Getting Started

This tutorial is based on the following configuration:

• domain name : osradar.com
• workgroup : OSRADAR
• kerberos realm : OSRADAR.COM
• Winsdows AD IP address: 172.17.0.51
• Windows AS DNS name: windows-ad.osradar.com
• a valid user called “winaduser01” already existed at Windows AD.

01. Install packages

# yum install krb5-workstation pam_krb5 samba samba-client samba-winbind authconfig

02. Ensure that the clocks on both systems are in sync. Time synchronization is essential for Kerberos to work.

03. To have working DNS resolution, point all Linux client systems to Windows AD – Essential for Kerberos to work. Optionally, you can also work with /etc/hosts if required.

# vim /etc/hosts

172.17.0.51 windows-ad.osradar.com

04. Configure Kerberos to use AD Kerberos realm.

# vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true

ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = OSRADAR.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
OSRADAR.COM = {
kdc = 172.17.0.51
admin_server = 172.17.0.51
}

05. Verify Kerberos operation – (Assume following winaduser01 exist on the Windows AD)

# kinit winaduser01
Password for winaduser01@OSRADAR.COM:

(This of course is to get a Kerberos Ticket for our Linux client system)

# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: winaduser01@OSRADAR.COM
Valid starting Expires Service principal
04/27/2019 00:42:19 04/27/2019 10:42:19 krbtgt/OSRADAR.COM@OSRADAR.COM
renew until 05/04/2019 00:42:10

(To list whether do we have valid Kerberos Tickets now..)

# kdestroy

(Optionally, if you want to remove the existing Kerberos Ticket)

06. Configure Samba to connect to AD server.

# vi /etc/samba/smb.conf

[global]
workgroup = OSRADAR
realm = OSRADAR.COM
security = ads
idmap config * : range = 16777216-33554431
winbind separator = +
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = true

server string = Samba Server Version %v
netbios name = MYLINUXPC1
interfaces = lo ens9 172.17.0.0/24
hosts allow = 127. 172.17.0.
passdb backend = tdbsam
winbind enum users = yes
winbind enum groups = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
idmap config MYCOMPANY:backend = rid
idmap config MYCOMPANY:range = 10000000-1999999

07. Check for configuration errors if present.

# testparm

08. Configure NSS and PAM to use winbind for system authentication

# authconfig --enablewinbind --enablewins --enablewinbindauth --update

09. Service Restarts

# systemctl restart smb
# systemctl restart winbind

10. Lets add our linux client machine to the Winsows AD Domain

# kinit winaduser01

# net ads join -U winaduser01
Enter winaduser's password:
Joined 'MYLINUXPC1' to dns domain 'OSRADAR.COM'

Congratulations. If you see the above message, it confirms that your Linux system is correctly joined with WIndows. Now, you can perform any user authentication against any user who has a valid account on windows Active Directory.

Optionally, if you want to leave the joined domains

# net ads leave -U winaduser01

“I hope this has been informative for you..”

The post Join CentOS7 system into Windows Domain appeared first on Linux Windows and android Tutorials.