2007/07/12

Samba with idmap RID on CentOS

For some reason, the CentOS authconfig-tui never works for me out of the box. And there doesn't appear to be correct error handling for it, such as "failed to join domain" -- it acts like everything is okay, and then it doesn't work.

I use the IDMAP_RID option to map user accounts within a single AD to Unix user IDs.

Ensure that you have krb5-libs, samba-common, pam_krb5, krb5-workstation, samba-client, and krb5-auth-dialog installed.

Most of these settings are case-sensitive: the Kerberos realm is always upper-case, DNS names lower-case. The example NETBIOS domain name is "MYDOMAIN". The full DNS domain name is "mydomain.com". The DCs/KDCs are dc1.mydomain.com, dc2.mydomain.com, etc.

/etc/pam_smb.conf
MYDOMAIN
dc1.mydomain.com
dc2.mydomain.com

Then run "ln -sf system-auth-ac /etc/pam.d/system-auth"
mkdir /var/cache/samba/smb_krb5

/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so


/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

/etc/krb.conf
MYDOMAIN.COM
MYDOMAIN.COM dc1.mydomain.com:88
MYDOMAIN.COM dc2.mydomain.com:88
MYDOMAIN.COM dc1.mydomain.com:749 admin server

/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
MYDOMAIN.COM = {
kdc = dc1.mydomain.com:88
kdc = dc2.mydomain.com:88
admin_server = dc1.mydomain.com:749
}

[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

/etc/samba/smb.conf
#=======Global Settings =================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = MYDOMAIN
netbios name = FILESERVER
realm = MYDOMAIN.COM
# server string is the equivalent of the NT Description field
server string = File Server
# Security mode. Defines in which mode Samba will operate
security = ADS
allow trusted domains = No
idmap backend = rid:MYDOMAIN=1000000-10000000
idmap uid = 1000000-10000000
idmap gid = 1000000-10000000
template shell = /sbin/nologin
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
smb ports = 139
# Restrict what subnets can access this server
hosts allow = 192.168.1. 192.168.2. 192.168.3. 192.168.4. 192.168.5. 192.168.0. 127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = no
domain master = no
preferred master = no
domain logons = no
wins support = no
wins proxy = no
dns proxy = no
password server = dc1.mydomain.com
# SHARE DEFINITIONS
[users]
path = /var/export/users
comment = user home dirs
public = no
writeable = yes
browseable = no
guest ok = no
printable = no
[team]
path = /var/export/team
comment = Team and Departmental Share
public = no
writeable = yes
browseable = yes
guest ok = no
write list = +"MYDOMAIN\Domain Users"
valid users = +"MYDOMAIN\Domain Users" jdoe
#invalid users = @acc_T_Drive_Deny mdc
printable = no
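The useful property of the rid backend in the smb.conf above is that the mapping is arithmetic, not allocated: with the default base_rid of 0, the Unix id is simply the low end of the idmap range plus the account's RID, so every file server with the same range hands out the same ids. The following shell script is an added example (not part of the original post) that reproduces that calculation so you can predict ownership on /var/export before copying data in. The domain SID and the RID 1105 are made-up sample values; 513 is the real well-known RID of "Domain Users".

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the UID/GID the
# idmap_rid backend assigns (id = range low + RID, default base_rid = 0),
# and apply the two checks winbind applies: the SID must belong to our own
# domain (allow trusted domains = No) and the result must fit the range.
# The domain SID and the RID 1105 below are constructed sample values.

IDMAP_LOW=1000000        # from "idmap uid = 1000000-10000000"
IDMAP_HIGH=10000000
DOMAIN_SID='S-1-5-21-1111111111-2222222222-3333333333'   # constructed

# rid_of SID: print the last component (the RID) of an account SID.
rid_of() {
    printf '%s\n' "${1##*-}"
}

# domain_of SID: print the SID with the RID removed, i.e. the domain SID.
domain_of() {
    printf '%s\n' "${1%-*}"
}

# rid_to_id SID: print the Unix id idmap_rid would hand out, or fail when the
# SID belongs to another domain or its RID does not fit the configured range.
# Well-known group RIDs such as 513 map exactly like user RIDs, which is why
# the range must start well above the ids used in the local /etc/passwd.
rid_to_id() {
    sid=$1
    if [ "$(domain_of "$sid")" != "$DOMAIN_SID" ]; then
        echo "not our domain, refused: $sid" >&2
        return 1
    fi
    rid=$(rid_of "$sid")
    id=$((IDMAP_LOW + rid))
    if [ "$id" -gt "$IDMAP_HIGH" ]; then
        echo "RID $rid does not fit the idmap range" >&2
        return 1
    fi
    echo "$id"
}

# Sample lookups (constructed input).
rid_to_id "$DOMAIN_SID-513"      # Domain Users -> gid 1000513
rid_to_id "$DOMAIN_SID-1105"     # jdoe (sample RID) -> uid 1001105
rid_to_id "S-1-5-21-9-9-9-1105" || echo "(trusted-domain SID rejected as expected)"
```

Compare the numbers with what "wbinfo -n 'Domain Users'" and "getent group" report once winbind is running; if they differ, the range or the domain in the idmap backend line is not what you think it is.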


Now run "ntpdate dc1.mydomain.com" once to step the clock, then configure ntpd to sync time from your DCs and start it. Use "ntpq -p" and look for an asterisk next to one of the DCs to know when it has synchronized; it may take a few minutes. If your system clock drifts more than 5 minutes (the default Kerberos clock skew) away from the DCs, Kerberos, and with it your authentication, will stop working.

TESTING
To test Kerberos functionality for authentication, run "kinit username", where username is a user name in your AD domain, then run "klist" and confirm a ticket-granting ticket for MYDOMAIN.COM was issued.

To test ntpd functionality, run "ntpq -p" and look for an asterisk next to your DC.
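Since the asterisk check above is the one that silently breaks Kerberos when it is missing, here is an added example (not part of the original post) that turns it into a script: it reads "ntpq -p" output, finds the selected peer, and compares its offset with the 300 s skew Kerberos tolerates by default. The ntpq -p output embedded in it is constructed, not captured from a real DC.

```shell
#!/bin/sh
# Added example, not from the original post: parse "ntpq -p" output, report
# whether ntpd has selected a sync peer (the line marked with "*"), and check
# that its offset is inside Kerberos' default 300 s clock-skew limit.
# The ntpq -p sample below is constructed; offsets in ntpq -p are milliseconds.

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*dc1.mydomain.co 192.168.0.10     3 u   42   64  377    0.412   -1.234   0.567
+dc2.mydomain.co 192.168.0.10     3 u   30   64  377    0.501    2.100   0.400'

# ntp_sync_peer: read ntpq -p output on stdin and print "peer offset_ms" for
# the selected (*) peer; print nothing and return 1 while no peer is selected
# (ntpd still converging, or no reachable DC).
ntp_sync_peer() {
    awk '/^\*/ { sub(/^\*/, ""); print $1, $9; found = 1 } END { exit !found }'
}

# krb_skew_ok OFFSET_MS: return 0 when |offset| is below 300000 ms (300 s,
# the default Kerberos clockskew), 1 otherwise.
krb_skew_ok() {
    awk -v off="$1" 'BEGIN { if (off < 0) off = -off; exit !(off < 300000) }'
}

# check_ntp_for_kerberos: read ntpq -p output on stdin, print a one-line verdict.
# Exit status: 0 synced and within skew, 1 not synced, 2 synced but too far off.
check_ntp_for_kerberos() {
    peer_line=$(ntp_sync_peer) || {
        echo "NOSYNC: no peer selected yet, wait and re-run ntpq -p"
        return 1
    }
    set -- $peer_line
    if krb_skew_ok "$2"; then
        echo "OK: synced to $1, offset $2 ms"
    else
        echo "SKEW: synced to $1 but offset $2 ms exceeds Kerberos' 300 s limit"
        return 2
    fi
}

# Real usage:  ntpq -p | check_ntp_for_kerberos
echo "$SAMPLE_NTPQ" | check_ntp_for_kerberos
```

Run it from cron or a monitoring check; a NOSYNC or SKEW verdict explains a sudden "Clock skew too great" from kinit before anyone starts debugging PAM.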

To test that winbind is getting user and group info from AD, run "wbinfo -t" (verifies the machine trust account), then "wbinfo -u" and "wbinfo -g". To test that the system can use that information through nsswitch, run "getent passwd" and "getent group", and you should see your AD users and groups in there, with IDs inside the idmap range.

Note: for VMware Server to work, any user who will run VMware needs a local entry in /etc/passwd as well; a winbind-only account is not enough.

