The Geek Diary

Integrate Linux Servers with Active Directory using Samba, Winbind, and Kerberos

by admin

In this tutorial, we will discuss how to integrate Linux servers (CentOS/RHEL) with Windows Active Directory so that AD accounts can authenticate to them. In my case, I have CentOS/RHEL 6 servers. Follow the steps below to integrate these servers with AD using Samba, Winbind, and Kerberos.

Step 1: Install the Samba, Winbind and Kerberos packages.

# yum install samba-winbind samba-winbind-clients samba krb5-libs krb5-workstation pam_krb5

Step 2: Time synchronization.

Kerberos authentication fails when the clocks of the Linux server and the domain controller drift too far apart, so both must be synchronized to the same NTP source (the domain controllers normally serve NTP to the domain themselves). Use the command below to sync the Linux server's clock with the NTP server once:

# ntpdate [ntp-server-ip-address/dns-name]

To make this permanent, edit /etc/ntp.conf and replace the existing server lines with one or more NTP servers in your domain, like:

# vi /etc/ntp.conf
server [ntp-server-ip-address/dns-name]

Start the Service:

# /etc/init.d/ntpd start
# chkconfig ntpd on
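Because Kerberos refuses requests when the clocks diverge, it is worth measuring the skew before going on to the Kerberos configuration. The script below is an added example (not the article's code): it sends one SNTP query to the NTP server on UDP port 123, reads the transmit timestamp from the reply and compares it with the local clock against the 300-second tolerance that MIT Kerberos and AD apply by default. The default server name adserver.yourdomain is the placeholder from Step 3, and KERBEROS_MAX_SKEW is this script's own constant.

```python
"""Measure clock skew against an NTP server before Kerberos authentication.

Added example, not the article's code: one SNTP (RFC 4330) request to the
server configured in Step 2, then the local clock is compared with the
server's transmit timestamp.
"""
import socket
import struct
import sys
import time

NTP_UNIX_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 and 1970-01-01
KERBEROS_MAX_SKEW = 300            # default clockskew tolerance (MIT krb5 and AD), seconds


def build_sntp_request() -> bytes:
    # First byte: LI=0, VN=3, Mode=3 (client); the other 47 bytes are zero.
    return bytes([0x1B]) + bytes(47)


def parse_sntp_response(data: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40..47) as Unix time."""
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    mode = data[0] & 0x07
    if mode != 4:
        raise ValueError(f"unexpected NTP mode {mode}, expected 4 (server)")
    if data[1] == 0:  # stratum 0 marks a kiss-o'-death reply
        raise ValueError("kiss-o'-death packet: server refused the query")
    secs, frac = struct.unpack("!II", data[40:48])
    return secs - NTP_UNIX_EPOCH_DELTA + frac / 2 ** 32


def clock_skew(local_time: float, server_time: float) -> float:
    """Positive when the local clock is ahead of the server."""
    return local_time - server_time


def within_kerberos_tolerance(skew: float, max_skew: float = KERBEROS_MAX_SKEW) -> bool:
    return abs(skew) <= max_skew


def query_skew(server: str, timeout: float = 3.0) -> float:
    """Send one SNTP request and return the skew in seconds (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (server, 123))
        data, _ = sock.recvfrom(48)
    return clock_skew(time.time(), parse_sntp_response(data))


if __name__ == "__main__":
    # adserver.yourdomain is the placeholder hostname from Step 3.
    server = sys.argv[1] if len(sys.argv) > 1 else "adserver.yourdomain"
    skew = query_skew(server)
    verdict = "OK" if within_kerberos_tolerance(skew) else "TOO LARGE, fix NTP before kinit"
    print(f"clock skew vs {server}: {skew:+.3f}s ({verdict})")
```

Run it as "python skew.py adserver.yourdomain" on the Linux server; a skew near zero means the kinit in Step 5 will not be rejected for clock reasons, while anything beyond the tolerance points back at Step 2.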

Step 3: Edit the /etc/hosts file.

# vi /etc/hosts
[ip-address]  adserver.yourdomain adserver

Step 4: Edit /etc/krb5.conf. YOURDOMAIN is the Kerberos realm, which is the AD DNS domain name in uppercase, and yourdomain is the same name in lowercase.

# vi /etc/krb5.conf
[domain_realm]
    .yourdomain = YOURDOMAIN
    yourdomain = YOURDOMAIN
[libdefaults]
    ticket_lifetime = 24000
    default_realm = YOURDOMAIN
    dns_lookup_realm = true
    dns_lookup_kdc = false
    cache_type = 1
    forwardable = true
    proxiable = true
# Explicit enctype lists are not needed here: des-cbc-crc is a weak type that
# allow_weak_crypto = no disables anyway, and Active Directory does not offer
# des3, so leave them out and let the library defaults (AES) apply.
#   default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
#   permitted_enctypes = des3-hmac-sha1 des-cbc-crc
    allow_weak_crypto = no
[realms]
    YOURDOMAIN = {
        kdc = [ip address of AD server:Port]
        admin_server = [ip address of AD server:Port]
        default_domain = yourdomain
    }
[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
[logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    admin_server = FILE:/var/log/kadmind.log

Step 5: Test Kerberos authentication.

# kinit [user-name]

kinit prompts for the AD user's password. If everything is OK it returns to the shell prompt without printing anything, and klist shows the ticket it obtained; if it reports an error, re-check /etc/krb5.conf.

Step 6: Now Configure Samba and Winbind.

Edit /etc/samba/smb.conf.

# vi /etc/samba/smb.conf
[global]
    workgroup = [Workgroup-Name]
    # replace site2 with this server's hostname (15 characters max; smb.conf has no inline comments)
    netbios name = site2
    realm = YOURDOMAIN
    security = ADS
    idmap backend = tdb
    # this range starts at 1 and so overlaps local system accounts; start it above your local UIDs/GIDs
    idmap uid = 1-100000000
    idmap gid = 1-100000000
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind separator = /
    winbind nss info = sfu
    winbind offline logon = true
    winbind refresh tickets = true
    # 0.0.0.0/0 admits every address, so this line restricts nothing; list your client subnets instead
    hosts allow = 127.0.0.1 0.0.0.0/0
    interfaces = eth0 lo
    bind interfaces only = yes
    obey pam restrictions = yes
    socket options = TCP_NODELAY
    passdb backend = tdbsam
    encrypt passwords = yes
    map untrusted to domain = Yes
    #auth methods = winbind guest sam
    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 3
    printing = cups
    load printers = yes
    cups options = raw
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = yes
    guest ok = yes
    writable = no
    printable = yes
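The two configuration files in Steps 4 and 6 share a simple section/key = value format, and most failed joins come down to a handful of settings in them: an empty realm, enctype lists that the weak-crypto setting or the domain controller will not honour, duplicated keys where only the last one counts, and a hosts allow that allows everything. The linter below is an added example (not the article's or Samba's code) that parses both files with a small permissive parser and reports those problems; the two embedded sample configs are constructed for the demo and mirror the settings above, and the finding codes (REALM_EMPTY, WEAK_ENCTYPE, ...) are this script's own.

```python
"""Lint krb5.conf and smb.conf for the settings that break or weaken an AD join.

Added example, not the article's code. Findings are (severity, code, message)
tuples; the sample configs below are constructed and mirror Steps 4 and 6.
"""
import re
from collections import defaultdict

# Single-DES types that MIT Kerberos refuses unless allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
# Triple-DES types Active Directory has never offered; it uses AES (and RC4).
NON_AD_ENCTYPES = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"}
TRUE_WORDS = {"yes", "true", "1"}


def parse_ini(text):
    """section -> key -> [values], duplicates kept in order; krb5 '{ }' blocks are
    flattened into their section. Only whole-line comments are stripped because
    neither file format treats '#' as an inline comment."""
    conf = defaultdict(lambda: defaultdict(list))
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.split()).lower()  # Samba ignores case and spacing in names
        value = value.strip()
        if value != "{":                     # skip the 'REALM = {' opener itself
            conf[section][key].append(value)
    return conf


def value_of(conf, section, key, default=""):
    vals = conf.get(section, {}).get(key)
    return vals[-1] if vals else default


def lint_smb(text):
    conf, findings = parse_ini(text), []
    if value_of(conf, "global", "security").lower() == "ads" and not value_of(conf, "global", "realm"):
        findings.append(("ERROR", "REALM_EMPTY", "security = ADS needs realm = <KERBEROS REALM>"))
    if "0.0.0.0/0" in value_of(conf, "global", "hosts allow").split():
        findings.append(("WARN", "HOSTS_ALLOW_ANY", "hosts allow includes 0.0.0.0/0, which admits every address"))
    for section, keys in conf.items():
        for key, vals in keys.items():
            if len(vals) > 1:
                findings.append(("WARN", "DUPLICATE_KEY",
                                 f"[{section}] {key} set {len(vals)} times; Samba keeps the last ({vals[-1]!r})"))
            if any("#" in v for v in vals):
                findings.append(("WARN", "INLINE_COMMENT",
                                 f"[{section}] {key}: '#' is not an inline comment, it is part of the value"))
        if section != "global" and any(value_of(conf, section, k).lower() in TRUE_WORDS for k in ("guest ok", "public")):
            findings.append(("INFO", "GUEST_SHARE", f"[{section}] allows unauthenticated guest access"))
    return findings


def lint_krb5(text):
    conf, findings = parse_ini(text), []
    weak_allowed = value_of(conf, "libdefaults", "allow_weak_crypto").lower() in TRUE_WORDS
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        types = set(value_of(conf, "libdefaults", key).lower().replace(",", " ").split())
        if types & WEAK_ENCTYPES and not weak_allowed:
            findings.append(("ERROR", "WEAK_ENCTYPE", f"{key} lists {sorted(types & WEAK_ENCTYPES)} but "
                             "allow_weak_crypto is off; drop the list and use the AES defaults"))
        if types & NON_AD_ENCTYPES:
            findings.append(("WARN", "NON_AD_ENCTYPE", f"{key} lists {sorted(types & NON_AD_ENCTYPES)}, which AD does not offer"))
    realm = value_of(conf, "libdefaults", "default_realm")
    if realm and realm != realm.upper():
        findings.append(("WARN", "REALM_CASE", "default_realm should be the uppercase realm name"))
    domains = conf.get("domain_realm", {})
    for domain in domains:
        if not domain.startswith(".") and "." + domain not in domains:
            findings.append(("INFO", "DOMAIN_REALM_SUBDOMAINS",
                             f"[domain_realm] maps '{domain}' but not '.{domain}', so hosts under it are unmapped"))
    if value_of(conf, "libdefaults", "dns_lookup_kdc").lower() not in TRUE_WORDS and not value_of(conf, "realms", "kdc"):
        findings.append(("ERROR", "NO_KDC", "dns_lookup_kdc is off and [realms] names no kdc"))
    return findings


# Constructed samples reproducing the problems in the article's configs.
SMB_SAMPLE = """[global]
    netbios name = site2       ## replace the site2 with hostname
    realm =
    security = ADS
    hosts allow = 127.0.0.1 0.0.0.0/0
    max log size = 150
    max log size = 50
[printers]
    guest ok = yes
"""
KRB5_SAMPLE = """[domain_realm]
example.com = EXAMPLE.COM
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc
    allow_weak_crypto = no
[realms]
    EXAMPLE.COM = {
    kdc = dc1.example.com:88
    }
"""

if __name__ == "__main__":
    for name, linter, sample in (("smb.conf", lint_smb, SMB_SAMPLE), ("krb5.conf", lint_krb5, KRB5_SAMPLE)):
        for severity, code, message in linter(sample):
            print(f"{name}: {severity} {code}: {message}")
```

To lint the live files, read /etc/samba/smb.conf and /etc/krb5.conf into lint_smb and lint_krb5 instead of the samples; the checks are deliberately simple string tests so that they can be extended with any site rule (for instance, a required interfaces line) without touching the parser.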

Step 7: Configure /etc/nsswitch.conf so that user and group lookups also consult Winbind. Keep compat (local files) in front of winbind on all three lines, otherwise local accounts can no longer be resolved or authenticated.

# vi /etc/nsswitch.conf
passwd:   compat winbind
shadow:   compat winbind
group:    compat winbind

Step 8: Restart the Winbind and Samba services.

# /etc/init.d/smb restart
# /etc/init.d/winbind restart

Now join the domain:

# net ads join -U [User Name]

If the above command reports “Join is OK”, test Winbind by listing all the AD users:

# wbinfo -u

Step 9: Finally, test by logging in to the Linux server with an AD user's credentials.

# ssh [username]@[ipaddress or hostname of linux server]

© 2023 · The Geek Diary