Search

September 8, 2013

Joining a CentOS server to Active Directory

As the number of CentOS (or Red Hat) machines in your environment grows, you begin to appreciate the need for a central login mechanism. Most workplaces already have a such a login for their Windows workstations in the form of an Active Directory domain. By joining your CentOS machines to the Active Directory domain, you allow users to login with the same credentials as on their Windows machines. Furthermore you do not need to add or remove users when new people join the team or others drop off the team.

For the purposes of these instructions, we will assume the Active Directory server is ad.example.com and the CentOS server is centos.example.com.

As a first step, we install Samba, kerberos and ntpd.

yum install samba samba-client samba-winbind krb5-workstation ntp
chkconfig smb on
chkconfig nmb on
service smb start
service nmb start
chkconfig ntpd on
ntpdate ad.example.com

We need to install and configure an ntp client because the Kerberos protocol will not work if the two machines' clocks are too far apart. Edit /etc/ntpd.conf remove all the existing server lines and replace them with:

server ad.example.com

Next start the ntpd server with the command service ntpd start.

I have had issues down the road with trying to synchronize the clocks against the Active Directory server; in those cases I configured the two servers to synchronize against the same third-party server. I suspect the problem was a (presumably temporary) issue with time.windows.com, the default Windows NTP server.

Next we want to be able to refer to machines on the local network using their short names. Add the following to /etc/resolv.conf:

search example.com

This may not be necessary depending on how the networking of the CentOS server is configured. For example, I have set up all the servers to use DHCP with reservations to keep all the IP configuration in one place. The DHCP server already is configured to have the clients append .example.com to bare host names so the /etc/resolv.conf already contains this line.

If you are using a static IP, add the following to /etc/hosts, replacing the IP address with the IP for your CentOS server and the host names with the proper values:

192.168.0.10    centos  centos.example.com

If you do not have a static IP, add the host entries to the existing line for localhost (127.0.0.1).

Next we need to configure Kerberos by making the following edits to /etc/krb5.conf (note that the capitalization is important in this file):

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 allow_weak_crypto = yes

[realms]
 EXAMPLE.COM = {
  default_domain = example.com
  kdc = ad.EXAMPLE.COM
  admin-server = ad.EXAMPLE.COM
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Next edit /etc/samba.conf, changing or adding the following:

# Use the value of your workgroup/domain here
workgroup = MY_WORKGROUP
password server = ad.example.com
realm = EXAMPLE.COM
security = ads
winbind use default domain = true
winbind offline logon = false
encrypt passwords = yes

Finally we can initialize Kerberos and join the domain. You will need the credentials of a user allowed to make changes in the domain (in the example we use administrator).

kinit administrator@EXAMPLE.COM
# Enter the password at the prompt and expect no other output
authconfig --update \
           --kickstart \
           --enablewinbind \
           --enablewinbindauth \
           --smbsecurity=ads \
           --smbrealm=EXAMPLE.COM \
           --winbindjoin=administrator@EXAMPLE.COM \
           --winbindtemplatehomedir=/home/%U \
           --winbindtemplateshell=/bin/bash \
           --enablewinbindusedefaultdomain \
           --enablelocauthorize \
           --smbservers=ad.example.com \
           --enablemkhomedir

At this point you should be done. You should be able to log into the machine using your Windows credentials.

Once in a while I find it is necessary to re-join the domain. Use the following commands:

# Restart all relevant services
service smb stop
service nmb stop
service winbind stop
service winbind start
service nmb start
service smb start
# Re-join the domain
net ads join -S ad.example.com -U administrator
# Restart winbind
service winbind stop
service winbind start
# Test the credentials
wbinfo -t
# List the users
wbinfo -u

If the last two tests do not come out the way you expect (wbinfo -t should report success and wbinfo -u should list all the users in your domain), you have some googling to do. Let me know how it turns out.