RHEL 6 clients with Active Directory 2008r2
Environment:
- Windows Server 2008r2 running AD with Identity Management for UNIX and DNS
- IP: 192.168.1.80
- Hostname: ad.zews-ad.org
- Domain: ZEWS-AD.ORG
- RHEL 6.2
- IP: 192.168.1.81
- Hostname: rhel6.zews-ad.org
Kerberos config
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ZEWS-AD.ORG
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
ZEWS-AD.ORG = {
kdc = ad.zews-ad.org
admin_server = ad.zews-ad.org
default_domain = zews-ad.org
}
[domain_realm]
zews-ad.org = ZEWS-AD.ORG
.zews-ad.org = ZEWS-AD.ORG
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Samba configuration
Samba needs only a minimal configuration to join the host to your AD domain. Make the following changes to the [global] section. The kerberos method setting is important because it makes the join automatically generate the keytab file, which lets the host authenticate to AD on its own; the sssd configuration below depends on that keytab.
/etc/samba/smb.conf
workgroup = ZEWS-AD
server string = rhel6 Linux Server
netbios name = RHEL6
log file = /var/log/samba/log.%m
max log size = 50
security = ads
dedicated keytab file = /etc/krb5.keytab
kerberos method = system keytab
realm = zews-ad.org
passdb backend = tdbsam
Join the Domain
net ads join osName=RHEL osVer=6 -U Administrator
Enter your AD administrator password. This can also be done with any account that has the ability to join a host to the domain.
List entries in your krb5.keytab
klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/rhel6.zews-ad.org@ZEWS-AD.ORG (des-cbc-crc)
2 host/rhel6.zews-ad.org@ZEWS-AD.ORG (des-cbc-md5)
2 host/rhel6.zews-ad.org@ZEWS-AD.ORG (arcfour-hmac)
2 host/rhel6@ZEWS-AD.ORG (des-cbc-crc)
2 host/rhel6@ZEWS-AD.ORG (des-cbc-md5)
2 host/rhel6@ZEWS-AD.ORG (arcfour-hmac)
2 RHEL6$@ZEWS-AD.ORG (des-cbc-crc)
2 RHEL6$@ZEWS-AD.ORG (des-cbc-md5)
2 RHEL6$@ZEWS-AD.ORG (arcfour-hmac)
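The keytab listing is the first place to look when the later kinit or sssd steps fail, so here is a small check script for it. This is an added example, not part of the original howto: it parses the klist -ke output format shown above (embedded below as a constructed copy of that listing), confirms the three principals the join is expected to create, and counts the single-DES entries, since des-cbc-crc and des-cbc-md5 are deprecated Kerberos enctypes and worth knowing about. The host name and realm are passed as arguments; the names used here match the environment above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a `klist -ke` listing.
# SAMPLE_KEYTAB_LISTING is a constructed copy of the listing shown above;
# on a real host pass "$(klist -ke)" instead.
SAMPLE_KEYTAB_LISTING='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhel6.zews-ad.org@ZEWS-AD.ORG (des-cbc-crc)
   2 host/rhel6.zews-ad.org@ZEWS-AD.ORG (des-cbc-md5)
   2 host/rhel6.zews-ad.org@ZEWS-AD.ORG (arcfour-hmac)
   2 host/rhel6@ZEWS-AD.ORG (des-cbc-crc)
   2 host/rhel6@ZEWS-AD.ORG (des-cbc-md5)
   2 host/rhel6@ZEWS-AD.ORG (arcfour-hmac)
   2 RHEL6$@ZEWS-AD.ORG (des-cbc-crc)
   2 RHEL6$@ZEWS-AD.ORG (des-cbc-md5)
   2 RHEL6$@ZEWS-AD.ORG (arcfour-hmac)'

# Print each distinct principal: entry lines start with a numeric KVNO,
# the principal is the second column.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Exit 0 if the listing holds a key for principal $2, otherwise 1.
keytab_has_principal() {
    keytab_principals "$1" | grep -Fxq "$2"
}

# Count entries whose enctype is single DES (des-cbc-crc or des-cbc-md5).
keytab_count_weak() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && $3 ~ /des-cbc-(crc|md5)/ { n++ } END { print n + 0 }'
}

# Report on the listing ($1) for host $2 in realm $3: the join is expected to
# create host/<fqdn>, host/<shortname> and <SHORTNAME>$ principals.
# Exit 0 only if all three are present.
keytab_report() {
    listing=$1
    fqdn=$2
    realm=$3
    short=${fqdn%%.*}
    upper=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
    missing=0
    for p in "host/$fqdn@$realm" "host/$short@$realm" "$upper\$@$realm"; do
        if keytab_has_principal "$listing" "$p"; then
            echo "ok       $p"
        else
            echo "MISSING  $p"
            missing=$((missing + 1))
        fi
    done
    echo "single-DES keys in keytab: $(keytab_count_weak "$listing")"
    [ "$missing" -eq 0 ]
}

# Run against the constructed sample; prints three "ok" lines and "6" DES keys.
keytab_report "$SAMPLE_KEYTAB_LISTING" rhel6.zews-ad.org ZEWS-AD.ORG
```

On the joined host the call becomes `keytab_report "$(klist -ke)" "$(hostname -f)" ZEWS-AD.ORG`; a MISSING line points at a join that did not write the keytab (check the kerberos method and dedicated keytab file settings in smb.conf), and the DES count shows how many entries rely on deprecated enctypes.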
Test kerberos keys:
kinit -k RHEL6$
The command should return to a prompt with no errors.
nsswitch
Edit /etc/nsswitch.conf
passwd: files sss
shadow: files
group: files sss
Adding sss to the passwd and group lines allows your system to use sssd for password and group entries.
Configure SSSD
Here is my working /etc/sssd/sssd.conf file. Make the appropriate changes for your environment.
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
[pam]
[domain/default]
debug_level=10
enumerate = true
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ad.zews-ad.org
ldap_search_base = dc=zews-ad, dc=org
ldap_id_use_start_tls = False
ldap_user_search_base = dc=zews-ad,dc=org
ldap_group_search_base = dc=zews-ad,dc=org
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = RHEL6$@ZEWS-AD.ORG
auth_provider = krb5
cache_credentials = true
krb5_server = ad.zews-ad.org
krb5_realm = ZEWS-AD.ORG
krb5_ccachedir = /tmp
krb5_auth_timeout = 15
ldap_user_object_class = person
ldap_user_modify_timestamp = whenChanged
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
Restart SSSD:
/etc/init.d/sssd restart
You can check the /var/log/sssd/sssd_default.log file to verify that your LDAP directory was successfully loaded.
Pam configuration
Add pam_sss.so lines to /etc/pam.d/system-auth
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
You can also add the following line to the session section for automatic creation of home directories:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
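The order of the lines above matters: in the auth stack pam_sss.so is "sufficient" and must be consulted before the "required" pam_deny.so, otherwise every AD user is rejected before sssd is ever asked. The following check script is an added example, not part of the original howto; it works on a constructed copy of the system-auth file above and of the nsswitch.conf lines, verifies that pam_sss.so is present in all four stacks and precedes pam_deny.so in auth, and that passwd and group resolve through sss. On a real host feed it "$(cat /etc/pam.d/system-auth)" and "$(cat /etc/nsswitch.conf)".

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the PAM stack and
# nsswitch wiring for sssd. Both samples below are constructed copies of the
# configuration shown in this howto.
SAMPLE_SYSTEM_AUTH='#%PAM-1.0
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/'

# Constructed misordered auth stack: pam_deny.so comes before pam_sss.so,
# so an AD user is denied before sssd is consulted.
BROKEN_AUTH='auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
auth sufficient pam_sss.so use_first_pass'

SAMPLE_NSSWITCH='passwd: files sss
shadow: files
group: files sss'

# Position (1-based, counting only lines of stack type $2) of the first line
# that names module $3; prints 0 if the module is absent. Matching on the
# whole line copes with bracketed control fields such as [default=bad ...].
pam_module_pos() {
    printf '%s\n' "$1" | awk -v type="$2" -v mod="$3" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == type {
            n++
            if (!found && $0 ~ ("[[:space:]]" mod "([[:space:]]|$)")) found = n
        }
        END { print found + 0 }'
}

# Exit 0 if the auth stack either lacks pam_deny.so or lists pam_sss.so
# before it (a present pam_sss.so after pam_deny.so is unreachable).
pam_sss_before_deny() {
    sss=$(pam_module_pos "$1" auth pam_sss.so)
    deny=$(pam_module_pos "$1" auth pam_deny.so)
    [ "$sss" -ne 0 ] && { [ "$deny" -eq 0 ] || [ "$sss" -lt "$deny" ]; }
}

# Check all four stacks for pam_sss.so and the auth ordering; exit 0 if clean.
pam_check_sss() {
    rc=0
    for t in auth account password session; do
        pos=$(pam_module_pos "$1" "$t" pam_sss.so)
        if [ "$pos" -eq 0 ]; then
            echo "$t: pam_sss.so missing"
            rc=1
        else
            echo "$t: pam_sss.so at position $pos"
        fi
    done
    if ! pam_sss_before_deny "$1"; then
        echo "auth: pam_sss.so is absent or listed after pam_deny.so"
        rc=1
    fi
    return $rc
}

# Exit 0 if database $2 (passwd, group, ...) in the nsswitch text $1 lists sss.
nss_uses_sss() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run against the constructed samples.
pam_check_sss "$SAMPLE_SYSTEM_AUTH"
nss_uses_sss "$SAMPLE_NSSWITCH" passwd && echo "passwd: sss enabled"
nss_uses_sss "$SAMPLE_NSSWITCH" group && echo "group: sss enabled"
```

Because authconfig regenerates system-auth, running this after any authconfig invocation is a cheap way to confirm the pam_sss.so lines survived and are still ordered correctly.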
There you have it: full integration of authentication and directory services from a RHEL 6 host to Active Directory with no need for any third-party software.
Thank you to Maxim Burgerhout for his awesome howto here: http://www.wzzrd.com/2011/10/linux-in-windows-2008-active-directory.html