Active Directory - Join Linux to a Domain

From Nocrashwiki

This document walks through the steps needed to join a Linux host to an Active Directory domain so that users can log in with their Active Directory credentials.

You will need the latest versions of the following software packages:
krb5
samba
winbind

Create your /etc/krb5.conf file similar to the following. Replace DOMAIN.COM with your Kerberos realm (the AD domain name in upper case; realm names are case-sensitive) and medctr with the short, pre-Windows 2000 domain name. Because dns_lookup_kdc = false, the kdc entry is used exactly as written, so DOMAIN.COM must resolve to a domain controller, or name a specific DC there instead:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.COM = {
kdc = DOMAIN.COM:88
admin_server = DOMAIN.COM:749
}

[domain_realm]
.DOMAIN.COM = DOMAIN.COM
DOMAIN.COM = DOMAIN.COM
.medctr = DOMAIN.COM
medctr = DOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Initialize your connection to the domain by obtaining a Kerberos ticket for an account that is allowed to join machines to the domain:

# kinit admin_user@DOMAIN.COM

If kinit reports an error, stop and fix Kerberos before going on; the usual causes are a clock more than five minutes off the domain controller, a realm name that is not in upper case, or DOMAIN.COM not resolving to a domain controller. Then list the ticket cache:

# klist

You should see output similar to the following:

Default principal: user@DOMAIN.COM

Valid starting     Expires            Service principal
02/17/06 16:13:23  02/18/06 02:13:30  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 02/18/06 16:13:23


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cache

Now Edit your /etc/nsswitch.conf and make the following changes:

passwd:     files compat winbind
shadow:     files compat winbind
group:      files compat winbind

Now set up your /etc/samba/smb.conf similar to the following:

[global]
security = ads
workgroup = medctr
realm = DOMAIN.COM
password server = DOMAIN.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
winbind trusted domains only = no
winbind separator = +
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
preferred master = no
dns proxy = no
guest ok = no
guest account = nobody

[homes]
comment = Home Directories
browseable = no
writeable = yes

# This one is useful for people to share files. Note that guest ok = yes on a
# writeable share lets anyone who can reach port 445, authenticated or not,
# write into /tmp on this host; remove the share or set guest ok = no if you
# do not need anonymous drop-off space.
[tmp]
comment = Temporary file space
path = /tmp
writeable = yes
guest ok = yes
browseable = no

Notice the line "template homedir = /home/%D/%U" above: %D expands to the domain name and %U to the user name, and the /home/%D directory has to exist before the first domain user logs in. In this case we created /home/MEDCTR.

Now restart samba....

# service smb restart

Now join the domain with this command:

# net ads join -U admin_user

If you receive an error similar to the following, make sure that hostname -f returns the host name plus the full name of the domain you are joining (for the example host in this message, cartman.domain.com). If it does not, correct this in /etc/hosts and join again.

Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials. Disabled account for 'CARTMAN' in realm 'DOMAIN.COM'

Test the validity of your join with this command:

# net ads testjoin

Now restart winbind....

# service winbind restart

Test a domain login through winbind. The user is written MEDCTR+username because smb.conf sets winbind separator = +, and the password follows a %:

# wbinfo --authenticate=MEDCTR+username%password

A password given on the command line shows up in the process list and in your shell history, so on a shared box run wbinfo --authenticate=MEDCTR+username without the %password part and let wbinfo prompt for it, and test with an ordinary account rather than admin_user. You should see this output:

plaintext password authentication succeeded
challenge/response password authentication succeeded

If this step is giving you trouble, try leaving the domain, deleting the Samba cache and rejoining with this sequence of commands:

# net ads leave
# rm -rf /var/cache/samba/*
# service smb restart
# net ads join -U admin_user
# service winbind restart
# net ads testjoin
# wbinfo --authenticate=MEDCTR+username%password
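The three things that most often make the join or the later logins fail are visible before you run net ads join: a hostname -f that is not inside the realm, a realm in smb.conf that does not match default_realm in krb5.conf, and an nsswitch.conf that never consults winbind. The following pre-join check script is an added example, not a script from the wiki page; it reads the same files the page configures (/etc/samba/smb.conf, /etc/krb5.conf, /etc/nsswitch.conf, overridable through the SMBCONF, KRB5CONF and NSSWITCH environment variables), and the function names are chosen here.

```shell
#!/bin/sh
# Pre-join sanity checks for the procedure above. This is an added example, not a
# script from the wiki page; the file paths are the ones the page uses and can be
# overridden through the environment so the checks can be run against test copies.
SMBCONF="${SMBCONF:-/etc/samba/smb.conf}"
KRB5CONF="${KRB5CONF:-/etc/krb5.conf}"
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# conf_get FILE KEY: value of the first "KEY = value" line (leading blanks allowed,
# trailing blanks dropped). Enough for smb.conf "realm" and krb5.conf "default_realm".
conf_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# fqdn_in_realm FQDN REALM: succeeds when FQDN is host.<realm> (case-insensitive).
# This is what "net ads join" needs in order to set servicePrincipalNames; a bare
# host name or a different DNS domain produces the error quoted on this page.
fqdn_in_realm() {
    case "$1" in
        *.*) ;;
        *)   return 1 ;;
    esac
    [ "$(upper "${1#*.}")" = "$(upper "$2")" ]
}

# nsswitch_has_winbind FILE: succeeds when passwd, shadow and group all list winbind.
nsswitch_has_winbind() {
    for db in passwd shadow group; do
        grep -E '^[[:space:]]*'"$db"':.*[[:space:]]winbind([[:space:]]|$)' "$1" >/dev/null || return 1
    done
}

# realms_agree SMBCONF KRB5CONF: smb.conf "realm" must equal krb5.conf "default_realm",
# otherwise Samba asks for tickets in a realm the Kerberos library knows nothing about.
realms_agree() {
    smb_realm=$(conf_get "$1" realm)
    krb_realm=$(conf_get "$2" default_realm)
    [ -n "$smb_realm" ] && [ "$(upper "$smb_realm")" = "$(upper "$krb_realm")" ]
}

# preflight: run every check against the live files and report; status 1 on any failure.
preflight() {
    rc=0
    fqdn=$(hostname -f 2>/dev/null)
    realm=$(conf_get "$KRB5CONF" default_realm)
    if fqdn_in_realm "$fqdn" "$realm"; then
        echo "ok   hostname -f ($fqdn) is inside realm $realm"
    else
        echo "FAIL hostname -f returns '$fqdn', expected <host>.$realm; fix /etc/hosts first"; rc=1
    fi
    if realms_agree "$SMBCONF" "$KRB5CONF"; then
        echo "ok   smb.conf realm matches krb5.conf default_realm"
    else
        echo "FAIL smb.conf 'realm' and krb5.conf 'default_realm' differ or are missing"; rc=1
    fi
    if nsswitch_has_winbind "$NSSWITCH"; then
        echo "ok   nsswitch.conf consults winbind for passwd, shadow and group"
    else
        echo "FAIL add winbind to the passwd, shadow and group lines of $NSSWITCH"; rc=1
    fi
    # Clock skew cannot be checked offline: the KDC rejects requests when host and DC
    # clocks differ by more than its limit (5 minutes by default), so remind the operator.
    echo "note compare the clock with a domain controller (e.g. ntpdate -q <dc>); skew over 5 minutes breaks kinit"
    [ "$rc" -eq 0 ]
}

# Run the checks only when asked explicitly:  sh preflight.sh run
case "${1:-}" in run) preflight ;; esac
```

Run it as sh preflight.sh run before net ads join; every FAIL line names the file to fix. The checks are deliberately string comparisons on the configuration files rather than calls to net or wbinfo, so they can be run on a host that is not yet able to reach the domain.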

Now set up PAM to use winbind for authentication. This can also be done with the system-config-authentication tool.
Make your /etc/pam.d/system-auth file look similar to the following:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0077

Notice the last line: pam_mkhomedir creates a home directory, populated from /etc/skel and mode 0700 because of umask=0077, for any user who logs in for the first time. Also note the nullok option on the pam_unix lines, which lets local accounts with an empty password log in; remove it unless you need that.

You can install and setup pam_mount to auto mount shares if you wish:

yum -y install pam_mount

Edit /etc/security/pam_mount.conf. Scroll down to line 60, where you see the line:

options_require nosuid, nodev

Comment that line out by placing a # in front of it. Be aware that this drops the requirement that every pam_mount volume be mounted nosuid,nodev; if your mount helper accepts them, put those two options in the options field of the volume line instead of removing the requirement. Then edit your volume line for your needs, on or about line 94:

volume * smb server share /home/DOMAIN/&/share uid=& - -

* = everyone
& = user logging in

Now add pam_mount to your PAM configuration. I would suggest adding it only to the services through which users will be logging in via winbind; my reasoning is that su will ask for your root password twice if you put it in system-auth.

My /etc/pam.d/sshd file

auth       required     pam_stack.so service=system-auth
auth       required     pam_mount.so use_first_pass
account    required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_mount.so

You should now be able to log into this box using your Active Directory Credentials. Feel free to contact me to comment or ask questions.

If you are in a dynamic DNS environment, you may need to add a DNS record for this machine so that people can reach your Samba server. FQDN below stands for the host's fully qualified domain name and IP for its address. Active Directory integrated zones normally accept only secure (GSS-TSIG signed) dynamic updates, so run nsupdate with -g while you still hold the ticket from the kinit step; an unsigned update is refused.

# nsupdate -g
> update add FQDN 86400 A IP
> send
> quit


Flush Samba's name cache (net cache flush clears Samba's own gencache, not the system resolver) and then ping the FQDN you added to confirm it resolves:

# net cache flush
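The nsupdate step above, as a small script that builds the update and signs it with the Kerberos ticket obtained at the kinit step. This is an added example and not from the wiki page; it assumes the AD-integrated zone allows secure dynamic updates for the principal holding the ticket, and that the reverse zone, if you maintain the PTR, is updatable the same way (drop the PTR lines if it is not). The names ptr_name, nsupdate_script and register_host, and the host cartman.domain.com / 10.1.2.3 used in the usage comment, are chosen here.

```shell
#!/bin/sh
# Register this host in AD-integrated DNS with a GSS-TSIG signed dynamic update.
# Added example, not from the wiki page. Assumes a valid ticket is in the default
# credential cache (the kinit step above) and that the zone permits secure updates
# for that principal, which is the Active Directory default.

# ptr_name IPV4: owner name of the reverse record, 10.1.2.3 -> 3.2.1.10.in-addr.arpa
# (prints nothing for input that is not four dotted fields).
ptr_name() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# nsupdate_script FQDN IPV4 [TTL]: emit the nsupdate commands. The stale A record is
# deleted first so a changed address does not leave two A records behind; the PTR is
# sent as a second batch because it lives in a different zone. TTL defaults to 86400
# as on this page.
nsupdate_script() {
    fqdn=$1; ip=$2; ttl=${3:-86400}
    printf 'update delete %s A\n' "$fqdn"
    printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'send\n'
    printf 'update delete %s PTR\n' "$(ptr_name "$ip")"
    printf 'update add %s %s PTR %s.\n' "$(ptr_name "$ip")" "$ttl" "$fqdn"
    printf 'send\n'
}

# register_host FQDN IPV4 [TTL]: pipe the script into nsupdate. -g signs the update
# with GSS-TSIG using the Kerberos ticket in the cache; without it a secure-only AD
# zone answers REFUSED and nothing changes.
register_host() {
    nsupdate_script "$@" | nsupdate -g
}

# Usage (constructed host name and address):
#   sh register-dns.sh show     cartman.domain.com 10.1.2.3   print the commands
#   sh register-dns.sh register cartman.domain.com 10.1.2.3   send them
case "${1:-}" in
    show)     nsupdate_script "${2:?fqdn}" "${3:?ip}" "${4:-86400}" ;;
    register) register_host   "${2:?fqdn}" "${3:?ip}" "${4:-86400}" ;;
esac
```

Use show first to inspect the commands, then register. If nsupdate reports REFUSED even with -g, the ticket in the cache belongs to a principal the zone does not trust to update that name; kinit as the account that joined the machine, or have a DNS administrator grant it.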
