-
Authenticate Linux Against Microsoft Active Directory
Hi all. I have Googled this topic to death and pulled in every resource I know. My company has about 200 Linux servers (RHEL 6.7) that we want to authenticate against Microsoft Active Directory (AD). I installed OpenLDAP on a test server and it can see the AD server on TCP/389, but I can't connect to it. Is there a quick way to do this? I want to do it both securely and non-securely. Any help would be really appreciated.
I equivocate, therefore I might be.
My Linux/Unix Boxes:
Home: Slackware 10, CentOS 5.3, RHEL 5, Ubuntu Workstation 9.10, Work: RHEL 5, CentOS 5
-
Try using Samba.
I used Samba on some CentOS 5 and 6 systems.
Code:
Use AD to log in to Linux boxes.
On "YourDomain"
add to "YourDomain" DNS <Not Required>
Installs:
CentOS 5.x
yum -y install samba3x samba3x-winbind samba3x-common samba3x-domainjoin samba3x-client samba3x-doc
CentOS 6.x
yum -y install samba samba-winbind samba-common samba-winbind-clients samba-client samba-doc
Files to edit:
/etc/smb.conf can be done with system-config-authconfig in RH-derived distros.
ServerNames, realms, and workgroups should be in CAPS.
lower/mixed case does not work
Join Domain!!!
as root:
>net ads join -U AdminUser@"YourDomain"
an error about DNS/Reverse DNS does not appear to cause issues.
Ensure the following lines are included:
These should be in the authconfig generated area
template homedir = /home/%U
template shell = /bin/bash
This one should follow the authconfig--end-line
obey pam restrictions = yes
======== full working smb.conf on a CentOS 5.x system ========
[global]
#--authconfig--start-line--
# Generated by authconfig on 2011/09/15 12:13:43
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = "YourADWorkGroup"
password server = "YourADServer.YourDomain"
realm = "YourDomain"
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
#--authconfig--end-line--
obey pam restrictions = yes
======== Kerberos setup: /etc/krb5.conf ========
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = "YourDomain"
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
"YourDomain" = {
kdc = "YourADServer.YourDomain"
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/sudoers (use visudo to edit this file)
add lines like the following:
## allow super user ability via sudo to the AD group misadmin
%"YourDomain"\\YourServerAdminGroup ALL=(ALL) ALL
some Centos 6.x suggestions http://mikrocentillion.wordpress.com/2013/06/05/centos-6-authenticate-and-sudo-active-directory-users/
Try
authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=AGRIC \
--smbservers="YourADServer.YourDomain" --winbindjoin=<adminuser> --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash \
--enablewinbindusedefaultdomain --enablelocauthorize
authconfig --enablemkhomedir --update
Start winbind and samba:
service smb start < Not Required unless a file server>
service nmb start < Not Required unless a file server>
service winbind start
Ensure they start on boot:
chkconfig --add smb < Not Required unless a file server>
chkconfig --add nmb < Not Required unless a file server>
chkconfig --add winbind
chkconfig oddjobd on
chkconfig smb on
chkconfig nmb on
chkconfig winbind on
This should auto-generate the smb.conf file:
authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup="YourADWorkGroup" \
--smbrealm="YourDomain" --smbservers="YourADServer.YourDomain" --winbindjoin=<BIND User> --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash \
--enablewinbindusedefaultdomain --enablelocauthorize
The fields in quotes ("") need your local values to replace the CamelCase text; then remove the quotes.
I don't remember where I found all this, though there is at least one website mentioned in there.
Play with the above and see what happens.
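The notes above reduce to a few smb.conf rules that are easy to get wrong when copying the template: realm and workgroup in upper case, the quoted placeholders replaced and unquoted, and "obey pam restrictions = yes" kept below the authconfig end-line so the next authconfig run does not delete it. Here is an added Python linter for those rules; it is not from the post or from Samba, and the two sample configs (EXAMPLE.COM, dc01.example.com) are constructed.

```python
# Constructed sample (hypothetical values) laid out like the post's smb.conf template.
GOOD_SMB_CONF = """[global]
#--authconfig--start-line--
workgroup = EXAMPLE
password server = dc01.example.com
realm = EXAMPLE.COM
security = ads
template homedir = /home/%U
template shell = /bin/bash
#--authconfig--end-line--
obey pam restrictions = yes
"""
# Same file with the post's pitfalls: quoted placeholder, lower-case realm, pam line inside the managed block.
BAD_SMB_CONF = (GOOD_SMB_CONF
    .replace("workgroup = EXAMPLE", 'workgroup = "YourADWorkGroup"')
    .replace("realm = EXAMPLE.COM", "realm = example.com")
    .replace("#--authconfig--end-line--\nobey pam restrictions = yes",
             "obey pam restrictions = yes\n#--authconfig--end-line--"))

def parse_global(text):
    """Return {key: (value, managed)} for [global]; managed = between the authconfig markers."""
    entries, section, managed = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#--authconfig--"):
            managed = line.startswith("#--authconfig--start-line--")
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and not line.startswith(("#", ";")) and section == "global":
            key, _, value = line.partition("=")
            entries[" ".join(key.lower().split())] = (value.strip(), managed)
    return entries

def lint_smb_conf(text):
    """Findings for the pitfalls listed in the post; an empty list means the file is clean."""
    g, findings = parse_global(text), []
    for key in ("workgroup", "realm", "password server", "template homedir", "template shell"):
        val = g.get(key, ("", False))[0]
        if not val:
            findings.append(f"{key}: missing")
        elif val[0] in "\"'":  # placeholders must lose their quotes (see the post's last note)
            findings.append(f"{key}: remove the quotes around {val}")
        if key in ("workgroup", "realm") and val.strip("\"'") != val.strip("\"'").upper():
            findings.append(f"{key}: must be upper case, got {val}")
    opr = g.get("obey pam restrictions")
    if opr is None or opr[0].lower() != "yes":
        findings.append("obey pam restrictions: set to yes")
    elif opr[1]:  # inside the markers, the next authconfig run may delete it
        findings.append("obey pam restrictions: move it below the authconfig end-line")
    return findings
```

Run lint_smb_conf on the text of your own /etc/samba/smb.conf before the net ads join; a clean file returns an empty list.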
-
Linux and Mac OS X are now a big part of just about every IT infrastructure. In fact, estimates are that Windows is only one in five devices inside a corporation when you include all devices (desktops, laptops, servers, mobile). As organizations leverage different platforms, that puts a great deal of pressure on the ability to centrally manage user access.