Ldap – how to join centos 7 to samba domain

Tags: centos 7, ldap, openldap, pam-ldap, samba

In my office, we use a Samba domain + LDAP. I have already joined some Windows 7 machines, but now I need to join CentOS 7 to that domain. How can I do that?

Below are steps that I already did:

  1. install nss-pam-ldap.x86_64
  2. configure smb.conf in /etc/samba/
  3. configure all files in /etc/pam.d/ that call pam_unix.so to also call pam_ldap.so
  4. add ldap to the passwd, shadow and group lines in nsswitch.conf
  5. configure nslcd.conf

When I try to join with:

net join -U administrator

I get this:

cannot join standalone machine

When I run

journalctl -r

I get some pam_ldap error:

pam_ldap: error opening connection to nslcd: No such file or directory.

Best Answer

Krisko, first you have to install the packages for an sssd integration:

yum install \
realmd \
sssd \
sssd-krb5 \
sssd-krb5-common \
sssd-common \
sssd-common-pac \
sssd-ad \
sssd-proxy \
sssd-tools \
python-sssdconfig \
samba \
samba-common \
authconfig \
authconfig-gtk

Then create the machine account in an AD container your user ([Domain UID]) has full access to.

Add the machine to the domain: realm --verbose join [FQ Domain name] -U [Domain UID]

Adjust /etc/sssd/sssd.conf

[sssd]
domains = <FQ Domain name lowercase>
config_file_version = 2
services = nss, pam

[domain/<FQ Domain name lowercase>]
ad_domain = <FQ Domain name lowercase>
krb5_realm = <FQ Domain name uppercase>
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = <Comma separated list of AD groups allowed to login in the form <FQDomainLowercase>\<GroupName>>
simple_allow_users = <Same for users>

You may have to adjust these 2 sections of /etc/krb5.conf

[realms]
 <FQDomainUpperCase> = {
 }

[domain_realm]
 <FQDomainLowerCase> = <FQDomainUpperCase>
 .<FQDomainLowerCase> = <FQDomainUpperCase>

Then this will no longer be a standalone machine, and you may authenticate domain users. Hope it helps.
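A small checker for the sssd.conf produced by the steps above, added here as an example; it is not code from the thread or from the sssd project. It parses the [sssd] and [domain/...] sections and reports the slips that most often either keep sssd from starting (the domains entry not matching any [domain/...] section, a lowercase krb5_realm) or leave the host open to every domain account (access_provider = simple with empty allow lists, or the default permit provider). The two embedded configurations and the domain example.com are constructed for this example.

```python
"""Sanity-check an sssd.conf written for a Samba/AD join.

Added example, not part of the original answer. Only the keys used in the
answer above are inspected; the sample configs below are constructed.
"""
import configparser
import io

# Constructed sample with two defects: krb5_realm is not uppercase, and the
# simple access provider has empty allow lists (which lets everyone in).
BROKEN_SSSD_CONF = """\
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = example.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups =
simple_allow_users =
"""

# Same file with both defects corrected (constructed group name).
FIXED_SSSD_CONF = BROKEN_SSSD_CONF.replace(
    "krb5_realm = example.com", "krb5_realm = EXAMPLE.COM"
).replace("simple_allow_groups =\n", "simple_allow_groups = example.com\\linux-admins\n")


def parse_sssd_conf(text):
    # sssd.conf is INI-style. Interpolation must be off, otherwise the
    # "%u@%d" in fallback_homedir raises InterpolationSyntaxError.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(text))
    return parser


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _check_domain(cfg, sect):
    findings = []
    if cfg.get(sect, "id_provider", fallback=None) != "ad":
        findings.append(f"[{sect}] id_provider should be ad for a Samba/AD join")
    ad_domain = cfg.get(sect, "ad_domain", fallback="")
    realm = cfg.get(sect, "krb5_realm", fallback="")
    if realm and realm != realm.upper():
        findings.append(f"[{sect}] krb5_realm {realm!r} is not uppercase; Kerberos realm names are case-sensitive")
    if ad_domain and realm and realm.lower() != ad_domain.lower():
        findings.append(f"[{sect}] krb5_realm {realm!r} does not match ad_domain {ad_domain!r}")
    # The simple provider grants access to everyone when both lists are empty;
    # the sssd default provider (permit) does the same unconditionally.
    access = cfg.get(sect, "access_provider", fallback="permit")
    if access == "simple":
        groups = _csv(cfg.get(sect, "simple_allow_groups", fallback=""))
        users = _csv(cfg.get(sect, "simple_allow_users", fallback=""))
        if not groups and not users:
            findings.append(f"[{sect}] access_provider = simple with empty allow lists permits every domain user")
    elif access == "permit":
        findings.append(f"[{sect}] access_provider is permit (the default): every domain account may log in")
    return findings


def check_sssd_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_sssd_conf(text)
    if not cfg.has_section("sssd"):
        return ["missing [sssd] section"]
    findings = []
    if cfg.get("sssd", "config_file_version", fallback=None) != "2":
        findings.append("config_file_version must be 2")
    services = _csv(cfg.get("sssd", "services", fallback=""))
    for svc in ("nss", "pam"):
        if svc not in services:
            findings.append(f"services lacks {svc}; domain logins will not work")
    domains = _csv(cfg.get("sssd", "domains", fallback=""))
    if not domains:
        findings.append("no domains listed in [sssd]")
    for dom in domains:
        sect = f"domain/{dom}"
        if not cfg.has_section(sect):
            findings.append(f"domains lists {dom!r} but there is no [{sect}] section; sssd will not start")
            continue
        findings.extend(_check_domain(cfg, sect))
    # Catch the reverse mismatch too: a [domain/...] section that is never enabled.
    for sect in cfg.sections():
        if sect.startswith("domain/") and sect[len("domain/"):] not in domains:
            findings.append(f"[{sect}] is defined but not listed in domains; it is ignored")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SSSD_CONF), ("fixed", FIXED_SSSD_CONF)):
        print(f"== {name} ==")
        for line in check_sssd_conf(conf) or ["no findings"]:
            print(" ", line)
```

Run it against the real file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())` as root; sssd also refuses to start unless that file is owned by root and mode 0600, which this checker deliberately leaves to the filesystem rather than guessing at permissions.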