Lab Notes

Things I want to remember how to do.

Joining a CentOS server to Active Directory

September 8, 2013
Active Directory Red Hat RHEL ntp Windows CentOS

As the number of CentOS (or Red Hat) machines in your environment grows, you begin to appreciate the need for a central login mechanism. Most workplaces already have a such a login for their Windows workstations in the form of an Active Directory domain. By joining your CentOS machines to the Active Directory domain, you allow users to login with the same credentials as on their Windows machines. Furthermore you do not need to add or remove users when new people join the team or others drop off the team.

For the purposes of these instructions, we will assume the Active Directory server is ad.example.com and the CentOS server is centos.example.com.

As a first step, we install Samba, kerberos and ntpd.

yum install samba samba-client samba-winbind krb5-workstation ntp

chkconfig smb on

chkconfig nmb on

service smb start

service nmb start

chkconfig ntpd on

ntpdate ad.example.com

We need to install and configure an ntp client because the Kerberos protocol will not work if the two machines' clocks are too far apart. Edit /etc/ntpd.conf remove all the existing server lines and replace them with:

server ad.example.com

Next start the ntpd server with the command service ntpd start.

I have had issues down the road with trying to synchronize the clocks against the Active Directory server; in those cases I configured the two servers to synchronize against the same third-party server. I suspect the problem was a (presumably temporary) issue with time.windows.com, the default Windows NTP server.

Next we want to be able to refer to machines on the local network using their short names. Add the following to /etc/resolv.conf:

search example.com

This may not be necessary depending on how the networking of the CentOS server is configured. For example, I have set up all the servers to use DHCP with reservations to keep all the IP configuration in one place. The DHCP server already is configured to have the clients append .example.com to bare host names so the /etc/resolv.conf already contains this line.

If you are using a static IP, add the following to /etc/hosts, replacing the IP address with the IP for your CentOS server and the host names with the proper values:

192.168.0.10    centos  centos.example.com

If you do not have a static IP, add the host entries to the existing line for localhost (127.0.0.1).

Next we need to configure Kerberos by making the following edits to /etc/krb5.conf (note that the capitalization is important in this file):

[libdefaults]

 default_realm = EXAMPLE.COM

 dns_lookup_realm = true

 dns_lookup_kdc = true

 allow_weak_crypto = yes



[realms]

 EXAMPLE.COM = {

  default_domain = example.com

  kdc = ad.EXAMPLE.COM

  admin-server = ad.EXAMPLE.COM

 }



[domain_realm]

 .example.com = EXAMPLE.COM

 example.com = EXAMPLE.COM

Next edit /etc/samba.conf, changing or adding the following:

# Use the value of your workgroup/domain here

workgroup = MY_WORKGROUP

password server = ad.example.com

realm = EXAMPLE.COM

security = ads

winbind use default domain = true

winbind offline logon = false

encrypt passwords = yes

Finally we can initialize Kerberos and join the domain. You will need the credentials of a user allowed to make changes in the domain (in the example we use administrator).

kinit administrator@EXAMPLE.COM

# Enter the password at the prompt and expect no other output

authconfig --update \

           --kickstart \

           --enablewinbind \

           --enablewinbindauth \

           --smbsecurity=ads \

           --smbrealm=EXAMPLE.COM \

           --winbindjoin=administrator@EXAMPLE.COM \

           --winbindtemplatehomedir=/home/%U \

           --winbindtemplateshell=/bin/bash \

           --enablewinbindusedefaultdomain \

           --enablelocauthorize \

           --smbservers=ad.example.com \

           --enablemkhomedir

At this point you should be done. You should be able to log into the machine using your Windows credentials.

Once in a while I find it is necessary to re-join the domain. Use the following commands:

# Restart all relevant services

service smb stop

service nmb stop

service winbind stop

service winbind start

service nmb start

service smb start

# Re-join the domain

net ads join -S ad.example.com -U administrator

# Restart winbind

service winbind stop

service winbind start

# Test the credentials

wbinfo -t

# List the users

wbinfo -u

If the last two tests do not come out the way you expect (wbinfo -t should report success and wbinfo -u should list all the users in your domain), you have some googling to do. Let me know how it turns out.