Showing posts with label windows. Show all posts

Saturday, 28 June 2014

Using winbind to authenticate to an active directory - Part 1

Here I describe how to get various Unix clients to use winbind for authentication against a Windows AD domain. For bonus points I will also describe how to make sudo use AD groups to control root access.

Setting Up The Domain

I am using a single Windows 2008 R2 standard edition install to host all AD functions.
Once it is installed and patched, add the Active Directory Domain Services role and promote the server to a domain controller; on a single-box install the promotion wizard will also install the DNS Server role.

My example config:
FQDN: my.dom
Short domain name: my
Domain controller: dc.my.dom

Set up some groups to control access. Make them security groups (the default in the ADUC wizard): only security groups end up in a user's logon token, so a distribution group would never show up in id output on the client or match a sudoers entry.
  • grp-linux-servers: members can log on to Linux hosts
  • grp-solaris-servers: members can log on to Solaris hosts
  • grp-root-access: members can sudo to root
Create some example users to test it all out:
  • user1: member of grp-linux-servers - will only be able to log on to Linux hosts
  • user2: member of grp-linux-servers and grp-solaris-servers - will be able to log on to Linux and Solaris hosts
  • user3: member of grp-linux-servers, grp-solaris-servers and grp-root-access - will be able to log on to Linux and Solaris hosts and sudo to root

Finally, add A records for your Unix clients to the my.dom DNS zone; the domain join and Kerberos both rely on the client's name resolving through the domain's DNS.
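The whole domain-side setup as one script, added here as an example and not taken from the original post. It uses the dsadd, dsget and dnscmd tools that ship with the AD DS and DNS roles on Windows Server 2008 R2 and is meant to be run from an elevated command prompt on dc.my.dom as a Domain Admin. The "Unix" OU, the client hostnames rhel6-client and sol10-client, and the 192.168.10.x addresses are placeholders I have assumed; the group and user names are the ones from the post.

```batch
@echo off
rem Added example (not from the post): creates the groups, test users and DNS
rem records described above on a Windows Server 2008 R2 domain controller.
rem The OU name, client hostnames and IP addresses are assumptions.
setlocal
set DOMDN=DC=my,DC=dom
set OU=OU=Unix,%DOMDN%
set DNSSERVER=dc.my.dom
set ZONE=my.dom

rem An OU of its own keeps the Unix access objects out of the default Users
rem container and makes them easy to delegate and audit later.
dsadd ou "%OU%" -desc "Unix access control"

rem Security groups (-secgrp yes), global scope. Winbind builds the user's
rem group list from the logon token, which only ever contains security
rem groups, so a distribution group here would silently never match.
dsadd group "CN=grp-linux-servers,%OU%"   -secgrp yes -scope g -desc "May log on to Linux hosts"
dsadd group "CN=grp-solaris-servers,%OU%" -secgrp yes -scope g -desc "May log on to Solaris hosts"
dsadd group "CN=grp-root-access,%OU%"     -secgrp yes -scope g -desc "May sudo to root"

rem Test users. -pwd * prompts for each password instead of leaving it in the
rem script or the command history. -mustchpwd no so the first Unix logon is
rem not blocked by a pending password change while winbind is being tested.
dsadd user "CN=user1,%OU%" -samid user1 -upn user1@my.dom -pwd * -disabled no -mustchpwd no ^
  -memberof "CN=grp-linux-servers,%OU%"
dsadd user "CN=user2,%OU%" -samid user2 -upn user2@my.dom -pwd * -disabled no -mustchpwd no ^
  -memberof "CN=grp-linux-servers,%OU%" "CN=grp-solaris-servers,%OU%"
dsadd user "CN=user3,%OU%" -samid user3 -upn user3@my.dom -pwd * -disabled no -mustchpwd no ^
  -memberof "CN=grp-linux-servers,%OU%" "CN=grp-solaris-servers,%OU%" "CN=grp-root-access,%OU%"

rem Forward A records for the Unix clients in the my.dom zone
rem (hostnames and addresses are placeholders).
dnscmd %DNSSERVER% /RecordAdd %ZONE% rhel6-client A 192.168.10.20
dnscmd %DNSSERVER% /RecordAdd %ZONE% sol10-client A 192.168.10.21

rem Checks: each user's group list should match the table above, and the
rem new names must resolve through the DC before any client is joined.
for %%u in (user1 user2 user3) do (
  echo == %%u
  dsget user "CN=%%u,%OU%" -memberof
)
nslookup rhel6-client.%ZONE% %DNSSERVER%
nslookup sol10-client.%ZONE% %DNSSERVER%
endlocal
```

The dsget output at the end is the thing worth eyeballing before moving on to the client: if user3 does not list CN=grp-root-access there, no amount of sudoers tuning on the Unix side will grant root.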

In part 2 I'll describe how to configure a RHEL 6 client to authenticate to this domain.

Further Reading

Red Hat provide some interesting documentation around Active Directory integration.

Here is a Reference Architecture white paper detailing the different AD options available.

You'll need to sign in to the Red Hat customer portal to see these:
Some introductory concepts are covered here.
Here is a basic guide on how to join RHEL to Active Directory.
Here is a guide on how to use the RID backend to solve the SID to UID mapping problems.

Thursday, 5 December 2013

Enabling ping replies through Windows 7 firewall

In its default configuration the Windows 7 firewall drops inbound ICMPv4 echo requests, so the machine does not answer ping. Here's how to allow a PC to respond to ping requests:


  • Open Windows firewall
  • Select Advanced settings, Inbound Rules
  • Create a new rule:
    • Type custom
    • Apply to all programs
    • Protocol ICMPv4
    • ICMP settings, allow Echo Request only
    • Apply to any source & destination IP
    • Action, Allow the connection
    • Rule applies to all locations
    • Name it Ping
  • Refresh the Inbound Rules list; the rule should appear. Make sure it is enabled.
Windows 7 will now respond to ping requests. As written the rule answers any source address; if only your monitoring hosts need to reach the machine, set the remote IP scope to their subnet instead of Any so the host does not announce itself to everything else on the network.
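The same rule built from an elevated command prompt with netsh advfirewall, which is the interface the Windows 7 GUI drives underneath. This is an added example, not from the original post; it first creates the post's wide-open rule, then replaces it with a version scoped to a management subnet. The subnet 10.0.0.0/24 is a placeholder I have assumed.

```batch
@echo off
rem Added example (not from the post): the "Ping" rule via netsh advfirewall.
rem protocol=icmpv4:8,any means ICMP type 8 (Echo Request) with any code, so
rem other ICMP types such as Redirect or Timestamp Request stay blocked.
rem The 10.0.0.0/24 management subnet is an assumption.

rem 1. Remove any earlier rule of the same name so re-running is safe.
netsh advfirewall firewall delete rule name="Ping" >nul 2>&1

rem 2. Exact equivalent of the GUI steps above: any program, any source and
rem    destination address, all profiles, enabled.
netsh advfirewall firewall add rule name="Ping" dir=in action=allow protocol=icmpv4:8,any profile=any enable=yes
netsh advfirewall firewall show rule name="Ping"

rem 3. The variant most sites should actually keep: only the management
rem    subnet may ping this host. Replace rather than add, one allow rule is
rem    already enough for the packet to get through.
netsh advfirewall firewall delete rule name="Ping" >nul 2>&1
netsh advfirewall firewall add rule name="Ping" dir=in action=allow protocol=icmpv4:8,any profile=any enable=yes remoteip=10.0.0.0/24

rem 4. Check what actually landed: Protocol ICMPv4, Type 8, RemoteIP
rem    10.0.0.0/24, Enabled Yes. Then ping from inside and outside the subnet.
netsh advfirewall firewall show rule name="Ping" verbose
```

If you would rather not add a rule of your own, Windows 7 already ships a disabled predefined one, "File and Printer Sharing (Echo Request - ICMPv4-In)", which can be switched on with netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes; the drawback is that it follows the predefined group's scope rather than one you choose.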

Monday, 13 August 2012

Server imaging with SelfImage & Windows PE

Here's how to restore an image made with the SelfImage utility using a Windows PE boot environment. Previously I used BartPE but was finding that I kept needing to rebuild the image to support the various NIC and array drivers used on newer servers.

A recent WinPE environment has these drivers already built in, so if the server can install directly from the Windows Server 2008 DVD then it can boot the WinPE disk without modification. I've been using WinPE version 2 for what it's worth. Version 1 was based on an earlier Windows version so doesn't have the newer drivers in it.

This post assumes you have access to a WinPE environment boot cd (or iso) and also that it has been modified to include the SelfImage utility.
  • Boot into WinPE environment 
  • Configure interface (n is the interface number, x is IP, y is netmask, z is gateway)
    • netsh interface ip set address name="Local Area Connection n" static x.x.x.x y.y.y.y z.z.z.z 1
  • Map a drive to where the image is stored (remember the username is specified as server\username)
    • net use e: \\server\share /user:server\username
  • Configure a primary partition on the disk using diskpart
    • select disk 0
    • clean
    • create partition primary size=<size in mb>
    • select partition 1
    • active
    • assign letter=c:
  • Run the selfimage tool and select the output to be \Device\Harddisk0\Partition1 C:
  • Before rebooting, point the restored BCD at the new partition, otherwise the server will blue screen on boot
    • bcdedit /set {default} device partition=c:
    • bcdedit /set {default} osdevice partition=c:
    • bcdedit /set {bootmgr} device partition=c:
Reboot server and the job is done.

Note that on reboot Windows may complain that it was not shutdown properly, this can be ignored and Windows booted normally. Also once logged in you may find Windows installs some more device drivers, let it finish and do one more reboot to finish the job off.
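The sequence above as a single WinPE batch file, added here as an example and not part of the original post, so the only interactive step left is driving SelfImage itself. It assumes the interface is called "Local Area Connection", that the image share is \\imgsrv\images reachable as imgsrv\restore, that SelfImage was added to the WinPE build as X:\tools\SelfImage.exe, and that the image is of a single-partition install whose \Boot\BCD lives on C:, as in the post; all of those names and the addresses are placeholders.

```batch
@echo off
rem Added example (not from the post): scripted SelfImage restore under WinPE.
rem NIC name, addresses, share, account and the SelfImage path are assumptions.
setlocal
set NIC=Local Area Connection
set IP=192.168.10.50
set MASK=255.255.255.0
set GW=192.168.10.1
set SHARE=\\imgsrv\images
set SHAREUSER=imgsrv\restore
set PARTMB=60000
set DP=%TEMP%\restore.dp

rem 1. Network. The trailing 1 is the gateway metric, as in the post.
netsh interface ip set address name="%NIC%" static %IP% %MASK% %GW% 1

rem 2. Map the image share. The trailing * makes net use prompt for the
rem    password rather than baking it into a script that lives on a boot CD
rem    anyone in the server room can read.
net use e: %SHARE% /user:%SHAREUSER% *
if errorlevel 1 (echo Could not map %SHARE% & goto :eof)

rem 3. Partition disk 0 non-interactively from a diskpart script.
>  "%DP%" echo select disk 0
>> "%DP%" echo clean
>> "%DP%" echo create partition primary size=%PARTMB%
>> "%DP%" echo select partition 1
>> "%DP%" echo active
>> "%DP%" echo assign letter=c
diskpart /s "%DP%"
if errorlevel 1 (echo diskpart failed & goto :eof)

rem 4. SelfImage is a GUI tool: pick the image on E: as input and
rem    \Device\Harddisk0\Partition1 (C:) as output, then return here.
start /wait X:\tools\SelfImage.exe
echo Press a key once SelfImage has finished writing the image
pause >nul

rem 5. Point the restored BCD at the new partition. /store names the BCD on
rem    the restored disk explicitly so the edits cannot land in WinPE's own
rem    store (the post runs these commands without /store).
bcdedit /store c:\boot\bcd /set {default} device partition=c:
bcdedit /store c:\boot\bcd /set {default} osdevice partition=c:
bcdedit /store c:\boot\bcd /set {bootmgr} device partition=c:
rem Eyeball the result: device and osdevice on the default entry and device
rem on {bootmgr} should all read partition=C:.
bcdedit /store c:\boot\bcd /enum all

rem 6. Drop the mapping before rebooting so no credential lingers.
net use e: /delete
wpeutil reboot
endlocal
```

Keep the image share read-only for the restore account: the same credential that can read images from a boot CD should not be able to overwrite them, or a compromised server on the network becomes a way to poison every future rebuild.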