> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of William Warren
> Sent: Monday, February 19, 2007 4:57 PM
> To: CentOS mailing list
> Subject: [CentOS] SBS2ke Ad integration
>
> I have a couple of workstations that are perfect candidates for Linux at
> a client's location. The only thing I am shaky on is getting CentOS 4.4
> to integrate into the AD domain. Any tips/links would be highly
> appreciated.
Install samba-common and samba-client. This smb.conf works well for me
for an ADS domain member scenario:
[global]
        workgroup = MFG
        security = ADS
        # '*' lets Samba locate the domain controllers itself
        password server = *
        realm = MFG.PRV
        load printers = No
        max log size = 50
        passdb backend = tdbsam
        use kerberos keytab = Yes
        allow trusted domains = No
        # uid/gid ranges handed to AD users; keep them clear of local accounts
        idmap gid = 100000-999999
        idmap uid = 100000-999999
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        # users log in as "user" instead of "MFG\user"
        winbind use default domain = Yes
Here's my krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MFG.PRV
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
renewable = yes
[realms]
MFG.PRV = {
kdc = mfg.prv:88
admin_server = mfg.prv:749
default_domain = mfg.prv
}
[domain_realm]
.mfg.prv = MFG.PRV
mfg.prv = MFG.PRV
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
renewable = true
krb4_convert = false
}
Here's my nsswitch.conf:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# ldap Use LDAP (only if nss_ldap is installed)
# nisplus or nis+ Use NIS+ (NIS version 3), unsupported
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files ldap nis
#shadow: db files ldap nis
#group: db files ldap nis
passwd: files winbind
shadow: files
group: files winbind
#hosts: db files ldap nis dns
hosts: files dns
# Example - obey only what ldap tells us...
#services: ldap [NOTFOUND=return] files
#networks: ldap [NOTFOUND=return] files
#protocols: ldap [NOTFOUND=return] files
#rpc: ldap [NOTFOUND=return] files
#ethers: ldap [NOTFOUND=return] files
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
Here's my pam.d/system-auth:
# pam_unix tries the local password first, then pam_krb5 reuses it against AD.
# nullok on pam_unix lets a local account with an empty password log in.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
# accounts Kerberos does not know (local users) are ignored here, not denied
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
My pam.d/login:
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open
My pam.d/remote:
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open
My pam.d/sshd:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
After the files are set up, just join the domain with:
net ads join -U <admin user>
Set winbind to start at boot: chkconfig winbind on
Start the winbind server: service winbind start
And you should be all set to have ADS users log on to the system.
-Ross
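The files above only work together if a handful of values line up: smb.conf must be an ADS member whose realm is upper case and matches default_realm in krb5.conf, the idmap ranges must sit above the local uid/gid space, and nsswitch.conf must consult winbind for passwd and group or AD users never get a uid at all, whatever PAM accepts. The script below, added here as an example and not part of Ross's message, checks those points offline against copies of the files and also flags nullok on the pam_unix auth line. The function names, the 10000 idmap floor and the constructed sample files are my assumptions; the option names are Samba's and MIT Kerberos's own.

```shell
#!/bin/sh
# Offline sanity checks for a Samba/winbind AD member (added example, not code
# from the original post). Function names, the constructed sample files and
# the 10000 idmap floor are assumptions; option names are Samba's and krb5's.

# Print the first value of KEY from a "key = value" file (smb.conf, krb5.conf).
cfg_get() { # cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}
# smb.conf: ADS member, upper-case realm, idmap ranges clear of local uids/gids.
check_smb_conf() { # check_smb_conf SMB_CONF
    f=$1 rc=0
    [ "$(cfg_get "$f" security)" = "ADS" ] \
        || { echo "smb.conf: security must be ADS"; rc=1; }
    realm=$(cfg_get "$f" realm)
    case $realm in
        "")            echo "smb.conf: realm is not set"; rc=1 ;;
        *[[:lower:]]*) echo "smb.conf: realm must be upper case (got $realm)"; rc=1 ;;
    esac
    for key in "idmap uid" "idmap gid"; do
        range=$(cfg_get "$f" "$key")
        case $range in
            *[!0-9-]*|*-*-*|-*|*-|"") lo=0 hi=0 ;;   # not LOW-HIGH: fails below
            *) lo=${range%-*} hi=${range#*-} ;;
        esac
        if [ "$lo" -lt 10000 ] || [ "$hi" -le "$lo" ]; then
            echo "smb.conf: $key must be LOW-HIGH with LOW >= 10000 (got '$range')"
            rc=1
        fi
    done
    return $rc
}
# krb5.conf: default_realm must be the smb.conf realm and have a [realms] entry.
check_krb5_conf() { # check_krb5_conf KRB5_CONF REALM
    f=$1 realm=$2 rc=0
    [ "$(cfg_get "$f" default_realm)" = "$realm" ] \
        || { echo "krb5.conf: default_realm must be $realm"; rc=1; }
    grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$f" \
        || { echo "krb5.conf: no [realms] entry for $realm"; rc=1; }
    return $rc
}
# nsswitch.conf: passwd and group must consult winbind or AD users get no uid/gid.
check_nsswitch() { # check_nsswitch NSSWITCH_CONF
    f=$1 rc=0
    for db in passwd group; do
        grep -q "^$db:[^#]*winbind" "$f" \
            || { echo "nsswitch.conf: $db line lacks winbind"; rc=1; }
    done
    return $rc
}
# system-auth: pam_krb5 must be in the auth stack; nullok admits empty passwords.
check_pam() { # check_pam SYSTEM_AUTH
    f=$1 rc=0
    grep -q "^auth.*pam_krb5\.so" "$f" \
        || { echo "system-auth: no pam_krb5 auth line"; rc=1; }
    grep -q "^auth.*pam_unix\.so.*nullok" "$f" \
        && { echo "system-auth: nullok on pam_unix permits empty local passwords"; rc=1; }
    return $rc
}
# Run every offline check; any finding makes the whole run fail.
check_all() { # check_all SMB_CONF KRB5_CONF NSSWITCH_CONF SYSTEM_AUTH
    all=0
    check_smb_conf "$1" || all=1
    check_krb5_conf "$2" "$(cfg_get "$1" realm)" || all=1
    check_nsswitch "$3" || all=1
    check_pam "$4" || all=1
    return $all
}
# Live checks for after 'net ads join' (run as root on the joined host): machine
# account valid, winbind can use the trust secret, users enumerate, NSS maps one.
verify_join() {
    net ads testjoin && wbinfo -t || return 1
    first=$(wbinfo -u | head -n 1)
    [ -n "$first" ] && getent passwd "$first"
}
# Constructed sample files carrying the values from the post (not copies of a
# real host), so the checks can be exercised without touching /etc.
write_samples() { # write_samples DIR
    printf '%s\n' '[global]' 'workgroup = MFG' 'security = ADS' 'realm = MFG.PRV' \
        'idmap uid = 100000-999999' 'idmap gid = 100000-999999' > "$1/smb.conf"
    printf '%s\n' '[libdefaults]' 'default_realm = MFG.PRV' '[realms]' \
        'MFG.PRV = {' 'kdc = mfg.prv:88' '}' > "$1/krb5.conf"
    printf '%s\n' 'passwd: files winbind' 'shadow: files' 'group: files winbind' > "$1/nsswitch.conf"
    printf '%s\n' 'auth sufficient pam_unix.so likeauth nullok' \
        'auth sufficient pam_krb5.so use_first_pass' > "$1/system-auth"
}
if [ $# -eq 4 ]; then check_all "$@"; fi
```

Run it as `sh adcheck.sh /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf /etc/pam.d/system-auth` before `net ads join`; on the configuration in the post it reports only the nullok finding. One thing no file check can catch is clock skew: Kerberos rejects tickets when the workstation's clock is more than five minutes (the MIT default clockskew) off the domain controller, so keep the box on NTP and call verify_join after the join to confirm the machine account, the winbind trust secret and NSS resolution all work.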