How to Authenticate and Integrate Linux with Windows Active Directory


Scope: let Windows AD users log in to a Linux machine with their Windows credentials, using Samba winbind and Kerberos. The commands below are for RHEL/CentOS-style systems with yum, SysV init scripts, chkconfig and authconfig.

Step 1: Install the Samba, winbind and Kerberos packages
# yum install samba-winbind samba-winbind-clients samba krb5-libs krb5-workstation pam_krb5

Step 2: Time synchronization
Kerberos rejects tickets when the clocks of the Linux client and the domain controller differ by more than the allowed skew (5 minutes by default), so make sure the time is in sync before moving ahead.
The Windows domain controllers (the PDC emulator in particular) serve NTP, so you can sync the Linux clock against a domain controller with the command below:
# ntpdate <ntp-server-ip-address/dns-name>
To make this permanent, edit the file "/etc/ntp.conf" and replace the existing server lines with one or more NTP servers in your domain, like
server <ntp-server-ip-address/dns-name>

Start the service and enable it at boot:
# /etc/init.d/ntpd start ; chkconfig ntpd on
Once ntpd has had a minute to sync, ntpq -p shows the offset against each server.
Step 3: DNS settings
Make sure the Linux machine has a proper FQDN hostname (hostname -f should print it), and that the DNS server used by the AD domain has the corresponding A records for both the domain controller and the Linux machine. Kerberos and the domain join rely on DNS; if DNS is not in order yet, you can add the names to the local hosts file for name resolution in the meantime.
# vi /etc/hosts
<ip-address> ad.mydomain.com ad
<ip-address> linux.mydomain.com linux

Step 4: Edit /etc/krb5.conf (replace MYDOMAIN.COM with your realm, in upper case, and ad.mydomain.com with your domain controller; with dns_lookup_kdc = false the KDC is taken only from the [realms] section, so set it to true if you want additional domain controllers discovered through the _kerberos._tcp SRV records)
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYDOMAIN.COM = {
kdc = ad.mydomain.com
admin_server = ad.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

Step 5: Now test Kerberos authentication
# kinit <user-name> (a Windows AD user name; use user@MYDOMAIN.COM if the realm is not the default one)
kinit prompts for the password and returns silently to the shell prompt on success; klist then shows the ticket-granting ticket. If kinit reports an error instead (for example that the KDC cannot be contacted, or a clock skew), re-check krb5.conf, DNS and the time synchronization.
Step 6: Now configure Samba and winbind

Edit /etc/samba/smb.conf, find the [global] section and add or modify the entries below (run testparm afterwards to catch syntax errors). winbind use default domain = true lets users log in as jdoe instead of MYDOMAIN\jdoe; keep in mind that a domain user with the same name as a local account resolves to the local account, because files is consulted before winbind in nsswitch.conf. The idmap uid / idmap gid lines are the Samba 3.5 and earlier syntax; Samba 3.6 and later deprecates them in favour of idmap config * : range = 10000-500000, and testparm warns about it.
workgroup = MYDOMAIN
password server = ad.mydomain.com
realm = MYDOMAIN.COM
security = ads
idmap uid = 10000-500000
idmap gid = 10000-500000
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nested groups = yes


Step 7: Configure /etc/nsswitch.conf so that user and group lookups fall back to winbind (note that the database name is "files", not "file"; a misspelled name is silently ignored and local accounts would no longer resolve). Authentication itself is handled by PAM, which authconfig sets up in Step 8.
passwd: files winbind
shadow: files winbind
group: files winbind

Step 8: Now restart the Samba and winbind services
# /etc/init.d/smb restart
# /etc/init.d/winbind restart
(winbind cannot resolve anything until the machine has joined the domain, so errors in its log at this point are expected.)

Now join the domain
# net ads join -U <User Name>
Note: the user must have the privilege to join computers to the domain. Let net prompt for the password; passing it as -U user%password puts it into the shell history and the process list. On success net prints a "Joined ..." line, and net ads testjoin reports "Join is OK" whenever you want to re-check the machine account later.

Now enable winbind authentication and automatic home directory creation (authconfig updates the PAM stack and nsswitch.conf and restarts winbind):
# authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update

Then test winbind:
Command to list all the AD users
# wbinfo -u
Command to list all the AD groups
# wbinfo -g
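As an added example (not code from the original post), the script below generates the configuration from Steps 4 and 6, checks the three things that most often break a join (clock skew against the KDC, the "files" database name in nsswitch.conf, and a host name that is not a FQDN inside the AD domain), and, when run as "./adjoin.sh apply <aduser>", writes the files, joins the domain and verifies the result with net ads testjoin, wbinfo -t and getent. The realm MYDOMAIN.COM, workgroup MYDOMAIN and domain controller ad.mydomain.com are this post's placeholders; the script name, the "apply" argument and the function names are assumptions. It uses the idmap config * : range syntax that replaced idmap uid/gid in Samba 3.6 and turns dns_lookup_kdc on so other domain controllers are found through SRV records.

```shell
#!/bin/bash
# Added example, not from the original post: pre-flight checks and config
# generation for joining a RHEL/CentOS host to the AD domain used above.
# Assumed names: realm MYDOMAIN.COM, workgroup MYDOMAIN, DC ad.mydomain.com.
# Without arguments it only demonstrates the checks on constructed input and
# writes nothing; "apply <aduser>" writes the files, joins and verifies.

# Kerberos refuses tickets when client and KDC clocks differ by more than the
# MIT default clockskew of 300 s.  check_skew LOCAL_EPOCH KDC_EPOCH -> ok|skew
check_skew() {
    local diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le 300 ] && echo ok || echo skew
}

# The NSS database is named "files"; a misspelling such as "file" is ignored
# silently, so local accounts would stop resolving once winbind is down.
# validate_nsswitch CONTENT -> 0 when passwd and group both read "files winbind"
validate_nsswitch() {
    printf '%s\n' "$1" | grep -Eq '^passwd:[[:space:]]+files[[:space:]]+winbind' &&
    printf '%s\n' "$1" | grep -Eq '^group:[[:space:]]+files[[:space:]]+winbind'
}

# net ads join derives the machine's host principals from the host name, so it
# must be fully qualified and inside the AD DNS domain.
# fqdn_in_domain HOSTNAME DOMAIN -> 0 if HOSTNAME ends in ".DOMAIN"
fqdn_in_domain() {
    case "$1" in
        *.$2) return 0 ;;
        *)    return 1 ;;
    esac
}

# gen_krb5_conf REALM KDC -> krb5.conf text as in Step 4, with dns_lookup_kdc
# enabled so additional DCs are discovered via _kerberos._tcp SRV records.
gen_krb5_conf() {
    local lower
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
 default_realm = $1
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 $1 = {
  kdc = $2
  admin_server = $2
 }
[domain_realm]
 .$lower = $1
 $lower = $1
EOF
}

# gen_smb_conf WORKGROUP REALM DC LOW HIGH -> [global] section as in Step 6,
# using the "idmap config" form that replaced "idmap uid/gid" in Samba 3.6.
gen_smb_conf() {
    cat <<EOF
[global]
 workgroup = $1
 realm = $2
 security = ads
 password server = $3
 idmap config * : backend = tdb
 idmap config * : range = $4-$5
 template shell = /bin/bash
 winbind use default domain = true
 winbind offline logon = false
 winbind nested groups = yes
EOF
}

# Writes the files, joins and verifies.  Only run via "apply"; needs root and
# a user allowed to join computers (net prompts for the password: never pass
# it as -U user%password, which lands in shell history and the process list).
apply_and_verify() {
    local aduser=${1:?usage: apply <aduser>}
    gen_krb5_conf MYDOMAIN.COM ad.mydomain.com > /etc/krb5.conf
    gen_smb_conf MYDOMAIN MYDOMAIN.COM ad.mydomain.com 10000 500000 > /etc/samba/smb.conf
    testparm -s >/dev/null || return 1            # reject a broken smb.conf before joining
    validate_nsswitch "$(cat /etc/nsswitch.conf)" || return 1
    fqdn_in_domain "$(hostname -f)" mydomain.com || return 1
    net ads join -U "$aduser" || return 1
    authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update
    service winbind restart
    net ads testjoin &&                           # prints "Join is OK"
    wbinfo -t &&                                  # machine account trust secret is valid
    getent passwd "$aduser" && id "$aduser"       # NSS, not only winbind, resolves domain users
}

if [ "$1" = apply ]; then
    apply_and_verify "$2"
else
    # Demonstration on constructed values; nothing is written.
    check_skew "$(date +%s)" "$(( $(date +%s) + 600 ))"        # 600 s apart -> skew
    validate_nsswitch "$(printf 'passwd: file winbind\n')" || echo 'nsswitch: use "files", not "file"'
    fqdn_in_domain "$(hostname -f 2>/dev/null || hostname)" mydomain.com || echo "hostname is not inside mydomain.com"
    gen_smb_conf MYDOMAIN MYDOMAIN.COM ad.mydomain.com 10000 500000
fi
```

The checks are ordered so the script fails before touching the domain: a bad smb.conf, a misspelled nsswitch database or a short host name each stop it ahead of net ads join, which is the step that creates state on the domain controller.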
