
Building a Linux workstation with Windows Server AD authentication

This started from the need to build a shared workstation in each department that could be used for internet access. Internet access is restricted and is only available through that terminal. To avoid outbreaks of viruses, spam and malware, the Windows-based PCs are not given direct internet access; users who want to use the internet use the Linux-based PC instead.

As it happens, access to every PC already goes through a Windows Server based Active Directory (AD), so, to avoid having to create the users a second time on the Linux side, the Linux PC was set up to use the existing AD authentication.

After googling for a while I found a page describing how to join that Linux machine to AD. Here is the full link (http://www.brentnorris.net/blog/archives/179); the howto is reproduced below.

Everything done in this howto is done with root permissions. It is always best to start out with a completely updated machine:
yum upgrade

Kerberos Configuration
Next it is important to make sure that you have the Kerberos files on your machine:
yum install krb5-server krb5-workstation

Only krb5-workstation (kinit, klist and the client libraries) is actually needed on a client whose KDC is the domain controller; krb5-server installs a local KDC that will never be used here.

Next you need to edit the /etc/krb5.conf file so that it looks similar to this (case IS important; the realm, KDC, admin_server and domain names are the values that need changing for your domain):

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EDMONSON.KETSDS.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
EDMONSON.KETSDS.NET = {
kdc = ed151000d1.edmonson.ketsds.net
admin_server = 10.76.16.50:749
default_domain = edmonson.ketsds.net
}

[domain_realm]
.edmonson.ketsds.net = EDMONSON.KETSDS.NET
edmonson.ketsds.net = EDMONSON.KETSDS.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Now it is a good idea to add your domain controller to your /etc/hosts file. That way, if something happens to DNS, you can still resolve it; with dns_lookup_kdc = false the kdc name in krb5.conf has to resolve by itself anyway.
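As an added example (not part of the howto or of this post), here is a small shell script that writes a client-side krb5.conf from the realm and KDC values above and audits an existing krb5.conf for the enctypes the howto lists. DES-CBC-CRC and DES-CBC-MD5 are disabled by default on domain controllers since Windows Server 2008 R2, and RC4-HMAC is deprecated; AES (aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96) is what a current domain negotiates, so the generated file lists only AES. The realm, KDC and admin_server values are the howto's; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the howto: generate an AD client krb5.conf that uses AES
# only, and audit an existing krb5.conf for DES/RC4 enctypes.

# write_krb5_conf REALM KDC_HOST ADMIN_SERVER: print a krb5.conf on stdout.
# Realm names are upper case; domain_realm maps the lower-case DNS domain to it.
write_krb5_conf() {
    realm="$1"; kdc_host="$2"; admin_server="$3"
    dns_domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
default_realm = $realm
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
# AES only: DES is off by default on AD since 2008 R2 and RC4 is deprecated
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
$realm = {
kdc = $kdc_host
admin_server = $admin_server
default_domain = $dns_domain
}

[domain_realm]
.$dns_domain = $realm
$dns_domain = $realm
EOF
}

# audit_krb5_enctypes FILE: return 0 if no enctype setting in FILE names DES, 3DES
# or RC4, otherwise print the offending lines on stderr and return 1.
audit_krb5_enctypes() {
    file="$1"
    weak=$(grep -iE '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes|preferred_enctypes)[[:space:]]*=' "$file" \
        | grep -iE 'des-cbc|des3|rc4|arcfour' || true)
    if [ -n "$weak" ]; then
        printf 'weak enctypes in %s:\n%s\n' "$file" "$weak" >&2
        return 1
    fi
    return 0
}

# Usage on a real client (as root, with the DC reachable):
#   write_krb5_conf EDMONSON.KETSDS.NET ed151000d1.edmonson.ketsds.net 10.76.16.50:749 > /etc/krb5.conf
#   audit_krb5_enctypes /etc/krb5.conf
#   kinit bnorris@EDMONSON.KETSDS.NET && klist   # proves the KDC and enctypes work before touching Samba
```

After writing the file, `kinit user@REALM` followed by `klist` is the quickest check that the KDC is reachable and that an enctype was agreed on; if kinit fails with a preauthentication or "KDC has no support for encryption type" error, the enctype lists are the first thing to compare with what the domain allows.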

SAMBA Configuration
We are on to editing the /etc/samba/smb.conf file. There are several things to add and change in the [global] section (again, case is important; the values below are what needs changing or adding):

change: workgroup = EDMONSON
add: realm = EDMONSON.KETSDS.NET
change: server string = Linux Samba File Server
change: security = ADS
change: encrypt passwords = yes
change: preferred master = no
add: template shell = /bin/false
add: template homedir = /home/%D/%U
add: idmap uid = 10000-20000
add: idmap gid = 10000-20000
add: enhanced browsing = no
add: winbind use default domain = yes

After you get those edited it is a good idea to run testparm and correct any errors you get. With just the changes posted above there should not be any errors.
Next start SAMBA and join the machine to the domain using the commands:

/etc/init.d/smb start
net ads join -U bnorris@EDMONSON.KETSDS.NET

Again, case is important. The program asks for your network password and then joins the box to the domain; the account you use needs the right to create a computer object in the domain.
If all went well, stop SAMBA while you finish up the remaining pieces:
/etc/init.d/smb stop

Winbind Configuration
Now we need to edit /etc/nsswitch.conf and tell the machine to resolve users and groups through Winbind. Note that nsswitch only covers identity lookups (getent, ls showing owner names, and so on); the actual password check for console or desktop logins goes through PAM's pam_winbind module, which this howto does not set up. On Red Hat based systems authconfig --enablewinbind --enablewinbindauth --update adds both the nsswitch and the PAM entries.

change: passwd: files winbind
change: group: files winbind

Now we can start Winbind and SAMBA back up:

/etc/init.d/winbind start
/etc/init.d/smb start

Test to make sure it is working using wbinfo:

wbinfo -u
wbinfo -g

Those commands should give you a list of users and groups from your domain. If you have a particularly complex domain with lots of trusts you might want to limit wbinfo to one domain with the --domain=EDMONSON option. If wbinfo hangs and never returns you will need to stop and start Winbind to get it working again.

You can also get some info about your connection to the domain with:
net ads info

Enabling Filesystem ACLs
Now you need to enable extended Access Control Lists (ACLs) on the filesystem you will be using. This gives you finer-grained security settings, similar to Windows file permissions. To change this, edit /etc/fstab. You might not want to enable ACLs on all of your filesystems, since it adds some overhead you may not need. Find the entry for the filesystem you want ACLs on and edit its options field (the fourth field, usually just defaults). After the options already there, append ,acl

Now you need to unmount and remount that filesystem. The easiest way is to reboot the machine, since users may have files open and you cannot unmount while that is going on; mount -o remount,acl /mountpoint applies the option in place without unmounting.

Now, if you are planning on giving your users home folders, you need to make their directories. I cheated a little and did the following to quickly create mine:

# list domain users, drop machine accounts (names ending in $), one directory each
wbinfo -u --domain=EDMONSON | grep -v '\$$' | sort > ~/temp
for i in `cat ~/temp` ; do
mkdir -p /home/EDMONSON/$i
# grant the AD user full control of its own directory via a POSIX ACL
setfacl -m u:"EDMONSON\\$i":rwx /home/EDMONSON/$i
done

That should give you a directory for every user, with each user having full control of that directory. I think there is an option in SAMBA to do this when a user connects to the machine, but I couldn't find it quickly today. If anyone knows what it is, let me know and I will edit this to get it in there.
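Two things a practitioner wants on top of the loop above, shown here as an added example that is not part of the howto: machine accounts must be filtered out (a `$` at the end of a regex is an anchor, so the filter has to be `\$$` to mean a literal dollar sign), and a directory that cannot be handed to its owner should be reported rather than silently left owned by root, which is what happens when winbind is down or the idmap range is exhausted. The user names are bare because the howto sets winbind use default domain = yes; the sample user list in the test is constructed from names on this page. For the author's question about creating homes automatically at login: that is done by the PAM module pam_mkhomedir in the session stack, not by a Samba option.

```sh
#!/bin/sh
# Added example, not from the howto: build /home/DOMAIN/user for every AD user
# from winbind's list, skipping computer accounts, and give each user its directory.

# filter_domain_users: read names on stdin; drop computer accounts (trailing $),
# blank lines and duplicates. '\$$' is a literal $ at end of line; '$' alone
# would match every line.
filter_domain_users() {
    grep -v '\$$' | grep -v '^[[:space:]]*$' | sort -u
}

# create_homes ROOT DOMAIN: read user names on stdin and create ROOT/DOMAIN/user
# with mode 0700. When the account resolves through nsswitch/winbind, chown it
# and grant an rwx ACL as the howto does; otherwise warn and count it, so that
# a stalled winbind does not quietly leave root-owned homes behind.
create_homes() {
    root="$1"; domain="$2"; created=0; unresolved=0
    while IFS= read -r user; do
        dir="$root/$domain/$user"
        mkdir -p "$dir" && chmod 0700 "$dir"
        created=$((created + 1))
        if getent passwd "$user" > /dev/null 2>&1; then
            chown "$user" "$dir"
            setfacl -m "u:$user:rwx" "$dir"
        else
            printf 'warning: %s does not resolve; %s left owned by root\n' "$user" "$dir" >&2
            unresolved=$((unresolved + 1))
        fi
    done
    printf '%d created, %d not resolvable\n' "$created" "$unresolved"
}

# Usage (as root, winbind running):
#   wbinfo -u --domain=EDMONSON | filter_domain_users | create_homes /home EDMONSON
```

A non-zero "not resolvable" count after a run is the signal to check wbinfo -u, the idmap range and the nsswitch.conf entries before users try to log in.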

Adding Shares for users
So there you go. You should now have a machine that authenticates against AD and shows users the shares they are allowed to access. If you want to add shares for specific users it isn't too tough; just add them to /etc/samba/smb.conf.
A good template share definition looks something like this:

[vivnenoi]
comment = wireless to connect field house
path = /home/shares/vivnenoi
valid users = EDMONSON\lamar.miller EDMONSON\jcarnes EDMONSON\bnorris
public = no
writable = yes
printable = no
create mask = 076
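One thing to check in a stanza like this before it goes live is the create mask. Samba ANDs it with the permissions a new file would otherwise get, so a three-digit value whose first digit is 0 (as in 076) leaves the creating user with no access to its own files while group and others keep theirs. The added example below, not part of the howto, appends a share stanza without duplicating an existing one and refuses masks that strip the owner. The share name, path, comment and user names are the howto's; the 0760 mask in the usage line is an assumption of mine, chosen so that the owner keeps full access and the group keeps read and write.

```sh
#!/bin/sh
# Added example, not from the howto: append a restricted share to smb.conf and
# sanity-check its create mask first.

# mask_owner_ok MASK: accept 3- or 4-digit octal masks whose owner digit keeps
# read and write (>= 6). create mask is ANDed with the requested mode, so an
# owner digit of 0 means the creator cannot read its own files.
mask_owner_ok() {
    mask="$1"
    case "$mask" in
        [0-7][0-7][0-7])       owner=$(printf '%s' "$mask" | cut -c1) ;;
        [0-7][0-7][0-7][0-7])  owner=$(printf '%s' "$mask" | cut -c2) ;;
        *) return 1 ;;
    esac
    [ "$owner" -ge 6 ]
}

# share_stanza NAME PATH COMMENT MASK USER...: print a stanza in the howto's
# shape. Users are given as DOMAIN\user by the caller.
share_stanza() {
    name="$1"; path="$2"; comment="$3"; mask="$4"; shift 4
    printf '\n[%s]\n' "$name"
    printf 'comment = %s\n' "$comment"
    printf 'path = %s\n' "$path"
    printf 'valid users = %s\n' "$*"
    printf 'public = no\nwritable = yes\nprintable = no\n'
    printf 'create mask = %s\n' "$mask"
}

# add_share FILE NAME PATH COMMENT MASK USER...: append the stanza unless a
# section with that name already exists or the mask would strip the owner.
add_share() {
    file="$1"; name="$2"; mask="$5"
    if grep -q "^\[$name\]" "$file"; then
        printf 'share [%s] already defined in %s\n' "$name" "$file" >&2
        return 1
    fi
    if ! mask_owner_ok "$mask"; then
        printf 'refusing create mask %s: owner would lose access\n' "$mask" >&2
        return 1
    fi
    shift 2
    share_stanza "$name" "$@" >> "$file"
}

# Usage: add_share /etc/samba/smb.conf vivnenoi /home/shares/vivnenoi \
#   "wireless to connect field house" 0760 \
#   'EDMONSON\lamar.miller' 'EDMONSON\jcarnes' 'EDMONSON\bnorris' && testparm -s
```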

Hope this helps.

The author is a freelance Linux consultant currently working as SAP Basis Team Leader at a company in Surabaya. Want to hire the author? Click here.

