Tuesday, October 20, 2015

10

Already 10. Looks like yesterday to me :)

Thursday, October 01, 2015

Authenticate Linux users to a Windows 2012 R2 domain controller

As root type:
rpm -Uvh samba-winbind samba-winbind-clients pam_krb5 krb5-libs

Then:
authconfig --enablekrb5 --krb5kdc=2k12srv.domain.local --krb5adminserver=2k12srv.domain.local \
  --krb5realm=DOMAIN.LOCAL --enablewinbind --enablewinbindauth --smbsecurity=ads \
  --smbrealm=DOMAIN.LOCAL --smbservers=2k12srv.domain.local --smbworkgroup=DOMAIN \
  --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablemkhomedir \
  --enablewinbindusedefaultdomain --update && net ads join -U administrator -D DOMAIN

vi smb.conf
[global]
   workgroup = DOMAIN
   password server = 2k12srv.domain.local
   realm = DOMAIN.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true

Restart and enable winbind:
chkconfig winbind on
service winbind restart

-----------------------------------------------------------------------------------------------------------------------------

The old way, for a 2008 server, was:
rpm -Uvh samba-winbind-clients samba-winbind samba-client

service winbind start
chkconfig winbind on

authconfig --enablewinbind --enablewinbindauth --enablelocauthorize --enablemkhomedir --updateall

vi smb.conf:
# Any modification may be deleted or altered by authconfig in future
   workgroup = DOMAIN
   password server = 2008dc 2008R2dc
   realm = DOMAIN.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
#--authconfig--end-line--


vi /etc/openldap/ldap.conf:
TLS_CACERTDIR   /etc/openldap/cacerts
SASL_NOCANON    on

cp shared_DOMAIN_cert.cer /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts/

net join -w DOMAIN -S 2008dc.domain.tld -U Administrator
systemctl restart winbind.service

In order to allow only certain AD groups to log in:
vi /etc/login.group.allowed
A_CERTAIN_AD_GROUP

vi /etc/pam.d/sshd
auth       required     pam_listfile.so item=group sense=allow onerr=fail file=/etc/login.group.allowed

vi /etc/pam.d/login
auth       required     pam_listfile.so item=group sense=allow onerr=fail file=/etc/login.group.allowed

cd /home
mkdir DOMAIN
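As an added example (not part of the original post), a small POSIX sh check that reproduces what the pam_listfile lines above decide for a user: allow if any of the user's groups appears as a whole line in /etc/login.group.allowed, deny otherwise, and, because of onerr=fail, deny when the file is missing, unreadable or world-writable. group_allowed and login_allowed are assumed helper names; group names are passed in one per line so the check runs without a joined domain, while login_allowed looks them up through NSS (winbind) the way PAM would.

```shell
#!/bin/sh
# Added example, not from the original post: mimics the decision of
#   auth required pam_listfile.so item=group sense=allow onerr=fail file=...
# group_allowed "<groups, one per line>" <allowed-file>
#   returns 0 (allow) if any group is listed, 1 (deny) otherwise.
group_allowed() {
    glist="$1"
    file="$2"
    # onerr=fail: a missing or unreadable list denies everyone
    [ -r "$file" ] || return 1
    # pam_listfile also refuses a world-writable list file; treat it as an error
    [ -z "$(find "$file" -prune -perm -002)" ] || return 1
    oldifs=$IFS
    IFS='
'
    for g in $glist; do
        [ -n "$g" ] || continue
        # whole-line, literal match: no globbing, no prefix matches
        if grep -qxF -- "$g" "$file"; then
            IFS=$oldifs
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# login_allowed <user>: resolve the user's groups via NSS (winbind after the
# join) and apply the same rule. Numeric gids are resolved one by one so that
# AD group names containing spaces (e.g. "Domain Users") survive intact.
login_allowed() {
    user="$1"
    gids="$(id -G -- "$user" 2>/dev/null)" || return 1
    names=""
    for gid in $gids; do
        n="$(getent group "$gid" | cut -d: -f1)" || return 1
        names="$names$n
"
    done
    group_allowed "$names" /etc/login.group.allowed
}
```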
