Why?
That’s a good question. Why? Because it lets us authenticate users centrally who already have Windows Active Directory accounts. This really comes in handy, since we then don’t need to provision a local CentOS user account every time a new user needs server access. Think about a company with thousands of users who need server access for system administration: setting up each account locally would be a pain in the neck, and the problem only gets worse as the server count grows over time. Having your Linux systems authenticate against Windows Active Directory is therefore one of the obvious solutions.
Getting Started
This tutorial is based on the following configuration:
- domain name : osradar.com
- workgroup : OSRADAR
- kerberos realm : OSRADAR.COM
- Windows AD IP address: 172.17.0.51
- Windows AD DNS name: windows-ad.osradar.com
- a valid user called “winaduser01” already exists in Windows AD.
01. Install packages
# yum install krb5-workstation pam_krb5 samba samba-client samba-winbind authconfig
02. Ensure that the clocks on both systems are in sync. Time synchronization is essential for Kerberos to work.
03. To have working DNS resolution, point all Linux client systems to Windows AD – Essential for Kerberos to work. Optionally, you can also work with /etc/hosts if required.
# vim /etc/hosts
172.17.0.51 windows-ad.osradar.com
04. Configure Kerberos to use AD Kerberos realm.
# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = OSRADAR.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 OSRADAR.COM = {
  kdc = 172.17.0.51
  admin_server = 172.17.0.51
 }
05. Verify Kerberos operation (assuming the user winaduser01 exists on the Windows AD).
# kinit winaduser01
Password for winaduser01@OSRADAR.COM:
(This of course is to get a Kerberos Ticket for our Linux client system)
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: winaduser01@OSRADAR.COM

Valid starting       Expires              Service principal
04/27/2019 00:42:19  04/27/2019 10:42:19  krbtgt/OSRADAR.COM@OSRADAR.COM
	renew until 05/04/2019 00:42:10
(To list whether we now have a valid Kerberos ticket.)
# kdestroy
(Optionally, if you want to remove the existing Kerberos ticket.)
06. Configure Samba to connect to AD server.
# vi /etc/samba/smb.conf
[global]
workgroup = OSRADAR
realm = OSRADAR.COM
security = ads
idmap config * : range = 16777216-33554431
winbind separator = +
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = true
server string = Samba Server Version %v
netbios name = MYLINUXPC1
interfaces = lo ens9 172.17.0.0/24
hosts allow = 127. 172.17.0.
passdb backend = tdbsam
winbind enum users = yes
winbind enum groups = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
# The idmap domain name must be the workgroup (OSRADAR), and its range must not
# overlap the "idmap config *" default range above.
idmap config OSRADAR:backend = rid
idmap config OSRADAR:range = 10000000-16777215
07. Check for configuration errors if present.
# testparm
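testparm validates syntax, but some idmap mistakes still slip through and only show up later as users that winbind cannot map to UIDs. The following checker is an added example for this tutorial (not part of the original post or of Samba): it parses the [global] section and flags an idmap domain name that does not match the workgroup, an inverted range, and ranges that overlap. The smb.conf fragment is constructed for the example and deliberately contains the first two mistakes.

```python
import re

# Normalised key form: "idmap config <domain> : <option>" (lowercased, spaces squeezed).
IDMAP_KEY = re.compile(r"^idmap config (.+?) ?: ?([a-z]+)$")

# Constructed sample with two common mistakes: idmap domain != workgroup, inverted range.
SAMPLE_SMB_CONF = """\
[global]
workgroup = OSRADAR
realm = OSRADAR.COM
security = ads
idmap config * : range = 16777216-33554431
idmap config MYCOMPANY:backend = rid
idmap config MYCOMPANY:range = 10000000-1999999
"""

def parse_global(text):
    """Return [global] settings as {key: value}; keys lowercased with spaces squeezed."""
    settings, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[re.sub(r"\s+", " ", key.strip()).lower()] = value.strip()
    return settings

def lint_idmap(settings):
    """Return problem strings; an empty list means the idmap settings are consistent."""
    problems, workgroup, domains = [], settings.get("workgroup", "").upper(), {}
    for key, value in settings.items():
        m = IDMAP_KEY.match(key)
        if m:  # group options per domain: {"MYCOMPANY": {"backend": "rid", "range": ...}}
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    seen = []  # (domain, lo, hi) of ranges already accepted, for overlap checks
    for name, opts in domains.items():
        if name not in ("*", workgroup):
            problems.append(f"idmap domain '{name}' is neither '*' nor workgroup "
                            f"'{workgroup}', so winbind never applies it")
        lo, hi = (int(x) for x in opts.get("range", "0-0").split("-"))
        if lo >= hi:
            problems.append(f"idmap range for '{name}' is missing or inverted: {lo}-{hi}")
            continue
        for other, olo, ohi in seen:
            if lo <= ohi and olo <= hi:
                problems.append(f"idmap ranges for '{name}' and '{other}' overlap")
        seen.append((name, lo, hi))
    return problems
```

Run it against your own file with `lint_idmap(parse_global(open("/etc/samba/smb.conf").read()))` before `net ads join`; an empty list means the three checks passed.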
09. Configure NSS and PAM to use winbind for system authentication.
# authconfig --enablewinbind --enablewins --enablewinbindauth --update
10. Restart services.
# systemctl restart smb
# systemctl restart winbind
11. Let’s add our Linux client machine to the Windows AD domain.
# kinit winaduser01
# net ads join -U winaduser01
Enter winaduser's password:
Joined 'MYLINUXPC1' to dns domain 'OSRADAR.COM'
Congratulations. If you see the above message, it confirms that your Linux system has correctly joined the Windows domain. Now you can authenticate any user who has a valid account in Windows Active Directory.
Optionally, if you want to leave the joined domain:
# net ads leave -U winaduser01
“I hope this has been informative for you..”