/ Linux

Active Directory Authentication on CentOS

We will setup a Linux Server to Authenticate against Microsoft's, Active Directory.

Please also lookout for Squid Proxy AD Setup, where we essentially will let our users authenticate against the AD in order to determine what kind of internet access will be provided. In this scenario we can control our level of internet usage provided to our users, from a central point.

Install Packages:

$ yum install authconfig krb5-workstation pam_krb5 samba-common oddjob-mkhomedir sudo -y

AuthConfig:

$ authconfig --disablecache --enablewinbind --enablewinbindauth \\
--smbsecurity=ads --smbworkgroup=LAN --smbrealm=LAN.RUANBEKKER.COM \\
--enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/lan.ruanbekker.com/%U \\
--winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=LAN.RUANBEKKER.COM \\
--enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir \\
--enablepamaccess --updateall

Configuration:

  • KRB5:

Verify that your /etc/krb5.conf looks more or less like the following:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LAN.TCPD.CO.ZA
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]

 LAN.RUANBEKKER.COM = {
 kdc = lan.ruanbekker.com
 admin_server = lan.ruanbekker.com
 }

[domain_realm]
lan.ruanbekker.com = RUANBEKKER.COM
 .lan.ruanbekker.com = RUANBEKKER.COM

PAM:

and for /etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account [default=ignore success=1] pam_succeed_if.so uid < 16777216 quiet
account [default=bad success=ignore] pam_succeed_if.so user ingroup linuxusers quiet
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

Prepare: Logs and Permissions:

$ touch /var/log/krb5libs.log
$ touch /var/log/krb5kdc.log
$ touch /var/log/kadmind.log
$ chown 777 /var/log/krb5libs.log /var/log/krb5kdc.log /var/log/kadmind.log
$ mkdir /home/lan.ruanbekker.com
$ chown -R 777 /home/lan.ruanbekker.com/

Note: Make sure you are able to resolve all hostnames and FQDN before proceeding

Verify and Join:

$ kinit username

$ net ads join lan.ruanbekker.com -U Administrator
$ net ads testjoin

Sudoers:

In active directory, any users part of linuxusers will be able to run commands on privileged rights

$ echo '%linuxusers ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

Enable on Boot:

Enable your services on boot

$ chkconfig oddjobd on
$ chkconfig winbind on
$ chkconfig messagebus on

For this scenario, disable selinux

$ sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

Restart your server, and you should be able to have your server setup to authenticate against your active directory.

Related to this Post:

[Squid Proxy AD Setup](coming soon) - Coming Soon
Domain Controller on Samba4