From 41261e3828f5102ae8d203a5b576b0001bdcc075 Mon Sep 17 00:00:00 2001
From: Prashanth Pai
Date: Fri, 4 Oct 2013 17:50:32 +0530
Subject: Add Windows AD documentation
Added documentation to setup swiftkerbauth environment with Windows Active Directory Server and Linux client
Change-Id: I18333428c633b23fd15afc8965266d546f0bb03b
Original-author: Chetan Risbud
Signed-off-by: Prashanth Pai
Reviewed-on: http://review.gluster.org/6041
Reviewed-by: Luis Pabon
Tested-by: Luis Pabon
---
 README.md | 8 +-
 doc/AD_client.md | 206 +++++++++++++++++++++++++++++++++++++++++++++
 doc/AD_server.md | 107 +++++++++++++++++++++++
 doc/swiftkerbauth_guide.md | 8 ++
 4 files changed, 326 insertions(+), 3 deletions(-)
 create mode 100644 doc/AD_client.md
 create mode 100644 doc/AD_server.md
diff --git a/README.md b/README.md
index f3ef73a..84f2c29 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,8 @@ Table of Contents
 -----------------
 1. [Architecture](doc/architecture.md)
-2. [IPA Server Guide](doc/ipa_server.md)
-3. [IPA Client Guide](doc/ipa_client.md)
-4. [Swiftkerbauth Guide](doc/swiftkerbauth_guide.md)
+2. [RHEL IPA Server Guide](doc/ipa_server.md)
+3. [RHEL IPA Client Guide](doc/ipa_client.md)
+4. [Windows AD Server Guide](doc/AD_server.md)
+5. [Windows AD Client Guide](doc/AD_client.md)
+6. [Swiftkerbauth Guide](doc/swiftkerbauth_guide.md)
diff --git a/doc/AD_client.md b/doc/AD_client.md
new file mode 100644
index 0000000..0947a1e
--- /dev/null
+++ b/doc/AD_client.md
@@ -0,0 +1,206 @@
+#AD client setup guide
+
+###Contents
+* [Setup Overview] (#setup)
+* [Configure Network] (#network)
+* [Installing AD Client] (#AD-client)
+
+
+###Setup Overview
+
+This guide talks about adding fedora linux client to windows domain.
+The test setup included a client machine with Fedora 19 installed
+on it with all the latest packages updated. The crux is to add this linux
+machine to Windows Domain. This linux box is expected to act as RHS node and on which swiftkerbauth,
+apachekerbauth code would run.
+
+Set hostname (FQDN) to fcclient.winad.com
+
+ # hostnamectl set-hostname "fcclient.winad.com"
+
+ # hostname "fcclient.winad.com"
+
+
+
+### Configure client
+
+* Deploy Fedora linux 19.
+
+* Update the system with latest packages.
+
+* Configure SELinux security parameters.
+
+* Install & configure samba
+
+* Configure DNS
+
+* Synchronize the time services
+
+* Join Domain
+
+* Install / Configure Kerberos Client
+
+
+The document assumes the installing Fedora Linux and configuring SELinux
+parameters to 'permissive' is known already.
+
+###Install & Configure Samba:
+ # yum -y install samba samba-client samba-common samba-winbind
+ samba-winbind-clients
+
+ # service start smb
+
+ # ps -aef | grep smb
+ # chkconfig smb on
+
+###Synchronize time services
+The kerberos authentication and most of the DNS functionality could fail with
+clock skew if times are not synchronized.
+
+ # cat /etc/ntp.conf
+ server ns1.bos.redhat.com
+ server 10.5.26.10
+
+ # service ntpd stop
+
+ # ntpdate 10.16.255.2
+
+ # service ntpd start
+
+ #chkconfig ntpd on
+
+Check if Windows server in the whole environment is also time synchronized with
+same source.
+
+ # C:\Users\Administrator>w32tm /query /status | find "Source"
+
+ Source: ns1.xxx.xxx.com
+
+###Configure DNS on client
+Improperly resolved hostname is the leading cause in authentication failures.
