Your /etc/pam.d/system-auth is created with the command “authconfig” on a RHEL5 machine, though you may have to edit it manually on other distributions:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
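To see why the auth stack above is ordered the way it is (two sufficient modules bracketed by a required pam_env and a final pam_deny), here is a small simulator of PAM's control-flag semantics. It is an added example, not code from the original post or from Linux-PAM; it uses the simplified rules from pam.conf(5) and takes the module outcomes from a hand-written dictionary, so nothing is really authenticated.

```python
"""Simulate how PAM evaluates the auth stack from the system-auth above.

Added example, not from the original post or from Linux-PAM. Implements the
simplified control-flag rules from pam.conf(5):
  required   - a failure is remembered, but later modules still run
  requisite  - a failure ends the stack immediately
  sufficient - a success ends the stack with success, unless a required
               module has already failed; a failure is ignored
  optional   - only matters if no other module produced a result
"""
import re

# Constructed copy of the auth lines from the system-auth shown above.
SYSTEM_AUTH = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
"""

# The same stack with its final pam_deny line removed, to show why it is there.
WITHOUT_DENY = SYSTEM_AUTH.replace("auth required /lib/security/$ISA/pam_deny.so\n", "")


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one PAM facility, skipping
    comments and the lines that belong to other facilities."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != facility:
            continue
        control, path, args = parts[1], parts[2], parts[3:]
        module = re.sub(r"\.so$", "", path.rsplit("/", 1)[-1])
        stack.append((control, module, args))
    return stack


def evaluate(stack, outcomes):
    """Walk the stack and return True (allow) or False (deny).

    `outcomes` maps a module name to the result it would return; pam_deny
    and pam_permit are fixed, and an unlisted module is treated as failing.
    """
    failed_required = False
    any_success = False
    for control, module, _args in stack:
        if module == "pam_deny":
            ok = False
        elif module == "pam_permit":
            ok = True
        else:
            ok = outcomes.get(module, False)

        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed_required = True
        if control == "sufficient" and ok and not failed_required:
            return True
        any_success = any_success or ok
    # Reached the end without a decisive module: the stack succeeds only if
    # no required module failed and at least one module actually succeeded.
    return any_success and not failed_required


SCENARIOS = {
    "local password correct": {"pam_env": True, "pam_unix": True},
    "local wrong, AD password correct": {"pam_env": True, "pam_unix": False, "pam_krb5": True},
    "both passwords wrong": {"pam_env": True, "pam_unix": False, "pam_krb5": False},
    "pam_env failed, local correct": {"pam_env": False, "pam_unix": True},
}


def run_scenarios(text=SYSTEM_AUTH):
    """Evaluate every scenario against the given stack; returns {name: bool}."""
    stack = parse_stack(text)
    return {name: evaluate(stack, outcomes) for name, outcomes in SCENARIOS.items()}


if __name__ == "__main__":
    for label, text in (("with pam_deny", SYSTEM_AUTH), ("without pam_deny", WITHOUT_DENY)):
        print(label)
        for name, result in run_scenarios(text).items():
            print(f"  {name:35} -> {'allow' if result else 'deny'}")
```

Running the scenarios shows that either the local or the AD password alone is enough, that a failure of the required pam_env stops a later sufficient success from short-circuiting the stack, and, with the pam_deny line removed, that two failed sufficient modules after a successful pam_env would still let the login through: a required module's success stands as the stack's result unless something later overrides it, which is exactly what the trailing pam_deny is for.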
Your /etc/krb5.conf should look something like this. Your system time must be accurate (within the clockskew set below) or Kerberos authentication will not work correctly.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.DOMAIN.EDU
 clockskew = 300
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 UFL.EDU = {
  kdc = DC01.AD.DOMAIN.EDU
  default_domain = DOMAIN.EDU
 }
 AD.DOMAIN.EDU = {
  kdc = ad.domain.edu
  admin_server = ad.domain.edu
 }

[domain_realm]
 .domain.edu = DOMAIN.EDU
 domain.edu = DOMAIN.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Next you need to run kinit to make sure that you can contact the Kerberos server; if it returns without an error, you should be good.
$ kinit
Password for rsreese@AD.DOMAIN.EDU: blahblah
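kinit is the live test; the parser and checks below are an offline one for the same file, added here as an example and not taken from the original post or from MIT Kerberos. The parser handles the one level of `name = { ... }` nesting that [realms] and [appdefaults] use, and the checks cover what most often breaks a pasted krb5.conf: a default_realm with no stanza, a missing KDC while dns_lookup_kdc is off, a clockskew widened past the 300-second library default, and a [domain_realm] mapping to a realm that is never defined. Run against the file as the post shows it, that last check reports both [domain_realm] entries, which map to DOMAIN.EDU while [realms] defines UFL.EDU and AD.DOMAIN.EDU.

```python
"""Parse and sanity-check a krb5.conf before running kinit.

Added example, not from the original post or from MIT Kerberos.
"""

# Constructed copy of the relevant sections of the krb5.conf shown above.
KRB5_CONF = """\
[libdefaults]
 default_realm = AD.DOMAIN.EDU
 clockskew = 300
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 UFL.EDU = {
  kdc = DC01.AD.DOMAIN.EDU
  default_domain = DOMAIN.EDU
 }
 AD.DOMAIN.EDU = {
  kdc = ad.domain.edu
  admin_server = ad.domain.edu
 }
[domain_realm]
 .domain.edu = DOMAIN.EDU
 domain.edu = DOMAIN.EDU
[appdefaults]
 pam = {
  renew_lifetime = 36000
  forwardable = true
 }
"""

# The same file with [domain_realm] pointing at a realm that [realms] defines.
KRB5_CONF_FIXED = (KRB5_CONF
                   .replace(" .domain.edu = DOMAIN.EDU", " .domain.edu = AD.DOMAIN.EDU")
                   .replace(" domain.edu = DOMAIN.EDU", " domain.edu = AD.DOMAIN.EDU"))


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}}.

    `stack` holds the dict currently being filled: the section itself, or a
    `name = {` sub-block pushed on top of it until its closing `}`.
    """
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError(f"directive outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def lint_krb5(conf, max_skew=300):
    """Return a list of human-readable problems; empty when the file is clean."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] stanza")

    # The KDC rejects requests whose timestamp is off by more than clockskew
    # seconds; raising it above the library default hides a clock problem.
    skew = libdefaults.get("clockskew")
    if skew is None:
        findings.append("clockskew not set (library default is 300s)")
    elif int(skew) > max_skew:
        findings.append(f"clockskew {skew}s exceeds {max_skew}s")

    # With DNS lookup disabled, every realm must list its KDC explicitly.
    if libdefaults.get("dns_lookup_kdc", "true").lower() == "false":
        for name, stanza in realms.items():
            if "kdc" not in stanza:
                findings.append(f"realm {name} has no kdc and dns_lookup_kdc is false")

    # Every hostname-to-realm mapping must point at a realm that is defined.
    for host, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {host} to {realm}, which has no [realms] stanza")
    return findings


if __name__ == "__main__":
    for label, text in (("as shown", KRB5_CONF), ("fixed", KRB5_CONF_FIXED)):
        print(label, lint_krb5(parse_krb5_conf(text)) or "ok")
```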
Next, set up two cron entries to keep the time up to date and the Kerberos ticket renewed:
$ sudo crontab -e
0 23 * * 1,3,5 /usr/sbin/ntpdate time.nrc.ca
0 */4 * * * kinit -R
The /etc/samba/smb.conf file needs to be set up.
# grep -Ev '#|;|^$' /etc/samba/smb.conf
[global]
 workgroup = UFAD
 realm = AD.DOMAIN.EDU
 server string = SRVV-SERV
 hosts allow = 10.242. 10.228.
 load printers = no
 log file = /var/log/samba/%m.log
 max log size = 50
 security = ads
 idmap uid = 10000 - 20000
 idmap gid = 10000 - 20000
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /home/%U
 template shell = /bin/bash
 client use spnego = yes
 winbind use default domain = no
 encrypt passwords = yes
 smb passwd file = /etc/samba/smbpasswd
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 local master = no
 dns proxy = no

[homes]
 comment = %U Home Directory
 browseable = no
 path = %H
 valid users = %U
 writable = yes
 create mode = 0664
 directory mode = 0775

[printers]
 comment = All Printers
 path = /var/spool/samba
 browseable = no
 guest ok = no
 writable = no
 printable = yes
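The settings in that file that decide who can reach the shares and how domain accounts map onto local UIDs are easy to get wrong, so here is a parser and a check for them. It is an added example, not code from the original post or from the Samba project; the configuration it reads is a constructed excerpt of the file above beside a constructed weak variant, and the UID threshold of 1000 is an assumption to keep the idmap range clear of locally created accounts. Samba ignores case and whitespace in parameter names, so the parser normalizes keys the same way before comparing them.

```python
"""Parse smb.conf and flag settings that weaken an AD-joined member server.

Added example, not from the original post or from the Samba project.
"""
import re

# Constructed excerpt of the [global] and [homes] sections shown above.
SMB_CONF = """\
[global]
 workgroup = UFAD
 realm = AD.DOMAIN.EDU
 hosts allow = 10.242. 10.228.
 security = ads
 idmap uid = 10000 - 20000
 idmap gid = 10000 - 20000
 winbind enum users=yes
 winbind enum groups=yes
 template homedir = /home/%U
 winbind use default domain = no
 encrypt passwords = yes
[homes]
 comment = %U Home Directory
 browseable = no
 path = %H
 valid users = %U
 writable = yes
"""

# Constructed weak variant: not a domain member, cleartext passwords, open
# to every network, idmap range colliding with local UIDs, a guest share.
WEAK_SMB_CONF = """\
[global]
 workgroup = UFAD
 security = user
 encrypt passwords = no
 idmap uid = 500 - 20000
[public]
 path = /srv/public
 guest ok = yes
"""


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}}; keys are lower-cased with
    all whitespace removed, matching how Samba compares parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1).lower(), {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        section[re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def parse_range(value):
    """'10000 - 20000' -> (10000, 20000)."""
    low, high = (int(x) for x in value.replace(" ", "").split("-"))
    return low, high


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint_smb_conf(conf, min_domain_uid=1000):
    """Return a list of findings; empty when nothing looks wrong."""
    findings = []
    g = conf.get("global", {})
    if g.get("security", "user").lower() != "ads":
        findings.append("security is not 'ads': server is not authenticating against the domain")
    if not is_yes(g.get("encryptpasswords", "yes")):
        findings.append("encrypt passwords = no: clients may send cleartext passwords")
    if "hostsallow" not in g:
        findings.append("no 'hosts allow': shares are reachable from any network")
    for key in ("idmapuid", "idmapgid"):
        if key in g:
            low, _high = parse_range(g[key])
            if low < min_domain_uid:
                findings.append(f"{key} range starts at {low}, overlapping local ids below {min_domain_uid}")
    for name, share in conf.items():
        if name != "global" and is_yes(share.get("guestok", "no")):
            findings.append(f"[{name}] allows guest access")
    return findings


if __name__ == "__main__":
    print("as shown:", lint_smb_conf(parse_smb_conf(SMB_CONF)) or "ok")
    print("weak:    ", lint_smb_conf(parse_smb_conf(WEAK_SMB_CONF)))
```

The excerpt of the post's own configuration comes back clean; the weak variant produces one finding per mistake, which is the shape a check like this should have when it runs against a pasted file.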
Now add the computer object to the domain via the Active Directory “Users and Computers” tool.
You need to join the Linux machine to the domain. First create an account on the domain for the machine, as mentioned above, or this will fail.
# net ads join -U administrator
SELinux needs to be told to let Samba play nicely:
# setsebool -P samba_enable_home_dirs=1
~~~~~~~~~~~~~~~~~~~ NOT NEEDED ~~~~~~~~~~~~~~~~~~~~~~~~
The /etc/ldap.conf looks like this:
host 10.241.28.100
base dc=domain,dc=edu
uri ldap://ad.domain.edu/
binddn rsreese@domain.edu
bindpw
scope sub
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_lookup_policy yes
nss_base_passwd dc=edu?sub
nss_base_shadow dc=edu?sub
nss_base_group dc=edu?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
~~~~~~~~~~~~~~~~~~~ NOT NEEDED ~~~~~~~~~~~~~~~~~~~~~~~~
Next I edit /etc/nsswitch.conf to add LDAP support:
passwd: files ldap
shadow: files
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus