Overview :
In this tutorial we will discuss how to intergrate Linux Servers(Centos/RHEL) with Windows Active Directory for authentication purpose.In my scenario i have Centos 6 / RHEL 6 servers. Follow the below steps to integrate these servers with AD using samba, winbind and Kerberos.
Step:1 Install the samba-winbind and kerberos packages
# yum install samba-winbind samba-winbind-clients samba krb5-libs krb5-workstation pam_krb5
Step:2 Time synchronization
AD is very picky about the time matching during authentication. So linux server and AD server time should be synchronized to the ntp server. Use below command to sync the time of linux server with ntp server
# ntpdate <ntp-server-ip-address/dns-name>
To make above configuration permanent edit the file “/etc/ntp.conf” and just replace what’s there with one or more NTP servers on your domain, like
server <ntp-server-ip-address/dns-name>
Start the Service :
# /etc/init.d/ntpd start ; chkconfig ntpd on
Step:3 Edit the /etc/hosts file
<ip-address> adserver.yourdomain adserver
Step:4 Edit /etc/krb5.conf
[domain_realm]
yourdomain = YOURDOMAIN
[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN
dns_lookup_realm = true
dns_lookup_kdc = false
cache_type = 1
forwardable = true
proxiable = true
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
allow_weak_crypto = no
[realms]
YOURDOMAIN = {
kdc = <ip address of AD server:Port>
admin_server = <ip address of AD server:Port>
default_domain = yourdomain
}
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
admin_server = FILE:/var/log/kadmind.log
Step:5 Now Test the Kerberos Authentication
# kinit <user-name>
If it prompts for the password , enter your user ad password , if every thing is ok , then we will get the prompt otherwise re-check krb5.conf file.
Step:6 Now Configure Samba and Winbind
Edit /etc/samba/smb.conf
[global] workgroup = <Workgroup-Name> netbios name = site2 // replace the site2 with hostname realm = <realm name> security = ADS template shell = /bin/bash idmap backend = tdb idmap uid = 1-100000000 idmap gid = 1-100000000 winbind use default domain = Yes winbind nested groups = Yes winbind enum users = Yes winbind enum groups = Yes template shell = /bin/bash template homedir = /home/%D/%U winbind separator = / winbind nss info = sfu winbind offline logon = true hosts allow = 127.0.0.1 0.0.0.0/0 obey pam restrictions = yes socket options = TCP_NODELAY max log size = 150 passdb backend = tdbsam printing = cups load printers = yes cups options = raw printcap name = cups disable spoolss = Yes show add printer wizard = No interfaces = eth0 lo bind interfaces only = yes winbind refresh tickets = true log file = /var/log/samba/log.%m max log size = 50 log level = 3 encrypt passwords = yes #map untrusted to domain = yes #auth methods = winbind guest sam map untrusted to domain = Yes [printers] comment = All Printers path = /var/spool/samba browseable = yes public = yes guest ok = yes writable = no printable = yes
Step:7 Configure /etc/nsswitch.conf file to handle authentication.
passwd: compat winbind shadow: winbind group: compat winbind
Step:8 Now restart winbind & Samba services
# /etc/init.d/smb restart
# /etc/init.d/winbind restart
Now join a domain
# net ads join -U <User Name>
If above command reports “Join is OK”, then test winbind:
Command to lists all the AD users
# wbinfo -u
Step:9 Now do the testing & try to login to linux server via AD user credentials
# ssh <username>@<ipaddress or hostname of linux server>
