How to add Redhat Server 6.0 to Active Directory

.We will be using sssd/kerberos/ldap to join the server to a domain in Active directory for SSO(Single Sign On Authentication)

.

Note: After you have successfully deployed a server using kickstart or manually registered a redhat server to satellite, next we need to join the server to domain controller aka Active Directory

.

1.Login via ssh to the server via putty or similar ssh client.
2.Next we will need to install some packages, type the following below.

.

 yum install -y sssd krb5-workstation samba-common authconfig oddjob-mkhomedir
 If you do not have your server registered to satellite. You will need to manually setup the following files for this to work. I have at the bottom of this document provided example files of what they should contain. Which you will need to adjust to your specific environments.

.

· /etc/krb5.conf
· /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf
· /etc/pam.d/password-auth-ac
· /etc/pam.d/su
· /etc/pam.d/system-auth-ac
· /etc/samba/smb.conf
· /etc/sudoers

.

.

3.Now since the server is already registered to satellite. You can deploy the configuration files necessary to join the server to the domain from satellite server as follows.
1.Log into the red hat satellite server into the corresponding organization you wish to manage.
2.Click one systems top left corner
3.Next filter the server by name click go.
4.Click on the host name of the server
5.Now click on configuration
6.On the far right you should see “Deploy all managed config files” click that.
7.At the bottom right select “Schedule deploy”

.

4.Login via ssh to the server and pull down the configuration files by typing the following
8.rhn_check (this will pull down all the configuration files from satellite server)

.

5.Now you want to enabled authconfig so users home directories get created if they aren’t. Type the following at the ssh prompt.
9.Authconfig –emablemkhomedir –update

.

6.Now edit the file /etc/security/limits.conf and add the following line below.
 * – nofile 16384

.

7.Now you want to load configuration from samba by running “testparm”

..

.

The output will look like something this:

.

Load smb config files from /etc/samba/smb.conf

Loaded services file OK.

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

.

[global]

  workgroup = NICKSTG

  realm = NICKSTG.NICKTAILOR.COM

  security = ADS

  kerberos method = secrets and keytab

  log file = /var/log/

  client signing = Yes

  idmap config * : backend = tdb

.

8.Next you want to pull the admin credentials by running the following.
10.Kinit <DC Admin Username >
11.Net ads join k (this will add the server to the domain using above AD Credentials)

.

Note: If the nets join fails. It will be due to most likely three reasons.

 DNS not setup in Active directory for the host
 NTP server time is out more by more then 5 mins.
 Your dns is not pointed to active directory in /etc/resolv.conf

.

I ran into the NTP issue. Here is how you fix it.

 Yum install ntp
 Edit the etc/ntp.conf
 Add the following lines and save the file

.

 restrict default ignore
 restrict 127.0.0.1
 
 restrict ntp01.nicktailor.com mask 255.255.255.255 nomodify notrap noquery
 server ntp01.nicktailor.com iburst
 
 driftfile /var/lib/ntp/drift
 
 Now you want to manually update the NTP server by doing the following
 ntpdate -u 192.168.1.56(ntp01.nicktailor.com)
 and the rerun net ads join k

.

12.enable the following services to boot on reboot.
1.Chkconfig sssd on
2.Chkconfig oddjobd on
3.Chkconfig sshd
4.
13.Start the above services
5.service start sshd
6.service start oddjobd on
7.service start sssd

.

14.Lastly you will need file sharing installed
8.Yum install –y cifs-utils

.

15.Now you should be able reboot your server and login via active directory credentials via ssh.

.

.

If your server is not registered to satellite

.

You will need to have the following files configured as such

.

/etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

default_realm = NICKSTG.NICKTAILOR.COM

dns_lookup_realm = false

dns_lookup_kdc = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

[realms]

NICKSTG.NICKTAILOR.COM = {

kdc = DC1.NICKTAILOR.COM

admin_server = DC1.NICKTAILOR.COM

}

[domain_realm]

.nickstg.nicktailor.com = = NICKSTG.NICKTAILOR.COM

nickstg.nicktailor.com = = NICKSTG.NICKTAILOR.COM

.

/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf

<?xml version=”1.0″?>

.

<!– This configuration file snippet controls the oddjob daemon. It

     provides access to mkhomedir functionality via a service named

“com.redhat.oddjob_mkhomedir”, which exposes a single object

(“/”).

The object allows the root user to call any of the standard D-Bus

     introspection interface’s methods (these are implemented by

     oddjobd itself), and also defines an interface named

     “com.redhat.oddjob_mkhomedir”, which provides two methods. –>

.

<oddjobconfig>

.

<service name=”com.redhat.oddjob_mkhomedir”>

.

