==== Linux User Authentication Against Active Directory Using Winbind ====

This tutorial walks you through configuring CentOS (tested on v7) to allow Active Directory users to authenticate using their AD credentials. It assumes you already have a functioning AD forest with users & groups.

Install dependencies:
<pre>
sudo yum -y install authconfig krb5-workstation pam_krb5 samba-common \
    samba-winbind oddjob-mkhomedir ntp
</pre>

Run authconfig to build the initial authentication configuration:
<pre>
sudo authconfig --disablecache --enablewinbind --enablewinbindauth \
    --smbsecurity=ads --smbworkgroup=UNT --smbrealm=UNT.AD.UNT.EDU \
    --enablewinbindusedefaultdomain \
    --winbindtemplatehomedir=/home/UNT.AD.UNT.EDU/%U \
    --winbindtemplateshell=/bin/bash --enablekrb5 \
    --krb5realm=UNT.AD.UNT.EDU --enablekrb5kdcdns \
    --enablekrb5realmdns --enablelocauthorize --enablemkhomedir \
    --enablepamaccess --updateall
</pre>

Modify /etc/krb5.conf:
<pre>
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UNT.AD.UNT.EDU
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
</pre>

Modify /etc/samba/smb.conf:
<pre>
[global]
 client ntlmv2 auth = yes
 kerberos method = secrets and keytab
 encrypt passwords = true
 workgroup = UNT
 security = ads
 realm = UNT.AD.UNT.EDU
 template homedir = /home/UNT.AD.UNT.EDU/%U
 template shell = /bin/bash
 obey pam restrictions = yes
 unix password sync = yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 pam password change = yes
 map to guest = bad user
 server string = Samba Server Version %v
 # log files split per-machine:
 log file = /var/log/samba/log.%m
 # maximum size of 50KB per log file, then rotate:
 max log size = 50
 passdb backend = tdbsam
 # the following login script name is determined by the machine name
 # (%m):
 # the following login script name is determined by the UNIX user used:
 # use an empty path to disable profile support:
 # various scripts can be used on a domain controller or a stand-alone
 # machine to add or delete corresponding UNIX accounts:
 dns proxy = no
 load printers = yes
 cups options = raw
 allow trusted domains = no
 # obtain a list of printers automatically on UNIX System V systems:
 # Some defaults for winbind (make sure you're not using the ranges
 # for something else.)
 #idmap uid = 10000-900000
 #idmap gid = 10000-900000
 #idmap backend = rid:UNT=10000-900000
 idmap backend = tdb
 idmap uid = 1000000-1999999
 idmap gid = 1000000-1999999
 idmap config UNT : backend = ad
 idmap config UNT : range = 1000000 - 99999999
 idmap config UNT : schema_mode = rfc2307
 winbind enum groups = no
 winbind enum users = no
 winbind use default domain = yes
 winbind refresh tickets = yes
 winbind nested groups = yes
 winbind offline logon = false

[homes]
 comment = Home Directories
 browseable = no
 writable = yes

[printers]
 comment = All Printers
 path = /var/spool/samba
 browseable = no
 guest ok = no
 writable = no
 printable = yes
</pre>

Modify /etc/nsswitch.conf:
<pre>
passwd:     compat winbind
group:      compat winbind
shadow:     compat winbind
hosts:      files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:   files
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis
</pre>

Test that domain authentication via Kerberos is working:
<pre>
kinit joe9876
</pre>

Sync time with the AD domain:
<pre>
sudo ntpdate unt.ad.unt.edu
</pre>

Join the Linux system to the domain:
<pre>
sudo net ads join unt.ad.unt.edu -U adminUser
sudo net ads testjoin
</pre>

Create the home directory structure:
<pre>
sudo mkdir /home/UNT.AD.UNT.EDU
sudo chmod 777 /home/UNT.AD.UNT.EDU
</pre>

Add members of the itsm-team AD group to sudoers:
<pre>
sudo sh -ec 'echo %itsm-team ALL=\(ALL\) ALL > /etc/sudoers.d/itsm-team'
</pre>

This may duplicate what other services already do; however, it is needed to prevent any AD account from authenticating over SSH:
<pre>
sudo sh -ec 'echo auth include system-auth > /etc/pam.d/unt-ad-auth'
sudo sh -ec 'echo account include system-auth >> /etc/pam.d/unt-ad-auth'
sudo sh -ec 'echo password include system-auth >> /etc/pam.d/unt-ad-auth'
sudo sh -ec 'echo session include system-auth >> /etc/pam.d/unt-ad-auth'
sudo sh -ec 'echo account [default=bad success=ignore] pam_succeed_if.so user ingroup itsm-team quiet >> /etc/pam.d/unt-ad-auth'
</pre>

Make sure all required services are set to start on boot:
<pre>
sudo chkconfig oddjobd on
sudo chkconfig winbind on
sudo chkconfig messagebus on
sudo reboot
</pre>

Try logging in with your AD credentials to see if it works.

===Resources===
* [[https://community.spiceworks.com/how_to/44885-setup-centos-to-authenticate-via-active-directory]]
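The smb.conf above carries the comment "make sure you're not using the ranges for something else": if a winbind idmap range overlaps the UID range that useradd hands out locally, a domain user can end up with the same numeric UID as a local account and inherit its file ownership. The following script is an added example, not part of the tutorial or of Samba, that parses the idmap ranges out of an smb.conf and the UID_MIN/UID_MAX values out of a login.defs file and reports any overlap. The function names (idmap_ranges, local_uid_range, check_idmap_overlap) are mine, the sample files are constructed here so the check runs offline, and the 1000/60000 fallback is the CentOS 7 default when login.defs does not set those keys.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that winbind idmap
# ranges in an smb.conf stay clear of the local UID range from login.defs.
# Paths are parameters so the check can run on sample files; it needs no
# Samba install and no domain join.

# Print "LOW HIGH LABEL" for every idmap range in the smb.conf at $1.
# Understands "idmap uid = A-B" and "idmap config DOM : range = A - B".
idmap_ranges() {
    awk '
        { sub(/[#;].*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }  # drop comments, trim
        /^idmap (uid|gid)[ \t]*=/ {
            split($0, kv, "="); label = kv[1]; sub(/[ \t]+$/, "", label)
            gsub(/[ \t]/, "", kv[2]); split(kv[2], r, "-")
            print r[1], r[2], label; next
        }
        /^idmap config .*:[ \t]*range[ \t]*=/ {
            split($0, kv, "="); label = kv[1]
            sub(/^idmap config[ \t]*/, "", label); sub(/[ \t]*:.*/, "", label)
            gsub(/[ \t]/, "", kv[2]); split(kv[2], r, "-")
            print r[1], r[2], "idmap config " label; next
        }
    ' "$1"
}

# Print "UID_MIN UID_MAX" from the login.defs-style file at $1, falling back
# to 1000 60000 (the CentOS 7 defaults) when a key is absent.
local_uid_range() {
    awk 'BEGIN { lo = 1000; hi = 60000 }
         $1 == "UID_MIN" { lo = $2 }
         $1 == "UID_MAX" { hi = $2 }
         END { print lo, hi }' "$1"
}

# check_idmap_overlap SMB_CONF LOGIN_DEFS
# Exit 0 when every idmap range is well-formed and disjoint from the local
# UID range, 1 otherwise; each problem is reported on stdout.
check_idmap_overlap() {
    smb=$1; defs=$2
    set -- $(local_uid_range "$defs")
    idmap_ranges "$smb" | awk -v lo="$1" -v hi="$2" '
        BEGIN { lo = lo + 0; hi = hi + 0 }
        {
            rlo = $1 + 0; rhi = $2 + 0
            label = $3; for (i = 4; i <= NF; i++) label = label " " $i
            if (rlo > rhi) {
                printf "%s: malformed range %d-%d\n", label, rlo, rhi; bad++
            } else if (rlo <= hi && rhi >= lo) {
                printf "%s: %d-%d overlaps local UIDs %d-%d\n", label, rlo, rhi, lo, hi; bad++
            }
        }
        END { exit (bad > 0) }'
}

# Constructed sample inputs (not taken from a real host) so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# constructed excerpt of /etc/login.defs
UID_MIN                  1000
UID_MAX                 60000
EOF
# Same idmap settings as the tutorial's smb.conf: well above the local range.
cat > "$SAMPLE_DIR/smb-ok.conf" <<'EOF'
[global]
   idmap backend = tdb
   idmap uid = 1000000-1999999
   idmap gid = 1000000-1999999
   idmap config UNT : backend = ad
   idmap config UNT : range = 1000000 - 99999999
EOF
# The ranges the tutorial leaves commented out: 10000-900000 would collide
# with every local account above UID 10000.
cat > "$SAMPLE_DIR/smb-bad.conf" <<'EOF'
[global]
   idmap backend = rid:UNT=10000-900000
   idmap uid = 10000-900000
   idmap gid = 10000-900000
EOF

echo "== $SAMPLE_DIR/smb-ok.conf"
check_idmap_overlap "$SAMPLE_DIR/smb-ok.conf" "$SAMPLE_DIR/login.defs" && echo "no overlap"
echo "== $SAMPLE_DIR/smb-bad.conf"
check_idmap_overlap "$SAMPLE_DIR/smb-bad.conf" "$SAMPLE_DIR/login.defs" || echo "overlap found"
```

On a real host run `check_idmap_overlap /etc/samba/smb.conf /etc/login.defs` after editing smb.conf and before the `net ads join` step; once the join is done, `getent passwd <aduser>` should show a UID inside the winbind range rather than inside UID_MIN..UID_MAX.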