Active Directory Authentication with CentOS

Active Directory authentication for CentOS is quite easy to configure. Active Directory is a central authentication system that organisations all over the world have relied on for years. It is super easy to set up for your Windows and Mac desktops but is sometimes a little harder with a Linux workstation. Everything here was done on a CentOS 6.5 minimal install with nothing but a LAMP stack installed.

There is one step you need to take to get your machine ready for configuration: install the following packages, if they aren’t already installed.


# yum -y install authconfig krb5-workstation pam_krb5 samba-common oddjob-mkhomedir

This will install everything you need to get up and running. There are two ways to configure the authentication: from the command line (authconfig) or via a console GUI (authconfig-tui). Both work; it just depends on which version you are comfortable with.

Authconfig

# authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=DOMAIN --smbrealm=DOMAIN.COM.AU --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/DOMAIN/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=DOMAIN.COM.AU --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

This will set up the necessary config files for both Kerberos and Samba. There are more config files to update from here.

Please note: when I ran this I got an error with oddjobd not being able to start. You can read the details in this post. Just make sure that the messagebus service is running.

Kerberos (/etc/krb5.conf)

Check that the file was generated, then add the relevant realms and domain_realm entries for your domain. If you have multiple domain controllers you can add extra kdc lines, as below.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM.AU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

 DOMAIN.COM.AU = {
  admin_server = domain.com.au
  kdc = dc1.domain.com.au
  kdc = dc2.domain.com.au
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 domain.com.au = DOMAIN.COM.AU
 .domain.com.au = DOMAIN.COM.AU

Save the file and test that it works using the kinit command.


# kinit someaduser

A password prompt will be displayed; type in the Active Directory password for that user and it should return to the prompt with no messages. You can then check that you have your Kerberos ticket by running the klist command. It should output something like the following.


Ticket cache: FILE:/tmp/krb5cc_0
Default principal: someaduser@DOMAIN.COM.AU

Valid starting Expires Service principal
02/27/14 12:23:21 02/27/14 22:23:21 krbtgt/DOMAIN.COM.AU@DOMAIN.COM.AU
 renew until 03/06/14 12:23:19

Join the Domain

You’re now ready to join the machine to the domain, using the trusty net command.


# net ads join domain.com.au -U someadadmin

You can test that this worked by running the following command:


# net ads testjoin
Join is OK

Console GUI

The other option for configuring AD authentication is the console GUI version of authconfig. This pops up a familiar-looking interface (think console Red Hat installer) that is pretty straightforward to configure. Start the GUI tool:


# authconfig-tui

You will get a screen like the following; make sure that only the items listed below are checked.

[Screenshot: authconfig-tui-1]

User Information

  • Use Winbind

Authentication

  • Use Shadow Passwords
  • Use Kerberos
  • Local authorization is enough

Make the above selections, then select Next and you’ll be on the Kerberos settings screen.

[Screenshot: authconfig-tui-2]

Settings for this screen are as follows:

Realm: DOMAIN.COM.AU
KDC: dc1.domain.com.au,dc2.domain.com.au
Admin Server: domain.com.au

On the next screen you will find the Winbind settings.

[Screenshot: authconfig-tui-3]

Settings for this screen are as follows:

Security Model: ads
Domain: DOMAIN
Domain Controllers: dc1.domain.com.au,dc2.domain.com.au
ADS Realm: DOMAIN.COM.AU
Template Shell: /bin/bash (you can change to sh if you’d like)

Select Join Domain.

You’ll be prompted to save the details.

[Screenshot: authconfig-tui-4]

This will overwrite any other settings you would have had configured for this machine. You will then be prompted to provide domain admin credentials.

[Screenshot: authconfig-tui-5]

This will run the following command behind the scenes and then join you to the domain.


/usr/bin/net join -w DOMAIN -S dc1.domain.com.au -U Administrator

Note: if for any reason this doesn’t work in authconfig-tui, select OK, return to the prompt and manually run the command above.

Home Directories

You don’t really need to do this step, but I find it’s a nice clean way to make sure you separate domain users from your local users. Back in the command-line authconfig step you used the following switches:

--winbindtemplatehomedir=/home/DOMAIN/%U --enablemkhomedir

These switches enable automatic creation of home directories. For this to work with the GUI version you will need to run authconfig with those two switches.


authconfig --winbindtemplatehomedir=/home/DOMAIN/%U --enablemkhomedir --update

This tells oddjobd to put any new home directories at /home/yourdomain/username. You will need to create the /home/yourdomain path and make sure the permissions are correct. I’ll be using ACLs, as they allow much finer-grained permissions. ACLs ship with pretty much all modern Linux distributions these days.


# mkdir /home/DOMAIN
# setfacl -m group:"Domain Users":rwx /home/DOMAIN

Please note: there is a bug in oddjobd-mkhomedir that creates the home directory with 755 permissions, which allows group and world to read every home directory. You can read the bug on Red Hat’s Bugzilla.
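Because of that bug, it is worth auditing the domain home root for directories that were already created world-readable and tightening them. The script below is an added example, not from the original post: it builds a constructed sample tree in a temporary directory standing in for /home/DOMAIN, relies on GNU find’s -perm /mode and GNU stat (both on CentOS), and only cleans up existing directories; the mode oddjobd gives new ones is a separate setting.

```shell
#!/bin/sh
# Constructed sample tree standing in for /home/DOMAIN: one home directory
# left at 755 by the mkhomedir bug and one that is already private.
DEMO_HOME=$(mktemp -d)
mkdir -m 755 "$DEMO_HOME/alice"
mkdir -m 700 "$DEMO_HOME/bob"
touch "$DEMO_HOME/alice/.bash_history"

# find_exposed_homes ROOT: print each home directory directly under ROOT
# whose mode grants group or world any permission bit (GNU find -perm /mode).
find_exposed_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077
}

# harden_homes ROOT: reset every exposed home directory to 0700 and print
# how many were changed. Only the top-level directory is touched; files
# inside it keep their own modes.
harden_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 \
        -exec chmod 700 {} \; -print | wc -l | tr -d ' '
}

# home_mode DIR: octal mode of DIR, used to verify the result (GNU stat).
home_mode() {
    stat -c %a "$1"
}

echo "exposed before: $(find_exposed_homes "$DEMO_HOME" | wc -l | tr -d ' ')"
FIXED=$(harden_homes "$DEMO_HOME")
echo "fixed: $FIXED"
echo "exposed after: $(find_exposed_homes "$DEMO_HOME" | wc -l | tr -d ' ')"
```

Run it against the real root (for example `harden_homes /home/DOMAIN`) after the mkhomedir bug has bitten; a second run reports 0, so it is safe to schedule.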

Restrict AD Logins (Optional)

In my environment I only want to allow the Linux admins to use their AD logins to SSH to the servers I have configured. You can restrict which AD groups can log in to the machine by adding the AllowGroups directive to sshd_config and restarting sshd.


# echo 'AllowGroups linuxadmins' >> /etc/ssh/sshd_config
# service sshd restart

This will echo the required groups into the sshd config and then restart the service, which restricts SSH logins to those specific groups. If you’d like to configure AD access to more services you will have to check elsewhere. If I find the need to do this myself I’ll update this documentation to include it.
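One caveat with appending the directive via echo: sshd uses the first value it reads for a keyword, so an existing AllowGroups line wins over the appended one, and if the file ends with a Match block the appended line lands inside that block rather than at global scope. The script below is an added example, not from the original post: it writes the directive as the first line and drops any older global copies, working on a constructed sample sshd_config in a temporary directory (the group name linuxadmins is the one used above; with --enablewinbindusedefaultdomain, AD group names appear without the DOMAIN\ prefix).

```shell
#!/bin/sh
# Constructed sample sshd_config (not a real system file). It already carries
# an AllowGroups line that a plain 'echo >>' would never override, and it ends
# with a Match block that an appended line would fall inside.
DEMO_DIR=$(mktemp -d)
DEMO_CFG="$DEMO_DIR/sshd_config"
cat > "$DEMO_CFG" <<'EOF'
Port 22
AllowGroups wheel
PasswordAuthentication yes
Match User backup
    AllowGroups backupops
EOF

# set_allow_groups CONFIG GROUP...: make the given groups the effective global
# AllowGroups. The new line is written first so sshd's first-value rule picks
# it; older global AllowGroups lines are dropped, lines inside Match blocks
# are left as they are.
set_allow_groups() {
    cfg="$1"; shift
    {
        printf 'AllowGroups %s\n' "$*"
        awk '/^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
             !in_match && $1 == "AllowGroups" { next }
             { print }' "$cfg"
    } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# effective_allow_groups CONFIG: print the global group list sshd will enforce
# (the first AllowGroups line before any Match block).
effective_allow_groups() {
    awk '/^[[:space:]]*Match[[:space:]]/ { exit }
         $1 == "AllowGroups" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

set_allow_groups "$DEMO_CFG" linuxadmins
echo "sshd will enforce: $(effective_allow_groups "$DEMO_CFG")"
cat "$DEMO_CFG"
```

On the real file, run `sshd -t` to validate the configuration before `service sshd restart`, so a typo in the group list cannot lock you out.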