Shashikant shah

Tuesday, 2 October 2012

Windows AD authentication for Linux Clients


Release:
RedHat Enterprise Linux 5
Windows Enterprise Server 2003 R2

Assumption:
Domain Name : EXAMPLE.COM
AD Server IP Address : 192.168.1.60
AD Server Hostname : SHASHI
Linux Client IP Address : 192.168.1.26
Linux Clinet Hostname : CLIENT

1).Install the required RPMs

# yum install krb5-libs pam_krb5 krb5-workstation samba-common samba-client

2) Add the domain server entry in the host file

# vi /etc/hosts
192.168.1.60 shashi.example.com shashi
192.168.1.26 client.example.com client

3) Mention the name server ipaddress in the resolv.conf file

# vi /etc/resolv.conf
nameserver 192.168.1.60

Configure Kerberos for AD Integration:

4) Modify the /etc/krb5.conf file, to enable the Domain controller authentication in Linux.



# vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SHASHI.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
EXAMPLE.COM = {
kdc = shashi.example.com
admin_server = shashi.example.com:749
default_domain = example.com
}

[domain_realm]
.testdom.com = EXAMPLE.COM
testdom.com = EXAMPLE.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
5) PAM needs to be configured to use Active Directory authentication. Edit the system-auth file like below

# vi /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
          account     sufficient    pam_succeed_if.so uid < 500 quiet
          account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
          account     required      pam_permit.so

          password    requisite     pam_cracklib.so try_first_pass retry=3
          password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
          password    sufficient    pam_winbind.so use_authtok
          password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
          session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
          session     required      pam_limits.so
          session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
          session     required      pam_unix.so

Create Users and Group from DC:

6)      Add the below entries in /etc/samba/smb.conf file, will cause the winbind service to enumerate users and groups from the domain controller.

         # vi /etc/samba/smb.conf

         workgroup = EXAMPLE
         password server = shashi.example.com
         server string = Samba Server Version %v
         realm = EXAMPLE.COM
         security = ads
         idmap uid = 16777216-33554431
         idmap gid = 16777216-33554431
         winbind separator = #

         winbind enum groups = yes
         winbind enum users = yes
         template homedir = /home/%U
         template shell = /bin/bash
         winbind use default domain = true
         winbind offline logon = false

Where,
idmap uid - the range of numeric uid's that winbind will use to enumerate domain users with on your system. You should select a range that does not conflict with uid numbers already in use on the system.

idmap gid - the range of numeric gid's that winbind will use to enumerate domain groups on your system.

winbind enum groups and winbind enum users - whether winbind should "create" the domain's groups/users on the system or not.

winbind separator - the character winbind will use to separate the domain name from the user or group name The template homedir statement is used to generate the home directory path for domain users.

realm - is used to describe a Kerberos-based security architecture

template homedir = /home/%Uhere %u substituted with the user's Windows NT user name

template shell = /bin/bashlogin shell for that user

7) Change the user information and authentication type to winbind using the “authconfig-tuicommand

# authconfig-tui





Then Select “Next” and Select “ok”.

8) Restart the winbind service and also configure winbind to start automatically.

# service winbind restart
# chkconfig --level 35 winbind on

9) Join the Domain using the below command

# net ads join -U administrator

10) To test the enumeration function of the winbind use the below commands.

# wbinfo –u
# wbinfo –g


No comments:

Post a Comment