UPDATE: This article also works on Windows Server 2012 as well as Windows Server 2008. The process is exactly the same.
I’ve had countless people ask me over the years how to add a Linux system to Active Directory.
Here is a really quick and simple way to do it using Winbind for user lookups and Kerberos for authentication.
In this example, I will be using the details below:
Windows Domain Name: nt.example.com
Windows Domain NetBIOS Name: NT
Domain Controller: dc01.nt.example.com
Client Server name: server01.nt.example.com
Setup
1. First, install the necessary components.
yum install -y samba-winbind samba-winbind-clients oddjob-mkhomedir pam_krb5 krb5-workstation
2. Make sure oddjobd runs at startup. This applies to Red Hat Enterprise Linux 6 and other Red Hat based operating systems.
Red Hat Enterprise Linux 5 uses pam_mkhomedir instead. pam_mkhomedir has SELinux issues at present, so on RHEL 6 oddjobd is the way to go.
chkconfig oddjobd on
3. Set authconfig to point at the relevant systems for authentication.
Note: If you do not wish your users to log into your server via a shell, replace --winbindtemplateshell=/bin/bash with --winbindtemplateshell=/sbin/nologin in the command below.
authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=NT --smbrealm=NT.EXAMPLE.COM --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=NT.EXAMPLE.COM --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess
4. Just like in Windows, add your system to the domain. Here I have used the Domain Administrator account, but any account with enough rights to add a system to the domain will suffice.
[root@server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- NT
Joined 'server' to realm 'nt.example.com'
Note: As you are now dealing with Active Directory, Kerberos makes the join time sensitive. Make sure your system clock is synchronised to one of your Domain Controllers as the NTP server.
Otherwise you will end up with errors like this when you try to add the system to the domain:
[root@server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- NT
Joined 'SERVER' to realm 'nt.example.com'
[2012/07/06 17:24:04.397769, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password SERVER$@NT.EXAMPLE.COM failed: Clock skew too great
[root@server ~]#
5. Configure the Winbind backend
The default Winbind backend is fine for a single system being added to Active Directory. However, if you are in a very large Linux estate, as I usually am, you will need to change the backend to ensure that all UIDs/GIDs match across all your systems.
To do this, add the lines below to the global section of your Samba configuration. Replace “NT” with your own domain name.
idmap config NT:backend = rid
idmap config NT:range = 10000000-19999999
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
Just so we are on the same page, my global configuration now looks like this:
workgroup = NT
realm = NT.EXAMPLE.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap config NT:backend = rid
idmap config NT:range = 10000000-19999999
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
6. Restart the Winbind service
Once you have added your system to the domain and changed the configuration, it is important to restart the Winbind service.
[root@server ~]# service winbind restart
Shutting down Winbind services: [FAILED]
Starting Winbind services: [ OK ]
[root@server ~]#
7. Create a Kerberos keytab to enable Single Sign On (SSO)
[root@server ~]# net ads keytab create -U Administrator
Enter Administrator's password:
[root@server ~]#
8. Test the configuration. If you receive no output for a known username, then something is wrong.
[root@server ~]# getent passwd Administrator
administrator:*:16777216:16777216:Administrator:/home/administrator:/bin/bash
[root@server ~]#
or, if you enabled shell logins,
User@workstation:~$ ssh Administrator@server.nt.example.com
Administrator@server.nt.example.com's password:
Your password will expire in 11 days.
Creating home directory for administrator.
[administrator@server ~]$
9. This step is optional. A user's home directory will not exist on the system when that user logs in for the first time; run the command below if you wish to have the home directory created automatically on first login.
[root@server ~]# authconfig --enablemkhomedir --update
Starting Winbind services: [ OK ]
Starting oddjobd: [ OK ]
[root@server ~]#
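As an added example (not part of the original article) of the idmap_rid behaviour behind step 5, the script below parses the rid range out of a constructed smb.conf fragment and computes the UID/GID that winbind derives from an object's RID, refusing RIDs that fall outside the range. The domain SID is constructed; 500 and 513 are the well-known RIDs of the Administrator account and the Domain Users group.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce the ID that
# winbind's idmap_rid backend (step 5) assigns to an AD object, so you can
# predict and verify UID/GID consistency across hosts.
# idmap_rid computes  ID = RID - base_rid + low_range  (base_rid defaults
# to 0), for users and groups alike, and will not map RIDs that fall
# outside the configured range.

# Constructed smb.conf fragment carrying the step 5 settings.
SMB_CONF='[global]
workgroup = NT
realm = NT.EXAMPLE.COM
security = ads
idmap config NT:backend = rid
idmap config NT:range = 10000000-19999999'

# idmap_range DOMAIN -> prints "low high" parsed from that domain's range line
idmap_range() {
    printf '%s\n' "$SMB_CONF" | sed -n \
        "s/^[[:space:]]*idmap config $1:range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p"
}

# sid_to_id DOMAIN SID -> prints the Unix UID/GID for the SID, or returns 1
# when the domain has no rid range or the RID does not fit in it.
sid_to_id() {
    domain=$1
    sid=$2
    rid=${sid##*-}                 # the RID is the last dash-separated field
    case $rid in
        ''|*[!0-9]*) echo "bad SID: $sid" >&2; return 1 ;;
    esac
    set -- $(idmap_range "$domain")
    [ $# -eq 2 ] || { echo "no rid range for domain $domain" >&2; return 1; }
    low=$1
    high=$2
    id=$((rid + low))              # base_rid = 0, so ID = RID + low
    if [ "$id" -gt "$high" ]; then
        echo "RID $rid maps to $id, outside $low-$high: winbind will not map it" >&2
        return 1
    fi
    printf '%s\n' "$id"
}

# Constructed domain SID; 500 and 513 are the well-known RIDs of the
# Administrator account and the Domain Users group.
DOMAIN_SID='S-1-5-21-1111111111-2222222222-3333333333'
sid_to_id NT "$DOMAIN_SID-500"     # prints 10000500
sid_to_id NT "$DOMAIN_SID-513"     # prints 10000513
```

Compare this with the step 8 output, where Administrator received 16777216, the first ID allocated from the default 16777216-33554431 range: with the rid backend every host computes the same 10000500 for that account, which you can confirm on a joined system with `wbinfo -n Administrator` followed by `wbinfo -S <sid>`.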
Dale, kudos on a simple, straightforward, and well written article. It had been quite a while since I joined a Linux workstation to a Windows domain without using a third party product like PowerBroker Identity Services.
The process you articulated here worked so smoothly, I had to let you know I appreciated it!
Cheers!
Hi Steve
This is the best type of feedback I like to hear. I’m very pleased it has worked for you as expected. If you’re looking for ways to enhance this method, you can look into using access controls and granting sudo access based on Active Directory based groups.
Thanks for the comment.
Dale
Hello Dale,
This is a great tutorial.
I have successfully installed samba4 (4.1.9) with roaming profiles on a CentOS 6.5 (64 bit).
Windows 7 Enterprise (64) client joins the new domain and AD users login are authenticated and sign on without issues.
Linux client centos 6.5 (64 bit) joins the samba’s domain and AD user authentication and login works fine but the user’s profile is created on the linux client and not on the server.
I would highly appreciate your assistance to resolve this issue
Thanks
Thanks for the article.
I have a question:
If I implement this, does it affect my current domain controller? I have only one DC and I don't want any issues with it.
Is configuring Samba making a domain controller on Linux? If so, I don't want
a DC in Linux; I just need Squid to work with Active Directory.
Thanks
Hi Hamood
Just to clarify for you, Samba “can” be configured as an old style Domain Controller (similar to an NT style domain); however, winbind is a separate component of the Samba project.
In short, this article will only join a Linux system to Active Directory. It does not in any way configure itself to be a self managed Domain Controller.
Regarding your objective, I have covered Squid integration with Active Directory here:
https://www.dalemacartney.com/2012/07/06/squid-proxy-integration-with-active-directory-the-quick-and-simple-way/
This article is actually a prerequisite of the above article.
It won’t take you long to implement at all.
Dale
Thanks for the article, it’s very simple and clear. I have two questions:
1 – With PowerBroker (Likewise) it’s possible to map AD groups to sudo and also control SSH logins by user/group. How can you achieve the same with winbindd?
2 – Say, for example, you have a virtualized infrastructure and work with templates. What do you think would be the best approach? Join the machines, then create the templates, renaming it every time you deploy a VM, or configure everything and join it after deployment?
Hi Marcos
Believe it or not, I had a client ask me this same thing a few weeks ago. Suggestions below.
1. Have a look at access.conf, you can set up a global configuration to only allow login by specific users/groups. I’ve written a short article here. https://www.dalemacartney.com/2013/01/12/host-based-access-control-with-red-hat-enterprise-linux-6/
2. Cloning an already AD connected server is very messy. The VMs deployed from the template will never be able to authenticate. As an alternative, when you build your template, you could write a startup script (either init or systemd) and set it to start on boot. Once your virtualization manager has deployed the template and given it a hostname/IP/etc., it will power on. When your startup script runs, I would put your custom configuration there. This could be joining Active Directory, setting up access to Satellite or Puppet, or whatever your requirements are.
Once you have finished running what you need, have the last task in the script completely remove itself from the startup config. Either chkconfig the script off or even just delete the script. That way it will only ever run on the first power on. This approach is referred to as “firstboot”.
Thanks.
The config works very well.
Thanks for the article. Can you please tell me how to unjoin from MS Active Directory without Likewise Open?
Thanks
Hi Sham
If you have used this article, and would like to remove a system from Active Directory which is using Winbind, you can do the following:
net ads leave -U domain-admin-user
This will prompt you for the password of your domain admin account. Once this is removed, you can simply uninstall the winbind packages from your local system (yum remove winbind).
Dale
Thanks a lot Dale. I was facing this issue with a FreeRADIUS cloned VM and used likewise-open. Next time I will follow your suggestion.
Thanks again
Dale,
Thanks for the great article. Appreciate how you cover the configuration.
One question:
In order to get the authentication to work, do we need to modify the schema on the AD server to use “Identity Management for Unix” to supply schema attributes for the home directory, uid, gid, etc?
Thanks for a great article…
– Jamie
Hi Jamie
No you do not need to modify your Active Directory schema at all for this method to work, nor do you need any services for UNIX installed.
Winbind uses its own algorithm to generate unique UID’s/GID’s based on the Active Directory objects. (Step 5 shows the algorithm in use and the ID number ranges).
You would need to use services for UNIX and extend the user attributes in Active Directory if you were to connect your systems using LDAP based methods which is not covered in this article.
This article is a simpler alternative.
Dale
Thank you!!!
Of all the AD setups I’ve read, yours is the only one that worked & was easy to understand
This method works great for me. I’ve been using it for all the RHEL6 machines at my office. Thank you for posting it.
I’m going to check out the HBAC method you posted above. To keep out authenticated domain users I didn’t want logging in, I just added an AllowUsers line to my /etc/ssh/sshd_config file. This only permits specific users to log in over SSH.
Two questions:
How could I support offline authentication or cached credentials?
I have child domains within my AD structure. I join my RHEL boxes to the root domain, but sometimes I need to support child domain users authenticating. This tutorial seems to support my root domain users only. Any idea how to get that working?
Thanks!
I have to say it.
Thank you.
You cannot imagine how much time I’ve spent looking for a definitive guide to properly configure authentication to AD from Linux.
I’ve stumbled on several solutions; some worked for a short period of time and others didn’t work at all.
I have really appreciated your work.
Thanks
Thanks for the info. I am actually using winbind-tdb. My smb.conf statement “winbind use default domain=yes” does not seem to work. I have defined the domain name using domainname NT, but wbinfo -g still lists it in front of all the group names. Also, if I get that to work, do I need to include the domainname in my chown and chgrp statements? (chown “NT\user” foo or just chown user foo)
Thanks!
Hi,
Everything worked fine, but when Windows users open the Samba server, user folders are not created automatically. If they log in with SSH, user folders are created.
Please help in this regard.
Thanks
jaany
Dear Dale,
I have configured Samba on RHL 5 acting as a PDC (NT style). I can safely join Windows clients to it, but fail to log in via Linux... Although I have installed Samba on the client machine, when I run net rpc join it says you have joined the domain... but when I try to log in on the client it fails.
I have generated a machine account on the Samba PDC.
I will be thankful for your help.
Thanks for the excellent document on Samba with AD integration. Working fine.
How do I configure SSO with Windows client systems? When a user opens the file server from a Windows system, a folder for the user needs to be created automatically.
Please help in this regard.
Thanks in advance
jaany
First guide I’ve found that actually gets me somewhere; not quite a result, but still a great guide.
I am still facing an issue though: RHEL 6.5 > Windows 2003 AD.
Followed the steps and get:
Joined ‘BFMPC20’ to realm ‘mydomain.local’
DNS Update for bfmpc20.mydomain.local failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
All help appreciated…
Great article, thanks! One question: does this method update the machine account password in Active Directory periodically on its own? If not, do you have a recommendation on how to accomplish this?
I followed this tutorial and I’m blocked when joining the server to the domain. Find my error below:
Failed to join domain: failed to lookup DC info for domain ‘XXXX.xxxxx.COM’ over rpc: Logon failure
Thank you for the posting. Still not working for me 🙁
OEL 6.5 with 2008 AD. Everything is fine up to the
getent passwd command: I can see the information for each user, I can list AD groups, but I cannot ssh to the box; I always receive permission denied.
The only error I can see is in the Samba logs:
lib/util_sock.c:628(open_socket_in) open_socket_in(): setsockopt: SO_REUSEPORT = true on port 445 failed with error = Protocol not available
Thanks
Ileana
Are these still valid configuration options?
workgroup = NT
realm = NT.EXAMPLE.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap config NT:backend = rid
idmap config NT:range = 10000000-19999999
kerberos method = dedicated keytab
dedicated keytab file=/etc/krb5.keytab
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
I suppose
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
have been removed from RHEL 6.5.
Please advise and, if possible, let me know the alternative.
Hi Dale,
This is a very straightforward article on integrating a RHEL system with AD. I have tested it on Red Hat Enterprise Linux 6.5 and it works absolutely fine.
One question I have on this topic: how can I add trusted domains to the configuration, so that users from those trusted domains can also be authorised to access the server?
Thanks.
I’m able to join the server to AD, and even see my username in getent, but I can’t log in with the name. It just comes back with access denied. I am able to su – username and it creates my username's home dir. Note that I didn’t do the krb5 keytab stuff. Do you think I need to? How will I know if I need to? Thanks!
Hello Dale
Thanks for sharing such an easy way to join a Windows domain. I completed all the steps as you said. I have a few questions, if you would please answer.
1) How do I UNJOIN a Linux machine from the Windows domain after doing all the above config successfully?
2) I want to block some users in Active Directory from logging in or SSHing to the Linux server (which is on the domain). I applied the ‘LOGON TO’ restriction for a certain user; that user can’t log in on any Windows machines except the ones in the list, but this policy is not working for the Linux server; that user can still log on to Linux.
Awaiting your reply.
Thank you
Farhad Jamali
Hi, I am a beginner to Linux. I am trying to integrate AD with a Linux server, and after I run “net ads join -U administrator” I get an Operations error. Any tips on how I could resolve this error?
Installed:
krb5-workstation.x86_64 0:1.10.3-33.el6 oddjob-mkhomedir.x86_64 0:0.30-5.el6
pam_krb5.x86_64 0:2.3.11-9.el6
Complete!
[root@501server ~]# chkconfig oddjobd on
[root@501server ~]# authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=ADNETBIOS --smbrealm=research.name.org --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=research.name.org --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess
Starting Winbind services: [ OK ]
[root@501server ~]# net ads join -U administrator
Enter administrator’s password:
Failed to join domain: failed to connect to AD: Operations error
Can anybody tell me how to remove an AD user in Linux?
Will Active Directory group policy apply to a Linux desktop? i.e. password policy, system lock policy etc.
Hi,
When I try these steps, in step 4 I get the error message:
FAILED TO JOIN DOMAIN:FAILED TO FIND DC FOR DOMAIN XXX
I am stuck with this error. Please help me.
You made my day!
Thank you 🙂
Dale, thanks for a great jumpstart article. I am a long time Linux user, but a total noob on SSO and central management. I have 20 CentOS 6.7 (stand-alone) systems to join to AD; would it be better to set up a central CentOS SSO (realm or other) or do each one individually? OBTW, after AD integration comes SmartCard from the Windows AD into the Linux world. Does that change the answer or advice? Thanks again for sharing your experience so succinctly. Niel
Hi, has anyone done this on Windows Server 2003 R2?
Thanks for the article… 🙂