Wednesday, July 28, 2010

Active Directory Server: How to connect Linux to ADS?

Prerequisite:

The following Samba client RPMs must be pre-installed on the server:

samba-client-3.0.33-3.7.el5
samba-common-3.0.33-3.7.el5

01)Configuring Linux networking:

a)Make sure that /etc/hosts has a proper entry for your server (if it uses a static IP).

b)Configure the DNS client properly (the resolver must point at the company DNS servers that serve the domain). Entries for the /etc/resolv.conf file:

search sap.com
nameserver 10.210.1.252
nameserver 10.219.1.252

02)Synchronize the time using NTP.

a)Remove all public server IPs/names from /etc/ntp.conf and replace them with the Company DNS server IP.

server 10.222.1.252

b)Synchronize the time with the Sapient time server.

# ntpdate -u 10.222.1.252

c)Start the NTP daemon

# service ntpd restart

d)Set the NTP service to start at boot time.

# chkconfig --level 234 ntpd on

03)Configuring PAM and NSS

a)Run system-config-authentication in the GUI, or run the setup command in the CLI and choose Authentication configuration.

# system-config-authentication

Check the Winbind option on both the User Information tab (which configures the nsswitch.conf file) and the Authentication tab (which modifies the system-auth file).

Click the Configure Winbind button and enter the following entries:


b)Open the /etc/pam.d/system-auth file, scroll down toward the bottom and insert the pam_mkhomedir line (the middle line below) before the last line. This creates a home directory for the user at first login if it does not already exist.

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

session required pam_unix.so

04)Open /etc/samba/smb.conf and add/edit the following entries in the [global] section of the file.

[global]
#--authconfig--start-line--

# Generated by authconfig on 2010/02/13 11:48:48

workgroup = sap
password server = dellads2
realm = SAP.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap backend = rid
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = false
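Before running the join in step 05, it is worth checking that steps 03 and 04 actually landed on disk. The script below is an added example, not part of the original post: it validates smb.conf (security = ads, idmap backend = rid, well-formed uid/gid ranges), nsswitch.conf (winbind in passwd and group) and system-auth (pam_mkhomedir before pam_unix). The file paths are the RHEL 5 defaults assumed by the post; each check takes the file as $1 so it can also be run on copies.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# winbind/AD configuration before "net ads join". Run: sh adcheck.sh --check
# Paths are the RHEL 5 defaults; every check takes the file as $1.

# First "key = value" match in smb.conf, with surrounding whitespace removed.
smb_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}
# [global] must use ADS security, the rid idmap backend and well-formed
# low-high uid/gid ranges (the rid backend maps domain RIDs into this range).
check_smb_conf() {
    [ "$(smb_value "$1" security)" = "ads" ] || { echo "smb.conf: security must be ads" >&2; return 1; }
    [ -n "$(smb_value "$1" realm)" ] || { echo "smb.conf: realm is not set" >&2; return 1; }
    [ "$(smb_value "$1" 'idmap backend')" = "rid" ] || { echo "smb.conf: idmap backend must be rid" >&2; return 1; }
    for k in 'idmap uid' 'idmap gid'; do
        r=$(smb_value "$1" "$k"); lo=${r%-*}; hi=${r#*-}
        case "$r" in *[!0-9-]*|"") echo "smb.conf: $k range '$r' malformed" >&2; return 1;; esac
        [ "$lo" -lt "$hi" ] 2>/dev/null || { echo "smb.conf: $k range '$r' is not low-high" >&2; return 1; }
    done
    return 0
}
# nsswitch.conf: passwd and group lookups must include winbind, otherwise
# "getent passwd <domain user>" and logins fail even after a successful join.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" ||
            { echo "nsswitch.conf: $db does not use winbind" >&2; return 1; }
    done
    return 0
}
# system-auth: the pam_mkhomedir session line must exist and come before the
# final pam_unix session line, as inserted in step 03 b).
check_pam_mkhomedir() {
    awk '/^[ \t]*session/ && /pam_mkhomedir\.so/ { mk = NR }
         /^[ \t]*session/ && /pam_unix\.so/      { ux = NR }
         END { exit !(mk && ux && mk < ux) }' "$1" ||
        { echo "system-auth: pam_mkhomedir.so missing or placed after pam_unix.so" >&2; return 1; }
}
run_all() {
    rc=0
    check_smb_conf /etc/samba/smb.conf || rc=1
    check_nsswitch /etc/nsswitch.conf || rc=1
    check_pam_mkhomedir /etc/pam.d/system-auth || rc=1
    [ "$rc" -eq 0 ] && echo "config checks passed; next: ntpdate -u <company NTP>, then net ads join -U <NT-ID>"
    return "$rc"
}
if [ "${1:-}" = "--check" ]; then run_all; fi
```

The time step matters as much as the files: Kerberos rejects tickets when the clock skew exceeds the domain's tolerance, so run the ntpdate sync from step 02 before the join as well.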


05)Domain Join and Logging in:
a)Add the machine to the Sapient domain:

# net ads join -U <NT-ID>

Note: This requires the NT-ID of a Company IT member who has privileges to add machines to the domain.

b)Start the winbind service and set it up for startup at boot time.

# service winbind restart
# chkconfig --level 234 winbind on

Try logging into the server using your NT-ID.