Monday, 14 May 2012

Join CentOS 6.2 server to a Windows 8 Server Beta Active Directory domain

I've been using Windows 8 Server Beta for a bit (since VMware got their act together and sorted support for it in ESXi) and one thing I wanted to investigate was integration with Linux, in particular, using Windows 8 Beta Server as an Active Directory domain controller for Linux servers.

I will not discuss how to promote a Windows 8 server Beta to become a DC as it's a fairly straight forward process. I will say that it took me a while to work out that it is no longer possible to install the Identity Management for UNIX role through the UI, I thought I must be missing something because for the life of me I could not see it, because it wasn't there :)

The good news is that it can done from PowerShell. Thus I ran a PowerShell console as an Administrator and ran the following commands:
  1. Dism.exe /online /enable-feature /featurename:adminui /all  /NoRestart
  2. Dism.exe /online /enable-feature /featurename:nis /all /NoRestart
  3. Dism.exe /online /enable-feature /featurename:psync /all
Where the first command installs the administration tools for Identity Management for UNIX, the second installs Server for NIS and the third installs Password Synchronization. Ensure that you reboot the DC server after running the third command.

Once the DC server had been rebooted I added a group, LinuxTest and an account, lb, to act as the binding account and set their Unix Attributes as can be seen below (if you add the account and there is no "unix" group it'll complain, although you can ignore the message):


With the domain controller prepared I turned to the CentOS server, here are the steps needed to join the domain:
  1. Ensure that name resolution is working. At the very least you should be able to ping your domain controller, in my case win8pdc.dev.com. If you can't, have a look at your /etc/resolv.conf file in the first instance. Sample file:
    search sma.org test.com
    nameserver 10.168.20.93
  2. Ensure that your hosts file contains an entry with the ip address of the server, something like this:
    10.168.20.99 pms3 pms3.sma.org
  3. Depending on your installation type, you might have to install several of the packages below (It looks like I went for a base install only):
    yum install pam_krb5 pam_ldap nss-pam-ldapd samba policycoreutils-python -y
  4. Run authconfig-tui. Make sure that Kerberos realm is in capitals (I'm re-using the screenshots from previous posts):


  5.  Alternatively, the following command could be used (change parameters as needed):
    authconfig --enablemd5 --enableshadow --enableldap --enableldapauth --enablekrb5 --ldapserver='win8pdc.sma.org' --disablelocauthorize --ldapbasedn='dc=sma,dc=org' --krb5realm='SMA.ORG' --krb5adminserver='win8pdc.sma.org' --krb5kdc='win8pdc.sma.org' --update
  6. Ensure that Name Service Switch is configured for ldap authentication. In essence, check that /etc/nsswitch.conf has the following values:
  7. passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
  8. Edit the local LDAP name service daemon configuration (/etc/nslcd.conf). A bind account to the Active Directory is needed, so create that account now (I have created binding in the Users OU). The mappings (for Active Directory) need to be modified. Below is a list of changes to /etc/nslcd.conf. In essence uncomment the relevant parts:
  9. binddn cn=lb, cn=Users,dc=dev,dc=com
    bindpw mypass 
    #The Default search scope
    scope sub 
    #Customize certain database lookups
    base   group  dc=dev,dc=com
    base   passwd dc=dev,dc=com
    base   shadow dc=dev,dc=com
    # Mappings for Active Directory
    pagesize 1000
    referrals off
    filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map    passwd uid              sAMAccountName
    map    passwd homeDirectory    unixHomeDirectory
    map    passwd gecos            displayName
    filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map    shadow uid              sAMAccountName
    map    shadow shadowLastChange pwdLastSet
    map    shadow userPassword     unixUserPassword
    filter group  (objectClass=group)
    map    group  uniqueMember     member
  10. Change permissions on /etc/nslcd.conf file so that it is only readable by root:
    chmod 600 /etc/nslcd.conf
  11. Restart the local LDAP name service daemon:
    service nslcd restart
  12. Ensure that the local LDAP name service daemon (nslcd) is set to start with the server:
    chkconfig nslcd on
  13. Edit /etc/samba/smb.conf. Make sure that there is only a security directive active. Comment out all others.
  14. Network Related Options
    workgroup =dev
    Domain members options
    security = ads
    realm = DEV.COM
    password server = win8pdc.dev.com
  15. Ensure that iptables lets traffic through on port 389:
  16. iptables –I INPUT –p tcp --dport ldap –j ACCEPT; service iptables save
  17. Run the following command to join the domain:
  18. net ads join –U domainadmin
  19. Ensure that the DNS Zone is configured to accept secure and nonsecure dynamic updates.
  20. At this point you have successfully joined to the AD domain, you can test this by getting a list of users or group. You should get back the users and/or groups that have Unix attributes, at least the binding account and a group if you created it. You can also check the Computers group in the Active Directory Users and Computers console.
    getent passwd
    getent group
  21. In order to create a user's home directory on first login add this directive to /etc/pam.d/sshd. I only log on using ssh. If you are logging in at the box, rather than remotely, you need to modify /etc/pam.d/logon too, I believe. Note that this will not work if SELinux is on.
    session required pam_mkhomedir.so skel=/etc/skel umask=0022
  22. Allow polyinstatiation in SELinux settings:
     setsebool -P allow_polyinstantiation 1
  23. Temporarily set SELinux to permissive:
  24. setenforce 0
  25. If you login with a domain user (ssh lb@pms1, where pms1 is the server that has just joined the domain), the directory will be created, but you will also have a record of what would've gone wrong on /var/log/audit/audit.conf had SElinux been on, which in my case is this:
  26. type=AVC msg=audit(1329063091.971:160): avc:  denied  { create } for  pid=5510 comm="mkhomedir_helpe" name="binding" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=AVC msg=audit(1329063091.973:161): avc:  denied  { create } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063091.973:161): avc:  denied  { write open } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063091.973:162): avc:  denied  { setattr } for  pid=5510 comm="mkhomedir_helpe" name=".bashrc" dev=dm-0 ino=263825 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file type=AVC msg=audit(1329063092.015:163): avc:  denied  { setattr } for  pid=5510 comm="mkhomedir_helpe" name="binding" dev=dm-0 ino=263284 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
  27. Create a SELinux policy module to allow the creation of home directories when the user first logs in:
    less /var/log/audit/audit.log  | grep denied > mkdir.log 
    audit2why < mkdir.log 
    audit2allow -M mkdir -i mkdir.log 
    semodule -i mkdir.pp
  28. Renable SELinux:
    setenforce 1
That is it, you now should be able to login with AD users, that have their Unix Attributes set, to this server with SELinux on, see this post to configure Kerberos based single sign-on.


1 comment:

  1. Thanks a lot, I just came through your blog randomly, you've a new follower :)

    ReplyDelete