-rw-r--r--  README.md                  |   8
-rw-r--r--  doc/AD_client.md           | 206
-rw-r--r--  doc/AD_server.md           | 107
-rw-r--r--  doc/swiftkerbauth_guide.md |   8
4 files changed, 326 insertions, 3 deletions
diff --git a/README.md b/README.md
index f3ef73a..84f2c29 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,8 @@ Table of Contents
-----------------
1. [Architecture](doc/architecture.md)
-2. [IPA Server Guide](doc/ipa_server.md)
-3. [IPA Client Guide](doc/ipa_client.md)
-4. [Swiftkerbauth Guide](doc/swiftkerbauth_guide.md)
+2. [RHEL IPA Server Guide](doc/ipa_server.md)
+3. [RHEL IPA Client Guide](doc/ipa_client.md)
+4. [Windows AD Server Guide](doc/AD_server.md)
+5. [Windows AD Client Guide](doc/AD_client.md)
+6. [Swiftkerbauth Guide](doc/swiftkerbauth_guide.md)
diff --git a/doc/AD_client.md b/doc/AD_client.md
new file mode 100644
index 0000000..0947a1e
--- /dev/null
+++ b/doc/AD_client.md
@@ -0,0 +1,206 @@
+#AD client setup guide
+
+###Contents
+* [Setup Overview] (#setup)
+* [Configure Network] (#network)
+* [Installing AD Client] (#AD-client)
+
+<a name="setup" />
+###Setup Overview
+
+This guide talks about adding fedora linux client to windows domain.
+The test setup included a client machine with Fedora 19 installed
+on it with all the latest packages updated. The crux is to add this linux
+machine to Windows Domain. This linux box is expected to act as RHS node and on which swiftkerbauth,
+apachekerbauth code would run.
+
+Set hostname (FQDN) to fcclient.winad.com
+
+ # hostnamectl set-hostname "fcclient.winad.com"
+
+ # hostname "fcclient.winad.com"
+
+
+<a name="network" />
+### Configure client
+
+* Deploy Fedora linux 19.
+
+* Update the system with latest packages.
+
+* Configure SELinux security parameters.
+
+* Install & configure samba
+
+* Configure DNS
+
+* Synchronize the time services
+
+* Join Domain
+
+* Install / Configure Kerberos Client
+
+
+The document assumes the installing Fedora Linux and configuring SELinux
+parameters to 'permissive' is known already.
+
+###Install & Configure Samba:
+ # yum -y install samba samba-client samba-common samba-winbind
+ samba-winbind-clients
+
+ # service start smb
+
+ # ps -aef | grep smb
+ # chkconfig smb on
+
+###Synchronize time services
+The kerberos authentication and most of the DNS functionality could fail with
+clock skew if times are not synchronized.
+
+ # cat /etc/ntp.conf
+ server ns1.bos.redhat.com
+ server 10.5.26.10
+
+ # service ntpd stop
+
+ # ntpdate 10.16.255.2
+
+ # service ntpd start
+
+ #chkconfig ntpd on
+
+Check if Windows server in the whole environment is also time synchronized with
+same source.
+
+ # C:\Users\Administrator>w32tm /query /status | find "Source"
+
+ Source: ns1.xxx.xxx.com
+
+###Configure DNS on client
+Improperly resolved hostname is the leading cause in authentication failures.
+Best practice is to configure fedora client to use Windows DNS.
+'nameserver' below is the IP address of the windows server.
+ # cat /etc/resolve.conf
+ domain server.winad.com
+ search server.winad.com
+ nameserver 10.nn.nnn.3
+
+###Set the hostname of the client properly (FQDN)
+ # cat /etc/sysconfig/network
+ HOSTNAME=fcclient.winad.com
+
+
+###Install & Configure kerberos client
+
+ # yum -y install krb5-workstation
+
+Edit the /etc/krb5.conf as follows:
+
+ # cat /etc/krb5.conf
+ [logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+ [libdefaults]
+ default_realm = WINAD.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+ [realms]
+ WINAD.COM = {
+ kdc = server.winad.com
+ admin_server = server.winad.com
+ }
+ [domain_realm]
+ .demo = server.winad.com
+ demo = server.winad.com
+
+###Join Domain
+Fire command 'system-config-authentication' on client. This should display a
+graphical wizard. Below inputs would help configure this wizard.
+
+ - User account data base = winbind
+ - winbind domain = winad
+ - security model = ads
+ - winbind ads realm = winad.com
+ - winbind controller = server.winad.com
+ - template shell = /bin/bash
+ - let the other options be as is to default.
+ - Perform Join domain and appy settings and quit. Please note this join should
+ not see any errors. This makes the client fedora box to join the windows
+ domain.
+
+###Configure the kerberos client
+This would bring the users/groups from Windows Active directory to this
+fedora client.
+
+Edit /etc/samba/smb.conf file to have below parameters in the global section.
+
+ # cat /etc/samba/smb.conf
+ [global]
+ workgroup = winad
+ realm = winad.com
+ server string = Samba Server Version %v
+ security = ADS
+ allow trusted domains = No
+ password server = server.winad.com
+ log file = /var/log/samba/log.%m
+ max log size = 50
+ idmap uid = 10000­19999
+ idmap gid = 10000­19999
+ template shell = /bin/bash
+ winbind separator = +
+ winbind use default domain = Yes
+ idmap config REFARCH­AD:range = 10000000­19999999
+ idmap config REFARCH­AD:backend = rid
+ cups options = raw
+
+
+ # service smb stop
+
+ # service winbind stop
+
+ # tar -cvf /var/tmp/samba-cache-backup.tar /var/lib/samba
+
+ # ls -la /var/tmp/samba-cache-backup.tar
+
+ # rm ­-f /var/lib/samba/*
+
+
+Verify that no kerberos ticket available and cached.
+
+ # kdestroy
+
+ # klist
+
+Rejoin the domain.
+
+ # net join -S server -U Administrstor
+
+Test that client rejoined the domain.
+
+ # net ads info
+
+Restart smb and winbind service.
+
+ # wbinfo --domain-users
+
+Perform kinit for the domain users prepared on active directory. This is obtain
+the kerberos ticket for user 'auth_admin'
+
+ # kinit auth_admin
+
+ # id -Gn auth_admin
+
+###Notes
+Obtaining the HTTP service principal & keytab file and installing it with
+swiftkerbauth is added to swiftkerbauth_guide
+
+###References
+Reference Document for adding Linux box to windows domain :
+Integrating Red Hat Enterprise Linux 6
+with Active Directory
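Review bot: several commands in this new file will fail as written. `# cat /etc/resolve.conf` names the wrong file (the resolver configuration is `/etc/resolv.conf`), `# service start smb` has its arguments reversed (`service smb start`), and the `idmap uid = 10000­19999` / `idmap gid = 10000­19999` ranges and `# rm ­-f /var/lib/samba/*` contain a non-ASCII soft hyphen (U+00AD) where a plain `-` belongs, so the ranges will not parse and `rm` is handed an unrecognised option; `net join -S server -U Administrstor` also misspells the account name. In `/etc/krb5.conf` the `[domain_realm]` section maps `.demo` and `demo` rather than `.winad.com` and `winad.com`, so hosts in the domain this guide builds are never mapped to `WINAD.COM`, and the `idmap config REFARCH­AD:range` / `REFARCH­AD:backend` keys name a domain that does not match `workgroup = winad` in the same `smb.conf`, so the rid backend is not applied to the joined domain. The ntp and resolver examples embed what look like real internal names and addresses (`ns1.bos.redhat.com`, `10.16.255.2`); placeholders are safer in a public guide. Finally, headings such as `#AD client setup guide` and `###Contents` need a space after the hashes and the links `[Setup Overview] (#setup)` need the space before `(` removed to render, and `[Installing AD Client] (#AD-client)` points at an anchor that is never declared.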
diff --git a/doc/AD_server.md b/doc/AD_server.md
new file mode 100644
index 0000000..c34f0f1
--- /dev/null
+++ b/doc/AD_server.md
@@ -0,0 +1,107 @@
+#Windows Active Directory & Domain Controller Server Guide
+
+###Contents
+* [Setup Overview] (#Setup)
+* [Installing Active Directory Services] (#AD-server)
+* [Configuring DNS] (#DNS)
+* [Adding Users and Groups] (#users-groups)
+
+
+<a name="Setup" />
+###Setup Overview
+
+The setup includes a server machine installed with Windows 2008 R2 Server, with
+Domain Controller, Active Directory services & DNS server installed alongwith.
+The steps to install windows operating system and above servers can be found
+on MicroSoft Documentation. This windows Active Directory server would act as an
+authentication server in the whole setup. This would provide the access control
+and permissions for users on certain data objects.
+
+
+Windows 2008 R2 deployment:
+
+http://technet.microsoft.com/en-us/library/dd283085.aspx
+
+
+Configuring Active Directory, Domain Services, DNS server:
+
+http://technet.microsoft.com/en-us/library/cc770946.aspx
+
+
+<a name="AD-server" />
+###Installing AD Server
+
+Administrators need to follow simple instructions in Server Manager on Windows
+2008, and should add Active Directory Domain Services & DNS server. It is
+recommended to use static IP for DNS server. Preferred Hostname(FQDN) for
+Windows server could be of format hostname 'server.winad.com' where
+'winad.com' is a domain name.
+
+Following tips would help prepare a test setup neatly.
+
+ - Select Active Directory Domain services wizard in Server Manager
+ - Move on to install it with all the pre-requisits, e.g. .NET framework etc.
+ - Configure Active directory after installtion via exapanding the 'Roles'
+ section in the server manager.
+ - Create a new Domain in the New Forest.
+ - Type the FQDN, winad.com
+ - Set Forest functional level Windows 2008 R2.
+ - Selct additional options for this domain controller as DNS server.
+ - Leave the log locations to default provided by wizard.
+ - Set the Administrator Password carefully.
+ - Thats it. You are done configuring active directory.
+
+
+<a name="dns" />
+###Configuring DNS
+
+This section explains configuring the DNS server installed on Windows 2008 R2
+server. You must know know about
+
+ - Forward lookup zone
+
+ - Reverse lookup zone
+
+ - Zone type
+
+A forward lookup zone is simply a way to resolve hostnames to IP address.
+A reverse lookup zone is to lookup DNS hostname of the host IP.
+
+Following tips would help configure the Zones on DNS server.
+
+ - Create a Forward lookup zone.
+ - Create it a primary zone.
+ - Add the Clients using their ip addresses and FQDN to this forward lookup
+ zones.
+ - This would add type 'A' record for that host on DNS server.
+ - Similarly create a Reverser lookup zone.
+ - Add clients 'PTR' record to this zone via browsing through the forward
+ zones clients.
+
+The above setup can be tested on client once it joins the domain using 'dig'
+command as mentioned below.
+
+
+On client:
+
+ # dig fcclient.winad.com
+ This should yield you a Answer section mentioning its IP address.
+
+ Reverse lookup can be tested using
+
+ # 'dig -t ptr 101.56.168.192.in-addr.arpa.'
+ The answer section should state the FQDN of the client.
+
+ Repeat the above steps on client for Windows AD server as well.
+
+
+<a name="users-groups" />
+###Adding users and groups
+
+Adding groups and users to the Windows domain is easy task.
+
+ - Start -> Administrative Tools -> Active Directory Users & Computers
+ - Expand the domain name which was prepared earlier. e.g winad.com
+ - Add groups with appropreate access rights.
+ - Add users to the group with appropreate permissions.
+ - Make sure you set password for users prepared on AD server.
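Review bot: the contents entry `[Configuring DNS] (#DNS)` targets an anchor declared as `<a name="dns" />`; fragment identifiers are case-sensitive, so the link will not resolve. Rename one of the two. The reverse-lookup example `# 'dig -t ptr 101.56.168.192.in-addr.arpa.'` is wrapped in single quotes that a reader copying it would have to strip; the forward-lookup line `# dig fcclient.winad.com` is not, so drop the quotes here too. The same Markdown problems as in the client guide apply (`#Windows Active Directory & Domain Controller Server Guide` and `###Contents` need a space after the hashes; `[Setup Overview] (#Setup)` has a space before `(`). Spelling: `pre-requisits`, `installtion`, `exapanding`, `Selct`, `Reverser`, `appropreate` (twice), `know know`.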
diff --git a/doc/swiftkerbauth_guide.md b/doc/swiftkerbauth_guide.md
index eaebca5..ef76ad0 100644
--- a/doc/swiftkerbauth_guide.md
+++ b/doc/swiftkerbauth_guide.md
@@ -43,6 +43,14 @@ Retrieve the HTTP service principal to a keytab file:
Copy keytab file to client:
> scp /tmp/http.keytab root@192.168.56.101:/etc/httpd/conf/http.keytab
+## Creating HTTP Service Principal on Windows AD server
+
+Add a HTTP Kerberos service principal:
+> c:\>ktpass.exe -princ HTTP/fcclient.winad.com@WINAD.COM -mapuser
+> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab
+
+Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab
+
*****
<a name="install-swiftkerbauth" />
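Review bot: the `ktpass.exe` line in this hunk publishes a literal account password (`-pass Redhat*123`) for `auth_admin@WINAD.COM`; with `-mapuser`, ktpass also sets that account's password to the `-pass` value, so anyone following the guide resets a domain account to a value that is now in the repository, and the client guide authenticates as that same account with `kinit auth_admin`. Replace it with a placeholder (or `-pass *`, which makes ktpass prompt) and note that `c:\HTTP.keytab` contains the service's long-term key and must be copied over an authenticated channel and made readable only by the httpd user once it lands in `/etc/httpd/conf/http.keytab`. Smaller points: the command is split across two `>` lines with no continuation marker, so a copy-paste yields two separate commands; `HTTP.ketab` should be `HTTP.keytab`; the preceding section copies the keytab with `scp` while this one says `winscp`, so state which host performs the copy; and `Add a HTTP` should read `Add an HTTP`.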