-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of William Warren Sent: Monday, February 19, 2007 4:57 PM To: CentOS mailing list Subject: [CentOS] SBS2ke Ad integration
I have a couple of workstations that are perfect candidates for Linux at a client's location. The only think i am shaky on is getting CentOS 4.4 to integrate into the AD domain. Any tips links would be highly appreciated.
Install samba-common, samba-client then,
This samba.conf works well for me for a ADS domain member scenario:
[global] workgroup = MFG security = ADS password server = * realm = MFG.PRV load printers = No max log size = 50 passdb backend = tdbsam use kerberos keytab = Yes allow trusted domains = No idmap gid = 100000-999999 idmap uid = 100000-999999 template homedir = /home/%U template shell = /bin/bash winbind enum groups = Yes winbind enum users = Yes winbind use default domain = Yes
Here's my krb5.conf:
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log
[libdefaults] default_realm = MFG.PRV dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = yes renewable = yes
[realms] MFG.PRV = { kdc = mfg.prv:88 admin_server = mfg.prv:749 default_domain = mfg.prv }
[domain_realm] .mfg.prv = MFG.PRV mfg.prv = MFG.PRV
[kdc] profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults] pam = { debug = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true renewable = true krb4_convert = false }
Here's my nsswitch.conf:
# # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Legal entries are: # # nis or yp Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # ldap Use LDAP (only if nss_ldap is installed) # nisplus or nis+ Use NIS+ (NIS version 3), unsupported # [NOTFOUND=return] Stop searching if not found so far #
# To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files ldap nis #shadow: db files ldap nis #group: db files ldap nis
passwd: files winbind shadow: files group: files winbind
#hosts: db files ldap nis dns hosts: files dns
# Example - obey only what ldap tells us... #services: ldap [NOTFOUND=return] files #networks: ldap [NOTFOUND=return] files #protocols: ldap [NOTFOUND=return] files #rpc: ldap [NOTFOUND=return] files #ethers: ldap [NOTFOUND=return] files
bootparams: files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files publickey: files automount: files aliases: files
Here's my pam.d/system-auth:
auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/$ISA/pam_krb5.so use_authtok password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session optional /lib/security/$ISA/pam_krb5.so
My pam.d/login:
#%PAM-1.0 auth required pam_securetty.so auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_stack.so service=system-auth session required pam_loginuid.so session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent session optional pam_console.so # pam_selinux.so open should be the last session rule session required pam_selinux.so open
My pam.d/remote:
#%PAM-1.0 auth required pam_securetty.so auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_stack.so service=system-auth session required pam_loginuid.so session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent session optional pam_console.so # pam_selinux.so open should be the last session rule session required pam_selinux.so open
My pam.d/sshd:
#%PAM-1.0 auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth session required pam_loginuid.so session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
After the files are setup just join the domain with:
net ads join -U <admin user>
Set winbind to start with, chkconfig winbind on
Start the winbind server, service winbind start
And you should be all set to have ADS users log on to the system.
-Ross
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.