Join RHEL 6 server to a Windows 2003 Active Directory domain.

I think I might be losing my mind. At work a colleague asked me for instructions on how to join a RHEL6 box to a windows domain and I just pointed him to my blog, but he could not find the post I had in mind, because it looks as if I've not actually posted it, so here it goes:

1. Ensure that name resolution is working. At the very least you should be able to ping your domain controller, in my case mars.dev.com. If you can't, have a look at your /etc/resolv.conf file. Sample file:

   search dev.com test.com
   nameserver 10.168.20.203

2. Depending on your installation type, you might have to install several of the packages below (It looks like I went for a base install only):

   yum install pam_krb5 pam_ldap nss-pam-ldapd samba policycoreutils-python -y

3. Run authconfig-tui. Make sure that Kerberos realm is in capitals:
   
   

   
   

   

   
   

   
4. Ensure that Name Service Switch is configured for ldap authentication. In essence, check that /etc/nsswitch.conf has the following values:

passwd:     files ldap

shadow:     files ldap

group:      files ldap

5. Edit the local LDAP name service daemon configuration (/etc/nslcd.conf). A bind account to the Active Directory is needed, so create that account now (I have created binding in the Users OU). The mappings (for Microsoft Service for unix 3.5) need to be modified. Below is a list of changes to /etc/nslcd.conf:

binddn cn=binding, cn=User,dc=dev,dc=com

bindpw mypass 

#The Default search scope

scope sub 

#Customize certain database lookups

base   group  dc=dev,dc=com

base   passwd dc=dev,dc=com

base   shadow dc=dev,dc=com

# Mappings for Services for UNIX 3.5

filter passwd (objectClass=User)

map    passwd uid              msSFU30Name

map    passwd uidNumber       msSFU30UidNumber

map    passwd gidNumber       msSFU30GidNumber

map    passwd userPassword     msSFU30Password

map    passwd homeDirectory    msSFU30HomeDirectory

map   passwd  LoginShell       msSFU30LoginShell

filter shadow (objectClass=User)

map    shadow uid              msSFU30Name

map    shadow userPassword     msSFU30Password

filter group  (objectClass=Group)

map    group  uniqueMember     msSFU30PosixMember

map    group gidNumber       msSFU30GidNumber

6. Change permissions on /etc/nslcd.conf file so that it is only readable by root:

   chmod 600 /etc/nslcd.conf

7. Ensure that the local LDAP name service daemon (nslcd) is set to start with the server:

   chkconfig nslcd on

8. Edit /etc/samba/smb.conf. Make sure that there is only a security directive active. Comment out all others.

Network Related Options

workgroup =dev

Domain members options

security = ads

realm = DEV.COM

use kerberos keytab = true  #not really sure about this one

password server = mars.dev.com

9. Ensure that iptables lets traffic through on port 389:

iptables –I INPUT –p tcp --dport ldap –j ACCEPT; service iptables save

10. Run the following command to join the domain:

net ads join –U domainadmin

11. At this point you have successfully joined to the AD domain, you can test this by getting a list of users or group. You should get back the users and/or groups that have linux attributes, at least the binding account.

    getent passwd

    getent group

12. In order to create a user's home directory on first login add this directive to /etc/pam.d/sshd. I only log on using ssh. If you are logging in at the box, rather than remotely, you need to modify /etc/pam.d/logon too, I believe. Note that this will not work if SELinux is on.

    session required pam_mkhomedir.so skel=/etc/skel umask=0022

13. Allow polyinstatiation in SELinux settings:

     setsebool -P allow_polyinstantiation 1

14. Temporarily set SELinux to permissive:

setenforce 0

15. If you login with a domain user (ssh binding@domaintest, where domaintest is the server that has just joined the domain), the directory will be created, but you will also have a record of what would've gone wrong on /var/log/audit/audit.conf had SElinux been on, which in my case is this:

type=AVC msg=audit(1329063091.971:160): avc:  denied  { create } for  pid=5510 comm="mkhomedir_helpe" name="binding" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1329063091.973:161): avc:  denied  { create } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063091.973:161): avc:  denied  { write open } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063091.973:162): avc:  denied  { setattr } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063092.015:163): avc:  denied  { setattr } for  pid=5510 comm="mkhomedir_helpe" name="binding" dev=dm-0 ino=263284 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir

16. Create a SELinux policy module to allow the creation of home directories when the user first logs in:

    less /var/log/audit/audit.log  | grep denied > mkdir.log 

    audit2why < mkdir.log 

    audit2allow -M mkdir -i mkdir.log 

    semodule -i mkdir.pp

17. Renable SELinux:

    setenforce 1

I wonder how much tweaking, if any, will be required for a Windows 2008 Active Directory domain.