, with umask 0077 so that only the user has access to it. The pam_winbind.so lines hand authentication over to the AD domain controller; as a sufficient module it short-circuits the stack on success, and on failure the stack falls through to pam_unix2.so for local accounts. The nullok option on pam_unix2.so lets local accounts with an empty password field log in; drop it unless you actually need that.

/etc/pam.d/sudo (requires the sudo rpm)
auth sufficient pam_winbind.so
auth required pam_unix2.so
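The order of required and sufficient lines decides which users these stacks accept, and the passwd stack above orders them differently from sshd and login. The script below is an added example, not part of the original post: a small evaluator of the Linux-PAM control flags (required, requisite, sufficient, optional) run over the auth lines of the passwd and login stacks shown above. Module outcomes are simulated, not taken from real modules; the simulated cases assume that pam_winbind.so accepts an AD account while pam_unix2.so rejects it because the account has no /etc/shadow entry.

```shell
#!/bin/bash
# Added PAM control-flag evaluator (example code, not from the post).

# pam_auth STACKFILE "module=ok module=fail ..." -> prints ok|fail, returns 0|1
# Any module not listed in the outcome string is treated as failing.
pam_auth() {
    local stack="$1" results="$2" typ ctl mod rest kv res failed=""
    while read -r typ ctl mod rest; do
        case "$typ" in auth) ;; *) continue ;; esac      # skip comments and other types
        res=fail
        for kv in $results; do
            case "$kv" in "$mod="*) res=${kv#*=} ;; esac
        done
        case "$ctl" in
            required)   [ "$res" = ok ] || failed=yes ;;                 # remember, keep going
            requisite)  [ "$res" = ok ] || { echo fail; return 1; } ;;   # stop immediately
            sufficient) if [ "$res" = ok ] && [ -z "$failed" ]; then     # short-circuit only if
                            echo ok; return 0                            # no required line failed
                        fi ;;
            optional)   ;;                                               # never decisive
        esac
    done < "$stack"
    [ -z "$failed" ] && { echo ok; return 0; }
    echo fail; return 1
}

# The auth lines of the two stacks above, plus the passwd stack with the
# sshd ordering (winbind first). Constructed for the demonstration.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/passwd.auth" <<'EOF'
auth required pam_unix2.so nullok
auth sufficient pam_winbind.so
EOF
cat > "$TMP/passwd.reordered" <<'EOF'
auth sufficient pam_winbind.so
auth required pam_unix2.so nullok use_first_pass
EOF
cat > "$TMP/login.auth" <<'EOF'
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix2.so nullok use_first_pass
auth required pam_deny.so
auth required pam_nologin.so
EOF

# Simulated module outcomes (constructed):
#  AD_USER    - account exists only in AD: winbind ok, no shadow entry so pam_unix2 fails
#  LOCAL_USER - local account with correct password: winbind fails, pam_unix2 ok
#  BAD_PW     - wrong password: both backends fail
COMMON="pam_securetty.so=ok pam_env.so=ok pam_nologin.so=ok"
AD_USER="$COMMON pam_winbind.so=ok pam_unix2.so=fail"
LOCAL_USER="$COMMON pam_winbind.so=fail pam_unix2.so=ok"
BAD_PW="$COMMON pam_winbind.so=fail pam_unix2.so=fail"

for s in login.auth passwd.auth passwd.reordered; do
    printf '%-17s AD user: %-4s local user: %-4s bad password: %s\n' "$s" \
        "$(pam_auth "$TMP/$s" "$AD_USER")" \
        "$(pam_auth "$TMP/$s" "$LOCAL_USER")" \
        "$(pam_auth "$TMP/$s" "$BAD_PW")"
done
```

The login stack accepts the AD user because pam_winbind.so is sufficient and no required line before it has failed. The passwd stack as shown puts pam_unix2.so required first: its failure is remembered, so the later sufficient pam_winbind.so success cannot end the stack early and the AD-only account is rejected, which means such users cannot run passwd. Moving pam_winbind.so above pam_unix2.so, as the sshd stack already does, accepts both kinds of account while still rejecting a wrong password.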

F. Join Domain
Make sure Samba and Winbind are stopped:
#/etc/init.d/smb stop
#/etc/init.d/winbind stop

For debugging purposes, disable the nscd caching daemon in all runlevels and stop it if it is running; otherwise stale cached lookups can mask winbind problems:
#/etc/init.d/nscd stop
#chkconfig nscd off

Make sure Kerberos is working properly:
#kinit domainadministrator@AD.YOURDOMAIN.COM
Enter the administrator password when prompted. If kinit succeeds, #klist shows a krbtgt/AD.YOURDOMAIN.COM@AD.YOURDOMAIN.COM ticket; if it fails with a clock skew or pre-authentication error, go back to steps A and B before continuing.

Type #net ads join -U domainadministrator
Domainadministrator’s password:
Using short domain name -- AD
Joined ‘AD.YOURDOMAIN.COM’ to realm ‘AD.YOURDOMAIN.COM’

You should now be connected to Microsoft AD. Start winbind again (#/etc/init.d/winbind start, and #chkconfig winbind on so it comes up at boot), then check that it can retrieve domain information with the following commands:

wbinfo -t (checks the machine account secret created by the join)
wbinfo -u (lists all domain users)
wbinfo -g (lists all domain groups)

G. Testing
Open a new PuTTY SSH session and log in with your AD user name and password. Because of winbind use default domain = yes the bare user name works; the domain-qualified form uses the winbind separator configured above, e.g. ADYOURDOMAIN+youradusername. On first login pam_mkhomedir creates the home directory under /home.

If you require sudo, type #visudo and insert:
%ADYOURDOMAIN\\adgroupnamehere ALL=(ALL) ALL
and save. Spell the group exactly as getent group shows it; the domain prefix and the separator depend on the winbind separator and winbind use default domain settings, and a backslash separator must be doubled in sudoers, as above.

After logging in as a normal user, type #sudo su -
You are required to enter your own password, and you then have access as root.

Congratulations! You’re done!

One Response to “How to Authenticate to Active Directory on SuSE Linux 9”

  1. VMware ESX 3.5 Authentication Login Using Active Directory | Malaysia VMware Communities Says:

    [...] SLES 9 Authentication Login Using Active Directory [...]
