
AD Authentication in Linux

Recently I was working on a project to add Linux machines (clients) to a Windows Active Directory server. When I started, I saw many blog posts on that; some of them were not working and some were working only to some extent. I tried a combination of them and succeeded in connecting a Linux client to a Windows domain (AD).

Following are the steps I followed which got the Linux client into the Windows domain:

Before we start, we need some basic information about the environment.

Required:
- An Active Directory server with the users and groups already set up
- The KDC server name (FQDN)
- Credentials of a user (administrator) who is allowed to join a client machine to AD

Make sure the AD server and your Linux client are time-synchronised. Kerberos tickets carry timestamps and the KDC rejects requests whose clock is too far off, so any noticeable time difference may cause login delays.

1 Install Linux Machine
A fresh install of CentOS 6.2 and CentOS 5.8 (32-bit) in text mode.

Install support for the host command
# yum install bind-utils (optional, only needed for the host command used below)

Install the required packages
In CentOS 6.x:
# yum install samba-common pam_krb5 samba-winbind krb5-workstation

In CentOS 5.x:
# yum install samba-common pam_krb5 krb5-workstation

Check if DNS resolution works (OPTIONAL)
# host -t srv _kerberos._tcp.<DOMAIN>
(This SRV lookup is how a client locates a domain controller that is running the Kerberos KDC service for the domain.)

Make sure "hostname -f" returns an answer
On your Linux box, set the fully-qualified hostname in /etc/sysconfig/network and /etc/hosts. Note that the first part of your hostname (the short name) must be no longer than 15 characters and unique in the domain, because it becomes the machine's NetBIOS name in AD.
# /etc/sysconfig/network (the hostname setting)
# /etc/hosts  myhostname  localhost.localdomain localhost
# `hostname -f` should now return the fully-qualified name
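As an added check (not from the original post), the shell function below tests a hostname against the two requirements above, fully qualified and a short name of at most 15 characters, before you attempt the join. The hostnames used in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: validate a hostname against the
# join requirements (fully qualified, short part <= 15 characters).

# check_fqdn NAME
# Returns 0 when NAME contains a domain part and its short name is at most
# 15 characters (the NetBIOS machine-name limit); otherwise prints the reason
# on stderr and returns 1.
check_fqdn() {
    fqdn=$1
    case $fqdn in
        '')  echo "hostname is empty" >&2; return 1 ;;
        *.*) ;;
        *)   echo "'$fqdn' is not fully qualified (no domain part)" >&2; return 1 ;;
    esac
    short=${fqdn%%.*}
    if [ "${#short}" -gt 15 ]; then
        echo "short name '$short' is ${#short} characters; NetBIOS allows at most 15" >&2
        return 1
    fi
    return 0
}

# With --live the script checks the running system, using the same value the
# join will use; without arguments it only defines the function.
if [ "${1:-}" = "--live" ]; then
    check_fqdn "$(hostname -f 2>/dev/null)" && echo "hostname OK"
fi
```

Run it as `sh check_fqdn.sh --live` on the client; a non-zero exit with a message tells you which of the two rules is violated before `net ads join` fails with a less helpful error.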
6 Configure DNS Client (this step is optional as long as the server names are resolving properly)
Make sure your Linux box has a properly configured DNS client (probably pointing at your domain controllers), i.e. /etc/resolv.conf contains:
nameserver <IP address of your DNS server, typically a domain controller>
7 Make required entries
Run the command below. The final --update is required; it is the action that writes the winbind, Kerberos and PAM changes to the configuration files.
# authconfig \
--disablecache \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=<TEST> \
--smbrealm=<TEST.COM> \
--enablewinbindusedefaultdomain \
--winbindtemplatehomedir=/home/%U \
--winbindtemplateshell=/bin/bash \
--enablekrb5 \
--krb5realm=<TEST.COM> \
--krb5kdc=<default kerberos KDC> \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablelocauthorize \
--enablemkhomedir \
--enablepamaccess \
--update
Make sure to replace:
<TEST> with your domain (workgroup) name in all CAPS
<TEST.COM> with your domain name (FQDN) in all CAPS
<default kerberos KDC> with your KDC server FQDN in all CAPS
--enablepamaccess turns on pam_access, so /etc/security/access.conf can be used afterwards to limit which domain users or groups may log in to this client.
8 Having the Same User and Group IDs across Multiple Client Machines
Edit /etc/samba/smb.conf and add the following lines to the [global] section:
security = ads
allow trusted domains = No
idmap backend = idmap_rid:KPAK=5000-100000000
idmap uid = 5000-100000000
idmap gid = 5000-100000000
(KPAK is the author's domain; put your own workgroup name, the <TEST> value from the authconfig step, in its place.) Of these, the idmap uid and idmap gid lines are already there after authconfig; make sure to change them to the range above. With the rid backend each uid and gid is computed from the account's RID and the start of the range, so every client configured with the same range produces the same IDs without sharing any idmap database.

There is a sed alternative for the above (run these two commands):
# sed -i -e 's/idmap/#idmap/g' /etc/samba/smb.conf
# sed -i -e '/#idmap\ gid/i  \
allow trusted domains = No \
idmap backend = rid:<EXAMPLE>=5000-100000000 \
idmap uid = 5000-100000000 \
idmap gid = 5000-100000000
' /etc/samba/smb.conf
<EXAMPLE> is again your workgroup name. Note that the backend is spelled rid: here and idmap_rid: above; which spelling your Samba version accepts depends on the release, so run testparm afterwards and check that it parses smb.conf without complaints.
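The sed pair above comments out every line containing "idmap" and inserts the block once, but running it twice inserts the block twice. As an added example (not the post's own commands), here is an idempotent shell function that applies the step 8 settings to an smb.conf, plus a helper that reads back the value Samba will actually use for a key. The sample smb.conf written by make_sample_conf is constructed to resemble what authconfig leaves behind; the option names and the 5000-100000000 range are the ones from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent application of the
# step 8 idmap settings to an smb.conf, with a read-back helper for checking.

IDMAP_RANGE=5000-100000000

# apply_idmap FILE WORKGROUP
# Comments out existing idmap / security / allow trusted domains lines and
# inserts the new block directly after the [global] header. A second run
# finds the backend line already present and changes nothing.
apply_idmap() {
    file=$1
    workgroup=$2
    if grep -q "^idmap backend = idmap_rid:$workgroup=$IDMAP_RANGE" "$file"; then
        return 0
    fi
    sed -i \
        -e 's/^[[:space:]]*idmap /#&/' \
        -e 's/^[[:space:]]*security[[:space:]]*=/#&/' \
        -e 's/^[[:space:]]*allow trusted domains/#&/' \
        "$file"
    sed -i -e "/^[[:space:]]*\[global\]/a\\
security = ads\\
allow trusted domains = No\\
idmap backend = idmap_rid:$workgroup=$IDMAP_RANGE\\
idmap uid = $IDMAP_RANGE\\
idmap gid = $IDMAP_RANGE" "$file"
}

# active_value KEY FILE
# Prints the value of the last uncommented "KEY = value" line, which is the
# one Samba uses when a key appears more than once.
active_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# make_sample_conf
# Writes a constructed smb.conf (the idmap uid/gid lines are the ones step 8
# says to change) and prints its path.
make_sample_conf() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
[global]
workgroup = TEST
realm = TEST.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true

[homes]
comment = Home Directories
EOF
    printf '%s\n' "$tmp"
}
```

On a real client you would call `apply_idmap /etc/samba/smb.conf <TEST>` and then `active_value 'idmap backend' /etc/samba/smb.conf` to confirm the line that is in force, followed by testparm.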

Fix Home Directory Permissions
Open /etc/pam.d/system-auth and add umask=0077 to the session line for the home-directory creation module that --enablemkhomedir added (pam_mkhomedir.so, or pam_oddjob_mkhomedir.so on CentOS 6 when oddjob is installed). The line currently looks like this:
session     optional      pam_mkhomedir.so
Now it should look like this:
session     optional      pam_mkhomedir.so umask=0077
Save and exit. The umask makes every newly created home directory mode 0700, so other domain users on the client cannot read it.

There is a one-liner for the above task (it appends the option to the mkhomedir session line only if it is not already there):
# sed -i -e '/^session.*optional.*mkhomedir/{/umask=/!s/$/ umask=0077/}' /etc/pam.d/system-auth

Make sure winbind starts on reboot
# chkconfig winbind on

Join Domain
# net ads join -S <default kerberos KDC server FQDN> -U <administrator>
# net ads keytab create -S <default kerberos KDC server FQDN> -U <administrator>
Provide the <administrator> password when prompted by the above commands.

Restart Winbind
# service winbind restart

Permissions need to be reset for a domain user if a local user with the same name exists
(do this after joining the domain; otherwise users will not get their home directory or shell when they log in). If a username that also exists in AD is present on the local system, its home directory is still owned by the local uid and gid rather than the ones winbind maps for the domain user, so update the ownership of that directory:
# chown <username>.domain\ users /home/<dirname>
where "domain users" is the group to which all AD users belong in Linux.

Test if it's working:
# getent passwd <username_on_ad>
should return the id details for <username_on_ad> (replace <username_on_ad> with any valid user in AD).
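Seeing a line come back from getent is only half the check; the uid and gid should fall inside the idmap range from step 8 and the home and shell should match the winbind templates from step 7. As an added example (not part of the original post), the script below parses a passwd entry and verifies exactly that, and flags an id below the range, which is the usual sign of a local account with the same name shadowing the AD user. The entries in the test usage are constructed; on a joined client pass a real username to check_user.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a passwd entry for
# a domain user is consistent with the winbind settings (idmap range
# 5000-100000000, home /home/<user>, shell /bin/bash).

ID_MIN=5000
ID_MAX=100000000

# check_entry "name:passwd:uid:gid:gecos:home:shell"
# Returns 0 when the entry matches the expected layout; otherwise reports each
# problem on stderr and returns 1.
check_entry() {
    entry=$1
    name=$(printf '%s\n' "$entry" | cut -d: -f1)
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    status=0
    for id in "$uid" "$gid"; do
        case $id in
            ''|*[!0-9]*)
                echo "$name: non-numeric id field '$id'" >&2
                return 1 ;;
        esac
        if [ "$id" -lt "$ID_MIN" ] || [ "$id" -gt "$ID_MAX" ]; then
            echo "$name: id $id is outside the idmap range $ID_MIN-$ID_MAX (local account shadowing the AD user?)" >&2
            status=1
        fi
    done
    if [ "$home" != "/home/$name" ]; then
        echo "$name: home is '$home', template expects /home/$name" >&2
        status=1
    fi
    if [ "$shell" != "/bin/bash" ]; then
        echo "$name: shell is '$shell', template expects /bin/bash" >&2
        status=1
    fi
    return $status
}

# check_user USERNAME
# Looks the user up through NSS, the same path a login takes, and runs
# check_entry on the result.
check_user() {
    entry=$(getent passwd "$1") || {
        echo "$1: not found via getent; is winbind running and listed in nsswitch.conf?" >&2
        return 1
    }
    check_entry "$entry"
}

# usage: sh check_user.sh <username_on_ad>
if [ $# -gt 0 ]; then
    check_user "$1"
fi
```

A clean run prints nothing and exits 0; an entry such as `jdoe:x:500:500:...` for a name that exists in AD exits 1 with the shadowing hint, which is the situation the chown step above is meant to repair.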

I was able to successfully join AD from the Linux machine.

Please share your experience on the above.

