I recently had a case where Linux machines were joined to a domain alongside the Windows machines. Domain users and groups were accessible and configurable on the Linux machines using Samba. The good thing about the domain configuration was that it was simply possible to assign domain accounts to users, and they use those accounts to log in to both Windows and Linux machines.
There is no need to manage users on each Linux machine, which is a great deal for enterprises. Below I walk you through the Linux setup and configuration for using Samba, Kerberos and LDAP.
I strongly suggest backing up your data before doing anything. It is a better idea to use a staging machine to test the new setup instead of running commands on your production environment.
The first step is to install Samba; but since Amazon Linux does not include a Samba repository, we add one and then install it.
wget http://ftp.sernet.de/pub/samba/3.5/centos/5/sernet-samba.repo
mv sernet-samba.repo /etc/yum.repos.d/
yum install samba -y
And then install Kerberos:
yum install krb5-workstation -y
Obviously the important part is always the configuration! Just for reference, here is the list of config files you may need to change:
- /etc/resolv.conf: contains the name servers; you will want to add the domain's name server too, or else you will not be able to join it.
- /etc/sysconfig/network: contains the network configuration; you may need to change the hostname from localhost to an FQDN (fully qualified domain name) such as abcd.mydomain.local.
- /etc/krb5.conf: contains the Kerberos network authentication protocol configuration, and you will certainly need to update it.
- /etc/samba/smb.conf: contains the Samba configuration and is necessary for everything to work.
- /etc/openldap/ldap.conf: contains the LDAP (Lightweight Directory Access Protocol) configuration.
- /etc/hosts: contains local records of hosts' IP addresses. You might need to change a host's IP here, especially if you changed the hostname.
I have copied my configurations as appendices so you can use them as a working reference.
At the end there is one last piece of configuration that needs to be done before trying to join the domain. Here we enable some of the authentication settings:
authconfig --enablekrb5 --enablewinbind --enablemkhomedir --update
Finally we can join the domain with the "net ads" command as follows:
net ads join -W MYDOMAIN.LOCAL -U adadminuser -S ad.mydomain.local
Appendix 1: resolv.conf
search ap-southeast-1.compute.internal mydomain.local
nameserver 10.x.x.x
nameserver 10.1.0.2
Appendix 2: krb5.conf
# make sure the realm name is in capitals.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.LOCAL = {
 }

[domain_realm]
 .mydomain.local = MYDOMAIN.LOCAL
 mydomain.local = MYDOMAIN.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Appendix 3: smb.conf
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.LOCAL
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template homedir = /home/MYDOMAIN/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   server string = Samba Server Version %v
   log file = /var/log/samba/log.%m
   max log size = 50
   passdb backend = tdbsam
   load printers = yes
   cups options = raw

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes
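Before running "net ads join", it pays to check that smb.conf and krb5.conf agree with each other. The POSIX shell script below is an added example, not part of the original post: it reads the key = value layout used in the appendices, checks that the realm is upper case and identical in both files, that security = ads, that the workgroup is the first label of the realm, and that the idmap uid range starts above the local UID range (the 60000 ceiling is an assumption taken from the useradd default). The sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: consistency checks for smb.conf and krb5.conf before "net ads join".
# get_value FILE KEY -> first "KEY = value" line (comments, sections and other keys ignored)
get_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}
# check_ad_member SMB_CONF KRB5_CONF -> exit 0 if consistent, 1 with reasons on stderr
check_ad_member() {
    smb="$1"; krb="$2"; rc=0
    realm=$(get_value "$smb" realm); workgroup=$(get_value "$smb" workgroup)
    security=$(get_value "$smb" security); krb_realm=$(get_value "$krb" default_realm)
    uid_range=$(get_value "$smb" "idmap uid")
    # Kerberos realm names are case-sensitive; an AD realm is the upper-case DNS name.
    case "$realm" in *[[:lower:]]*|"") echo "realm must be upper case: '$realm'" >&2; rc=1;; esac
    [ "$security" = "ads" ] || { echo "security must be ads, got '$security'" >&2; rc=1; }
    [ "$realm" = "$krb_realm" ] || { echo "realm '$realm' != krb5 default_realm '$krb_realm'" >&2; rc=1; }
    # The workgroup is the NetBIOS name, normally the first label of the realm.
    [ "$workgroup" = "${realm%%.*}" ] || { echo "workgroup '$workgroup' does not match realm" >&2; rc=1; }
    # idmap range must sit above the local UID range (assumed useradd default, up to 60000),
    # otherwise domain users can collide with local accounts.
    low=${uid_range%%-*}
    case "$low" in ''|*[!0-9]*) low=0;; esac
    [ "$low" -gt 60000 ] || { echo "idmap uid range '$uid_range' overlaps local UIDs" >&2; rc=1; }
    return $rc
}
# write_sample_configs DIR -> constructed smb.conf, krb5.conf and a deliberately broken smb-bad.conf
write_sample_configs() {
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.LOCAL
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = MYDOMAIN.LOCAL
 dns_lookup_realm = true
EOF
    # broken copy: lower-case realm and an idmap range that overlaps local users
    sed -e 's/MYDOMAIN.LOCAL/mydomain.local/' -e 's/16777216-33554431/1000-2000/' \
        "$1/smb.conf" > "$1/smb-bad.conf"
}
dir=$(mktemp -d)
write_sample_configs "$dir"
check_ad_member "$dir/smb.conf" "$dir/krb5.conf" && echo "smb.conf and krb5.conf are consistent"
```

Point check_ad_member at /etc/samba/smb.conf and /etc/krb5.conf on the real machine; a non-zero exit with the printed reasons means the join is likely to fail or to map domain users onto local UIDs.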
Further info:
http://www.server-world.info/en/note?os=CentOS_7&p=samba&f=3
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server