author: Prashanth Pai <> 2013-10-04 17:50:32 +0530
committer: Luis Pabon <> 2013-10-17 13:01:12 -0700
commit: 41261e3828f5102ae8d203a5b576b0001bdcc075 (patch)
parent: 373032fc97d27c79895e6114670760aa717f9f61 (diff)
Add Windows AD documentation
Added documentation to set up a swiftkerbauth environment with a Windows Active Directory server and a Linux client.

Change-Id: I18333428c633b23fd15afc8965266d546f0bb03b
Original-author: Chetan Risbud <>
Signed-off-by: Prashanth Pai <>
Reviewed-on:
Reviewed-by: Luis Pabon <>
Tested-by: Luis Pabon <>
4 files changed, 326 insertions, 3 deletions
diff --git a/ b/
index f3ef73a..84f2c29 100644
--- a/
+++ b/
@@ -14,6 +14,8 @@ Table of Contents
1. [Architecture](doc/
-2. [IPA Server Guide](doc/
-3. [IPA Client Guide](doc/
-4. [Swiftkerbauth Guide](doc/
+2. [RHEL IPA Server Guide](doc/
+3. [RHEL IPA Client Guide](doc/
+4. [Windows AD Server Guide](doc/
+5. [Windows AD Client Guide](doc/
+6. [Swiftkerbauth Guide](doc/
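Review bot: the renamed entries 2 and 3 now carry an "RHEL" prefix, but the new Windows AD Client Guide added in this same patch documents a Fedora 19 client, so the platform labels in the table of contents no longer match what the guides describe; either drop the distribution prefixes from entries 2 and 3 or label the AD client guide by the platform it actually covers.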
diff --git a/doc/ b/doc/
new file mode 100644
index 0000000..0947a1e
--- /dev/null
+++ b/doc/
@@ -0,0 +1,206 @@
+#AD client setup guide
+* [Setup Overview] (#setup)
+* [Configure Network] (#network)
+* [Installing AD Client] (#AD-client)
+<a name="setup" />
+###Setup Overview
+This guide talks about adding fedora linux client to windows domain.
+The test setup included a client machine with Fedora 19 installed
+on it with all the latest packages updated. The crux is to add this linux
+machine to Windows Domain. This linux box is expected to act as RHS node and on which swiftkerbauth,
+apachekerbauth code would run.
+Set hostname (FQDN) to
+ # hostnamectl set-hostname ""
+ # hostname ""
+<a name="network" />
+### Configure client
+* Deploy Fedora linux 19.
+* Update the system with latest packages.
+* Configure SELinux security parameters.
+* Install & configure samba
+* Configure DNS
+* Synchronize the time services
+* Join Domain
+* Install / Configure Kerberos Client
+The document assumes the installing Fedora Linux and configuring SELinux
+parameters to 'permissive' is known already.
+###Install & Configure Samba:
+ # yum -y install samba samba-client samba-common samba-winbind
+ samba-winbind-clients
+ # service start smb
+ # ps -aef | grep smb
+ # chkconfig smb on
+###Synchronize time services
+The kerberos authentication and most of the DNS functionality could fail with
+clock skew if times are not synchronized.
+ # cat /etc/ntp.conf
+ server
+ server
+ # service ntpd stop
+ # ntpdate
+ # service ntpd start
+ #chkconfig ntpd on
+Check if Windows server in the whole environment is also time synchronized with
+same source.
+ # C:\Users\Administrator>w32tm /query /status | find "Source"
+ Source:
+###Configure DNS on client
+Improperly resolved hostname is the leading cause in authentication failures.
+Best practice is to configure fedora client to use Windows DNS.
+'nameserver' below is the IP address of the windows server.
+ # cat /etc/resolve.conf
+ domain
+ search
+ nameserver 10.nn.nnn.3
+###Set the hostname of the client properly (FQDN)
+ # cat /etc/sysconfig/network
+###Install & Configure kerberos client
+ # yum -y install krb5-workstation
+Edit the /etc/krb5.conf as follows:
+ # cat /etc/krb5.conf
+ [logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ [libdefaults]
+ default_realm = WINAD.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ [realms]
+ kdc =
+ admin_server =
+ }
+ [domain_realm]
+ .demo =
+ demo =
+###Join Domain
+Fire command 'system-config-authentication' on client. This should display a
+graphical wizard. Below inputs would help configure this wizard.
+ - User account data base = winbind
+ - winbind domain = winad
+ - security model = ads
+ - winbind ads realm =
+ - winbind controller =
+ - template shell = /bin/bash
+ - let the other options be as is to default.
+ - Perform Join domain and appy settings and quit. Please note this join should
+ not see any errors. This makes the client fedora box to join the windows
+ domain.
+###Configure the kerberos client
+This would bring the users/groups from Windows Active directory to this
+fedora client.
+Edit /etc/samba/smb.conf file to have below parameters in the global section.
+ # cat /etc/samba/smb.conf
+ [global]
+ workgroup = winad
+ realm =
+ server string = Samba Server Version %v
+ security = ADS
+ allow trusted domains = No
+ password server =
+ log file = /var/log/samba/log.%m
+ max log size = 50
+ idmap uid = 10000­19999
+ idmap gid = 10000­19999
+ template shell = /bin/bash
+ winbind separator = +
+ winbind use default domain = Yes
+ idmap config REFARCH­AD:range = 10000000­19999999
+ idmap config REFARCH­AD:backend = rid
+ cups options = raw
+ # service smb stop
+ # service winbind stop
+ # tar -cvf /var/tmp/samba-cache-backup.tar /var/lib/samba
+ # ls -la /var/tmp/samba-cache-backup.tar
+ # rm ­-f /var/lib/samba/*
+Verify that no kerberos ticket available and cached.
+ # kdestroy
+ # klist
+Rejoin the domain.
+ # net join -S server -U Administrstor
+Test that client rejoined the domain.
+ # net ads info
+Restart smb and winbind service.
+ # wbinfo --domain-users
+Perform kinit for the domain users prepared on active directory. This is obtain
+the kerberos ticket for user 'auth_admin'
+ # kinit auth_admin
+ # id -Gn auth_admin
+Obtaining the HTTP service principal & keytab file and installing it with
+swiftkerbauth is added to swiftkerbauth_guide
+Reference Document for adding Linux box to windows domain :
+Integrating Red Hat Enterprise Linux 6
+with Active Directory
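Review bot: the krb5.conf fragment under "Install & Configure kerberos client" is not valid as written: the `[realms]` section opens with `kdc =` and `admin_server =` and then closes a `}` that was never opened, so the realm name and its opening `WINAD.COM = {` line are missing, and the `[domain_realm]` mappings for `.demo` / `demo` do not correspond to the `winad` domain and `WINAD.COM` realm used everywhere else in the guide; with `dns_lookup_kdc = false` a wrong or missing realm block means no KDC is ever found. Several commands will also fail if copied: `service start smb` has the arguments reversed (`service smb start`), and since the guide already uses `hostnamectl` for a Fedora 19 host the `service`/`chkconfig` calls should be `systemctl` throughout; `/etc/resolve.conf` should be `/etc/resolv.conf`; `net join -S server -U Administrstor` misspells Administrator, leaves `server` unexplained, and should be `net ads join` for an ADS security model. In the smb.conf block, `idmap config REFARCH-AD:range` and `:backend = rid` refer to a domain named REFARCH-AD that does not exist in this setup (`workgroup = winad`), which looks carried over from the referenced Red Hat integration document, and the dash characters in the `idmap uid`/`idmap gid` ranges, the REFARCH-AD lines and `rm ­-f` are not plain ASCII hyphens, so a copy-paste produces parse errors. "Restart smb and winbind service." is followed directly by `wbinfo --domain-users` with no restart command, and there are two headings about configuring the Kerberos client although the second one configures Samba/winbind. The TOC link `[Installing AD Client] (#AD-client)` has no matching `<a name>` and the space before `(#...)` breaks the markdown links. Finally, for an authentication component the instruction to set SELinux to permissive deserves a sentence on fixing the actual denials (or at least pointing at the audit log) rather than leaving enforcement off on the node that holds the HTTP keytab.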
diff --git a/doc/ b/doc/
new file mode 100644
index 0000000..c34f0f1
--- /dev/null
+++ b/doc/
@@ -0,0 +1,107 @@
+#Windows Active Directory & Domain Controller Server Guide
+* [Setup Overview] (#Setup)
+* [Installing Active Directory Services] (#AD-server)
+* [Configuring DNS] (#DNS)
+* [Adding Users and Groups] (#users-groups)
+<a name="Setup" />
+###Setup Overview
+The setup includes a server machine installed with Windows 2008 R2 Server, with
+Domain Controller, Active Directory services & DNS server installed alongwith.
+The steps to install windows operating system and above servers can be found
+on MicroSoft Documentation. This windows Active Directory server would act as an
+authentication server in the whole setup. This would provide the access control
+and permissions for users on certain data objects.
+Windows 2008 R2 deployment:
+Configuring Active Directory, Domain Services, DNS server:
+<a name="AD-server" />
+###Installing AD Server
+Administrators need to follow simple instructions in Server Manager on Windows
+2008, and should add Active Directory Domain Services & DNS server. It is
+recommended to use static IP for DNS server. Preferred Hostname(FQDN) for
+Windows server could be of format hostname '' where
+'' is a domain name.
+Following tips would help prepare a test setup neatly.
+ - Select Active Directory Domain services wizard in Server Manager
+ - Move on to install it with all the pre-requisits, e.g. .NET framework etc.
+ - Configure Active directory after installtion via exapanding the 'Roles'
+ section in the server manager.
+ - Create a new Domain in the New Forest.
+ - Type the FQDN,
+ - Set Forest functional level Windows 2008 R2.
+ - Selct additional options for this domain controller as DNS server.
+ - Leave the log locations to default provided by wizard.
+ - Set the Administrator Password carefully.
+ - Thats it. You are done configuring active directory.
+<a name="dns" />
+###Configuring DNS
+This section explains configuring the DNS server installed on Windows 2008 R2
+server. You must know know about
+ - Forward lookup zone
+ - Reverse lookup zone
+ - Zone type
+A forward lookup zone is simply a way to resolve hostnames to IP address.
+A reverse lookup zone is to lookup DNS hostname of the host IP.
+Following tips would help configure the Zones on DNS server.
+ - Create a Forward lookup zone.
+ - Create it a primary zone.
+ - Add the Clients using their ip addresses and FQDN to this forward lookup
+ zones.
+ - This would add type 'A' record for that host on DNS server.
+ - Similarly create a Reverser lookup zone.
+ - Add clients 'PTR' record to this zone via browsing through the forward
+ zones clients.
+The above setup can be tested on client once it joins the domain using 'dig'
+command as mentioned below.
+On client:
+ # dig
+ This should yield you a Answer section mentioning its IP address.
+ Reverse lookup can be tested using
+ # 'dig -t ptr'
+ The answer section should state the FQDN of the client.
+ Repeat the above steps on client for Windows AD server as well.
+<a name="users-groups" />
+###Adding users and groups
+Adding groups and users to the Windows domain is easy task.
+ - Start -> Administrative Tools -> Active Directory Users & Computers
+ - Expand the domain name which was prepared earlier. e.g
+ - Add groups with appropreate access rights.
+ - Add users to the group with appropreate permissions.
+ - Make sure you set password for users prepared on AD server.
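Review bot: the TOC entry `[Configuring DNS] (#DNS)` points at `#DNS` while the anchor is `<a name="dns" />`; fragment identifiers are case-sensitive, so the link will not resolve, and the space between `]` and `(` in all four TOC entries breaks the markdown link syntax. In the DNS test, `dig -t ptr` as shown cannot take an IP address directly: a PTR query needs the in-addr.arpa name, so the reverse-lookup check should be written as `dig -x <client-ip>` (and the surrounding quotes around the command dropped). The text also has a number of spelling errors that should be fixed before merge: "alongwith", "MicroSoft", "know know", "pre-requisits", "installtion", "exapanding", "Selct", "Reverser", "appropreate" (twice), "Thats".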
diff --git a/doc/ b/doc/
index eaebca5..ef76ad0 100644
--- a/doc/
+++ b/doc/
@@ -43,6 +43,14 @@ Retrieve the HTTP service principal to a keytab file:
Copy keytab file to client:
> scp /tmp/http.keytab root@
+## Creating HTTP Service Principal on Windows AD server
+Add a HTTP Kerberos service principal:
+> c:\>ktpass.exe -princ HTTP/ -mapuser
+> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab
+Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab
<a name="install-swiftkerbauth" />
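Review bot: the `ktpass.exe` example commits a literal password (`-pass Redhat*123`) into the documentation; replace it with a clearly marked placeholder, and note that `ktpass` resets the mapped account's password to that value. Mapping the `HTTP/...` SPN to `auth_admin@WINAD.COM` is also a poor choice given that the client guide uses `auth_admin` as an interactive user (`kinit auth_admin`, `id -Gn auth_admin`): after `ktpass` runs, that user's previous password no longer works, and any compromise of the web server's keytab yields an admin-user credential. A dedicated, non-interactive service account for the HTTP principal avoids both problems, and specifying `-ptype KRB5_NT_PRINCIPAL` and a `-crypto` value matching the realm's supported encryption types avoids keytab/principal mismatches. "HTTP.ketab" is a typo, and the copy step should say that `/etc/httpd/conf/http.keytab` must be owned by the httpd user with mode 0400, since the keytab is a long-lived credential.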