Wednesday, 2 July 2014

Adding Red Hat Enterprise Linux 6 System to Microsoft Active Directory



  • This article works perfectly with CentOS 6.5 and Microsoft Windows Server 2012 R2.
  • Here is a quick and simple way for adding RHEL 6 system to Microsoft AD.


1) Firstly, configure your system according to your need along with proper internet connection or proxy settings and verify that your system is reaching the AD. 

2) Install the prerequisites.
yum install -y samba-winbind samba-winbind-clients oddjob-mkhomedir pam_krb5 krb5-workstation nscd.x86_64

3) Make sure OddJobd is running at Startup. This is only for Red Hat Enterprise Linux 6 and other Red Hat based Operating systems.
Red Hat Enterprise Linux 5 will use pam_mkhomedir. pam_mkhomedir has SELinux issues at present, so oddjobd is the way to go.
chkconfig oddjobd on

4) Set authconfig to point to the relevant systems for Authentication.
Note: If you do not wish your users to log into your server via a shell, set –winbindtemplateshell to –winbindtemplateshell=/sbin/nologin

authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=<domain> --smbrealm=<domain.example.com or FQDN> --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=<domain.example.com or FQDN> --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess

5) Just like in Windows, Add your system to the domain. Here I have used the Domain Administrator account, but any account with enough rights to add a system to the domain will suffice.
[root@server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- <domain>
Joined 'server' to realm 'domain.example.com or FQDN'
Note: As you are now dealing with Active Directory, it now becomes time sensitive. Make sure your system clock is pointing to one of your Domain Controllers as the NTP server.
Otherwise you will end up with errors like this when you try to add the system to the domain.
[root@server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- NT
Joined 'SERVER' to realm 'nt.example.com'
[2012/07/06 17:24:04.397769,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password SERVER$@NT.EXAMPLE.COM failed: Clock skew too great
[root@server ~]#

6) Configure Winbind Backend
The default Winbind backend is great for single systems being added to Active Directory, however if you are in a very large Linux estate, you will need to change the backend to ensure that all UID’s/GID’s match across all your systems.
To do this, add the below lines to your global Samba configuration. Replace <domain> with your own Domain name.
idmap config <domain>:backend = rid
idmap config <domain>:range = 10000000-19999999
kerberos method = dedicated keytab
dedicated keytab file=/etc/krb5.keytab 

7) Restart Winbind and nscd services
Once you have added your system to the domain, it is important to restart the Winbind and nscd service.
[root@server ~]# service winbind restart
Shutting down Winbind services:                       [FAILED]
Starting Winbind services:                                 [  OK  ]
[root@server ~]# service nscd restart
Shutting down nscd services:                            [FAILED]
Starting nscd services:                                      [  OK  ]

8) Create a Kerberos keytab to enable Single Sign On (SSO)
[root@server ~]# net ads keytab create -U Administrator
Enter Administrator's password:
[root@server ~]#

9) Test configuration. If you receive no output for a known username, then something is wrong.
[root@server ~]# getent passwd Administrator
administrator:*:16777216:16777216:Administrator:/home/administrator:/bin/bash
[root@server ~]#
or, if you enabled shell logins,
User@workstation:~$ ssh Administrator@<fqdm>
Administrator@<fqdn>'s password: 
Your password will expire in 11 days.

Creating home directory for administrator.
[administrator@server ~]$

10) This is optional, your home directory will not exist on the system when a new user logs in, run the below command if you with to have the homedir automatically created on first login.
[root@server ~]# authconfig --enablemkhomedir --update
Starting Winbind services:                             [  OK  ]
Starting oddjobd:                                          [  OK  ]
[root@server ~]#

No comments:

Post a Comment