May 22, 2011

Windows AD authentication for Linux

Release:
RedHat Enterprise Linux 5
Windows Enterprise Server 2003 R2

Problem:
A Linux client must authenticate logins against Windows Active Directory using Kerberos and Samba winbind.

Solution:

Assumption:
Domain Name : TESTDOM.COM
AD Server IP Address : 192.168.1.60
AD Server Hostname : WIN2K3
Linux Client IP Address : 192.168.1.26
Linux Client Hostname : CLIENT

1)      Install the required RPMs
     
# yum install krb5-libs pam_krb5 krb5-workstation samba-common samba-client

2)      Add the domain controller and the client to the hosts file

         # vi /etc/hosts
        
         192.168.1.60    win2k3.testdom.com       win2k3
         192.168.1.26    client.testdom.com       client

3)      Point /etc/resolv.conf at the domain controller's DNS server, which holds the SRV records the Kerberos and Samba tools use to locate the KDC

         # vi /etc/resolv.conf
        
         nameserver 192.168.1.60

Configure Kerberos for AD Integration:

4)      Modify /etc/krb5.conf so that the client authenticates against the domain controller. default_realm and the [realms] entry must both name the Kerberos realm, which is the AD domain name in upper case (TESTDOM.COM), not the DC host name. Kerberos also rejects tickets when the client clock differs from the domain controller by more than the permitted skew (5 minutes by default), so keep the client's time synchronized with the DC.

         # vi /etc/krb5.conf

         [logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log

         [libdefaults]
         default_realm = TESTDOM.COM
         dns_lookup_realm = true
         dns_lookup_kdc = true

         [realms]
         TESTDOM.COM = {
         kdc = win2k3.testdom.com
         admin_server = win2k3.testdom.com:749
         default_domain = testdom.com
         }

         [domain_realm]
         .testdom.com = TESTDOM.COM
         testdom.com = TESTDOM.COM
        
         [kdc]
         profile = /var/kerberos/krb5kdc/kdc.conf

         [appdefaults]
         pam = {
               debug = false
               ticket_lifetime = 36000
               renew_lifetime = 36000
               forwardable = true
               krb4_convert = false
         }

5)      PAM must be configured to accept Active Directory authentication. Edit /etc/pam.d/system-auth as shown below.

          # vi /etc/pam.d/system-auth
         
          auth        required      pam_env.so
          auth        sufficient    pam_unix.so nullok try_first_pass
          auth        requisite     pam_succeed_if.so uid >= 500 quiet
          auth        sufficient    pam_winbind.so use_first_pass
          auth        required      pam_deny.so

          account     required      pam_unix.so broken_shadow
          account     sufficient    pam_succeed_if.so uid < 500 quiet
          account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
          account     required      pam_permit.so

          password    requisite     pam_cracklib.so try_first_pass retry=3
          password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
          password    sufficient    pam_winbind.so use_authtok
          password    required      pam_deny.so

          session     optional      pam_keyinit.so revoke
          session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
          session     required      pam_limits.so
          session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
          session     required      pam_unix.so
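
The order of the auth lines above decides whether domain logins can ever succeed: pam_winbind.so must come before pam_deny.so, and pam_deny.so must close the stack so that an unknown user is refused rather than waved through. The following shell script is an added example, not part of the original article; it checks those properties of a system-auth file using awk only, against two constructed sample stacks (the one from step 5, and one where pam_winbind was appended after pam_deny). The function name check_pam_stack and the temporary file names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check a
# /etc/pam.d/system-auth stack before trusting it for AD logins.
# Assumes only POSIX sh and awk; the file layout matches step 5 above.

# check_pam_stack FILE
# Returns 0 when the auth stack can reach pam_winbind before it hits
# pam_deny, ends fail-closed with pam_deny, and a session entry creates
# home directories for first-time domain logins; otherwise prints why
# and returns 1.
check_pam_stack() {
    f=$1
    wb=$(awk '$1 == "auth" && $3 == "pam_winbind.so" { print NR; exit }' "$f")
    deny=$(awk '$1 == "auth" && $3 == "pam_deny.so" { print NR; exit }' "$f")
    last_auth=$(awk '$1 == "auth" { n = NR } END { print n }' "$f")
    mkhome=$(awk '$1 == "session" && $3 == "pam_mkhomedir.so" { print NR; exit }' "$f")

    [ -n "$wb" ]   || { echo "FAIL: no pam_winbind.so in the auth stack"; return 1; }
    [ -n "$deny" ] || { echo "FAIL: auth stack has no pam_deny.so, so it is not fail-closed"; return 1; }
    [ "$wb" -lt "$deny" ] || { echo "FAIL: pam_winbind.so comes after pam_deny.so and can never run"; return 1; }
    [ "$deny" -eq "$last_auth" ] || { echo "FAIL: pam_deny.so is not the last auth entry"; return 1; }
    [ -n "$mkhome" ] || { echo "FAIL: no pam_mkhomedir.so session entry for first-time domain logins"; return 1; }
    return 0
}

# Constructed sample files (not copied from any real host).
tmp=${TMPDIR:-/tmp}/pamcheck.$$
mkdir -p "$tmp"

# The stack from step 5.
cat > "$tmp/good" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
session     optional      pam_keyinit.so revoke
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     required      pam_unix.so
EOF

# A common editing mistake: pam_winbind appended after pam_deny, so local
# accounts still work but every domain login is denied.
cat > "$tmp/bad" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        sufficient    pam_winbind.so use_first_pass
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     required      pam_unix.so
EOF

check_pam_stack "$tmp/good"; good_rc=$?
check_pam_stack "$tmp/bad";  bad_rc=$?
echo "good stack rc=$good_rc, bad stack rc=$bad_rc"
```

On a real client run check_pam_stack /etc/pam.d/system-auth after step 5 and again after authconfig-tui in step 7, since authconfig regenerates the file.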

Create Users and Group from DC:

6)      Add the entries below to the [global] section of /etc/samba/smb.conf; they make the winbind service enumerate users and groups from the domain controller.

         # vi /etc/samba/smb.conf

         workgroup = TESTDOM
         password server = win2k3.testdom.com
         server string = Samba Server Version %v
         realm = TESTDOM.COM
         security = ads
         idmap uid = 16777216-33554431
         idmap gid = 16777216-33554431
         winbind separator = #
         winbind enum groups = yes
         winbind enum users = yes
         template homedir = /home/%U
         template shell = /bin/bash
         winbind use default domain = true
         winbind offline logon = false

Where:

idmap uid - the range of numeric uids that winbind allocates to domain users on this system. Choose a range that does not overlap uid numbers already in use locally.

idmap gid - the range of numeric gids that winbind allocates to domain groups on this system.

winbind enum groups and winbind enum users - whether winbind should "create" (enumerate) the domain's groups and users on the system, so that commands such as getent and wbinfo can list them.

winbind separator - the character winbind uses to separate the domain name from the user or group name (with winbind use default domain = true, a plain user name is taken to belong to the default domain).

realm - the Kerberos realm, i.e. the AD domain name in upper case; it must match default_realm in /etc/krb5.conf.

template homedir = /home/%U - the home directory path generated for domain users, with %U replaced by the user's Windows NT user name.

template shell = /bin/bash - the login shell for domain users.
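
Before running authconfig and joining the domain it is worth checking that the smb.conf values described above are consistent with /etc/krb5.conf and with the accounts that already exist locally. The script below is an added example, not code from the article or from Samba; it uses POSIX sh and awk only, takes the file names as arguments, and runs here against constructed copies of smb.conf, krb5.conf, passwd and group (one krb5.conf deliberately names the DC host instead of the domain as default_realm, and one passwd has a local account inside the idmap uid range). conf_value, ids_in_range and check_smb_conf are the example's own helper names.

```shell
#!/bin/sh
# Added example, not from the original article: check an smb.conf for the
# AD/winbind settings explained above before running authconfig and
# "net ads join". Assumes POSIX sh and awk only; file names are arguments,
# so the constructed samples below stand in for /etc/samba/smb.conf,
# /etc/krb5.conf, /etc/passwd and /etc/group.

# conf_value FILE KEY -> value of the first "KEY = value" line (trimmed).
conf_value() {
    awk -v k="$2" -F'=' '
        { key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key) }
        key == k { v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit }
    ' "$1"
}

# ids_in_range PASSWD_OR_GROUP_FILE LO HI -> "name(id)" for every local
# account whose numeric id falls inside the winbind idmap range.
ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 "(" $3 ")" }' "$1"
}

# check_smb_conf SMBCONF KRB5CONF PASSWD GROUP -> 0 if consistent, else 1.
check_smb_conf() {
    smb=$1; krb=$2; pw=$3; gr=$4
    [ "$(conf_value "$smb" security)" = "ads" ] \
        || { echo "FAIL: security must be ads for Kerberos/AD membership"; return 1; }
    realm=$(conf_value "$smb" realm)
    dflt=$(conf_value "$krb" default_realm)
    [ -n "$realm" ] && [ "$realm" = "$dflt" ] \
        || { echo "FAIL: smb.conf realm '$realm' differs from krb5.conf default_realm '$dflt'"; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "FAIL: realm must be upper case"; return 1; }
    uidr=$(conf_value "$smb" "idmap uid"); gidr=$(conf_value "$smb" "idmap gid")
    [ -n "$uidr" ] && [ -n "$gidr" ] \
        || { echo "FAIL: idmap uid / idmap gid ranges are not set"; return 1; }
    clash=$(ids_in_range "$pw" "${uidr%-*}" "${uidr#*-}")
    [ -z "$clash" ] || { echo "FAIL: local uids inside idmap uid range: $clash"; return 1; }
    clash=$(ids_in_range "$gr" "${gidr%-*}" "${gidr#*-}")
    [ -z "$clash" ] || { echo "FAIL: local gids inside idmap gid range: $clash"; return 1; }
    return 0
}

# Constructed sample files (not copied from any real host).
tmp=${TMPDIR:-/tmp}/smbcheck.$$
mkdir -p "$tmp"
cat > "$tmp/smb.conf" <<'EOF'
[global]
         workgroup = TESTDOM
         password server = win2k3.testdom.com
         realm = TESTDOM.COM
         security = ads
         idmap uid = 16777216-33554431
         idmap gid = 16777216-33554431
         winbind use default domain = true
EOF
printf '[libdefaults]\n default_realm = TESTDOM.COM\n' > "$tmp/krb5.good"
# The realm mistakenly set to the DC host name instead of the domain.
printf '[libdefaults]\n default_realm = WIN2K3.TESTDOM.COM\n' > "$tmp/krb5.bad"
printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:500:500::/home/bob:/bin/bash\n' > "$tmp/passwd.good"
# A local service account created inside the winbind range would collide
# with whichever domain user winbind later maps to that uid.
cp "$tmp/passwd.good" "$tmp/passwd.bad"
printf 'svcbuild:x:16777300:16777300::/var/lib/svcbuild:/sbin/nologin\n' >> "$tmp/passwd.bad"
printf 'root:x:0:\nusers:x:100:\n' > "$tmp/group"

check_smb_conf "$tmp/smb.conf" "$tmp/krb5.good" "$tmp/passwd.good" "$tmp/group"; ok_rc=$?
check_smb_conf "$tmp/smb.conf" "$tmp/krb5.bad"  "$tmp/passwd.good" "$tmp/group"; realm_rc=$?
check_smb_conf "$tmp/smb.conf" "$tmp/krb5.good" "$tmp/passwd.bad"  "$tmp/group"; uid_rc=$?
echo "consistent=$ok_rc wrong_realm=$realm_rc uid_clash=$uid_rc"
```

On a real host call check_smb_conf /etc/samba/smb.conf /etc/krb5.conf /etc/passwd /etc/group; a non-zero exit with the printed reason means the file should be fixed before running net ads join.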

7)      Switch user information lookup and authentication to winbind with the "authconfig-tui" command

         # authconfig-tui

         In the User Information screen select "Use Winbind", in the Authentication screen select "Use Winbind Authentication", then select "Next" and "ok". Note that authconfig regenerates /etc/pam.d/system-auth-ac (which /etc/pam.d/system-auth points to) and may also rewrite the winbind and Kerberos settings in /etc/samba/smb.conf and /etc/krb5.conf, so check afterwards that the pam_winbind entries from step 5 and the settings from steps 4 and 6 are still present.

8)      Restart the winbind service and also configure winbind to start automatically.

         # service winbind restart
         # chkconfig --level 35 winbind on

9)      Join the domain with the command below; it prompts for the password of a domain account that is allowed to join computers to the domain (here the administrator).

                  # net ads join -U administrator

10)     To test winbind's enumeration of domain users and groups, run the commands below.

         # wbinfo -u
         # wbinfo -g