Wednesday, 21 March 2018

How to join CentOS7/RHEL7 to Active Directory using Winbind



We can integrate a Linux host with Windows Active Directory domain controller for authentication purpose. To complete the scenario, we have Centos / RHEL 7 servers and existing Active Directory domain controller. Also required AD administrator account or user has sufficient rights to join AD.

To join RHEL/CentOS7 to Active Directory, the following packages need to be installed on the system:

[root@linuxcnf ~]#  yum install authconfig samba-client  samba-winbind samba-winbind-clients ntp pam_krb5 krb5-workstation

Configuration:

Sync the time with site NTP server and add the below entry in /etc/ntp.conf:

[root@linuxcnf ~]#  ntpdate –u 192.168.43.14
[root@linuxcnf ~]#  vi /etc/ntp.conf
server 192.168.43.14 iburst

Start ntpd and enable it on boot:

[root@linuxcnf ~]#  service ntpd start
[root@linuxcnf ~]#  chkconfig ntpd on
[root@linuxcnf ~]#  ntpstat

Add the below entry in /etc/resolve.conf file:

[root@linuxcnf ~]#  vi /etc/resolv.conf
nameserver 192.162.43.14

Add the below entry in /etc/hosts file:

[root@linuxcnf ~]#  vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.162.43.14 adauth.linuxcnf.com

Add the below entry in last of respective sections in /etc/krb5.conf file:

[root@linuxcnf ~]#  ~]# vi /etc/krb5.conf
[libdefaults]
default_realm = LinuxCNF.com
 [realms]
 LinuxCNF.com = {
  kdc = adauth.LinuxCNF.com
 }

Add the below entry in /etc/samba/smb.conf file:

[root@linuxcnf ~]#  vi /etc/samba/smb.conf
[global]
   …
   workgroup = LinuxCNF
   password server = adauth.linuxcnf.com
   realm = LinuxCNF.com
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

Join the domain, providing the name of a user with admin rights:

[root@linuxcnf ~]#  net ads join -U administrator
Enter administrator's password:

Start winbind and enable it on boot:

[root@linuxcnf ~]#  service winbind start
[root@linuxcnf ~]#  chkconfig winbind on

To verify/test the active directory AD join status:

[root@linuxcnf ~]#  net ads testjoin
Join is OK

To verify the system can talk to Active Directory:

[root@linuxcnf ~]#  wbinfo -t
checking the trust secret for domain LinuxCNF via RPC calls succeeded

To list all AD users:

[root@linuxcnf ~]#  wbinfo -u
administrator
guest
linuxcnf

To list all AD groups:

[root@linuxcnf ~]#  wbinfo -g
domain computers
domain users
domain guests

Use below command to configure the NSS and PAM stack:

[root@linuxcnf ~]#  authconfig --enablewinbindauth  --enablemkhomedir --update

Ensure that /etc/nsswitch.conf has the following passwd and group entries:

[root@linuxcnf ~]#   cat /etc/nsswitch.conf
passwd:     files sss winbind
group:      files sss winbind

Test resolving AD users and groups and authentication of AD users:

[root@linuxcnf ~]#  getent passwd aduser
aduser:*:16777220:16777216:AD User:/home/aduser:/bin/bash

[root@linuxcnf ~]#  id aduser
uid=16777220(aduser) gid=16777216(domain users) groups=16777216(domain users)

Test SSH authentication through AD user and password:

[root@linuxcnf ~]#  ssh aduser@127.0.0.1
aduser@127.0.0.1's password:
Creating home directory for aduser.
[aduser@linuxcnf ~]$


No comments:

Post a comment