Note: these steps were tested on the Amazon Linux AMI.
The following steps configure Linux to use Active Directory as its authentication server:
- Configure your hostname
…
HOSTNAME=test.emind.cloud
…
…
192.168.14.101 test.emind.cloud
…
- Check that you can resolve your domain's Kerberos SRV record
_kerberos._tcp.emind.cloud has SRV record 0 100 88 ad-1.emind.cloud.
_kerberos._tcp.emind.cloud has SRV record 0 100 88 ad-2.emind.cloud.
- Check you can resolve your host address
test.emind.cloud
- Install winbind and other dependencies
yum install pam_krb5 sudo authconfig samba3 samba3-winbind -y
- Run the authconfig command to configure Linux to authenticate using winbind
- Change Samba to use the rid idmap backend for uid and gid mapping so that the mapping is identical across stations
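[global]
#--authconfig--start-line--
# Generated by authconfig on 2013/10/08 07:10:11
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = emind
realm = emind.cloud
security = ads
# idmap config * : range = 16777216-33554431
# idmap domains = emind
# The default (*) backend holds BUILTIN and other non-domain SIDs. Its range
# must not overlap any domain range; the original 500-1000000 collided with the
# emind range below. The range here is an example; any block disjoint from the
# emind range and from local accounts works.
idmap config * : backend = tdb
idmap config * : range = 1000001-1100000
# rid backend: ids are computed from the account's RID and base_rid, so every
# station derives the same uid/gid without sharing a tdb.
idmap config emind:backend = rid
idmap config emind:base_rid = 500
# NOTE(review): a range starting at 500 shares the uid space of local accounts
# on this distro (the PAM rules treat uid >= 500 as non-system), so a local
# user and a domain user could end up with the same uid. Consider a higher,
# disjoint range before the first station is joined; changing it later remaps
# every domain uid.
idmap config emind:range = 500-1000000
template homedir = /home/emind/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--
; workgroup = TUX-NET
# Listen on loopback and eth0 only; bind interfaces only makes the list binding.
interfaces = 127.0.0.1 eth0
bind interfaces only = true
printing = cups
printcap name = cups
load printers = yes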
- Add the workstation to AD
- Configure PAM authentication. In this example, access is enabled for users who are members of the linuxusers group
vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# Stack for the password-auth service. Modules run top to bottom and the
# control flag decides whether a result ends the stack, so order matters.
#
# auth: local accounts are tried first via pam_unix. 'nullok' lets a local
# account with an empty password authenticate; drop it unless that is intended.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
# Anyone not authenticated locally must be a member of linuxusers; 'requisite'
# ends the stack with a failure otherwise. 'debug' writes extra detail to syslog
# on every login attempt and should be removed once the setup is verified.
auth requisite pam_succeed_if.so user ingroup linuxusers debug
# Only non-system accounts (uid >= 500 on this distro) continue to AD auth.
auth requisite pam_succeed_if.so uid >= 500 quiet
# Kerberos first, winbind as fallback; both reuse the password already entered.
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
# account: pam_access applies the rules in /etc/security/access.conf; local
# (/etc/passwd) and system accounts skip the AD account checks. 'user_unknown=ignore'
# lets accounts unknown to one backend fall through to the next.
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
# password: quality check, then local change; domain accounts change their
# password through Kerberos or winbind using the token already collected.
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
# session: pam_mkhomedir creates the home directory on first login (needed for
# the /home/emind/%U template in smb.conf) with mode 0700 via umask=0077.
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0077
# success=1 skips the next module (pam_unix session) for crond.
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
- Restart winbind
- Change the sshd configuration to allow password authentication so AD users can log in with their domain password
vi /etc/ssh/sshd_config
…
PasswordAuthentication yes
…
service sshd restart
- Useful commands to check that winbind is working
wbinfo -n user_name
getent passwd username
wbinfo -D emind.cloud
getent group linuxusers
kinit username@emind.cloud