How to configure Linux to authenticate through Active Directory

AllCloud Blog:
Cloud Insights and Innovation

Note: These steps were tested on Amazon Linux AMI

The following steps configure Linux to use Active Directory as its authentication server:

  • Configure your hostname
vi /etc/sysconfig/network
vi /etc/hosts
  • Check that you can resolve your domain's SRV records
host -t srv has SRV record 0 100 88 has SRV record 0 100 88
  • Check that your host name resolves
hostname -f
  • Install winbind and other dependencies
wget -O /etc/yum.repos.d/sernet-samba.repo
yum install pam_krb5 sudo authconfig samba3 samba3-winbind -y
  • Run the authconfig command to configure Linux to authenticate using winbind
authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=EMIND --smbrealm=EMIND.CLOUD --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/emind/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=EMIND.CLOUD --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
  • Change Samba to use the rid backend for UID and GID mapping so that the IDs are the same on every workstation
vi /etc/samba/smb.conf
#--authconfig--start-line--
# Generated by authconfig on 2013/10/08 07:10:11
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = emind
realm =
security = ads
# idmap config * : range = 16777216-33554431
# idmap domains = emind
idmap config * : backend = tdb
idmap config * : range = 500-1000000
idmap config emind:backend = rid
idmap config emind:base_rid = 500
idmap config emind:range = 500-1000000
template homedir = /home/emind/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--
; workgroup = TUX-NET
interfaces = eth0
bind interfaces only = true
printing = cups
printcap name = cups
load printers = yes
  • Add the workstation to AD
net ads join -U administrator
  • Configure PAM authentication. In this example I allow access only to users who are members of the linuxusers group

vi /etc/pam.d/password-auth

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient nullok try_first_pass
auth requisite user ingroup linuxusers debug
auth requisite uid >= 500 quiet
auth sufficient use_first_pass
auth sufficient use_first_pass
auth required

account required
account required broken_shadow
account sufficient
account sufficient uid < 500 quiet
account [default=bad success=ok user_unknown=ignore]
account [default=bad success=ok user_unknown=ignore]
account required

password requisite try_first_pass retry=3 type=
password sufficient sha512 shadow nullok try_first_pass use_authtok
password sufficient use_authtok
password sufficient use_authtok
password required

session optional revoke
session required
session optional umask=0077
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional

  • Restart winbind
service winbind restart
  • Change SSH authentication to allow passwords

vi /etc/ssh/sshd_config

PasswordAuthentication yes

service sshd restart

  • Useful commands to check that winbind is working
wbinfo -g
wbinfo -n user_name
getent passwd username
wbinfo -D
getent group linuxusers
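As an added example that is not part of the original post, the following Python pre-flight check replays the rid idmap arithmetic from the smb.conf section and the two requisite group and uid gates from password-auth, so a rejected login can be attributed to the idmap range or to group membership before digging through PAM. The idmap_rid formula (uid = RID - base_rid + range_low), the SIDs and the getent line are assumptions and constructed sample data standing in for real `wbinfo -n` and `getent group linuxusers` output.

```python
import re
from typing import Optional, Set, Tuple

# idmap settings from the smb.conf section above (domain "emind", backend rid)
IDMAP_LOW, IDMAP_HIGH, BASE_RID = 500, 1000000, 500
PAM_MIN_UID = 500              # password-auth gate: "uid >= 500 quiet"
REQUIRED_GROUP = "linuxusers"  # password-auth gate: "user ingroup linuxusers"

# Domain SIDs look like S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Constructed sample data standing in for `wbinfo -n <user>` and
# `getent group linuxusers` output on a joined box.
SAMPLE_SIDS = {
    "alice": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "carol": "S-1-5-21-1111111111-2222222222-3333333333-1106",
}
SAMPLE_GROUP_LINE = "linuxusers:x:1537:alice,bob"


def rid_to_uid(sid: str) -> Optional[int]:
    """Map a domain SID to a UID the way the idmap_rid backend does
    (assumed formula: uid = RID - base_rid + range_low). Returns None
    for a non-domain SID or a result outside the configured range,
    the cases where winbind cannot hand out a uid at all."""
    m = SID_RE.match(sid)
    if not m:
        return None
    uid = int(m.group(1)) - BASE_RID + IDMAP_LOW
    return uid if IDMAP_LOW <= uid <= IDMAP_HIGH else None

def group_members(getent_line: str) -> Set[str]:
    """Parse one `getent group` line of the form name:x:gid:m1,m2."""
    fields = getent_line.strip().split(":")
    if len(fields) != 4 or fields[0] != REQUIRED_GROUP:
        raise ValueError(f"unexpected getent group line: {getent_line!r}")
    return {m for m in fields[3].split(",") if m}

def would_pam_admit(user: str, sid: str, getent_line: str) -> Tuple[bool, str]:
    """Replay the two requisite pam_succeed_if gates from password-auth
    in their order: group membership first, then the minimum uid."""
    if user not in group_members(getent_line):
        return False, f"{user}: not in {REQUIRED_GROUP}, auth denied by PAM"
    uid = rid_to_uid(sid)
    if uid is None:
        return False, f"{user}: RID outside idmap range, no uid assigned"
    if uid < PAM_MIN_UID:
        return False, f"{user}: uid {uid} below {PAM_MIN_UID}, auth denied"
    return True, f"{user}: admitted with uid {uid}"
```

Feed it the real `wbinfo -n` SID and `getent group linuxusers` line from the joined host to check a specific account before it tries to log in.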

Lahav Savir

Founder and CTO, Cloud Platforms
