Install the necessary packages
# yum install authconfig krb5-workstation pam_krb5 samba-common oddjob-mkhomedir sudo ntp samba-winbind-modules samba-winbind
Run authconfig to setup the initial authentication configuration
authconfig --disablecache --enablewinbind --enablewinbindauth \
  --smbsecurity=ads --smbworkgroup=ITSOL --smbrealm=ITSOL.BIZ \
  --enablewinbindusedefaultdomain \
  --winbindtemplatehomedir=/home/teleena.local/%U \
  --winbindtemplateshell=/bin/bash \
  --enablekrb5 --krb5realm=ITSOL.BIZ --enablekrb5kdcdns --enablekrb5realmdns \
  --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
Check your /etc/krb5.conf and test Kerberos authentication
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ITSOL.BIZ
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 ITSOL.BIZ = {
  kdc = itsol.biz
  admin_server = itsol.biz
 }

[domain_realm]
 .itsol.biz = ITSOL.BIZ
 itsol.biz = ITSOL.BIZ
To test Kerberos authentication:
# kinit bisser.todorov
# klist -a
The output should look like this:
Ticket cache: KEYRING:persistent:0:0
Default principal: bisser.todorov@ITSOL.BIZ

Valid starting       Expires              Service principal
04/07/2017 15:33:30  04/08/2017 01:33:30  krbtgt/ITSOL.BIZ@ITSOL.BIZ
	renew until 04/14/2017 15:33:26
	Addresses: (none)
Configure NTP
Kerberos authentication is very sensitive to clock skew, so make sure your server's time is synchronised with the domain. Configure and start the NTP client: comment out all existing server lines in /etc/ntp.conf and add your DCs:
server dc1.itsol.biz iburst
server dc2.itsol.biz iburst
server dc3.itsol.biz iburst
Join the machine to the AD and test
# net ads join ITSOL.BIZ -U bisser.todorov
# net ads testjoin
The response should be “Join is OK”.
Check your /etc/samba/smb.conf file
Setup a home folder
# mkdir /home/itsol.biz
# chmod 777 /home/itsol.biz/
Grant linuxusers group sudo rights
# sudoedit /etc/sudoers
and add to the bottom:
%linuxusers ALL=(ALL) NOPASSWD:ALL
Configure SSHD for SSO
Check and if needed update your /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIEnablek5users yes
Restart SSHD
Restrict access to only specific AD group members
Edit your /etc/security/access.conf
+:root:LOCAL
+:@localusers:ALL
+:VPNUsers:ALL
- : ALL : ALL
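As an added example (not part of the original post), here is a small POSIX sh emulation of how pam_access walks these rules top to bottom, first match wins, so the order can be checked offline before it locks anyone out. The users, groups and origin addresses it evaluates are constructed, and only exact host/address origins are emulated.

```shell
#!/bin/sh
# Constructed rule set, copied from the access.conf on this page.
ACCESS_RULES='+:root:LOCAL
+:@localusers:ALL
+:VPNUsers:ALL
- : ALL : ALL'
trim() { printf '%s' "$1" | tr -d ' \t'; }
# match_who ENTRY USER "GROUP ..." -> exit 0 when ENTRY covers USER.
# pam_access default: a bare name is tried as a user, then as a group;
# "@name" forces a group/netgroup lookup; ALL matches everyone.
match_who() {
  e=$1; u=$2; gs=$3
  [ "$e" = ALL ] && return 0
  case "$e" in
    @*) e=${e#@} ;;
    *)  [ "$e" = "$u" ] && return 0 ;;
  esac
  for g in $gs; do [ "$g" = "$e" ] && return 0; done
  return 1
}
# access_decision USER ORIGIN "GROUP ..." [RULES] -> prints ALLOW or DENY.
# ORIGIN is LOCAL for a console/tty login, otherwise the client host/address
# (only exact origin matches are emulated; no netmasks or domain suffixes).
access_decision() {
  user=$1; origin=$2; groups=$3; rules=${4:-$ACCESS_RULES}
  verdict=$(printf '%s\n' "$rules" | while IFS= read -r line; do
    line=${line%%#*}                                  # drop comments
    [ -z "$(trim "$line")" ] && continue
    perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' \t')
    who=$(printf '%s' "$line" | cut -d: -f2 | tr ',' ' ')
    from=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' \t')
    case "$from" in                                   # origin field
      ALL)   ;;
      LOCAL) [ "$origin" = LOCAL ] || continue ;;
      *)     [ "$from" = "$origin" ] || continue ;;
    esac
    for entry in $who; do
      if match_who "$entry" "$user" "$groups"; then
        [ "$perm" = "+" ] && echo ALLOW || echo DENY
        break 2                                       # first match wins
      fi
    done
  done)
  # No rule matched: pam_access grants access, hence the trailing "- : ALL : ALL".
  echo "${verdict:-ALLOW}"
}
access_decision root 10.0.0.5 root                               # prints DENY
access_decision bisser.todorov 10.0.0.5 "linuxusers VPNUsers"    # prints ALLOW
```

A member of linuxusers alone is denied by the last rule, so the sudoers grant above does not by itself permit a login. Passing a rule set without the final deny line as the fourth argument shows that unmatched users are let in, which is why that line matters.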
Test your setup
Enjoy!
Another way of configuring authentication is using
# authconfig-tui