{"id":522,"date":"2015-07-22T23:29:02","date_gmt":"2015-07-22T23:29:02","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=522"},"modified":"2022-10-21T11:49:56","modified_gmt":"2022-10-21T11:49:56","slug":"how-to-add-redhat-server-6-0-to-active-directory","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/how-to-add-redhat-server-6-0-to-active-directory\/","title":{"rendered":"How to add Redhat Server 6.0 to Active Directory"},"content":{"rendered":"

\n

.<\/span><\/span>We will be using sssd\/kerberos\/ldap<\/em><\/strong> to join the server to a domain in Active directory for SSO(Single Sign On Authentication)<\/p>\n

.<\/span><\/span><\/p>\n

Note: After you have successfully deployed a server using kickstart or manually registered a redhat server to satellite, next we need to join the server to domain controller aka Active Directory<\/em><\/strong><\/p>\n

.<\/span><\/span><\/p>\n

\n
\n
1.<\/span>Login via ssh to the server via putty or similar ssh client.<\/div>\n<\/div>\n
\n
2.<\/span>Next we will need to install some packages, type the following below.<\/div>\n<\/div>\n<\/div>\n

.<\/span><\/span><\/p>\n

\n
\n
\u2022<\/span> <\/span>yum install -y sssd krb5-workstation samba-common authconfig oddjob-mkhomedir<\/em><\/div>\n
\n
\n
\u25e6<\/span> <\/span>If you do not have your server registered to satellite. You will need to manually setup the following files for this to work. I have at the bottom of this document provided example files of what they should contain. Which you will need to adjust to your specific environments.<\/em><\/strong><\/div>\n

.<\/span><\/span><\/p>\n

\n
\n
\u00b7<\/span> <\/span>\/etc\/krb5.conf<\/em><\/div>\n<\/div>\n
\n
\u00b7<\/span> <\/span>\/etc\/oddjobd.conf.d\/oddjobd-mkhomedir.conf<\/em><\/div>\n<\/div>\n
\n
\u00b7<\/span> <\/span>\/etc\/pam.d\/password-auth-ac<\/em><\/div>\n<\/div>\n
\n
\u00b7<\/span> <\/span>\/etc\/pam.d\/su<\/em><\/div>\n<\/div>\n
\n
\u00b7<\/span> <\/span>\/etc\/pam.d\/system-auth-ac<\/em><\/div>\n<\/div>\n
\n
\u00b7<\/span> <\/span>\/etc\/samba\/smb.conf<\/em><\/div>\n<\/div>\n
\n
\u00b7<\/span> <\/span>\/etc\/sudoers<\/em><\/div>\n

.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

.<\/span><\/span><\/p>\n

\n
\n
3.<\/span>Now since the server is already registered to satellite. You can deploy the configuration files necessary to join the server to the domain from satellite server as follows.<\/div>\n
\n
\n
1.<\/span>Log into the red hat satellite server into the corresponding organization you wish to manage.<\/div>\n<\/div>\n
\n
2.<\/span>Click one systems top left corner<\/div>\n<\/div>\n
\n
3.<\/span>Next filter the server by name click go.<\/div>\n<\/div>\n
\n
4.<\/span>Click on the host name of the server<\/div>\n<\/div>\n
\n
5.<\/span>Now click on configuration<\/div>\n<\/div>\n
\n
6.<\/span>On the far right you should see \u201cDeploy all managed config files\u201d click that.<\/div>\n<\/div>\n
\n
7.<\/span>At the bottom right select \u201cSchedule deploy\u201d<\/div>\n

.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n
4.<\/span>Login via ssh to the server and pull down the configuration files by typing the following<\/div>\n
\n
\n
8.<\/span>rhn_check (this will pull down all the configuration files from satellite server)<\/em><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

.<\/span><\/span><\/p>\n

\n
\n
5.<\/span>Now you want to enabled authconfig so users home directories get created if they aren\u2019t. Type the following at the ssh prompt.<\/div>\n
\n
\n
9.<\/span>Authconfig \u2013emablemkhomedir \u2013update<\/em><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

.<\/span><\/span><\/p>\n

\n
\n
6.<\/span>Now edit the file \/etc\/security\/limits.conf and add the following line below.<\/div>\n
\n
\n
\u2022<\/span> <\/span>* – nofile 16384<\/em><\/div>\n

