In this tutorial, we will discuss how to integrate Linux Servers(Centos/RHEL) with Windows Active Directory for authentication purposes. In my case, I have Centos/RHEL 6 servers. Follow the below steps to integrate these servers with AD using samba, winbind, and Kerberos.
Step 1: Install the samba-winbind and kerberos packages.
# yum install samba-winbind samba-winbind-clients samba krb5-libs krb5-workstation pam_krb5
Step 2: Time synchronization.
AD is very picky about the time matching during authentication. So linux server and AD server time should be synchronized to the ntp server. Use the below command to sync the time of the Linux server with ntp server.
# ntpdate [ntp-server-ip-address/dns-name]
To make above configuration permanent edit the file “/etc/ntp.conf” and just replace what’s there with one or more NTP servers on your domain, like:
# vi /etc/ntp.conf server [ntp-server-ip-address/dns-name]
Start the Service:
# /etc/init.d/ntpd start # chkconfig ntpd on
Step 3: Edit the /etc/hosts file.
# vi /etc/hosts [ip-address] adserver.yourdomain adserver
Step 4: Edit /etc/krb5.conf.
# vi /etc/krb5.conf
[domain_realm]
yourdomain = YOURDOMAIN
[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN
dns_lookup_realm = true
dns_lookup_kdc = false
cache_type = 1
forwardable = true
proxiable = true
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
allow_weak_crypto = no
[realms]
YOURDOMAIN = {
kdc = [ip address of AD server:Port]
admin_server = [ip address of AD server:Port]
default_domain = yourdomain
}
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
admin_server = FILE:/var/log/kadmind.log
Step 5: Now Test the Kerberos Authentication.
# kinit [user-name]
If it prompts for the password, enter your user ad password, if everything is ok, then we will get the prompt otherwise re-check krb5.conf file.
Step 6: Now Configure Samba and Winbind.
Edit /etc/samba/smb.conf.
# vi /etc/samba/smb.conf
[global]
workgroup = [Workgroup-Name]
netbios name = site2 ## replace the site2 with hostname
realm =
security = ADS
template shell = /bin/bash
idmap backend = tdb
idmap uid = 1-100000000
idmap gid = 1-100000000
winbind use default domain = Yes
winbind nested groups = Yes
winbind enum users = Yes
winbind enum groups = Yes
template shell = /bin/bash
template homedir = /home/%D/%U
winbind separator = /
winbind nss info = sfu
winbind offline logon = true
hosts allow = 127.0.0.1 0.0.0.0/0
obey pam restrictions = yes
socket options = TCP_NODELAY
max log size = 150
passdb backend = tdbsam
printing = cups
load printers = yes
cups options = raw
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
interfaces = eth0 lo
bind interfaces only = yes
winbind refresh tickets = true
log file = /var/log/samba/log.%m
max log size = 50
log level = 3
encrypt passwords = yes
#map untrusted to domain = yes
#auth methods = winbind guest sam
map untrusted to domain = Yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
public = yes
guest ok = yes
writable = no
printable = yes
Step 7: Configure /etc/nsswitch.conf file to handle authentication.
# vi /etc/nsswitch.conf passwd: compat winbind shadow: winbind group: compat winbind
Step 8: Now restart winbind & Samba services.
# /etc/init.d/smb restart # /etc/init.d/winbind restart
Now join a domain:
# net ads join -U [User Name]
If the above command reports “Join is OK”, then test winbind:
Command to lists all the AD users:
# wbinfo -u
Step 9: Now do the testing & try to login to linux server via AD user credentials.
# ssh [username]@[ipaddress or hostname of linux server]