May 22, 2011

Windows AD authentication for Linux

Windows AD authentication for Linux Clients

RedHat Enterprise Linux 5
Windows Enterprise Server 2003 R2

Goal: log in to the Linux client with Windows Active Directory credentials, using Kerberos for authentication and Samba winbind for user and group lookups.


Domain Name : TESTDOM.COM
AD Server IP Address :
AD Server Hostname : WIN2K3
Linux Client IP Address :
Linux Client Hostname : CLIENT

1)      Install the required RPMs
# yum install krb5-libs pam_krb5 krb5-workstation samba-common samba-client

2)      Add entries for the domain controller and the client to the hosts file

         # vi /etc/hosts
               win2k3       client

3)      Point the resolver at the AD DNS server (the domain controller), so that the domain's Kerberos and LDAP SRV records can be resolved

         # vi /etc/resolv.conf

Configure Kerberos for AD Integration:

4)      Modify /etc/krb5.conf so that the Linux client authenticates against the domain controller.

         # vi /etc/krb5.conf

         [logging]
          default = FILE:/var/log/krb5libs.log
          kdc = FILE:/var/log/krb5kdc.log
          admin_server = FILE:/var/log/kadmind.log

         [libdefaults]
          # the realm name (the AD domain in upper case), not the DC hostname
          default_realm = TESTDOM.COM
          dns_lookup_realm = true
          dns_lookup_kdc = true

         [realms]
          TESTDOM.COM = {
           kdc =
           admin_server =
           default_domain =
          }

         [domain_realm]
          # map the DNS domain (and all hosts under it) to the Kerberos realm
          .testdom.com = TESTDOM.COM
          testdom.com = TESTDOM.COM

         [kdc]
          profile = /var/kerberos/krb5kdc/kdc.conf

         [appdefaults]
          pam = {
           debug = false
           ticket_lifetime = 36000
           renew_lifetime = 36000
           forwardable = true
           krb4_convert = false
          }
5)      PAM needs to be configured to use Active Directory authentication. Edit /etc/pam.d/system-auth as below

          # vi /etc/pam.d/system-auth
          # module names as written by authconfig on RHEL 5 with winbind enabled
          auth        required      pam_env.so
          auth        sufficient    pam_unix.so nullok try_first_pass
          auth        requisite     pam_succeed_if.so uid >= 500 quiet
          auth        sufficient    pam_winbind.so use_first_pass
          auth        required      pam_deny.so

          account     required      pam_unix.so broken_shadow
          account     sufficient    pam_succeed_if.so uid < 500 quiet
          account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
          account     required      pam_permit.so

          password    requisite     pam_cracklib.so try_first_pass retry=3
          password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
          password    sufficient    pam_winbind.so use_authtok
          password    required      pam_deny.so

          session     optional      pam_keyinit.so revoke
          session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
          session     required      pam_limits.so
          session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
          session     required      pam_unix.so

Enumerate Users and Groups from the DC:

6)      Add the entries below to the [global] section of /etc/samba/smb.conf. They make the winbind service enumerate users and groups from the domain controller.

         # vi /etc/samba/smb.conf

         [global]
         workgroup = TESTDOM
         password server =
         server string = Samba Server Version %v
         realm = TESTDOM.COM
         security = ads
         idmap uid = 16777216-33554431
         idmap gid = 16777216-33554431
         winbind separator = #
         winbind enum groups = yes
         winbind enum users = yes
         template homedir = /home/%U
         template shell = /bin/bash
         winbind use default domain = true
         winbind offline logon = false

idmap uid - the range of numeric uids that winbind assigns to domain users on this system. Select a range that does not conflict with uid numbers already in use on the system.

idmap gid - the range of numeric gids that winbind assigns to domain groups on this system.

winbind enum groups and winbind enum users - whether winbind should "create" the domain's groups/users on the system or not.

winbind separator - the character winbind uses to separate the domain name from the user or group name.

realm - the Kerberos realm of the AD domain; required for security = ads.

template homedir = /home/%U - generates the home directory path for domain users; %U is substituted with the user's Windows NT user name.

template shell = /bin/bash - the login shell for that user.
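As an added example (not from the original post), a small shell check for the idmap uid/gid notes above: it reads the ranges from smb.conf and reports any local uid or gid in the passwd and group files that already falls inside them. The sample smb.conf, passwd and group files, and the `appsvc` account, are constructed for the demonstration.

```shell
# Added example (not from the original post): confirm that the idmap uid/gid
# ranges in smb.conf do not overlap any uid/gid already present in the local
# passwd and group files, the clash the idmap notes above warn against.

# Print "LOW HIGH" for "idmap uid = LOW-HIGH" (or "idmap gid") from smb.conf.
idmap_range() {   # $1 = smb.conf path, $2 = uid | gid
    awk -F= -v key="idmap $2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); split(v, r, "-"); print r[1], r[2]; exit }
    ' "$1"
}

# Print "name:id" for every local entry whose numeric id (field 3) lies in LOW..HIGH.
ids_in_range() {  # $1 = passwd or group file, $2 = LOW, $3 = HIGH
    awk -F: -v lo="$2" -v hi="$3" '$3 >= lo && $3 <= hi { print $1 ":" $3 }' "$1"
}

# Returns 0 when no local id falls inside the winbind ranges, 1 otherwise.
check_idmap_ranges() {  # $1 = smb.conf, $2 = passwd file, $3 = group file
    rc=0
    for kind in uid gid; do
        if [ "$kind" = uid ]; then idfile=$2; else idfile=$3; fi
        range=$(idmap_range "$1" "$kind")
        if [ -z "$range" ]; then
            echo "idmap $kind is not set in $1" >&2; rc=1; continue
        fi
        lo=${range% *}; hi=${range#* }
        clash=$(ids_in_range "$idfile" "$lo" "$hi")
        if [ -n "$clash" ]; then
            echo "idmap $kind range $lo-$hi overlaps local entries: $clash" >&2; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files so the check runs offline; in use, point it at the live
# /etc/samba/smb.conf, /etc/passwd and /etc/group. The constructed "appsvc" account
# deliberately sits inside the uid range from the post, so the check fails here.
demo_dir=$(mktemp -d)
printf '[global]\n   workgroup = TESTDOM\n   idmap uid = 16777216-33554431\n   idmap gid = 16777216-33554431\n' > "$demo_dir/smb.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nappsvc:x:16777300:16777300::/srv/app:/sbin/nologin\n' > "$demo_dir/passwd"
printf 'root:x:0:\nusers:x:100:\n' > "$demo_dir/group"

if check_idmap_ranges "$demo_dir/smb.conf" "$demo_dir/passwd" "$demo_dir/group"; then
    echo "idmap ranges are free of local ids; safe to start winbind"
else
    echo "adjust the idmap ranges before starting winbind"
fi
```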

7)      Switch user information and authentication to winbind with the "authconfig-tui" command

         # authconfig-tui

                        Enable Winbind for both user information and authentication, then select "Next" and then "Ok".

8)      Restart the winbind service and also configure winbind to start automatically.

         # service winbind restart
         # chkconfig --level 35 winbind on

9)      Join the Domain using the below command

                  # net ads join -U administrator

10)   To test that winbind can enumerate domain users and groups, use the commands below.

         # wbinfo -u
         # wbinfo -g