Joining a Linux Red Hat server to AD (Active Directory)
Disclaimer: These steps worked for my environment; this procedure is meant to give you an idea of what needs to be done to authenticate via AD.
Replace EXAMPLE.NET (and EXAMPLE, the short NetBIOS domain name) with whatever fits your domain.
As a first step the box needs to be updated to RHEL 6.4, to pick up the documented bug fixes.
As root type:
yum update
Reboot the system.
export NSS_HASH_ALG_SUPPORT=+MD5
This re-enables MD5 certificate signatures in NSS (which the OpenLDAP client libraries on RHEL 6 are built against), for the current shell only. It is a security downgrade: set it only if the domain's certificates are still MD5-signed, and drop it once they are reissued.
The /etc/samba/smb.conf needs to look like this (the deprecated idmap uid / idmap gid lines are written in the idmap config * form that replaced them in Samba 3.6, and the default range is moved so it no longer overlaps the domain range; Samba requires the ranges of different backends to be disjoint):
[global]
security = ads
realm = EXAMPLE.NET
; with security = ads the DCs are located through DNS SRV records, so this only pins one
password server = EXAMPLE.NET
; short NetBIOS domain name, as provided by the AD
workgroup = EXAMPLE
; enumeration makes getent and wbinfo -u list everything, but is expensive in large domains
winbind enum users = yes
winbind enum groups = yes
; default backend for anything that is not the EXAMPLE domain (BUILTIN, trusted domains)
idmap config * : backend = tdb
idmap config * : range = 20000000-29999999
; EXAMPLE accounts get deterministic ids derived from their RID
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000000-19999999
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
; log in as "user" rather than "EXAMPLE\user"
winbind use default domain = yes
restrict anonymous = yes
; net ads join writes the host keys into /etc/krb5.keytab
kerberos method = system keytab
/etc/krb5.conf should look like this. The realm name must be upper-case everywhere Kerberos sees it: realm names are case-sensitive and AD realms are upper-case, so a lowercase default_realm does not match what the DCs issue. The [realms] block must carry the same realm name (the original draft still had a leftover from another environment there), and the [domain_realm] section needs both the bare domain and the dotted form so that hosts inside the domain map to the realm as well. With dns_lookup_kdc = true the DCs are found through DNS SRV records, so the explicit kdc entry only pins one.
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
#EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
#}
EXAMPLE.NET = {
kdc = T_SERVER.EXAMPLE.NET
admin_server = T_SERVER.EXAMPLE.NET
}
[domain_realm]
#.example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.example.net = EXAMPLE.NET
example.net = EXAMPLE.NET
The /etc/sssd/sssd.conf (kept here for reference: with the nsswitch.conf and PAM settings below, lookups and logins go through winbind, not SSSD. If you do start sssd, the file must be owned by root with mode 0600 or sssd refuses to start.)
[domain/default]
# False sends identity lookups in the clear; set True and point ldap_tls_cacert at the domain CA certificate where possible
ldap_id_use_start_tls = False
ldap_schema = rfc2307bis
ldap_search_base = dc=users,dc=ad,dc=example,dc=net
ldap_user_object_class = user
krb5_realm = EXAMPLE.NET
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldap://example.net
# krb5_kdcip is the deprecated spelling of this option
krb5_server = example.net
cache_credentials = True
[domain/example.net]
id_provider = ad
ad_server = example.net
# False requires POSIX uidNumber/gidNumber attributes on the AD accounts
ldap_id_mapping = False
ldap_schema = ad
[sssd]
services = nss, pam
config_file_version = 2
domains = default, example.net
[nss]
Get a Kerberos ticket as an account that is allowed to join computers to the domain (replace user and the domain name with your own). Kerberos rejects requests from hosts whose clock differs from the DC by more than the skew limit (5 minutes by default), so sync time with the DCs before this step or kinit fails with a clock-skew error.
As root type:
kinit user@EXAMPLE.NET
Type your password; klist should then show a TGT for EXAMPLE.NET.
Now we need to join the server to the domain. If the domain admins issued a keytab for this host, place it at /etc/krb5.keytab first; otherwise there is nothing to copy, because kerberos method = system keytab makes net ads join write the host's keys into /etc/krb5.keytab itself.
# net ads join -U user@EXAMPLE.NET
Type your password. net ads testjoin confirms the membership, and klist -k /etc/krb5.keytab shows the host principals the join created.
Modify /etc/nsswitch.conf so that passwd, shadow and group look like this (the sss entries stay commented out because winbind, not SSSD, serves the lookups):
#passwd: files sss
passwd: compat winbind
#shadow: files sss
shadow: compat
#group: files sss
group: compat winbind
Start the samba and winbind services (winbind is what provides the lookups and authentication; smb is only needed if this host also serves shares), and enable both with chkconfig so they come back after a reboot.
As root:
#service smb start
#service winbind start
Check that winbind is able to talk to the AD:
wbinfo -u
You should get the domain users; if you don't, winbind is not talking to a DC and nothing further will work (wbinfo -t additionally verifies the machine account's trust secret created by the join).
Test getent passwd; the domain accounts should be listed after the local ones, e.g.
#getent passwd
EXAMPLE\the_cisco
EXAMPLE\el_marrano
(With winbind use default domain = yes they appear without the EXAMPLE\ prefix.)
Test winbind authentication. If you leave out %password, wbinfo prompts for it, which keeps the password out of your shell history and the process list:
wbinfo -a EXAMPLE.NET\\user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
Add this entry to /etc/pam.d/password-auth (on RHEL 6, /etc/pam.d/sshd pulls password-auth in through "auth include password-auth", so adding it to sshd as well is harmless but redundant):
auth sufficient pam_winbind.so
It must sit before the "auth required pam_deny.so" line, or the stack is denied before winbind is ever consulted; placing it right after pam_unix with use_first_pass avoids a second password prompt. Because template homedir points at /home/%D/%U, which does not exist for a fresh domain user, add pam_mkhomedir.so to the session stack too (authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update rewrites these files for you).
You should now be able to log in using ssh.
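Several of the ways this procedure fails are the files above disagreeing with each other. The following script is an added example, not part of the original post: it lints copies of smb.conf, krb5.conf, nsswitch.conf and password-auth for the consistency rules the steps rely on (upper-case realm, smb.conf realm identical to krb5.conf default_realm, disjoint idmap ranges, winbind present in passwd and group, pam_winbind ahead of pam_deny). The sample files it writes are constructed in a temporary directory with placeholder names and ranges and deliberately contain three of those mistakes; point the check_* functions at the real /etc files to lint a host.

```shell
#!/bin/sh
# Lint for the AD-join configs above. The sample files are CONSTRUCTED for this
# example (placeholder names and ranges, no real environment) and deliberately
# contain three mistakes that break a join: a lowercase Kerberos realm,
# overlapping idmap ranges, and pam_winbind placed after pam_deny.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

write_samples() {  # $1 = directory that receives the constructed configs
    cat > "$1/smb.conf" <<'EOF'
[global]
security = ads
realm = EXAMPLE.NET
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 16777216-33554431
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000000-19999999
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = example.net
 dns_lookup_kdc = true
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     compat winbind
shadow:     compat
group:      compat winbind
EOF
    cat > "$1/password-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        sufficient    pam_winbind.so use_first_pass
EOF
}

# smb_value FILE "parameter": one smb.conf value. Blanks around ':' are
# normalised, so "idmap config * : range" is looked up as "idmap config *:range";
# trailing '#' or ';' comments are dropped.
smb_value() {
    sed -e 's/[[:space:]]*:[[:space:]]*/:/g' -e 's/^[[:space:]]*//' "$1" |
    awk -F= -v key="$2" '{ k = $1; sub(/[ \t]+$/, "", k)
        if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]*[#;].*$/, "", v)
                        sub(/[ \t]+$/, "", v); print v; exit } }'
}
krb5_default_realm() {  # $1 = krb5.conf
    awk -F= '/^[ \t]*default_realm[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v); print v; exit }' "$1"
}
# Kerberos realm names are case-sensitive and AD realms are upper-case.
check_realm_upper() {  # $1 = krb5.conf
    r=$(krb5_default_realm "$1")
    [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}
# smb.conf "realm" and krb5.conf "default_realm" must be the identical string.
check_realms_match() {  # $1 = smb.conf  $2 = krb5.conf
    r=$(smb_value "$1" realm)
    [ -n "$r" ] && [ "$r" = "$(krb5_default_realm "$2")" ]
}
range_overlaps() {  # $1 = lo-hi  $2 = lo-hi ; true when the two ranges share an id
    [ "${1%-*}" -le "${2#*-}" ] && [ "${2%-*}" -le "${1#*-}" ]
}
# The domain's rid range and the default ('*') range must be disjoint.
check_idmap_ranges() {  # $1 = smb.conf
    wg=$(smb_value "$1" workgroup)
    def=$(smb_value "$1" "idmap config *:range")
    dom=$(smb_value "$1" "idmap config $wg:range")
    [ -n "$def" ] && [ -n "$dom" ] && ! range_overlaps "$def" "$dom"
}
# passwd and group must consult winbind, or getent/ssh never see domain users.
check_nsswitch() {  # $1 = nsswitch.conf
    awk '$1 == "passwd:" && /winbind/ { p = 1 }
         $1 == "group:"  && /winbind/ { g = 1 }
         END { exit !(p && g) }' "$1"
}
# In the auth stack pam_winbind has to precede pam_deny, otherwise it never runs.
check_pam_order() {  # $1 = PAM service file
    awk '$1 == "auth" && $3 ~ /pam_winbind/ && !deny { w = 1 }
         $1 == "auth" && $3 ~ /pam_deny/ { deny = 1 }
         END { exit !w }' "$1"
}
run_check() {  # run_check LABEL CMD ARGS... ; reports, never aborts
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

write_samples "$WORK"
run_check "default_realm is upper-case"     check_realm_upper  "$WORK/krb5.conf"
run_check "smb.conf realm == default_realm" check_realms_match "$WORK/smb.conf" "$WORK/krb5.conf"
run_check "idmap ranges are disjoint"       check_idmap_ranges "$WORK/smb.conf"
run_check "nsswitch consults winbind"       check_nsswitch     "$WORK/nsswitch.conf"
run_check "pam_winbind before pam_deny"     check_pam_order    "$WORK/password-auth"
```

Run it as a plain sh script; it prints one PASS/FAIL line per rule, and on the constructed samples the realm, realm-match and idmap checks fail while the nsswitch check passes. Each check_* function returns the shell status of its rule, so they can be reused directly against /etc/samba/smb.conf, /etc/krb5.conf, /etc/nsswitch.conf and /etc/pam.d/password-auth.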