Red Hat Enterprise Linux 5 Microsoft Active Directory Authentication

Today I set out to get RHEL 5.x (specifically 5.5) to authenticate against a Windows 2003 R2 Active Directory. I used plenty of web pages, none of which were 100% correct for my setup, so I thought I’d document exactly what I did here for my own future reference; if anybody else finds it useful, so much the better. To start with, thanks to the following pages, which between them got me about 80% of the way there:

  • Scott Lowe has a useful howto here. It currently covers version 4; click around his site to make sure he hasn’t updated it before you use it as a reference.
  • The second resource I used is here.

Required RPMs

You need a few packages installed, some of which are likely to be installed already, some not. The ones I have, with their versions, are:

  • nss_ldap-253-25.el5
  • krb5-libs-1.6.1-36.el5_5.6
  • openldap-2.3.43-12.el5_5.3
  • ntp-4.2.2p1-9.el5.centos.2.1

I also found it useful to have openldap-clients-2.3.43-12.el5_5.3 installed, because that gives you ldapsearch, which is handy for debugging and testing.

Names

In all of the following these names have been used:

  • bindaccount – the name of the account inside AD used for the simple bind (it only needs read access to the directory, so don’t use an administrator account for it)
  • 112.riviera.org.uk – the DNS name of my domain
  • ONEONETWO – the NetBIOS (pre-Windows 2000) name of my domain, which Samba calls the workgroup
  • adserver.112.riviera.org.uk – the FQDN of my domain controller
  • dc=112,dc=riviera,dc=org,dc=uk – my base DN (I used the handy ldp.exe to find this, from this KB article)

Active Directory

The blog post from Scott Lowe explains how to add the “Server for NIS” component to Windows, so I won’t go into that here. Suffice to say that in any practical sense you need it installed: it is what adds the ‘UNIX Attributes’ tab and the attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) that nss_ldap reads below. One other thing to note is that the DNS service on the AD machines really likes to know about your new Linux client. I created an A record with the associated PTR record for each new Linux client that was going to join the domain; doing this before you start makes life easier later. I also added a couple of test users into AD before starting to configure the Linux end. The settings on their ‘UNIX Attributes’ tab are shown in the screenshot below: NIS domain, UID, login shell, home directory and primary group all need filling in, or the user will come back from AD with an incomplete passwd entry.

Linux Setup

Before touching any config files make sure your client has its own IP and FQDN listed in /etc/hosts. Also make sure time is synchronised with AD: Kerberos rejects tickets from clients whose clocks are more than five minutes (the default tolerance) away from the KDC, and a default AD install runs a time server for you, so you could use that. Whatever you use, make sure they are in sync. The files I modified, and what they ended up looking like, are as follows. In all cases except nsswitch.conf these are the entire files, so feel free to copy and paste over what is already there, substituting your own names from the list above.

/etc/openldap/ldap.conf

This file configures the OpenLDAP clients. It is not strictly necessary, but it is useful to make sure you can talk LDAP to your AD. Once this file is written you should be able to query AD with the following command:

ldapsearch -x -LLL -E pr=200/noprompt -D "bindaccount@112.riviera.org.uk" -w $PASSWORD -s sub "(cn=*)" cn mail sn

I’ve put my password in a bash variable; just replace $PASSWORD with yours, or use -W instead of -w to be prompted for it, which keeps the password out of your shell history and out of ps output. If this fails then try the full command, which won’t be using any defaults from /etc/openldap/ldap.conf:

ldapsearch -x -LLL -E pr=200/noprompt -h adserver.112.riviera.org.uk -D "bindaccount@112.riviera.org.uk" -w $PASSWORD -b "dc=112,dc=riviera,dc=org,dc=uk" -s sub "(cn=*)" cn mail sn

If that also fails you might want to try telnetting to the LDAP port (389/tcp) on the AD box, to see whether it is reachable at all.

My ldap.conf only has the following in it:


URI ldap://adserver.112.riviera.org.uk
BASE dc=112,dc=riviera,dc=org,dc=uk

/etc/krb5.conf


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = 112.RIVIERA.ORG.UK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
112.RIVIERA.ORG.UK = {
kdc = adserver.112.riviera.org.uk
admin_server = adserver.112.riviera.org.uk
default_domain = 112.riviera.org.uk
}

[domain_realm]
.112.riviera.org.uk = 112.RIVIERA.ORG.UK
112.riviera.org.uk = 112.RIVIERA.ORG.UK

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

/etc/ldap.conf

This is nss_ldap’s own configuration file, not to be confused with /etc/openldap/ldap.conf above. Replace $BINDPASSWORD with the bind account’s real password: nss_ldap reads the file literally and does not expand shell variables. Because unprivileged processes doing name lookups have to read this file it is normally world-readable, which is another reason the bind account should be a plain read-only user. With ssl no that password also crosses the network in clear text on every lookup.

host 192.168.254.14
base dc=112,dc=riviera,dc=org,dc=uk
binddn bindaccount@112.riviera.org.uk
bindpw $BINDPASSWORD
scope sub
ssl no
timelimit 10
bind_timelimit 10
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_base_passwd dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_shadow dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_group dc=112,dc=riviera,dc=org,dc=uk?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
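Because this file is the one most often copied and pasted, here is a small lint script for it, added as an example here and not part of the original post. It checks the points above that matter on an AD-bound box: the ssl setting, an unreplaced $BINDPASSWORD placeholder (nss_ldap reads the file literally), a world-writable file that holds the bind password, an IP literal in host (which will not match the DC’s certificate once TLS is turned on), and a missing nss_initgroups_ignoreusers. It goes slightly beyond the post by also running over a tightened version of the same file. The two sample configs embedded in it are constructed, the password value is made up, and which conditions count as findings is my own choice.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nss_ldap /etc/ldap.conf
# for the settings that bite on an AD-bound RHEL 5 box. Prints one finding
# per line and returns the number of findings (0 = clean). Uses only POSIX
# sh, awk and find, so it runs on a stock RHEL 5 install.

audit_ldap_conf() {
    conf="$1"
    findings=0

    # Last value wins, as nss_ldap reads the file top to bottom.
    getval() { awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$conf"; }

    # 1. Transport. 'ssl no' means the bind password, and the user's password
    #    whenever pam_ldap is the module that ends up authenticating, travel
    #    to the DC in clear text on tcp/389.
    ssl=$(getval ssl)
    case "${ssl:-no}" in
        start_tls|on|yes) ;;
        *)  echo "ssl=${ssl:-no}: simple binds to the DC are unencrypted"
            findings=$((findings + 1)) ;;
    esac

    # 2. A copy-pasted placeholder. nss_ldap does not expand shell variables,
    #    so a literal '$BINDPASSWORD' would be sent to AD as the password.
    bindpw=$(getval bindpw)
    case "$bindpw" in
        '$'*)  echo "bindpw is the literal placeholder '$bindpw'"
               findings=$((findings + 1)) ;;
    esac

    # 3. The file holds a credential: nobody but root may be able to change it
    #    (it usually has to stay world-readable so unprivileged lookups work).
    if [ -n "$bindpw" ] && [ -n "$(find "$conf" -perm -002)" ]; then
        echo "$conf contains bindpw but is world-writable"
        findings=$((findings + 1))
    fi

    # 4. An IP literal in 'host' works today, but the DC's certificate is
    #    issued for its FQDN, so the name will not match once TLS is on.
    host=$(getval host)
    case "$host" in
        "") ;;
        *[!0-9.]*) ;;
        *)  echo "host=$host is an IP literal; use the DC's FQDN before enabling TLS"
            findings=$((findings + 1)) ;;
    esac

    # 5. Without nss_initgroups_ignoreusers every local daemon that starts
    #    (possibly before the network is up) triggers an LDAP group lookup.
    if ! grep -q '^nss_initgroups_ignoreusers' "$conf"; then
        echo "nss_initgroups_ignoreusers is unset; local system accounts will be looked up in AD"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed samples: the post's /etc/ldap.conf as pasted, and a tightened one.
WEAK=$(mktemp)
HARDENED=$(mktemp)
cat > "$WEAK" <<'EOF'
host 192.168.254.14
base dc=112,dc=riviera,dc=org,dc=uk
binddn bindaccount@112.riviera.org.uk
bindpw $BINDPASSWORD
ssl no
nss_initgroups_ignoreusers root,ldap,named
EOF
chmod 666 "$WEAK"    # deliberately sloppy, to trip check 3

cat > "$HARDENED" <<'EOF'
host adserver.112.riviera.org.uk
base dc=112,dc=riviera,dc=org,dc=uk
binddn bindaccount@112.riviera.org.uk
bindpw s3cret-example-only
ssl start_tls
nss_initgroups_ignoreusers root,ldap,named
EOF
chmod 644 "$HARDENED"

audit_ldap_conf "$WEAK"     || echo "weak config: $? finding(s)"
audit_ldap_conf "$HARDENED" && echo "hardened config: clean"
```

Run it against the real file with `audit_ldap_conf /etc/ldap.conf` after sourcing the script; the return value makes it easy to wire into a post-build check.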

/etc/pam.d/system-auth

Two things to be aware of in this stack: the ‘auth requisite pam_succeed_if.so uid >= 500’ line means any AD user whose uidNumber is below 500 will be refused, and ‘nullok’ on pam_unix lets local accounts with an empty password log in, so remove it if you have no such accounts.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

# bare module name, so PAM finds it in /lib/security or /lib64/security as appropriate
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so

/etc/nsswitch.conf

I have not included all of nsswitch.conf here because I only changed the following three lines. Simply add ldap after files for each; keeping files first means local accounts (root included) still resolve when AD is unreachable.


passwd: files ldap
shadow: files ldap
group: files ldap

/etc/samba/smb.conf

This file is only needed if you also join the machine to the domain with net ads join, which creates the computer account and, because of use kerberos keytab = true, writes the host’s keys into /etc/krb5.keytab; the PAM and NSS setup above does not depend on it. Kerberos realms are conventionally written in upper case, as in krb5.conf above.

workgroup = ONEONETWO
security = ads
realm = 112.riviera.org.uk
use kerberos keytab = true
password server = adserver.112.riviera.org.uk

Finished!

When all that is done and working you should be able to run ‘getent passwd <username>’ and have it return a passwd entry built from AD. You should also be able to su to the user and log in via either the console or SSH; if the user’s home directory doesn’t exist, pam_mkhomedir should create it for you. ‘kinit <username>’ is a quick way to check the Kerberos half on its own.
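As an added check that is not part of the original post, the following script takes a passwd entry in the form getent passwd returns it and tests it against what the PAM stack above will actually accept: the uid >= 500 requisite, an absolute home directory for pam_mkhomedir to create, and a login shell. The three entries it runs over are constructed examples (user names, UIDs and paths are made up).

```shell
#!/bin/sh
# Added example (not from the original post): once 'getent passwd <user>'
# returns an entry from AD, check it against what the system-auth stack
# will accept before you rely on it for a console login. Returns 0 when
# the entry is usable, 1 otherwise, and prints why.

check_passwd_entry() {
    entry="$1"
    IFS=: read -r name passwd uid gid gecos home shell <<EOF
$entry
EOF
    ok=0

    # Seven fields: anything else means an attribute mapping is wrong.
    nfields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    if [ "$nfields" -ne 7 ]; then
        echo "$name: expected 7 fields, got $nfields"
        return 1
    fi

    # uidNumber / gidNumber come from the UNIX Attributes tab; if they
    # were never filled in the fields are empty or non-numeric.
    case "$uid" in
        ''|*[!0-9]*) echo "$name: uidNumber '$uid' is not numeric (UNIX Attributes not set?)"; return 1 ;;
    esac
    case "$gid" in
        ''|*[!0-9]*) echo "$name: gidNumber '$gid' is not numeric"; return 1 ;;
    esac

    # 'auth requisite pam_succeed_if.so uid >= 500' refuses anything lower.
    if [ "$uid" -lt 500 ]; then
        echo "$name: uid $uid is below 500, pam_succeed_if will reject the login"
        ok=1
    fi

    # pam_mkhomedir can only create a directory if AD supplies a path.
    case "$home" in
        /*) ;;
        *)  echo "$name: home '$home' is not an absolute path (unixHomeDirectory missing?)"
            ok=1 ;;
    esac

    # An empty or nologin shell means ssh/console will not give a prompt.
    case "$shell" in
        ''|*/nologin|*/false)
            echo "$name: shell '$shell' will not give an interactive login"
            ok=1 ;;
    esac

    return $ok
}

# Constructed sample entries, in the shape nss_ldap hands back via getent.
GOOD='jbloggs:*:10001:10000:Joe Bloggs:/home/jbloggs:/bin/bash'
LOW_UID='svcbuild:*:450:10000:Build Service:/home/svcbuild:/bin/bash'
NO_HOME='tsmith:*:10002:10000:Tom Smith::/bin/bash'

for e in "$GOOD" "$LOW_UID" "$NO_HOME"; do
    check_passwd_entry "$e" && echo "${e%%:*}: usable"
done
```

On a real box, feed it the live entry: `check_passwd_entry "$(getent passwd someuser)"`.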

Next on my list is to make all this work with encrypted LDAP. Until then the bind password, and the user’s password whenever pam_ldap rather than pam_krb5 ends up doing the authentication, cross the wire in clear text.


7 Comments

  1. Timbo says:

    Nice guide dude, I could have also helped you with this. All our RHEL boxes at work authenticate via AD. It’s great… once you go through the pain of getting it working as you have discovered. :)

    Let me know when you get round to RHEL6, it uses “sssd” instead of krb5/pam/ldap. Different setup but I have it all working, except for properly enumerating auxiliary groups but that’s fixed in SSSD 1.2.2. I had to create my own RPM for that, Red Hat said the fix will come out in a future release though.

  2. robin says:

    Aha, I should have popped you a mail, oh well it’s all working now. Thankfully we are holding off on RHEL6 for a while, so I won’t have that headache to deal with.

    The next step is getting SSL LDAP to work, but for that I need to enable it on my AD, which is proving tricky, makes me realise how much I don’t know about Windows!

  3. Yuval says:

    Timbo/robin –

    I’ve been struggling with rhel6 + sssd with no success.
    Can you post (or mail me) a guide for authenticating rhel6 with AD using sssd?

    MG

    Yuval

  4. robin says:

    Yuval, I’m sorry but I have no experience with RHEL6 as yet. If and when I get it and need to connect it to AD I’ll write an updated post.

  5. [...] Things I’ve found useful » Blog Archive » RedHat Enterprise Linux 5 Microsoft Acti… – July 7th ( tags: ad kerberos rhel5 centos5 linux setup howto activedirectory guide tutorial ) [...]

  6. Nick DeRoo says:

    @ Timbo,
    I have followed this guide but I am using RHEL 6.1 so I was wondering what I need to do to incorporate SSSD to get my Redhat Server working with our AD Domain controller…
    Thanks In advance.
    Nick

  7. E says:

    Want this to run encrypted?
    Change ssl no to ssl start_tls
    Start TLS will set up the connection over tcp/389 but will start encrypting data whenever required (i.e. changing data).

    Nothing besides this minor change needs to be done.

    If LDAP connection times out, then at least restart nscd. Possibly you would actually need to run authconfig-tui to set up everything straight. With that done, it should be straightforward to alter configs as described above and get encryption running.
