Sunday, 12 February 2012

Join RHEL 6 server to a Windows 2003 Active Directory domain.

I think I might be losing my mind. At work a colleague asked me for instructions on how to join a RHEL6 box to a windows domain and I just pointed him to my blog, but he could not find the post I had in mind, because it looks as if I've not actually posted it, so here it goes:
  1. Ensure that name resolution is working. At the very least you should be able to ping your domain controller, in my case If you can't, have a look at your /etc/resolv.conf file. Sample file:
  2. Depending on your installation type, you might have to install several of the packages below (It looks like I went for a base install only):
    yum install pam_krb5 pam_ldap nss-pam-ldapd samba policycoreutils-python -y
  3. Run authconfig-tui. Make sure that Kerberos realm is in capitals:

  4. Ensure that Name Service Switch is configured for ldap authentication. In essence, check that /etc/nsswitch.conf has the following values:
  5. passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
  6. Edit the local LDAP name service daemon configuration (/etc/nslcd.conf). A bind account to the Active Directory is needed, so create that account now (I have created binding in the Users OU). The mappings (for Microsoft Service for unix 3.5) need to be modified. Below is a list of changes to /etc/nslcd.conf:
  7. binddn cn=binding, cn=User,dc=dev,dc=com
    bindpw mypass 
    #The Default search scope
    scope sub 
    #Customize certain database lookups
    base   group  dc=dev,dc=com
    base   passwd dc=dev,dc=com
    base   shadow dc=dev,dc=com
    # Mappings for Services for UNIX 3.5
    filter passwd (objectClass=User)
    map    passwd uid              msSFU30Name
    map    passwd uidNumber       msSFU30UidNumber
    map    passwd gidNumber       msSFU30GidNumber
    map    passwd userPassword     msSFU30Password
    map    passwd homeDirectory    msSFU30HomeDirectory
    map   passwd  LoginShell       msSFU30LoginShell
    filter shadow (objectClass=User)
    map    shadow uid              msSFU30Name
    map    shadow userPassword     msSFU30Password
    filter group  (objectClass=Group)
    map    group  uniqueMember     msSFU30PosixMember
    map    group gidNumber       msSFU30GidNumber
  8. Change permissions on /etc/nslcd.conf file so that it is only readable by root:
    chmod 600 /etc/nslcd.conf
  9. Ensure that the local LDAP name service daemon (nslcd) is set to start with the server:
    chkconfig nslcd on
  10. Edit /etc/samba/smb.conf. Make sure that there is only a security directive active. Comment out all others.
  11. Network Related Options
    workgroup =dev
    Domain members options
    security = ads
    realm = DEV.COM
    use kerberos keytab = true  #not really sure about this one
    password server =
  12. Ensure that iptables lets traffic through on port 389:
  13. iptables –I INPUT –p tcp --dport ldap –j ACCEPT; service iptables save
  14. Run the following command to join the domain:
  15. net ads join –U domainadmin
  16. At this point you have successfully joined to the AD domain, you can test this by getting a list of users or group. You should get back the users and/or groups that have linux attributes, at least the binding account.
    getent passwd
    getent group
  17. In order to create a user's home directory on first login add this directive to /etc/pam.d/sshd. I only log on using ssh. If you are logging in at the box, rather than remotely, you need to modify /etc/pam.d/logon too, I believe. Note that this will not work if SELinux is on.
    session required skel=/etc/skel umask=0022
  18. Allow polyinstatiation in SELinux settings:
     setsebool -P allow_polyinstantiation 1
  19. Temporarily set SELinux to permissive:
  20. setenforce 0
  21. If you login with a domain user (ssh binding@domaintest, where domaintest is the server that has just joined the domain), the directory will be created, but you will also have a record of what would've gone wrong on /var/log/audit/audit.conf had SElinux been on, which in my case is this:
  22. type=AVC msg=audit(1329063091.971:160): avc:  denied  { create } for  pid=5510 comm="mkhomedir_helpe" name="binding" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1329063091.973:161): avc:  denied  { create } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063091.973:161): avc:  denied  { write open } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063091.973:162): avc:  denied  { setattr } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063092.015:163): avc:  denied  { setattr } for  pid=5510 comm="mkhomedir_helpe" name="binding" dev=dm-0 ino=263284 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
  23. Create a SELinux policy module to allow the creation of home directories when the user first logs in:
    less /var/log/audit/audit.log  | grep denied > mkdir.log 
    audit2why < mkdir.log 
    audit2allow -M mkdir -i mkdir.log 
    semodule -i mkdir.pp
  24. Renable SELinux:
    setenforce 1
I wonder how much tweaking, if any, will be required for a Windows 2008 Active Directory domain.


  1. Hi, very useful post. But what's "bind user" on step 5 ?
    u mean a simple user account ?

    1. that's right, a simple user account. I've not really investigated the security implications of this, though.

  2. and, excuse me, an other question. How to make a simple samba join (without ssh kerb auth)?

  3. i learn so many things from this blog.keep updating.thank you so much.

  4. good work ..looking forward to learn more from you..keep updating such information.