Join CentOS 6.2 server to a Windows 8 Server Beta Active Directory domain

I've been using Windows 8 Server Beta for a bit (since VMware got their act together and sorted support for it in ESXi) and one thing I wanted to investigate was integration with Linux, in particular, using Windows 8 Beta Server as an Active Directory domain controller for Linux servers.

I will not discuss how to promote a Windows 8 server Beta to become a DC as it's a fairly straight forward process. I will say that it took me a while to work out that it is no longer possible to install the Identity Management for UNIX role through the UI, I thought I must be missing something because for the life of me I could not see it, because it wasn't there :)

The good news is that it can done from PowerShell. Thus I ran a PowerShell console as an Administrator and ran the following commands:

1. Dism.exe /online /enable-feature /featurename:adminui /all  /NoRestart
2. Dism.exe /online /enable-feature /featurename:nis /all /NoRestart
3. Dism.exe /online /enable-feature /featurename:psync /all

Where the first command installs the administration tools for Identity Management for UNIX, the second installs Server for NIS and the third installs Password Synchronization. Ensure that you reboot the DC server after running the third command.

Once the DC server had been rebooted I added a group, LinuxTest and an account, lb, to act as the binding account and set their Unix Attributes as can be seen below (if you add the account and there is no "unix" group it'll complain, although you can ignore the message):

With the domain controller prepared I turned to the CentOS server, here are the steps needed to join the domain:

1. Ensure that name resolution is working. At the very least you should be able to ping your domain controller, in my case win8pdc.dev.com. If you can't, have a look at your /etc/resolv.conf file in the first instance. Sample file:

   search sma.org test.com
   nameserver 10.168.20.93

2. Ensure that your hosts file contains an entry with the ip address of the server, something like this:

   10.168.20.99 pms3 pms3.sma.org

3. Depending on your installation type, you might have to install several of the packages below (It looks like I went for a base install only):

   yum install pam_krb5 pam_ldap nss-pam-ldapd samba policycoreutils-python -y

4. Run authconfig-tui. Make sure that Kerberos realm is in capitals (I'm re-using the screenshots from previous posts):
   
   

   
   

   

   
   

   
5.  Alternatively, the following command could be used (change parameters as needed):

   authconfig --enablemd5 --enableshadow --enableldap --enableldapauth --enablekrb5 --ldapserver='win8pdc.sma.org' --disablelocauthorize --ldapbasedn='dc=sma,dc=org' --krb5realm='SMA.ORG' --krb5adminserver='win8pdc.sma.org' --krb5kdc='win8pdc.sma.org' --update

6. Ensure that Name Service Switch is configured for ldap authentication. In essence, check that /etc/nsswitch.conf has the following values:

passwd:     files ldap

shadow:     files ldap

group:      files ldap

7. Edit the local LDAP name service daemon configuration (/etc/nslcd.conf). A bind account to the Active Directory is needed, so create that account now (I have created binding in the Users OU). The mappings (for Active Directory) need to be modified. Below is a list of changes to /etc/nslcd.conf. In essence uncomment the relevant parts:

binddn cn=lb, cn=Users,dc=dev,dc=com

bindpw mypass 

#The Default search scope

scope sub 

#Customize certain database lookups

base   group  dc=dev,dc=com

base   passwd dc=dev,dc=com

base   shadow dc=dev,dc=com

# Mappings for Active Directory

pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet

map    shadow userPassword     unixUserPassword
filter group  (objectClass=group)
map    group  uniqueMember     member

8. Change permissions on /etc/nslcd.conf file so that it is only readable by root:

   chmod 600 /etc/nslcd.conf

9. Restart the local LDAP name service daemon:

   service nslcd restart

10. Ensure that the local LDAP name service daemon (nslcd) is set to start with the server:

    chkconfig nslcd on

11. Edit /etc/samba/smb.conf. Make sure that there is only a security directive active. Comment out all others.

Network Related Options

workgroup =dev

Domain members options

security = ads

realm = DEV.COM

password server = win8pdc.dev.com

12. Ensure that iptables lets traffic through on port 389:

iptables –I INPUT –p tcp --dport ldap –j ACCEPT; service iptables save

13. Run the following command to join the domain:

net ads join –U domainadmin

14. Ensure that the DNS Zone is configured to accept secure and nonsecure dynamic updates.
15. At this point you have successfully joined to the AD domain, you can test this by getting a list of users or group. You should get back the users and/or groups that have Unix attributes, at least the binding account and a group if you created it. You can also check the Computers group in the Active Directory Users and Computers console.

    getent passwd

    getent group

16. In order to create a user's home directory on first login add this directive to /etc/pam.d/sshd. I only log on using ssh. If you are logging in at the box, rather than remotely, you need to modify /etc/pam.d/logon too, I believe. Note that this will not work if SELinux is on.

    session required pam_mkhomedir.so skel=/etc/skel umask=0022

17. Allow polyinstatiation in SELinux settings:

     setsebool -P allow_polyinstantiation 1

18. Temporarily set SELinux to permissive:

setenforce 0

19. If you login with a domain user (ssh lb@pms1, where pms1 is the server that has just joined the domain), the directory will be created, but you will also have a record of what would've gone wrong on /var/log/audit/audit.conf had SElinux been on, which in my case is this:

type=AVC msg=audit(1329063091.971:160): avc:  denied  { create } for  pid=5510 comm="mkhomedir_helpe" name="binding" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1329063091.973:161): avc:  denied  { create } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063091.973:161): avc:  denied  { write open } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063091.973:162): avc:  denied  { setattr } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063092.015:163): avc:  denied  { setattr } for  pid=5510 comm="mkhomedir_helpe" name="binding" dev=dm-0 ino=263284 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir

20. Create a SELinux policy module to allow the creation of home directories when the user first logs in:

    less /var/log/audit/audit.log  | grep denied > mkdir.log 

    audit2why < mkdir.log 

    audit2allow -M mkdir -i mkdir.log 

    semodule -i mkdir.pp

21. Renable SELinux:

    setenforce 1

That is it, you now should be able to login with AD users, that have their Unix Attributes set, to this server with SELinux on, see this post to configure Kerberos based single sign-on.