Authenticate Linux Against Microsoft Active Directory



  1. #1
    Join Date
    Jun 2003
    Location
    People's Republic of North America (Former United States)
    Posts
    849

    Authenticate Linux Against Microsoft Active Directory

    Hi all. I have Googled this topic to death and pulled in every resource I know. My company has about 200 Linux servers (RHEL 6.7) that we want to authenticate against Microsoft Active Directory (AD). I installed OpenLDAP on a test server and it can see the AD server on TCP/389, but I can't connect to it. Is there a quick way to do this? I want to do it both secure and non-secure. Any help would be really appreciated.
    I equivocate, therefore I might be.

    My Linux/Unix Boxes:
    Home: Slackware 10, CentOS 5.3, RHEL 5, Ubuntu Workstation 9.10, Work: RHEL 5, CentOS 5

  2. #2
    Join Date
    Oct 2002
    Location
    AZ, USA
    Posts
    110

    Try using samba

    I used samba on some CentOS 5 and 6 systems.
    Code:
    Use AD to log in to Linux boxes.
    
    On "YourDomain"
         add to "YourDomain" DNS <Not Required>
    
    
    Installs:
    CentOS 5.x
    	yum -y install samba3x samba3x-winbind samba3x-common samba3x-domainjoin samba3x-client samba3x-doc
    CentOS 6.x
    	yum -y install samba samba-winbind samba-common samba-winbind-clients samba-client samba-doc
    
    Files to edit:
    /etc/samba/smb.conf  can be done with system-config-authconfig in RH derived distros.
    				Server names, realms, and workgroups should be in CAPS;
    				lower/mixed case does not work.
    		Join Domain!!!
    			as root:
    				>net ads join -U AdminUser@"YourDomain"
    			an error about DNS/reverse DNS does not appear to cause issues.
    		
    		Ensure the following lines are included:
    			These should be in the authconfig generated area
    				template homedir = /home/%U
    				template shell = /bin/bash
    
    			This one should follow the authconfig--end-line
    				obey pam restrictions = yes
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    >>>>>>   full working smb.conf on centos 5.x system <<<<<<<<<<<<<<<<<<<<<
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    [global]
    #--authconfig--start-line--
    
    # Generated by authconfig on 2011/09/15 12:13:43
    # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
    # Any modification may be deleted or altered by authconfig in future
    
       workgroup = "YourADWorkGroup"
       password server = "YourADServer.YourDomain"
       realm = "YourDomain"
       security = ads
       idmap uid = 16777216-33554431
       idmap gid = 16777216-33554431
       template homedir = /home/%U
       template shell = /bin/bash
       winbind use default domain = false
       winbind offline logon = false
    
    #--authconfig--end-line--
    
       obey pam restrictions = yes
       
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    
    
    Kerberos setup /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = "YourDomain"
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes
    
    [realms]
     "YourDomain" = {
      kdc = "YourADServer.YourDomain"
     }
    
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
    
    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    
    /etc/sudoers   use visudo to edit this file;
    				add lines like the following:
    				## allow super user ability via sudo to the AD group YourServerAdminGroup
    					%"YourDomain"\\YourServerAdminGroup    ALL=(ALL) ALL
    
    
    some Centos 6.x suggestions http://mikrocentillion.wordpress.com/2013/06/05/centos-6-authenticate-and-sudo-active-directory-users/
    Try 
    authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=AGRIC \
     --smbservers="YourADServer.YourDomain" --winbindjoin=<adminuser> --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash \
    --enablewinbindusedefaultdomain --enablelocauthorize
    
    authconfig --enablemkhomedir --update
    
    start winbind and samba:
    	service smb start		< Not Required unless a file server>
    	service nmb start		< Not Required unless a file server>
    	service winbind start
    
    ensure they start on boot:
    	chkconfig --add smb		< Not Required unless a file server>
    	chkconfig --add nmb		< Not Required unless a file server>
    	chkconfig --add winbind
    	chkconfig oddjobd on
    	chkconfig smb on
    	chkconfig nmb on
    	chkconfig winbind on
    
    	
    This should auto-generate the smb.conf file:
    authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup="YourADWorkGroup" \
    --smbrealm="YourDomain" --smbservers="YourADServer.YourDomain" --winbindjoin=<BIND User> --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash \
    --enablewinbindusedefaultdomain --enablelocauthorize
    The fields in quotes ("") need your local values to replace the camelcase text and remove the quotes.
    I don't remember where I found this all, though there is at least 1 website mentioned in there.

    Play with the above and see what happens.
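The post above lists the smb.conf and krb5.conf settings that have to be right before the join and the PAM logins work (security = ads, realm and workgroup in CAPS, the two winbind template lines, obey pam restrictions, and the same realm in both files). Below is an added example, not code from the thread or from the Samba project, that lints those settings offline on constructed sample files, so it needs neither an AD domain nor the samba packages. The domain EXAMPLE.COM, the DC name dc1.example.com, and the function names ini_get, check_smb_conf, check_realm_consistency and make_samples are all placeholders I chose; they do not come from the post.

```shell
#!/bin/sh
# Added example, not from the thread: offline lint for the smb.conf / krb5.conf
# values the post says must be set before "net ads join". Sample files below are
# constructed; EXAMPLE.COM and dc1.example.com are placeholders.

# Print the value of KEY from an ini-style FILE (first match), with trailing
# whitespace and surrounding double quotes stripped.
ini_get() {   # usage: ini_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# Succeed only if the argument is non-empty and entirely upper case
# (the post: realm and workgroup in CAPS, lower/mixed case does not work).
is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Lint one smb.conf. Prints a line per finding; exit status is the number of findings.
check_smb_conf() {   # usage: check_smb_conf SMB_CONF
    n=0
    [ "$(ini_get "$1" security)" = ads ] || { echo "security must be ads"; n=$((n + 1)); }
    is_upper "$(ini_get "$1" realm)" || { echo "realm must be upper case"; n=$((n + 1)); }
    is_upper "$(ini_get "$1" workgroup)" || { echo "workgroup must be upper case"; n=$((n + 1)); }
    [ -n "$(ini_get "$1" 'template homedir')" ] || { echo "template homedir missing"; n=$((n + 1)); }
    [ -n "$(ini_get "$1" 'template shell')" ] || { echo "template shell missing"; n=$((n + 1)); }
    [ "$(ini_get "$1" 'obey pam restrictions')" = yes ] || { echo "obey pam restrictions should be yes"; n=$((n + 1)); }
    return "$n"
}

# winbind (smb.conf realm) and the Kerberos library (krb5.conf default_realm)
# must agree on the realm; exit 1 with a message if they do not.
check_realm_consistency() {   # usage: check_realm_consistency SMB_CONF KRB5_CONF
    smb_realm=$(ini_get "$1" realm)
    krb_realm=$(ini_get "$2" default_realm)
    if [ -z "$smb_realm" ] || [ "$smb_realm" != "$krb_realm" ]; then
        echo "realm mismatch: smb.conf '$smb_realm' vs krb5.conf '$krb_realm'"
        return 1
    fi
    return 0
}

# Write constructed sample files into a fresh temp directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/smb-good.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   password server = dc1.example.com
   realm = EXAMPLE.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = false
   winbind offline logon = false
   obey pam restrictions = yes
EOF
    # Three of the mistakes the post warns about: mixed-case realm, wrong
    # security mode, and the "obey pam restrictions" line left out.
    cat >"$dir/smb-bad.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = example.com
   security = user
   template homedir = /home/%U
   template shell = /bin/bash
EOF
    cat >"$dir/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
 }
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run against the constructed samples.
d=$(make_samples)
echo "smb-good.conf:"; check_smb_conf "$d/smb-good.conf" && echo "  ok"
echo "smb-bad.conf:";  check_smb_conf "$d/smb-bad.conf"  || echo "  $? finding(s)"
check_realm_consistency "$d/smb-good.conf" "$d/krb5.conf" && echo "realms agree"
rm -rf "$d"
```

Run against the template in the post as-is, the lint flags the quoted mixed-case placeholders ("YourDomain", "YourADWorkGroup"), which is the post's own point: they must be replaced with upper-case local values and the quotes removed. On a real host the lint only checks the files; the join itself is still verified afterwards with net ads testjoin and wbinfo -t.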

  3. #3
    Join Date
    Apr 2017
    Posts
    3
    Linux and Mac OS X are now a big part of just about every IT infrastructure. In fact, estimates are that Windows is only one in five devices inside a corporation when you include all devices (desktops, laptops, servers, mobile). As organizations leverage different platforms, that puts a great deal of pressure on the ability to centrally manage user access.
