Join CentOS to a Windows Domain
3/26/2012 update: I've now done this on CentOS 6.2 as well.
Since I've had to do this a number of times in the last few months, I thought I should post this here so I can't forget it.
Here's some specifics on what I'm using:
- Windows Server 2008 R2
- As dc1.devexample.com (192.168.0.201)
- As Primary Domain Controller of devexample.com
- As Windows Server 2008 R2 forest functional level
- CentOS 5 / CentOS 6
- As app01.devexample.com (192.168.0.203)
- Samba 3.5.6 / Samba 3.6.3
- An internet connection. If you are not going to have an internet connection, you'll want to pre-download the files you'll need. I suggest using 'yum downloadonly' to get them.
The first thing I need to do is take on great responsibility, so for that I'm going to need great power: let's add my account to the sudoers list.
    su -
    EDITOR=nano visudo
That's better. Now we can stop acting as root.
    exit
Now that I can tell the operating system what to do, let's update it.
While that downloads and installs, let's add /sbin and /usr/sbin to your path. These directories hold a lot of commands that need to be run by root. Since we're going to "sudo" a lot of these commands later, having them in our path will save us from having to fully qualify the path all the time (e.g. /usr/sbin/something -arg -foo).
    nano ~/.bash_profile
Now is also a good time to update our hostname and network settings. On your network at home, you probably just let DHCP assign you an IP address. In a kerberized network environment, though, you'll want to assign your computers a static IP address (with matching forward and reverse DNS records, which we'll create on the domain controller later).
    sudo nano /etc/sysconfig/network
and then create an entry for that hostname in your hosts file...
    sudo nano /etc/hosts
And now, assuming that you're using eth0 as your ethernet device,
    sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0
Since you're configuring everything statically instead of relying on DHCP, you need to configure your DNS server(s) manually too. Point them at the domain controller's DNS: Active Directory clients locate the KDC and the domain controllers through DNS SRV records (for example _kerberos._tcp.devexample.com), so a box that can't resolve those won't get far.
    sudo nano /etc/resolv.conf
Finally, before we reboot, let's configure our network time protocol (NTP) client. KERBEROS WILL NOT WORK unless the computers involved (KDC, server, client) have synchronized clocks. The default maximum tolerated clock skew is 5 minutes; anything beyond that and Kerberos authentication will fail.
Configuring NTP correctly is actually not as easy as it should be. I don't understand why "hey go sync your clock with that guy over there every so often" requires so much work, but it does. I found a good tutorial over here, which I will now distill for you.
We're going to completely replace the existing configuration, so you should rename it to a backup file.
    sudo mv /etc/ntp.conf /etc/ntp.orig
And then we can create our own:
    sudo nano /etc/ntp.conf
We're not done! Next, a separate ticker file must be created that lists the servers.
    su -
    awk '/^server/ {print $2}' /etc/ntp.conf | grep -v '127.127.1.0' > /etc/ntp/step-tickers
And then! We need to sync our clock and then configure the OS to sync every time it boots.
(assuming you're still running as root from the last step)
    ntpdate -u dc1.devexample.com
    chkconfig --level 345 ntpd on
Whew, all that just for clock synchronization! Now we can stop acting as root:
    exit
Our server is now configured as app01.devexample.com, is set to have the IP address 192.168.0.203, and will sync its clock with the domain controller.
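Before moving on, it's worth scripting the two things this section sets up and Kerberos silently depends on: clock skew against the domain controller and forward/reverse DNS that agree on what this box is called. The script below is an added example, not part of the original post. It assumes the hostnames used throughout (dc1.devexample.com, app01.devexample.com), queries the DC's time with ntpdate -q rather than stepping the clock, and when run without --live only exercises its functions on constructed sample data so it can be read and tried anywhere.

```shell
#!/bin/sh
# Pre-join sanity checks for a CentOS box about to join an AD domain.
# Added example, not from the original post. Hostnames are the post's
# (assumptions); change them for your network. Run with --live to query
# the real DC; without it only the offline functions run on sample data.

DC_HOST="dc1.devexample.com"
MAX_SKEW=300   # Kerberos' default tolerated clock skew, in seconds

# Pull the "offset <seconds>" field out of an `ntpdate -q` summary line, e.g.
#   server 192.168.0.201, stratum 2, offset -0.013244, delay 0.02579
ntp_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if |offset| is within the tolerated skew, 1 otherwise.
# awk does the floating-point comparison that sh cannot.
skew_ok() {
    awk -v off="$1" -v max="${2:-$MAX_SKEW}" \
        'BEGIN { if (off < 0) off = -off; exit ((off <= max) ? 0 : 1) }'
}

# Forward and reverse DNS must agree: name -> IP -> the same name.
# Arguments: our name, the IP the forward lookup returned, the name the
# reverse lookup returned. DNS names are case-insensitive; a trailing dot
# on the reverse answer is ignored.
dns_consistent() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    back=$(printf '%s' "$3" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$2" ] && [ "$name" = "$back" ]
}

# The realm in krb5.conf must be upper case. Takes the file contents as text
# and returns 0 if default_realm is present and entirely upper case.
realm_uppercase() {
    realm=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1)
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]
}

live_checks() {
    # Query (do not set) the DC's clock and compare.
    line=$(ntpdate -q "$DC_HOST" | head -n 1)
    off=$(ntp_offset "$line")
    if skew_ok "$off"; then echo "clock skew ${off}s: OK"; else echo "clock skew ${off}s: TOO LARGE"; fi
    # Resolve ourselves forward and back through the system resolver.
    me=$(hostname -f)
    ip=$(getent hosts "$me" | awk '{print $1; exit}')
    back=$(getent hosts "$ip" | awk '{print $2; exit}')
    if dns_consistent "$me" "$ip" "$back"; then echo "DNS for $me: OK"; else echo "DNS for $me: mismatch ($ip -> $back)"; fi
    # The KDC SRV record is how clients find the domain controllers.
    if host -t SRV "_kerberos._tcp.$(hostname -d)" >/dev/null 2>&1; then echo "KDC SRV record: OK"; else echo "KDC SRV record: NOT FOUND"; fi
    if realm_uppercase "$(cat /etc/krb5.conf)"; then echo "krb5 realm case: OK"; else echo "krb5 realm case: NOT UPPER CASE"; fi
}

case "${1:-}" in
    --live) live_checks ;;
    *)
        # Constructed sample ntpdate output so the functions can be tried offline.
        sample='server 192.168.0.201, stratum 2, offset -0.013244, delay 0.02579'
        off=$(ntp_offset "$sample")
        if skew_ok "$off"; then echo "sample offset ${off}s is within ${MAX_SKEW}s"; fi
        ;;
esac
```

Run it as ./prejoin-check.sh --live on the box after the reboot; a skew report in the hundreds of seconds or a forward/reverse mismatch is worth fixing before you touch samba at all, because the errors you get later from net ads join and winbind are far less informative.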
Let's do one last thing while your OS is updating: set the firewall and SELinux policies. The first time I attempted to join a CentOS box to the domain, I pulled my hair out for a couple of days trying to debug this error: "bind failed on pipe socket /var/lib/samba/winbindd_privileged/pipe: Permission denied". I've only discovered one thing that will make this error go away: SELinux settings. You can either set the system SELinux policy from "Enforcing" to "Permissive", or you can keep it as "Enforcing" but turn off all samba protection. Up to you and your requirements, but for this blog post I'm going to set SELinux to "Permissive". Before you settle for that on a production box, remember that permissive mode still logs every denial to /var/log/audit/audit.log, so you can see exactly what winbindd was refused (ausearch -m avc -c winbindd), check whether the files under /var/lib/samba simply carry the wrong labels after installing samba from a third-party package (restorecon -Rv /var/lib/samba relabels them), and otherwise turn the logged denials into a small local policy module (audit2allow -M local, then semodule -i local.pp) instead of giving up enforcement for the whole system.
Open System > Administration > Security Level and Firewall and allow samba through the firewall on the "Firewall Options" tab. Strictly, joining the domain and authenticating users only needs outbound connections from the CentOS box to the domain controller (DNS, Kerberos, LDAP and SMB); the inbound samba ports only have to be open if this box is going to serve shares.
Then go to the "SELinux" tab and change the setting to "Permissive" and apply the changes.
If you haven't installed an X server, you can just edit /etc/selinux/config and set
    SELINUX=permissive
(setenforce 0 switches the running system over without a reboot; the config file is what makes it stick.)
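Reading the denials is what lets you choose between relabelling and a targeted policy module. The script below is an added example, not from the original post: it reduces raw AVC lines from /var/log/audit/audit.log to the fields that matter and applies a simple heuristic to each. The sample line is constructed to resemble the winbindd pipe failure quoted above; the permission, object class and labels on a real system may differ, so feed it your own ausearch -m avc output.

```shell
#!/bin/sh
# Summarise SELinux AVC denials so a targeted fix can be chosen instead of
# switching the whole system to permissive. Added example, not from the
# original post. SAMPLE is constructed, not captured from a real system.

# Extract one key=value field (comm, pid, scontext, tcontext, tclass, ...)
# from a raw audit line; the value may or may not be double-quoted.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Reduce an AVC line to "comm perms source_type target_type tclass".
# The SELinux type is the third colon-separated field of a context, and
# several denied permissions ({ read write }) are joined with commas so the
# summary stays a single whitespace-separated record.
avc_summary() {
    comm=$(avc_field "$1" comm)
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' | tr -s ' ' ',' | sed 's/^,//; s/,$//')
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    tclass=$(avc_field "$1" tclass)
    printf '%s %s %s %s %s\n' "$comm" "$perm" "$stype" "$ttype" "$tclass"
}

# Heuristic: a generic/default label on the target (var_lib_t, var_t, ...)
# means the file never got its samba-specific label, which restorecon fixes;
# a samba/winbind label means policy genuinely forbids the access, so build
# a local module from the denial (or switch on a matching samba boolean)
# rather than disabling enforcement.
avc_advice() {
    set -- $(avc_summary "$1")
    case "$4" in
        var_lib_t|var_t|usr_t|default_t|unlabeled_t|file_t)
            echo "label: $4 on a $5 used by $1; try restorecon -R on its directory" ;;
        *)
            echo "policy: { $2 } $3 -> $4:$5 is denied by policy; audit2allow -M local (or check getsebool -a | grep samba)" ;;
    esac
}

# Constructed sample line (assumption: shaped like the winbindd pipe failure).
SAMPLE='type=AVC msg=audit(1332792000.123:456): avc:  denied  { create } for  pid=1234 comm="winbindd" name="pipe" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file'

avc_summary "$SAMPLE"
avc_advice "$SAMPLE"
```

On a live box, pipe the real thing through it: ausearch -m avc -c winbindd | grep '^type=AVC' | while read -r l; do avc_advice "$l"; done. If every line comes back as a label problem, relabel and leave enforcing on; if not, the generated local module is still a far smaller hole than permissive mode.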
That's it for now: go have a coffee. Or a beer. When the update is finished, reboot. I'll wait right here for you. (P.S. - if you can't get to the internet when you come back, make sure your /etc/resolv.conf still has our custom entries in it!)
Welcome back!
We've already come a long way together and we haven't even begun to join our box to the domain, have we? For this reason, you might want to consider tools like Centrify or Likewise-Open. I've never used either of them myself, but I'm a fan of the group policy and auditing capability that they advertise. Even after you finish following all of my steps, you're still not going to have those two capabilities.
It's finally time to download and install samba. At http://enterprisesamba.org, you'll find already-compiled binaries of the latest samba for CentOS 5.5 (and CentOS 6 too). These instructions assume you have a connection to the interwebs, so if you don't you'll need to pre-download these files and put them into the correct location yourself.
The enterprise samba site provides a yum repository so that you can install their binaries via the yum command line. Here's how you install the repository:
    cd /etc/yum.repos.d
    sudo wget http://ftp.sernet.de/pub/samba/3.5/centos/5/sernet-samba.repo   # if centos 5
    sudo wget http://ftp.sernet.de/pub/samba/3.6/centos/6/sernet-samba.repo   # if centos 6
Before you install anything from it, open the .repo file you just downloaded and make sure it has gpgcheck=1 and a gpgkey line, and that you're happy trusting that key: this is your authentication stack, and you're about to install it from a third-party repository whose definition you fetched over plain HTTP. Now that you have the repository installed, you can install samba:
    sudo yum install samba3 samba3-client samba3-winbind libsmbclient0 libwbclient0
yum will figure out all the dependencies, which you should accept.
Okay! Let's configure pam, nsswitch, samba, and kerberos! I'm going to use the built-in GUI that comes with CentOS 5.5, but I'll also post screenshots of the files that get updated by the GUI so you can edit the files manually if you aren't running X.
NEW CENTOS 6 INSTRUCTIONS!! If you are running CentOS 6 instead of CentOS 5, do not use the GUI as I just suggested. Instead, let's use the authconfig command-line tool to get everything correct.
    sudo authconfig --enablekrb5 --krb5realm=DEVEXAMPLE.COM \
        --krb5kdc=dc1.devexample.com --krb5adminserver=dc1.devexample.com \
        --enablekrb5kdcdns --enablekrb5realmdns \
        --enablewinbind --enablewinbindauth --smbsecurity ads \
        --smbworkgroup=DEVEXAMPLE --smbrealm DEVEXAMPLE.COM \
        --smbservers=dc1.devexample.com \
        --smbidmapuid=16777216-33554431 --smbidmapgid=16777216-33554431 \
        --winbindseparator=+ --winbindtemplatehomedir=/home/%U \
        --winbindtemplateshell=/bin/bash \
        --enablewinbindusedefaultdomain --enablewinbindoffline \
        --enableldap --ldapserver=ldap://dc1.devexample.com:389 \
        --ldapbasedn=dc=devexample,dc=com --disableldaptls \
        --enablemkhomedir --enablepamaccess --enablesysnetauth \
        --disablesssd --disablesssdauth \
        --winbindjoin=Administrator --nostart --update
This will ask you for the domain administrator's password and immediately join you to the domain. If you have your own domain administrator account that isn't 'Administrator', change --winbindjoin=Administrator to your account name. Only do this if your account is a domain admin (strictly, any account that has been delegated the right to create computer objects in the domain will do). Two things worth knowing about the files this generates: --smbservers pins password server in /etc/samba/smb.conf to dc1, so if you want winbind to find domain controllers through DNS and fail over, as I recommend for the CentOS 5 GUI below, change that line to password server = * afterwards; and the --enableldap/--disableldaptls pair adds an unencrypted LDAP source to nsswitch that winbind makes redundant (winbind is what resolves users and groups here), so you can leave those flags out if you'd rather not have LDAP queries going out in the clear.
This ought to have joined you successfully to the domain, in which case you only need to add an entry into DNS on your Windows Domain Controller before you're completely done. See my instructions below on how to add a DNS entry.
END OF CENTOS 6 INSTRUCTIONS.
Open your Authentication Configuration GUI from System > Administration > Authentication.
Check "Enable Winbind Support" and then "Configure Winbind". Here are the settings I'm using - you'll want to replace them with your own, obviously. Don't click "Join Domain" - you have more configuring before you're ready to do that!
It's important that your winbind ADS realm is in ALL UPPERCASE. Notice that the winbind domain doesn't have .com after it: DEVEXAMPLE is the NetBIOS name of the domain, which is what winbind wants. Also notice that I've set Winbind Domain Controllers to a star (*). This will make winbind use DNS to look up the domain controllers for the devexample.com domain. This is recommended because if you set it to dc1.devexample.com and that server dies, your CentOS box won't automatically go to the backup domain controller. Also, if you want to do things like kerberize JBoss, you need winbind to use DNS to look up the domain controller, because otherwise Java will construct an incorrect service principal name when it tries to bind to LDAP.
Click OK and go to the Authentication tab. Check "Enable Kerberos Support" and then "Configure Kerberos...". Here's what my settings look like.
It's important that the REALM be in ALL UPPERCASE. Click OK. Now check "Enable Winbind Support" and "Configure Winbind...". Again, here are my settings. Again, don't click "Join Domain".
Click OK and then go to the options tab. Here's what I have for that tab:
Click OK to close out the GUI. We're almost done! The reason that we didn't click "Join Domain" at all was because we still have a little bit of configuration and cleanup to do before we attempt domain joining.
There's nothing that needs to be done in your /etc/nsswitch.conf file, but I'm including it here in case you are running a headless server and need to edit it yourself. The lines that matter are passwd: files winbind and group: files winbind, which are what make the OS ask winbind about any user or group it doesn't know locally.
First, we need to add some parameters to the pam configuration file, /etc/pam.d/system-auth. Just a few lines up from the bottom of the file, find:
    session     optional      pam_mkhomedir.so
and add the parameters skel=/etc/skel umask=0027:
    sudo nano /etc/pam.d/system-auth
What did you just do? When new domain users log onto your CentOS box for the first time, their home directory will be created, its contents will be copied from /etc/skel, and the permissions on the new user's home directory will be reasonable: umask=0027 makes it mode 0750, readable by the user's group but not by everyone else on the box, whereas pam_mkhomedir's default of 0022 would leave it world-readable.
Next, let's clean up our kerberos configuration file. Even though you just used the GUI to configure kerberos for your domain, /etc/krb5.conf still has "fake" entries for example.com that we should remove. Look at the image below to see the final state of my krb5.conf file.
Finally, let's edit our samba/winbind configuration. Here's my final state:
These are the lines that I added or changed:
template homedir = /home/%U: This tells the system to create home directories for new domain users in /home/[username]. This is nice and clean and lives side-by-side with local users. Because of this, if you're going to have local system users or if your domain forest has more than one domain in it, you'll want to set this to /home/%D/%U instead. That way, there will be no chance of name conflicts. None of those caveats apply to my example, so I used the simpler option (/home/%U).
winbind enum users / winbind enum groups: These cause the 'getent passwd' and 'getent group' commands to include domain users and groups in their output. That's handy for checking that winbind works, but each enumeration walks the entire domain, so on a large domain turn them back off once you're done debugging; lookups of individual names (id DOMAIN+user, getent group 'domain admins') don't need them.
winbind separator: You know how on Windows your domain account can be represented as DOMAIN\user? Well, using a backslash as a separator can cause real problems in Linux, or at least headaches and confusion. So what I've done is configure the separator to be the plus symbol (+), because it has far fewer issues in Linux (actually, I've never had any). Domain users will now log onto your CentOS box as DOMAIN+user. Any scripts that reference domain users or groups will also use DOMAIN+user.
winbind use default domain = true: When this is set to true, I can log into my CentOS box with domain accounts without having to prefix the username with DOMAIN+. If your users will be logging in from multiple domains in equal proportion, you probably don't want to set this to true.
    sudo chkconfig --level 345 smb on
    sudo chkconfig --level 345 winbind on
We are getting so close to the end! Before we join to the domain, let's configure our sudoers list so that Domain Admins can execute commands as root.
    su -
    EDITOR=nano visudo
    exit
Be clear about what that line means: every member of Domain Admins is now root on this box, so a compromised AD admin account is a root shell here. Many shops give Linux sudo rights to a separate, smaller AD group instead. That's it for configuring your CentOS box for membership in an AD domain. You have one more thing to do before joining: create a DNS entry on your domain controller!
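Because the group name contains a space, the sudoers entry needs escaping, which is the mistake most people make at this step (the comments below have an example). The following shell script is an added example, not the post's own sudoers file: it builds the entry from a winbind group name using the post's separator (+) and NetBIOS domain (DEVEXAMPLE), and hands it to visudo -c -f for a syntax check when visudo is installed. The user name DEVEXAMPLE+jruiz in the comments is a placeholder.

```shell
#!/bin/sh
# Build and syntax-check a sudoers entry for an AD group resolved through
# winbind. Added example, not from the original post. Assumes the post's
# settings: winbind separator "+" and NetBIOS domain DEVEXAMPLE, and that
# the group name is whatever `getent group` prints on this box (with
# "winbind use default domain = true" that can be just "domain admins").

# Escape the characters sudoers treats specially inside a name: spaces
# (AD group names such as "Domain Admins" contain one), backslashes (the
# reason the post uses "+" as the separator in the first place) and the
# punctuation sudoers reserves.
sudoers_escape() {
    printf '%s' "$1" | sed 's/[ !=:,()@\\]/\\&/g'
}

# Produce "%GROUP HOSTS=(RUNAS) COMMANDS"; the defaults give the group
# unrestricted root, which is what the post's screenshot does.
sudoers_line() {
    printf '%%%s %s=(%s) %s\n' "$(sudoers_escape "$1")" "${2:-ALL}" "${3:-ALL}" "${4:-ALL}"
}

# Write an entry to a temporary file and let visudo parse it (-c check,
# -f file) so a typo never reaches /etc/sudoers. Returns visudo's status;
# if visudo is not installed the check is skipped with a notice on stderr.
sudoers_check() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found, syntax not checked" >&2; return 0; }
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    visudo -c -f "$tmp" >/dev/null 2>&1; rc=$?
    rm -f "$tmp"
    return $rc
}

# Before trusting the entry, confirm the group actually resolves on the
# joined box, otherwise the line matches nobody:
#   getent group 'DEVEXAMPLE+Domain Admins'   # or just 'domain admins'
#   id 'DEVEXAMPLE+jruiz'                      # hypothetical user
line=$(sudoers_line 'DEVEXAMPLE+Domain Admins')
echo "$line"
if sudoers_check "$line"; then echo "sudoers syntax OK"; else echo "sudoers syntax BAD"; fi
```

Paste the printed line into visudo, or narrow it: sudoers_line 'DEVEXAMPLE+Linux Admins' ALL root '/usr/bin/yum' produces an entry that only lets that group run yum as root, which is a much better shape for an AD-wide admin group than ALL.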
Log onto your Windows domain controller and open up your DNS Manager from Administrative Tools. First, you're going to create a reverse lookup zone (if one doesn't already exist), then you're going to add an A entry for your CentOS box.
If you don't have a reverse lookup zone, follow these instructions to create one. When you're done, your DNS Manager ought to look like this:
Now, create an A record for your CentOS box:
IT'S TIME! (Unless you are using CentOS 6, in which case you've already joined to the domain. Skip the join command here, but definitely reboot even on CentOS 6)
Back on your CentOS box, join to the domain:
    su -
    net ads join -U Administrator osName="CentOS" osVer="5.5"
net will prompt you for the password. Don't be tempted to put it on the command line (-U Administrator%password): it would end up in your shell history and be visible in the process list while the join runs. Before rebooting, confirm that the machine account actually works: net ads testjoin should report that the join is OK, and wbinfo -t checks the machine account's trust secret against the domain controller.
Reboot! Reboot! When your CentOS box comes back up, login as a domain user. GOGOGO!
While you're rebooting your CentOS machine, go back to your domain controller and notice that there's now an APP01 entry in your "Active Directory Users and Computers" MMC.
Once your CentOS box comes back up, login with a domain user account and see that it knows who you are and what groups you're a member of.
You have successfully joined CentOS to your Windows domain!
Awesome Tutorial! I just installed my first ever CentOS box and this was the first thing I wanted to accomplish, Thanks! Definitely couldn't have done it without your help/knowledge/blog_post
Hi, really, it's good help for me, thanks.
I need one more help: how to give the samba share folder access, add user, delete user from Windows?
Example:
I have shared one data folder from Linux, then I open the data folder from Windows and add some subfolders like admin, sales. I need to access from Windows for the admin group and sales group from ADS.
I haven't tried it, but it looks so great.
Thanks
@Josephnetworks - sorry about your comment: it got marked as spam and I just now saw it.
I think you might want to look at these two links:
http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html
I hope that helps.
CentOS 6.2 Samba 3.6.3
service winbind start doesn't start winbindd.
In log.winbindd:
[2012/03/15 16:46:48.715072, 0] lib/util_sock.c:1369(create_pipe_sock)
bind failed on pipe socket /var/lib/samba/winbindd_privileged/pipe: Address already in use
Can you help, or give a link for docs?
Thanks
"Address already in use" means that something is already bound on the ports that winbind uses. Typically, that means that winbind is already running. In that case, you'll want to use service winbind restart.
If your old instance of winbind got messed up and crashed but didn't release the port, you might have to kill -9 winbind.
Good luck
Great Tutorial John!
Just one issue on the last bit concerning "sudoers" configuration.
My domain is "EMEA.ABC.YZ.COM" and my domain admin group via AD is called "emea-abc-xyz-sysadmins". So I tried the following configuration in "sudoers":
%EMEA.ABC.YZ.COM+Domain\emea-abc-xyz-sysadmins ALL=(ALL) ALL
However, when I try to do something like "sudo nano /etc/sudoers", I get asked for the root password but it always fails :-(
I even tried the following 2 different lines, both failing as well:
%EMEA.ABC.YZ.COM+Domain\\emea-abc-xyz-sysadmins ALL=(ALL) ALL
%EMEA+Domain\\emea-abc-xyz-sysadmins ALL=(ALL) ALL
Any ideas?
Thanks,
Mike
Hi Mike,
I'm really glad that you found the tutorial useful. I see what your error is, yes.
If you look closely at my screenshot of the sudoers file, you'll notice that what I'm doing is giving Domain Admins sudo privileges. Since domain admins is a group in AD, I prepend the entry with % (percent). So far, so good, right?
Ok, now notice that the reason that I have Domain\ Admins is because I'm escaping the space in the name "Domain Admins". So my entry takes the format: %REALM+group.
So what you want for your entry is: %EMEA.ABC.YZ.COM+emea-abc-xyz-sysadmins
That should do it for you.
Thanks John. This fixed the issue!
Regards,
Mike
Hi, I have CentOS 6.2. After reboot I can't log in to the domain; I keep getting authentication failure. I have tried \, user@, etc... I either get Error in Service Module when using only the username, otherwise I get Authentication Failure.
Thanks,
Ron
I should have clicked preview.
I tried the various formats of a username for Windows...
When I use only the username I get Error in Service Module. All others give me Authentication Error.
Thanks again...
Ron, that's pretty strange. I've followed these instructions 4 times on vanilla CentOS 6 boxes now, so I'm certain they work. My best guess, therefore, is that you missed a step? Are you working from a vanilla install too? I'm really sorry, but "Error in Service Module" doesn't mean anything to me. My best advice is to re-install and start over again.
If you found any part of my instructions hard to understand, let me know and I'll try to make them clearer, ok?
Sorry for the late response. I overlooked and didn't try +. Maybe highlight that part of the doc.
Thank you!
Great article! I have never worked on CentOS at all. Strictly a MS windows admin. Went through these steps and voila! worked like a charm. Thanks for a great article - keep up the work.
BTW - read this article http://www.serverwatch.com/trends/article.php/3884621/From-Obsolete-Servers-to-Private-Cloud-in-3-Easy-Steps.htm
Now I'm going to try to cluster two CentOS systems - both have the same exact HW. I need a good article on that. Any help would be great!!
Hello, I joined CentOS 6.2 to Windows Server 2008 R2 successfully, and network access by a domain user from Windows XP works, but when I open the shared folder it says "access is denied". Can you help me with this problem?
Ron Duong, is the shared folder on Windows XP or on CentOS? If it is on CentOS, what does your smb.conf look like, and what are the unix file permissions of the share folder?
Hello John Ruiz, the shared folder, named public, is on CentOS. The permission of the shared folder is
drwxrwxrwx. 2 root root 4096 Apr 4 15:12 public
My smb.conf: (tinhoc is a domain group of Windows Server 2008; I access it as DULICHDAINAM\loit from Windows XP, which is a member of group tinhoc)
[global]
workgroup = DULICHDAINAM
realm = DULICHDAINAM.COM
server string = Samba Server Version %v
security = ADS
password server = dcsrv.dulichdainam.com
log file = /var/log/samba/log.%m
max log size = 50
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
winbind offline logon = Yes
cups options = raw
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff
[public]
path = /public
valid users = +tinhoc
write list = +tinhoc
John Ruiz, the shared folder, named public, is on CentOS. The permission is
drwxrwxrwx. 2 root root 4096 Apr 4 15:12 public
My smb.conf is
[global]
workgroup = DULICHDAINAM
realm = DULICHDAINAM.COM
server string = Samba Server Version %v
security = ADS
password server = dcsrv.dulichdainam.com
log file = /var/log/samba/log.%m
max log size = 50
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
winbind offline logon = Yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[public]
path = /public
valid users = +tinhoc
write list = +tinhoc
tinhoc is a domain group in AD. I access CentOS (from WinXP) as DULICHDAINAM\loitt (loitt is a member of the tinhoc group) and that is OK, but when I open the public folder I receive "access is denied".
Please help me with this problem.
Hello John Ruiz, I resolved this problem. I forgot to disable SELinux, so I could not access the folder. Thanks.
Thank you so much, I was looking for a good tutorial for CentOS 6 for quite a while and had to revert some snapshots until I found you :)
Thanks for your help... I'm an Oracle DBA and I tried following other steps... nothing worked... but these steps worked well... I am also a blogger... will create a deployment... and I will be using your page as my reference... thanks...
ReplyDeleteDear John,
When I'm trying to log in with my domain username and password it says "System Administrator has been Disabled your Account"
Also I'm failing to edit /etc/sudoers, as it says 'Read Only' once I save the file.
Please help me on this as I'm little bit stuck here
Thank You
Chathura -
Sorry to hear that you're having problems.
First, the reason you can't save your /etc/sudoers file is because you're not root. Did you successfully run "su -" before trying to run the "visudo" command?
The error message you're getting when you log in with your domain username and password doesn't make any sense - it's not a grammatically correct sentence. Could you please copy it more precisely? Also, are you trying to log in with DOMAIN+username, or just with username?
Dear John,
Thanks for your support in this regard. I just installed a fresh copy, did the above steps again, and I successfully joined the CentOS box to the Windows domain environment.
But I have another issue: I'm trying to use CentOS 5.8 as my company file server.
Could you please let me know how I manage the shares with Windows user permissions?
Your support regarding this is highly appreciated.
Hey John,
Thanks for the write-up. I followed it on a test DC and CentOS 6 VM I spun up before I try it on a company production server. I am a noob at Linux, mainly a Windows Server guy. I am unable to log in to the CentOS box; I keep getting authentication failed.
username@testdc.com
username@testdc01.testdc.com
TESTDC01\username
Thanks for any assistance in advance.
Hi Ruchirp,
Did you try Centryfidc to join the Linux box to the AD environment?
It has worked for me.
RuchirP,
If you followed my steps, then the separator character between the domain and the username is the plus sign (+), not the backslash that you're used to on windows (\). This is because linux can have all sorts of issues with backslashes, but is typically pretty good with the plus sign.
Thanks! The domain+username did the trick.
Hello John,
Thank you for this tutorial, I followed the advice and everything works well.
Just a problem: when I create a share, I can get inside it but I cannot create a "new file".
I should also like to manage the rights from Windows Server 2003.
To make myself understandable:
Adding users of the domain to the file from Windows. But it does not work.
Here is my smb.conf:
[global]
w
t
#--authconfig--start-line--
# Generated by authconfig on 2013/02/05 17:41:25
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = EPHAD
password server = *
realm = EPHAD.LAN
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
template homedir = /home/%U
winbind enum users = true
winbind enum groups = true
winbind separator = +
winbind use default domain = true
winbind offline logon = true
nt acl support = yes
inherit acls = Yes
map acl inherit = Yes
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
inherit permissions = Yes
#--authconfig--end-line--
; printing = cups
printcap name = cups
load printers = yes
[administration]
valid users=Mydomain\Administrateur
comment="Fichiers Administration"
path=/volume
browseable=yes
public = yes
writable = yes
printable = no
nt acl support = yes
Thanks John.
Nice tutorial, John. It fully works for me. But how to do it the other way round, i.e. how to add a Windows machine into a Linux domain (Samba DC/LDAP DC)?
Haha. Good luck! It's supposedly possible with Samba 4, but I'll believe it when I see it.
Hello John,
I've followed your steps but unfortunately am having trouble logging in as a domain user. I have tried using DOMAIN\user and DOMAIN+user (following your previous comment) but I still get "Access Denied".
As this is fairly generic, where should I begin troubleshooting? I can post my config files (or a section thereof) if you need.
Thanks in advance,
Ben
Hi Ben. Without looking at any logs at all, my best guess is that there's something going on with the trust relationship between your CentOS box and your domain controller. There's a number of tests that you can run to check that your trust is setup correctly. Here's a good resource that I just found: http://cainmanor.com/tech/basic-samba-active-directory-troubleshooting-using-wbinfo/ I'll bet you that one or more of those commands fails for you.
If that ends up being the case, here are some common things to check:
1. Believe it or not, it's often the case that clocks get out of sync. I often find myself surprised (and mad) that somehow my previously in-sync CentOS box is now randomly 4 hours off.
2. Stupid mistakes like typos in your smb.conf, or your PAM stuff.
3. samba/winbind has just decided to stop working. This happens to me every so often. Restart your CentOS box. Yes, sometimes that works for Linux too :)
4. nscd is running on your machine. ncsd? Whatever. I can't remember which it is any longer. One of those.
5, 6, & 7. ??? welcome to the wonderful world of kerberos.
let me know!
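The checklist above, turned into a small POSIX shell helper. This is an added example, not part of the original post or its comments; it assumes the wbinfo (samba-winbind-clients) and ntpdate tools from the tutorial are installed, and the exit codes and the 300-second Kerberos clock tolerance are this example's own choices.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the original post). Assumes wbinfo
# and ntpdate are installed, as on the CentOS box built in the tutorial.

# Classify `wbinfo -t` output. Returns 0 = trust OK, 2 = winbindd not
# reachable (Ben's case above), 3 = trust secret rejected, 1 = unrecognised.
diagnose_trust() {
    case "$1" in
        *WBC_ERR_WINBIND_NOT_AVAILABLE*)
            echo "winbindd is not running or its socket is unreachable: try 'service winbind restart'"
            return 2 ;;
        *WBC_ERR_AUTH_ERROR*)
            echo "the DC rejected the machine trust secret: re-join the domain"
            return 3 ;;
        *succeeded*)
            echo "trust secret OK"
            return 0 ;;
        *)
            echo "unrecognised wbinfo -t output: $1"
            return 1 ;;
    esac
}

# Kerberos rejects tickets when clocks differ by more than 5 minutes by
# default, so an NTP offset (seconds, may be negative or fractional) is
# acceptable only when its magnitude is within that window.
offset_ok() {
    awk -v o="$1" -v max="${2:-300}" 'BEGIN { if (o < 0) o = -o; exit !(o <= max) }'
}

# Pull the offset field out of `ntpdate -q` output, e.g.
# "server 10.0.0.1, stratum 2, offset -0.0012, delay 0.0255" -> -0.0012
ntp_offset() {
    echo "$1" | awk '/offset/ { sub(",", "", $6); print $6; exit }'
}

# nscd caches passwd/group answers and can keep serving pre-join results.
nscd_running() { pgrep -x nscd >/dev/null 2>&1; }

# Live run against a DC address; each check maps to one item in the list above.
run_checks() {
    dc="$1"
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo missing"; return 1; }
    wbinfo -p >/dev/null 2>&1 && echo "winbindd ping OK" || echo "winbindd ping FAILED"
    diagnose_trust "$(wbinfo -t 2>&1)"
    off=$(ntp_offset "$(ntpdate -q "$dc" 2>/dev/null)")
    [ -n "$off" ] && { offset_ok "$off" && echo "clock offset ${off}s OK" || echo "clock offset ${off}s too large"; }
    nscd_running && echo "nscd is running: stop it while debugging (service nscd stop)"
    return 0
}

if [ "${1:-}" = "--run" ]; then run_checks "${2:-}"; fi
```

Run it as `sh check-join.sh --run <dc-ip>` on the CentOS box; the functions can also be sourced and fed captured output, as the test below does.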
Hello John,
I think you may be onto something. I have gone through the steps listed in the article you found (thank you for posting that) and all but one of the tests complete successfully. The one which doesn't shows:
$ wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret
I've Googled this but haven't found anything particularly helpful. Have you seen this before?
nscd is indeed installed on my machine.
Thanks,
Ben
@BenWatson ... your problem is probably the same thing that I faced ...
Start winbindd: /usr/sbin/winbindd restart should do the trick.
Hello John,
Fabulous tutorial. I wish I had got here first when I was setting up my Samba server.
A couple of requests ...
a) It would be nice if there were a small write-up on setting up a share of the home folder for the AD users.
b) A small write-up on using groups.
I understand that each topic is quite expansive by itself, but seeing how you compressed large books into one great blog, it would really be useful for folks if these shares were set up and explained.
Thanks for this blog once again. I just wish I had gotten here first.
@Pats,
I was considering re-writing this blog post to remove all GUI elements, so that you could easily do this on a headless server. But since I wrote this article, it's become a LOT easier to join Windows domains, to the point where I'm not sure it'd be worth the effort (this was a large article!).
Now as for the samba configuration and group configuration, that would probably still be pertinent. Could you expand a little bit on what you mean when you say "on using Groups"? How do you mean?
John,
What I was thinking of was along the lines of specifying groups (for example "smbuser" / "smbadmin") in the Windows server, and then giving members of those groups permissions on the Samba share.
About the large article or the GUI elements: there are folks who prefer UI-based admin tools. As for the CLI folks, there are plenty of sites to cater to them. I think your article is by far the best when it comes to explaining "How to join your CentOS server to a Windows domain?"
I'd be happy to supply you with a write-up for the part I suggested, once I fine-tune the Samba server.
Great work on this blog - :)!
I'm trying this with Samba 4 and CentOS 7. When I run the line for CentOS 6 (hoping the line is still accurate) I get:
[/usr/bin/net join -w mimedxinc -S 10.0.112.32 -U sgenevish]
/bin/sh: /usr/bin/net: No such file or directory
authconfig: Winbind domain join was not successful.
I know this is an old post but I wanted to thank you for this guide and to let you know that this still works today even with CentOS 6.7.
We have a new set of AD environments and wanted to be able to authenticate Linux using the AD system. In our legacy environments we are using a mishmash of NIS and LDAP and have wanted to move to AD for some time.
I've tried following the Red Hat documentation for sssd and AD and didn't have much success. This how-to was just the ticket to get everything moving.
Darin,
Super-glad that 1) it still works, and 2) people are still finding it useful. It took me a long time and lots of debugging to distill it all into a how-to.
Thanks for sharing such amazing content, which is very helpful for us. Please keep sharing like this. Also check out Linux PAM Administration and many more.