====== CentOS 7 AD Client ======


====== Install nslcd and kerberos ======

<code>
yum install -y pam_krb5 krb5-workstation
yum install -y nscd nss-pam-ldapd wget
</code>

====== Enalble nslcd service ======

<code>
systemctl enable nslcd
</code>

====== Configure nslcd ======

<code>
authconfig-tui
</code>

select "Use LDAP" and "Use LDAP Authentication"
select "Use TLS"
<code>
Server: ldaps://ad1.acm.cs
Base DN: dc=acm,dc=cs
</code>

====== Update nslcd config ======

<file|/etc/nslcd.conf>
uri ldaps://ad1.acm.cs
uri ldaps://ad2.acm.cs
uri ldaps://ad3.acm.cs

ldap_version 3

base dc=acm,dc=cs

binddn apacheacm@acm.cs
bindpw (ask sysadmin)

base   group  ou=ACMGroups,dc=acm,dc=cs
base   passwd ou=ACMUsers,dc=acm,dc=cs
base   shadow ou=ACMUsers,dc=acm,dc=cs

bind_timelimit 3

timelimit 30

ssl on
#ssl start_tls
tls_reqcert never

# Mappings for Active Directory
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)
</file>
nslcd.conf should not be world readable if bindpw is set

<code>
chmod 600 /etc/nslcd.conf
</code>

====== More LDAP Config ======
make sure that passwd, group and shadow have files and then ldap
<file|/etc/nsswitch.conf>
passwd:         files ldap 
group:          files ldap 
shadow:         files ldap
</file>

====== Start nslcd Service ======
<code>
systemctl start nslcd
</code>
====== Testing the configuration ======
<code>
getent passwd
</code>
you should see the users form AD

<code>
su - usernameInAd
</code>
this should work
<code>
[root@centosimg acmadmin]# su - bmiddha
su: warning: cannot change directory to /home/bmiddha: No such file or directory
-bash-4.2$ 
</code>


====== Password auth with kerberos ======

<file|/etc/krb5.conf>
[libdefaults]
        default_realm = ACM.CS
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]

[domain_realm]
        acm.cs = ACM.CS
        .acm.cs = ACM.CS

[logging]
#       kdc = CONSOLE
</file>

Now you should be able to ssh with password

====== Sudo access to LAN Admins ======
Create this file

<file|/etc/sudoers.d/AcmLanAdmins>
%AcmLanAdmins ALL=(ALL) ALL
</file>

====== Auto create home directories ======
Run this
<code>
authconfig --enablemkhomedir --updateall
</code>
Append File
<file|/etc/pam.d/sshd>
.
.
# Create home directories
session         required        pam_mkhomedir.so skel=/etc/skel/
</file>

====== All Done! ======