.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n
7.<\/span>Now you want to load configuration from samba by running \u201ctestparm\u201d<\/em><\/div>\n<\/div>\n<\/div>\n

.<\/span><\/span>.<\/span><\/span><\/p>\n

.<\/span><\/span><\/p>\n

The output will look like something this:<\/strong><\/p>\n

.<\/span><\/span><\/p>\n

Load smb config files from \/etc\/samba\/smb.conf<\/em><\/p>\n

Loaded services file OK.<\/em><\/p>\n

Server role: ROLE_DOMAIN_MEMBER<\/em><\/p>\n

Press enter to see a dump of your service definitions<\/em><\/p>\n

.<\/span><\/span><\/p>\n

[global]<\/em><\/p>\n

\u2003\u2003workgroup = NICKSTG<\/em><\/p>\n

\u2003\u2003realm = NICKSTG.NICKTAILOR.COM<\/em><\/p>\n

\u2003\u2003security = ADS<\/em><\/p>\n

\u2003\u2003kerberos method = secrets and keytab<\/em><\/p>\n

\u2003\u2003log file = \/var\/log\/<\/em><\/p>\n

\u2003\u2003client signing = Yes<\/em><\/p>\n

\u2003\u2003idmap config * : backend = tdb<\/em><\/p>\n

.<\/span><\/span><\/p>\n

\n
\n
8.<\/span>Next you want to pull the admin credentials by running the following.<\/div>\n
\n
\n
10.<\/span>Kinit <DC Admin Username ><\/em><\/div>\n<\/div>\n
\n
11.<\/span>Net ads join k (<\/em>this will add the server to the domain using above AD Credentials)<\/em><\/strong><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

.<\/span><\/span><\/p>\n

Note: If the nets join fails. It will be due to most likely three reasons. <\/strong><\/p>\n

\n
\n
\u2022<\/span> <\/span>DNS not setup in Active directory for the host<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span> <\/span>NTP server time is out more by more then 5 mins. <\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span> <\/span>Your dns is not pointed to active directory in \/etc\/resolv.conf<\/strong><\/div>\n<\/div>\n<\/div>\n

.<\/span><\/span><\/p>\n

I ran into the NTP issue. Here is how you fix it.<\/strong><\/p>\n

\n
\n
\u2022<\/span> <\/span>Yum install ntp<\/div>\n<\/div>\n
\n
\u2022<\/span> <\/span>Edit the etc\/ntp.conf<\/div>\n<\/div>\n
\n
\u2022<\/span> <\/span>Add the following lines and save the file<\/div>\n<\/div>\n<\/div>\n

.<\/span><\/span><\/p>\n

\n
\n
\u25e6<\/span> <\/span>restrict default ignore<\/em><\/div>\n<\/div>\n
\n
\u25e6<\/span> <\/span>restrict 127.0.0.1<\/em><\/div>\n<\/div>\n
\n
\u25e6<\/span> <\/span><\/div>\n<\/div>\n
\n
\u25e6<\/span> <\/span>restrict ntp01.nicktailor.com mask 255.255.255.255 nomodify notrap noquery<\/em><\/div>\n<\/div>\n
\n
\u25e6<\/span> <\/span>server ntp01.nicktailor.com iburst<\/em><\/div>\n<\/div>\n
\n
\u25e6<\/span> <\/span><\/div>\n<\/div>\n
\n
\u25e6<\/span> <\/span>driftfile \/var\/lib\/ntp\/drift<\/em><\/div>\n<\/div>\n
\n
\u25e6<\/span> <\/span><\/div>\n<\/div>\n<\/div>\n
\n
\n
\u2022<\/span> <\/span>Now you want to manually update the NTP server by doing the following<\/div>\n
\n
\n
\u25e6<\/span> <\/span>ntpdate -u 192.168.1.56(ntp01.nicktailor.com)<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\u2022<\/span> <\/span>and the rerun net ads join k<\/em><\/strong><\/div>\n

.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n
12.<\/span>enable the following services to boot on reboot.<\/div>\n
\n
\n
1.<\/span>Chkconfig sssd on<\/em><\/div>\n<\/div>\n
\n
2.<\/span>Chkconfig oddjobd on<\/em><\/div>\n<\/div>\n
\n
3.<\/span>Chkconfig sshd<\/em><\/div>\n<\/div>\n
\n
4.<\/span><\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
13.<\/span>Start the above services<\/em><\/div>\n
\n
\n
5.<\/span>service start sshd<\/em><\/div>\n<\/div>\n
\n
6.<\/span>service start oddjobd on<\/em><\/div>\n<\/div>\n
\n
7.<\/span>service start sssd<\/em><\/div>\n

.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n
14.<\/span>Lastly you will need file sharing installed<\/div>\n
\n
\n
8.<\/span>Yum install \u2013y cifs-utils<\/em><\/div>\n

.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n
15.<\/span>Now you should be able reboot your server and login via active directory credentials via ssh.<\/div>\n

.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

.<\/span><\/span><\/p>\n

If your server is not registered to satellite <\/span><\/strong><\/p>\n

.<\/span><\/span><\/p>\n

You will need to have the following files configured as such<\/p>\n

.<\/span><\/span><\/p>\n

\/etc\/krb5.conf<\/strong><\/span><\/p>\n

[logging]<\/p>\n

default = FILE:\/var\/log\/krb5libs.log<\/p>\n

kdc = FILE:\/var\/log\/krb5kdc.log<\/p>\n

admin_server = FILE:\/var\/log\/kadmind.log<\/p>\n

[libdefaults]<\/p>\n

default_realm = NICKSTG.NICKTAILOR.COM<\/p>\n

dns_lookup_realm = false<\/p>\n

dns_lookup_kdc = false<\/p>\n

ticket_lifetime = 24h<\/p>\n

renew_lifetime = 7d<\/p>\n

forwardable = true<\/p>\n

[realms]<\/p>\n

NICKSTG.NICKTAILOR.COM = {<\/p>\n

kdc = DC1.NICKTAILOR.COM<\/p>\n

admin_server = DC1.NICKTAILOR.COM<\/p>\n

}<\/p>\n

[domain_realm]<\/p>\n

.nickstg.nicktailor.com = = NICKSTG.NICKTAILOR.COM<\/p>\n

nickstg.nicktailor.com = = NICKSTG.NICKTAILOR.COM<\/p>\n

.<\/span><\/span><\/p>\n

\/etc\/oddjobd.conf.d\/oddjobd-mkhomedir.conf<\/p>\n

<?xml version=”1.0″?><\/p>\n

.<\/span><\/span><\/p>\n

<!– This configuration file snippet controls the oddjob daemon. It<\/p>\n

     provides access to mkhomedir functionality via a service named<\/p>\n

“com.redhat.oddjob_mkhomedir”, which exposes a single object<\/p>\n

(“\/”).<\/p>\n

The object allows the root user to call any of the standard D-Bus<\/p>\n

     introspection interface’s methods (these are implemented by<\/p>\n

     oddjobd itself), and also defines an interface named<\/p>\n

     “com.redhat.oddjob_mkhomedir”, which provides two methods. –><\/p>\n

.<\/span><\/span><\/p>\n

<oddjobconfig><\/p>\n

.<\/span><\/span><\/p>\n

<service name=”com.redhat.oddjob_mkhomedir”><\/p>\n

.<\/span><\/span><\/p>\n

<object name=”\/”><\/p>\n

.<\/span><\/span><\/p>\n