<object name=”/”>

.

<interface name=”org.freedesktop.DBus.Introspectable”>

.

<allow min_uid=”0″ max_uid=”0″/>

        <!– <method name=”Introspect”/> –>

.

</interface>

.

<interface name=”com.redhat.oddjob_mkhomedir”>

.

<method name=”mkmyhomedir”>

<helper exec=”/usr/libexec/oddjob/mkhomedir -u 0077″

                  arguments=”0″

                  prepend_user_name=”yes”/>

          <!– no acl entries -> not allowed for anyone –>

</method>

.

<method name=”mkhomedirfor”>

<helper exec=”/usr/libexec/oddjob/mkhomedir -u 0077″

                  arguments=”1″/>

<allow user=”root”/>

</method>

.

</interface>

.

</object>

.

</service>

.

</oddjobconfig>
================================================================================

.

/etc/pam.d/password-auth-ac

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 500 quiet

auth sufficient pam_sss.so use_first_pass

auth required pam_deny.so

.

account required pam_unix.so

account sufficient pam_localuser.so

account sufficient pam_succeed_if.so uid < 500 quiet

account [default=bad success=ok user_unknown=ignore] pam_sss.so

account required pam_permit.so

.

password requisite pam_cracklib.so try_first_pass retry=3

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

password sufficient pam_sss.so use_authtok

password required pam_deny.so

.

session optional pam_keyinit.so revoke

session required pam_limits.so

session optional pam_oddjob_mkhomedir.so skel=/etc/skel

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session required pam_unix.so

session optional pam_sss.so

.

/etc/pam.d/su

#%PAM-1.0

auth sufficient pam_rootok.so

.

auth [success=2 default=ignore] pam_succeed_if.so use_uid user ingroup grp_technology_integration_servertech_all

auth [success=1 default=ignore] pam_succeed_if.so use_uid user ingroup wheel

auth required pam_deny.so

.

auth include system-auth

.

account sufficient pam_succeed_if.so uid = 0 use_uid quiet

account include system-auth

.

password include system-auth

.

session include system-auth

session optional pam_xauth.so

.

.

#This line is the last line

.

/etc/pam.d/system-auth-ac

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so

auth sufficient pam_fprintd.so

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 500 quiet

auth sufficient pam_sss.so use_first_pass

auth required pam_deny.so

.

account required pam_unix.so

account sufficient pam_localuser.so

account sufficient pam_succeed_if.so uid < 500 quiet

account [default=bad success=ok user_unknown=ignore] pam_sss.so

account required pam_permit.so

.

password requisite pam_cracklib.so try_first_pass retry=3

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

password sufficient pam_sss.so use_authtok

password required pam_deny.so

.

session optional pam_keyinit.so revoke

session required pam_limits.so

session optional pam_oddjob_mkhomedir.so skel=/etc/skel

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session required pam_unix.so

session optional pam_sss.so

.

/etc/samba/smb.conf

[global]

workgroup = NICKSTG

client signing = yes

client use spnego = yes

kerberos method = secrets and keytab

realm = NICKSTG.NICKTAILOR.COM

.

security = ads

log file = /var/log/

.

/etc/sssd/sssd.conf

[sssd]

config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30

services = nss, pam

domains = default, nickstg.nicktailor.com

.

[nss]

filter_groups = root

filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,games,gopher,ftp,nobody,vcsa,pcap,ntp,dbus,avahi,rpc,sshd,xfs,rpcuser,nfsnobody,haldaemon,avahi-autoipd,gdm,nscd,oracle, ,deploy,tomcat,jboss,apache,ejabberd,cds,distcache,squid,mailnull,smmsp,backup,bb,clam,obdba,postgres,named,mysql,quova, reconnection_retries = 3

.

[pam]

reconnection_retries = 3

.

[domain/nickstg.nicktailor.com]

id_provider = ad

access_provider = simple

cache_credentials = true

#ldap_search_base = OU=NICKSTG-Users,DC=NICKSTG,DC=nicktailor,DC=com

override_homedir = /home/%u

default_shell = /bin/bash

simple_allow_groups = ServerTech_All,Server_Systems_Integration

.

/etc/sudoers

## /etc/sudoers

## nicktailor sudoers configuration

.

## Include all configuration from /etc/sudoers.d

## Note: the single # is needed in the line below and is NOT a comment!

.

#includedir /etc/sudoers.d

##%NICKSTG\\domain\ users ALL = NOPASSWD: ALL

% ServerTech_All ALL = NOPASSWD: ALL

% Server_Systems_Integration ALL = NOPASSWD: ALL

.

Leave a Reply

Your email address will not be published. Required fields are marked *