
Integrating CentOS 7 with Active Directory using Winbind


May 25, 2015 · pfongsam · CentosAD, Centos, Winbind
Had a need for CentOS and AD integration. Searched the Web for examples of CentOS+Samba+Winbind. However, none fit the bill. Ended up crafting my own.
So here is a quick and tested verbatim method of integrating CentOS
7.x in an Active Directory domain by using Winbind.
The steps provided here are not commented in detail. The assumption is that you already know your way around Linux and the vi editor, and of course, Active Directory. However, there are validation steps along the way to ensure things are working up to that point.
Start off with a CentOS 7 minimal install. I used VirtualBox as a quick
and easy test/prototype platform before rolling out to a “production”
platform. Configure a hostname and set a static IP address. Be sure /etc/resolv.conf points to the AD domain controller as the nameserver, since the join depends on the domain's DNS (SRV) records being resolvable from this host.
In the example below, my Active Directory domain (the short NetBIOS name) is FSHOME. My DNS domain is fshome.local. My AD server FQDN is fshome-ad.fshome.local.
To get going even faster, just cut and paste the commands below — of
course, changing any of my name references to yours as applicable.
#
# Centos 7.x fileserver with AD authentication of users :: revision 5/1/2015
#
#—— turn off the firewall (acceptable on a throwaway lab VM; on a production fileserver leave firewalld
#—— running and open only the "samba" service, and keep SELinux enforcing with the samba_enable_home_dirs
#—— boolean switched on rather than disabling it)
systemctl stop firewalld.service
systemctl disable firewalld.service
#—— check selinux status and turn off as necessary
sestatus
# vi /etc/selinux/config and change the SELINUX= line to SELINUX=disabled (takes effect after the reboot later on)
#—— install auxiliary packages — these will be useful (chrony for time sync, bind-utils for nslookup, net-tools for ifconfig)
yum -y install chrony
yum -y install bind-utils
yum -y install net-tools
#—— verify Centos can resolve the AD server
nslookup fshome-ad
#—— verify Centos can reach the AD server
ping fshome-ad
Basic steps and validation tests are out of the way, so moving on…
#—— setup time synchronization to the AD server. Kerberos, which the AD join and logins use, rejects clients whose
#—— clock is more than five minutes off the domain controller by default, so get this right before joining.
#—— This host runs chrony (installed above), so the file to edit is /etc/chrony.conf, not /etc/ntp.conf
vi /etc/chrony.conf
# add the AD server as a time source, e.g., server fshome-ad.fshome.local iburst
#—— create the top-level home directory for the domain users — note name capitalization: it must match the short
#—— domain name exactly, because winbind expands each user's home to /home/%D/%U, i.e. /home/FSHOME/<user>
mkdir /home/FSHOME
#—— 0755 is enough: pam_mkhomedir and the root preexec script further down both create the per-user directories as root,
#—— so the directory does not need to be world-writable
chmod 0755 /home/FSHOME
#—— install the necessary packages: Samba, Winbind with its client tools, and authconfig (which provides the
#—— authconfig-tui used for the join below; CentOS 7 has authconfig, not authselect)
yum -y install samba samba-winbind*
yum -y install authconfig*
#—— verify the time can be pulled from the AD server
net time -S fshome-ad
#—— sync the time to the AD server now (a one-off step; chronyd keeps it in step from here on)
net time set -S fshome-ad
#—— start and enable the services to run at boot time: chronyd, smb, winbind
systemctl start chronyd
systemctl enable chronyd
systemctl start smb
systemctl enable smb
systemctl start winbind
systemctl enable winbind
#—— verify that chronyd, smb, and winbind are indeed enabled to start at boot time
systemctl list-unit-files --type=service | grep enabled

#—— setup winbind authentication
#—— the join in this post is done with authconfig-tui (Winbind). The realmd/SSSD steps quoted below are from the
#—— Red Hat guide chapter "CONNECTING RHEL SYSTEMS DIRECTLY TO AD USING SSSD"; they are the alternative,
#—— SSSD-based way to join and are not needed if you join with authconfig-tui as described afterwards.

1. Install the following packages:
# yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
2. To display information for a specific domain, run realm discover and add the name of the domain you want to discover:
# realm discover ad.example.com
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
The realmd system uses DNS SRV lookups to find the domain controllers in this domain automatically.
NOTE: The realmd system can discover both Active Directory and Identity Management domains. If both domains exist in your environment, you can limit the discovery results to a specific type of server using the --server-software=active-directory option.
3. Configure the local RHEL system with the realm join command. The realmd suite edits all required configuration files automatically. For example, for a domain named ad.example.com:
# realm join ad.example.com
#—— join the domain with authconfig-tui: enable Winbind for both user information and authentication, then on the
#—— Winbind settings screen use the ads security model with domain FSHOME, domain controller fshome-ad and realm
#—— FSHOME.LOCAL, and choose Join Domain (the screenshots of these screens are not reproduced in this text)
#—— ignore the "No DNS name configured…" message printed after entering the password: it is a warning about the
#—— dynamic DNS update of the host record, not a join failure; net ads testjoin below confirms the join
#—— verify domain join
net ads testjoin
#—— verify AD server info
net ads info
#—— verify users are pulled from AD
wbinfo -u
#—— verify groups are pulled from AD
wbinfo -g
The listing shows each entry as DOMAIN\username, and the same for the groups. To drop the prefix:
#—— remove the DOMAIN prefixes from the users and the groups (sets "winbind use default domain = true" in smb.conf)
authconfig --enablewinbindusedefaultdomain --update
#—— verify the DOMAIN prefix no longer exists
wbinfo -u
wbinfo -g
###
### on the AD server run the dsquery * command to verify the
### Centos results correspond to AD
### for granularity run the following: dsquery ou, dsquery group, dsquery user
###
#—— allow auto-creation of home directories when domain users log in over ssh (pam_mkhomedir)
authconfig --enablemkhomedir --update
#—— allow auto-creation of home directories when domain users connect from Windows clients, which do not run the
#—— PAM session stack; instead Samba runs the script below as root on each connection to the [homes] share
touch /usr/local/sbin/mkhomedir.sh
vi /usr/local/sbin/mkhomedir.sh
——————— script start ———————–
#!/bin/bash
# Run by smbd as root (root preexec) with %U, the connecting user's name. Refuse an empty name
# or one containing a slash or ".." so nothing outside /home/FSHOME can ever be created or chowned.
user=$1
case "$user" in
    ''|*/*|.|..) exit 0 ;;
esac
if [ ! -e "/home/FSHOME/$user" ]; then
    mkdir -m 0700 "/home/FSHOME/$user"
    # the unprefixed group name works because "winbind use default domain" was enabled above
    chown "$user":"domain users" "/home/FSHOME/$user"
fi
exit 0
———————– script end ———————–
#—— set script permission: smbd runs it as root through root preexec, so it must stay owned by root (it was created
#—— as root by the touch above) and be writable by root only. The setuid bit does nothing on a shell script, and a
#—— group- or world-writable script here would let any local user run commands as root on the next Samba connection
chmod 0755 /usr/local/sbin/mkhomedir.sh
#—— verify the script permissions (expect -rwxr-xr-x root root)
ls -l /usr/local/sbin/mkhomedir.sh
Now the default Samba configuration needs changes in the [homes] section, so that a user's directory is created the first time they connect from Windows…
#—— setup smb.conf [homes] section: keep the stock "valid users = %S" and "browseable = No" lines (they limit each
#—— home share to its own user) and add the two lines below to the section
vi /etc/samba/smb.conf
[homes]
comment = Home Directories
inherit permissions = yes
root preexec = /usr/local/sbin/mkhomedir.sh %U
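Because root preexec hands smbd a script to run as root on every connection, the three things that matter most on this box are the permissions of that script, the permissions of /home/FSHOME, and whether the [homes] share still carries its valid users restriction. The audit below is an added example (not code from the original post) that checks all three; the default paths are the ones this post uses, and it reads modes with ls -ld so it needs nothing beyond a stock CentOS install.

```shell
#!/bin/bash
# Added audit for this setup (example code, not from the original post).
# smbd runs the "root preexec" script as root and the per-user homes are
# created as root, so neither the script nor /home/FSHOME may be writable
# by other users. Paths default to the ones assumed by this post.

# Permission string (e.g. -rwxr-xr-x) and owner of a path, parsed from ls -ld.
mode_string() { ls -ld "$1" | cut -c1-10; }
owner_of()    { ls -ld "$1" | awk '{ print $3 }'; }

# Returns 0 (true) when the group write bit (column 6) or the
# "other" write bit (column 9) is set.
writable_by_others() {
    m=$(mode_string "$1") || return 1
    [ "$(printf '%s' "$m" | cut -c6)" = w ] || [ "$(printf '%s' "$m" | cut -c9)" = w ]
}

# A root preexec script must exist, be owned by root and be writable only
# by root; otherwise a local user can edit it and have smbd run their
# commands as root on the next client connection.
audit_preexec_script() {
    script=${1:-/usr/local/sbin/mkhomedir.sh}
    rc=0
    [ -f "$script" ] || { echo "MISSING $script"; return 1; }
    if [ "$(owner_of "$script")" != root ]; then
        echo "BAD owner $(owner_of "$script") on $script (expected root)"; rc=1
    fi
    if writable_by_others "$script"; then
        echo "BAD mode $(mode_string "$script") on $script (group/world writable)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $script"
    return "$rc"
}

# /home/FSHOME only needs to be traversable (0755): pam_mkhomedir and the
# preexec script both create the per-user directory as root.
audit_home_root() {
    dir=${1:-/home/FSHOME}
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    if writable_by_others "$dir"; then
        echo "BAD mode $(mode_string "$dir") on $dir (expected 0755)"; return 1
    fi
    echo "OK $dir"
}

# The stock CentOS 7 [homes] share carries "valid users = %S", which limits
# each home share to its own user; make sure editing the section kept it.
# Exit status 0 means the line is present inside [homes].
audit_homes_section() {
    conf=${1:-/etc/samba/smb.conf}
    awk '
        /^[[:space:]]*\[/ { in_homes = (tolower($0) ~ /^[[:space:]]*\[homes\]/) }
        in_homes && /^[[:space:]]*valid users[[:space:]]*=/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# Run all three checks; non-zero exit means something needs fixing.
audit_all() {
    status=0
    audit_preexec_script "$1" || status=1
    audit_home_root "$2" || status=1
    if audit_homes_section "$3"; then
        echo "OK [homes] has valid users"
    else
        echo "BAD [homes] lacks valid users"; status=1
    fi
    return "$status"
}
```

Run it as root after the smb.conf edit (`audit_all` with no arguments uses the paths from this post); the script in the post as first written, with mode 0777, is exactly what `audit_preexec_script` is meant to catch.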
#—— reboot Centos
sync;reboot
#—— verify configuration still holds after reboot
net ads testjoin
net ads info
wbinfo -u
wbinfo -g
#—— log in from a Windows workstation and verify the user's directory is automatically created, and that files can be
#—— added and deleted
NOTE: if you are using a workstation that is not already a member of the domain, you will need to prefix the
username with the domain name, as in FSHOME\username
#—— Have Fun!
####
### tools/notes for reference
###
#—— dump a list of the authconfig settings
authconfig --test > authconfig.txt
#—— change the host name (use the fully qualified name in the AD domain)
hostnamectl set-hostname centos7-vb.fshome.local
#—— if the fileserver hostname is changed, rerun authconfig-tui to rejoin the domain with the new hostname
#—— (the computer account in AD is tied to the hostname)
#—— to restart the network interfaces
systemctl restart network.service
#—— show the IP address on the interface(s) (ifconfig comes from net-tools, installed above; ip addr works without it)
ifconfig
