Linux and AD authentication

AD – Active Directory
So, how to get data from MS AD using CentOS 6U4 with the least effort possible.
A good link, with a general explanation.
All things considered, I chose the Winbind option.

1. Enter the AD server and DNS server (in my case the same machine) in the /etc/hosts file:
10.10.10.19 ad.my.domain
Use the FQDN here.
2. In /etc/resolv.conf put the AD+DNS server in first place:
nameserver 10.10.10.19
The AD+DNS server needs to be pingable by name:
# ping ad.my.domain
PING ad.my.domain (10.10.10.19) 56(84) bytes of data.
64 bytes from ad.my.domain (10.10.10.19): icmp_seq=1 ttl=127 time=1.45 ms
3. It is essential that the Linux and AD servers have the same time (use the same NTP servers). Windows is very touchy about time discrepancies: Kerberos rejects requests when the clocks differ by more than the permitted skew, 5 minutes by default.
4. Set up YUM (see my previous post).
5. Install the Kerberos packages (krb5) and check that they are there:
# rpm -qa|grep krb5
krb5-pkinit-openssl-1.10.3-10.el6.i686
krb5-appl-servers-1.0.1-7.el6_2.1.i686
krb5-libs-1.10.3-10.el6.i686
krb5-server-ldap-1.10.3-10.el6.i686
krb5-auth-dialog-0.13-3.el6.i686
krb5-workstation-1.10.3-10.el6.i686
krb5-devel-1.10.3-10.el6.i686
krb5-appl-clients-1.0.1-7.el6_2.1.i686
krb5-server-1.10.3-10.el6.i686
I am not quite sure that ALL of those packages are necessary, but it is better that they are here 😉
6. Change the /etc/krb5.conf file. Note that allow_weak_crypto = true and the des-* enctypes below re-enable single-DES, which is deprecated; they are only needed for legacy domain controllers, and a current AD domain negotiates AES (aes256-cts-hmac-sha1-96) without them:
[libdefaults]
allow_weak_crypto = true
ticket_lifetime = 600
default_realm = my.domain
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc arcfour-hmac-md5 des-cbc-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc arcfour-hmac-md5 des-cbc-md5
[realms]
my.domain = {
kdc = 10.10.10.19
default_domain = my.domain
}
[domain_realm]
.yourdomain = my.domain
yourdomain = my.domain
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
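As an added example (not part of the original post), a small Python checker for the three error-prone settings in the krb5.conf above: allow_weak_crypto, the des-* enctypes, and a lower-case default_realm, which is what makes kinit insist on the upper-case realm later on. The sample configs are constructed from the post's values; the hardened one assumes a domain controller that supports AES, which any current AD does.

```python
# Constructed sample: the [libdefaults] and [realms] sections of the krb5.conf from this post.
WEAK_CONF = """
[libdefaults]
allow_weak_crypto = true
default_realm = my.domain
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc arcfour-hmac-md5 des-cbc-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc arcfour-hmac-md5 des-cbc-md5
[realms]
my.domain = {
kdc = 10.10.10.19
}
"""
# Constructed hardened counterpart: upper-case realm and no enctype overrides, so krb5 keeps
# single-DES disabled (its default since 1.8) and negotiates AES with a current domain controller.
HARDENED_CONF = "[libdefaults]\ndefault_realm = MY.DOMAIN\nticket_lifetime = 600\n"

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: value}}; 'name = { ... }' blocks become nested dicts."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments; blank lines fall through
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None  # end of a realm block
        elif "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":
                block = section.setdefault(key, {})  # start of a realm block
            else:
                (block if block is not None else section)[key] = val
    return conf

def audit_krb5(text):
    """Return a list of findings for the weak settings discussed above; [] means none present."""
    libdefaults = parse_krb5(text).get("libdefaults", {})
    findings = []
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto = true re-enables single-DES, which is deprecated")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in libdefaults.get(key, "").split() if e.startswith("des-")]
        if weak:
            findings.append(f"{key} lists single-DES enctypes: {' '.join(weak)}")
    realm = libdefaults.get("default_realm", "")
    if realm and realm != realm.upper():
        findings.append(f"default_realm '{realm}' is not upper-case; kinit needs '{realm.upper()}'")
    return findings

if __name__ == "__main__":
    print(*audit_krb5(WEAK_CONF), sep="\n")  # the hardened counterpart yields no findings
```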
Check Kerberos:
# kinit squid1@MY.DOMAIN
Password for squid1@MY.DOMAIN:
#                          <-- no output, as it should be
# klist                    <-- this lists the ticket we just got
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squid1@MY.DOMAIN

Valid starting     Expires            Service principal
01/27/14 15:03:56  01/27/14 15:13:56  krbtgt/MY.DOMAIN@MY.DOMAIN
The realm name given to kinit MUST be written in capital letters, or it will not work: Kerberos realm names are case-sensitive, and an AD realm is always the upper-case form of the DNS domain.
7. Samba and Winbind configuration
Change the Samba configuration file /etc/samba/smb.conf:
[global]
workgroup = DOMAIN                <-- check this: it is the short (NetBIOS) domain name, which may differ from my.domain
password server = 10.10.10.19
wins server = 10.10.10.19
realm = MY.DOMAIN
security = ads
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
winbind separator = +
allow trusted domains = Yes
log file = /var/log/samba/%m.log
load printers = no
Test the configuration:
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
Both warnings are harmless here, but the first one can simply be followed: with security = ads Samba finds the domain controller through DNS, so the password server line can be removed.
8. Set up Winbind to be responsible for user and group lookups:
In the file /etc/nsswitch.conf add winbind to the already existing lines:
passwd: compat winbind
shadow: compat
group: compat winbind
The “files” entry already present on those lines must be removed (compat reads the same local files). And do not worry, authentication using passwd+shadow will still work.
9. Joining the domain
# service smb start
# service winbind start
# service nmb start
Once it all works as it should, make the services start automatically when the server restarts:
# chkconfig smb on
# chkconfig winbind on
# chkconfig nmb on
Check by listing the users in the AD domain (the -g switch lists the groups instead):
# wbinfo -u|grep squid
DOMAIN+squid1            <-- this DOMAIN is the workgroup from smb.conf!!!!
DOMAIN+squid
And now to join our machine to the domain:
# net ads join -S name.of.AD.server -U squid1%my.password
Using short domain name -- DOMAIN
Joined 'CENTOS6U4' to dns domain 'MY.DOMAIN'
No DNS domain configured for centos6u4. Unable to perform DNS Update.
DNS update failed!
Note!! name.of.AD.server MUST be given as a name, NOT the IP address. Squid1 is my test account. Giving the password on the command line as squid1%my.password leaves it in the shell history and the process list; -U squid1 alone makes net prompt for it instead.
Also note that DOMAIN and MY.DOMAIN are not the same!!! DOMAIN is the workgroup (see smb.conf) and MY.DOMAIN is the AD domain (the Kerberos realm).
Note: if you are running in a virtual machine on Windows, the Windows firewall may be blocking the connection to the AD server. 😉
