How do I add a linux box to Active Directory?
Prerequisites
To enable a new or existing Red Hat linux host for AD SSO logins in the shared environment, make sure you have the following:
The latest configuration file for the data center you are located in downloaded to the target system(s) you are enabling before you proceed. Those links are noted below for your reference:
SSL Enabled SSO Files (Configuration Updated as of 5/29/2012)
The files below are "the standard" files that should be used to ensure LDAP calls go over SSL. Previous versions had this disabled by default due to errors at the time with the version of Windows being used on the backend. As such, this overrides any previous version of the files currently in production and should be run to ensure your linux system has the most current configuration for CUST domain authentication.
Red Hat Enterprise Linux 4 & 5 - SSL Enabled
IAD03 Configuration Files
IAD05 Configuration Files
SJC03 Configuration Files
LHR02 Configuration Files
ASH01 Configuration Files
ASH Cloud Configuration Files
Red Hat Enterprise Linux 6 - SSL Enabled
IAD03 Configuration Files
IAD05 Configuration Files
SJC03 Configuration Files
LHR02 Configuration Files
ASH01 Configuration Files
ASHCloud Configuration Files
Ubuntu 10.10/11.10 - SSL Enabled
ASH01 Configuration Files
SSL Disabled SSO Files (Configuration Updated as of 5/29/2012)
The files below are "legacy" files that force LDAP calls to go over unencrypted channels. These files are for backwards compatibility or for instances where the new SSL enabled files do not work for whatever reason. ONLY use this version of the AD SSO script if you have issues with the SSL enabled files above.
Red Hat Enterprise Linux 4 & 5 - SSL Disabled
IAD03 Configuration Files
IAD05 Configuration Files
SJC03 Configuration Files
LHR02 Configuration Files
ASH01 Configuration Files
ASH Cloud Configuration Files
Red Hat Enterprise Linux 6 - SSL Disabled
IAD03 Configuration Files
IAD05 Configuration Files
SJC03 Configuration Files
LHR02 Configuration Files
ASH01 Configuration Files
ASHCloud Configuration Files
Ubuntu 10.10/11.10 - SSL Disabled
ASH01 Configuration Files
SUDO Not Working with SSL
For Ubuntu 10, there is a known issue with LDAPS and setuid/setgid programs under which, among other things, sudo does not work. As such, if you can't upgrade the customer to version 11.10, use the Non-SSL version as listed above in this section.
NOTE - For more information on the latest configuration files you may click on the following link:
Red Hat LDAP & Kerberos Integration Files
Ensure the proper RPMs are installed on the system(s) you are enabling: make sure network access to the Internet is configured and that the system is properly registered with Red Hat so that up2date or yum (depending on your version) works. The script also calls these out as a reminder.
NOTE - This has all been tested and confirmed working for Red Hat 4, 5 and 6/CentOS 4 and 5. If you find this also works for different flavors of linux please update this line accordingly.
Enabling a Linux Host
SCP the appropriate configuration file as referenced above to the server(s) in question
Using a program such as WinSCP is recommended.
After the tar is uploaded, SSH into the server as your own account and change to the root user.
In the /root/ directory un-tar the tar file.
tar -vxof <filename>.tar
The archive will be extracted to the directory with the appropriate data center label
ASH01 => ./ASH01_SSL or ./ASH01_REL6_SSL
ASHCloud => ./ASHCloud_SSL or ./ASHCloud_REL6_SSL
IAD03 => ./IAD03_SSL or ./IAD03_REL6_SSL
IAD05 => ./IAD05_SSL or ./IAD05_REL6_SSL
LHR02 => ./LHR02_SSL or ./LHR02_REL6_SSL
SJC03 => ./SJC03_SSL or ./SJC03_REL6_SSL
Change directories into the appropriate folder
Run the enable_ad script for the chosen data center
sh enable_ad-<dcshortname>.sh
ASH01 - enable_ad-ash01.sh
ASHCloud - enable_ad-ashcloud.sh
IAD03 - enable_ad-iad03.sh
IAD05 - enable_ad-iad05.sh
LHR02 - enable_ad-lhr02.sh
SJC03 - enable_ad-sjc03.sh
This will query the installed packages on the target system. Make sure that all dependencies are installed before proceeding through the remainder of the script.
There will also be several prompts asking for a "yes" or "no" answer to continue.
If you answer "no" at any point, or if the enable script errors at any point because something is not installed or enabled on the server, contact the SE on the customer account. You can also check the included README.TXT file in the extracted directory for additional troubleshooting help.
Note: at one point during the deployment, you might see the following error:
Running LDAP test.
ldap_start_tls: Operations error (1)
additional info: 00000000: LdapErr: DSID-0C090DF2, comment: TLS or SSL already in effect, data 0, v1db1
This message is a warning, not an error. The explanation can be found here:
ldapsearch(1) and other tools will return
ldap_start_tls: Operations error (1)
additional info: TLS already started
when the user (through command line options and/or ldap.conf(5)) has requested TLS (SSL) be started twice. For instance, when specifying both "-H ldaps://server.do.main" and "-ZZ".
On the next prompt, simply type 'yes' and proceed.
To revert the server back to its original configuration files, run the included revert script:
sh revert_ad.sh
Once the appropriate enable script has completed the initial configuration you will need to run the Kerberos 5 configuration option. To do so run the script with the -kerb5 switch.
sh enable_ad-<dcshortname>.sh -kerb5
Once that is completed, type id <username> where <username> is your CUST username. It should return your AD UNIX attributes.
Finally, make sure the sudoers file has the correct users and groups added to it
visudo
# "sudoers" File Contents
Users:
opsadmin ALL=(ALL) ALL
Groups:
%opsource ALL=(ALL) ALL
%<customername>_sudo ALL=(ALL) ALL
NOTE - If the customer objects for the server you are adding cannot be found, make sure the customer has been added to Active Directory
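The checks the procedure above asks you to confirm once enable_ad has finished (LDAP going over SSL, the benign ldap_start_tls "TLS already started" message being told apart from a real failure, and the sudoers file carrying the required users and groups) collected into one post-enable verification script. This is an added example, not part of the original runbook or of the enable_ad scripts. The ldap.conf layout it parses, the example.com host names, the "acme" customer name and every sample file and output below are constructed assumptions; on a real host, point the functions at /etc/ldap.conf (or /etc/openldap/ldap.conf) and /etc/sudoers.

```shell
#!/bin/sh
# Added verification helpers (example code, not part of the runbook or the
# enable_ad scripts). They check the three things the procedure above asks
# you to confirm after the script runs: LDAP goes over SSL/TLS, the benign
# "TLS already started" message is told apart from real failures, and the
# sudoers file carries the required principals. File layouts and all sample
# contents below are constructed assumptions; on a real host point the
# functions at /etc/ldap.conf (or /etc/openldap/ldap.conf) and /etc/sudoers.

# Return 0 if every "uri" entry in the ldap.conf uses ldaps://,
# 1 if any plain ldap:// URI is present, 2 if the file has no uri line.
ldap_uris_use_ssl() {
    uris=$(awk 'tolower($1) == "uri" { for (i = 2; i <= NF; i++) print $i }' "$1")
    [ -n "$uris" ] || return 2
    for u in $uris; do
        case "$u" in
            ldaps://*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 if the ldap.conf is encrypted either way the scripts may set it:
# only ldaps:// URIs, or an "ssl on" / "ssl start_tls" directive
# (the nss_ldap style of RHEL 4/5, which may use "host" lines instead of "uri").
ldap_conf_encrypted() {
    if ldap_uris_use_ssl "$1"; then return 0; fi
    awk 'tolower($1) == "ssl" && (tolower($2) == "on" || tolower($2) == "start_tls") { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Return 0 if the sudoers file grants the principal (user or %group)
# "ALL=(ALL) ALL" on an uncommented line; whitespace between fields may vary.
sudoers_has_entry() {
    grep -vE '^[[:space:]]*#' "$1" |
      grep -qE "^[[:space:]]*$2[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL[[:space:]]*$"
}

# Classify the output of the script's LDAP test: "benign" when the only
# complaint is TLS being requested twice (ldaps:// plus -ZZ), "error" for any
# other ldap_* failure, "ok" when no failure line appears.
classify_ldap_output() {
    if printf '%s\n' "$1" | grep -qiE 'TLS or SSL already in effect|TLS already started'; then
        echo benign
    elif printf '%s\n' "$1" | grep -qE '^ldap_[a-z_]+: '; then
        echo error
    else
        echo ok
    fi
}

# Run the checks for one host and print PASS/FAIL per item; the return value
# is the number of failed checks, so 0 means the host is ready.
verify_host() {
    ldapconf=$1; sudoers=$2; customer=$3; fails=0
    if ldap_conf_encrypted "$ldapconf"; then echo "PASS ldap encrypted"; else echo "FAIL ldap encrypted"; fails=$((fails + 1)); fi
    for p in opsadmin %opsource "%${customer}_sudo"; do
        if sudoers_has_entry "$sudoers" "$p"; then echo "PASS sudoers $p"; else echo "FAIL sudoers $p"; fails=$((fails + 1)); fi
    done
    return $fails
}

# --- constructed sample inputs (not captured from any real host) ---
TMPD=$(mktemp -d)
cat > "$TMPD/ldap-ssl.conf" <<'EOF'
base dc=example,dc=com
uri ldaps://dc1.example.com ldaps://dc2.example.com
ssl on
EOF
cat > "$TMPD/ldap-rhel5.conf" <<'EOF'
base dc=example,dc=com
host dc1.example.com
ssl on
EOF
cat > "$TMPD/ldap-legacy.conf" <<'EOF'
base dc=example,dc=com
uri ldap://dc1.example.com
ssl no
EOF
cat > "$TMPD/sudoers" <<'EOF'
# constructed sudoers fragment matching the runbook
opsadmin   ALL=(ALL) ALL
%opsource  ALL=(ALL) ALL
%acme_sudo ALL=(ALL) ALL
EOF
# Constructed copy of the message the runbook says to treat as a warning.
SAMPLE_BENIGN='Running LDAP test.
ldap_start_tls: Operations error (1)
additional info: 00000000: LdapErr: DSID-0C090DF2, comment: TLS or SSL already in effect, data 0, v1db1'

verify_host "$TMPD/ldap-ssl.conf" "$TMPD/sudoers" acme || echo "host not ready ($? failures)"
echo "LDAP test classified as: $(classify_ldap_output "$SAMPLE_BENIGN")"
```

On a live host, replace the constructed files with the real paths and pass the customer short name as the third argument to verify_host; a non-zero return value tells you which of the runbook's checks still needs attention before handing the server over. The sudoers match is deliberately strict (exactly "ALL=(ALL) ALL"), so a line that grants a narrower command set is reported as missing rather than silently accepted.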
AD Domain Controller List
# ASH01
10.182.71.23 ashopsad03p.Latheef,com
10.182.71.24 ashopsad04p.Latheef,com
# ASHCloud
10.176.49.23 ashopsad05p.Latheef,com
10.176.49.24 ashopsad06p.Latheef,com
# IAD03
209.34.79.73 iadopsad03p.Latheef,com
209.34.79.74 iadopsad04p.Latheef,com
# IAD05
10.136.56.23 iadopsad14p.Latheef,com
10.136.56.24 iadopsad13p.Latheef,com
# LHR
10.120.12.23 lhropsad03p.Latheef,com
10.120.12.24 lhropsad04p.Latheef,com
# SJC03
10.128.12.23 sjcopsad03p.Latheef,com
10.128.12.24 sjcopsad04p.Latheef,com