May 25, 2015 | pfongsam | CentosAD, Centos, Winbind

Had a need for CentOS and AD integration. Searched the Web for examples of CentOS+Samba+Winbind; however, none fit the bill, so I ended up crafting my own. So here is a quick and tested verbatim method of integrating CentOS 7.x into an Active Directory domain by using Winbind. The steps provided here are not commented in detail. The assumption is that you already know your way around Linux and the vi editor and, of course, Active Directory. However, there are validation steps along the way to ensure things are working up to that point.

Start off with a CentOS 7 minimal install. I used VirtualBox as a quick and easy test/prototype platform before rolling out to a “production” platform. Configure a hostname and set a static IP address. Be sure /etc/resolv.conf points to the AD server as the nameserver.

In the example below, my Active Directory domain is FSHOME, my domain is fshome.local, and my AD server FQDN is fshome-ad.fshome.local. To get going even faster, just cut and paste the commands below, of course changing any of my name references to yours as applicable.
#
# Centos 7.x fileserver with AD authentication of users :: revision 5/1/2015
#
#—— turn off the firewall
# (fine for the test VM; on a production host, open only the Samba ports instead of disabling the firewall)
systemctl stop firewalld.service
systemctl disable firewalld.service
#—— check selinux status and turn off as necessary
sestatus
# vi /etc/selinux/config and change to SELINUX=disabled
#—— install auxiliary packages (these will be useful)
yum -y install chrony
yum -y install bind-utils
yum -y install net-tools
#—— verify Centos can resolve the AD server
nslookup fshome-ad
#—— verify Centos can reach the AD server
ping fshome-ad

Basic steps and validation tests are out of the way, so moving on…

#—— setup time synchronization to the AD: set the server pool to include the AD
vi /etc/ntp.conf
# add the AD server to the ntp server pool, e.g., server fshome-ad.fshome.local
# (chrony, installed above, reads /etc/chrony.conf rather than /etc/ntp.conf; the server line has the same form)
#—— create the home directory for the domain users; note name capitalization
mkdir /home/FSHOME
chmod 0777 /home/FSHOME
# (0755 suffices here: the per-user directories are created by root, either by the PAM mkhomedir module at login or by the Samba root preexec script below)
#—— install the necessary packages
yum -y install samba samba-winbind*
yum -y install authconfig*
# (authconfig is the tool used in the steps below; authselect only exists on later releases)
#—— verify the time can be pulled from the AD server
net time -S fshome-ad
#—— sync the time to the AD server
net time set -S fshome-ad
#—— start and enable the services to run at boot time: chronyd, smb, winbind
systemctl start chronyd
systemctl enable chronyd
systemctl start smb
systemctl enable smb
systemctl start winbind
systemctl enable winbind
#—— verify that chronyd, smb, and winbind are indeed enabled to start at boot time
systemctl list-unit-files --type=service | grep enabled
#—— setup winbind authentication
1. Install the following packages:
# yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
2. To display information for a specific domain, run realm discover and add the name of the domain you want to discover:
# realm discover ad.example.com
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
The realmd system uses DNS SRV lookups to find the domain controllers in this domain automatically.
NOTE: The realmd system can discover both Active Directory and Identity Management domains. If both domains exist in your environment, you can limit the discovery results to a specific type of server using the --server-software=active-directory option.
3. Configure the local RHEL system with the realm join command. The realmd suite edits all required configuration files automatically. For example, for a domain named ad.example.com:
# realm join ad.example.com
Note that realm join configures sssd as the client software by default (see the client-software line in the discover output); the winbind checks and authconfig steps that follow assume winbind, which realm join can be told to use with the --client-software=winbind option.
#—— configure as shown in the following graphics
#—— ignore the “No DNS name configured…” error after entering the password
#—— verify domain join
net ads testjoin
#—— verify AD server info
net ads info
#—— verify users are pulled from AD
wbinfo -u
#—— verify groups are pulled from AD
wbinfo -g
The listing will show the output as DOMAIN/username. Same with the groups.
So to fix that:
#—— remove the DOMAIN prefixes from the users and the groups
authconfig --enablewinbindusedefaultdomain --update
#—— verify the DOMAIN prefix no longer exists
wbinfo -u
wbinfo -g
###
### on the AD server run the dsquery * command to verify the
### Centos results correspond to AD
### for granularity run the following: dsquery ou, dsquery group, dsquery user
###
#—— allow auto-creation of home directories on ssh user login
authconfig --enablemkhomedir --update
#—— allow auto-creation of home directories on Windows client login by using a script for the same
# create the script as shown below
touch /usr/local/sbin/mkhomedir.sh
vi /usr/local/sbin/mkhomedir.sh
——————— script start ———————
#!/bin/bash
# called by smbd as root from the [homes] root preexec hook, with %U (the session username) as $1
# refuse an empty or path-like argument, since this root-run script builds a path from it
case "$1" in ""|*/*) exit 1 ;; esac
if [ ! -e "/home/FSHOME/$1" ]; then
    mkdir -m 0700 "/home/FSHOME/$1"
    chown "$1":"domain users" "/home/FSHOME/$1"
fi
exit 0
——————— script end ———————
#—— set script ownership and permission
chown root:root /usr/local/sbin/mkhomedir.sh
chmod 0755 /usr/local/sbin/mkhomedir.sh
# (smbd executes this script as root, so it must not be writable by group or others; the setuid bit has no effect on scripts and should not be set)
#—— verify the script permissions
ls -l /usr/local/sbin/mkhomedir.sh

Now we need to make changes to the default Samba configuration in the [homes] section…

#—— setup smb.conf [homes] section
vi /etc/samba/smb.conf
[homes]
comment = Home Directories
…
inherit permissions = yes
root preexec = /usr/local/sbin/mkhomedir.sh %U
#—— reboot Centos
sync;reboot
#—— verify configuration still holds after reboot
net ads testjoin
net ads info
wbinfo -u
wbinfo -g
#—— login from a Windows workstation and verify the user’s directory is automatically created, and files can be added and deleted
NOTE: if you are using a workstation that is not already domain enabled for logins, you will need to prefix the username with the DOMAIN name as shown below
#—— Have Fun!
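As an added example (not code from the original post), a small Python audit of the [homes] hook configured above: it pulls every preexec/postexec command out of an smb.conf fragment and checks that the script smbd will run as root is root-owned, not group/other-writable and not setuid, which is exactly what a chmod u=rwsx,g=rwx,o=rwx on the script would violate. The smb.conf text and the stand-in script the demo audits are constructed; the path /usr/local/sbin/mkhomedir.sh is the one from the post.

```python
import os
import stat
import tempfile

# Constructed smb.conf fragment mirroring the page's [homes] section, not the real file.
SAMPLE_SMB_CONF = """
[homes]
   inherit permissions = yes
   root preexec = /usr/local/sbin/mkhomedir.sh %U
"""
HOOK_KEYS = ("root preexec", "root postexec", "preexec", "postexec")

def find_hook_scripts(conf_text):
    """Map (section, key) -> command path for every *exec hook in smb.conf text."""
    hooks, section = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in HOOK_KEYS and value:
                hooks[(section, key.lower())] = value.split()[0]  # drop %U etc.
    return hooks

def audit_hook_script(path):
    """Findings for a script that smbd runs as root from a *exec hook."""
    st = os.stat(path)
    mode, findings = stat.S_IMODE(st.st_mode), []
    if st.st_uid != 0:
        findings.append("owner: not owned by root (uid %d)" % st.st_uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable: group/other can edit a root-executed script")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid: bit is ignored on scripts and should be removed")
    return findings

def demo():
    """Audit a stand-in script with the page's chmod u=rwsx,g=rwx,o=rwx (4777), then 0755."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    os.close(fd)
    try:
        results = []
        for mode in (0o4777, 0o755):
            os.chmod(path, mode)
            results.append(audit_hook_script(path))
    finally:
        os.unlink(path)
    return results
```

Running find_hook_scripts over the real /etc/samba/smb.conf and feeding each path to audit_hook_script is a quick post-setup check; an "owner" finding will also appear in the demo when it is run as a non-root user, since the temporary file belongs to that user.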
####
### tools/notes for reference
###
#—— dump a list of the authconfig settings
authconfig --test > authconfig.txt
#—— change the host name
hostnamectl set-hostname centos7-vb.fshome.local
#—— if the fileserver hostname is changed, rerun authconfig-tui to rejoin the domain with the new hostname
#—— to restart the network interfaces
systemctl restart network.service
#—— show the IP address on the interface(s)
ifconfig