Friday, May 18, 2012

Joining Linux server/workstation to Windows Active Directory

This  joins your Linux machine to a Windows Active Directory domain
and allows you to share your samba shares to users of the Active Directory domain without further authentication.

You need to install the latest version of Samba which is currently version 3
also  install samba-common, samba-client  and samba-winbind

yum install samba samba-client samba-common samba-winbind

if not already installed you also need to have
ntpd, and kerebos installed

yum install ntpd  kerberos


it is imperative that your linux machines clock is in sync with the active directory domain controller

ntpdate -u  [ip of your ADserver]

eg
ntpdate -u 192.168.1.10


next make sure that ntpd winbind and samba all start on boot up and are all running


chkconfig ntpd on
chkconfig winbind on
chkconfig smb on
/etc/init.d/ntpd start
/etc/init.d/smb start
/etc/init.d/winbind start


next edit your samba config file

vim /etc/samba/smb.conf


and change the following settings so that they are as they appear here.
Substitute CLIVE.COM with your Active directory domain name.
Also insure that you do not have a netbios entry.
If you have a line in your samba config file that says
netbios name = somename

delete the above line (if it exists)

the netbios entry will be added automatically by the system when you join the domain later.

your smb.conf should look something like this

 workgroup = CLIVE
        realm = CLIVE.COM
        preferred master = no
        server string = Samba File Server

 security = ADS
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%m
        max log size = 50
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        winbind separator = +
        idmap uid = 600-20000
        idmap gid = 600-20000
        hosts allow = 192.168.1.0/24 (put the ip of your network here)
        hosts deny = 0.0.0.0/0

Restart samba to load in the new config.

/etc/init.d/smb restart 

next you need to edit your kerberos config file

vim /etc/krb5.conf
and make the following additions
change CLIVE.COM for your AD domain name
and change servername to your active Directory domain controllers machine name.

case sensitivity is of extreme importance here.
[realms]
 CLIVE.COM = {
  kdc = servername.clive.com:88
  admin_server = servername.clive.com:749
  default_domain = clive.com
 }


 [domain_realm]
 .kerberos.server = CLIVE.COM
 .clive.com = CLIVE.COM
 clive.com = CLIVE.COM

save the file

and then run the following file to make sure everything is working as it should.

 /usr/kerberos/bin/kinit administrator@CLIVE.COM

You should be asked for the domain administrators password, once put in correctly you will return to a command prompt.

(Please note if you get an error here it is more than likely because your clock on your linux machine is not synced to your active directory domain controller)  check your clock and use ntpd to sync it properly.

next edit your nsswitch.conf file and change it so that it looks like this
vim /etc/nsswitch.conf

passwd:     compat winbind
shadow:     compat
group:      compat winbind

save the file and restart winbind
/etc/init.d/winbind restart

 And now lets join your machine to the domain.
type
net ads join -U Administrator@CLIVE.COM

put in the administrators password and if all goes well your machine will be added to the domain
next type
wbinfo -u

to show a list of all the users of the Active directory domain.

in Samba to give access to an active directory user to your samba share,
edit the valid users line in your smb.conf file and add your active directory users like so,
substitute CLIVE for your domain name

[share]
        comment = share
        path = "/home/samba/shares/share/"
        browseable = yes
        writable = yes
        read only = no
        create mode = 0777
        directory mode = 2777
        valid users = CLIVE+administrator CLIVE+cliveg CLIVE+user2

to add an entire group ie Domain Users use the @
eg
valid users = "@CLIVE+Domain_users" 

don't forget to restart Samba every time you make changes to smb.conf.




No comments: