Linux and Active Directory

How to add and authenticate a Linux machine with Microsoft Active Directory
Anindya Roy

Monday, January 05, 2004

In our November 2003 issue, we saw how you can use Samba 3 to migrate your existing Win NT PDC to a Linux box (Migrating from NT to Linux, page 104). Another important feature of Samba 3 is that it can easily join a Linux machine to an existing Win 2000 or 2003 Active Directory. 

Here we will see how you can use Samba and Kerberos to add a Linux machine to an Active Directory controlled by a Win 2000 Advanced Server. Kerberos authenticates the Linux machine against the Domain Controller. Though we will use PCQLinux (full install) as the client Linux machine, you can use any distro you like; the only requirements are Samba 3 and krb5-1.2.5. PCQLinux 8.0 comes with krb5 pre-installed, but you need to install Samba 3. To install Samba 3, first copy samba-3.0.0-1.i386.rpm from our November PCQ Essential CD to your home directory and run the command below.

#rpm -Uvh samba-3.0.0-1.i386.rpm

(Figure: the Linux machine as it appears in your Active Directory property page)

Be sure to use the ‘-Uvh’ switch. If you try to install Samba 3 with the ‘-ivh’ switch, it can report conflicts with the pre-installed previous version of Samba. Once Samba is installed, give your Linux machine an FQDN (Fully Qualified Domain Name) within the realm of your Active Directory. This step is not mandatory but will benefit you when working on the network. For this, let’s suppose that the realm of the Active Directory we are going to join the Linux machine to is PCQ.LOCAL. Now open the file /etc/sysconfig/network and add

HOSTNAME=linclnt.pcq.local

Now check whether krb5 is installed on your machine. To do so, run the following command.

#rpm -qa krb5-workstation

The command should return something like krb5-workstation-1.2.5-8. If nothing is returned, krb5 is not installed. To install it, insert your PCQLinux 8.0 CD-2 (given with the March 2003 issue) and run the command below.

#rpm -ivh /mnt/cdrom/PCQuest/RPMS/krb5-workstation-1.2.5-8.rpm

Configuring Kerberos 
Open the file /etc/krb5.conf and change the ‘libdefaults’, ‘realms’ and ‘domain_realm’ sections of the file so that they look like this.

[libdefaults]
  ticket_lifetime = 24000
  # Realm names are case-sensitive: keep this in upper case
  default_realm = PCQ.LOCAL
  # Do not rely on DNS to find the realm or the KDC; they are given below
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  PCQ.LOCAL = {
    # The KDC is the Domain Controller
    kdc = 192.168.1.10:88
    # Only consulted by the kadmin/kpasswd tools; value kept from the stock template
    admin_server = Kerberos.example.com:749
    default_domain = PCQ.LOCAL
  }

[domain_realm]
  # Map the DNS domain (and every host under it) to the realm
  .pcq.local = PCQ.LOCAL
  pcq.local = PCQ.LOCAL

Keep the other parts unchanged. Remember that we are supposing that the realm of your Active Directory is ‘PCQ.LOCAL’ and the IP address of your Domain Controller is 192.168.1.10. 

Configuring Samba
Open the file /etc/samba/smb.conf and set the following parameters in the ‘global’ section to the values given below.

[global]
  # Workgroup is the short (NetBIOS) name of the domain
  workgroup = PCQ
  # The Domain Controller
  ads server = 192.168.1.10
  # Must match default_realm in /etc/krb5.conf, including case
  realm = PCQ.LOCAL
  netbios name = linclnt
  # Authenticate against Active Directory using Kerberos
  security = ADS


Now save the file and exit to the terminal. 

Joining to ADS
At this point we are just two commands away from joining the machine to the ADS. First, run the following command to authenticate against the ADS as the domain administrator.

#kinit administrator@PCQ.LOCAL

This will ask you for the password of the administrator user of your ADS. Provide the password and hit Enter. The only thing to keep in mind at this stage is the case of the realm.

Use the same case for the realm that you used in krb5.conf, that is, upper case. If you use administrator@pcq.local or something like it, Kerberos won’t let you authenticate.

After getting authenticated, it’s time to add the machine to the ADS. To do so, run the following command.

#net ads join -S PCQ.LOCAL

This will give an output something like “Joined ‘linclnt’ to realm ‘PCQ.LOCAL’”. To check that everything worked properly, go to your Domain Controller, open ‘Active Directory Users and Computers’ and go to Computers. You will see your Linux machine listed there.

Accessing a Share from ADS
Now let’s try accessing something on the network that requires administrator access. For this, create a share (for example, test) on your Domain Controller or on any Windows machine in your realm and grant access only to the Administrator user. Then come to your Linux machine and run the following command to connect to the share with Kerberos authentication.

#smbclient //192.168.1.10/test -k

And it will give you proper access to the test folder.
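As an added consistency check (example code written for this page, not from the article or from Samba), the script below parses krb5.conf and smb.conf fragments with a small parser and reports the mismatches that the steps above depend on: upper-case realm, a kdc entry for the realm, the domain_realm mapping, the smb.conf realm and security values, and the realm case of the kinit principal. The sample configs are constructed from the article's values; the function names are my own.

```python
# Constructed sample configs with the article's values (realm PCQ.LOCAL, DC 192.168.1.10).
KRB5_CONF = """[libdefaults]
default_realm = PCQ.LOCAL
[realms]
PCQ.LOCAL = {
  kdc = 192.168.1.10:88
}
[domain_realm]
.pcq.local = PCQ.LOCAL
pcq.local = PCQ.LOCAL"""
SMB_CONF = """[global]
workgroup = PCQ
ads server = 192.168.1.10
realm = PCQ.LOCAL
security = ADS"""

def parse_conf(text):
    """Parse krb5.conf or smb.conf into {section: {key: value}}; 'NAME = {' blocks nest."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()  # strip both comment styles
        if not line:
            continue
        if line.startswith("["):                        # [section]
            section, block = line.strip("[] "), None
            conf.setdefault(section, {})
        elif line.endswith("{"):                        # "PCQ.LOCAL = {" opens a realm block
            block = line[:-1].strip(" =")
            conf[section][block] = {}
        elif line == "}":
            block = None
        else:                                           # key = value (keys case-folded)
            key, _, val = line.partition("=")
            (conf[section][block] if block else conf[section])[key.strip().lower()] = val.strip()
    return conf

def check_join_config(krb5_text, smb_text, principal):
    """Return the mismatches that would make kinit or net ads join fail (empty = consistent)."""
    krb5, smb = parse_conf(krb5_text), parse_conf(smb_text).get("global", {})
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    checks = [
        (realm != realm.upper(), "default_realm must be upper case (realm names are case-sensitive)"),
        ("kdc" not in krb5.get("realms", {}).get(realm, {}), "no kdc entry for %s in [realms]" % realm),
        (any(krb5.get("domain_realm", {}).get(d) != realm for d in (realm.lower(), "." + realm.lower())),
         "[domain_realm] must map the DNS domain %s (both forms) to %s" % (realm.lower(), realm)),
        (smb.get("realm") != realm, "smb.conf realm differs from krb5.conf default_realm"),
        (smb.get("security", "").upper() != "ADS", "smb.conf security must be ADS for an AD join"),
        (principal.partition("@")[2] != realm, "kinit principal realm must match default_realm exactly"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run it against your own /etc/krb5.conf and /etc/samba/smb.conf contents before kinit; an empty list means the two files and the principal agree on the realm.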

Anindya Roy
