Centos 6.3 Server Configuration.
-----------------------------------------------------
1. Installing and start named service for DNS resolution
# yum -y install bind bind-utils samba samba-winbind krb5-workstation pam_krb5 fprintd-pam
# service named start
# service smb start
# service nmb start
# chkconfig named on
# chkconfig smb on
# chkconfig nmb on
Note: Later we will enable winbind to map Windows and Linux users
# echo "192.168.1.121 ns.example.com ns" >> /etc/hosts
# sed -i 's/localhost.localdomain/ns/g' /etc/sysconfig/network
2. Adding the 7 dynamic zones required by AD 2008
a. ad.example.com
b. DomainDNSZones.example.com
c. ForestDNSZones.example.com
d. _udp.example.com
e. _tcp.example.com
f. _msdcs.example.com
g. _sites.example.com
# vim /etc/named.conf
#listen-on port 53 { 127.0.0.1; }; --> Comment this line out so named listens on all interfaces
allow-query { 192.168.1.0/24; };
Note: The first zone is added to resolve the second-level domain "example.com"
Note: allow-update { any; } accepts unauthenticated dynamic updates from every host that can reach the server; once the domain is up, restrict the ACL to the domain controller's address so only the DC can rewrite these zones
zone "example.com" in {
type master;
file "example.com.zone";
allow-update { any; };
};
zone "ad.example.com" in {
type master;
file "ad.example.com.zone";
allow-update { any; };
};
zone "DomainDNSZones.example.com" in {
type master;
file "DomainDNSZones.example.com.zone";
allow-update { any; };
};
zone "_udp.example.com" in {
type master;
file "_udp.example.com.zone";
allow-update { any; };
};
zone "_tcp.example.com" in {
type master;
file "_tcp.example.com.zone";
allow-update { any; };
};
zone "ForestDNSZones.example.com" in {
type master;
file "ForestDNSZones.example.com.zone";
allow-update { any; };
};
zone "_msdcs.example.com" in {
type master;
file "_msdcs.example.com.zone";
allow-update { any; };
};
zone "_sites.example.com" in {
type master;
file "_sites.example.com.zone";
allow-update { any; };
};
3. Then add the database files for each zone under /var/named/
For the second-level domain zone
# vim /var/named/example.com.zone
$TTL 86400
@ IN SOA ns.example.com. admin.example.com. (
        43 ; serial (d. adams)
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
        IN NS ns.example.com.
ns.example.com. IN A 192.168.1.121
Note: The record lines after the SOA must be indented; an unindented "IN NS" line is read as a record for an owner called "IN", and the zone then has no NS record at its apex
For the other 7 zones (identical apart from the zone name)
# vim /var/named/ad.example.com.zone
$TTL 86400
ad.example.com. IN SOA ns.example.com. admin.example.com. (
        42 ; serial (d. adams)
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
        IN NS ns.example.com.
$ORIGIN ad.example.com.
# vim /var/named/_tcp.example.com.zone
$TTL 86400
_tcp.example.com. IN SOA ns.example.com. admin.example.com. (
        42 ; serial (d. adams)
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
        IN NS ns.example.com.
$ORIGIN _tcp.example.com.
# vim /var/named/_udp.example.com.zone
$TTL 86400
_udp.example.com. IN SOA ns.example.com. admin.example.com. (
        42 ; serial (d. adams)
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
        IN NS ns.example.com.
$ORIGIN _udp.example.com.
# vim /var/named/_sites.example.com.zone
$TTL 86400
_sites.example.com. IN SOA ns.example.com. admin.example.com. (
        42 ; serial (d. adams)
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
        IN NS ns.example.com.
$ORIGIN _sites.example.com.
# vim /var/named/_msdcs.example.com.zone
$TTL 86400
_msdcs.example.com. IN SOA ns.example.com. admin.example.com. (
        42 ; serial (d. adams)
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
        IN NS ns.example.com.
$ORIGIN _msdcs.example.com.
# vim /var/named/DomainDNSZones.example.com.zone
$TTL 86400
DomainDNSZones.example.com. IN SOA ns.example.com. admin.example.com. (
        42 ; serial (d. adams)
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
        IN NS ns.example.com.
$ORIGIN DomainDNSZones.example.com.
# vim /var/named/ForestDNSZones.example.com.zone
$TTL 86400
ForestDNSZones.example.com. IN SOA ns.example.com. admin.example.com. (
        42 ; serial (d. adams)
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
        IN NS ns.example.com.
$ORIGIN ForestDNSZones.example.com.
4. Give named write access to /var/named, either by adding write permission for the group or by changing the ownership to the "named" user; both work
# chmod g+w /var/named
OR
# chown named:named /var/named
Note: If SELinux is enforcing, named also needs the named_write_master_zones boolean, otherwise it still cannot write the zone journals for dynamic updates
# setsebool -P named_write_master_zones on
5. Restart named service
# service named restart
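As an added example that is not part of the original post: a shell script that writes the parent zone and the seven AD subzone files plus their named.conf stanzas from one list (so the eight hand-typed copies above cannot drift), restricts dynamic updates to the domain controller's address instead of "any", and includes an audit function that lists zones in a named.conf still open to updates from anyone. The zone names, NS host and IP are the ones used in the steps above; the DC address, the output paths and the YYYYMMDDnn serial scheme are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): build the eight zone files and
# their named.conf stanzas from one list, and audit a named.conf for zones
# that accept dynamic updates from "any". Assumes the post's NS name/IP and
# zone names; DC address and output paths are caller-supplied parameters.
set -eu
NS_HOST="ns.example.com"
NS_IP="192.168.1.121"
PARENT="example.com"
# Subzone labels AD 2008 registers records under, as in the named.conf above.
AD_LABELS="ad DomainDNSZones ForestDNSZones _udp _tcp _msdcs _sites"

# Print the parent zone followed by the seven AD subzones, one per line.
zone_list() {
    local label
    printf '%s\n' "$PARENT"
    for label in $AD_LABELS; do printf '%s.%s\n' "$label" "$PARENT"; done
}

# Write one master zone file using the SOA/NS template from the post. Record
# lines are indented on purpose: an unindented "IN NS" makes BIND read "IN" as
# an owner name, leaving the zone without an NS record at its apex.
gen_zone() {   # $1 = zone name (no trailing dot), $2 = output directory
    local zone="$1" dir="$2"
    {
        printf '$TTL 86400\n'
        printf '%s. IN SOA %s. admin.%s. (\n' "$zone" "$NS_HOST" "$PARENT"
        printf '        %s ; serial (YYYYMMDDnn, assumed scheme)\n' "$(date +%Y%m%d01)"
        printf '        3H ; refresh\n        15M ; retry\n'
        printf '        1W ; expiry\n        1D ) ; minimum\n'
        printf '        IN NS %s.\n' "$NS_HOST"
        # Only the parent zone carries the address record for the name server.
        if [ "$zone" = "$PARENT" ]; then
            printf '%s. IN A %s\n' "$NS_HOST" "$NS_IP"
        fi
    } > "$dir/$zone.zone"
}

# Emit the named.conf stanza for one zone, restricting dynamic updates to the
# domain controller's address instead of the post's "allow-update { any; }".
gen_stanza() {   # $1 = zone name, $2 = DC IP address
    printf 'zone "%s" in {\n    type master;\n    file "%s.zone";\n' "$1" "$1"
    printf '    allow-update { %s; };\n};\n' "$2"
}

# Generate every zone file into $1 and append every stanza to $2 using DC $3.
gen_all() {
    local dir="$1" conf="$2" dc="$3" zone
    mkdir -p "$dir"
    for zone in $(zone_list); do
        gen_zone "$zone" "$dir"
        gen_stanza "$zone" "$dc" >> "$conf"
    done
}

# Print the name of every zone in a named.conf whose allow-update ACL is "any".
audit_open_updates() {   # $1 = path to named.conf
    awk '/^[ \t]*zone[ \t]+"/ { z = $2; gsub(/"/, "", z) }
         /allow-update[ \t]*[{][ \t]*any[ \t]*;/ { print z }' "$1"
}
```

Run gen_all with the zone directory, the named.conf fragment to append to and the DC address, then run audit_open_updates against the live /etc/named.conf to confirm no zone is still open to "any".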
WIN 2008 Server Configuration.
----------------------------------------------------
1. Make sure that the server's DNS points to 192.168.1.121
2. Run dcpromo from the command prompt
Note: Accept the default configuration except for the following:
Create a new domain in a new forest
In "Name the Forest Root Domain" enter ad.example.com. After the installation finishes, restart the server
Centos 6.3 Server Configuration.
--------------------------------
Now you should be able to resolve ad.example.com from your local DNS, and it should point to the AD IP
1. Configure Kerberos as follows
# vim /etc/krb5.conf
[libdefaults]
default_realm = AD.EXAMPLE.COM
#dns_lookup_realm = false
#dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
AD.EXAMPLE.COM = {
kdc = win2008.ad.example.com:88
admin_server = win2008.ad.example.com:464
}
[domain_realm]
.win2008.ad.example.com = AD.EXAMPLE.COM
win2008.ad.example.com = AD.EXAMPLE.COM
Note: win2008 is the hostname of the AD machine
To test Kerberos authentication
# kinit administrator --> if it asks for a password that is a good sign; enter the Windows Server 2008 administrator password
Note: If you get the message "kinit: Clock skew too great while getting initial credentials" then you have to configure NTP as follows
# yum install ntp
# /etc/init.d/ntpd start
# chkconfig ntpd on
# ntpdate -u 192.168.1.87 (the Windows 2008 server) --> Repeat it until the reported offset becomes small
3. Configure Samba
# vim /etc/samba/smb.conf
# Set the following in the [global] section
workgroup = AD
realm = AD.EXAMPLE.COM
security = ADS
# service smb restart
# service nmb restart
4. Join samba server to AD
# net ads join -U administrator
Note: Configure the FQDN of the server properly, e.g. samba.example.com or ns.example.com, since this server acts as both the Samba and the DNS server
At this point, since we use ADS mode, we can only authenticate through Kerberos, which means the local /etc/passwd is used only to map user information such as UID and GID. That would require duplicating users on both sides (Samba server and AD server). This is where winbind comes into play: winbind maps users between the Samba server and the AD server and avoids the duplication
5. Configure winbind to enable AD users to connect to samba server share
# vim /etc/samba/smb.conf
#Add the following at Global section
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = No
# service winbind start
# chkconfig winbind on
# wbinfo -u --> Lists the users available in AD
Note: If wbinfo doesn't list the AD users, restart smb, nmb and winbind and make sure the Samba machine is joined to AD
# vim /etc/nsswitch.conf
#add winbind to passwd and group
passwd: files winbind
group: files winbind
# getent passwd --> Lists all users available to the system (local and AD)
Now create a user in AD that doesn't exist on the Samba server and establish an IPC$ session with the Samba server to access its share
From the Windows command prompt
net use \\<NetBIOS name of samba server>\IPC$ /user:newuser
6. Configure winbind and PAM to enable AD users authentication in samba server
# vim /etc/samba/smb.conf
# Add the following lines in the [global] section
template shell = /bin/bash
winbind use default domain = Yes --> This option is useful if you have one domain; to log in to another domain use the "Domain\\User" format
# vim /etc/pam.d/system-auth --> it should look like the following
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib64/security/pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient /lib64/security/pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required /lib64/security/pam_mkhomedir.so skel=/etc/skel umask=0027
# vim /etc/pam.d/password-auth --> it should look like the following
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib64/security/pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] /lib64/security/pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient /lib64/security/pam_winbind.so use_first_pass
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Now try su and ssh
# ssh administrator@localhost
# su - administrator
Note: Here we didn't use the "Domain\\User" format because we have only one domain and enabled the "winbind use default domain" option in smb.conf; otherwise use
# ssh AD\\administrator@localhost
# su - AD\\administrator