<interface name=”org.freedesktop.DBus.Introspectable”><\/p>\n

.<\/span><\/span><\/p>\n

<allow min_uid=”0″ max_uid=”0″\/><\/p>\n

        <!– <method name=”Introspect”\/> –><\/p>\n

.<\/span><\/span><\/p>\n

<\/interface><\/p>\n

.<\/span><\/span><\/p>\n

<interface name=”com.redhat.oddjob_mkhomedir”><\/p>\n

.<\/span><\/span><\/p>\n

<method name=”mkmyhomedir”><\/p>\n

<helper exec=”\/usr\/libexec\/oddjob\/mkhomedir -u 0077″<\/p>\n

                  arguments=”0″<\/p>\n

                  prepend_user_name=”yes”\/><\/p>\n

          <!– no acl entries -> not allowed for anyone –><\/p>\n

<\/method><\/p>\n

.<\/span><\/span><\/p>\n

<method name=”mkhomedirfor”><\/p>\n

<helper exec=”\/usr\/libexec\/oddjob\/mkhomedir -u 0077″<\/p>\n

                  arguments=”1″\/><\/p>\n

<allow user=”root”\/><\/p>\n

<\/method><\/p>\n

.<\/span><\/span><\/p>\n

<\/interface><\/p>\n

.<\/span><\/span><\/p>\n

<\/object><\/p>\n

.<\/span><\/span><\/p>\n

<\/service><\/p>\n

.<\/span><\/span><\/p>\n

<\/oddjobconfig>
\n================================================================================<\/p>\n

.<\/span><\/span><\/p>\n

\/etc\/pam.d\/password-auth-ac<\/strong><\/span><\/p>\n

#%PAM-1.0<\/p>\n

# This file is auto-generated.<\/p>\n

# User changes will be destroyed the next time authconfig is run.<\/p>\n

auth required pam_env.so<\/p>\n

auth sufficient pam_unix.so nullok try_first_pass<\/p>\n

auth requisite pam_succeed_if.so uid >= 500 quiet<\/p>\n

auth sufficient pam_sss.so use_first_pass<\/p>\n

auth required pam_deny.so<\/p>\n

.<\/span><\/span><\/p>\n

account required pam_unix.so<\/p>\n

account sufficient pam_localuser.so<\/p>\n

account sufficient pam_succeed_if.so uid < 500 quiet<\/p>\n

account [default=bad success=ok user_unknown=ignore] pam_sss.so<\/p>\n

account required pam_permit.so<\/p>\n

.<\/span><\/span><\/p>\n

password requisite pam_cracklib.so try_first_pass retry=3<\/p>\n

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok<\/p>\n

password sufficient pam_sss.so use_authtok<\/p>\n

password required pam_deny.so<\/p>\n

.<\/span><\/span><\/p>\n

session optional pam_keyinit.so revoke<\/p>\n

session required pam_limits.so<\/p>\n

session optional pam_oddjob_mkhomedir.so skel=\/etc\/skel<\/p>\n

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid<\/p>\n

session required pam_unix.so<\/p>\n

session optional pam_sss.so<\/p>\n

.<\/span><\/span><\/p>\n

\/etc\/pam.d\/su<\/strong><\/span><\/p>\n

#%PAM-1.0<\/p>\n

auth sufficient pam_rootok.so<\/p>\n

.<\/span><\/span><\/p>\n

auth [success=2 default=ignore] pam_succeed_if.so use_uid user ingroup grp_technology_integration_servertech_all<\/p>\n

auth [success=1 default=ignore] pam_succeed_if.so use_uid user ingroup wheel<\/p>\n

