1. Install Linux Machine
   Fresh install of CentOS 6.2 or CentOS 5.8 (32-bit) in text mode.

2. Install support for the host command
   # yum install bind-utils
   (Optional -- only needed for the host command used in step 4.)

3. Install required software
   On CentOS 6.x:
   # yum install samba-common pam_krb5 samba-winbind krb5-workstation
   On CentOS 5.x:
   # yum install samba-common pam_krb5 krb5-workstation

4. Check that name resolution works (OPTIONAL)
   # host -t srv _kerberos._tcp.<DOMAIN>
   This SRV lookup is how a client locates a domain controller running the Kerberos KDC service for the domain; if it returns nothing, fix DNS (step 6) before going on.

5. Make sure "hostname -f" returns an answer
   On your Linux box, set the fully-qualified hostname in /etc/sysconfig/network and /etc/hosts. Note that the first part of your hostname (the label before the first dot) must be no longer than 15 characters and unique in the domain.

   # /etc/sysconfig/network
   HOSTNAME=myhostname.example.com

   # /etc/hosts
   127.0.0.1 myhostname.example.com myhostname localhost.localdomain localhost

   After this, `hostname -f` should return the fully-qualified name.

6. Configure the DNS client (optional as long as the server names are already resolving properly)
   Make sure your Linux box has a properly configured DNS client in /etc/resolv.conf, probably pointing at your domain controllers:
   search example.com
   nameserver <192.168.1.10>

7. Make the required entries by running this command:
   # authconfig \
       --disablecache \
       --enablewinbind \
       --enablewinbindauth \
       --smbsecurity=ads \
       --smbworkgroup=<TEST> \
       --smbrealm=<TEST.COM> \
       --enablewinbindusedefaultdomain \
       --winbindtemplatehomedir=/home/%U \
       --winbindtemplateshell=/bin/bash \
       --enablekrb5 \
       --krb5realm=<TEST.COM> \
       --krb5kdc=<default kerberos KDC> \
       --enablekrb5kdcdns \
       --enablekrb5realmdns \
       --enablelocauthorize \
       --enablemkhomedir \
       --enablepamaccess \
       --updateall
   Make sure to replace:
   <TEST> with your domain name in all CAPS
   <TEST.COM> with your domain name (FQDN) in all CAPS
   <default kerberos KDC> with your KDC server FQDN in all CAPS

8. Having the same user and group IDs across multiple client machines
   Edit /etc/samba/smb.conf and add the following lines to the [global] section:
   [global]
   ....
   security = ads
   allow trusted domains = No
   idmap backend = idmap_rid:KPAK=5000-100000000
   idmap uid = 5000-100000000
   idmap gid = 5000-100000000
   .....
   Of these, the idmap uid and idmap gid lines are already present in the default file; make sure to change them to the ranges shown. KPAK stands for the short (NetBIOS) domain name, the same value used for <TEST> in step 7. Because the mapping is computed from the RID, every client using the same backend, domain and range produces the same UID/GID for a given AD user, so ownership on shared storage stays consistent.

   There is a sed alternative for the above (run these two commands; the first comments out the existing idmap lines, the second inserts the new block before the commented "idmap gid" line):
   # sed -i -e 's/idmap/#idmap/g' /etc/samba/smb.conf
   # sed -i -e '/#idmap\ gid/i \
   allow trusted domains = No \
   idmap backend = rid:<EXAMPLE>=5000-100000000 \
   idmap uid = 5000-100000000 \
   idmap gid = 5000-100000000 ' /etc/samba/smb.conf
   Replace <EXAMPLE> with your short domain name, as above.

9. Fix home directory permissions
   Open the file /etc/pam.d/system-auth and add umask=0077 to the line below:
   session optional pam_mkhomedir.so
   Now it should look like this:
   session optional pam_mkhomedir.so umask=0077
   Save and exit. Without the umask, home directories created at first login are readable by other users.

   There is a one-liner for the above task:
   # sed -i -e 's/pam_mkhomedir.so/pam_mkhomedir.so umask=0077/g' /etc/pam.d/system-auth-ac
   (On CentOS, /etc/pam.d/system-auth is a symlink to system-auth-ac, which is the file authconfig writes, so editing either one has the same effect.)

10. Make sure winbind runs on reboot
    # chkconfig winbind on

11. Join the domain
    # net ads join -S <default kerberos KDC server FQDN> -U <administrator>
    # net ads keytab create -S <default kerberos KDC server FQDN> -U <administrator>
    Provide the <administrator> password when prompted by the above commands.

12. Restart winbind
    # service winbind restart

13. Reset permissions for a domain user if a local user with the same name exists
    This should be done after joining the DOMAIN; otherwise such users will not get their home directory or shell when they log in.
    If a username exists on the local system with the same name as in AD, make sure to update the home directory ownership for that user:
    # chown <username>.domain\ users /home/<dirname>
    where "domain users" is the group to which all AD users are attached in Linux.

14. Test if it's working fine:
    # getent passwd <username_on_ad>
    This should return the id details for <username_on_ad>.
    Replace <username_on_ad> with any valid user in AD.
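The settings from steps 5, 8 and 9 are the ones most often left half-done. The following audit script is added here and is not part of the original guide; it checks those three settings on file paths passed as arguments (the `--live` mode assumes the paths used above), and its self-test runs on constructed sample files so it works without an AD-joined host.

```shell
#!/bin/sh
# Added audit script, not part of the original guide. Checks three settings the
# steps above require, on paths given as arguments so it also runs offline.
# Step 5: the first label of the FQDN must be at most 15 characters.
hostname_label_ok() {
    label=${1%%.*}
    [ -n "$label" ] && [ "${#label}" -le 15 ]
}
# Step 8: smb.conf must use "security = ads", a rid idmap backend, and identical
# idmap uid/gid ranges. Only uncommented lines count (the sed one-liner above
# leaves the old idmap lines behind as "#idmap ...").
smb_idmap_ok() {
    conf=$1
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$conf" || return 1
    grep -Eiq '^[[:space:]]*idmap backend[[:space:]]*=.*rid:' "$conf" || return 1
    uid_range=$(sed -n 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n1)
    gid_range=$(sed -n 's/^[[:space:]]*idmap gid[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n1)
    [ -n "$uid_range" ] && [ "$uid_range" = "$gid_range" ]
}
# Step 9: the pam_mkhomedir session line must carry umask=0077, otherwise new
# home directories are created group/world readable.
mkhomedir_umask_ok() {
    grep -Eq '^[[:space:]]*session.*pam_mkhomedir\.so.*umask=0077' "$1"
}
# Self-test on constructed sample files (not real configs); returns 0 when
# good inputs pass and bad inputs fail.
selftest() {
    d=$(mktemp -d) || return 1
    printf '[global]\nsecurity = ads\nallow trusted domains = No\nidmap backend = rid:EXAMPLE=5000-100000000\nidmap uid = 5000-100000000\nidmap gid = 5000-100000000\n' > "$d/good.conf"
    printf '[global]\nsecurity = ads\n#idmap backend = rid:EXAMPLE=5000-100000000\nidmap uid = 5000-100000000\nidmap gid = 16777216-33554431\n' > "$d/bad.conf"
    printf 'session optional pam_mkhomedir.so umask=0077\n' > "$d/good.pam"
    printf 'session optional pam_mkhomedir.so\n' > "$d/bad.pam"
    rc=0
    smb_idmap_ok "$d/good.conf" || rc=1
    smb_idmap_ok "$d/bad.conf" && rc=1
    mkhomedir_umask_ok "$d/good.pam" || rc=1
    mkhomedir_umask_ok "$d/bad.pam" && rc=1
    hostname_label_ok myhostname.example.com || rc=1
    hostname_label_ok averyveryverylonghostname.example.com && rc=1
    rm -rf "$d"
    return $rc
}
# Live mode on a configured host: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    hostname_label_ok "$(hostname -f)"        && echo "hostname: ok"  || echo "hostname: FAIL"
    smb_idmap_ok /etc/samba/smb.conf          && echo "idmap: ok"     || echo "idmap: FAIL"
    mkhomedir_umask_ok /etc/pam.d/system-auth && echo "mkhomedir: ok" || echo "mkhomedir: FAIL"
fi
```

Run it with `--live` after step 12 and before the getent test in step 14; a FAIL on "idmap" usually means the sed one-liner ran against an smb.conf whose idmap lines were already commented out.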