How to join CentOS7/RHEL7 to Active Directory using Winbind

We can integrate a Linux host with Windows Active Directory domain controller for authentication purpose. To complete the scenario, we have Centos / RHEL 7 servers and existing Active Directory domain controller. Also required AD administrator account or user has sufficient rights to join AD.

To join RHEL/CentOS7 to Active Directory, the following packages need to be installed on the system:

[root@linuxcnf ~]#  yum install authconfig samba-client  samba-winbind samba-winbind-clients ntp pam_krb5 krb5-workstation

Configuration:

Sync the time with site NTP server and add the below entry in /etc/ntp.conf:

[root@linuxcnf ~]#  ntpdate –u 192.168.43.14 [root@linuxcnf ~]#  vi /etc/ntp.conf server 192.168.43.14 iburst

Start ntpd and enable it on boot:

[root@linuxcnf ~]#  service ntpd start [root@linuxcnf ~]#  chkconfig ntpd on [root@linuxcnf ~]#  ntpstat

Add the below entry in /etc/resolve.conf file:

[root@linuxcnf ~]#  vi /etc/resolv.conf nameserver 192.162.43.14

Add the below entry in /etc/hosts file:

[root@linuxcnf ~]#  vi /etc/hosts 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 192.162.43.14 adauth.linuxcnf.com

Add the below entry in last of respective sections in /etc/krb5.conf file:

[root@linuxcnf ~]#  ~]# vi /etc/krb5.conf … [libdefaults] … default_realm = LinuxCNF.com  [realms] …  LinuxCNF.com = {   kdc = adauth.LinuxCNF.com  }

Add the below entry in /etc/samba/smb.conf file:

[root@linuxcnf ~]#  vi /etc/samba/smb.conf [global]    …    workgroup = LinuxCNF    password server = adauth.linuxcnf.com    realm = LinuxCNF.com    security = ads

idmap config * : range = 16777216-33554431    template homedir = /home/%U    template shell = /bin/bash    kerberos method = secrets only    winbind use default domain = true    winbind offline logon = false

Join the domain, providing the name of a user with admin rights:

[root@linuxcnf ~]#  net ads join -U administrator Enter administrator's password:

Start winbind and enable it on boot:

[root@linuxcnf ~]#  service winbind start [root@linuxcnf ~]#  chkconfig winbind on

To verify/test the active directory AD join status:

[root@linuxcnf ~]#  net ads testjoin Join is OK

To verify the system can talk to Active Directory:

[root@linuxcnf ~]#  wbinfo -t checking the trust secret for domain LinuxCNF via RPC calls succeeded

To list all AD users:

[root@linuxcnf ~]#  wbinfo -u administrator guest linuxcnf

To list all AD groups:

[root@linuxcnf ~]#  wbinfo -g domain computers domain users domain guests

Use below command to configure the NSS and PAM stack:

[root@linuxcnf ~]#  authconfig --enablewinbindauth  --enablemkhomedir --update

Ensure that /etc/nsswitch.conf has the following passwd and group entries:

[root@linuxcnf ~]#   cat /etc/nsswitch.conf passwd:     files sss winbind group:      files sss winbind

Test resolving AD users and groups and authentication of AD users:

[root@linuxcnf ~]#  getent passwd aduser aduser:*:16777220:16777216:AD User:/home/aduser:/bin/bash

[root@linuxcnf ~]#  id aduser uid=16777220(aduser) gid=16777216(domain users) groups=16777216(domain users)

Test SSH authentication through AD user and password:

[root@linuxcnf ~]#  ssh aduser@127.0.0.1 aduser@127.0.0.1's password: Creating home directory for aduser. [aduser@linuxcnf ~]$