Adding a Linux box to a DC

zetsway

Senior member
Nov 8, 2007
721
0
76
Ok, I don't know if this is the correct place to post but I'm really frustrated right now.....

I have tried this for six days with no success. I have googled the google out of google (if that makes sense) and I still can't get this to work.

First let me say this. I have some experience with Linux. I took two semesters of Linux networking when I was in college. With that said here's what I'm trying to do.

I need two things:
Proxy server
Internal Mail server

To accomplish this I have chosen to use CentOS. WHY? Someone on my group told me to. If I should use a different distro let me know.

What I need to do is join both servers to my domain. Yes, I know there are other ways to do this but I need to add these servers to my DC. I want to pass the users in AD through my proxy server. I would like to use a Linux based proxy and not a windows.

Here's the information:
On the mail server

Here's what I installed:
PHP
Apache
MySql
Webmin
Yum
Yum extender
NTP (when I tried to auth against AD it said "Clock skew too great"; it was a four hour difference and from what I understand it can only be a five minute difference)
Roundcube (I wanted to try this mail system out since I heard SquirrelMail is a pain to install and this one has an Ajax GUI :) you should look into it)

Didn't try and make a share folder but I can see it on the network


Proxy server
Installed apps:
PHP
Apache
Webmin
Yum
Yum extender

I created a user and a share folder on this one. I can get to it fine from my computer.

I can ping both computers from my Windows box (this box is joined to the DC). I can pull up Webmin on both computers. I can see their shares.

So what do I want to do? Join them to the domain.

I made sure samba and kerberos were installed. I changed my smb.conf and my krb5.conf
I did a kinit and it asked for the password, I typed it in and it failed. What am I doing wrong?

The first day I did this I was able to get a ticket. But when I did a net join ads -U it wouldn't work (I don't know if that's the right command I'm typing from memory) anyway please help. SOMEONE PLEASE I don't know what to do
 

Netopia

Diamond Member
Oct 9, 1999
4,793
4
81
I know not. But at your suggestion, I will look at RoundCube.

After you get the AD stuff worked out, but before you put the mail server into full operation, you may want to take a look at FreeSpamFilter.org (http://freespamfilter.org) for some ideas on filtering SPAM, phishing, and viruses on that server.

Joe
 

zetsway

Senior member
Nov 8, 2007
721
0
76
Originally posted by: Netopia
I know not. But at your suggestion, I will look at RoundCube.

After you get the AD stuff worked out, but before you put the mail server into full operation, you may want to take a look at FreeSpamFilter.org (http://freespamfilter.org) for some ideas on filtering SPAM, phishing, and viruses on that server.

Joe

Thanks for the suggestion. I'm doing everything over right now. I'm going to install Fedora and I found a tut online. I hope this works :)
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: Brazen
Roundcube looks pretty awesome.

here is a quick guide to attaching to AD, command lines start with a '#'. Replace "DOMAIN" with the all-caps name of your domain (yes, case is important):

install software:
# sudo yum -y install krb5-workstation samba

backup and wipe out config files
# sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.original
# sudo mv /etc/krb5.conf /etc/krb5.conf.original

create a blank krb5.conf (DCs will be found through dns)
# sudo touch /etc/krb5.conf

Test your connection with:
# sudo kinit Administrator@DOMAIN
enter the password for the "Administrator" on DOMAIN. You should not get an error.

# sudo nano /etc/samba/smb.conf
put this in the smb.conf:
[global]
server string = %h server (Samba, CentOS 5)
realm = DOMAIN
workgroup = DOMAIN
security = ADS
encrypt passwords = yes

### winbind configuration
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

### default Samba stuff that needs to be set
log file = /var/log/samba/%m.log
max log size = 100
socket options = TCP_NODELAY

# if this isn't a print server, leaving out this section will fill up the logs
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
notice the two entries of "DOMAIN" that need to be replaced by you.

# sudo nano /etc/pam.d/samba
Add the following lines:
auth required pam_winbind.so
account required pam_winbind.so
Close and save the file.

# sudo nano /etc/nsswitch.conf
Add "winbind" without the quotes to the end of the passwd and group lines.

# sudo ldconfig -v | grep winbind
This will rebuild the linker cache. Just do it.

# sudo net ads join -U Administrator@DOMAIN
This will actually do the join of the server to the domain.

Restart smb and winbind and start both on boot. Also, it is important that anytime you restart smb, you must restart winbind AFTER.
# sudo /etc/init.d/smb restart && sudo /etc/init.d/winbind restart
# sudo chkconfig smb on && sudo chkconfig winbind on

Test with this:
# getent passwd
# getent group
They should return Active Directory users and groups, respectively
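As an added example (not part of Brazen's post or the thread): a POSIX sh script that checks the smb.conf entries the guide above relies on before you run "net ads join", and adds winbind to the passwd and group lines of nsswitch.conf so the edit is safe to re-run. File paths are passed as arguments so it can be tried on copies first; EXAMPLE.LOCAL in the comments is a made-up realm.

```shell
#!/bin/sh
# Added example, not from the original thread. Usage:
#   sh adcheck.sh /etc/samba/smb.conf /etc/nsswitch.conf

# Return 0 if smb.conf has the settings the guide requires for an AD join.
check_smb_conf() {
    conf="$1"
    rc=0
    # realm is the Kerberos realm and must be ALL CAPS (e.g. EXAMPLE.LOCAL);
    # kinit and net ads join are case sensitive about it
    realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$conf" \
            | head -n1 | sed 's/[[:space:]]*$//')
    if [ -z "$realm" ]; then
        echo "missing: realm"; rc=1
    elif [ "$realm" = "DOMAIN" ]; then
        echo "realm is still the placeholder DOMAIN"; rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$realm' is not upper-case"; rc=1
    fi
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$conf" \
        || { echo "missing: security = ADS"; rc=1; }
    grep -Eq '^[[:space:]]*workgroup[[:space:]]*=' "$conf" \
        || { echo "missing: workgroup"; rc=1; }
    # winbind needs a uid and gid range to map AD SIDs onto local ids
    for key in 'idmap uid' 'idmap gid'; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[0-9]+-[0-9]+" "$conf" \
            || { echo "missing: $key range"; rc=1; }
    done
    return $rc
}

# Append "winbind" to the passwd and group lines of nsswitch.conf, once only,
# leaving every other line (hosts, shadow, ...) untouched.
add_winbind_to_nsswitch() {
    f="$1"
    for db in passwd group; do
        grep -Eq "^$db:.*([[:space:]]|:)winbind([[:space:]]|$)" "$f" && continue
        tmpf=$(mktemp)
        sed "s/^\($db:.*\)$/\1 winbind/" "$f" > "$tmpf" && cat "$tmpf" > "$f"
        rm -f "$tmpf"
    done
}

if [ "$#" -eq 2 ]; then
    check_smb_conf "$1" && add_winbind_to_nsswitch "$2"
fi
```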
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: zetsway
Originally posted by: Netopia
I know not. But at your suggestion, I will look at RoundCube.

After you get the AD stuff worked out, but before you put the mail server into full operation, you may want to take a look at FreeSpamFilter.org (http://freespamfilter.org) for some ideas on filtering SPAM, phishing, and viruses on that server.

Joe

Thanks for the suggestion. I'm doing everything over right now. I'm going to install Fedora and I found a tut online. I hope this work :)

For the love of all things holy, please do not use Fedora for a production server.
 

zetsway

Senior member
Nov 8, 2007
721
0
76
Originally posted by: Brazen
Originally posted by: zetsway
Originally posted by: Netopia
I know not. But at your suggestion, I will look at RoundCube.

After you get the AD stuff worked out, but before you put the mail server into full operation, you may want to take a look at FreeSpamFilter.org (http://freespamfilter.org) for some ideas on filtering SPAM, phishing, and viruses on that server.

Joe

Thanks for the suggestion. I'm doing everything over right now. I'm going to install Fedora and I found a tut online. I hope this work :)

For the love of all things holy, please do not use Fedora for a production server.

Why not? AND THANK YOU!!!!! I spent I don't know how many hours trying to get this working. Oh I'm so happy it works. :)
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: zetsway
Originally posted by: Brazen

For the love of all things holy, please do not use Fedora for a production server.

Why not? AND THANK YOU!!!!! I spent I don't know how many hours trying to get this working. Oh I'm so happy it works. :)

So you got it working with the directions I posted? That's good. It took me forever to get those steps down. There are guides out there, but they are old and have outdated/incorrect information and/or want you to do something funky like put static entries for your domain controllers in the krb5.conf, which is error-prone and gonna break if you ever migrate your domain controller(s).

Anyway, I would not use Fedora for a couple reasons:

1) Fedora is RedHat's "experimental" distribution. Its releases are based on a time-frame, not stability. RHEL is RedHat's rock-solid-tried-and-true-stake-our-reputation-on-it distribution which the developers put more focus into making sure it is stable and maintainable. Fedora is stable enough from what I've seen, but I've also seen some server-things that just don't work right in Fedora but work just like the documentation says they should in RHEL. This is keeping in mind that RedHat does not distribute free binaries for RHEL (only source code) so you'll need to go with CentOS (which I've used and have experienced ZERO differences from our RHEL boxen). This exact same thing goes for Ubuntu LTS (which I would suggest over RedHat) - Ubuntu LTS is the stable-minded platform and the non-LTS releases are more stable-but-experimental. Debian is also a good choice for a rock-solid server platform, though not as noob-friendly-by-default as Ubuntu.

2) There is an upgrade to Fedora roughly every 6 months. That means every six months you need to take the time to go through a version upgrade. This is an unnecessary hassle even if things go smoothly, and things are less likely to go smoothly based on what I just said in #1. With RHEL (CentOS) you get like 2 years between version upgrades and the likelihood of a smooth upgrade is much better. Again, this goes the same for Ubuntu LTS - you can upgrade from one Ubuntu LTS release to the next LTS a couple years later; and Debian goes a couple years between versions also. If you go with a non-LTS of Ubuntu, you'll have to upgrade to the next one in 6 months.

Granted, you don't HAVE to perform the upgrade right away in six months, but security updates will run out and then you'll have to wipe out and reinstall or do several successive upgrades through the releases to get up to the latest version.

edit: and by the way, Ubuntu LTS is my distro of choice for servers, if you want to know.
 

zetsway

Senior member
Nov 8, 2007
721
0
76
The linux guy on my team told me to go with CentOS but I couldn't get it to work with CentOS. :(
Since I got it working I don't want to break it because it took me forever to get it working. Down the road *cough* *cough* I can change it to CentOS. Now I don't know what I should do. I guess I should take the time and do it right the first time *sigh*
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: zetsway
The linux guy on my team told me to go with CentOS but I couldn't get it to work with CentOS. :(
Since I got it working I don't want to break it because it took me forever to get it working. Down the road *cough* *cough* I can change it to CentOS. Now I don't know what I should do. I guess I should take the time and do it right the first time *sigh*

It is MUCH easier to do it right the first time. Install VMWare Server and try it out in a virtual machine first, if you want. The instructions I posted are from the notes I took on setting up our CentOS server.
 

zetsway

Senior member
Nov 8, 2007
721
0
76
Originally posted by: Brazen
Originally posted by: zetsway
The linux guy on my team told me to go with CentOS but I couldn't get it to work with CentOS. :(
Since I got it working I don't want to break it because it took me forever to get it working. Down the road *cough* *cough* I can change it to CentOS. Now I don't know what I should do. I guess I should take the time and do it right the first time *sigh*

It is MUCH easier to do it right the first time. Install VMWare Server and try it out in a virtual machine first, if you want. The instructions I posted are from the notes I took on setting up our CentOS server.

:( :( :( ok ok ok I'll do it right thanks again for your help. I'll post here if I have any problems. I'm going to install it as soon as I get to work.

Boy I hate installing this crap when I finally got it to work. I'm praying that all goes well and everything works. It took me over an hour last time to install all the plugins; when Fedora had it all installed for you. I'm using CentOS v5.

I'll let you know what happens.
 

zetsway

Senior member
Nov 8, 2007
721
0
76
Guess what for the first time my connection closed on me when trying to remote in from home. I'm going to uninstall this as soon as I get to work.
 

zetsway

Senior member
Nov 8, 2007
721
0
76
Boy was Brazen right! I came in this morning and both Fedora servers crashed. I had bugs and all sorts of errors :( Before I posted here I was running CentOS on both servers for a week and I didn't have any problems. Thank you for your words of wisdom :)
 

zetsway

Senior member
Nov 8, 2007
721
0
76
I have a problem with your instructions Brazen. When I rebooted it said "Who am I"


Here's what I found:

The netbios has to be in there
You also have me doing a mv instead of a cp of /etc/samba/smb.conf /etc/samba/smb.conf.original

no big deal there.

But here's the problem I get a GM error when I rebooted. I have no idea what that means

It joined the domain but I can remote into it. I'll have to check when I get back to work and I'll post my findings here.

 

zetsway

Senior member
Nov 8, 2007
721
0
76
OK so after I join the domain and reboot I get the following Error GDM user does not exist. Nooooooo
I have no idea what happened. I tried the steps again and the same thing happened. Please helppppp
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: zetsway
OK so after I join the domain and reboot I get the following Error GDM user does not exist. Nooooooo
I have no idea what happened. I tried the steps again and the same thing happened. Please helppppp

You'll probably just need to edit a file under /etc/pam.d/ to allow gdm to authenticate through winbind. It would be similar to the /etc/pam.d/samba in my instructions. In fact, you could do without the change to /etc/pam.d/samba if you are not using this as a file server (kinda crazy that samba provides the AD connection, but you still have to tell samba how to use it).

The netbios has to be in there

It should not need netbios if your dns is working correctly. I think what I do is manually add the server name and ip address to my dns server (there should be a way for linux to add itself automatically to a ddns enabled server, but I have not bothered to find out how, or why it doesn't do it by automagical default)

You also have me doing a mv instead of a cp of /etc/samba/smb.conf /etc/samba/smb.conf.original

a "mv" is what I intended. I like to start with a clean slate. I literally wipe out the config and only put in the entries I listed. The only addition is the share definitions, which you do not want if you are not using this as a file server.