
AD Authentication in Linux

Recently I was working on a project to add Linux machines (clients) to a Windows Active Directory server. When I started, I saw many blog posts about it; some of them were not working and some worked only to some extent. I tried a combination of them and succeeded in connecting a Linux client to a Windows domain (AD).

The following are the steps I followed to get the Linux client into the Windows domain.

Before we start, we need some basic information about the environment.

Required:
# Active Directory server with the users and groups already set up
# KDC server name (FQDN)
# Credentials of a user (administrator) who can join a client machine to AD

Make sure the AD server and your Linux client are time-synchronised. Kerberos rejects requests from a client whose clock differs too much from the KDC's, so any noticeable time difference may cause login delays.

1 Install the Linux machine
Fresh install of CentOS 6.2 and CentOS 5.8 (32-bit) in text mode.

2 Install support for the host command (optional, only needed for the resolution check below)
# yum install bind-utils

3 Install the required software
On CentOS 6.x:
# yum install samba-common pam_krb5 samba-winbind krb5-workstation

On CentOS 5.x (winbind is part of samba-common on this release):
# yum install samba-common pam_krb5 krb5-workstation

4 Check that DNS resolution works (optional)
# host -t srv _kerberos._tcp.<DOMAIN>
This SRV lookup is how a client locates a domain controller that is running the Kerberos KDC service for the domain; if it returns nothing, fix DNS before going further.

5 Make sure "hostname -f" returns an answer
On your Linux box, set the fully qualified hostname in /etc/sysconfig/network and /etc/hosts. Note that the first part of your hostname (the short name) must be no longer than 15 characters and unique in the domain.
# /etc/sysconfig/network  ->  HOSTNAME=<myhostname.test.com>
# /etc/hosts              ->  <client IP>  <myhostname.test.com>  <myhostname>
#                             (keep the existing localhost.localdomain localhost line)
# `hostname -f` should now return <myhostname.test.com>

6 Configure the DNS client (optional as long as the server names resolve properly)
Make sure your Linux box has a properly configured DNS client in /etc/resolv.conf, probably pointing at your domain controllers:
nameserver <IP of a domain controller>
7 Make the required entries
Run the following command (it is a single command; the trailing backslashes are line continuations, and --update is required for authconfig to actually apply the settings):
# authconfig \
--disablecache \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=<TEST> \
--smbrealm=<TEST.COM> \
--enablewinbindusedefaultdomain \
--winbindtemplatehomedir=/home/%U \
--winbindtemplateshell=/bin/bash \
--enablekrb5 \
--krb5realm=<TEST.COM> \
--krb5kdc=<default kerberos KDC> \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablelocauthorize \
--enablemkhomedir \
--enablepamaccess \
--update
Make sure to replace:
<TEST> with your domain (workgroup) name in all CAPS
<TEST.COM> with your domain name (FQDN) in all CAPS
<default kerberos KDC> with your KDC server FQDN in all CAPS
Note that --enablepamaccess turns on pam_access, so /etc/security/access.conf is enforced; use it to restrict which AD users or groups may log in to this client rather than allowing the whole domain.
8 Having the same user and group IDs across multiple client machines
With the rid backend the UID/GID is computed from the account's RID plus the base of the configured range, so every client that uses the same domain name and the same range assigns identical IDs to the same AD user. Edit /etc/samba/smb.conf and add the following lines to the [global] section:
security = ads
allow trusted domains = No
idmap backend = rid:<TEST>=5000-100000000
idmap uid = 5000-100000000
idmap gid = 5000-100000000
Of these, the idmap uid and idmap gid lines are already there (authconfig adds them); make sure to change them to the range above. Replace <TEST> with your workgroup name in CAPS, exactly as in the authconfig command. On the Samba 3.0 shipped with CentOS 5 the backend line is written idmap_rid:<TEST>=5000-100000000 instead.
There is a sed alternative for the above (run these two commands: the first comments out the existing idmap lines, the second inserts the new block before the commented-out idmap gid line):
# sed -i -e 's/idmap/#idmap/g' /etc/samba/smb.conf
# sed -i -e '/#idmap\ gid/i \
allow trusted domains = No\
idmap backend = rid:<TEST>=5000-100000000\
idmap uid = 5000-100000000\
idmap gid = 5000-100000000
' /etc/samba/smb.conf

9 Fix home directory permissions
Open /etc/pam.d/system-auth and find the session line for the mkhomedir module (the one enabled by --enablemkhomedir above; the original post does not name the module, it is pam_mkhomedir.so on CentOS 5 and usually pam_oddjob_mkhomedir.so on CentOS 6):
session     optional      pam_mkhomedir.so
Append umask=0077 so that newly created home directories are readable by their owner only. It should now look like this:
session     optional      pam_mkhomedir.so umask=0077
Save and exit.

There is a one-liner for the above task (it appends umask=0077 to the mkhomedir session line unless a umask is already set):
# sed -i -e '/^session.*optional.*mkhomedir\.so/{/umask=/!s/$/ umask=0077/}' /etc/pam.d/system-auth

10 Make sure winbind runs on reboot
# chkconfig winbind on

11 Join the domain
# net ads join -S <default kerberos KDC server FQDN> -U <administrator>
# net ads keytab create -S <default kerberos KDC server FQDN> -U <administrator>
Provide the <administrator> password when prompted. The join creates the computer account for this client in AD; keytab create writes the client's Kerberos keys into the system keytab (/etc/krb5.keytab) so the host can authenticate without a password.

12 Restart winbind
# service winbind restart

13 Reset permissions for a domain user if a local user with the same name exists
(This should be done after joining the domain; otherwise those users will not get their home directory or shell when they log in.)
If a username that also exists in AD is present on the local system, update the home directory ownership for that user:
# chown <username>.domain\ users /home/<dirname>
where "domain users" is the group to which all AD users belong on Linux (the AD "Domain Users" group as winbind presents it).

14 Test that it is working
# getent passwd <username_on_ad>
should return the passwd entry (UID, GID, home directory and shell) for <username_on_ad>.
Replace <username_on_ad> with any valid user in AD.
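As an added pre-flight check (not part of the original post), the script below validates two of the preconditions above using only local files, so it can be run before net ads join: that the short hostname label is at most 15 characters, and that the idmap settings in smb.conf agree with each other and with the workgroup (a mismatch means this client would compute different UIDs/GIDs than the other clients). The --run switch, the script name and the file paths are assumptions.

```shell
#!/bin/bash
# Added pre-flight check for the steps above (not from the original post).
# It reads only local files, so it can run before "net ads join".

# Return 0 if the first label of hostname $1 is 1..15 characters of
# letters, digits or hyphens (the NetBIOS-style limit noted above).
check_hostname_label() {
    label=${1%%.*}
    case "$label" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ ${#label} -le 15 ]
}

# Print the (last) value of "key = value" for key $2 in smb.conf $1,
# ignoring commented-out lines and trailing whitespace.
conf_get() {
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}" "$1" | tail -n 1
}

# Return 0 if smb.conf $1 uses the rid backend and its domain and range
# match the workgroup and the idmap uid/gid ranges. Any mismatch means
# this client would assign different UIDs/GIDs than the other clients.
check_idmap_config() {
    conf=$1
    wg=$(conf_get "$conf" 'workgroup')
    backend=$(conf_get "$conf" 'idmap backend')
    uid=$(conf_get "$conf" 'idmap uid')
    gid=$(conf_get "$conf" 'idmap gid')
    case "$backend" in
        rid:*=*-*|idmap_rid:*=*-*) ;;
        *) echo "idmap backend is not a rid mapping: '$backend'" >&2; return 1 ;;
    esac
    dom=${backend#*:}; dom=${dom%%=*}     # DOMAIN from "rid:DOMAIN=low-high"
    range=${backend#*=}                   # low-high
    [ "$dom" = "$wg" ] || { echo "backend domain '$dom' != workgroup '$wg'" >&2; return 1; }
    [ "$range" = "$uid" ] || { echo "idmap uid '$uid' != backend range '$range'" >&2; return 1; }
    [ "$range" = "$gid" ] || { echo "idmap gid '$gid' != backend range '$range'" >&2; return 1; }
    return 0
}

# Usage on the client (assumed script name and paths): ./adcheck.sh --run
if [ "${1:-}" = "--run" ]; then
    check_hostname_label "$(hostname -f)" || echo "WARN: short hostname invalid or longer than 15 chars"
    check_idmap_config /etc/samba/smb.conf && echo "smb.conf idmap settings are consistent"
fi
```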

I was able to successfully join AD from a Linux machine.

Please share your experience on the above.

