Mbm329 23:23, March 9, 2012 (UTC)
Setup Prerequisites
/etc/hosts
Place entries in /etc/hosts for domain controllers.
10.1.1.2 domaincontroller1.example.com domaincontroller1
10.1.1.3 domaincontroller2.example.com domaincontroller2
/etc/ntp.conf
Make sure NTP is set up on the host and synchronized with the domain controllers' clocks (important for Kerberos).
# don't panic should the hardware clock act erratically
tinker panic 0

# lock it down
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

# servers
server 10.1.1.2 prefer
server 10.1.1.3

# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift
/etc/ntp/step-tickers
Lists the time servers that ntpdate steps the clock against at boot, so NTP starts out synchronized.
10.1.1.2
10.1.1.3
Setup Kerberos Authentication configurations
/etc/krb5.conf
#Ref: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 EXAMPLE.COM = {
  kdc = domaincontroller1.example.com:88
  kdc = domaincontroller2.example.com:88
  admin_server = domaincontroller1.example.com:749
  admin_server = domaincontroller2.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
/etc/pam.d/system-auth-ac
Add the appropriate PAM modules to the auth, account, and session stacks.[1]
...
auth      sufficient  pam_krb5.so                                  # place after pam_unix.so
...
account   sufficient  pam_krb5.so                                  # place after pam_unix.so
...
session   required    pam_mkhomedir.so skel=/etc/skel umask=0077   # place after pam_unix.so
Setup NSS LDAP Library Configuration
/etc/ldap.conf
Set up the nss_ldap client library to bind to your domain controllers.[2]
#Ref: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4
host domaincontroller1 domaincontroller2
base dc=example,dc=com
uri ldap://domaincontroller1.example.com/ ldap://domaincontroller2.example.com/
binddn binduser@example.com
bindpw binduser_password
scope sub
ssl no

#Timeout helpers if ldap is unavailable - Ref: http://www.nabble.com/Re%3A-allowing-local-accounts-when-LDAP-is-unavailable--p23358537.html
bind_policy soft
bind_timelimit 1
timelimit 5
idle_timelimit 3600
nss_initgroups_ignoreusers root,mbm

#Filter passwd and shadow to improve speed of lookups and return far less than max allowed from AD - Ref: http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37287
nss_base_passwd dc=example,dc=com?sub?&(objectCategory=user)(uidNumber=*)
nss_base_shadow dc=example,dc=com?sub?&(objectCategory=user)(uidNumber=*)
nss_base_group dc=example,dc=com?sub?&(objectCategory=group)(gidNumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
/etc/nsswitch.conf
For passwd, shadow, and group, have the system consult local files first and then LDAP.
...
passwd:     files ldap
shadow:     files ldap
group:      files ldap
...
Test LDAP Configuration
Test querying of passwd data from LDAP:
getent passwd
getent passwd <username>
Test querying of group data from LDAP:
getent group
getent group <group>
Test querying of shadow data from LDAP:
getent shadow
getent shadow <username>
Test listing of a user's identity with the id command:
id <username>
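An added check for the two steps above (this script is not part of the original page): it verifies from a copy of nsswitch.conf that files is consulted before ldap for passwd, shadow and group, which is what keeps root and other local accounts resolvable when the domain controllers are unreachable, and wraps the page's getent lookups in a timeout. The function names and the embedded sample files are this example's own.

```sh
#!/bin/sh
# Added example, not from the original wiki page: verify that nsswitch.conf
# consults "files" before "ldap" for passwd, shadow and group, as configured
# above, and wrap the page's getent checks in a timeout so a hung LDAP bind
# cannot stall the test. Function names and the sample files are this
# example's own.

# nss_sources FILE DB: print the source list configured for DB (e.g. "files ldap"),
# ignoring trailing comments; prints nothing if DB is not listed.
nss_sources() {
    awk -v db="$2:" '
        $1 == db {
            out = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                out = out (out == "" ? "" : " ") $i
            }
            print out
            exit
        }' "$1"
}

# files_before_ldap FILE DB: succeed only if "files" is first and "ldap" follows,
# so local accounts (root above all) still resolve when LDAP is down.
files_before_ldap() {
    sources=$(nss_sources "$1" "$2")
    case "$sources" in
        "files "*) ;;
        *) return 1 ;;
    esac
    case " $sources " in
        *" ldap "*) return 0 ;;
    esac
    return 1
}

# audit_nsswitch FILE: report each of the three databases; non-zero if any is wrong.
audit_nsswitch() {
    rc=0
    for db in passwd shadow group; do
        if files_before_ldap "$1" "$db"; then
            echo "$db: ok ($(nss_sources "$1" "$db"))"
        else
            echo "$db: unexpected sources '$(nss_sources "$1" "$db")'"
            rc=1
        fi
    done
    return "$rc"
}

# The page's lookups, bounded to 10 seconds each (constructed wrappers).
lookup_user()   { timeout 10 getent passwd "$1"; }
lookup_group()  { timeout 10 getent group "$1"; }
lookup_shadow() { timeout 10 getent shadow "$1"; }   # shadow entries need root

# Constructed samples: one matching the page, one with the order inverted.
write_sample_nsswitch() {
    cat > "$1" <<'EOF'
# constructed sample mirroring the page's /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap   # trailing comment is ignored
group:      files ldap
hosts:      files dns
EOF
}
write_bad_nsswitch() {
    cat > "$1" <<'EOF'
passwd:     files ldap
shadow:     ldap files
group:      files
EOF
}

# Usage on a real host:  audit_nsswitch /etc/nsswitch.conf && lookup_user "$USER"
```

Run audit_nsswitch against /etc/nsswitch.conf after editing it; a non-zero exit means one of the three databases would try LDAP before local files, or not consult LDAP at all.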
Setup Automatic CIFS Home Directory Mounting
/etc/request-key.conf
This enables the mounts to authenticate with Kerberos tickets. Make sure the "keyutils" package is installed on the system.
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
/etc/auto.master
/winhomes /etc/auto.winhomes
/etc/auto.winhomes
Here, "*" matches any key (a subdirectory accessed under /winhomes) and "&" expands to the key that was referenced. The two entries below show that specific users can be sent to one server while everybody else goes to a different one.
user1 -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
*     -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&
It is possible that the server you are authenticating users against does not support packet signing; in that case use sec=krb5 instead of sec=krb5i.
user1 -fstype=cifs,rw,soft,sec=krb5,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
*     -fstype=cifs,rw,soft,sec=krb5,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&
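As an added illustration (not from the original page) of how the key, the "*" wildcard and "&" interact in the map above, the script below models that selection for a requested key: an exact entry wins, otherwise the wildcard line applies, and every "&" is replaced by the key. It models only those two features, not the full autofs map syntax, and the function names and the embedded copy of the map are this example's own.

```sh
#!/bin/sh
# Added example, not from the original wiki page: a small model of how autofs
# picks a line from auto.winhomes for a requested key. Exact key first, then
# the "*" wildcard; "&" expands to the key. Function names and the embedded
# map are this example's own.

# resolve_automap MAPFILE KEY: print the options and location for KEY with
# "&" expanded; fail if neither an exact entry nor a wildcard exists.
resolve_automap() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 == key { exact = substr($0, index($0, $2)); found = 1 }
        $1 == "*" && wild == "" { wild = substr($0, index($0, $2)) }
        END {
            line = found ? exact : wild
            if (line == "") exit 1
            gsub(/&/, key, line)
            print line
        }' "$1"
}

# write_sample_map FILE: a constructed copy of the map shown on the page.
write_sample_map() {
    cat > "$1" <<'EOF'
# user1 is sent to SERVER1, everybody else to SERVER2
user1 -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
*     -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&
EOF
}

# Usage (prints the expanded entry a user would get):
#   write_sample_map /tmp/auto.winhomes && resolve_automap /tmp/auto.winhomes user1
```

Note that uid=& in the expanded line is why each user's mount is owned by that user: the key is the directory name accessed under /winhomes, which the .bash_profile snippet below sets to the login name.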
/etc/skel/.bash_profile
Add this snippet to the default .bash_profile to create a symlink to the autofs mountpoint for easy access to the home share.
# link ~/h to the user's autofs-managed home share, once
if ! [ -h ~/h ]; then
    ln -s "/winhomes/$(whoami)" ~/h
fi
Test CIFS Auto-Mounting
Test auto-mounting of the home directory by accessing it as the user:
ls -l ~/h/
Configure SAMBA to Join System to Domain[3]
/etc/samba/smb.conf
workgroup = workgroup
security = ads
realm = example.com
use kerberos keytab = true
password server = domaincontroller1.example.com domaincontroller2.example.com
Run the following commands to join the system to the domain:
sudo kdestroy
sudo kinit domain_admin_username@EXAMPLE.COM
sudo net ads join -U domain_admin_username
Log in as a standard user and use smbclient to access the user's home share; no password should be required.
std_user$ smbclient -k '\\domaincontroller1\home_share\' -c 'ls std_user\*'
OS=[Windows Server 2008 R2 Enterprise 7600] Server=[Windows Server 2008 R2 Enterprise 6.1]
  .                                   D        0  Thu Oct  6 17:55:41 2011
  ..                                  D        0  Thu Oct  6 17:55:41 2011
  std_user_file.txt                   A       26  Thu Oct  6 17:55:50 2011

                61235 blocks of size 524288. 38719 blocks available
User-mounted CIFS Filesystems
Since the system is now in a Windows domain, we can allow users to mount the CIFS shares they have access to themselves, which increases their productivity. This is done by making /sbin/mount.cifs setuid-root.
$ sudo chmod 4755 /sbin/mount.cifs
The mount.cifs command can now be accessed directly by the user to mount their own filesystems like so:
$ /sbin/mount.cifs '//SERVER1/SHARE/DIRECTORY TO BE MOUNTED' /home/USERNAME/MOUNTPOINT -o rw,soft,sec=krb5,uid=USERNAME,file_mode=0700,dir_mode=0700
It is important that the command's arguments are given in the order shown above. You could also create a wrapper script that users call instead, which supplies the options for them.
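The wrapper script suggested above, written out as an added example (it is not code from the original page): users give only the share and a mountpoint, and the script supplies the option string itself, so the setuid-root mount.cifs is never handed user-chosen -o values or arbitrary paths. The function names, the allowed character set for share paths, and the rule that mountpoints must live under the caller's home directory are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original wiki page: a wrapper for the
# setuid-root /sbin/mount.cifs described above. The user supplies only the
# share and a mountpoint; the wrapper supplies the mount options itself.
# Function names, the allowed character set and the "mountpoint under $HOME"
# rule are assumptions of this example.

# valid_unc SHARE: accept //SERVER/SHARE[/SUBDIR...] built from a small
# character set; reject dot components, empty components and a trailing "/".
valid_unc() {
    case "$1" in
        //*) ;;
        *) return 1 ;;
    esac
    rest=${1#//}
    case "$rest" in
        */*) ;;                                   # at least SERVER/SHARE
        *) return 1 ;;
    esac
    case "$rest" in
        *[!A-Za-z0-9._\$\ /-]*) return 1 ;;       # character outside the allowed set
        /*|*/|*//*) return 1 ;;                   # empty component
        ..|../*|*/..|*/../*|.|./*|*/.|*/./*) return 1 ;;
    esac
    return 0
}

# valid_mountpoint PATH HOME: PATH must be an absolute path strictly below HOME
# with no ".", ".." or empty components, so the wrapper cannot be pointed at
# system directories.
valid_mountpoint() {
    case "$2" in /*) ;; *) return 1 ;; esac
    case "$1" in
        "$2"/*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        */|*//*|*/..|*/../*|*/.|*/./*) return 1 ;;
    esac
    return 0
}

# cifs_options USER SEC: print the fixed option string from the page, with
# uid= set to the calling user and sec= limited to krb5 or krb5i.
cifs_options() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac   # assumption: plain account names
    case "$2" in krb5|krb5i) ;; *) return 1 ;; esac
    printf 'rw,soft,sec=%s,uid=%s,file_mode=0700,dir_mode=0700\n' "$2" "$1"
}

# mount_user_share SHARE MOUNTPOINT [SEC]: validate, then call mount.cifs with
# the arguments in the order the page requires (share, mountpoint, -o options).
mount_user_share() {
    share=$1 mp=$2 sec=${3:-krb5}
    user=$(id -un)
    valid_unc "$share" || { echo "refusing share '$share'" >&2; return 1; }
    valid_mountpoint "$mp" "$HOME" || { echo "mountpoint must be a plain path under $HOME" >&2; return 1; }
    if [ -L "$mp" ] || [ ! -d "$mp" ]; then
        echo "mountpoint must be an existing directory, not a symlink" >&2
        return 1
    fi
    opts=$(cifs_options "$user" "$sec") || { echo "bad user or sec value" >&2; return 1; }
    /sbin/mount.cifs "$share" "$mp" -o "$opts"
}

# Only act when invoked with arguments, e.g.:
#   ./mount-winshare '//SERVER1/SHARE/DIRECTORY TO BE MOUNTED' "$HOME/MOUNTPOINT"
if [ $# -gt 0 ]; then
    mount_user_share "$@"
fi
```

Installed as a script the user can execute, this keeps the privileged binary's interface fixed: the only variable input that reaches mount.cifs is a share path drawn from a small character set and a directory under the caller's home, and the sec= value is restricted to the two Kerberos modes the page uses.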