Active Directory


How to add Redhat Server 6.0 to Active Directory

We will be using sssd, Kerberos and LDAP to join the server to an Active Directory domain for SSO (single sign-on authentication).

Note: After you have successfully deployed a server using kickstart, or manually registered a Red Hat server to Satellite, the next step is to join the server to the domain controller, i.e. Active Directory.

1.     Log in to the server via SSH using PuTTY or a similar SSH client.

2.     Next, install the required packages by typing the following:

  • yum install -y sssd krb5-workstation samba-common authconfig oddjob-mkhomedir

  If your server is not registered to Satellite, you will need to set up the following files manually for this to work. Example files showing what they should contain are provided at the bottom of this document; adjust them to your environment.

  • /etc/krb5.conf
  • /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf
  • /etc/pam.d/password-auth-ac
  • /etc/pam.d/su
  • /etc/pam.d/system-auth-ac
  • /etc/samba/smb.conf
  • /etc/sssd/sssd.conf
  • /etc/sudoers
  • /etc/nsswitch.conf

3.     Since the server is already registered to Satellite, you can deploy the configuration files needed to join the domain from the Satellite server as follows:

  1. Log in to the Red Hat Satellite server, in the organization that manages this server.
  2. Click Systems in the top left corner.
  3. Filter the systems by the server name and click Go.
  4. Click the host name of the server.
  5. Click Configuration.
  6. On the far right you should see "Deploy all managed config files"; click that.
  7. At the bottom right, select "Schedule deploy".

4.     Now log in to the server via SSH and pull down the configuration files by typing:

  • rhn_check -vvvv
    (this pulls down all the managed configuration files from the Satellite server, with verbose output)

5.     Now enable the mkhomedir feature in authconfig so that home directories are created for users who do not yet have one. Type the following at the SSH prompt:

  • authconfig --enablemkhomedir --update


6.     Now edit the file /etc/security/limits.conf and add the following line:

  • *               -       nofile  16384

7.     Now validate and load the Samba configuration by running:

  • testparm

The output will look something like this:

Load smb config files from /etc/samba/smb.conf

Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

 [global]
            workgroup = NICKSTG
            realm = NICKSTG.NICKTAILOR.COM
            security = ADS
            kerberos method = secrets and keytab
            log file = /var/log/
            client signing = Yes
            idmap config * : backend = tdb

8.     Next, get a Kerberos ticket for the domain admin account and join the domain:

  1. kinit <DC Admin Username>
  2. net ads join -k (this joins the server to the domain using the Kerberos credentials obtained above)

Note: If net ads join fails, it is most likely due to one of three reasons:

  • DNS is not set up in Active Directory for the host.
  • The server's clock differs from the domain controller's by more than 5 minutes.
  • DNS in /etc/resolv.conf is not pointed at the Active Directory domain controllers.

I ran into the NTP issue. Here is how you fix it.

  • yum install ntp
  • Edit /etc/ntp.conf
  • Add the following lines and save the file:

restrict default ignore
restrict 127.0.0.1 

restrict ntp01.nicktailor.com mask 255.255.255.255 nomodify notrap noquery
server ntp01.nicktailor.com iburst

driftfile /var/lib/ntp/drift

Now manually sync the clock against the NTP server:

  • ntpdate -u 192.168.1.56   (ntp01.nicktailor.com)
  • then rerun net ads join -k
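The three causes of a failed join listed above can be checked before running net ads join. The script below is an added example, not part of the original post; DC_IPS and the host name are assumptions, and the resolv.conf files it creates are constructed samples so it runs offline:

```shell
#!/bin/sh
# Added example (not from the original post): pre-join checks for the three
# causes of a failed "net ads join" listed above. DC_IPS and the host name are
# assumptions; the resolv.conf files below are constructed so this runs offline.

DC_IPS="192.168.1.56"   # assumption: your domain controller IPs, space-separated
MAX_SKEW=300            # Kerberos rejects requests when clocks differ by > 5 minutes

# Cause 3: is at least one DC listed as a nameserver in the given resolv.conf?
resolv_points_to_dc() {    # $1 = path to a resolv.conf
    for ip in $DC_IPS; do
        pat=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for grep -E
        grep -qE "^[[:space:]]*nameserver[[:space:]]+${pat}([[:space:]]|\$)" "$1" && return 0
    done
    return 1
}

# Cause 2: is the clock offset (seconds, may be negative or fractional, e.g. the
# offset reported by ntpdate -q) within the Kerberos tolerance?
skew_ok() {                # $1 = offset in seconds
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# Cause 1: does the host's FQDN resolve, i.e. does AD DNS have a record for it?
host_in_dns() {            # $1 = fully qualified host name
    getent hosts "$1" >/dev/null 2>&1
}

# Run all three on a live host and report each failed precondition.
prejoin_checks() {         # $1 = resolv.conf path, $2 = NTP offset in seconds, $3 = FQDN
    rc=0
    resolv_points_to_dc "$1" || { echo "$1 does not list a DC as nameserver"; rc=1; }
    skew_ok "$2"             || { echo "clock offset ${2}s exceeds ${MAX_SKEW}s: run ntpdate -u <dc>"; rc=1; }
    host_in_dns "$3"         || { echo "no DNS record for $3: add it in AD DNS"; rc=1; }
    return $rc
}

# Constructed sample files standing in for /etc/resolv.conf (good and bad).
GOOD_RESOLV=$(mktemp); printf 'search nickstg.nicktailor.com\nnameserver 192.168.1.56\n' > "$GOOD_RESOLV"
BAD_RESOLV=$(mktemp);  printf 'nameserver 8.8.8.8\n' > "$BAD_RESOLV"

# On the real server you would run something like:
#   prejoin_checks /etc/resolv.conf <offset from ntpdate -q> "$(hostname -f)"
```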

9.     Enable the following services to start on boot:

  • chkconfig sssd on
  • chkconfig oddjobd on
  • chkconfig sshd on

10.    Start the above services:

  • service sshd start
  • service oddjobd start
  • service sssd start

11.    Lastly, install the CIFS client tools for file sharing:

  • yum install -y cifs-utils

12.    You should now be able to reboot the server and log in over SSH with Active Directory credentials.

If your server is not registered to Satellite

You will need to have the following files configured as shown below.

/etc/krb5.conf
============================================================
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = NICKSTG.NICKTAILOR.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
NICKSTG.NICKTAILOR.COM = {
kdc = DC1.NICKTAILOR.COM
admin_server = DC1.NICKTAILOR.COM
rdns = false
}

[domain_realm]
.nickstg.nicktailor.com = NICKSTG.NICKTAILOR.COM
nickstg.nicktailor.com = NICKSTG.NICKTAILOR.COM
==============================================================

/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf
==============================================================
<?xml version="1.0"?>

<!-- This configuration file snippet controls the oddjob daemon. It
provides access to mkhomedir functionality via a service named
"com.redhat.oddjob_mkhomedir", which exposes a single object
("/").
The object allows the root user to call any of the standard D-Bus
introspection interface's methods (these are implemented by
oddjobd itself), and also defines an interface named
"com.redhat.oddjob_mkhomedir", which provides two methods. -->

<oddjobconfig>
  <service name="com.redhat.oddjob_mkhomedir">
    <object name="/">
      <interface name="org.freedesktop.DBus.Introspectable">
        <allow min_uid="0" max_uid="0"/>
        <!-- <method name="Introspect"/> -->
      </interface>
      <interface name="com.redhat.oddjob_mkhomedir">
        <method name="mkmyhomedir">
          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0077"
                  arguments="0"
                  prepend_user_name="yes"/>
          <!-- no acl entries -> not allowed for anyone -->
        </method>
        <method name="mkhomedirfor">
          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0077"
                  arguments="1"/>
          <allow user="root"/>
        </method>
      </interface>
    </object>
  </service>
</oddjobconfig>
==================================================================

/etc/pam.d/password-auth-ac
==================================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
==================================================================

/etc/pam.d/su
==================================================================
#%PAM-1.0
auth sufficient pam_rootok.so

auth [success=2 default=ignore] pam_succeed_if.so use_uid user ingroup servertech_all
auth [success=1 default=ignore] pam_succeed_if.so use_uid user ingroup wheel
auth required pam_deny.so

auth include system-auth

account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth

password include system-auth

session include system-auth
session optional pam_xauth.so

#This line is the last line
==================================================================

/etc/pam.d/system-auth-ac
==================================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
==================================================================

/etc/samba/smb.conf
=================================================================
[global]
workgroup = NICKSTG
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = NICKSTG.NICKTAILOR.COM

security = ads
log file = /var/log/
=================================================================

/etc/sssd/sssd.conf
================================================================
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default, nickstg.nicktailor.com
#debug_level = 9

[nss]
filter_groups = root
filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,games,gopher,ftp,nobody,vcsa,pcap,ntp,dbus,avahi,rpc,sshd,xfs,rpcuser,nfsnobody,haldaemon,avahi-autoipd,gdm,nscd,oracle,deploy,tomcat,jboss,apache,ejabberd,cds,distcache,squid,mailnull,smmsp,backup,bb,clam,obdba,postgres,named,mysql,quova
reconnection_retries = 3

[pam]
reconnection_retries = 3
#debug_level = 9

[domain/nickstg.nicktailor.com]
id_provider = ad
access_provider = simple
cache_credentials = true
#ldap_search_base = OU=NICKSTG-Users,DC=NICKSTG,DC=nicktailor,DC=com
override_homedir = /home/%u
default_shell = /bin/bash
simple_allow_groups = ServerTech_All,Server_Systems_Integration
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
#debug_level = 9
krb5_auth_timeout = 30
cache_credentials = True
ldap_group_nesting_level = 0
ad_server = nickstg.nicktailor.com

==================================================================
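Whether a host's sssd.conf actually limits logins to chosen AD groups (access_provider = simple together with simple_allow_groups, as in the file above) is worth verifying before the box goes into service: with no access_provider sssd falls back to permit and every AD account can log in. The audit script below is an added example, not the post's own code; the sssd.conf samples it writes are constructed:

```shell
#!/bin/sh
# Added example (not from the original post): audit an sssd.conf for the setting
# that limits logins to AD groups, as the config above does with
# access_provider = simple plus simple_allow_groups. Samples are constructed.

# Exit 0 if every [domain/...] section has access_provider = simple and a
# non-empty simple_allow_groups; exit 1 otherwise (other providers' filters,
# e.g. ad_access_filter, are out of scope here).
sssd_logins_restricted() {    # $1 = path to an sssd.conf
    awk '
        function flush() { if (indom && !(prov == "simple" && grp != "")) bad = 1 }
        /^[ \t]*\[domain\// { flush(); indom = 1; seen = 1; prov = ""; grp = ""; next }
        /^[ \t]*\[/          { flush(); indom = 0; next }
        !indom || /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "access_provider")     prov = val
            if (key == "simple_allow_groups") grp = val
        }
        END { flush(); exit ((bad || !seen) ? 1 : 0) }
    ' "$1"
}

# Constructed samples: one restricted like the config above, one wide open.
RESTRICTED_CONF=$(mktemp)
cat > "$RESTRICTED_CONF" <<'EOF'
[domain/nickstg.nicktailor.com]
id_provider = ad
access_provider = simple
simple_allow_groups = ServerTech_All, Server_Systems_Integration
EOF

OPEN_CONF=$(mktemp)
cat > "$OPEN_CONF" <<'EOF'
[domain/nickstg.nicktailor.com]
id_provider = ad
# no access_provider line: sssd falls back to permit
cache_credentials = true
EOF

for f in "$RESTRICTED_CONF" "$OPEN_CONF"; do
    if sssd_logins_restricted "$f"; then echo "$f: logins limited to simple_allow_groups"
    else echo "$f: WARNING, any AD account can log in"; fi
done
```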

/etc/sudoers
==================================================================
## /etc/sudoers
## nicktailor sudoers configuration

## Include all configuration from /etc/sudoers.d
## Note: the single # is needed in the line below and is NOT a comment!

#includedir /etc/sudoers.d
##%NICKSTG\\domain\ users ALL = NOPASSWD: ALL
%ServerTech_All ALL = NOPASSWD: ALL
%Server_Systems_Integration ALL = NOPASSWD: ALL

==================================================================

/etc/nsswitch.conf
==================================================================
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files sss
shadow: files sss
group: files sss

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: files sss

publickey: nisplus

automount: files sss
aliases: files nisplus

How to join an OpenSUSE host to Active Directory

Set up the SSH service first from the console:

  1. Log in as root and open a terminal.
  2. Set up the SSH server:
     • Edit the file /etc/ssh/sshd_config
       • Change PermitRootLogin to yes
       • Change PasswordAuthentication to yes
       • Save the file
     • Start the SSH server by typing: service sshd restart
     • Enable SSH to start on reboot: chkconfig sshd on
     • Log in via SSH as root to confirm that you can.
  3. Update /etc/resolv.conf with the domain controller IPs for DNS, so the host can find and authenticate against the domain controller. Add the following lines and save the file (these would be the IPs of your domain controllers):

        nameserver 192.168.0.10
        nameserver 192.168.0.11

Then open the authentication settings:

  1. Open the console window of the VM through vCenter and log in as root.
  2. Click the green start button at the bottom left.
  3. Click the Applications tab, to the right of Favorites above the green button.
  4. Click the System arrow.
  5. Scroll down and click Control Center.
  6. Click User and Group Management.
  7. Click the far right tab, "Authentication Settings".

Note: Before running these steps, make sure you have an administrator account for the domain controller and have properly set up DNS for the desktop/server in Active Directory.

  • Double click SSSD
  • Click Add on the right
  • Type in the domain name
    • DC1.NICKTAILOR.COM
    • Select ad for both drop-down boxes
  • Click Finish

  • Next, double click Samba
    • In the Domain or Workgroup field, type the domain DC1.NICKTAILOR.COM
      • Check the box Use SMB information for Linux Authentication
      • Check the box Create Home Directory on Login
      • Check the box Offline Authentication

  • Next, click Expert Settings

    NOTE: ONLY DO THIS SECTION IF YOU HAVE SET UP USER GROUPS IN ACTIVE DIRECTORY. IF YOU DON'T SET THIS UP, ANYONE WITH AN AD ACCOUNT WILL BE ABLE TO LOG IN TO YOUR MACHINE.

    • Under Allowed Groups, enter the group names or SIDs
    • Click OK, then OK again (allow any packages that need to be downloaded and installed)
    • When joining the domain it will ask for administrator credentials for the domain controller, which you will need

You should now be able to log in using your AD credentials through SSH and the console:

  • DC1\username
  • password