Friday, 10 August 2012

Windows AD authentication for Linux Clients

RedHat Enterprise Linux 6
Windows Enterprise Server 2003 R2

Goal: log in to a Linux client using Windows Active Directory authentication, via Kerberos and Samba (winbind).


Domain Name : MANSOOR.COM
AD Server IP Address :
AD Server Hostname : AKT-VPC
Linux Client IP Address :
Linux Client Hostname : AKT-VPC4

Step # 1 Install the required RPMs
# yum install krb5-libs pam_krb5 krb5-workstation samba-common samba-client samba-winbind

Step # 2 Add the domain controller entry to the hosts file
   # vi /etc/hosts       akt-vpc       akt-vpc4

Step 3 # Specify the AD DNS server IP address in the resolv.conf file
     # vi /etc/resolv.conf

Step 4 # Configure Kerberos for AD Integration:

     Modify /etc/krb5.conf so that the Linux client authenticates against the domain controller.
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = MANSOOR.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

  kdc =
  admin_server =
  default_domain =

[domain_realm]
 .mansoor.com = MANSOOR.COM
 mansoor.com = MANSOOR.COM

  profile = /var/kerberos/krb5kdc/kdc.conf

  pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false

Step 5 # Configure PAM for AD Integration:
PAM needs to be configured to use Active Directory authentication. Edit the system-auth file as shown below.

# vi /etc/pam.d/system-auth
   auth        required
   auth        sufficient nullok try_first_pass
   auth        requisite uid >= 500 quiet
   auth        sufficient use_first_pass
   auth        sufficient use_first_pass
   auth        required

   account     required broken_shadow
   account     sufficient
   account     sufficient uid < 500 quiet
   account     [default=bad success=ok user_unknown=ignore]
   account     [default=bad success=ok user_unknown=ignore]
   account     required

   password    requisite try_first_pass retry=3
   password    sufficient nullok try_first_pass use_authtok
   password    sufficient use_authtok
   password    sufficient use_authtok
   password    required

   session     optional revoke
   session     required
   session     optional skel=/etc/skel/ umask=0022
   session     [success=1 default=ignore] service in crond quiet
   session     required
   session     optional
Step 7 # Change the user information and authentication type to winbind using the “authconfig-tui” command

Do as shown below
Select Next
Select Join Domain
Select YES

Select OK (don’t give any password)
Enter the Administrator password: (provide the Windows AD administrator password here)
Select OK
Joined domain MANSOOR.
Starting Winbind services:                                 [  OK  ]

Step 8 # Restart the winbind service
# service winbind restart
         # chkconfig --level 35 winbind on

Step 9 # To test winbind enumeration, use the commands below.

         # wbinfo -u List all domain users
         #  wbinfo -g List all domain groups
        # getent passwd List the passwd entries to verify that domain users are being picked up
        #  getent group As above, but for domain groups
        # wbinfo -a user%pass Authenticate a (domain) username and password combination (note: the password is passed on the command line, so it is recorded in shell history and visible in the process list; use a test account and clear the history afterwards)

      Step 10 # Samba configuration

# vi /etc/samba/smb.conf

        workgroup = MANSOOR
        realm = MANSOOR.COM
        server string = Samba Server Version %v
        security = ADS
        password server =
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = #
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
     winbind offline logon = false
# service smb restart
# chkconfig smb on

     Step 10 # SSH configuration

# vim /etc/pam.d/sshd (enable Winbind authentication for SSH):
   auth      required
   auth      include     password-auth
   auth      required
   auth      sufficient service=system-auth
   auth      sufficient

   account    sufficient service=system-auth
   account    sufficient
   account    required
   account    include     password-auth

   password  required service=system-auth
   password   include     password-auth

   session    sufficient service=system-auth
   session   required
   session   optional
   session   required
   session   include      password-auth
# service sshd restart
# chkconfig sshd on

    Step 11 # VSFTPD configuration
   # vim /etc/pam.d/vsftpd
   # Add the lines below
    auth       sufficient
    account    sufficient

   #chkconfig vsftpd on
   #service vsftpd restart
