
Red Hat Linux Active Directory Integration



Can Linux boxes exist in a Windows Active Directory domain? The answer has been yes for a long time. However, until very recently this has been a very painful and tedious process: exporting certificates, trial-and-error config files, changing security settings on the domain controller, a major headache.

Thankfully Red Hat has finally realized this was a problem. It's funny that, with Server 2012 already released, Red Hat has only just added a simple method to integrate authentication with a Windows Active Directory domain.

(Image: Windows Server 2008 R2 AD authentication)

We are a release behind, better now than ever.

(Image: Red Hat AD authentication with SSSD)

The real OS of choice.

NOTE: All Sample Configs are located at the bottom of this page.

To start, this article ONLY applies to:

  • Red Hat Enterprise Linux 6.4
  • CentOS 6.4

You can find out your version by using

cat /etc/system-release (CentOS)
cat /etc/redhat-release (Red Hat)

If you are not familiar with SSSD (System Security Services Daemon) then I suggest you do some reading before you dive into this article. Also, this is geared more towards Linux admins than Windows admins. With these new changes you won't need your Windows admin for anything, well, unless you need that domain admin access of course.

BEFORE WE DO ANYTHING ALWAYS BACKUP YOUR CONFIGS

authconfig --savebackup=mybackup

First, to get started, let's check what version of SSSD you have installed on your box.

NOTE: If a domain name is in CAPS it is on purpose. This was not done for show.

rpm -q sssd

You will need at least SSSD 1.9.2 for this.

Let's go ahead and set up all of the necessary nss and pam config files.

authconfig --enablesssd --ldapserver=ldap://dc1.yourdomain.com --ldapbasedn="dc=YOURDOMAIN,dc=COM" --enablerfc2307bis --enablesssdauth --krb5kdc=dc1.yourdomain.com --krb5realm=YOURDOMAIN.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall

Next edit the Kerberos client configuration:

vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = YOURDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# These encryption types are required for ntvlmi and krb5i (packet signing)
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
YOURDOMAIN.COM = {
kdc = domaincontroller.yourdomain.com:88
admin_server = domaincontroller.yourdomain.com:749
default_domain = yourdomain.com
}

[domain_realm]
.yourdomain.com = YOURDOMAIN.COM
yourdomain.com = YOURDOMAIN.COM

Note that rc4-hmac is listed only for compatibility with older domain controllers; it is a weak cipher, so drop it from all three enctype lines once every domain controller you authenticate against supports AES.

Next edit the Samba configuration:

vi /etc/samba/smb.conf

[global]
workgroup = YOURDOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = YOURDOMAIN.COM
security = ads

Then the SSSD configuration:

vi /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = YOURDOMAIN.COM

[nss]
nss_filter_groups = root
nss_filter_users = root
nss_entry_cache_timeout = 30
nss_enum_cache_timeout = 30

[domain/YOURDOMAIN.COM]
id_provider = ad
ad_server = domaincontroller.yourdomain.com
ad_domain = yourdomain.com

SSSD refuses to start unless sssd.conf is owned by root with mode 0600, so run chmod 600 /etc/sssd/sssd.conf after editing it.

Now you will need an Active Directory account with administrator privileges to add machines to the domain. Before you run kinit, make sure you sync your time with a domain controller; Kerberos rejects clients whose clock is more than a few minutes off from the KDC.


ntpdate dc1.yourdomain.com

Once time is synced, continue with:


kinit administrator

Type your password.

Confirm that you have received a Kerberos ticket by using

klist

If you do not see any tickets, please refer to your logs. SSSD's messages in /var/log/messages are somewhat helpful.

Now that we have a ticket, we need to add this machine to the domain.


net ads join -k

If you receive a success message, your new Linux box should be inside Active Directory in the default Computers container. Verify with an Active Directory admin to make sure your server object was created. Let's run:


service sssd restart

If you did not receive any warning messages inside /var/log/messages we should be good to go.

Test by running


id yourusernamead

and


getent passwd yourusernamead

You should be able to look up accounts at this point.
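The checks above (time in sync, a ticket in the cache, sssd.conf sane) are easy to script. The following is an added example, not code from the original post: POSIX shell helpers that verify each precondition of the join procedure. All inputs are constructed samples (a fake klist listing and a temporary sssd.conf) so it runs offline; on a real host feed the functions the live /etc/sssd/sssd.conf, the output of klist, and epoch times from date and the domain controller. YOURDOMAIN.COM is the post's placeholder realm, and the permission check assumes GNU stat as shipped on RHEL/CentOS.

```shell
#!/bin/sh
# Added example (not from the original post): verify the preconditions the
# domain join relies on. Inputs are constructed samples; see lead-in.

# Kerberos rejects requests when the client clock differs from the KDC by more
# than the default clockskew of 300 seconds, which is why ntpdate runs first.
MAX_SKEW=300

# within_skew NOW_EPOCH DC_EPOCH: succeed if |NOW - DC| <= MAX_SKEW seconds
within_skew() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - $diff )); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# has_tgt REALM KLIST_OUTPUT: succeed if the credential cache listing contains
# a ticket-granting ticket (krbtgt/REALM@REALM), which is what kinit obtains
has_tgt() {
    printf '%s\n' "$2" | grep -q "krbtgt/$1@$1"
}

# check_sssd_conf FILE: succeed if the domain uses the AD provider and the
# root user and group are filtered so root always stays a local account
check_sssd_conf() {
    grep -Eq '^[[:space:]]*id_provider[[:space:]]*=[[:space:]]*ad[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*nss_filter_users[[:space:]]*=.*root' "$1" &&
    grep -Eq '^[[:space:]]*nss_filter_groups[[:space:]]*=.*root' "$1"
}

# sssd_conf_mode_ok FILE: sssd refuses to start unless its config is mode 0600
# (`stat -c %a` is GNU coreutils syntax, as found on RHEL/CentOS)
sssd_conf_mode_ok() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# Constructed sample of what `klist` prints after a successful kinit
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@YOURDOMAIN.COM

Valid starting     Expires            Service principal
01/01/13 09:00:00  01/01/13 19:00:00  krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM'

# Constructed sample sssd.conf with the settings from the post
SAMPLE_SSSD=$(mktemp)
trap 'rm -f "$SAMPLE_SSSD"' EXIT
cat > "$SAMPLE_SSSD" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = YOURDOMAIN.COM

[nss]
nss_filter_groups = root
nss_filter_users = root

[domain/YOURDOMAIN.COM]
id_provider = ad
ad_server = domaincontroller.yourdomain.com
ad_domain = yourdomain.com
EOF
chmod 600 "$SAMPLE_SSSD"

# Report each precondition (sample epoch values are 30 seconds apart)
within_skew 1356944400 1356944430 && echo "clock skew ok" || echo "clock skew too large, run ntpdate first"
has_tgt YOURDOMAIN.COM "$SAMPLE_KLIST" && echo "TGT present" || echo "no TGT, run kinit"
check_sssd_conf "$SAMPLE_SSSD" && echo "sssd.conf ok" || echo "sssd.conf missing AD provider or root filter"
sssd_conf_mode_ok "$SAMPLE_SSSD" && echo "sssd.conf permissions ok" || echo "chmod 600 /etc/sssd/sssd.conf"
```

Keeping root out of SSSD lookups matters for recovery: if the domain controller is unreachable, the root filter guarantees that the local root account still resolves and you can log in at the console to fix things.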

Now the best part of this. Let's set up PuTTY and SSHD to use your Kerberos ticket to authenticate into your Linux box. As you noted inside our sssd.conf, we filtered the root user and group out of SSSD (nss_filter_users / nss_filter_groups), so root never goes through AD authentication and stays a local account.

First let’s make some changes to our SSHD configs.


vi /etc/ssh/sshd_config

Make sure you have this line uncommented:

GSSAPIAuthentication yes

Then in the client configuration:

vi /etc/ssh/ssh_config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

GSSAPIDelegateCredentials forwards a copy of your Kerberos ticket to the server you log into, so only enable it towards hosts you trust with your credentials.
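A quick way to confirm the directives really are uncommented before you test from PuTTY. This is an added example, not code from the original post: it scans constructed sample config files written to temporary paths so it runs offline; on a real host pass /etc/ssh/sshd_config and /etc/ssh/ssh_config to gssapi_ready instead.

```shell
#!/bin/sh
# Added example (not from the original post): check that the GSSAPI directives
# the Kerberos SSH login depends on are present and uncommented.

# has_directive FILE KEYWORD VALUE: succeed if FILE has an uncommented line
# setting KEYWORD to VALUE. OpenSSH keywords are case-insensitive and may be
# separated from the value by whitespace or '='.
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]=]+$3[[:space:]]*$" "$1"
}

# gssapi_ready SERVER_CFG CLIENT_CFG: print every required directive that is
# missing and succeed only when all of them are set
gssapi_ready() {
    missing=0
    for spec in "$1|GSSAPIAuthentication" \
                "$2|GSSAPIAuthentication" \
                "$2|GSSAPIDelegateCredentials"; do
        file=${spec%%|*}
        key=${spec#*|}
        if ! has_directive "$file" "$key" yes; then
            echo "missing in $file: $key yes"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed samples: a server config with the directive enabled, one where
# only the stock commented-out default line is present, and a client config
GOOD_SSHD=$(mktemp); BAD_SSHD=$(mktemp); CLIENT_CFG=$(mktemp)
trap 'rm -f "$GOOD_SSHD" "$BAD_SSHD" "$CLIENT_CFG"' EXIT
printf '%s\n' '#GSSAPIAuthentication no' 'GSSAPIAuthentication yes' 'UsePAM yes' > "$GOOD_SSHD"
printf '%s\n' '#GSSAPIAuthentication no' 'UsePAM yes' > "$BAD_SSHD"
printf '%s\n' 'Host *' '    GSSAPIAuthentication yes' '    GSSAPIDelegateCredentials yes' > "$CLIENT_CFG"

gssapi_ready "$GOOD_SSHD" "$CLIENT_CFG" && echo "sshd and ssh ready for Kerberos login"
gssapi_ready "$BAD_SSHD" "$CLIENT_CFG" || echo "fix the directives listed above, then: service sshd restart"
```

After changing sshd_config, restart sshd (service sshd restart) and keep an existing session open while you test, so a typo in the config cannot lock you out.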

Also, before trying to use PuTTY, make sure you have a newer release and that your authentication settings are set up as follows:

(Screenshot: PuTTY SSH authentication settings with GSSAPI authentication enabled)

Make sure this is enabled.

Now open a new session to your linux box. Type in your active directory username and press enter. If kerberos negotiation is successful you will NOT be prompted for a password.

Happy Shelling

Sample Config Files

ssh_conf

sshd_conf

If you are a RedHat subscriber you can read their article on this subject here.
