1 files changed, 206 insertions, 0 deletions
diff --git a/doc/markdown/swiftkerbauth/AD_client.md b/doc/markdown/swiftkerbauth/AD_client.md
new file mode 100644
index 0000000..0947a1e
--- /dev/null
+++ b/doc/markdown/swiftkerbauth/AD_client.md
@@ -0,0 +1,206 @@
+#AD client setup guide
+
+###Contents
+* [Setup Overview] (#setup)
+* [Configure Network] (#network)
+* [Installing AD Client] (#AD-client)
+
+<a name="setup" />
+###Setup Overview
+
+This guide talks about adding fedora linux client to windows domain.
+The test setup included a client machine with Fedora 19 installed
+on it with all the latest packages updated. The crux is to add this linux
+machine to Windows Domain. This linux box is expected to act as RHS node and on which swiftkerbauth,
+apachekerbauth code would run.
+
+Set hostname (FQDN) to fcclient.winad.com
+
+    # hostnamectl set-hostname "fcclient.winad.com"
+
+    # hostname "fcclient.winad.com"
+
+
+<a name="network" />
+### Configure client
+
+* Deploy Fedora linux 19.
+
+* Update the system with latest packages.
+
+* Configure SELinux security parameters.
+
+* Install & configure samba
+
+* Configure DNS
+
+* Synchronize the time services
+
+* Join Domain
+
+* Install / Configure Kerberos Client
+
+
+The document assumes the installing Fedora Linux and configuring SELinux
+parameters to 'permissive' is known already.
+
+###Install & Configure Samba:
+    # yum -y install samba samba-client samba-common samba-winbind
+    samba-winbind-clients
+
+    # service start smb
+
+    # ps -aef | grep smb
+    # chkconfig smb on
+
+###Synchronize time services
+The kerberos authentication and most of the DNS functionality could fail with
+clock skew if times are not synchronized.
+
+    # cat /etc/ntp.conf
+    server ns1.bos.redhat.com
+    server 10.5.26.10
+
+    # service ntpd stop
+
+    # ntpdate 10.16.255.2
+
+    # service ntpd start
+
+    #chkconfig ntpd on
+
+Check if Windows server in the whole environment is also time synchronized with
+same source.
+
+    # C:\Users\Administrator>w32tm /query /status | find "Source"
+
+    Source: ns1.xxx.xxx.com
+
+###Configure DNS on client
+Improperly resolved hostname is the leading cause in authentication failures.
+Best practice is to configure fedora client to use Windows DNS.
+'nameserver' below is the IP address of the windows server.
+    # cat /etc/resolve.conf
+    domain server.winad.com
+    search server.winad.com
+    nameserver 10.nn.nnn.3
+
+###Set the hostname of the client properly (FQDN)
+    # cat /etc/sysconfig/network
+    HOSTNAME=fcclient.winad.com
+
+
+###Install & Configure kerberos client
+
+    # yum -y install krb5-workstation
+
+Edit the /etc/krb5.conf as follows:
+
+    # cat /etc/krb5.conf
+    [logging]
+    default = FILE:/var/log/krb5libs.log
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmind.log
+
+    [libdefaults]
+    default_realm = WINAD.COM
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+
+    [realms]
+        WINAD.COM = {
+            kdc = server.winad.com
+            admin_server = server.winad.com
+        }
+    [domain_realm]
+        .demo = server.winad.com
+        demo = server.winad.com
+
+###Join Domain
+Fire command 'system-config-authentication' on client. This should display a
+graphical wizard. Below inputs would help configure this wizard.
+
+    - User account data base = winbind
+    - winbind domain = winad
+    - security model = ads
+    - winbind ads realm = winad.com
+    - winbind controller = server.winad.com
+    - template shell = /bin/bash
+    - let the other options be as is to default.
+    - Perform Join domain and appy settings and quit. Please note this join should
+      not see any errors. This makes the client fedora box to join the windows
+      domain.
+
+###Configure the kerberos client
+This would bring the users/groups from Windows Active directory to this
+fedora client.
+
+Edit /etc/samba/smb.conf file to have below parameters in the global section.
+
+    # cat /etc/samba/smb.conf
+    [global]
+    workgroup = winad
+    realm = winad.com
+    server string = Samba Server Version %v
+    security = ADS
+    allow trusted domains = No
+    password server = server.winad.com
+    log file = /var/log/samba/log.%m
+    max log size = 50
+    idmap uid = 1000019999
+    idmap gid = 1000019999
+    template shell = /bin/bash
+    winbind separator = +
+    winbind use default domain = Yes
+    idmap config REFARCHAD:range = 1000000019999999
+    idmap config REFARCHAD:backend = rid
+    cups options = raw
+
+
+    # service smb stop
+
+    # service winbind stop
+
+    # tar -cvf /var/tmp/samba-cache-backup.tar /var/lib/samba
+
+    # ls -la /var/tmp/samba-cache-backup.tar
+
+    # rm -f /var/lib/samba/*
+
+
+Verify that no kerberos ticket available and cached.
+
+    # kdestroy
+
+    # klist
+
+Rejoin the domain.
+
+    # net join -S server -U Administrstor
+
+Test that client rejoined the domain.
+
+    # net ads info
+
+Restart smb and winbind service.
+
+    # wbinfo --domain-users
+
+Perform kinit for the domain users prepared on active directory. This is obtain
+the kerberos ticket for user 'auth_admin'
+
+    # kinit auth_admin
+
+    # id -Gn auth_admin
+
+###Notes
+Obtaining the HTTP service principal & keytab file and installing it with
+swiftkerbauth is added to swiftkerbauth_guide
+
+###References
+Reference Document for adding Linux box to windows domain :
+Integrating Red Hat Enterprise Linux 6
+with Active Directory