Wednesday, February 29, 2012

CentOS/RHEL AD Authentication

Most of the research for this was done by Cooby and found in this article

http://blog.skinkers.com/2010/07/28/how-to-use-winbind-to-authenticate-against-ad-on-rhelcentos-5-x-automated-scripts/

The author of the article gets the credit; I'm just going to add some notes and clarification for the spots where I got stuck. I recently set this up with an Amazon Linux instance authenticating against a Windows domain built on Amazon EC2. A few tweaks were needed. Nothing major, but something I would like to share and do not want to forget in the future.

Build an Amazon Linux instance from the Amazon AMIs. Connect to the instance as ec2-user with the ssh key. Run yum update for the latest packages.

Do the following as root or use sudo

1) Add the CentOS Base Repo (samba packages are currently not available in the preconfigured Amazon Linux repos)
vi /etc/yum.repos.d/centos.repo
[centOS]
name=CentOS-6 Base
baseurl=http://mirror.centos.org/centos/6/os/x86_64/
enabled=1
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/6/os/x86_64/RPM-GPG-KEY-CentOS-6

2) yum install nscd samba samba-common samba-client samba-winbind

3) vi /etc/hosts
10.0.0.1    dc01.example.local dc01

4) Change the hostname. Amazon Linux by default will have a hostname like ip-10-248-246-135.
That is more than 15 characters and is too long for a NetBIOS name when joining Active Directory.
vi /etc/sysconfig/network
Change HOSTNAME=localhost.localdomain to a name shorter than 15 characters

5) Run authconfig-tui
Authentication Configuration - check Cache Information, Use Winbind, Use MD5 Passwords, Use Shadow Passwords, Use Winbind Authentication
Winbind Settings - check ads; type the short name of the domain (example.com needs to be entered as just example in this field); enter the FQDN of the domain controllers; ADS realm is the FQDN of the primary DC; check /bin/bash
Click on Join Domain
Enter credentials for a domain administrator and make sure the server successfully joined the domain

6) vi /usr/local/bin/bash-wrapper, then make it executable with chmod +x
#!/bin/sh

# This script restricts shell access to privileged users. The "template shell"
# option in the '/etc/samba/smb.conf' file should be set to call this wrapper.

# Get group memberships for this user.
BFN_ID=$(/usr/bin/id)

# Grant shell access to users that are in the local wheel group.
if /bin/echo "$BFN_ID" | /bin/grep -P '[=,][0-9]{1,8}\(wheel\)' > /dev/null
then
exec /bin/bash --login "$@"
fi

# Grant shell access to users that are in the domain administrators group.
if /bin/echo "$BFN_ID" | /bin/grep -P '[=,][0-9]{1,8}\(domain\ admins\)' > /dev/null
then
exec /bin/bash --login "$@"
fi

# Else print a notice and exit with a non-zero status so the denied login is not reported as a clean exit.
echo "Shell access to this computer is disabled."
exit 1

# eof

7) vi ad-phase2.sh, then make it executable with chmod +x
#!/bin/sh
# ad-phase2.sh - Phase 2
# Author: Max Sanna
# Description: This script automates the process of joining a linux box
# to an AD domain. The process is divided in two parts.
#
# Please edit the relevant parts of the script below prior to running it
 
# This block doesn't need to be edited
#sed -i 's%protocols:  files%protocols:  files winbind%g' /etc/nsswitch.conf
#sed -i 's%rpc:        files%rpc:        files winbind%g' /etc/nsswitch.conf
#sed -i 's%netgroup:   files%netgroup:   files winbind%g' /etc/nsswitch.conf
#sed -i 's%automount:  files%automount:  files winbind%g' /etc/nsswitch.conf
 
# The following line allows users to logon without the ugly EXAMPLE\user syntax
#sed -i 's%winbind use default domain = false%winbind use default domain = true%g' /etc/samba/smb.conf
 
# More parameters to make life easier with UID and GID correspondences
#sed -i 's%   template shell = /bin/bash%   template shell = /usr/local/bin/bash-wrapper%g' /etc/samba/smb.conf
#sed -i '/   winbind offline logon = false/a   winbind enum users = true' /etc/samba/smb.conf
#sed -i '/winbind enum users = true/a   winbind enum groups = true' /etc/samba/smb.conf
#sed -i '/winbind enum groups = true/a   winbind cache time = 5' /etc/samba/smb.conf
#sed -i '/winbind cache time = 5/a    winbind nested groups = true' /etc/samba/smb.conf
 
# This line will allow for home folders to be created in /home/DOMAIN/username upon first login
#echo "session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth
 
# The following line will allow all the users within the Domain Admins group to sudo on the server
#echo "%domain\ admins ALL=(ALL)       ALL" >> /etc/sudoers
 
# Replace "base OU=Users,DC=example,DC=com" with the container of the users you want to allow on the box
sed -i 's%base dc=example,dc=com%base OU=Users,DC=example,DC=com%g' /etc/openldap/ldap.conf
 
service winbind restart
service nscd restart

8) Restart the instance

9) Try to log in
ssh user@instance.DNS or ssh domain\\user@instance.DNS
The home directory should be created automatically on first login - /home/domain/user

10) Troubleshooting
Watch for any messages or errors along the way, and make sure the instance has actually joined the domain.
Make sure winbind is running - ps ax | grep winbind
There are differences between Linux distributions and slight changes from the original post.
Example - samba-winbind is a relatively new package and is required.
Another example - in ad-phase2.sh, ldap.conf is located at /etc/openldap instead of directly under /etc as in the original script.
Time is a critical part of AD authentication. By default Amazon Windows and Linux instances talk to the Amazon NTP servers; I leave this as is and do not change any of it, but the servers must be in sync or AD authentication will fail.
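A small pre-flight script that covers the three places I got stuck above (the 15-character NetBIOS limit from step 4, the bash-wrapper decision from step 6, and the clock-sync requirement from step 10). This is an added example, not part of the original post or the scripts it links to; the pure check functions take their input as arguments so they can be exercised with constructed `id` output and sample timestamps, and the driver at the bottom only runs when the file is executed directly on a joined box. The 300-second tolerance is the standard Kerberos clock-skew default.

```shell
#!/bin/sh
# ad-precheck.sh - added example, not part of the original post or Max Sanna's scripts.
# Pure check functions first (testable offline), then a small driver for a real host.

# NetBIOS computer names are limited to 15 characters (step 4); also reject characters
# that AD will not accept in a computer name.
netbios_ok() {
    name=$1
    [ ${#name} -ge 1 ] && [ ${#name} -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# The same decision the bash-wrapper (step 6) makes, applied to captured 'id' output
# passed as $1. Written as an ERE so it also works where grep -P (PCRE) is absent.
shell_allowed() {
    printf '%s\n' "$1" | grep -Eq '[=,][0-9]{1,8}\((wheel|domain admins)\)'
}

# Kerberos rejects tickets when clocks differ by more than 5 minutes (300 s default).
# $1 and $2 are epoch seconds for this host and for the domain controller.
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - $diff ))
    [ "$diff" -le 300 ]
}

# Driver: runs only when executed as ad-precheck.sh, not when sourced by a test.
if [ "${0##*/}" = "ad-precheck.sh" ]; then
    h=$(hostname -s)
    if netbios_ok "$h"; then echo "hostname '$h' OK for NetBIOS"
    else echo "hostname '$h' is too long or invalid for NetBIOS (see step 4)"; fi
    if shell_allowed "$(id)"; then echo "bash-wrapper would grant a shell to $(id -un)"
    else echo "bash-wrapper would deny a shell to $(id -un)"; fi
    if pgrep -x winbindd >/dev/null; then echo "winbindd running"
    else echo "winbindd NOT running (service winbind restart)"; fi
    # wbinfo -t checks the machine trust secret; it only succeeds once the box is joined.
    if command -v wbinfo >/dev/null; then wbinfo -t || echo "trust check failed: not joined?"; fi
fi
```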
