Chapter 10

Directory Services

A category of local area network services that primarily organizes domain objects (users, groups, computers, policies) and acts as the authority for the domain.

Historically, directory services have bundled functions that are typically managed as separate services today, such as:

  • Identity Services
  • Name Services (DNS)
  • File Share Services
  • Print Services
  • Network Policy Services (Group Policy)
  • Dynamic IP Assignment Services (DHCP)

Subsections of Directory Services

Join CentOS 7 to AD/Samba Domain

based on: https://www.tecmint.com/integrate-centos-7-to-samba4-active-directory

Starting with a fully installed CentOS (Red Hat-family OS), set your hostname with:

hostnamectl set-hostname <hostname>
reboot

Install required packages:

yum -y install ntpdate authconfig samba-winbind samba-client samba-winbind-clients

Synchronize to domain NTP server:

ntpdate <domain.tld> #assuming your domain controller provides NTP services

Use authconfig to join the domain:

authconfig --update --enablewinbind --enableshadow --enablewinbindauth --smbsecurity ads --smbrealm <DOMAIN> --smbservers <dc1.domain.tld,dc2.domain.tld> --ldapserver <DOMAIN.TLD> --winbindtemplateshell=/bin/bash

Give it your domain admin username and password when prompted. No need to include domain/ or @domain.tld in the username.

Edit your samba config with the following:

vi /etc/samba/smb.conf

Add the following after the line: kerberos method = secrets only

winbind use default domain = true
winbind offline logon = true

Save and Quit

Test your configuration by switching to a domain account (winbind should resolve it and create a session):

su - <domain account>
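The smb.conf edit above is the step most often done by hand, so here is an added example (not from the original page) that performs it from a script: it inserts the two winbind settings directly after the kerberos method line, refuses to touch a file that lacks that anchor line, does nothing on a second run, and then verifies that both settings landed in [global]. The sample configuration is constructed to resemble what authconfig writes; paths and contents are assumptions.

```bash
#!/bin/sh
# Added example (not from the original page): idempotently insert the two
# winbind settings after "kerberos method = secrets only" in an smb.conf,
# then verify the result. The sample config below is constructed.

add_winbind_settings() {
    conf="$1"
    # Already present: nothing to do, so re-running the script is safe.
    if grep -q '^[[:space:]]*winbind use default domain' "$conf"; then
        return 0
    fi
    # The anchor line must exist; a blind append could land inside a share
    # section instead of [global], so fail loudly rather than guess.
    grep -q '^[[:space:]]*kerberos method = secrets only' "$conf" || return 1
    tmp="$conf.tmp.$$"
    awk '
        { print }
        /^[[:space:]]*kerberos method = secrets only/ {
            print "   winbind use default domain = true"
            print "   winbind offline logon = true"
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Succeeds only if both settings are present inside the [global] section.
winbind_settings_ok() {
    conf="$1"
    awk '
        /^[[:space:]]*\[/ { section = $0 }
        section ~ /\[global\]/ && /winbind use default domain = true/ { a = 1 }
        section ~ /\[global\]/ && /winbind offline logon = true/    { b = 1 }
        END { exit !(a && b) }
    ' "$conf"
}

# Constructed sample resembling the [global] section authconfig produces.
make_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ads
   realm = DOMAIN.TLD
   kerberos method = secrets only
   idmap config * : backend = tdb
[homes]
   comment = Home Directories
   browseable = No
EOF
}
```

On a real host run `add_winbind_settings /etc/samba/smb.conf && winbind_settings_ok /etc/samba/smb.conf && testparm -s` so Samba itself validates the file before you restart winbind.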

Join Fedora to AD Domain

The Linux Samba tools are compatible with Microsoft Active Directory and allow a Linux client OS to join an AD domain, albeit with some limited functionality.

How to Set Static IP Address

Before joining the domain, set your static IP address (or do so during setup, or leave DHCP enabled). The steps differ by distribution family:

Fedora / Red Hat family:

dnf -y install NetworkManager
systemctl enable --now NetworkManager
nmcli connection modify <iface name> ipv4.method manual #without this the address is added on top of DHCP rather than replacing it
nmcli connection modify <iface name> ipv4.address <ip address>/<prefix length>
nmcli connection modify <iface name> ipv4.gateway <gateway ip>
nmcli connection modify <iface name> ipv4.dns <dns ip address>
nmcli connection up <iface name>

Debian / Ubuntu:

apt-get install network-manager
systemctl enable --now NetworkManager
nmtui

Alpine:

apk add networkmanager
rc-service networkmanager start
rc-update add networkmanager default
adduser <your username> plugdev #you will need to relog to apply the new group membership
nmtui

Arch:

pacman -Syu networkmanager
systemctl --now enable NetworkManager.service
nmtui

Install Samba tools and dependencies

dnf install -y realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools

Samba commands to join the domain

realm discover DOMAIN.TLD
realm join DOMAIN.TLD

NIS vs LDAP

NIS is the traditional domain controller and identity service for Linux-only environments. It still works fine for this purpose today, but it is more limited than LDAP. It replicates the data in /etc/ (the group, hosts, mail, netgroup, networks, passwd, printcap, protocols, rpc, and services files) out to all domain-joined hosts in the network. The same information is stored in LDAP when Linux hosts are connected to an LDAP directory. However, LDAP is also compatible with Windows, whereas NIS has only limited Windows compatibility.

LDAP is an extensible data framework, meaning that it can manage data for tasks that may not be explicitly defined by the standard LDAP schemas. That is to say, LDAP can be customized to store data for whatever purpose the network needs. Examples of LDAP data constructs are:

  • anything NIS does
  • mail routing
  • address book for mail clients
  • zone descriptions for BIND9
  • Samba authentication

Therefore, LDAP is generally preferred over NIS when supported, and especially in heterogeneous environments. Even Linux-only environments may prefer to deploy an LDAP directory, since LDAP has become so ubiquitous. This is also influenced by the Samba project (https://www.samba.org), a free and open source implementation of an Active Directory-style LDAP directory service.
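The first item in the list above, "anything NIS does", is easiest to see with the passwd map: each /etc/passwd line NIS would push to clients corresponds to one posixAccount entry in LDAP. The following added example (not from the original page) performs that mapping and emits LDIF that ldapadd could load; the base DN, the sample accounts and the uid cut-off of 1000 are constructed assumptions.

```bash
#!/bin/sh
# Added example (not from the original page): turn /etc/passwd lines, the data
# NIS would serve as the passwd map, into LDIF posixAccount entries for an
# LDAP directory. Base DN and sample accounts are constructed.

BASE_DN='ou=People,dc=example,dc=tld'   # assumption: adjust to your directory

# Reads passwd lines on stdin and prints one LDIF entry per account.
# System accounts (uid below 1000) are skipped: those normally stay local
# instead of being published to every client through the directory.
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" '
        $3 < 1000 { next }
        {
            printf "dn: uid=%s,%s\n", $1, base
            print "objectClass: top"
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: shadowAccount"
            printf "uid: %s\n", $1
            printf "cn: %s\n", ($5 == "" ? $1 : $5)   # GECOS, falling back to the login name
            printf "uidNumber: %s\n", $3
            printf "gidNumber: %s\n", $4
            printf "homeDirectory: %s\n", $6
            printf "loginShell: %s\n", $7
            print ""
        }'
}

# Constructed sample input: one system account and two regular accounts.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1001:1001:Alice Example:/home/alice:/bin/bash' \
        'svc-backup:x:1002:1002::/var/lib/backup:/sbin/nologin'
}

# Number of LDIF entries produced for the sample (each entry starts with "dn:").
sample_entry_count() {
    sample_passwd | passwd_to_ldif | grep -c '^dn:'
}
```

Password hashes are deliberately not carried over: the "x" in the second field means they live in /etc/shadow, and in an LDAP deployment they belong in the userPassword attribute with access controls that keep them unreadable to ordinary binds, which is exactly the protection a plain NIS passwd map cannot give.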

Working with Account Lockout in Samba 4/LDAP

Though samba-tool is a frequently referenced command when working with Samba directory services, it fails to provide more than the most frequently used functions for interacting with LDAP, such as: add user, delete user, set password, etc. A more detailed utility is pdbedit.

While trying to launch AD Users and Computers I found that my Administrator account would not connect the snap-in to my Samba server, which is usually an indication of account lockout (probably due to too many bad password attempts). You can use pdbedit to determine if a Samba account is locked out:

pdbedit -Lv #lists all LDAP accounts and attributes contained in the local server
pdbedit -v -u Administrator #lists all attributes for the Administrator account

Relevant attributes for Samba user accounts:

  • Unix username
  • user SID
  • logon time
  • logoff time
  • password last set
  • password can change
  • password must change (aka password expiration)
  • last bad password (last bad password attempt timestamp; 0 if none)
  • bad password count (resets with a good password attempt)
  • account flags:
    • D - account disabled
    • H - homedir required
    • L - account auto-locked (aka locked out)
    • N - password not required
    • U - normal user account
    • W - workstation trust account
    • X - password does not expire

Considering we are dealing with an account lockout, use the following command to unlock an account:

pdbedit -z <account name>

But that only resets the bad password count, so we must also reset the account flags with:

pdbedit -r -c "[]" <account name>

That will reset the account flags to [U ], but you can specify which flags to reset, for example with [N D H L X].
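The attributes listed above are what you actually read when triaging a lockout, so here is an added example (not from the original page) that takes the output of `pdbedit -v -u <account>` on stdin and classifies the account as LOCKED (L flag set), DISABLED (D flag set), NEAR_LOCKOUT (bad password count one below the threshold) or OK. The pdbedit output shown is a constructed sample that follows the attribute names from the text, and the threshold value is an assumption to be aligned with your domain's lockout policy.

```bash
#!/bin/sh
# Added example (not from the original page): classify a Samba account from
# "pdbedit -v -u <account>" output. Sample output and threshold are constructed.

LOCKOUT_THRESHOLD=5   # assumption: set to your domain's lockout threshold

# Reads pdbedit output on stdin; prints LOCKED, DISABLED, NEAR_LOCKOUT or OK.
classify_pdbedit_account() {
    awk -v thr="$LOCKOUT_THRESHOLD" '
        # Account flags are the letters between [ and ], e.g. "[UL  ]".
        /^Account Flags/ {
            s = index($0, "["); e = index($0, "]")
            flags = substr($0, s + 1, e - s - 1)
        }
        # The count sits after the colon; spacing before the colon varies.
        /^Bad password count/ { sub(/.*:[[:space:]]*/, ""); bad = $0 + 0 }
        END {
            if (flags ~ /L/)          print "LOCKED"
            else if (flags ~ /D/)     print "DISABLED"
            else if (bad >= thr - 1)  print "NEAR_LOCKOUT"
            else                      print "OK"
        }'
}

# Constructed sample: an auto-locked account after five bad attempts.
sample_locked_account() {
    cat <<'EOF'
Unix username:        Administrator
NT username:
Account Flags:        [UL         ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-500
Logon time:           0
Logoff time:          never
Password last set:    Mon, 01 Jan 2024 12:00:00 UTC
Password must change: never
Last bad password   : Tue, 02 Jan 2024 09:00:00 UTC
Bad password count  : 5
EOF
}

# Constructed sample: a normal account with a single bad attempt.
sample_healthy_account() {
    cat <<'EOF'
Unix username:        alice
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1105
Logon time:           0
Logoff time:          never
Password last set:    Mon, 01 Jan 2024 12:00:00 UTC
Password must change: never
Last bad password   : Tue, 02 Jan 2024 09:00:00 UTC
Bad password count  : 1
EOF
}
```

Usage on a real server: `pdbedit -v -u Administrator | classify_pdbedit_account`. A LOCKED result is the case the unlock commands above address (`pdbedit -z` for the count, then the flag reset); NEAR_LOCKOUT is the state to notice before a noisy client or a brute-force attempt tips the account over, and the "Last bad password" timestamp tells you when to look in the logs.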

Info

In this case the trouble didn't end up being account lockout… somehow my RSAT tools had become uninstalled on my local machine, so the fix was actually just to reinstall them 😑