Prescript: I wrote this over a month ago and still haven’t found an authoring plugin I like so it still looks terrible. See my next post and give me ideas or just call me lazy, thanks!

Based on http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

First, install Windows 2003 R2 and add the Identity Management for UNIX component. Open Control Panel, select Add or Remove Programs, and click Add/Remove Windows Components. It will grind for a while and give you a list of possible services. Expand 'Active Directory Services' and check 'Identity Management for Unix'. You will need to be in the Schema Admins group to do this.

To have something to test with, go to the 'Unix Attributes' tab on a user and enable them as a Unix user. You'll need to pick a NIS domain (you'll probably only have one if you haven't done this before) and set a UID and home directory. The default values are usually fine to get you started.

Now log into your Unix machine. Make sure it can resolve the DNS name of your Active Directory server(s).

Run authconfig.

  • Check [] Use LDAP
  • Check [] Use LDAP Authentication
  • Check [] Use Kerberos
  • Check [] Local authorization is sufficient

You can check [] Cache Information if you want. I wouldn't until you know things work, as nscd can get out of sync with the server and cause confusion.

Select [ Next ]

  • Enter your AD server DNS name in the Server field. For example, adserver.corp.example.com
  • Enter your AD base DN in the Base DN field. For example, dc=corp,dc=example,dc=com

Select [ Next ]

  • Enter your AD DNS domain name, in ALL CAPS, in the Realm field. This is your Kerberos realm. For example, CORP.EXAMPLE.COM

  • Enter your server name:88 in the KDC field. For example, adserver.corp.example.com:88

  • Enter your server name:749 in the Admin Server field. For example, adserver.corp.example.com:749

  • Check [] Use DNS to resolve hosts to realms

  • Check [] Use DNS to locate KDCs for realms

Select [ Finish ]

Now a lot of things are set up, but of course we're not quite done. We need to add lines to /etc/ldap.conf so that nss_ldap can bind to the directory and query it (AD does not let an anonymous bind search for users). Ideally you'll have created an account specifically for this purpose; an ordinary member of Domain Users is enough. I use linux_auth but it truly doesn't matter. Keep in mind that the password goes into /etc/ldap.conf in cleartext, and the file has to be readable by every local user for name lookups to work, so give this account no rights beyond reading the directory.

echo "binddn linux_auth@corp.example.com" >> /etc/ldap.conf
echo "bindpw secret" >> /etc/ldap.conf

You will also need to uncomment or add the RFC 2307 AD mappings in /etc/ldap.conf. You can also just run this:

cat >> /etc/ldap.conf <<-ENDDOC
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
ENDDOC

Test your config exactly like Scott's directions say, by getting a ticket with kinit as user@CORP.EXAMPLE.COM. Using your regular user account for the test should be fine. If you get the error kinit(5): KDC reply did not match expectations while getting initial credentials, it's because you didn't log in using the Kerberos realm, which is in ALL CAPS! Scott's directions aren't really explicit about this and I spent a while figuring it out. Maybe you won't have to.

It will ask for your password and should just return silently if it was successful. You can then use klist to check whether you got a TGT. Next, confirm that nss_ldap can see the user:

getent passwd user

You’ll see something like this:

user:x:10000:10000:User:/home/user:/bin/sh
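The kinit and getent steps above are the whole test, but nss_ldap trusts whatever uidNumber the directory hands back, so it is worth vetting the entry before you let anyone log in. The following POSIX shell script is an added example, not code from the original post or from Scott's article: it builds the principal with the realm in upper case (the cause of the "KDC reply did not match expectations" error above), runs kinit, klist and getent, and then checks the passwd entry for a uidNumber of 0, a UID below the floor reserved for directory users, a UID or name that collides with a local account, and an empty home or shell. The domain corp.example.com, the UID floor of 10000 and the local passwd path are assumptions taken from the example values on this page.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates the kinit /
# getent test above and sanity-checks the passwd entry nss_ldap returns.
# Assumptions (placeholders): AD DNS domain corp.example.com, directory
# UIDs start at 10000, local accounts live in /etc/passwd.

# Build the principal the way kinit wants it. The realm is the AD DNS
# domain in upper case; a lower-case realm is what produces
# "KDC reply did not match expectations".
ad_principal() {
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$1" "$realm"
}

# Vet one passwd-format line (as printed by getent) against the local
# account file. Prints each finding; returns 1 if there was any, 0 if the
# entry is safe to allow logins for.
#   $1 = passwd line, $2 = local passwd file (default /etc/passwd),
#   $3 = lowest UID reserved for directory users (default 10000)
check_passwd_entry() {
    entry=$1
    local_passwd=${2:-/etc/passwd}
    uid_floor=${3:-10000}

    # Split the seven colon-separated fields; -f stops the shell from
    # globbing anything odd in the gecos field.
    oldifs=$IFS; IFS=:; set -f
    set -- $entry
    set +f; IFS=$oldifs
    name=$1 uid=$3 home=$6 shell=$7
    rc=0

    if ! [ "$uid" -ge 0 ] 2>/dev/null; then
        echo "$name: uidNumber '$uid' is not a number"; return 1
    fi
    if [ "$uid" -eq 0 ]; then
        echo "$name: uidNumber 0, the directory is handing out root"; rc=1
    elif [ "$uid" -lt "$uid_floor" ]; then
        echo "$name: uidNumber $uid is below the directory floor $uid_floor"; rc=1
    fi
    # A directory UID that reuses a local UID *is* that local account to the kernel.
    if awk -F: -v u="$uid" -v n="$name" '$3 == u && $1 != n { hit = 1 } END { exit hit ? 0 : 1 }' "$local_passwd"; then
        echo "$name: uidNumber $uid collides with a local account"; rc=1
    fi
    # Same name in both sources: nsswitch.conf order decides which one wins.
    if grep -q "^$name:" "$local_passwd"; then
        echo "$name: also exists in $local_passwd"; rc=1
    fi
    [ -n "$home" ] || { echo "$name: empty home directory"; rc=1; }
    [ -n "$shell" ] || { echo "$name: empty login shell"; rc=1; }
    return $rc
}

# Run the post's test sequence: get a TGT, confirm it, look the user up
# through nss_ldap, then vet the entry. Usage: verify_ad_user USER AD-DOMAIN
verify_ad_user() {
    princ=$(ad_principal "$1" "$2")
    echo "kinit $princ"
    kinit "$princ" || { echo "kinit failed: check realm case, DNS and the KDC port"; return 1; }
    klist 2>/dev/null | grep -q 'krbtgt/' || { echo "no TGT in the credential cache"; return 1; }
    entry=$(getent passwd "$1") || { echo "$1 is not visible through nss_ldap"; return 1; }
    echo "$entry"
    check_passwd_entry "$entry"
}

# Only run the live test when invoked with arguments, so the functions can
# also be sourced on their own.
if [ $# -ge 2 ]; then
    verify_ad_user "$1" "$2"
fi
```

Run it as `sh verify_ad_user.sh user corp.example.com`. The UID checks matter because every host you join resolves users through the same directory: a user whose uidNumber is 0 or reuses a local UID becomes that local account everywhere, and a directory user with the same name as a local one is resolved by whichever source is listed first in nsswitch.conf.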

Now we're almost done. We just need to use Samba to join the computer to the domain. You'll need the following in your smb.conf (the realm is the Kerberos realm, so keep it in ALL CAPS like everywhere else):

  workgroup = CORP
  security = ads
  realm = CORP.EXAMPLE.COM
  use kerberos keytab = true
  password server = adserver.corp.example.com

Then destroy any old Kerberos tickets:

kdestroy

Then get a Kerberos ticket with kinit as a domain admin (or any account that is allowed to join computers to the domain), again using the realm in ALL CAPS.

Then finally join the domain:

net ads join

That will grind for a little while and you'll be all set. You should see something like this:

[root@vpc-dev0 ~]# net ads join
Using short domain name -- CORP
Joined 'VPC-DEV0' to realm 'CORP.EXAMPLE.COM'

Finally, you'll need to give everybody home directories. I always use autofs, something like this (the quotes matter: an unquoted * is globbed by the shell and an unquoted & backgrounds the command instead of landing in the map):

echo '/home /etc/auto.home' >> /etc/auto.master
echo '*       -rw,bg,intr,hard,rsize=32768,wsize=32768,tcp,vers=3       nfsserver:/vol/work/users_unix/&' >> /etc/auto.home
chkconfig autofs on
service autofs start

So now the final test… try to log in with ssh!