UPDATE!! .. This article also works perfectly on Windows 2012 Server as well as Windows Server 2008. The process is exactly the same.
I’ve had countless numbers of people ask me over the years how to add a Linux system to Active Directory.
Here is a really quick and simple way to do it using Windbind for userlookups, and Kerberos for authentication.
In this example, I will be using the below details
Windows Domain Name: nt.example.com Windows Domain NetBIOS Name: NT Domain Controller: dc01.nt.example.com Client Server name: server01.nt.example.com
1. Firstly, install the necessary components.
yum install -y samba-winbind samba-winbind-clients oddjob-mkhomedir pam_krb5 krb5-workstation
2. Make sure OddJobd is running at Startup. This is only for Red Hat Enterprise Linux 6 and other Red Hat based Operating systems.
Red Hat Enterprise Linux 5 will use pam_mkhomedir. pam_mkhomedir has SELinux issues at present, so oddjobd is the way to go.
chkconfig oddjobd on
3. Set authconfig to point to the relevant systems for Authentication.
Note: If you do not wish your users to log into your server via a shell, set –winbindtemplateshell to –winbindtemplateshell=/sbin/nologin
authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=NT --smbrealm=NT.EXAMPLE.COM --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=NT.EXAMPLE.COM --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess
4. Just like in Windows, Add your system to the domain. Here I have used the Domain Administrator account, but any account with enough rights to add a system to the domain will suffice.
[root@server ~]# net ads join -U Administrator Enter Administrator's password: Using short domain name -- NT Joined 'server' to realm 'nt.example.com'
Note: As you are now dealing with Active Directory, it now becomes time sensitive. Make sure your system clock is pointing to one of your Domain Controllers as the NTP server.
Otherwise you will end up with errors like this when you try to add the system to the domain.
[root@server ~]# net ads join -U Administrator Enter Administrator's password: Using short domain name -- NT Joined 'SERVER' to realm 'nt.example.com' [2012/07/06 17:24:04.397769, 0] libads/kerberos.c:333(ads_kinit_password) kerberos_kinit_password SERVER$@NT.EXAMPLE.COM failed: Clock skew too great [root@server ~]#
5. Configure Winbind Backend
The default Winbind backend is great for single systems being added to Active Directory, however if you are in a very large Linux estate like I usually am, you will need to change the backend to ensure that all UID’s/GID’s match across all your systems.
To do this, add the below two lines to your global Samba configuration. Replace “NT” with your own Domain name.
idmap config NT:backend = rid idmap config NT:range = 10000000-19999999 kerberos method = dedicated keytab dedicated keytab file=/etc/krb5.keytab
Just so we are on the same page, my global configuration now looks like this
workgroup = NT realm = NT.EXAMPLE.COM security = ads idmap uid = 16777216-33554431 idmap gid = 16777216-33554431 idmap config NT:backend = rid idmap config NT:range = 10000000-19999999 kerberos method = dedicated keytab dedicated keytab file=/etc/krb5.keytab template homedir = /home/%U template shell = /bin/bash winbind use default domain = true winbind offline logon = false
6. Restart Winbind service
Once you have added your system to the domain, it is important to restart the Winbind service.
[root@server ~]# service winbind restart Shutting down Winbind services: [FAILED] Starting Winbind services: [ OK ] [root@server ~]#
7. Create a Kerberos keytab to enable Single Sign On (SSO)
[root@server ~]# net ads keytab create -U Administrator Enter Administrator's password: [root@server ~]#
8. Test configuration. If you receive no output for a known username, then something is wrong.
[root@server ~]# getent passwd Administrator administrator:*:16777216:16777216:Administrator:/home/administrator:/bin/bash [root@server ~]#
or, if you enabled shell logins,
User@workstation:~$ ssh Administrator@server.nt.example.com Administrator@server.nt.example.com's password: Your password will expire in 11 days. Creating home directory for administrator. [administrator@server ~]$
9. This is optional, your home directory will not exist on the system when a new user logs in, run the below command if you with to have the homedir automatically created on first login.
[root@server ~]# authconfig --enablemkhomedir --update Starting Winbind services: [ OK ] Starting oddjobd: [ OK ] [root@server ~]#