
AD Authentication in Linux


Recently I was working on a project to add Linux machines (clients) to a Windows Active Directory server. When I started, I found many blog posts on the topic; some of them did not work at all and some worked only partially. I combined pieces of several of them and succeeded in joining a Linux client to the Windows domain (AD).


Following are the steps I followed to get the Linux client into the Windows domain:


Before we start, we need some basic information about the environment:


Required:
# Active Directory server with the users & groups already set up
# KDC server name (FQDN)
# Credentials of a user (administrator) who can join a client machine to AD

IMPORTANT:
Make sure the AD server and your Linux client have their clocks synchronised; any noticeable time difference may cause login delays.

STEPS FOR CONFIGURING LINUX CLIENT TO JOIN ACTIVE DIRECTORY (AD):
1 Install Linux machine
Fresh install of CentOS 6.2 and CentOS 5.8 32-bit in text mode
2 Install support for the host command
# yum install bind-utils (optional: only needed for the host command)
3 Install required software
In CentOS 6.x
# yum install samba-common pam_krb5 samba-winbind krb5-workstation

In CentOS 5.x
# yum install samba-common pam_krb5 krb5-workstation
4 Check if name resolution works (OPTIONAL)
# host -t srv _kerberos._tcp.<DOMAIN>
(This SRV lookup is how a client locates a domain controller that is running the Kerberos KDC service for the domain.)
5 Make sure "hostname -f" returns an answer
On your Linux box, set the fully-qualified hostname in /etc/sysconfig/network and /etc/hosts. Note that the first part of your hostname (the short name) must be no longer than 15 characters and unique in the domain.
# /etc/sysconfig/network
HOSTNAME=myhostname.example.com
# /etc/hosts
127.0.0.1  myhostname.example.com  myhostname  localhost.localdomain localhost
# `hostname -f` should now return myhostname.example.com
6 Configure DNS client (optional as long as the server names resolve properly)
Make sure your Linux box has a properly configured DNS client (normally pointing at your domain controllers), i.e. in /etc/resolv.conf:
search example.com
nameserver <192.168.1.10>
(replace <192.168.1.10> with the address of your domain controller)
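The time-sync note and steps 4 to 6 are the preconditions that most often break a join (clock skew, no Kerberos SRV record, a short hostname that does not fit NetBIOS). The script below is an added example, not part of the original post; its functions take command output as text so they can be exercised on constructed lines, and the live section at the end runs only when the caller exports DOMAIN and DC_FQDN (both assumed names). The 300-second limit is the default Kerberos clock-skew tolerance.

```shell
# preflight.sh: check the join preconditions (added example, not part of the
# original post). The functions take command output as text so they can be
# run offline on constructed lines; the live section at the end runs only when
# DOMAIN and DC_FQDN are set, and uses `host` (bind-utils) and `ntpdate`.

# Kerberos refuses tickets when client and KDC clocks differ by more than the
# KDC's clock-skew tolerance, which defaults to 300 seconds.
MAX_SKEW=300

# ntpdate_offset LINE -> the "offset" value from an `ntpdate -q` result line, e.g.
# "server 192.168.1.10, stratum 2, offset -0.012345, delay 0.02567"
ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\),.*/\1/p'
}

# clock_skew_ok OFFSET -> 0 if |OFFSET| <= MAX_SKEW seconds, 1 otherwise.
# OFFSET may be negative and fractional, as ntpdate prints it.
clock_skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN {
        if (off < 0) off = -off
        if (off <= max) exit 0
        exit 1
    }'
}

# netbios_name_ok FQDN -> 0 if the short name (before the first dot) is 1..15
# characters of letters, digits or hyphens, the limit noted in step 5.
netbios_name_ok() {
    short=${1%%.*}
    printf '%s\n' "$short" | grep -Eq '^[A-Za-z0-9-]{1,15}$'
}

# kdc_from_srv TEXT -> target host of the best SRV record (lowest priority, then
# highest weight) in `host -t srv` output, trailing dot removed. Lines look like:
# "_kerberos._tcp.example.com has SRV record 0 100 88 dc1.example.com."
kdc_from_srv() {
    printf '%s\n' "$1" | awk '/has SRV record/ {
        prio = $(NF-3); weight = $(NF-2); target = $NF
        sub(/\.$/, "", target)
        if (best == "" || prio < bp || (prio == bp && weight > bw)) {
            best = target; bp = prio; bw = weight
        }
    } END { print best }'
}

# Live checks, skipped unless the caller exports DOMAIN and DC_FQDN (assumed names).
if [ -n "${DOMAIN:-}" ] && [ -n "${DC_FQDN:-}" ]; then
    srv=$(host -t srv "_kerberos._tcp.$DOMAIN")
    kdc=$(kdc_from_srv "$srv")
    [ -n "$kdc" ] && echo "KDC via DNS: $kdc" || echo "no _kerberos SRV record for $DOMAIN"

    line=$(ntpdate -q "$DC_FQDN" | grep -m1 'offset')
    off=$(ntpdate_offset "$line")
    clock_skew_ok "${off:-0}" && echo "clock offset ${off}s OK" || echo "clock offset ${off}s exceeds ${MAX_SKEW}s"

    fqdn=$(hostname -f)
    netbios_name_ok "$fqdn" && echo "short hostname OK" || echo "short hostname of $fqdn is invalid or longer than 15 chars"
fi
```

Run it as `DOMAIN=example.com DC_FQDN=dc1.example.com sh preflight.sh` on the client before step 7; a clock offset near the 300-second limit is worth fixing even when the join succeeds, because the skew only shows up later as failed or slow logins.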
7 Make required entries
Run the command:
# authconfig \
--disablecache \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=<TEST> \
--smbrealm=<TEST.COM> \
--enablewinbindusedefaultdomain \
--winbindtemplatehomedir=/home/%U \
--winbindtemplateshell=/bin/bash \
--enablekrb5 \
--krb5realm=<TEST.COM> \
--krb5kdc=<default kerberos KDC> \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablelocauthorize \
--enablemkhomedir \
--enablepamaccess \
--updateall
Make sure to replace:
<TEST> with your domain name in all CAPS
<TEST.COM> with your domain name (FQDN) in all CAPS
<default kerberos KDC> with your KDC server FQDN in all CAPS
8 Having the same user & group IDs across multiple client machines
Edit /etc/samba/smb.conf and add the following lines to the [global] section:
[global]
….
security = ads
allow trusted domains = No
idmap backend = idmap_rid:<TEST>=5000-100000000
idmap uid = 5000-100000000
idmap gid = 5000-100000000
…..
(<TEST> is your domain name, as in step 7.) The idmap uid and idmap gid lines are already present in the default smb.conf; change their ranges rather than adding a second copy. The rid backend derives each user's uid from the RID of its AD SID, so every client configured with the same range computes the same ids without a shared mapping database.
There is a sed alternative for the above (run these two commands; the first comments out every existing idmap line, the second inserts the new block before the commented idmap gid line):
# sed -i -e 's/idmap/#idmap/g' /etc/samba/smb.conf
# sed -i -e '/#idmap\ gid/i  \
allow trusted domains = No \
idmap backend = rid:<TEST>=5000-100000000 \
idmap uid = 5000-100000000 \
idmap gid = 5000-100000000
' /etc/samba/smb.conf
9 Fix home directory permissions
Open /etc/pam.d/system-auth and add umask=0077 to the line:
session     optional      pam_mkhomedir.so
Now it should look like this:
session     optional      pam_mkhomedir.so umask=0077
Save and exit.

There is a one-liner for the above task (system-auth is a symlink to system-auth-ac on these systems; run it only once, since a second run appends umask=0077 again):
# sed -i -e 's/pam_mkhomedir.so/pam_mkhomedir.so umask=0077/g' /etc/pam.d/system-auth-ac
10 Make sure winbind starts on reboot
# chkconfig winbind on
11 Join the domain
# net ads join -S <default kerberos KDC server FQDN> -U <administrator>
# net ads keytab create -S <default kerberos KDC server FQDN> -U <administrator>
Provide the <administrator> password when prompted by the above commands.
12 Restart winbind
# service winbind restart
13 Reset permissions for a domain user if a local user with the same name exists
(This must be done after joining the domain, otherwise such users will not get their home directory or shell when they log in.)
If a username that also exists in AD is present in the local system, update the home directory ownership for that user:
# chown "<username>:domain users" /home/<dirname>
where "domain users" is the group to which all AD users belong on the Linux side.
14 Test that it is working
# getent passwd <username_on_ad>
This should return the id details for <username_on_ad>; replace <username_on_ad> with any valid user in AD.
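Steps 8, 9 and 14 each leave something verifiable behind: a uid inside the idmap range, a home directory created with mode 0700, and a passwd entry with the template home and shell from step 7. The script below is an added example, not part of the original post; the parsing functions work on constructed text, and the live section (enabled with the assumed RUN_LIVE=1 variable) uses `net ads testjoin`, `wbinfo -t` and `getent` on the joined machine.

```shell
# verify_join.sh: post-join sanity checks (added example, not from the original
# post). The parsing functions work on constructed text so they can be exercised
# offline; the live section at the end runs only when RUN_LIVE=1 is set (assumed
# name) and uses the winbind tools installed in step 3.

IDMAP_LOW=5000          # must match "idmap uid/gid" in smb.conf (step 8)
IDMAP_HIGH=100000000

# passwd_field LINE N -> field N of a passwd(5) line "user:x:uid:gid:gecos:home:shell"
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# uid_in_idmap_range UID -> 0 when UID lies inside the configured idmap range,
# i.e. it was allocated by winbind rather than belonging to a local account.
uid_in_idmap_range() {
    [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# homedir_private DIR -> 0 when the directory mode is drwx------, which is what
# pam_mkhomedir produces with umask=0077 (step 9).
homedir_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# check_passwd_entry LINE -> 0 when the entry has a winbind-range uid, a home
# under /home and the shell set by --winbindtemplateshell in step 7.
check_passwd_entry() {
    uid=$(passwd_field "$1" 3)
    home=$(passwd_field "$1" 6)
    shell=$(passwd_field "$1" 7)
    uid_in_idmap_range "$uid" &&
        [ "${home#/home/}" != "$home" ] &&
        [ "$shell" = "/bin/bash" ]
}

# Live checks against the joined machine, skipped unless RUN_LIVE=1.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    user=${1:?usage: RUN_LIVE=1 $0 <username_on_ad>}
    net ads testjoin                 # is the machine account still valid?
    wbinfo -t                        # can winbind verify the trust secret?
    entry=$(getent passwd "$user") || { echo "no passwd entry for $user"; exit 1; }
    if check_passwd_entry "$entry"; then
        echo "$user: uid/home/shell OK"
    else
        echo "$user: unexpected passwd entry: $entry"
    fi
    home=$(passwd_field "$entry" 6)
    if [ -d "$home" ]; then
        homedir_private "$home" && echo "$home: mode OK" || echo "$home: not 0700"
    fi
fi
```

A local account that shadows an AD user (step 13) shows up here as a passwd entry whose uid is below the idmap range; a home directory that is not 0700 means step 9 was applied after the directory was first created and its mode needs fixing by hand.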


I was able to successfully join AD from a Linux machine.

Please share your experience with the above.


