AD Authentication in Linux


Recently I was working on a project to add Linux machines (clients) to a Windows Active Directory server. When I started, I saw many blog posts about that; some of them were not working and some were working to some extent. I tried a combination of them and succeeded in connecting a Linux client to a Windows domain (AD).


Following are the steps I followed which got the Linux client into the Windows domain:


Before we start, we need some basic info about the environment:


Required:
# An Active Directory server with the users and groups already set up
# The KDC (domain controller) server name (FQDN)
# Credentials of a user (e.g. administrator) who is allowed to join a client machine to AD

IMPORTANT:
Make sure the AD server and your Linux client have their clocks in sync. Kerberos rejects tickets when the clock skew exceeds its tolerance (5 minutes by default), so a large time difference breaks authentication outright, and even a smaller one can cause login delays. Running ntpd against a domain controller (or the same time source the DCs use) avoids this.

STEPS FOR CONFIGURING LINUX CLIENT TO JOIN ACTIVE DIRECTORY (AD):
1. Install Linux machine
Fresh install of CentOS 6.2 and CentOS 5.8 32-bit in text mode.
2. Install support for the host command
# yum install bind-utils   (optional; only needed for the host command)
3. Install required software
In CentOS 6.x:
# yum install samba-common pam_krb5 samba-winbind krb5-workstation
(samba-winbind-clients additionally provides wbinfo, which is handy for testing the join.)

In CentOS 5.x (winbindd is still part of samba-common here):
# yum install samba-common pam_krb5 krb5-workstation
4. Check that DNS resolution works (OPTIONAL)
# host -t srv _kerberos._tcp.<DOMAIN>
(This SRV lookup is how a client locates a domain controller that is running the Kerberos KDC service for the domain.)
5. Make sure "hostname -f" returns an answer
On your Linux box, set the fully-qualified hostname in /etc/sysconfig/network and /etc/hosts. Note that the first part of your hostname (the NetBIOS name, which becomes the computer account name in AD) must be no longer than 15 characters and unique in the domain.
# /etc/sysconfig/network
HOSTNAME=myhostname.example.com
# /etc/hosts
127.0.0.1  myhostname.example.com  myhostname  localhost.localdomain localhost
# `hostname -f` should now return myhostname.example.com
6. Configure the DNS client (optional as long as the server names resolve properly)
Make sure your Linux box has a properly configured DNS client (probably pointing at your domain controllers), e.g. in /etc/resolv.conf:
search example.com
nameserver <192.168.1.10>
7. Make the required entries
Run the command:
# authconfig \
--disablecache \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=<TEST> \
--smbrealm=<TEST.COM> \
--enablewinbindusedefaultdomain \
--winbindtemplatehomedir=/home/%U \
--winbindtemplateshell=/bin/bash \
--enablekrb5 \
--krb5realm=<TEST.COM> \
--krb5kdc=<default kerberos KDC> \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablelocauthorize \
--enablemkhomedir \
--enablepamaccess \
--updateall
Make sure to replace:
<TEST> with your NetBIOS (short) domain name in all CAPS
<TEST.COM> with your Kerberos realm, i.e. your domain name (FQDN) in all CAPS
<default kerberos KDC> with your KDC (domain controller) server FQDN; case does not matter here, only the realm must be upper-case
Notes: --enablewinbindusedefaultdomain lets users log in as "user" instead of "TEST\user". --enablepamaccess turns on pam_access, so /etc/security/access.conf can be used to restrict which AD groups may log in; the stock file has no rules, and pam_access allows a login when no rule matches, so until you add a final "- : ALL : ALL" rule every domain user can log in. --updateall rewrites /etc/samba/smb.conf, /etc/krb5.conf, /etc/nsswitch.conf and the PAM files, so run it before the manual edits in the steps that follow.
8. Having the same user and group IDs across multiple client machines
With the default tdb backend winbind allocates UIDs/GIDs in the order it first sees accounts, so the same AD user can get a different UID on every client, which breaks file ownership on shared storage. The rid backend instead derives the ID from the RID at the end of the account's SID (ID = RID + start of the range), so every client configured with the same range computes the same IDs. Edit smb.conf and add the following lines in the [global] section:
[global]
….
security = ads
allow trusted domains = No
idmap backend = rid:<TEST>=5000-100000000
idmap uid = 5000-100000000
idmap gid = 5000-100000000
…..
Of these, the idmap uid and idmap gid lines are already there (authconfig writes them with its own range); make sure to change them to the range above. <TEST> is the same short domain name used for --smbworkgroup. Pick a range that starts above the highest local UID/GID in /etc/passwd and /etc/group so that local and domain accounts can never share an ID. (Newer Samba releases prefer the "idmap config <TEST> : backend = rid" and "idmap config <TEST> : range = 5000-100000000" spelling; the lines above are what worked on the CentOS 5/6 packages used here.)
There is a sed alternative for the above work (run these two commands):
# sed -i -e 's/idmap/#idmap/g' /etc/samba/smb.conf
# sed -i -e '/#idmap\ gid/i  \
allow trusted domains = No \
idmap backend = rid:<TEST>=5000-100000000 \
idmap uid = 5000-100000000 \
idmap gid = 5000-100000000
' /etc/samba/smb.conf
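As an added example (not code from the original post), the script below shows what the rid backend configured above actually does: it maps a user's SID to a Linux ID with the same arithmetic idmap_rid uses (ID = RID + low end of the range, assuming the default base_rid of 0), refuses SIDs from any other domain (the effect of allow trusted domains = No), and scans a passwd file for local accounts whose UID would fall inside the idmap range. The domain SID is a constructed value; the range is the one from the smb.conf lines above.

```shell
#!/bin/bash
# Added example, not code from the original post: demonstrates the idmap
# "rid" mapping configured in step 8 and checks the range against local
# accounts. Assumptions: idmap_rid's default base_rid of 0 (so
# ID = RID + low end of range); DOMAIN_SID is a constructed example value.

IDMAP_LOW=5000             # same range as the smb.conf lines above
IDMAP_HIGH=100000000
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# sid_to_id SID -> prints the Linux UID/GID winbind would compute for SID.
# Returns 1 for a SID from another domain (allow trusted domains = No means
# winbind maps only the joined domain) or for a RID outside the range.
sid_to_id() {
    local sid=$1 rid id
    case "$sid" in
        "$DOMAIN_SID"-*) ;;
        *) echo "not mapped: $sid is not from $DOMAIN_SID" >&2; return 1 ;;
    esac
    rid=${sid##*-}
    case "$rid" in
        ''|*[!0-9]*) echo "not mapped: bad RID in $sid" >&2; return 1 ;;
    esac
    id=$((rid + IDMAP_LOW))
    if [ "$id" -gt "$IDMAP_HIGH" ]; then
        echo "not mapped: RID $rid lands outside $IDMAP_LOW-$IDMAP_HIGH" >&2
        return 1
    fi
    echo "$id"
}

# range_overlaps PASSWD_FILE -> prints "name:uid" for every local account
# whose UID lies inside the idmap range and returns 1 if there is any;
# such an account would share a UID with (and own the files of) an AD user.
range_overlaps() {
    awk -F: -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" '
        $3 >= lo && $3 <= hi { print $1 ":" $3; bad = 1 }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Stand-alone run: map a constructed user SID and scan the live passwd file.
sid_to_id "$DOMAIN_SID-1105"        # prints 6105
if [ -r /etc/passwd ]; then
    range_overlaps /etc/passwd || echo "warning: local UIDs inside the idmap range" >&2
fi
```

Because the mapping is pure arithmetic on the RID, two clients with the same range always agree; a client configured with a different low end of the range would silently assign a different UID to the same user, which is why the range must be identical on every machine.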
9. Fix home directory permissions
pam_mkhomedir creates a missing home directory at first login with a umask of 0022, i.e. readable by every other user on the box. Open /etc/pam.d/system-auth and add umask=0077 to the line below:
session     optional      pam_mkhomedir.so
Now it should look like this:
session     optional      pam_mkhomedir.so umask=0077
Save and exit.

There is a one-liner for the above task:
# sed -i -e 's/pam_mkhomedir.so/pam_mkhomedir.so umask=0077/g' /etc/pam.d/system-auth-ac
(On CentOS, /etc/pam.d/system-auth is a symlink to system-auth-ac, which authconfig regenerates every time it runs, so re-apply this edit after any later authconfig run or the umask silently goes back to 0022.)
10. Make sure winbind runs on reboot
# chkconfig winbind on
11. Join the domain
# net ads join -S <default kerberos KDC server FQDN> -U <administrator>
# net ads keytab create -S <default kerberos KDC server FQDN> -U <administrator>
Provide the <administrator> password when the above commands prompt for it. The join creates the computer account in AD and stores the machine password in /var/lib/samba/private/secrets.tdb; the second command writes the machine's Kerberos keys to /etc/krb5.keytab so that services such as sshd can accept Kerberos tickets. Both files hold long-term keys that are as sensitive as a password, so they must stay root-owned and mode 0600.
# net ads testjoin
should report "Join is OK".
12. Restart winbind
# service winbind restart
13. Permissions need to be reset for a domain user if a local user with the same name exists
(This should be done after joining the domain; otherwise users will not get their home directory or shell when they log in.)
If a username with the same name as in AD exists in the local system, make sure to update the home directory ownership for that user:
# chown <username>.domain\ users /home/<dirname>
where "domain users" is the group to which all AD users belong (the Domain Users group as winbind presents it in Linux). The group name contains a space, so it must be escaped as above or quoted ("<username>:domain users"); chown accepts both the "user:group" and the older "user.group" separator.
14. Test that it's working
# getent passwd <username_on_ad>
should return the passwd entry (UID, home directory, shell) for <username_on_ad>; replace <username_on_ad> with any valid user in AD. Other useful checks: "wbinfo -t" verifies the machine account's trust secret with the domain controller, "wbinfo -u" lists the domain users, "id <username_on_ad>" shows the group memberships, and "kinit <username_on_ad>" confirms that Kerberos (time sync, DNS and realm settings) works end to end.
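As an added example (not code from the original post), the following checks automate the points from steps 5, 7, 9 and 11 that are easy to get wrong: the 15-character NetBIOS limit on the host name, the umask on pam_mkhomedir, the mode and owner of /etc/krb5.keytab, and whether /etc/security/access.conf (enabled by --enablepamaccess) ends in a deny-all rule so that only explicitly listed AD groups can log in. The paths and the expected keytab owner are parameters; the script uses GNU stat, i.e. it assumes Linux.

```shell
#!/bin/bash
# Added example, not code from the original post: post-join checks for the
# settings from steps 5, 7, 9 and 11. File paths and the expected keytab
# owner are parameters; stat -c is GNU coreutils, so this assumes Linux.

# netbios_name_ok FQDN -> 0 if the name is fully qualified and its short
# part (the NetBIOS/computer-account name) is 1 to 15 characters long.
netbios_name_ok() {
    local fqdn=$1 short
    short=${fqdn%%.*}
    [ -n "$short" ] && [ "$short" != "$fqdn" ] && [ ${#short} -le 15 ]
}

# mkhomedir_umask_ok PAM_FILE -> 0 if the pam_mkhomedir session line carries
# umask=0077, i.e. new home directories are not readable by other users.
mkhomedir_umask_ok() {
    grep -Eq '^session[[:space:]]+[a-z]+[[:space:]]+pam_mkhomedir\.so.*umask=0077' "$1"
}

# keytab_perms_ok KEYTAB [OWNER] -> 0 if the keytab exists, is owned by
# OWNER (default root) and carries no group/other permission bits.
keytab_perms_ok() {
    local f=$1 want=${2:-root} mode owner
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f") || return 1
    owner=$(stat -c %U "$f") || return 1
    [ "$owner" = "$want" ] || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# access_conf_denies_by_default ACCESS_FILE -> 0 if the last active rule in
# the file is "- : ALL : ALL". pam_access grants access when no rule matches,
# so without that final rule every AD user may log in to the box.
access_conf_denies_by_default() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         { gsub(/[[:space:]]/, ""); last = $0 }
         END { exit (last == "-:ALL:ALL") ? 0 : 1 }' "$1"
}

# report LABEL CMD... -> prints OK/FAIL for one check without aborting.
report() {
    local label=$1; shift
    if "$@" 2>/dev/null; then echo "OK   $label"; else echo "FAIL $label"; fi
}

# Stand-alone run against the live system.
report "host name fits NetBIOS limit"   netbios_name_ok "$(hostname -f 2>/dev/null)"
report "pam_mkhomedir has umask=0077"   mkhomedir_umask_ok /etc/pam.d/system-auth
report "/etc/krb5.keytab root-only"     keytab_perms_ok /etc/krb5.keytab
report "access.conf denies by default"  access_conf_denies_by_default /etc/security/access.conf
```

A typical access.conf for this setup is "+ : (domain admins) : ALL", then "+ : (linux users) : ALL" for whichever AD group should have shell access, followed by "- : ALL : ALL"; the parentheses tell pam_access the name is a group, and the quoting is needed because winbind presents group names with spaces.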


I was able to successfully join AD from a Linux machine.

Please share your experience on the above.


