Introduction
The data used in this tutorial:
- Samba4 Active Directory Domain: example.com
- Samba4 Active Directory host: host.example.com
- Realm/workgroup: EXAMPLE.COM
- Samba4 Active Directory, DNS & NTP IP Address: 192.168.1.2
- Fedora 19 client machine hostname: FEDCLIENT1
Overview
A summary of the steps we are going to do:
- Install Packages
- Configure NTP & DNS
- Configure Kerberos
- Configure nsswitch
- Configure Samba
- Join the Domain
- Test the setup
Install Packages
Install the following packages on a freshly installed Fedora 19 machine:
#yum install krb5-workstation krb5-libs samba-winbind samba-winbind-clients samba samba-client samba-libs samba-winbind-krb5-locator samba-common ntp
Configure NTP & DNS
In order to keep the client's clock synchronized with Active Directory, which Kerberos requires, point NTP at the domain controller:
#/etc/ntp.conf
server 192.168.1.2
For DNS, point the resolver at the Active Directory host, which is also the DNS server in this setup:
#/etc/resolv.conf
domain example.com
search example.com
nameserver 192.168.1.2
Configure Kerberos
What is Kerberos?
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has the following characteristics:
- It is secure: it never sends a password unless it is encrypted.
- Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins.
- The concept depends on a trusted party – a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them.
- It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.
Edit the /etc/krb5.conf file: remove everything and place the following in it, changing the EXAMPLE.COM domain to your own Active Directory Domain:
[libdefaults]
ticket_lifetime = 24h
default_realm = EXAMPLE.COM
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = EXAMPLE.COM
default_domain = EXAMPLE.COM
admin_server = 192.168.1.2
kdc = host.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Test Kerberos by getting a ticket for the Active Directory Administrator User.
#kinit Administrator
Password for Administrator@EXAMPLE.COM:
The following command should list a valid ticket for kinit.
#klist
Ticket cache: DIR::/run/user/0/krb5cc/tktgdYTR
Default principal: administrator@EXAMPLE.COM
Valid starting Expires Service principal
05/28/2014 16:43:40 05/29/2014 02:43:40 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 05/29/2014 16:43:35
If you get an error, check your Kerberos, DNS and NTP (time) settings and try again.
Configure nsswitch
nsswitch is used to tell the system that the Active Directory users are also valid users. We are going to configure it to also accept winbind users, which is what Samba uses after it has bound to the domain.
Edit /etc/nsswitch.conf so the passwd, group and shadow databases also consult winbind:
passwd: files ldap winbind
group: files ldap winbind
shadow: files ldap winbind
Configure Samba
Now we need to set up Samba to also support the domain.
Edit /etc/samba/smb.conf
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
password server = host.example.com
security = ads
domain master = no
local master = no
preferred master = no
idmap config * : backend = rid
idmap config * : range = 2000-50000000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind refresh tickets = yes
wins support = yes
dns proxy = yes
wins proxy = yes
Save the file and restart all the daemons:
#service smb restart
#service nmb restart
#service ntpd restart
#service winbind restart
Join the domain
Make sure you still have a valid Kerberos ticket. If not, run kinit Administrator again. Then execute the following command:
#net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLE
Joined FEDCLIENT1 to realm 'example.org'
DNS Update for fedclient1.example.org failed: ERROR_DNS_GSS_ERROR
DNS update failed!
The DNS error can be ignored, but make sure you create an A record and a PTR record for the client manually.
Restart all the daemons:
#service smb restart
#service nmb restart
#service winbind restart
Update pam:
#authconfig --enableshadow --enablewinbind --update
Check that winbind and nsswitch are working correctly: the following commands should also list all Active Directory users and groups:
#getent passwd
#getent group
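As an added check (example script, not part of the original tutorial): before running net ads join, the following POSIX shell functions verify that the files edited above agree with each other, which is where most kinit and join failures in this setup come from. File paths are passed as arguments (an assumption) so the checks can be run against copies of the files.

```shell
#!/bin/sh
# Pre-join sanity checks for the client configuration built above.
# Added example, not the tutorial's own; paths are arguments (assumption).

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] of an
# ini-style file (krb5.conf, smb.conf); text after # or ; is a comment.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        { l = $0; sub(/[#;].*/, "", l); gsub(/^[ \t]+|[ \t]+$/, "", l) }
        l == sec { in_sec = 1; next }
        l ~ /^\[/ { in_sec = 0 }
        in_sec && index(l, "=") {
            n = index(l, "="); k = substr(l, 1, n - 1); v = substr(l, n + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_realms KRB5_CONF SMB_CONF: the Kerberos default_realm and the Samba
# realm must match and be upper case (realm names are case sensitive), and
# the workgroup must be the realm's first DNS label, as in the page's data.
check_realms() {
    krb=$(ini_get "$1" libdefaults default_realm)
    smb=$(ini_get "$2" global realm)
    wg=$(ini_get "$2" global workgroup)
    [ -n "$krb" ] || { echo "krb5.conf: default_realm missing"; return 1; }
    [ "$krb" = "$smb" ] || { echo "realm mismatch: $krb vs $smb"; return 1; }
    [ "$krb" = "$(printf %s "$krb" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "realm $krb must be upper case"; return 1; }
    [ "$wg" = "${krb%%.*}" ] || { echo "workgroup $wg != ${krb%%.*}"; return 1; }
}

# check_dns_ntp RESOLV_CONF NTP_CONF: in this setup the AD host is both DNS
# and NTP server, so the first nameserver must equal the NTP server address.
check_dns_ntp() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    ntp=$(awk '$1 == "server" { print $2; exit }' "$2")
    [ -n "$ns" ] && [ -n "$ntp" ] || { echo "nameserver or NTP server missing"; return 1; }
    [ "$ns" = "$ntp" ] || { echo "DNS $ns and NTP $ntp differ"; return 1; }
}

# check_nsswitch NSSWITCH_CONF: passwd and group must consult winbind,
# otherwise getent will never show domain users after the join.
check_nsswitch() {
    for db in passwd group; do
        awk -v db="$db:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
            END { exit !ok }' "$1" || { echo "nsswitch.conf: $db lacks winbind"; return 1; }
    done
}
```

Run the three checks against /etc/krb5.conf, /etc/samba/smb.conf, /etc/resolv.conf, /etc/ntp.conf and /etc/nsswitch.conf; each prints the first problem it finds and returns non-zero.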