Integrating Linux with Active Directory using Winbind, Samba & Kerberos

Integrating CentOS 7 with Active Directory using Winbind

#---- install auxiliary packages
yum -y install ntp
yum -y install bind-utils
yum -y install net-tools

#---- verify CentOS can reach the AD server
ping ad-server-name

#---- set up time synchronization with the AD: the server pool must include the AD server
vi /etc/ntp.conf

# add the AD server to the ntp server pool

systemctl start ntpd
systemctl enable ntpd

#---- create the home directory for the domain users (domain name); note the name capitalization
mkdir /home/XYZ
chmod 0777 /home/XYZ

#---- install the necessary packages
yum -y install samba samba-winbind*
yum -y install authconfig-gtk*

#---- verify the time can be pulled from the AD server
net time -S ad-server-name

#---- sync the time to the AD server
net time set -S ad-server-name

Now configure the file /etc/krb5.conf as follows:

[libdefaults]
        ticket_lifetime = 600
        default_realm = YOURDOMAIN
        # Active Directory does not support des3, and single DES is disabled by
        # default on current domain controllers, so request AES ticket encryption
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
        YOURDOMAIN = {
                kdc = ip of your ads server
                default_domain = YOURDOMAIN
        }

[domain_realm]
        .kerberos.server = YOURDOMAIN
        .yourdomain = YOURDOMAIN
        yourdomain = YOURDOMAIN

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

Add this line to /etc/hosts:

xxx.xxx.xxx.xxx    ad-server-name   ad-server

Test Kerberos to make sure you can reach the AD domain. Type this command:

kinit Username@YOURDOMAIN

It will ask for the password; if you type it in correctly you are returned to the prompt, which means it worked.

Configure SAMBA

You can use this example Samba file (location: /etc/samba/smb.conf):

[global]
        netbios name = name of your server
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        # Samba 4 (CentOS 7) idmap syntax; the old "idmap uid" and "winbind gid"
        # lines are not valid parameters on this version
        idmap config * : backend = tdb
        idmap config * : range = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        workgroup = YOURDOMAIN
        security = ADS
        os level = 20
        template homedir = /home/%D/%U
        root preexec = /usr/local/sbin/mkhomedir.sh %U
        template shell = /bin/bash
        realm = YOURDOMAIN.COM
        password server = ad-server-name
        preferred master = no
        socket address = ip of your ads server
        max log size = 50
        log file = /var/log/samba3/log.%m
        encrypt passwords = yes
        dns proxy = no
        wins server = ip of your wins server
        wins proxy = no

 

Now run Samba:

systemctl start smb
systemctl enable smb

The mkhomedir.sh file can contain:

---------- cut here ----------

#!/bin/bash
# Create the home directory for a domain user the first time they connect.
# $1 is the user name passed in by "root preexec = /usr/local/sbin/mkhomedir.sh %U".
[ -n "$1" ] || exit 0
if [ ! -e "/home/DOMAIN/$1" ]; then
     mkdir -p "/home/DOMAIN/$1"
     chown "$1":"Domain Users" "/home/DOMAIN/$1"
fi
exit 0

---------- cut here ----------

Then set the ownership and permissions of this file (the script already runs as root from root preexec, and the setuid bit is ignored on shell scripts, so it is not set):

chown root:root /usr/local/sbin/mkhomedir.sh
chmod u=rwx,g=rx,o= /usr/local/sbin/mkhomedir.sh

We are going to test winbind to ensure Windows authentication does indeed work. First edit the file /etc/nsswitch.conf and change the passwd, shadow and group lines to look like this:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

In PAM, the Winbind module is enabled for authentication, account, password and, optionally, session management. On CentOS 7 this is configured in /etc/pam.d/system-auth (the file names differ by version and vendor); the lines to add are marked +++:

+++ auth      required        pam_winbind.so  use_first_pass
+++ account   required        pam_winbind.so  use_first_pass
+++ password  sufficient      pam_winbind.so
+++ session   required        pam_winbind.so
+++ session    required      pam_mkhomedir.so skel=/etc/skel/ umask=0022

Start the winbindd daemon:

systemctl start winbind

systemctl enable winbind

Join your Samba server to your domain by typing this command:

kinit Administrator

net ads join -k

Alternatively, without using the Kerberos ticket:

net ads join -U Administrator

Another way to join is with authconfig:

#---- set up winbind authentication
authconfig-tui

Here select:

  • User Information = Use Winbind
  • Authentication = Use Winbind Authentication
  • DOMAIN = XYZ
  • Domain controller = ad-server-name
  • Shell = /bin/bash

You need to provide Windows administrator credentials to join.

#---- verify the domain join
net ads testjoin

#---- verify AD server info
net ads info

#---- remove the DOMAIN prefixes from the users and the groups
authconfig --enablewinbindusedefaultdomain --update

###
### on the AD server run the dsquery * command to verify that the
### CentOS results correspond to AD
### for granularity run the following: dsquery ou, dsquery group, dsquery user
###

#---- allow auto-creation of home directories when users log in via ssh
authconfig --enablemkhomedir --update

 

Test your Samba server

Let's make sure we can see the contents of Active Directory. Type these commands:

# wbinfo -u

Can you see the user list of your Active Directory?

To see your groups, type

# wbinfo -g
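wbinfo talks to winbindd directly, so it can list users while logins still fail because /etc/nsswitch.conf does not route lookups to winbind or winbindd has stopped. The following added example (not from the original article) pipes the wbinfo -u user list into a check that each name also resolves through getent passwd, which is the path that login, sudo and file ownership actually use; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check the users
# winbind reports against what the NSS stack can resolve. A name that
# winbind returns but "getent passwd" cannot resolve points at a wrong
# /etc/nsswitch.conf, a missing nss_winbind library or a stopped winbindd.

# Read user names from stdin and print each one that NSS cannot resolve.
unresolved_users() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        getent passwd "$user" >/dev/null 2>&1 || printf '%s\n' "$user"
    done
}

# Return 0 when every user listed by winbind resolves through NSS,
# 1 otherwise (printing the offending names).
check_winbind_nss() {
    missing=$(wbinfo -u | unresolved_users)
    if [ -n "$missing" ]; then
        printf 'users visible to winbind but not to NSS:\n%s\n' "$missing"
        return 1
    fi
    printf 'all winbind users resolve through NSS\n'
    return 0
}

# Usage on a joined host (requires winbindd running): check_winbind_nss
```

If check_winbind_nss reports names, fix the passwd and group lines in /etc/nsswitch.conf first, then restart winbind and re-run; if wbinfo -u itself prints nothing, the join or winbindd is the problem, not NSS.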