Join a CentOS 7 system to a Windows Domain


Why?
That's a good question. It is because we can then authenticate users centrally against the Windows Active Directory accounts they already have, instead of provisioning a local CentOS account every time someone new needs server access. Think of a company with thousands of users who need access to servers for system administration: creating each account locally on each host would be a pain in the neck, and the problem only gets worse as the server count grows over time. Having your Linux systems authenticate against Windows Active Directory is therefore one of the obvious solutions.

Getting Started

This tutorial is based on the following configuration:

  • domain name : osradar.com
  • workgroup : OSRADAR
  • kerberos realm : OSRADAR.COM
  • Windows AD IP address: 172.17.0.51
  • Windows AD DNS name: windows-ad.osradar.com
  • a valid user called "winaduser01" already exists in Windows AD.

01. Install packages

# yum install krb5-workstation pam_krb5 samba samba-client samba-winbind samba-winbind-clients authconfig

samba-winbind-clients supplies wbinfo, which is used below to check the join. pam_krb5 is not used by the winbind-based PAM setup that authconfig produces in step 08, but it does no harm.

02. Ensure that the clocks on both systems are in sync. Kerberos rejects requests whose timestamp differs from the KDC's by more than the clock-skew limit (5 minutes by default), so point chronyd or ntpd at the domain controller, or at the same time source the DC uses.

03. Point the Linux client's DNS resolver (/etc/resolv.conf) at the Windows AD server. This is essential: Kerberos and the join locate the KDC and the LDAP service through the SRV records (_kerberos._tcp, _ldap._tcp) that AD publishes in DNS. Optionally, add an /etc/hosts entry for the DC as a fallback:

# vim /etc/hosts

172.17.0.51 windows-ad.osradar.com

04. Configure Kerberos to use the AD Kerberos realm. With dns_lookup_kdc = true the client finds the KDC through the SRV records in DNS, so the kdc and admin_server entries under [realms] are a fallback for when that lookup fails; a hostname such as windows-ad.osradar.com works there just as well as the IP address.

# vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true

ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = OSRADAR.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
OSRADAR.COM = {
kdc = 172.17.0.51
admin_server = 172.17.0.51
}


05. Verify Kerberos operation (assuming winaduser01 exists in the Windows AD). Obtaining a ticket proves in one go that DNS, the clock and the realm settings are right: "Cannot find KDC for realm" points at DNS or the [realms] entry, and "Clock skew too great" at step 02.

Get a ticket-granting ticket for the user:

# kinit winaduser01
Password for winaduser01@OSRADAR.COM:

List the tickets now held in the credential cache:

# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: winaduser01@OSRADAR.COM
Valid starting Expires Service principal
04/27/2019 00:42:19 04/27/2019 10:42:19 krbtgt/OSRADAR.COM@OSRADAR.COM
renew until 05/04/2019 00:42:10

(With the default_ccache_name = KEYRING:persistent:%{uid} setting from step 04, the first line reads KEYRING:persistent:0:... instead; the FILE: cache shown above is what you get without that setting.)

Optionally, destroy the ticket again once the test has passed:

# kdestroy

06. Configure Samba to connect to the AD server. Two things in this section are easy to get wrong: the label in the per-domain idmap config lines must be the workgroup (short domain) name, and every range must be low-high with low < high and must not overlap the catch-all * range. Otherwise users silently get ids from the wrong mapping, or none at all.

# vi /etc/samba/smb.conf

[global]
workgroup = OSRADAR
realm = OSRADAR.COM
security = ads
# catch-all range, used for the BUILTIN domain and for SIDs from other domains
idmap config * : range = 16777216-33554431
winbind separator = +
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
# lets cached credentials log users in while the DC is unreachable;
# drop it if you do not want credential material cached on the client
winbind offline logon = true

server string = Samba Server Version %v
netbios name = MYLINUXPC1
# ens9 is the example host's interface name; adjust to yours
interfaces = lo ens9 172.17.0.0/24
hosts allow = 127. 172.17.0.
passdb backend = tdbsam
# enumeration is expensive on large domains; only needed if tools must list every user/group
winbind enum users = yes
winbind enum groups = yes
# the next three are Samba defaults, listed for clarity
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
# rid backend: uid = range low + the account's RID, so the same user gets
# the same uid on every client; label = workgroup, range below the * range
idmap config OSRADAR : backend = rid
idmap config OSRADAR : range = 100000-9999999

07. Check the configuration for errors. testparm reports syntax problems and unknown parameters, and with -s it dumps the effective [global] section so you can see what Samba will actually use:

# testparm
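testparm validates syntax only: it accepts a per-domain idmap label that does not match workgroup, a range written high-low, and a domain range that overlaps the * range, and each of those breaks uid mapping after the join. The script below is an added example (not part of the tutorial or of Samba) that lints exactly those three points in an smb.conf. The two embedded configurations are constructed samples: the first carries a stale MYCOMPANY label (with an inverted range behind it), the second is a clean [global] for the OSRADAR domain with the values used on this page. The domain-range checks are ordered, so only the first problem in the domain block is reported until it is fixed.

```shell
#!/bin/bash
# smbconf_idmap_check.sh
# Added example, not part of the tutorial: lint the idmap settings in smb.conf.
#   1. "idmap config DOMAIN : backend/range" must use the workgroup name;
#   2. every range must be LOW-HIGH with LOW < HIGH;
#   3. the domain range must not overlap the "*" (catch-all) range.
# Usage: bash smbconf_idmap_check.sh /etc/samba/smb.conf
#        bash smbconf_idmap_check.sh            (runs the constructed samples)

# get_param FILE NAME: value of parameter NAME (case-insensitive; blanks around
# the ':' of "idmap config X : range" are ignored). Comments are skipped and
# the last occurrence wins, as in Samba.
get_param() {
    awk -v want="$2" '
        /^[[:space:]]*[#;]/ || !/=/ { next }
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/[ \t]*:[ \t]*/, ":", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) found = val
        }
        END { print found }' "$1"
}

# range_ok LOW-HIGH: succeed only for two numbers with LOW < HIGH.
range_ok() {
    local low=${1%-*} high=${1#*-}
    case "$low$high" in "" | *[!0-9]*) return 1 ;; esac
    [ -n "$low" ] && [ -n "$high" ] && [ "$low" -lt "$high" ]
}

# ranges_overlap A B: succeed if the two LOW-HIGH ranges share any id.
ranges_overlap() {
    local alo=${1%-*} ahi=${1#*-} blo=${2%-*} bhi=${2#*-}
    [ "$alo" -le "$bhi" ] && [ "$blo" -le "$ahi" ]
}

# check_idmap FILE: print one line per finding; return value = number of findings.
check_idmap() {
    local conf=$1 n=0 wg star dom_backend dom_range
    wg=$(get_param "$conf" workgroup)
    star=$(get_param "$conf" "idmap config *:range")
    dom_backend=$(get_param "$conf" "idmap config $wg:backend")
    dom_range=$(get_param "$conf" "idmap config $wg:range")

    if [ -z "$wg" ]; then
        echo "workgroup is not set"; n=$((n + 1))
    fi
    if ! range_ok "$star"; then
        echo "idmap config * : range is missing or inverted ('$star')"; n=$((n + 1))
    fi
    if [ -z "$dom_backend" ] || [ -z "$dom_range" ]; then
        # typical cause: a stale label such as MYCOMPANY instead of the workgroup
        echo "no 'idmap config $wg : backend/range' (the label must equal workgroup)"; n=$((n + 1))
    elif ! range_ok "$dom_range"; then
        echo "idmap config $wg : range is inverted or malformed ('$dom_range')"; n=$((n + 1))
    elif range_ok "$star" && ranges_overlap "$star" "$dom_range"; then
        echo "idmap config $wg : range $dom_range overlaps the * range $star"; n=$((n + 1))
    fi
    return $n
}

# check_idmap_text TEXT: the same check for a configuration held in a string.
check_idmap_text() {
    local tmp rc
    tmp=$(mktemp) || return 99
    printf '%s\n' "$1" > "$tmp"
    check_idmap "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed samples (not taken from a real host).
BAD_CONF='[global]
workgroup = OSRADAR
realm = OSRADAR.COM
security = ads
idmap config * : range = 16777216-33554431
idmap config MYCOMPANY:backend = rid
idmap config MYCOMPANY:range = 10000000-1999999'

GOOD_CONF='[global]
workgroup = OSRADAR
realm = OSRADAR.COM
security = ads
idmap config * : range = 16777216-33554431
idmap config OSRADAR : backend = rid
idmap config OSRADAR : range = 100000-9999999'

case "${0##*/}" in
smbconf_idmap_check.sh)
    if [ -n "${1:-}" ]; then
        check_idmap "$1" && echo "ok: $1"
    else
        echo "== constructed bad sample";  check_idmap_text "$BAD_CONF"
        echo "== constructed good sample"; check_idmap_text "$GOOD_CONF" && echo "ok"
    fi
    ;;
esac
```

Run it against /etc/samba/smb.conf before the join; a non-zero exit status is the number of findings. The domain checks stop at the first failure because the later ones only make sense once the label is right.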


08. Configure NSS and PAM to use winbind for system authentication. --enablemkhomedir is included so that the directory named by template homedir is created at first login (nothing else creates it); --enablewins (WINS hostname lookups via winbind) is not needed when DNS already points at the DC. authconfig rewrites /etc/nsswitch.conf, /etc/pam.d/system-auth and the winbind-related keys in smb.conf, so run testparm again afterwards and confirm that workgroup, realm and security are still what you set.

# authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update

09. Service restarts

Restart winbind so it reads the new smb.conf, and enable it so it comes back after a reboot. NSS and PAM talk to winbind, not to smbd, so the smb service only matters if this host will also serve shares. Note that winbind cannot authenticate anyone until the join in step 10 has stored the machine account password, so it has to be restarted once more after that step.

# systemctl restart smb
# systemctl restart winbind

10. Let's add our Linux client machine to the Windows AD domain

The account used must be allowed to create the computer object: by default any domain user may join up to ten machines (the ms-DS-MachineAccountQuota attribute); beyond that a domain admin or a delegated account is needed. The kinit is optional here, since net ads join -U prompts for the password itself; net ads join -k would use the ticket from kinit instead.

# kinit winaduser01
# net ads join -U winaduser01
Enter winaduser01's password:
Joined 'MYLINUXPC1' to dns domain 'OSRADAR.COM'

Then restart winbind once more so it picks up the machine account password that the join stored in secrets.tdb.

Congratulations. If you see the above message, the computer account exists in AD and the machine password is stored locally. That is not yet proof that logins work: confirm with net ads testjoin (expect "Join is OK") and wbinfo -t (verifies the trust secret against the DC), then check that getent passwd winaduser01 and id winaduser01 resolve the user through winbind. After that, any user with a valid Active Directory account can authenticate to this Linux system. Note that this means every domain user, so restrict logins (for example with pam_winbind's require_membership_of option) if only some of them should have shell access.
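The checks just listed, gathered into one script, as an added example that is not part of the tutorial or of Samba. Besides the join and winbind checks it verifies that the user's uid falls inside the domain's idmap range read from testparm -s: with the rid backend the uid is range low plus the account's RID, so a uid in the * range (16777216 and above) means Samba fell back to the catch-all mapping, usually because the idmap config label does not match the workgroup. The user name winaduser01 and the 100000-9999999 range are from this page; the getent line, the RID 1105 and the Domain Users gid are constructed for illustration.

```shell
#!/bin/bash
# verify_join.sh
# Added example, not part of the tutorial: end-to-end checks after "net ads join".
# Usage: bash verify_join.sh winaduser01        (run as root after the join)
#        bash verify_join.sh                    (shows the constructed sample only)

# passwd_uid PASSWD_LINE: the uid field of a "getent passwd" line.
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# rid_to_uid RID LOW-HIGH: the uid idmap_rid assigns to RID in this range.
rid_to_uid() {
    echo $(( ${2%-*} + $1 ))
}

# uid_in_range UID LOW-HIGH: succeed if UID lies inside the range.
uid_in_range() {
    local lo=${2%-*} hi=${2#*-}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# global_param NAME: value of a [global] setting from the running configuration
# (testparm -s prints the effective "name = value" lines; NAME may contain
# BRE syntax, which lets "idmap config X *: *range" tolerate spacing).
global_param() {
    testparm -s 2>/dev/null | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -1
}

main() {
    local user=$1 rc=0 wg range line uid

    echo "## machine account and winbindd"
    net ads testjoin || rc=1      # prints "Join is OK" when the stored machine secret works
    wbinfo -p        || rc=1      # is winbindd running and answering?
    wbinfo -t        || rc=1      # verify the trust secret against the DC

    echo "## NSS lookup of $user through winbind"
    if ! line=$(getent passwd "$user"); then
        echo "getent passwd found no '$user': check nsswitch.conf and winbind"
        return 1
    fi
    echo "$line"
    id "$user" || rc=1

    wg=$(global_param workgroup)
    range=$(global_param "idmap config $wg *: *range")
    uid=$(passwd_uid "$line")
    if uid_in_range "$uid" "$range"; then
        echo "uid $uid is inside the $wg idmap range $range"
    else
        echo "uid $uid is NOT inside the $wg range '$range': check the idmap config label"
        rc=1
    fi
    return $rc
}

# Constructed sample of what getent prints for an account with RID 1105 in the
# 100000-9999999 range, primary group Domain Users (RID 513). Not real output.
SAMPLE_PASSWD='winaduser01:*:101105:100513::/home/winaduser01:/bin/bash'

case "${0##*/}" in
verify_join.sh)
    if [ -n "${1:-}" ]; then
        main "$1"
    else
        echo "sample: uid $(passwd_uid "$SAMPLE_PASSWD") = $(rid_to_uid 1105 100000-9999999) (RID 1105 + range low 100000)"
    fi
    ;;
esac
```

A non-zero exit status means one of the checks failed; the output says which. Run it again after any change to the idmap lines, since a changed range changes every mapped uid and files already owned by the old uids will no longer match.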

Optionally, to leave the domain again (this disables the computer account in AD and removes the machine password from the local secrets.tdb; the account given needs rights over that computer object):

# net ads leave -U winaduser01

“I hope this has been informative for you..”