+Best practice is to configure fedora client to use Windows DNS.
+'nameserver' below is the IP address of the windows server.
+ # cat /etc/resolve.conf
+ domain server.winad.com
+ search server.winad.com
+ nameserver 10.nn.nnn.3
+
+###Set the hostname of the client properly (FQDN)
+ # cat /etc/sysconfig/network
+ HOSTNAME=fcclient.winad.com
+
+
+###Install & Configure kerberos client
+
+ # yum -y install krb5-workstation
+
+Edit the /etc/krb5.conf as follows:
+
+ # cat /etc/krb5.conf
+ [logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+ [libdefaults]
+ default_realm = WINAD.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+ [realms]
+ WINAD.COM = {
+ kdc = server.winad.com
+ admin_server = server.winad.com
+ }
+ [domain_realm]
+ .demo = server.winad.com
+ demo = server.winad.com
+
+###Join Domain
+Fire command 'system-config-authentication' on client. This should display a
+graphical wizard. Below inputs would help configure this wizard.
+
+ - User account data base = winbind
+ - winbind domain = winad
+ - security model = ads
+ - winbind ads realm = winad.com
+ - winbind controller = server.winad.com
+ - template shell = /bin/bash
+ - let the other options be as is to default.
+ - Perform Join domain and appy settings and quit. Please note this join should
+ not see any errors. This makes the client fedora box to join the windows
+ domain.
+
+###Configure the kerberos client
+This would bring the users/groups from Windows Active directory to this
+fedora client.
+
+Edit /etc/samba/smb.conf file to have below parameters in the global section.
+
+ # cat /etc/samba/smb.conf
+ [global]
+ workgroup = winad
+ realm = winad.com
+ server string = Samba Server Version %v
+ security = ADS
+ allow trusted domains = No
+ password server = server.winad.com
+ log file = /var/log/samba/log.%m
+ max log size = 50
+ idmap uid = 10000­19999
+ idmap gid = 10000­19999
+ template shell = /bin/bash
+ winbind separator = +
+ winbind use default domain = Yes
+ idmap config REFARCH­AD:range = 10000000­19999999
+ idmap config REFARCH­AD:backend = rid
+ cups options = raw
+
+
+ # service smb stop
+
+ # service winbind stop
+
+ # tar -cvf /var/tmp/samba-cache-backup.tar /var/lib/samba
+
+ # ls -la /var/tmp/samba-cache-backup.tar
+
+ # rm ­-f /var/lib/samba/*
+
+
+Verify that no kerberos ticket available and cached.
+
+ # kdestroy
+
+ # klist
+
+Rejoin the domain.
+
+ # net join -S server -U Administrstor
+
+Test that client rejoined the domain.
+
+ # net ads info
+
+Restart smb and winbind service.
+
+ # wbinfo --domain-users
+
+Perform kinit for the domain users prepared on active directory. This is obtain
+the kerberos ticket for user 'auth_admin'
+
+ # kinit auth_admin
+
+ # id -Gn auth_admin
+
+###Notes
+Obtaining the HTTP service principal & keytab file and installing it with
+swiftkerbauth is added to swiftkerbauth_guide
+
+###References
+Reference Document for adding Linux box to windows domain :
+Integrating Red Hat Enterprise Linux 6
+with Active Directory
diff --git a/doc/AD_server.md b/doc/AD_server.md
new file mode 100644
index 0000000..c34f0f1
--- /dev/null
+++ b/doc/AD_server.md
@@ -0,0 +1,107 @@
+#Windows Active Directory & Domain Controller Server Guide
+
+###Contents
+* [Setup Overview] (#Setup)
+* [Installing Active Directory Services] (#AD-server)
+* [Configuring DNS] (#DNS)
+* [Adding Users and Groups] (#users-groups)
+
+
+
+###Setup Overview
+
+The setup includes a server machine installed with Windows 2008 R2 Server, with
+Domain Controller, Active Directory services & DNS server installed alongwith.
