Tested with Active Directory 2003 and RHEL 6.0
What we want to do:
- authentication against AD using Winbind and Kerberos
- allowing local and remote (SSH) authentication to members of a specific AD group (linuxadmin)
- allowing members of linuxadmin to use sudo
- UID/GID mapping against AD
- user homedir will be created at first login using pam_mkhomedir
- still possible to log in using local accounts, in case AD is unavailable
Check if resolution works:
# host -t srv _kerberos._tcp.intranet.example.org
_kerberos._tcp.intranet.example.org has SRV record 0 100 88 ad01.intranet.example.org.
_kerberos._tcp.intranet.example.org has SRV record 0 100 88 ad02.intranet.example.org.
_kerberos._tcp.intranet.example.org has SRV record 0 100 88 ad03.intranet.example.org.
Install the necessary packages and enable Winbind at boot:
# yum install samba-common pam_krb5 sudo authconfig
# chkconfig winbind on
Create the directory where homedirs will be stored:
# mkdir /home/EXAMPLE
# chmod 0777 /home/EXAMPLE
IMPORTANT: before proceeding, make sure "hostname -f" returns a FQDN, and that its domain part MATCHES THE AD DOMAIN.
# hostname -f
srv.intranet.example.org
Enable authentication:
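The FQDN requirement can be checked before authconfig is run. The shell function below is an added example, not part of the original post: it takes the output of hostname -f and the Kerberos realm, and succeeds only when the name has a host label in front of a domain equal to the realm (compared case-insensitively, since realms are written in upper case). A bare short hostname, the usual misconfiguration, is rejected outright.

```shell
# Added example (not from the original post): verify that the host's FQDN
# lies in the DNS domain that corresponds to the Kerberos realm.
# $1 = FQDN as printed by `hostname -f`, $2 = realm (e.g. INTRANET.EXAMPLE.ORG)
# Returns 0 when the domain part of the FQDN equals the realm, 1 otherwise.
fqdn_matches_realm() {
    fqdn_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    # A name without a dot is a short hostname, not a FQDN: reject it,
    # since `hostname -f` returning just "srv" is the common mistake.
    case $fqdn_lc in
        *.*) ;;
        *)   return 1 ;;
    esac

    # Drop the host label; the remainder must be exactly the realm's domain.
    domain=${fqdn_lc#*.}
    [ "$domain" = "$realm_lc" ]
}

# Run the check against the live host (realm as used in this post):
#   fqdn_matches_realm "$(hostname -f)" INTRANET.EXAMPLE.ORG || echo "FQDN/realm mismatch"
```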
# authconfig \
    --disablecache \
    --enablewinbind \
    --enablewinbindauth \
    --smbsecurity=ads \
    --smbworkgroup=EXAMPLE \
    --smbrealm=INTRANET.EXAMPLE.ORG \
    --enablewinbindusedefaultdomain \
    --winbindtemplatehomedir=/home/EXAMPLE/%U \
    --winbindtemplateshell=/bin/bash \
    --enablekrb5 \
    --krb5realm=INTRANET.EXAMPLE.ORG \
    --enablekrb5kdcdns \
    --enablekrb5realmdns \
    --enablelocauthorize \
    --enablemkhomedir \
    --enablepamaccess \
    --updateall
Under RHEL 5.0, authconfig didn't have the enablemkhomedir and enablepamaccess options (you'll get "authconfig: error: no such option: --enablemkhomedir").
Winbind should restart by itself; if not:
# service winbind restart
authconfig will modify a couple of files: /etc/samba/smb.conf, /etc/pam.d/system-auth, /etc/nsswitch.conf, etc.
By default, UIDs/GIDs are allocated locally and will differ from one system to another.
In order to always get the same UID/GID for our AD users/groups, we'll map the IDs against AD by modifying /etc/samba/smb.conf:
From:
workgroup = EXAMPLE
realm = INTRANET.EXAMPLE.ORG
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/EXAMPLE/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
To:
workgroup = EXAMPLE
realm = INTRANET.EXAMPLE.ORG
security = ads
idmap domains = EXAMPLE
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:base_rid = 500
idmap config EXAMPLE:range = 500-1000000
#idmap uid = 16777216-33554431
#idmap gid = 16777216-33554431
template homedir = /home/EXAMPLE/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
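Why this yields the same IDs on every host: the rid backend does not allocate IDs, it computes them from the SID as ID = RID - BASE_RID + LOW_RANGE_ID (the formula documented for idmap_rid), where RID is the last component of the SID. The function below is an added example, not from the original post; it reproduces that computation for the settings above, so the result can be compared with the wbinfo -n and getent passwd output shown later in the post (SID ending in -1129, uid 1129).

```shell
# Added example (not part of the original post): how idmap_rid turns a SID
# into a UNIX ID, so the same AD user gets the same UID on every joined host.
# $1 = SID, $2 = base_rid, $3 = range in smb.conf syntax ("low-high").
# Prints the UNIX ID and returns 0, or prints nothing and returns 1 when the
# SID cannot be represented inside the configured range.
rid_to_unix_id() {
    sid=$1
    base_rid=$2
    low=${3%-*}
    high=${3#*-}

    # The RID is the last dash-separated component of the SID.
    rid=${sid##*-}
    case $rid in
        ''|*[!0-9]*) return 1 ;;    # not a numeric RID: unmappable
    esac

    # RIDs below base_rid have no UNIX ID; with base_rid = 500 as in this post,
    # RID 500 (the built-in Administrator account) is the lowest mappable one.
    [ "$rid" -ge "$base_rid" ] || return 1

    # ID = RID - BASE_RID + LOW_RANGE_ID, then enforce the range bounds.
    id=$((rid - base_rid + low))
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ] || return 1
    printf '%s\n' "$id"
}

# With base_rid = 500 and range = 500-1000000 the mapping is the identity on
# the RID, which is why user05 (SID ...-1129) shows up as uid 1129:
#   rid_to_unix_id S-1-5-21-x-x-x-1129 500 500-1000000
```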
Now, to allow only members of the linuxadmin group to log in, edit:
For RHEL 5.6: /etc/pam.d/system-auth
For RHEL 6.0: /etc/pam.d/password-auth
I'll also change the default homedir creation umask.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so user ingroup linuxadmin debug
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
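The group gate in the stack above only works because of its position: the requisite pam_succeed_if.so line sits before the sufficient pam_krb5.so and pam_winbind.so lines, so a non-member is refused before either of those can authenticate him. The shell function below is an added example, not part of the original post; it reads a PAM file and confirms that rule holds for a given group. The three sample stacks it writes are constructed for the check and assume the plain "type control module args" layout (a bracketed control field containing spaces is not parsed).

```shell
# Added example (not part of the original post): check that a PAM file gates
# AD logins on group membership. Rule enforced, taken from the stack in this
# post: in the "auth" section a "requisite" or "required" pam_succeed_if.so
# line carrying "user ingroup <group>" must appear before the first
# pam_krb5.so or pam_winbind.so line. Missing or placed later, the gate is
# never reached because those "sufficient" modules already succeeded.
# Assumption: plain "type control module args" lines; a bracketed control
# field with spaces (e.g. [success=1 default=ignore]) is not recognised.
# $1 = path to the PAM file, $2 = group name. Returns 0 if gated, 1 otherwise.
pam_auth_gates_on_group() {
    awk -v grp="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $1 != "auth"         { next }          # only the auth stack matters here
        $3 == "pam_succeed_if.so" && ($2 == "requisite" || $2 == "required") && !gate {
            # Look for the three tokens "user ingroup <grp>" in the arguments.
            for (i = 4; i + 2 <= NF; i++)
                if ($i == "user" && $(i+1) == "ingroup" && $(i+2) == grp) gate = NR
        }
        ($3 == "pam_krb5.so" || $3 == "pam_winbind.so") && !remote { remote = NR }
        END {
            if (gate && (!remote || gate < remote)) exit 0
            exit 1
        }
    ' "$1"
}

# Constructed sample stacks (auth lines only matter): the gated stack from this
# post, the authconfig default without a gate, and a gate placed too late.
# Prints the directory holding the three files.
write_sample_stacks() {
    dir=$(mktemp -d)
    cat > "$dir/gated" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so user ingroup linuxadmin debug
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
EOF
    cat > "$dir/ungated" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
EOF
    cat > "$dir/misordered" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_succeed_if.so user ingroup linuxadmin debug
auth required pam_deny.so
EOF
    printf '%s\n' "$dir"
}

# Usage on a live host:
#   pam_auth_gates_on_group /etc/pam.d/password-auth linuxadmin && echo gated
```

The ungated file is what the comments below describe on CentOS 5.x: pam_krb5 and pam_winbind authenticate any valid AD user, and nothing in the auth stack ever asks about linuxadmin.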
Restart Winbind:
# service winbind restart
Now, join the machine to the domain; in this example user01 has domain admin permissions.
# net ads join -U user01
user01's password:
Using short domain name -- example
Joined 'SRV' to realm 'INTRANET.EXAMPLE.ORG'
When joining the domain, you could get an error about DNS updates (maybe because the record already exists). This is not a problem.
Restart Winbind again:
# service winbind restart
Check that it works by listing AD groups:
# wbinfo -g
Now, allow users in the linuxadmin group to use sudo:
# echo "%linuxadmin ALL=(ALL) ALL" >> /etc/sudoers
Test authentication using an AD account (in the linuxadmin group) and access to the root account:
On the server, check the logs:
# tail -f /var/log/secure
On the client:
$ ssh user01@srv.intranet.example.org
user01@srv.intranet.example.org's password:
Creating directory '/home/EXAMPLE/user01'.
[user01@srv ~]$ sudo su -
[sudo] password for user01:
[root@srv ~]#
Test with another account, this time one that is not part of the linuxadmin group. The user should be disconnected.
Logs should look something like this:
Apr 17 17:15:52 x sshd[27114]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=user-01
Apr 17 17:15:52 x sshd[27114]: pam_krb5[27114]: authentication succeeds for 'user-01' (user-01@INTRANET.EXAMPLE.ORG)
Apr 17 17:15:52 x sshd[27114]: pam_winbind(sshd:account): [pamh: 0x7f6910199390] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Apr 17 17:15:52 x sshd[27114]: pam_winbind(sshd:account): user 'user-01' granted access
Apr 17 17:15:52 x sshd[27114]: pam_winbind(sshd:account): [pamh: 0x7f6910199390] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)
Apr 17 17:15:52 x sshd[27114]: pam_succeed_if(sshd:account): requirement "user ingroup linuxadmin" was met by user "user-01"
Apr 17 17:15:52 x sshd[27114]: Accepted password for user-01 from 192.168.1.1 port 59369 ssh2
Apr 17 17:15:53 x sshd[27114]: pam_unix(sshd:session): session opened for user user-01 by (uid=0)
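Reading /var/log/secure by hand gets tedious once several people test at once. The shell function below is an added example, not part of the original post: it groups the lines by the sshd PID that handled the attempt and reports one verdict per attempt, using the message patterns visible in this post's logs. The pam_unix "authentication failure" line is expected noise for AD users (they have no entry in /etc/passwd) and is deliberately ignored. The sample log it is fed is constructed, not captured from a real host.

```shell
# Added example (not part of the original post): classify each SSH login
# attempt recorded in /var/log/secure by the sshd PID that handled it.
# Verdicts: "denied-not-in-group" (pam_succeed_if group gate refused the user),
# "accepted" and "failed-password" (sshd's own final lines). The group-gate
# verdict wins over the others for the same PID.
summarise_secure_log() {
    awk '
        # Every relevant line carries "sshd[<pid>]:"; remember the PID.
        match($0, /sshd\[[0-9]+\]/) {
            pid = substr($0, RSTART + 5, RLENGTH - 6)
        }
        # pam_succeed_if refused the user because of the group gate.
        /requirement "user ingroup [^"]*" not met by user/ {
            verdict[pid] = "denied-not-in-group"
        }
        # sshd final verdicts; do not overwrite a group-gate denial.
        /Accepted password for/ { if (!(pid in verdict)) verdict[pid] = "accepted" }
        /Failed password for/   { if (!(pid in verdict)) verdict[pid] = "failed-password" }
        END { for (p in verdict) print p, verdict[p] }
    ' | sort
}

# Constructed sample log (not captured from a real host): a linuxadmin member
# logging in, a non-member stopped by the gate, and a wrong password.
sample_secure_log() {
    cat <<'EOF'
Apr 17 17:15:52 srv sshd[27114]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=user01
Apr 17 17:15:52 srv sshd[27114]: pam_krb5[27114]: authentication succeeds for 'user01' (user01@INTRANET.EXAMPLE.ORG)
Apr 17 17:15:52 srv sshd[27114]: pam_succeed_if(sshd:account): requirement "user ingroup linuxadmin" was met by user "user01"
Apr 17 17:15:52 srv sshd[27114]: Accepted password for user01 from 192.168.1.1 port 59369 ssh2
Apr 17 17:16:05 srv sshd[27140]: pam_krb5[27140]: authentication succeeds for 'user09' (user09@INTRANET.EXAMPLE.ORG)
Apr 17 17:16:05 srv sshd[27140]: pam_succeed_if(sshd:account): requirement "user ingroup linuxadmin" not met by user "user09"
Apr 17 17:16:05 srv sshd[27141]: fatal: Access denied for user user09 by PAM account configuration
Apr 17 17:16:30 srv sshd[27155]: pam_krb5[27155]: authentication fails for 'user01' (user01@INTRANET.EXAMPLE.ORG): Authentication failure
Apr 17 17:16:32 srv sshd[27155]: Failed password for user01 from 192.168.1.1 port 59402 ssh2
EOF
}

# Usage on a live host:   summarise_secure_log < /var/log/secure
# Against the sample:     sample_secure_log | summarise_secure_log
```

On the sample this prints one line per attempt: 27114 accepted, 27140 denied-not-in-group, 27155 failed-password. The "fatal: Access denied" line is logged by a different sshd process (as in the log quoted in the comments below), which is why the verdict is taken from the pam_succeed_if line instead.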
Useful commands:
# wbinfo -n user05
S-1-5-21-x-x-x-1129 User (1)
# getent passwd user05
user05:*:1129:519:John Doe:/home/example/user05:/bin/bash
# getent group linuxadmin
linuxadmin:*:7579:user01,user02,user03,user04
# wbinfo -u
# wbinfo -g
# wbinfo -D EXAMPLE
Name : EXAMPLE
Alt_Name : intranet.example.org
SID : S-1-5-21-x-x-x
Active Directory : Yes
Native : Yes
Primary : Yes
Sequence : -1
Sources:
http://lanestechblog.blogspot.com/2010/11/ad-authentication-with-rhel-6.html
http://conigliaro.org/2008/12/19/active-directory-authentication-with-winbind-on-red-hat-linux/
Hi!
I tested with CentOS. A user not part of the linuxadmin group still logs in OK....
Hi, make sure debug is passed to pam_winbind.so and provide me with the output found in /var/log/secure when trying to log in. It should say if the user meets the condition or not.
hi!
Example: user1 is not part of group linuxadmin and below is /var/log/secure when logging in:
Apr 13 13:21:27 linux-1 sshd[11870]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.1 user=user1
--------------------------------------------------------------------------------
Apr 13 13:21:27 linux-1 sshd[11870]: pam_krb5[11870]: authentication succeeds for 'user1' (user1@LABS.LOCAL)
Apr 13 13:21:27 linux-1 sshd[11870]: pam_winbind(sshd:account): [pamh: 0x097c3ce8] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Apr 13 13:21:27 linux-1 sshd[11870]: pam_winbind(sshd:account): user 'user1' OK
Apr 13 13:21:27 linux-1 sshd[11870]: pam_winbind(sshd:account): user 'user1' granted access
Apr 13 13:21:27 linux-1 sshd[11870]: pam_winbind(sshd:account): [pamh: 0x097c3ce8] LEAVE: pam_sm_acct_mgmt returning 0
Apr 13 13:21:27 linux-1 sshd[11870]: Accepted password for user1 from 192.168.2.1 port 1681 ssh2
Apr 13 13:21:27 linux-1 sshd[11870]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
--------------------------------------------------------------------------------
and another user who is part of group linuxadmin gives the same log!
My domain is: LABS.LOCAL
My Linux is: linux-1.labs.local
Thanks in advance!
Can you post your /etc/pam.d/system-auth?
Which CentOS version are you running?
Hmm
You should see something like:
secure-20110410:Apr 7 16:05:58 rhel6test sshd[5633]: pam_succeed_if(sshd:account): requirement "user ingroup linuxadmin" not met by user "user-01"
secure-20110410:Apr 7 16:05:58 rhel6test sshd[5634]: fatal: Access denied for user user-01 by PAM account configuration
I'm investigating, as I'm getting pretty similar problems on CentOS 5.5.
I'll get back to you.
Hello!
I'm using CentOS 5.5 and here is my /etc/pam.d/system-auth:
http://pastebin.com/raw.php?i=nwuFEQ9K
OK, there are minor differences between CentOS and RHEL apparently.
I fully tested this on RHEL 6.0 and ported it back to CentOS 5.x, but I didn't notice the lack of group membership checks.
I’ll try on RHEL 5.x and let you know if this issue is CentOS specific or 5.x branch specific.
I confirm this is not working on RHEL 5.x either.
My bad, sorry for the mistake. Thanks for reporting.
I need this to work anyway, so I’ll update the post as soon as I get this working on RHEL/CentOS 5.x
Hi,
I've updated the PAM section, can you please check if it works for you?
Thanks
What about allowing multiple groups with RHEL 6/CentOS 6? It seems this should be done through pam.d/sshd?
Works great on RHEL 4. Thanks for keeping me sane.
Hey, very nice, but I have some errors in my secure log, look:
Feb 2 18:00:37 proxy01 sshd[15322]: pam_krb5[15322]: authentication fails for 'my_user' (my_user@DOMAIN.COM): Authentication failure (Cannot read password)
Feb 2 18:00:37 proxy01 sshd[15322]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.65.205 user=my_user
Feb 2 18:00:37 proxy01 sshd[15322]: pam_succeed_if(sshd:auth): 'user' resolves to 'my_user'
Feb 2 18:00:37 proxy01 sshd[15322]: pam_succeed_if(sshd:auth): requirement "user ingroup linux" was met by user "my_user"
Feb 2 18:00:38 proxy01 sshd[15322]: pam_krb5[15322]: error reading keytab 'FILE:/etc/krb5.keytab'
Feb 2 18:00:38 proxy01 sshd[15322]: pam_krb5[15322]: TGT verified
Feb 2 18:00:38 proxy01 sshd[15322]: pam_krb5[15322]: authentication succeeds for 'my_user' (my_user@CECRED.COOP.BR)
Feb 2 18:00:38 proxy01 sshd[15322]: pam_winbind(sshd:account): user 'my_user' granted access
Feb 2 18:00:38 proxy01 sshd[15322]: Accepted password for my_user from 172.20.65.205 port 32998 ssh2
Feb 2 18:00:38 proxy01 sshd[15322]: pam_unix(sshd:session): session opened for user my_user by (uid=0)
Hi there,
Thanks for the detailed howto. I’m having a problem getting this working correctly (CentOS 6.2). I am not concerned with the group membership bit, so I skipped that part.
wbinfo works fine, but "getent passwd username" returns no output, and "id username" produces "No such user".
When attempting to login using ssh /var/log/secure says:
Invalid user sername from…
check pass; user unknown
auth failed
Any ideas?
Many thanks,
Eddy
Wow. I just went back to the top of this post to review it and try to figure out why my system wasn’t working. Very first instruction was to use `host` to test DNS. I had skipped this previously because I knew that our DNS and Kerberos infrastructures were both sound.
So, I went ahead and tried to do that host lookup as described above, guess what? host: command not found (I had installed a minimal CentOS distro). So, yum install bind-utils and voila! Everything works fine.
Thanks for the great howto.
Hi All,
I am trying to authenticate Linux servers through AD. I am using CentOS 5.5 and configured it step by step as mentioned above. But when I try to log in with my AD user it is not accepting the password. See the login details below.
ssh srinivas.kamani@192.168.6.20
srinivas.kamani@192.168.6.20's password:
Permission denied, please try again.
srinivas.kamani@192.168.6.20's password:
/var/log/secure details:
May 15 12:27:06 192.168.6.20 sshd[22455]: Invalid user srinivas.kamani from 127.0.0.1
May 15 12:27:06 192.168.6.20 sshd[22456]: input_userauth_request: invalid user srinivas.kamani
May 15 12:27:08 192.168.6.20 sshd[22455]: pam_unix(sshd:auth): check pass; user unknown
May 15 12:27:08 192.168.6.20 sshd[22455]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dummy6020.zycus.net
May 15 12:27:08 192.168.6.20 sshd[22455]: pam_succeed_if(sshd:auth): error retrieving information about user srinivas.kamani
May 15 12:27:10 192.168.6.20 sshd[22455]: Failed password for invalid user srinivas.kamani from 127.0.0.1 port 37057 ssh2
Is there any other setting where we need to provide AD admin credentials to get authenticated?
My basic requirement is to bring all Linux servers under AD (single sign on)
Thanks & Regards
Srinivas