19.4.09

Join Linux (RedHat based) machine to Active Directory

To join a Linux (RedHat-based) machine to Active Directory we have to edit a few configuration files:

################################

/etc/krb5.conf

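# /etc/krb5.conf - MIT Kerberos client settings for the DOMAIN.NET AD realm.
# Full-line comments start with # or ;. Keys inside { } belong to that realm or app.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Realm assumed when a principal is given without one; AD realms are upper-case.
default_realm = DOMAIN.NET
# Realm mapping and KDC discovery come from this file, not from DNS records,
# so every DC that should be used must be listed under [realms] below.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
# Booleans are written as true/false throughout (the library accepts yes/no too).
forwardable = true

[realms]
DOMAIN.NET = {
# Domain controllers, tried in the order listed; the original repeated dc1.
kdc = dc1.domain.net:88
kdc = dc2.domain.net:88
# NOTE(review): 389 is the LDAP port, not the kadmin port (749). AD runs no
# kadmind, and password changes default to port 464 on this host, so the
# port given here only affects kadmin, which does not work against AD anyway.
admin_server = dc1.domain.net:389
default_domain = domain.net
}

[domain_realm]
# Map the DNS domain (and every host under it) to the Kerberos realm.
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET

[appdefaults]
pam = {
debug = false
# pam_krb5 lifetimes are given in seconds (36000 s = 10 h).
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
# Kerberos 4 conversion, kept from the original; newer pam_krb5 releases
# may ignore this option - verify against the installed version.
krb4_convert = false
}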

##################################

/etc/smb.conf

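# /etc/smb.conf - Samba/winbind settings for AD membership (security = ADS).
# Samba keeps only the last occurrence of a repeated parameter, so list-valued
# parameters must be written on a single line.

[global]
# Kerberos realm of the domain; upper-case, matching default_realm in krb5.conf.
realm = DOMAIN.NET
# Authenticate against AD with Kerberos; needs a working /etc/krb5.conf.
security = ADS
encrypt passwords = yes
# Optional. Use only if Samba cannot determine the Kerberos server automatically.
# One space-separated list: the original gave three separate lines, which
# would have left only the last one (dc3) in effect.
password server = dc1.domain.net dc2.domain.net dc3.domain.net
# NetBIOS (short) name of the domain.
workgroup = DOMAIN
# Local uid/gid ranges that winbind hands out to domain users and groups.
# NOTE(review): older parameter names; newer Samba releases configure this
# through idmap settings instead - check smb.conf(5) for the installed version.
winbind uid = 10000-20000
winbind gid = 10000-20000
# Domain users appear as "user" instead of "DOMAIN\user". A domain account
# with the same name as a local account becomes ambiguous, so keep local and
# domain account names distinct.
winbind use default domain = yes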

##################################

/etc/pam.d/system-auth

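# /etc/pam.d/system-auth - local accounts (pam_unix) first, then winbind for
# domain accounts. Each stack is evaluated top to bottom, so order matters.

# auth: a local account that succeeds with pam_unix stops here (sufficient).
auth required pam_env.so
# NOTE(review): nullok lets local accounts with an empty password log in;
# remove it unless such accounts are intentionally present.
auth sufficient pam_unix.so nullok try_first_pass
# Only non-system accounts (uid >= 500 on this RedHat layout) go on to
# winbind; a system account that failed pam_unix is denied here (requisite).
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
# Local system accounts (uid < 500) skip the winbind account check.
# The original line ended in "quietwpg3", a corrupted "quiet".
account sufficient pam_succeed_if.so uid < 500 quiet
# Users unknown to winbind are ignored so local accounts still pass.
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
# pam_winbind takes the password change for accounts pam_unix does not own.
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
# No pam_mkhomedir in this stack: a domain user needs an existing home
# directory at first login. If that is unwanted, add
# session optional pam_mkhomedir.so skel=/etc/skel umask=0077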

##########################################

Join Linux to domain:

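# Join the machine to the domain. -U needs an account name; ADMIN_USER is a
# placeholder for a domain account allowed to join computers (net prompts for
# its password rather than taking it on the command line).
net ads join -U ADMIN_USER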

Restart winbind service

# Restart winbind after the join; on RedHat "service winbind restart" is equivalent.
/etc/init.d/winbind restart

Test domain membership

# Lists the domain groups; an error or empty list means winbind cannot reach the domain.
# (wbinfo -t additionally checks the machine trust account.)
wbinfo -g # lists domain groups

# Lists the domain users; with "winbind use default domain = yes" the names carry no DOMAIN\ prefix.
wbinfo -u # lists domain users

