How to configure Linux to authenticate through Active Directory


AllCloud Blog:
Cloud Insights and Innovation

Note: These steps were tested on Amazon Linux AMI

The following steps are for configuring Linux to use active directory as authentication server:

  • Configure your hostname
hostname test.emind.cloud
vi /etc/sysconfig/network

HOSTNAME=test.emind.cloud
vi /etc/hosts

192.168.14.101 test.emind.cloud
  • Check that you can resolve your domain srv record
host -t srv _kerberos._tcp.emind.cloud
_kerberos._tcp.emind.cloud has SRV record 0 100 88 ad-1.emind.cloud.
_kerberos._tcp.emind.cloud has SRV record 0 100 88 ad-2.emind.cloud.
  • Check you can resolve your host address
hostname -f
test.emind.cloud
  • Install winbind and other dependencies
wget https://ftp.sernet.de/pub/samba/3.6/centos/6/sernet-samba.repo -O /etc/yum.repos.d/sernet-samba.repo
yum install pam_krb5 sudo authconfig samba3 samba3-winbind -y
  • Run authconfig command to configure linux to authenticate using winbind
authconfig –disablecache –enablewinbind –enablewinbindauth –smbsecurity=ads –smbworkgroup=EMIND –smbrealm=EMIND.CLOUD –enablewinbindusedefaultdomain –winbindtemplatehomedir=/home/emind/%U –winbindtemplateshell=/bin/bash –enablekrb5 –krb5realm=EMIND.CLOUD –enablekrb5kdcdns –enablekrb5realmdns –enablelocauthorize –enablemkhomedir –enablepamaccess –updateall
  • Change samba to use rid for uid and gid mapping in order to make it the same across stations
vi /etc/samba/smb.conf
[global]
#–authconfig–start-line–# Generated by authconfig on 2013/10/08 07:10:11
# DO NOT EDIT THIS SECTION (delimited by –start-line–/–end-line–)
# Any modification may be deleted or altered by authconfig in futureworkgroup = emind
realm = emind.cloud
security = ads
# idmap config * : range = 16777216-33554431
# idmap domains = emind
idmap config * : backend = tdb
idmap config * : range = 500-1000000
idmap config emind:backend = rid
idmap config emind:base_rid = 500
idmap config emind:range = 500-1000000
template homedir = /home/emind/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false#–authconfig–end-line–
; workgroup = TUX-NET
interfaces = 127.0.0.1 eth0
bind interfaces only = true
printing = cups
printcap name = cups
load printers = yes
  • Add the workstation to AD
net ads join -U administrator
  • Configure PAM authentication. In this example I enable access to users that are in linuxusers group

vi /etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so user ingroup linuxusers debug
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

  • Restart winbind
service winbind restart
  • Change ssh authentication to allow password

vi /etc/ssh/sshd_config


PasswordAuthentication yes

service sshd restart

  • Useful commands to check that winbind is working
wbinfo -g
wbinfo -n user_name
getent passwd username
wbinfo -D emind.cloud
getent group linuxusers
kinit username@emind.cloud

Lahav Savir

Founder and CTO, Cloud Platforms

Read more posts by Lahav Savir

Copyright 2021 | AllCloud | All Rights Reserved