Monday, 27 April 2015

Add RHEL7 Server to Active Directory Domain



This tutorial is based on the following configuration:
domain name : mycompany.com
workgroup : MYCOMPANY
kerberos realm : MYCOMPANY.COM

Windows Server DNS Name: winserver.mycompany.com
Windows Server IP Address: 192.168.122.10

Linux Server DNS Name: server3.mycompany.com
Linux Server IP Address: 192.168.122.4

Ensure that DNS Server is properly configured on the Windows Server.

1) Install packages
yum install krb5-workstation pam_krb5

yum install samba samba-client samba-winbind

yum install authconfig



2) Ensure that the clocks on both systems are in sync. Time synchronization is essential for Kerberos to work.

3) Configure the DNS resolver to use the AD server as its name server. DNS is critical for Kerberos, which locates the KDC and resolves host names and domains through it.
Edit the file '/etc/resolv.conf' and add the following entries:
search mycompany.com
nameserver 192.168.122.10


4) Configure Kerberos to use AD Kerberos realm. Edit the file '/etc/krb5.conf'.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true

ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = MYCOMPANY.COM

5) Verify Kerberos operation.

[root@server3 ~]# kinit Administrator
Password for Administrator@MYCOMPANY.COM:
[root@server3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYCOMPANY.COM

Valid starting Expires Service principal
04/27/2015 00:42:19 04/27/2015 10:42:19 krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
renew until 05/04/2015 00:42:10
[root@server3 ~]# kdestroy

6) Configure Samba to connect to the AD server. Edit the file '/etc/samba/smb.conf' and make the
following changes in the [global] section:

workgroup = MYCOMPANY
server string = Samba Server Version %v
netbios name = SERVER3
interfaces = lo eth0 192.168.122.4/24
hosts allow = 127. 192.168.122.

security = ads
passdb backend = tdbsam
realm = MYCOMPANY.COM
kerberos method = secrets and keytab

template shell = /bin/sh
winbind offline logon = true
winbind separator = +
winbind use default domain = yes

# ID range for the default (local and BUILTIN) domain. The older 'idmap uid' /
# 'idmap gid' spellings of this setting are deprecated and make testparm warn.
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config MYCOMPANY:backend = rid
idmap config MYCOMPANY:range = 10000000-19999999


7) Check for configuration errors
testparm

8) Configure NSS and PAM to use winbind
authconfig --enablewinbind --enablewins --enablewinbindauth --update

9) Start services
systemctl start smb
systemctl start winbind

10) Add the linux machine to the AD Domain
[root@server3 ~]# kinit Administrator

[root@server3 ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- MYCOMPANY
Joined 'SERVER3' to dns domain 'mycompany.com'

11) Verify AD server status

[root@server3 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 SERVER3$@MYCOMPANY.COM

[root@server3 ~]# net ads info
LDAP server: 192.168.122.10
LDAP server name: WINSERVER.mycompany.com
Realm: MYCOMPANY.COM
Bind Path: dc=MYCOMPANY,dc=COM
LDAP port: 389
Server time: Mon, 27 Apr 2015 21:51:54 IST
KDC server: 192.168.122.10
Server time offset: 19835
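Two checks worth scripting once the join has finished: that the realm and workgroup in krb5.conf and smb.conf agree with each other, and that the machine account principal actually landed in the host keytab. The script below is an added example, not part of the original post; it runs offline against constructed copies of the tutorial's values, and on the real host the same functions take /etc/krb5.conf, /etc/samba/smb.conf and the output of `klist -k`.

```shell
#!/bin/sh
# Added example (not from the original post): post-join sanity checks for the
# configuration above. The functions take file paths and text so they can be
# run offline against the constructed samples below.

# Read "key = value" from an ini-style file, ignoring surrounding whitespace.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# The Kerberos default_realm and the Samba realm must be identical and
# upper-case (realm names are case-sensitive), and the Samba workgroup must be
# the realm's first DNS label (MYCOMPANY for MYCOMPANY.COM); otherwise winbind
# looks up the wrong domain or fails to find the KDC.
check_realm_consistency() {
    krb_realm=$(conf_value default_realm "$1")
    smb_realm=$(conf_value realm "$2")
    workgroup=$(conf_value workgroup "$2")
    [ -n "$krb_realm" ] && [ "$krb_realm" = "$smb_realm" ] || return 1
    [ "$workgroup" = "${smb_realm%%.*}" ] || return 1
    [ "$smb_realm" = "$(printf '%s' "$smb_realm" | tr '[:lower:]' '[:upper:]')" ]
}

# After `net ads join` the host keytab must hold the machine account principal
# NETBIOS$@REALM; without it winbind cannot authenticate to the domain.
# $1 = text of `klist -k`, $2 = NetBIOS name, $3 = realm
check_machine_keytab() {
    printf '%s\n' "$1" | grep -q -F -- "$2\$@$3"
}

# --- constructed sample inputs mirroring the tutorial's values ---
SAMPLE_KRB5=$(mktemp); SAMPLE_SMB=$(mktemp)
printf '[libdefaults]\ndefault_realm = MYCOMPANY.COM\n' > "$SAMPLE_KRB5"
printf '[global]\nworkgroup = MYCOMPANY\nsecurity = ads\nrealm = MYCOMPANY.COM\n' > "$SAMPLE_SMB"
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------
   3 SERVER3$@MYCOMPANY.COM'

check_realm_consistency "$SAMPLE_KRB5" "$SAMPLE_SMB" \
    && echo "realm/workgroup: consistent" || echo "realm/workgroup: MISMATCH"
check_machine_keytab "$SAMPLE_KEYTAB" SERVER3 MYCOMPANY.COM \
    && echo "keytab: machine account present" || echo "keytab: machine account MISSING"
```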
