You can read about the AD setup in Part 1 and the RHEL 6 configuration in Part 2.
I have performed a customized RHEL 5 installation, removing Desktop Environments, Applications, Printer Servers and reset the run level to 3.
yum install samba3x-winbind (you don't need samba for authentication)
Run authconfig-tui --enablemkhomedir to configure winbind and set the following options:
user information: use winbind
authentication: winbind
winbind domain: MY
security model: ads
winbind ads realm: MY.DOM
winbind domain controllers: dc.my.dom
template shell: /bin/bash
Don't click join domain at this stage.
When the wizard completes it will attempt to start winbind and fail. We haven't finished configuring yet so this is fine.
Remove the existing configuration databases: rm -f /var/lib/samba/*
Modify /etc/samba/smb.conf with the following options. This will map all AD users & groups into the range 100000-199999.
workgroup = MY
password server = dc1.my.dom
realm = MY.DOM
security = ads
idmap config * : backend = tdb
idmap config * : range = 200000-299999
idmap config my:backend = rid
idmap config my:range = 100000-199999
idmap config my:base_rid = 0
idmap uid = 100000-299999
idmap gid = 100000-299999
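As an added example (not part of the original post), this script predicts the UID/GID that the idmap rid backend will hand out for an AD SID under the ranges configured above, and checks that the domain range and the default "*" range do not overlap. The SIDs in it are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: predicts the UID/GID the idmap
# "rid" backend will hand out for an AD SID under the smb.conf ranges above,
# and checks that the domain range and the default "*" range do not overlap.
# The SIDs at the bottom are constructed sample values.

DOM_LOW=100000; DOM_HIGH=199999; DOM_BASE_RID=0   # idmap config my:range / base_rid
DEF_LOW=200000; DEF_HIGH=299999                    # idmap config * : range

# The last dash-separated component of a SID is its RID (e.g. ...-1105 -> 1105).
sid_to_rid() {
    printf '%s\n' "${1##*-}"
}

# rid backend formula: id = range_low + (rid - base_rid).
# Prints the id, or prints nothing and returns 1 when it falls outside the
# range (winbind then has no mapping for that object, so the user cannot log in).
rid_to_id() {
    id=$(( DOM_LOW + $1 - DOM_BASE_RID ))
    if [ "$id" -lt "$DOM_LOW" ] || [ "$id" -gt "$DOM_HIGH" ]; then
        return 1
    fi
    printf '%s\n' "$id"
}

# Returns 0 (true) when the two ranges overlap; overlapping ranges let two
# backends assign the same id to different objects.
ranges_overlap() {
    [ "$DOM_LOW" -le "$DEF_HIGH" ] && [ "$DEF_LOW" -le "$DOM_HIGH" ]
}

# Constructed sample SIDs: an ordinary domain user and a high-RID object.
for sid in S-1-5-21-1111111111-2222222222-3333333333-1105 \
           S-1-5-21-1111111111-2222222222-3333333333-250000; do
    rid=$(sid_to_rid "$sid")
    if id=$(rid_to_id "$rid"); then
        echo "$sid -> rid $rid -> id $id"
    else
        echo "$sid -> rid $rid -> NO MAPPING (outside $DOM_LOW-$DOM_HIGH)"
    fi
done
if ranges_overlap; then
    echo "WARNING: domain range overlaps the default '*' range"
else
    echo "ranges ok: my=$DOM_LOW-$DOM_HIGH, *=$DEF_LOW-$DEF_HIGH"
fi
```

With base_rid = 0 this range covers RIDs 0 to 99999, so an AD object with a larger RID (possible in a large or long-lived domain) gets no mapping and its owner cannot log in; check the highest RID in use before settling on the range.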
You can also set these useful options:
template shell = /bin/bash
winbind use default domain = true
winbind enum users = yes (lets you use getent passwd to see AD users)
winbind enum groups = yes (lets you use getent group to see AD groups)
winbind offline logon = true (cached users can log in when AD is unavailable; very useful)
Now rerun authconfig-tui --enablemkhomedir and click join domain. Supply the AD domain password when prompted and the client will join the domain successfully. You will be able to see the client in the Windows ADUC tool.
It should now start up properly:
chkconfig winbind on ; service winbind start
I'm not setting up centralised home directories, so home directories will be created automatically when an AD user logs on to a client for the first time.
We'll set the home directories up in /home/MY and make them private. RHEL 6 uses oddjobd for this; RHEL 5 doesn't, so here pam_mkhomedir does the job.
mkdir /home/MY
chmod 711 /home/MY
Modify /etc/pam.d/system-auth-ac so that new home directories are created with restrictive permissions:
session optional pam_mkhomedir.so umask=0077
Now restrict ssh access to users in the grp-linux-servers AD group.
Edit /etc/security/pam_winbind.conf
require_membership_of = grp-linux-servers
Finally, restrict root access via sudo to those in the grp-root-access AD group.
Edit /etc/sudoers:
%grp-root-access ALL=(ALL) NOPASSWD: ALL
Some useful commands to check things are working:
wbinfo -u / wbinfo -g will pull a user and group list from the AD
wbinfo -D my / wbinfo --dc-info=my will print details of the AD domain and its associated DCs
getent passwd / getent group will show the client's passwd & group list including AD entries.
In Part 4 I'll describe how to achieve this on a Solaris 10 client. This is the most complex to set up, as there is no out-of-the-box integration and it also requires additional freeware packages.