#Software#
- acl
- attr
- samba
- krb5-config
- krb5-user
- ldap-utils
- nscd
- nslcd
- ntp
- ntpdate
- sasl2-bin
- kstart
- libsasl2-modules-gssapi-mit
- libpam-krb5
#Steps#
- Install the prerequisite software.
- Configure NTPd to sync with the AD server
    - Edit /etc/ntp.conf
    - Stop ntpd ( service ntp stop )
    - ntpdate {adserver}
    - Start ntpd ( service ntp start )
- Create a DNS host entry with the AD suffix.
- Configure Kerberos
    - Edit /etc/krb5.conf to match your environment. I find it useful to clean out all of the realms that come preconfigured. You should not need to do this, but there is no point in keeping them, unless you intend to offer them as authentication endpoints.
    - Test that it works with kinit and a known account
- Create an account for the host in AD
    - In AD Users and Computers, create an account for the host using the hostname
    - Create a very secure password and make it non-expiring
    - Map the host/ service principal to the user account
- Create a keytab
    1. On a Windows AD server, create the keytab and map the user to a principal
       > ktpass -princ host/{hostname}.{ad_fqdn}@{ad_fqdn} -mapuser {ad_domain}\{username} -pass "{password}" -ptype KRB5_NT_PRINCIPAL -crypto ALL -out (unknown)
    2. Copy the keytab to the host
    3. Test the keytab
       kinit -k -t /path/to/keytab
       klist
- Set up nslcd and k5start
    - Copy nslcd-kerberos.conf and nslcd.conf to /etc/init/.
    - Configure nslcd, see example-nslcd.conf
    - Start nslcd
      service nslcd start
    - Check that /tmp/host.tkt exists.
- Configure nsswitch
    - Edit /etc/nsswitch.conf and add ldap to the end of the passwd and group lines.
    - Test with getent passwd
      getent passwd
      You should see the Active Directory users, each with a unix uid, at the bottom of the list.
    - Run pam-auth-update and disable LDAP Authentication
      pam-auth-update
    - Create home directories for the AD users.
      cp -r /etc/skel/ /home/$USERNAME
      chown $USERNAME:$GROUP -R /home/$USERNAME
- Update sshd to accept Kerberos tokens for single sign-on authentication
    - Edit /etc/ssh/sshd_config
    - Uncomment, add and set GSSAPIAuthentication and GSSAPICleanupCredentials to yes
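A post-join sanity check for the nsswitch, sshd_config and keytab settings above, added here as an example (not part of the original notes). It assumes GNU stat and runs against constructed sample files standing in for the real /etc paths; the live checks (kinit -k, getent passwd) are left to the steps themselves.

```shell
#!/bin/sh
# Added post-join sanity check (not from the original notes). It assumes
# GNU stat and the file paths used in the steps (/etc/nsswitch.conf,
# /etc/ssh/sshd_config, the keytab); constructed sample files stand in for
# them so the script runs offline.

# nsswitch: "ldap" must be the last source on the passwd and group lines.
nsswitch_has_ldap() {
    for db in passwd group; do
        grep -E "^${db}:.*[[:space:]]ldap[[:space:]]*$" "$1" >/dev/null || return 1
    done
}

# sshd_config: both GSSAPI directives uncommented and set to yes. sshd takes
# the first occurrence of a keyword, so only the first match is inspected.
sshd_gssapi_enabled() {
    for key in GSSAPIAuthentication GSSAPICleanupCredentials; do
        val=$(grep -iE "^[[:space:]]*${key}[[:space:]]+" "$1" | head -n 1 \
              | awk '{print tolower($2)}')
        [ "$val" = "yes" ] || return 1
    done
}

# The keytab is equivalent to the host's password: it must exist and be
# readable by root only (mode 0600).
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Constructed sample inputs (not real system files).
WORK=$(mktemp -d)
printf 'passwd: compat ldap\ngroup:  compat ldap\nshadow: compat\n' > "$WORK/nsswitch.good"
printf 'passwd: compat\ngroup:  compat\n' > "$WORK/nsswitch.bad"
printf '# GSSAPI options\nGSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\n' > "$WORK/sshd.good"
printf '#GSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\n' > "$WORK/sshd.bad"
: > "$WORK/host.keytab";  chmod 600 "$WORK/host.keytab"
: > "$WORK/world.keytab"; chmod 644 "$WORK/world.keytab"

# Report on the samples when run directly.
for t in "nsswitch_has_ldap $WORK/nsswitch.good" "nsswitch_has_ldap $WORK/nsswitch.bad" \
         "sshd_gssapi_enabled $WORK/sshd.good" "sshd_gssapi_enabled $WORK/sshd.bad" \
         "keytab_is_private $WORK/host.keytab" "keytab_is_private $WORK/world.keytab"; do
    if $t; then echo "PASS: $t"; else echo "FAIL: $t"; fi
done
```

Point the three functions at /etc/nsswitch.conf, /etc/ssh/sshd_config and the copied keytab to check a real host.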