+The steps to install windows operating system and above servers can be found
+on MicroSoft Documentation. This windows Active Directory server would act as an
+authentication server in the whole setup. This would provide the access control
+and permissions for users on certain data objects.
+
+
+Windows 2008 R2 deployment:
+
+http://technet.microsoft.com/en-us/library/dd283085.aspx
+
+
+Configuring Active Directory, Domain Services, DNS server:
+
+http://technet.microsoft.com/en-us/library/cc770946.aspx
+
+
+
+###Installing AD Server
+
+Administrators need to follow simple instructions in Server Manager on Windows
+2008, and should add Active Directory Domain Services & DNS server. It is
+recommended to use static IP for DNS server. Preferred Hostname(FQDN) for
+Windows server could be of format hostname 'server.winad.com' where
+'winad.com' is a domain name.
+
+Following tips would help prepare a test setup neatly.
+
+ - Select Active Directory Domain services wizard in Server Manager
+ - Move on to install it with all the pre-requisits, e.g. .NET framework etc.
+ - Configure Active directory after installtion via exapanding the 'Roles'
+ section in the server manager.
+ - Create a new Domain in the New Forest.
+ - Type the FQDN, winad.com
+ - Set Forest functional level Windows 2008 R2.
+ - Selct additional options for this domain controller as DNS server.
+ - Leave the log locations to default provided by wizard.
+ - Set the Administrator Password carefully.
+ - Thats it. You are done configuring active directory.
+
+
+
+###Configuring DNS
+
+This section explains configuring the DNS server installed on Windows 2008 R2
+server. You must know know about
+
+ - Forward lookup zone
+
+ - Reverse lookup zone
+
+ - Zone type
+
+A forward lookup zone is simply a way to resolve hostnames to IP address.
+A reverse lookup zone is to lookup DNS hostname of the host IP.
+
+Following tips would help configure the Zones on DNS server.
+
+ - Create a Forward lookup zone.
+ - Create it a primary zone.
+ - Add the Clients using their ip addresses and FQDN to this forward lookup
+ zones.
+ - This would add type 'A' record for that host on DNS server.
+ - Similarly create a Reverser lookup zone.
+ - Add clients 'PTR' record to this zone via browsing through the forward
+ zones clients.
+
+The above setup can be tested on client once it joins the domain using 'dig'
+command as mentioned below.
+
+
+On client:
+
+ # dig fcclient.winad.com
+ This should yield you a Answer section mentioning its IP address.
+
+ Reverse lookup can be tested using
+
+ # 'dig -t ptr 101.56.168.192.in-addr.arpa.'
+ The answer section should state the FQDN of the client.
+
+ Repeat the above steps on client for Windows AD server as well.
+
+
+
+###Adding users and groups
+
+Adding groups and users to the Windows domain is easy task.
+
+ - Start -> Administrative Tools -> Active Directory Users & Computers
+ - Expand the domain name which was prepared earlier. e.g winad.com
+ - Add groups with appropreate access rights.
+ - Add users to the group with appropreate permissions.
+ - Make sure you set password for users prepared on AD server.
diff --git a/doc/swiftkerbauth_guide.md b/doc/swiftkerbauth_guide.md
index eaebca5..ef76ad0 100644
--- a/doc/swiftkerbauth_guide.md
+++ b/doc/swiftkerbauth_guide.md
@@ -43,6 +43,14 @@ Retrieve the HTTP service principal to a keytab file:
 Copy keytab file to client:
 > scp /tmp/http.keytab root@192.168.56.101:/etc/httpd/conf/http.keytab
+## Creating HTTP Service Principal on Windows AD server
+
+Add a HTTP Kerberos service principal:
+> c:\>ktpass.exe -princ HTTP/fcclient.winad.com@WINAD.COM -mapuser
+> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab
+
+Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab
+
 *****
-- cgit