
In my office, we use a Samba domain + LDAP. I have already joined some Windows 7 machines, but now I need to join CentOS 7 to that domain. How can I do that?

Below are steps that I already did:

  1. install nss-pam-ldap.x86_64
  2. configure smb.conf in /etc/samba/
  3. configure all files in /etc/pam.d/ that call pam_unix.so to also call pam_ldap.so
  4. add ldap to the passwd, shadow and group lines in nsswitch.conf
  5. configure nslcd.conf

When I try to join with:

net join -U administrator

I get this:

cannot join standalone machine

When I run

journalctl -r

I get some pam_ldap error:

pam_ldap: error opening connection to nslcd: No such file or directory.

Drifter104
krisko

2 Answers


Krisko. First you have to install the packages for an sssd integration:

yum install \
realmd \
sssd \
sssd-krb5 \
sssd-krb5-common \
sssd-common \
sssd-common-pac \
sssd-ad \
sssd-proxy \
sssd-tools \
python-sssdconfig \
samba \
samba-common \
authconfig \
authconfig-gtk

Then create the machine account in an AD container your user ([Domain UID]) has full access to.

Add the machine to the domain: realm --verbose join [FQ Domain name] -U [Domain UID]

Adjust /etc/sssd/sssd.conf

[sssd]
domains = <FQ Domain name lowercase>
config_file_version = 2
services = nss, pam

[domain/bdp.pt]
ad_domain = <FQ Domain name lowercase>
krb5_realm = <FQ Domain name uppercase>
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = <Comma separated list of AD groups allowed to login in the form <FQDomainLowercase>\<GroupName>>
simple_allow_users = <Same for users>

You may have to adjust these 2 sections of /etc/krb5.conf

[realms]
 <FQDomainUpperCase> = {
 }

[domain_realm]
 <FQDomainLowerCase> = <FQDomainUpperCase>
 .<FQDomainLowerCase> = <FQDomainUpperCase>

Then this will no longer be a standalone machine, and you may authenticate domain users. Hope it helps.

Goulart
  • Thanks for your answer @Goulart, but in my case it was not helpful; I have made some progress, though. Now when I run the command net join -U administrator, it says: failed to join domain: failed to find DC for domain EXAMPLE. – krisko Mar 11 '16 at 01:37

Make sure you can ping between your hosts; try both ping server and ping server.domain.local. If you get nothing there, try specifying your KDC explicitly in the Kerberos config and in smb.conf.

Example of krb5.conf file:

/etc/krb5.conf
...
[realms]
         DOMAINNAME.COM = {
                 kdc = din-dc1.domainname.com
                 kdc = den-dc1.domainname.com
                 master_kdc = din-dc1.domainname.com
                 admin_server = din-dc1.domainname.com
         }

[domain_realm]
         .domainname.com = DOMAINNAME.COM
...

/etc/samba/smb.conf
...
[global]
         server string = Dinamo File Server

         workgroup = DOMAINNAME
         realm = DOMAINNAME.COM
         security = ADS
         password server = *
         #password server = din-dc1.domainname.com
         #password server = din-dc1.domainname.com, den-dc1.domainname.com

Use kinit to make sure kerberos is working!

Thomas
Sissi_00_20
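A small pre-flight check for the "failed to find DC for domain" situation discussed above, added here as an example (it is not code from either answer): it pulls the kdc entries out of a krb5.conf realm stanza and tests whether each one accepts a TCP connection on port 88, which is what kinit and net join need before anything else. The embedded krb5.conf is constructed for the demo and reuses the placeholder host names from the answer; check_realm, kdc_hosts and kdc_reachable are names chosen here.

```shell
#!/bin/sh
# Constructed sample krb5.conf for the demo (not a file from the original post).
SAMPLE_KRB5_CONF=$(cat <<'EOF'
[libdefaults]
 default_realm = DOMAINNAME.COM

[realms]
 DOMAINNAME.COM = {
  kdc = din-dc1.domainname.com
  kdc = den-dc1.domainname.com
  admin_server = din-dc1.domainname.com
 }
 OTHER.EXAMPLE = {
  kdc = kdc.other.example
 }

[domain_realm]
 .domainname.com = DOMAINNAME.COM
EOF
)

# kdc_hosts REALM: read a krb5.conf on stdin and print the kdc hosts of REALM's
# stanza, one per line. Other realms and other sections are ignored.
kdc_hosts() {
  awk -v realm="$1" '
    /^[ \t]*\[/ { section = $0; sub(/^[ \t]*\[/, "", section); sub(/].*/, "", section) }
    section == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
    inrealm && /^[ \t]*}/ { inrealm = 0 }
    inrealm && $1 == "kdc" { print $3 }
  '
}

# kdc_reachable HOST: succeed if TCP port 88 on HOST accepts a connection within 3s.
# Uses bash's /dev/tcp so no extra tools are needed on a fresh CentOS install.
kdc_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/88" 2>/dev/null
}

# check_realm REALM [KRB5_CONF]: report every kdc of REALM as reachable or not and
# return the number of unreachable ones (0 means kinit/net join have a DC to talk to).
check_realm() {
  bad=0
  for h in $(kdc_hosts "$1" < "${2:-/etc/krb5.conf}"); do
    if kdc_reachable "$h"; then echo "ok   $h:88"; else echo "FAIL $h:88"; bad=$((bad+1)); fi
  done
  return "$bad"
}
# Usage: check_realm DOMAINNAME.COM   (also try: host -t SRV _kerberos._tcp.domainname.com)
```

If no kdc lines are found for the realm, the DNS SRV lookup in the usage comment is the next thing to verify, since realm join and net join locate DCs through it.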