Linux User Authentication Against Active Directory Using Winbind

This tutorial walks you through configuring CentOS (tested on v7) to allow Active Directory users to authenticate using their AD credentials. This tutorial assumes you already have a functioning AD forest with users & groups.

Install dependencies

# Everything the rest of this page relies on: authconfig (generates the
# PAM/NSS/krb5/smb settings), the Kerberos client and its PAM module,
# Samba/winbind for the domain join and AD lookups, oddjob-mkhomedir for
# home-directory creation at first login, and ntp for the clock sync that
# Kerberos needs.
sudo yum -y install \
  authconfig \
  krb5-workstation \
  pam_krb5 \
  samba-common \
  samba-winbind \
  oddjob-mkhomedir \
  ntp

Run authconfig to build the initial authentication configuration

# Generates the nsswitch/PAM/smb/krb5 settings in one go (--updateall).
# The workgroup, realm and template home-dir values here must match what
# is placed in /etc/krb5.conf and /etc/samba/smb.conf further down, and
# the /home/UNT.AD.UNT.EDU directory created later on this page.
# --enablewinbindusedefaultdomain lets users log in as "joe" instead of
# "UNT\joe"; --enablemkhomedir creates the home directory at first login
# through oddjob; --enablepamaccess turns on pam_access, so
# /etc/security/access.conf is another place logins can be restricted.
sudo authconfig --disablecache --enablewinbind --enablewinbindauth \
--smbsecurity=ads --smbworkgroup=UNT --smbrealm=UNT.AD.UNT.EDU \
--enablewinbindusedefaultdomain \
--winbindtemplatehomedir=/home/UNT.AD.UNT.EDU/%U \
--winbindtemplateshell=/bin/bash --enablekrb5 \
--krb5realm=UNT.AD.UNT.EDU --enablekrb5kdcdns \
--enablekrb5realmdns --enablelocauthorize --enablemkhomedir \
--enablepamaccess --updateall

Modify /etc/krb5.conf

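[logging]
# Where the Kerberos libraries log; the kdc/admin_server entries only
# matter if this host ever runs a KDC or kadmind itself.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = UNT.AD.UNT.EDU
# Offer AES first so accounts and DCs that support it get AES tickets;
# rc4-hmac stays for those that do not (the KDC picks from the list, so
# an RC4-only domain keeps working). The des-cbc-* types are classed as
# weak and are skipped by MIT Kerberos unless allow_weak_crypto = true,
# so they add nothing here — drop them once the domain no longer needs them.
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# Realm and KDCs are discovered through the DNS SRV records AD publishes,
# which is why no [realms] section is needed.
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[appdefaults]
# Read by pam_krb5 for the PAM login path (kinit uses [libdefaults]).
pam = {
   debug = false
   # 36000 seconds = 10 h for tickets obtained at login.
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   # Kerberos 4 conversion is obsolete; kept only to match the stock file.
   krb4_convert = false
}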

Modify /etc/samba/smb.conf

[global]
        # Require NTLMv2 whenever a client falls back from Kerberos.
        client ntlmv2 auth = yes
        # Use the machine keytab written by "net ads join" for Kerberos.
        kerberos method = secrets and keytab
        encrypt passwords = true
        # Domain short name and Kerberos realm; must match /etc/krb5.conf
        # and the authconfig flags above.
        workgroup = UNT
        security = ads        
        realm = UNT.AD.UNT.EDU
        # %U = session username; the parent directory is created later on
        # this page.
        template homedir = /home/UNT.AD.UNT.EDU/%U
        template shell = /bin/bash
        obey pam restrictions = yes
        # NOTE(review): unix password sync / passwd program / passwd chat
        # only apply to a local password backend; with security = ads the
        # passwords live in AD, so these three lines can probably be
        # dropped — confirm with testparm.
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        # NOTE(review): "bad user" maps an unknown username to the guest
        # account for SMB access; tolerable on a login client whose only
        # shares are [homes]/[printers] with guest ok = no, but reconsider
        # before adding shares.
        map to guest = bad user
        server string = Samba Server Version %v
        # log files split per-machine:
        log file = /var/log/samba/log.%m
        # maximum size of 50KB per log file, then rotate:
        max log size = 50
        # Local account database; not used for AD logins under security = ads.
        passdb backend = tdbsam
        dns proxy = no
        # NOTE(review): this exports the CUPS printers over SMB; set
        # load printers = no if the host is only a login client.
        load printers = yes
        cups options = raw
        # Resolve users/groups from UNT only, never from trusted domains.
        allow trusted domains = no
        # Earlier rid-based id mapping, kept for reference only:
        #idmap uid = 10000-900000
        #idmap gid = 10000-900000
        #idmap backend = rid:UNT=10000-900000

        # Default id mapping for everything that is not UNT (e.g. BUILTIN).
        # NOTE(review): on Samba 4 "idmap backend"/"idmap uid"/"idmap gid"
        # are the deprecated spelling of "idmap config * : backend/range";
        # run testparm to check this build still honours them.
        idmap backend = tdb
        idmap uid = 1000000-1999999
        idmap gid = 1000000-1999999
        # UNT users take uid/gid from the AD rfc2307 attributes (uidNumber,
        # gidNumber); accounts without those attributes will not resolve.
        # NOTE(review): this range overlaps the default 1000000-1999999
        # range above, and Samba documents that idmap ranges must not
        # overlap — move one of the two ranges.
        idmap config UNT : backend  = ad
        idmap config UNT : range = 1000000 - 99999999
        idmap config UNT : schema_mode = rfc2307
        
        # Do not enumerate the whole directory (keeps getent passwd/group
        # cheap); lookups by name still work.
        winbind enum groups = no
        winbind enum users = no
        # Users log in as "joe" rather than "UNT\joe".
        winbind use default domain = yes
        winbind refresh tickets = yes
        winbind nested groups = yes
        # No cached-credential logins while the DC is unreachable.
        winbind offline logon = false
        

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

Modify /etc/nsswitch.conf

# passwd/group: local files first (compat), then winbind so AD accounts
# resolve with the uids/gids configured under idmap in smb.conf.
passwd:         compat winbind
group:          compat winbind
# NOTE(review): winbind is not known to serve shadow entries; listing it
# here looks harmless but unnecessary — verify and drop if so.
shadow:         compat winbind
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Test that domain authentication via Kerberos is working

# joe9876 is a placeholder — use any real AD account. A password prompt
# followed by a clean return means the realm/KDC lookup from krb5.conf
# works; `klist` shows the ticket. If kinit complains about clock skew,
# do the time-sync step below first and retry.
kinit joe9876

Sync time with the AD domain

# One-shot clock sync against the domain; Kerberos (and therefore the
# join below) rejects requests from a host whose clock is too far off.
# The ntp package installed above can keep it in sync afterwards if its
# service is enabled.
sudo ntpdate unt.ad.unt.edu

Join the Linux system to the domain

# Creates the computer account in AD and writes the machine keytab.
# adminUser is a placeholder for an account allowed to join machines;
# with -U alone `net` prompts for the password, which keeps it out of
# argv and shell history (do not use the user%password form).
sudo net ads join unt.ad.unt.edu -U adminUser
# Confirms the machine account and keytab from the join are usable.
sudo net ads testjoin

Create home directory structure

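# Parent directory for AD users' homes (must match the template homedir
# set in authconfig and smb.conf above). Per-user directories are created
# by oddjob-mkhomedir, which runs as root, so the parent does not need to
# be world-writable: 0755 lets everyone traverse it while only root can
# create entries. 777 would let any local account pre-create or replace
# another user's home directory path.
sudo mkdir -p /home/UNT.AD.UNT.EDU
sudo chmod 755 /home/UNT.AD.UNT.EDU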

Add members of the itsm-team AD group to sudoers

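# Grant sudo to the AD group through a sudoers.d drop-in. The group name
# has no domain prefix because "winbind use default domain = yes" is set
# above. The file is written via tee (no root shell needed), given the
# 0440 mode sudo expects for drop-ins, and syntax-checked with visudo so
# a typo cannot break sudo for everyone.
printf '%s\n' '%itsm-team ALL=(ALL) ALL' \
  | sudo tee /etc/sudoers.d/itsm-team >/dev/null
sudo chmod 0440 /etc/sudoers.d/itsm-team
sudo visudo -cf /etc/sudoers.d/itsm-team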

This may duplicate what other PAM service files already do, but it is needed to prevent every AD account from authenticating over SSH

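# Write the PAM service file in one step instead of five echo lines; the
# quoted here-doc keeps the shell from touching the [default=bad ...]
# control token. The trailing account line denies any AD user who is not
# in the itsm-team group (same line order as before, so behaviour is
# unchanged).
sudo tee /etc/pam.d/unt-ad-auth >/dev/null <<'EOF'
auth     include system-auth
account  include system-auth
password include system-auth
session  include system-auth
account  [default=bad success=ignore] pam_succeed_if.so user ingroup itsm-team quiet
EOF
# NOTE(review): nothing on this page points sshd (or any other service)
# at the "unt-ad-auth" service name; confirm which /etc/pam.d file
# actually references it, otherwise this group restriction never runs.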

Make sure all required services are set to start on boot

# Persist the services a login depends on: oddjobd (home-directory
# creation), winbind (AD lookups and authentication) and messagebus
# (D-Bus, which oddjobd talks over). On CentOS 7 chkconfig forwards
# these requests to systemctl enable.
sudo chkconfig oddjobd on
sudo chkconfig winbind on 
sudo chkconfig messagebus on
# Reboot so every running service picks up the new nsswitch/PAM/samba
# configuration at once.
sudo reboot

Try logging in with your AD credentials to see if it works.

Resources