Red Hat, AD, and Winbind

Skel

Is Winbind still the best option for integrating my Linux clients into my AD?
 

Brazen

If you are using Red Hat, then yes. I would prefer Likewise-open, but Red Hat does not distribute it. If you want to stick with official Red Hat packages, then Winbind is your ONLY option.

FYI, Ubuntu does include Likewise-open, if you consider going that route. Although to be honest, I've had a Red Hat 5 file server running for years, and I've never had a problem with Winbind on it, other than the difficulty of setting it up.
 

Skel

I have a large network with tons of Linux servers; we run into issues here and there when the AD guys patch and bounce the DCs. Nothing too major, but I'm looking at ways to improve the interop.
 

Brazen

Really? I've never had an issue with bouncing DCs. They do them one at a time, right? What is in your /etc/krb5.conf?
 

Skel

I've pulled the name stuff out...

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # default_realm must name a realm that is defined under [realms] below
 default_realm = DOMAINNAME.COM
 # with DNS lookups off, only the kdc entries listed below are ever contacted
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 # stock Red Hat example realm, left in place from the default file
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }
 # one block per realm: realm names are case-sensitive, upper-case and never
 # start with a dot; every DC that should be tried as a fallback is listed here
 DOMAINNAME.COM = {
  kdc = DCSERVERNAME.DOMAINNAME.com
  kdc = ANOTHERDCSERVERNAME.DOMAINNAME.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 # DNS domain (with and without the leading dot) -> Kerberos realm
 .DOMAINNAME.com = DOMAINNAME.COM
 DOMAINNAME.com = DOMAINNAME.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
 

Brazen

I've pulled the name stuff out...

I assumed you would.

Here's the thing. Mine is blank, completely blank. This is the one thing: a lot of instructions will tell you to put all the information you have in your krb5.conf. However, if you just leave it blank, it automatically detects all that based on the realm you have set in smb.conf. This may be why your system is not resilient to system changes (such as a downed domain controller). But that's just a guess.

Basically the steps I use for setting up a Red Hat 5 file server on a Windows domain are:

1. sudo: open firewall ports UDP 137, 138 and TCP 139, 445
2. sudo yum install krb5-workstation pam_krb5 samba attr acl
3. sudo mv /etc/krb5.conf /etc/krb5.conf.original
4. sudo touch /etc/krb5.conf

test it with: sudo kinit Administrator@DOMAIN
It should not return any errors. I don't believe this is necessary for the setup, but I always do it.

5. sudo nano /etc/pam.d/samba
Add the following lines:
auth required pam_winbind.so
account required pam_winbind.so

6. sudo nano /etc/nsswitch.conf
Add "winbind" (without the quotes) to the end of the passwd and group lines.

7. sudo /sbin/ldconfig -v | grep winbind

8. write out the smb.conf

The important global settings are:
realm = DOMAIN
workgroup = DOMAIN
security = ADS
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = no
winbind enum groups = no
winbind cache time = 900
server signing = auto
client signing = auto


9. sudo net ads join -U Administrator@DOMAIN
This joins it to the domain and you are ready to go.


Read 'man selinux_samba' for what to do with SELinux.
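Brazen's argument above is that a krb5.conf which pins named DCs is exactly what stops working when one of those DCs is bounced, whereas an empty file lets the Kerberos libraries find KDCs through DNS. The checker below is an added example, not code from either poster: it parses a krb5.conf and reports the settings that make KDC discovery fragile for anything on the box that reads /etc/krb5.conf (kinit, pam_krb5): a realm with a single hard-coded kdc (per the MIT documentation, explicit kdc entries mean DNS SRV records are not consulted for that realm), a realm with no kdc while dns_lookup_kdc = false, realm names starting with a dot, and a default_realm or [domain_realm] target that has no [realms] entry. The embedded sample config is constructed from the thread's placeholder names and is not either poster's real file.

```python
"""Checker for the fragility Brazen describes: a krb5.conf that pins DCs.
Added example, not either poster's code. The sample config at the bottom is
constructed with the thread's placeholder names."""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}, with a
    'key = { ... }' block stored as a nested dict under that key.
    '#' and ';' comments are dropped; only the subset of the syntax the
    thread's config uses is handled (no include directives, no 'key = *')."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            stack = [section]
            continue
        if section is None:
            raise ValueError(f"directive outside any section: {raw!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def lint_krb5_conf(text):
    """Return a list of 'LEVEL: message' findings about KDC discovery."""
    conf = parse_krb5_conf(text)
    findings = []
    if not conf:
        # MIT krb5 defaults dns_lookup_kdc to true, so an empty file means
        # every KDC comes from _kerberos._tcp.<realm> SRV records: nothing
        # is pinned and a rebooted DC is simply skipped.
        findings.append("INFO: empty krb5.conf; KDCs come from DNS SRV records, no DC is pinned")
        return findings
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[-1].lower() in ("true", "yes", "1")
    default_realm = libdefaults.get("default_realm", [None])[-1]
    if default_realm and default_realm not in realms and not dns_kdc:
        findings.append(f"ERROR: default_realm {default_realm} has no [realms] entry and dns_lookup_kdc = false: no KDC can be found")
    for name, block in realms.items():
        if not isinstance(block, dict):
            continue
        if name.startswith("."):
            findings.append(f"ERROR: realm name {name!r} starts with a dot; realm names are bare, case-sensitive and upper-case by convention")
        kdcs = block.get("kdc", [])
        if len(kdcs) == 1:
            findings.append(f"WARN: realm {name} pins a single kdc ({kdcs[0]}); explicit kdc entries disable SRV lookup for the realm, so rebooting that DC breaks logins")
        elif len(kdcs) > 1:
            findings.append(f"INFO: realm {name} pins {len(kdcs)} KDCs; DCs added later are not used until this file is updated")
        elif not dns_kdc:
            findings.append(f"ERROR: realm {name} lists no kdc and dns_lookup_kdc = false")
    for domain, targets in conf.get("domain_realm", {}).items():
        if isinstance(targets, list) and targets[-1] not in realms:
            findings.append(f"ERROR: [domain_realm] maps {domain} to {targets[-1]!r}, which has no [realms] entry")
    return findings


# Constructed sample modelled on the config posted above: one realm with a
# single pinned DC, plus a mis-named dotted realm, and DNS lookups off.
PINNED_CONF = """
[libdefaults]
 default_realm = DOMAINNAME.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 DOMAINNAME.COM = {
  kdc = DCSERVERNAME.DOMAINNAME.com
 }
 .DOMAINNAME.com = {
  kdc = DCSERVERNAME.DOMAINNAME.com
 }
[domain_realm]
 .DOMAINNAME.com = DOMAINNAME.COM
 DOMAINNAME.com = DOMAINNAME.COM
"""

if __name__ == "__main__":
    for label, text in (("pinned", PINNED_CONF), ("empty", "")):
        print(f"--- {label} ---")
        for finding in lint_krb5_conf(text):
            print(finding)
```

Run it against a copy of the real file (`lint_krb5_conf(open("/etc/krb5.conf").read())`) on one of the servers that misbehaves during DC patching; a WARN on the production realm is the symptom Brazen is describing. Winbind has its own DC discovery on top of this, so the checker speaks only for the MIT libraries and the tools that use them.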
 
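The nine steps above, as an added example in Python rather than the poster's own script: the file-writing steps (3 to 6 and 8) are functions that take a target root, so they can be exercised against a scratch directory before being pointed at `/`; the smb.conf settings are exactly the ones listed in the post; and the join (step 9, preceded by the kinit check) shells out to the same commands. Opening the firewall ports, `yum install`, `ldconfig` and the SELinux setup are left to the shell. Realm and workgroup names are placeholders, and the nsswitch.conf edit is written to be safe to re-run.

```python
"""Provisioning helper for the winbind setup above (added example, not the
poster's script). File-writing steps take a target root so they can be run
against a scratch directory; the join itself shells out to kinit and net."""
import os
import subprocess
import sys

# The [global] settings listed in the post; realm/workgroup are placeholders.
SMB_GLOBAL = """[global]
   # Kerberos realm: case-sensitive, upper-case; workgroup is the NetBIOS name
   realm = {realm}
   workgroup = {workgroup}
   security = ADS
   encrypt passwords = yes
   # uid/gid range handed to AD accounts; keep it clear of local accounts
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = no
   winbind enum groups = no
   winbind cache time = 900
   server signing = auto
   client signing = auto
"""

# Step 5: /etc/pam.d/samba
PAM_SAMBA = "auth required pam_winbind.so\naccount required pam_winbind.so\n"


def render_smb_conf(realm, workgroup):
    """Return smb.conf text; refuse a lower-case realm, which Kerberos would
    treat as a different (nonexistent) realm and the join would fail on."""
    if realm != realm.upper():
        raise ValueError(f"realm must be upper-case: {realm!r}")
    return SMB_GLOBAL.format(realm=realm, workgroup=workgroup)


def add_winbind(nsswitch_text):
    """Step 6: append 'winbind' to the passwd and group lines, idempotently,
    leaving every other line (shadow, hosts, ...) untouched."""
    out = []
    for line in nsswitch_text.splitlines():
        key, sep, rest = line.partition(":")
        if sep and key.strip() in ("passwd", "group") and "winbind" not in rest.split():
            line = line.rstrip() + " winbind"
        out.append(line)
    return "\n".join(out) + "\n"


def write_files(root, realm, workgroup):
    """Steps 3-6 and 8 against <root>/etc; returns the paths written."""
    etc = os.path.join(root, "etc")
    os.makedirs(os.path.join(etc, "samba"), exist_ok=True)
    os.makedirs(os.path.join(etc, "pam.d"), exist_ok=True)
    written = []
    # Steps 3/4: keep the stock krb5.conf as .original and leave an empty one,
    # so the Kerberos libraries fall back to DNS for realm and KDC discovery.
    krb = os.path.join(etc, "krb5.conf")
    if os.path.exists(krb) and os.path.getsize(krb) > 0:
        os.replace(krb, krb + ".original")
    open(krb, "a").close()
    written.append(krb)
    for path, text in ((os.path.join(etc, "samba", "smb.conf"), render_smb_conf(realm, workgroup)),
                       (os.path.join(etc, "pam.d", "samba"), PAM_SAMBA)):
        with open(path, "w") as f:
            f.write(text)
        written.append(path)
    nss = os.path.join(etc, "nsswitch.conf")
    with open(nss) as f:
        text = f.read()
    with open(nss, "w") as f:
        f.write(add_winbind(text))
    written.append(nss)
    return written


def join_domain(realm, admin="Administrator"):
    """The kinit check from the post, then step 9; both prompt for the password."""
    subprocess.run(["kinit", f"{admin}@{realm}"], check=True)
    subprocess.run(["net", "ads", "join", "-U", f"{admin}@{realm}"], check=True)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: join-ad.py REALM WORKGROUP   (e.g. DOMAINNAME.COM DOMAINNAME)")
    write_files("/", sys.argv[1], sys.argv[2])
    join_domain(sys.argv[1])
```

Run `write_files("/tmp/stage", "DOMAINNAME.COM", "DOMAINNAME")` first with a copy of the server's nsswitch.conf under `/tmp/stage/etc/` and diff the result against the live files; only then run the script as root against `/`. The kinit step is kept because it proves DNS-based KDC discovery works with the now-empty krb5.conf before `net ads join` depends on it.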

Skel

Thanks for the help. I just need time to test it now. I'll update when I have a better clue.
 

Scarpozzi

I've done Likewise-open before. It was pretty straight forward and the servers I deployed showed up in AD without a hitch.

I'm tempted to go back and try it again to do AD integration with Apache accounts using the userdir mod. I just doubt it'll be used if I go through the trouble.
 