I've been using Windows 8 Server Beta for a bit (since VMware got their act together and sorted support for it in ESXi) and one thing I wanted to investigate was integration with Linux, in particular, using Windows 8 Beta Server as an Active Directory domain controller for Linux servers.
I will not discuss how to promote a Windows 8 Server Beta machine to become a DC as it's a fairly straightforward process. I will say that it took me a while to work out that it is no longer possible to install the Identity Management for UNIX role through the UI; I thought I must be missing something because for the life of me I could not see it, because it wasn't there :)
The good news is that it can be done from PowerShell. Thus I ran a PowerShell console as an Administrator and ran the following commands:
- Dism.exe /online /enable-feature /featurename:adminui /all /NoRestart
- Dism.exe /online /enable-feature /featurename:nis /all /NoRestart
- Dism.exe /online /enable-feature /featurename:psync /all
Where the first command installs the administration tools for Identity Management for UNIX, the second installs Server for NIS and the third installs Password Synchronization. Ensure that you reboot the DC server after running the third command.
Once the DC server had been rebooted I added a group, LinuxTest, and an account, lb, to act as the binding account, and set their Unix Attributes as can be seen below (if you add the account and there is no "unix" group it'll complain, although you can ignore the message):
With the domain controller prepared I turned to the CentOS server, here are the steps needed to join the domain:
- Ensure that name resolution is working. At the very least you should be able to ping your domain controller, in my case win8pdc.dev.com. If you can't, have a look at your /etc/resolv.conf file in the first instance. Sample file:
search sma.org test.com
nameserver 10.168.20.93
- Ensure that your hosts file contains an entry with the IP address of the server, something like this:
10.168.20.99 pms3 pms3.sma.org
- Depending on your installation type, you might have to install several of the packages below (It looks like I went for a base install only):
yum install pam_krb5 pam_ldap nss-pam-ldapd samba policycoreutils-python -y
- Run authconfig-tui. Make sure that Kerberos realm is in capitals (I'm re-using the screenshots from previous posts):
- Alternatively, the following command could be used (change parameters as needed):
authconfig --enablemd5 --enableshadow --enableldap --enableldapauth --enablekrb5 --ldapserver='win8pdc.sma.org' --disablelocauthorize --ldapbasedn='dc=sma,dc=org' --krb5realm='SMA.ORG' --krb5adminserver='win8pdc.sma.org' --krb5kdc='win8pdc.sma.org' --update
- Ensure that Name Service Switch is configured for LDAP lookups. In essence, check that /etc/nsswitch.conf has the following values:
passwd: files ldap
shadow: files ldap
group: files ldap
- Edit the local LDAP name service daemon configuration (/etc/nslcd.conf). A bind account to the Active Directory is needed, so create that account now (I have created binding in the Users OU). The mappings (for Active Directory) need to be modified. Below is a list of changes to /etc/nslcd.conf. In essence, uncomment the relevant parts:
binddn cn=lb,cn=Users,dc=dev,dc=com
bindpw mypass
# The default search scope
scope sub
# Customize certain database lookups
base group dc=dev,dc=com
base passwd dc=dev,dc=com
base shadow dc=dev,dc=com
# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
map shadow userPassword unixUserPassword
filter group (objectClass=group)
map group uniqueMember member
- Change permissions on /etc/nslcd.conf so that it is only readable by root (it holds the bind account's password in cleartext):
chmod 600 /etc/nslcd.conf
- Restart the local LDAP name service daemon:
service nslcd restart
- Ensure that the local LDAP name service daemon (nslcd) is set to start with the server:
chkconfig nslcd on
- Edit /etc/samba/smb.conf. Make sure that there is only one security directive active; comment out all others:
# Network Related Options
workgroup = dev
# Domain members options
security = ads
realm = DEV.COM
password server = win8pdc.dev.com
- Ensure that iptables lets traffic through on port 389:
iptables -I INPUT -p tcp --dport ldap -j ACCEPT; service iptables save
- Run the following command to join the domain:
net ads join -U domainadmin
- Ensure that the DNS zone is configured to accept secure and nonsecure dynamic updates.
- At this point you have successfully joined the AD domain. You can test this by getting a list of users or groups; you should get back the users and/or groups that have Unix attributes, at least the binding account and a group if you created it. You can also check the Computers group in the Active Directory Users and Computers console.
getent passwd
getent group
- In order to create a user's home directory on first login, add this directive to /etc/pam.d/sshd. I only log on using ssh; if you are logging in at the box rather than remotely, you need to modify /etc/pam.d/login too, I believe. Note that this will not work if SELinux is enforcing:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
- Allow polyinstantiation in the SELinux settings:
setsebool -P allow_polyinstantiation 1
- Temporarily set SELinux to permissive:
setenforce 0
- If you log in with a domain user (ssh lb@pms1, where pms1 is the server that has just joined the domain), the directory will be created, but you will also have a record in /var/log/audit/audit.log of what would have gone wrong had SELinux been enforcing, which in my case is this:
type=AVC msg=audit(1329063091.971:160): avc: denied { create } for pid=5510 comm="mkhomedir_helpe" name="binding" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1329063091.973:161): avc: denied { create } for pid=5510 comm="mkhomedir_helpe" name=".bashrc" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1329063091.973:161): avc: denied { write open } for pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1329063091.973:162): avc: denied { setattr } for pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1329063092.015:163): avc: denied { setattr } for pid=5510 comm="mkhomedir_helpe" name="binding" dev=dm-0 ino=263284 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
- Create an SELinux policy module to allow the creation of home directories when the user first logs in:
grep denied /var/log/audit/audit.log > mkdir.log
audit2why < mkdir.log
audit2allow -M mkdir -i mkdir.log
semodule -i mkdir.pp
- Re-enable SELinux:
setenforce 1
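Two checks worth running before loading the generated module and after locking down nslcd.conf, added here as an example and not part of the original post: a small POSIX shell script that summarises the AVC denials in an audit log (so the rules audit2allow will generate can be read before semodule -i loads them) and checks that nslcd.conf is mode 600 and still carries the Active Directory mappings. File paths are passed as arguments, GNU stat (as on CentOS) is assumed, and the embedded sample records are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# nslcd.conf and SELinux steps above. Paths are arguments; nothing here
# changes the system.

# Summarise AVC denials from an audit log as "comm|permissions|class|target type",
# one line per distinct combination, so the rules audit2allow would generate
# can be reviewed before "semodule -i" loads them.
summarise_avc() {
    grep 'avc:.*denied' "$1" |
    sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*comm="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^[:space:]]*\).*/\2|\1|\4|\3/p' |
    LC_ALL=C sort -u
}

# Check a (copy of) /etc/nslcd.conf: it stores the bind account's cleartext
# password, so it must be mode 600 (GNU stat assumed), and the Active Directory
# mappings must be present or getent silently returns nothing. Prints one line
# per finding and returns 1 if any were found.
check_nslcd_conf() {
    f="$1"; rc=0
    if grep -q '^bindpw' "$f" && [ "$(stat -c %a "$f")" != 600 ]; then
        echo "WARN: $f holds bindpw but is not mode 600"; rc=1
    fi
    for needed in 'filter passwd ' 'map passwd uid sAMAccountName' \
                  'map passwd homeDirectory unixHomeDirectory' 'filter group '; do
        grep -q "^$needed" "$f" || { echo "WARN: $f lacks '$needed'"; rc=1; }
    done
    return $rc
}

# Constructed sample: the five AVC records quoted in the post, written to a
# temporary file so the functions can be tried offline.
sample_audit_log() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
type=AVC msg=audit(1329063091.971:160): avc:  denied  { create }  for  pid=5510 comm="mkhomedir_helpe" name="binding" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1329063091.973:161): avc:  denied  { create }  for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1329063091.973:161): avc:  denied  { write open }  for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1329063091.973:162): avc:  denied  { setattr }  for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1329063092.015:163): avc:  denied  { setattr }  for  pid=5510 comm="mkhomedir_helpe" name="binding" dev=dm-0 ino=263284 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
EOF
    echo "$t"
}

# On a joined server the real inputs would be
#   summarise_avc /var/log/audit/audit.log; check_nslcd_conf /etc/nslcd.conf
summarise_avc "$(sample_audit_log)"
```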
Thanks a lot, I just came through your blog randomly, you've a new follower :)