Configure RHEL7 machine as client of Active Directory

INTRODUCTION

Non-Windows machines can be configured as Active Directory clients. This blog explains how to configure RHEL7 machine as a client of Active Directory Server.

[Diagram: rhel7_as_ad_client]

The following configuration can be used to set up a RHEL7 client machine as an AD client, for example when you want to use the Spectrum Scale NFS service offering from a RHEL7 client authenticated over Active Directory (AD).

The steps may vary for other client platforms or OS versions. The diagram above summarizes the steps for configuring a RHEL7 machine as an AD client.


DETAILS

This section details the procedure to configure a RHEL7 machine as an AD client. Terms used in the configuration:

  • Active Directory server: 192.168.122.27 (Windows Server 2008 R2 Enterprise)
  • Active Directory domain: EXAMPLE.COM
  • Active Directory user: administrator
  • RHEL client machine: cknode1 (RHEL7.0)

Configure DNS and Install Packages

We need to update two configuration files, /etc/resolv.conf and /etc/hosts, so that the client resolves names through the correct AD server. A few prerequisite packages also need to be installed.

# add the following line to /etc/resolv.conf:
# nameserver <IP address of AD server>
[root@cknode1 ~]# grep nameserver /etc/resolv.conf
nameserver 192.168.122.27
[root@cknode1 ~]#

# also make sure /etc/hosts contains the correct FQDN for the Linux client
[root@cknode1 ~]# grep example /etc/hosts
192.168.122.81 cknode1.example.com cknode1
[root@cknode1 ~]#

# install prerequisite packages
[root@cknode1 ~]# yum install -y samba pam-krb5 samba-client.x86_64 samba-winbind.x86_64 samba-winbind-modules.x86_64 > /dev/null 2>&1
Complete!
[root@cknode1 ~]#


SAMBA CONFIGURATION

Configure Samba so that the RHEL7 machine points to the correct AD server.

# update /etc/samba/smb.conf to name the AD server, i.e. the "password server" parameter
# in short, I updated the following attributes under the [global] section
[root@cknode1 ~]# grep -v ^# /etc/samba/smb.conf

[global]
workgroup = EXAMPLE
password server = 192.168.122.27
realm = EXAMPLE.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false


# while making the changes, I backed up /etc/samba/smb.conf
# the differences after the changes are shown here

[root@cknode1 ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf.19june2015

[root@cknode1 ~]# vim /etc/samba/smb.conf

[root@cknode1 ~]# diff /etc/samba/smb.conf /etc/samba/smb.conf.19june2015
89c89
< ; workgroup = EXAMPLE
---
> workgroup = MYGROUP
91,98c91
< workgroup = EXAMPLE
< password server = 192.168.122.27
< realm = EXAMPLE.COM
< security = ads
< idmap config * : range = 16777216-33554431
< template shell = /bin/bash
< winbind use default domain = false
< winbind offline logon = false
---
>
130,131c123,124
< ; security = user
< ; passdb backend = tdbsam
---
> security = user
> passdb backend = tdbsam
154c147
< ; security = ads
---
> ; security = domain
156c149
< ; realm = EXAMPLE.COM
---
> ; realm = MY_REALM
158c151
< ; password server = 192.168.122.27
---
> ; password server = <NT-Server-Name>
[root@cknode1 ~]#


START SAMBA

Start Samba on the RHEL7 client.

# service smb status
# service smb restart
# service smb status

[root@cknode1 ~]# service smb status
Redirecting to /bin/systemctl status smb.service
smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
Active: inactive (dead)

[root@cknode1 ~]#
[root@cknode1 ~]# service smb start
Redirecting to /bin/systemctl start smb.service
[root@cknode1 ~]#


JOIN THE DOMAIN

[root@cknode1 ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'CKNODE1' to dns domain 'EXAMPLE.COM'
[root@cknode1 ~]# echo $?
0
[root@cknode1 ~]#


UPDATE /etc/nsswitch.conf

Make sure the RHEL7 machine uses winbind to resolve users, i.e. add winbind entries to /etc/nsswitch.conf.

[root@cknode1 ~]# cat /etc/nsswitch.conf| grep win
[root@cknode1 ~]#
[root@cknode1 ~]# cp /etc/nsswitch.conf /etc/nsswitch.conf.19june2015
[root@cknode1 ~]#
[root@cknode1 ~]# vim /etc/nsswitch.conf
[root@cknode1 ~]#
[root@cknode1 ~]# diff /etc/nsswitch.conf /etc/nsswitch.conf.19june2015
33,35c33,35
< passwd: files winbind
< shadow: files winbind
< group: files winbind
---
> passwd: files ldap
> shadow: files ldap
> group: files ldap
39c39
< hosts: files dns winbind
---
> hosts: files dns
[root@cknode1 ~]#
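With both files edited, here is an added pre-flight check that is not part of the original post: a POSIX shell script that parses the [global] section of an smb.conf and the passwd/shadow/group lines of an nsswitch.conf, and reports which of the settings used above (security = ads, realm, password server, the idmap range, winbind in nsswitch) are missing or still commented out. The sample files it writes are constructed to mirror the stock and edited files shown in the diffs, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check of the two
# files edited above. It reads the [global] section of an smb.conf and the
# passwd/shadow/group lines of an nsswitch.conf and reports which settings the
# join needs are missing or still commented out. Sample files are constructed.

# Print the value of key $2 from [global] in smb.conf $1 (commented lines ignored).
smb_global_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return 0 when smb.conf $1 and nsswitch.conf $2 carry what an ADS join via
# winbind needs; otherwise print each problem and return 1.
check_ad_client_config() {
    smb=$1; nss=$2; rc=0
    [ "$(smb_global_value "$smb" security)" = "ads" ] \
        || { echo "smb.conf: 'security = ads' missing or commented out"; rc=1; }
    for key in realm "password server" "idmap config * : range"; do
        [ -n "$(smb_global_value "$smb" "$key")" ] \
            || { echo "smb.conf: '$key' not set in [global]"; rc=1; }
    done
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$nss" \
            || { echo "nsswitch.conf: '$db' does not consult winbind"; rc=1; }
    done
    return $rc
}

# Constructed samples: the edited files from the post, and the stock files they replaced.
SAMPLES=$(mktemp -d)
printf '%s\n' '[global]' 'workgroup = EXAMPLE' 'password server = 192.168.122.27' \
    'realm = EXAMPLE.COM' 'security = ads' 'idmap config * : range = 16777216-33554431' \
    '[homes]' 'browseable = no' > "$SAMPLES/smb.edited"
printf '%s\n' '[global]' 'workgroup = MYGROUP' 'security = user' 'passdb backend = tdbsam' \
    '; security = ads' '; realm = MY_REALM' > "$SAMPLES/smb.stock"
printf '%s\n' 'passwd: files winbind' 'shadow: files winbind' 'group: files winbind' > "$SAMPLES/nss.edited"
printf '%s\n' 'passwd: files ldap' 'shadow: files ldap' 'group: files ldap' > "$SAMPLES/nss.stock"

echo "stock files:";  check_ad_client_config "$SAMPLES/smb.stock"  "$SAMPLES/nss.stock"  || true
echo "edited files:"; check_ad_client_config "$SAMPLES/smb.edited" "$SAMPLES/nss.edited" && echo "ok, ready for net ads join"
```

Point the two arguments at the real /etc/samba/smb.conf and /etc/nsswitch.conf to run the same check before restarting smb and winbind.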


RESTART SAMBA AND WINBIND

Restart the samba and winbind services so that the changes above take effect.

[root@cknode1 ~]# service smb restart
Redirecting to /bin/systemctl restart smb.service
[root@cknode1 ~]#
[root@cknode1 ~]# service winbind start
Redirecting to /bin/systemctl start winbind.service
[root@cknode1 ~]#
[root@cknode1 ~]# service winbind status
Redirecting to /bin/systemctl status winbind.service
winbind.service - Samba Winbind Daemon
Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled)
Active: active (running) since Fri 2015-06-19 01:37:27 EDT; 1s ago
Main PID: 7457 (winbindd)
Status: "winbindd: ready to serve connections..."
CGroup: /system.slice/winbind.service
├─7457 /usr/sbin/winbindd
├─7458 /usr/sbin/winbindd
└─7459 /usr/sbin/winbindd

Jun 19 01:37:27 cknode1 systemd[1]: Starting Samba Winbind Daemon...
Jun 19 01:37:27 cknode1 winbindd[7457]: [2015/06/19 01:37:27.864058, 0] ../source3/winbindd/winbindd_cache.c:3183(initialize_winbindd_cache)
Jun 19 01:37:27 cknode1 winbindd[7457]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jun 19 01:37:27 cknode1 winbindd[7457]: [2015/06/19 01:37:27.970676, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Jun 19 01:37:27 cknode1 systemd[1]: Started Samba Winbind Daemon.
[root@cknode1 ~]#


VERIFY LINUX CLIENT CAN RESOLVE AD USERS

Verify that the RHEL7 client can now resolve AD users.

[root@cknode1 ~]# id example\\autouser1
uid=16777216(EXAMPLE\autouser1) gid=16777216(EXAMPLE\autogroup) groups=16777216(EXAMPLE\autogroup),16777217(EXAMPLE\group2),16777218(EXAMPLE\domain users),16777219(EXAMPLE\group1)
[root@cknode1 ~]#
[root@cknode1 ~]# id example\\administrator
uid=16777217(EXAMPLE\administrator) gid=16777218(EXAMPLE\domain users) groups=16777218(EXAMPLE\domain users),16777220(EXAMPLE\denied rodc password replication group),16777221(EXAMPLE\schema admins),16777222(EXAMPLE\enterprise admins),16777223(EXAMPLE\domain admins),16777224(EXAMPLE\group policy creator owners)
[root@cknode1 ~]#


CONFIGURATION FILES CHANGED

  • /etc/resolv.conf
  • /etc/hosts
  • /etc/samba/smb.conf
  • /etc/nsswitch.conf

DAEMONS REQUIRED

  • smb
  • winbind

LINKS REFERRED

https://wiki.archlinux.org/index.php/Active_Directory_Integration
