In this tutorial, we will discuss how to integrate Linux servers (CentOS/RHEL) with Windows Active Directory for authentication. In my case, I have CentOS/RHEL 6 servers. Follow the steps below to integrate these servers with AD using Samba, winbind, and Kerberos.
Step 1: Install the samba-winbind and kerberos packages.
# yum install samba-winbind samba-winbind-clients samba krb5-libs krb5-workstation pam_krb5
Step 2: Time synchronization.
Kerberos, and therefore AD, rejects authentication when the clocks differ by more than a small allowed skew, so the Linux server and the AD server must both be synchronized to an NTP server. Use the command below to sync the Linux server's time with the NTP server once:
# ntpdate [ntp-server-ip-address/dns-name]
To make the configuration permanent, edit /etc/ntp.conf and replace the existing server lines with one or more NTP servers on your domain, like:
# vi /etc/ntp.conf

server [ntp-server-ip-address/dns-name]
Start the Service:
# /etc/init.d/ntpd start
# chkconfig ntpd on
Step 3: Edit the /etc/hosts file.
# vi /etc/hosts

[ip-address]   adserver.yourdomain   adserver
Step 4: Edit /etc/krb5.conf.
# vi /etc/krb5.conf

[domain_realm]
 yourdomain = YOURDOMAIN

[libdefaults]
 ticket_lifetime = 24000
 default_realm = YOURDOMAIN
 dns_lookup_realm = true
 dns_lookup_kdc = false
 cache_type = 1
 forwardable = true
 proxiable = true
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 # des-cbc-crc is a weak type; it stays disabled while allow_weak_crypto = no
 allow_weak_crypto = no

[realms]
 YOURDOMAIN = {
  kdc = [ip address of AD server:Port]
  admin_server = [ip address of AD server:Port]
  default_domain = yourdomain
 }

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[logging]
 default = FILE:/var/krb5/kdc.log
 kdc = FILE:/var/krb5/kdc.log
 admin_server = FILE:/var/log/kadmind.log
Step 5: Now Test the Kerberos Authentication.
# kinit [user-name]
If it prompts for a password, enter the AD user's password. If everything is OK, the command returns to the prompt without any error and klist shows the ticket it obtained; otherwise re-check the krb5.conf file.
Step 6: Now Configure Samba and Winbind.
Edit /etc/samba/smb.conf.
# vi /etc/samba/smb.conf

[global]
 workgroup = [Workgroup-Name]
 ## replace site2 with this server's hostname (Samba does not allow comments after a value, so keep notes on their own line)
 netbios name = site2
 ## must match default_realm in /etc/krb5.conf
 realm = YOURDOMAIN
 security = ADS
 template shell = /bin/bash
 idmap backend = tdb
 idmap uid = 1-100000000
 idmap gid = 1-100000000
 winbind use default domain = Yes
 winbind nested groups = Yes
 winbind enum users = Yes
 winbind enum groups = Yes
 template homedir = /home/%D/%U
 winbind separator = /
 winbind nss info = sfu
 winbind offline logon = true
 ## 0.0.0.0/0 allows every host; restrict this to your own networks
 hosts allow = 127.0.0.1 0.0.0.0/0
 obey pam restrictions = yes
 socket options = TCP_NODELAY
 passdb backend = tdbsam
 printing = cups
 load printers = yes
 cups options = raw
 printcap name = cups
 disable spoolss = Yes
 show add printer wizard = No
 interfaces = eth0 lo
 bind interfaces only = yes
 winbind refresh tickets = true
 log file = /var/log/samba/log.%m
 max log size = 50
 log level = 3
 encrypt passwords = yes
 #map untrusted to domain = yes
 #auth methods = winbind guest sam
 map untrusted to domain = Yes

[printers]
 comment = All Printers
 path = /var/spool/samba
 browseable = yes
 public = yes
 guest ok = yes
 writable = no
 printable = yes
Step 7: Configure the /etc/nsswitch.conf file so that users and groups are resolved through winbind.
# vi /etc/nsswitch.conf

passwd: compat winbind
shadow: compat winbind
group:  compat winbind
Keep the local source (compat or files) in front of winbind on all three lines, including shadow, so that root and other local accounts still resolve when the AD server is unreachable.
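The three files edited in steps 4, 6 and 7 have to agree with each other before the join will work. The script below is an added example (not part of the original tutorial) that checks the two points most often got wrong: the Samba realm must equal the Kerberos default_realm in upper case, and every nsswitch database must keep a local source ahead of winbind. The sample files it creates are constructed to mirror the settings above; point the functions at the real files in /etc to check a live server.

```shell
#!/bin/sh
# Pre-flight check for the krb5.conf, smb.conf and nsswitch.conf
# settings from the steps above (added example, not from the tutorial).
# Paths are arguments, so it runs against the constructed samples
# below or against the real files in /etc.

# conf_get FILE KEY: print the value of a "key = value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#;]*\).*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_realm KRB5CONF SMBCONF: the realm Samba joins with must equal
# default_realm, and AD realms are upper-case ("yourdomain" != "YOURDOMAIN").
check_realm() {
    krb=$(conf_get "$1" default_realm)
    smb=$(conf_get "$2" realm)
    [ -n "$krb" ] && [ "$krb" = "$smb" ] &&
        [ "$krb" = "$(printf '%s' "$krb" | tr '[:lower:]' '[:upper:]')" ]
}

# check_nsswitch FILE: passwd, shadow and group must list a local source
# (files/compat) before winbind, so root still resolves when AD is down.
check_nsswitch() {
    for db in passwd shadow group; do
        grep -Eq "^$db:[[:space:]]*(files|compat)[[:space:]].*winbind" "$1" || return 1
    done
}

# Constructed sample files mirroring the tutorial; the "bad" variants show
# two common mistakes (lower-case realm, shadow without a local source).
SAMPLE_DIR=$(mktemp -d)
printf '[libdefaults]\n default_realm = YOURDOMAIN\n' > "$SAMPLE_DIR/krb5.conf"
printf '[libdefaults]\n default_realm = yourdomain\n' > "$SAMPLE_DIR/krb5-bad.conf"
printf '[global]\n workgroup = [Workgroup-Name]\n realm = YOURDOMAIN\n security = ADS\n' \
    > "$SAMPLE_DIR/smb.conf"
printf 'passwd: compat winbind\nshadow: compat winbind\ngroup:  compat winbind\n' \
    > "$SAMPLE_DIR/nsswitch.conf"
printf 'passwd: compat winbind\nshadow: winbind\ngroup:  compat winbind\n' \
    > "$SAMPLE_DIR/nsswitch-bad.conf"

check_realm "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/smb.conf" && echo "realm: consistent"
check_nsswitch "$SAMPLE_DIR/nsswitch.conf" && echo "nsswitch: winbind configured"
```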
Step 8: Now restart the Samba and winbind services.
# /etc/init.d/smb restart
# /etc/init.d/winbind restart
Now join the domain, using an AD account that is allowed to add computers to it:
# net ads join -U [User Name]
If the above command reports “Join is OK”, then test winbind:
Command to list all the AD users:
# wbinfo -u
Step 9: Now test it by logging in to the Linux server with an AD user's credentials.
# ssh [username]@[ipaddress or hostname of linux server]