auth required pam_deny.so<\/p>\n

.<\/span><\/span><\/p>\n

auth include system-auth<\/p>\n

.<\/span><\/span><\/p>\n

account sufficient pam_succeed_if.so uid = 0 use_uid quiet<\/p>\n

account include system-auth<\/p>\n

.<\/span><\/span><\/p>\n

password include system-auth<\/p>\n

.<\/span><\/span><\/p>\n

session include system-auth<\/p>\n

session optional pam_xauth.so<\/p>\n

.<\/span><\/span><\/p>\n

.<\/span><\/span><\/p>\n

#This line is the last line<\/p>\n

.<\/span><\/span><\/p>\n

\/etc\/pam.d\/system-auth-ac<\/strong><\/span><\/p>\n

#%PAM-1.0<\/p>\n

# This file is auto-generated.<\/p>\n

# User changes will be destroyed the next time authconfig is run.<\/p>\n

auth required pam_env.so<\/p>\n

auth sufficient pam_fprintd.so<\/p>\n

auth sufficient pam_unix.so nullok try_first_pass<\/p>\n

auth requisite pam_succeed_if.so uid >= 500 quiet<\/p>\n

auth sufficient pam_sss.so use_first_pass<\/p>\n

auth required pam_deny.so<\/p>\n

.<\/span><\/span><\/p>\n

account required pam_unix.so<\/p>\n

account sufficient pam_localuser.so<\/p>\n

account sufficient pam_succeed_if.so uid < 500 quiet<\/p>\n

account [default=bad success=ok user_unknown=ignore] pam_sss.so<\/p>\n

account required pam_permit.so<\/p>\n

.<\/span><\/span><\/p>\n

password requisite pam_cracklib.so try_first_pass retry=3<\/p>\n

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok<\/p>\n

password sufficient pam_sss.so use_authtok<\/p>\n

password required pam_deny.so<\/p>\n

.<\/span><\/span><\/p>\n

session optional pam_keyinit.so revoke<\/p>\n

session required pam_limits.so<\/p>\n

session optional pam_oddjob_mkhomedir.so skel=\/etc\/skel<\/p>\n

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid<\/p>\n

session required pam_unix.so<\/p>\n

session optional pam_sss.so<\/p>\n

.<\/span><\/span><\/p>\n

\/etc\/samba\/smb.conf<\/strong><\/span><\/p>\n

[global]<\/p>\n

workgroup = NICKSTG<\/p>\n

client signing = yes<\/p>\n

client use spnego = yes<\/p>\n

kerberos method = secrets and keytab<\/p>\n

realm = NICKSTG.NICKTAILOR.COM<\/p>\n

.<\/span><\/span><\/p>\n

security = ads<\/p>\n

log file = \/var\/log\/<\/p>\n

.<\/span><\/span><\/p>\n

\/etc\/sssd\/sssd.conf<\/p>\n

[sssd]<\/p>\n

config_file_version = 2<\/p>\n

reconnection_retries = 3<\/p>\n

sbus_timeout = 30<\/p>\n

services = nss, pam<\/p>\n

domains = default, nickstg.nicktailor.com<\/p>\n

.<\/span><\/span><\/p>\n

[nss]<\/p>\n

filter_groups = root<\/p>\n

filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,games,gopher,ftp,nobody,vcsa,pcap,ntp,dbus,avahi,rpc,sshd,xfs,rpcuser,nfsnobody,haldaemon,avahi-autoipd,gdm,nscd,oracle, ,deploy,tomcat,jboss,apache,ejabberd,cds,distcache,squid,mailnull,smmsp,backup,bb,clam,obdba,postgres,named,mysql,quova, reconnection_retries = 3<\/p>\n

.<\/span><\/span><\/p>\n

[pam]<\/p>\n

reconnection_retries = 3<\/p>\n

.<\/span><\/span><\/p>\n

[domain\/nickstg.nicktailor.com]<\/p>\n

id_provider = ad<\/p>\n

access_provider = simple<\/p>\n

cache_credentials = true<\/p>\n

#ldap_search_base = OU=NICKSTG-Users,DC=NICKSTG,DC=nicktailor,DC=com<\/p>\n

override_homedir = \/home\/%u<\/p>\n

default_shell = \/bin\/bash<\/p>\n

simple_allow_groups = ServerTech_All,Server_Systems_Integration<\/p>\n

.<\/span><\/span><\/p>\n

\/etc\/sudoers<\/p>\n

## \/etc\/sudoers<\/p>\n

## nicktailor sudoers configuration<\/p>\n

.<\/span><\/span><\/p>\n

## Include all configuration from \/etc\/sudoers.d<\/p>\n

## Note: the single # is needed in the line below and is NOT a comment!<\/p>\n

.<\/span><\/span><\/p>\n

#includedir \/etc\/sudoers.d<\/p>\n

##%NICKSTG\\\\domain\\ users ALL = NOPASSWD: ALL<\/p>\n

% ServerTech_All ALL = NOPASSWD: ALL<\/p>\n

% Server_Systems_Integration ALL = NOPASSWD: ALL<\/p>\n

.<\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

.We will be using sssd\/kerberos\/ldap to join the server to a domain in Active directory for SSO(Single Sign On Authentication) . Note: After you have successfully deployed a server using kickstart or manually registered a redhat server to satellite, next we need to join the server to domain controller aka Active Directory . 1.Login via ssh to the server viaRead More …<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,58,138],"tags":[],"class_list":["post-522","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-centos","category-linux"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/522","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=522"}],"version-history":[{"count":19,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/522\/revisions"}],"predecessor-version":[{"id":1612,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/522\/revisions\/1612"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}