Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: DarkMirage on March 04, 2005, 04:22:11 PM
-
How to add SME to an Active Directory as a member server using kerberos
First of all, no credit to me, I just pieced this together from various posts/sites.
Notes:
This configuration assumes DNS runs on the Active Directory Server.
If you have DNS running as it should, there is no need to edit the hosts and resolv.conf files.
You should however double-check hostname lookup and reverse lookup.
I have tested this on a clean SME 6.5rc1 and 6.0.1 install; 6.0.1 requires you to update
to Samba 3 (look here: http://lists.contribs.org/mailman/public/devinfo/msg07291.html )
I posted the entire contents of the files I changed, you may find differences if you
have already made changes to these files.
I am unfamiliar with the whole naming concept of templates, you might want to
append items in other templates.
You should not change the case of the realm/hosts in krb5.conf,
kerberos is supposed to be sensitive about that.
The next step for me is to look at the mail authentication,
but I can't seem to figure out how to configure this.
Anybody know how this is done?
I've read about dovecot's authentication being done by mailfront,
but I'm not sure where to look for mailfront and its config.
(Attempts at changing dovecots config failed: no effect :-( )
ISSUE:
Currently home directories in samba are not automatically created,
and to gain access I use the following:
root# mkdir -p /home/e-smith/files/users/username/home
root# chown -R 'delirium\username' /home/e-smith/files/users/username
Anybody know how/where to script this?
(Probably something not that hard to find, still need to look in to that)
The sample configuration uses:
delirium.com As the Domain Name
addc As the Active Directory Server (Domain Controller)
172.16.1.2 As the addc's ip address
-------------------------------------------------
Domain Controller should have this configured:
DNS:
"A" Record for SME server
"PTR" Record for SME server
server-manager:
(Configuration) Workgroup -->
Windows workgroup name: DELIRIUM
#If this is a clean install we will have to create the templates-custom/etc dir as well
mkdir /etc/e-smith/templates-custom/etc
cd /etc/e-smith/templates-custom/etc/
#If they're not already there, copy the templates to their custom location
mkdir hosts
cp /etc/e-smith/templates/etc/hosts/20hostname hosts/
mkdir resolv.conf
cp /etc/e-smith/templates/etc/resolv.conf/10domain resolv.conf/
cp /etc/e-smith/templates/etc/resolv.conf/25nameserver resolv.conf/
mkdir nsswitch.conf
cp /etc/e-smith/templates/etc/nsswitch.conf/10files nsswitch.conf
mkdir pam.d
mkdir pam.d/login
cp /etc/e-smith/templates/etc/pam.d/login/20auth pam.d/login/
cp /etc/e-smith/templates/etc/pam.d/login/30account pam.d/login/
mkdir smb.conf
cp /etc/e-smith/templates/etc/smb.conf/10globals smb.conf/
cp /etc/e-smith/templates/etc/smb.conf/11nameResolveOrder smb.conf/
cp /etc/e-smith/templates/etc/smb.conf/11security smb.conf/
#Backup /etc/krb5.conf
cp /etc/krb5.conf /etc/krb5.conf.orig
Edit the following files (still in the /etc/e-smith/templates-custom/etc/ dir)
Example: pico hosts/20hostname
-----------------hosts/20hostname----------------
{
$OUT .= "$LocalIP\t";
$OUT .= " ${SystemName}.${DomainName}";
$OUT .= " ${SystemName}\n";
$OUT .= "172.16.1.2\t";
$OUT .= " addc.${DomainName}";
$OUT .= " addc";
}
---------------resolv.conf/10domain--------------
{
$OUT .= "domain $DomainName\n";
$OUT .= "search $DomainName";
}
-------------resolv.conf/25nameserver------------
nameserver 172.16.1.2
--------------nsswitch.conf/10files--------------
passwd: files winbind
shadow: files
group: files winbind
hosts: { ($AccessType eq "off") ? "files" : "files dns" }
services: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
automount: files
aliases: files
----------------pam.d/login/20auth----------------
{
use esmith::db;
use esmith::config;
local $conf{'telnet'} = $telnet;
my $rootLogin = db_get_prop(\%conf, "telnet", "PermitRootLogin")
|| "no";
if (defined $rootLogin && $rootLogin eq 'no')
{
$OUT .= "auth required /lib/security/pam_securetty.so\n";
}
$OUT .= "auth sufficient /lib/security/pam_winbind.so\n";
$OUT .= "auth sufficient /lib/security/pam_unix.so use_first_pass\n";
$OUT .= "auth required /lib/security/pam_stack.so service=system-auth\n";
$OUT .= "auth required /lib/security/pam_nologin.so\n";
}
--------------pam.d/login/30account---------------
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
----------------smb.conf/10globals----------------
[global]
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = addc.delirium.com
realm = delirium.com
template homedir = /home/e-smith/files/users/%U/home
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
-----------smb.conf/11nameResolveOrder------------
name resolve order = host wins lmhosts bcast
---------------smb.conf/11security----------------
security = ads
-------------------/etc/krb5.conf-----------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DELIRIUM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DELIRIUM.COM = {
kdc = addc.delirium.com:88
admin_server = addc.delirium.com:749
default_domain = delirium.com
}
[domain_realm]
.delirium.com = DELIRIUM.COM
delirium.com = DELIRIUM.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Execute the following commands as root:
root# /sbin/e-smith/expand-template /etc/hosts
root# /sbin/e-smith/expand-template /etc/resolv.conf
root# /sbin/e-smith/expand-template /etc/smb.conf
root# /sbin/e-smith/expand-template /etc/nsswitch.conf
root# /sbin/e-smith/expand-template /etc/pam.d/login
root# service winbind start
root# net ads join -U Administrator
#The above user must be authorised to add the server to the Active Directory
#Not sure how I should set winbind to enabled, so this starts winbind (in runlevel 7?) on boot
root# ln /etc/rc.d/init.d/winbind /etc/rc.d/rc7.d/S92Winbind
#Use these for testing
#The last entries should be your ADS users:
root# /usr/bin/getent passwd
#The last entries should be your ADS groups:
root# /usr/bin/getent group
If I made any mistakes, be gentle, I'm pretty new at this :-)
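A pre-join sanity check for the krb5.conf above, added here as an example and not code from the original post or from SME Server: it parses the realm sections and reports the two mistakes this thread warns about or runs into, a default_realm whose case does not match its [realms] entry (Kerberos realm names are case-sensitive) and a kdc host that does not resolve (the "Cannot resolve network address for KDC" failure of net ads join). SAMPLE_KRB5 and SAMPLE_DNS are constructed stand-ins so the check runs offline; on a real box call check_krb5(open("/etc/krb5.conf").read()).

```python
import re
import socket

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
_SUBOPEN = re.compile(r"^\s*(\S+)\s*=\s*\{\s*$")
_KV = re.compile(r"^\s*([^=\s]+)\s*=\s*(.+?)\s*$")

# Constructed sample: the realm-related sections of the howto's krb5.conf.
SAMPLE_KRB5 = """[libdefaults]
 default_realm = DELIRIUM.COM
[realms]
 DELIRIUM.COM = {
  kdc = addc.delirium.com:88
 }
"""
# Constructed offline stand-in for socket.gethostbyname: only the howto's DC resolves.
SAMPLE_DNS = {"addc.delirium.com": "172.16.1.2"}.__getitem__

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: [values]}}; a `NAME = { ... }` sub-block
    (such as a realm entry) becomes a nested dict under its section."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if m := _SECTION.match(line):
            section, sub = conf.setdefault(m.group(1), {}), None
        elif m := _SUBOPEN.match(line):
            sub = section.setdefault(m.group(1), {})
        elif line.strip() == "}":
            sub = None
        elif m := _KV.match(line):
            (sub if sub is not None else section).setdefault(m.group(1), []).append(m.group(2))
    return conf

def check_krb5(text, resolve=socket.gethostbyname):
    """Return a list of problems; an empty list means the realm setup is consistent.
    `resolve` must raise for an unknown host (gethostbyname, or a dict lookup offline)."""
    conf, problems = parse_krb5(text), []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [""])[0]
    if default not in realms:  # exact match only: delirium.com is not DELIRIUM.COM
        problems.append("default_realm %r has no [realms] entry (case-sensitive)" % default)
    for realm, entry in realms.items():
        if realm != realm.upper():
            problems.append("realm %r is not uppercase" % realm)
        for kdc in entry.get("kdc", []) if isinstance(entry, dict) else []:
            host = kdc.rsplit(":", 1)[0]
            try:
                resolve(host)
            except (socket.error, KeyError):  # unresolvable KDC: net ads join will fail
                problems.append("kdc %r does not resolve" % host)
    return problems
```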
-
Your howto is very interesting but I think I forgot something (excuse me for my English).
When you edit /hosts/20hostname
and write {SystemName}, is it my system name that I must write?
Idem for DomainName: is it the DomainName of the SME server or of AD?
Thanks, I think I am burning.
-
Since this how to is for adding an sme server to a domain, it's goal is to set the domain for the sme server the same as the rest of the computers already in the domain.
It seems the two options you are unsure of choosing from should be identical.
Still, try entering the domain you are trying to add the sme server to (the file is used by kerberos to find the kerberos server = AD server for validation)
Good luck
-
Hi, and thanks for making the HOWTO's to help out us dummies. However I am having some problems getting it to work. Can't work out where I'm supposed to replace System Name, Domain Name etc. Is it only where you have done it, or everywhere. Hope someone can help me out, cause I really need it to work!
-
where I'm supposed to replace System Name, Domain Name
Only replace the following:
delirium.com with yourdomain.com
DELIRIUM.COM with YOURDOMAIN.COM
addc with yourdomaincontroller
172.16.1.2 with the ip of yourdomaincontroller
Things like
${SystemName}.${DomainName}
are scripts, leave them alone, SME will take care of those
Hth
-
When executing command:
/sbin/e-smith/expand-template /etc/nssswitch.conf
I get the following
ERROR: No templates were found for /etc/nssswitch.conf.
at /sbin/e-smith/expand-template line 49 :-?
What is that???
Is it a problem??
-
When executing:
net ads join -U Administrator
I get:
[2006/05/01 17:42:48, 0] libads/kerberos.c:ads_kinit_password(135)
kerberos_kinit_password Administrator@VITTRUP.LOCAL failed: Cannot resolve network address for KDC in requested realm
[2006/05/01 17:42:48, 0] utils/net_ads.c:ads_startup(183)
ads_connect: Cannot resolve network address for KDC in requested realm
Is this because of the previously posted problem??? :oops:
-
kerberos_kinit_password Administrator@VITTRUP.LOCAL failed: Cannot resolve network address for KDC in requested realm
In the /etc/krb5.conf you specify the kdc:
kdc = addc.delirium.com:88
The message tells you the server is unable to locate the above mentioned server. Try doing a lookup on whatever kdc you specified. In the example the following command would show you if dns is failing:
nslookup addc.delirium.com
Next problem:
ERROR: No templates were found for /etc/nssswitch.conf.
at /sbin/e-smith/expand-template line 49
is not a problem. It's a typo.
There are only two s's in nsswitch.conf:
/sbin/e-smith/expand-template /etc/nsswitch.conf
-
Thank you so much for helping. Pls dont give up on me yet !!!
[root@server02 root]# net ads join -U Administrator
Administrator's password:
[2006/05/22 19:31:02, 0] libads/kerberos.c:ads_kinit_password(135)
kerberos_kinit_password Administrator@VITTRUP.LOCAL failed: KDC has no support for encryption type
[2006/05/22 19:31:02, 0] utils/net_ads.c:ads_startup(183)
ads_connect: KDC has no support for encryption type
Look to me, like it finds the kdc but cannot communicate with it...
Any ideas? :roll:
-
Hi all, a very interesting discussion and very helpful.
However, my requirement is the other way around and I need help from you guys.
I have 2 sites that need an authentication servers, so I thought of using SME Server as a PDC-BDC style, where the BDC is going to be deployed at the remote location and will replicate with the PDC at the central office.
I also understand that the Samba has to use an LDAP database at the backend. This might as well do, since the LDAP can also be the address book for Outlook?
Any help is much appreciated.
Cheers.
-
@thomastegl:
I have no idea why an Active Directory controller would give an error like that. Is the Active Directory modified, firewalled, or does it contain any non-standard settings which might apply to authentication encryption types?
You could try kinit, which is a program to acquire a 'ticket' for authentication, which is also the part of the join which seems to fail.
See the manual page for details:
man kinit
@tuxtux:
Although related, your target is beyond the above howto. The first problem which you will run into, is that the SME LDAP directory does not include any passwords, and for that reason is useless, without modification, for authentication. I have had a go at those modifications during my work with OpenXchange, which uses an LDAP backend. You might find some interesting possibilities there.
You mention an LDAP backend for samba, which might be required for your setup, but is really one of many possible backends for samba. The above does use it, since Active Directory is really just a complex form of an LDAP directory.
Directory replication is beyond me, although I believe to have seen some documentation in the past. You should be able to find a howto for either LDAP or samba.
I am familiar with an LDAP addressbook for Thunderbird, not for Outlook. But I suppose it's possible.
-
man kinit
"No manual entry for kinit"
Have ISA-server in system. Don't know if that could be the reason???
Can't find anything else that looks suspicious
-
The only problem I'm experiencing thus far with doing this on 7.0rc1:
root# chown -R 'delirium\username' /home/e-smith/files/users/username
It appears to not even lookup a user.
chown: mydomain/myuser': invalid user
/usr/bin/getent passwd doesn't return any users in AD.
Anyone else successful using a newer version of SME?