So let's go through the steps now --
i) First of all, we need the latest versions of some basic packages to make this task possible.
They are --
1. Samba
2. Samba-client
3. Samba-winbind
4. Krb5-workstation
5. Policycoreutils-python
Command to install them from the console --
yum install -y ntpdate samba samba-client samba-winbind krb5-workstation policycoreutils-python
ii) Now it's time to make the Windows Active Directory reachable from the CentOS PC. For that we need to add the Active Directory FQDN and IP address to resolv.conf.
So open the file /etc/resolv.conf and add the following --
domain ad.local
nameserver 192.168.0.1
If ad.local is pingable from the console, then our work for resolving AD is done.
iii) Now we need to sync the time of the AD and the CentOS PC, so that they can authenticate using the Kerberos mechanism. It can be done as follows --
crontab -e
Now add the following to the file that opens --
0 */4 * * * /usr/sbin/ntpdate 192.168.0.1 >/dev/null 2>&1
Now synchronize the time with --
ntpdate 192.168.0.1
We will see the synced time and date on the console.
iv) Now we need to edit the samba configuration file --
[global]
workgroup = AD
server string = Samba Server Version %v
security = ads
realm = AD.LOCAL
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config AD : backend = rid
idmap config AD : range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 6
log file = /var/log/samba/log.%m
max log size = 50
v) Edit the krb5.conf file for authentication --
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.LOCAL
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[domain_realm]
.ad.local = AD.LOCAL
ad.local = AD.LOCAL
vi) Now we update the nss configuration file by opening the file /etc/nsswitch.conf.
passwd: files winbind
group: files winbind
We are done.
vii) It's the last step to make CentOS an AD member of a Windows system. Let's get it over with by --
net ads join -U administrator
It will ask for the password. Give it and voilà!!
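Before running the join, it is worth checking the idmap ranges from step iv: Samba requires the ranges of different idmap domains to be disjoint, and a local account whose UID sits inside a range can end up sharing a UID with an AD user. The script below is an added example, not part of the original post; the function names, the svc_backup account and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint idmap ranges before "net ads join".

# Print "domain lo hi" for each "idmap config <domain> : range = lo-hi" line in $1.
idmap_ranges() {
    awk -F'=' '/^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
        dom = $1; sub(/^[ \t]*idmap config[ \t]*/, "", dom); sub(/[ \t]*:.*$/, "", dom)
        gsub(/[ \t]/, "", $2); split($2, r, "-"); print dom, r[1], r[2] }' "$1"
}

# Return 0 if every range is well-formed and no two overlap; print findings otherwise.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $2 + 0 > $3 + 0 {
            print "bad range: " $1 " " $2 "-" $3; bad = 1; next }
        { for (i = 1; i <= n; i++) if ($2 + 0 <= hi[i] && lo[i] <= $3 + 0) {
              print "overlap: " dom[i] " and " $1; bad = 1 }
          n++; dom[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0 }
        END { exit bad + 0 }'
}

# Print local accounts (passwd-format file $2) whose UID falls inside an idmap range of $1.
local_uid_collisions() {
    idmap_ranges "$1" | awk -F: '
        NR == FNR { split($0, f, " "); n++; dom[n] = f[1]; lo[n] = f[2] + 0; hi[n] = f[3] + 0; next }
        { for (i = 1; i <= n; i++) if ($3 + 0 >= lo[i] && $3 + 0 <= hi[i])
              print $1 " uid " $3 " is inside the " dom[i] " range" }' - "$2"
}

# Constructed samples: "good" uses the ranges from this post, "bad" overlaps them.
write_samples() {
    printf '%s\n' '[global]' 'idmap config * : backend = tdb' \
        'idmap config * : range = 100000-299999' 'idmap config AD : backend = rid' \
        'idmap config AD : range = 10000-99999' > "$1/smb.good"
    printf '%s\n' '[global]' 'idmap config * : range = 50000-299999' \
        'idmap config AD : range = 10000-99999' > "$1/smb.bad"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'svc_backup:x:10050:10050::/home/svc_backup:/bin/bash' > "$1/passwd"
}

d=$(mktemp -d) && write_samples "$d"
for f in smb.good smb.bad; do
    if check_idmap_ranges "$d/$f"; then echo "$f: ranges ok"; else echo "$f: fix ranges"; fi
done
local_uid_collisions "$d/smb.good" "$d/passwd"
rm -rf "$d"
```

On a real machine, point the functions at the samba configuration file and /etc/passwd instead of the constructed samples.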