Active Directory authentication on UNIX-likes

Using Red Hat/CentOS/Fedora? Then you may prefer configuring Active Directory authentication using authconfig, which is a lot easier and faster.

Introduction

Active Directory is Microsoft's directory service for user management and AAA (authentication, authorization and accounting). By using Samba, it is possible to map AD users to UNIX users and authenticate them against AD.

In this guide I'll assume you already have a working Active Directory setup. It doesn't matter if your AD setup runs on Windows Server or Samba.

Installing Samba

FreeBSD

pkg install samba46

Alternatively, you can use anything down to samba42. Also, a newer version than samba46 may be available.

Red Hat/CentOS/Fedora

yum install samba-common samba-winbind samba-winbind-clients

Debian/Ubuntu

apt-get update
apt-get install samba-common

Configuring Samba on RedHat/CentOS/Fedora

If you want to connect to Active Directory, you have made life easy for yourself by choosing a Red Hat-based distro.

yum install samba-common samba-winbind samba-winbind-clients
authconfig \
	--update \
	--kickstart \
	--enablewinbind \
	--enablewinbindauth \
	--smbsecurity=ads \
	--smbworkgroup=FYRKAT \
	--smbrealm=AD.FYRKAT.NO \
	--winbindjoin=Administrator \
	--winbindtemplatehomedir=/home/%D/%U \
	--winbindtemplateshell=/bin/bash \
	--enablewinbindusedefaultdomain \
	--enablelocauthorize \
	--enablemkhomedir \
	--enablerfc2307bis

You are prompted for the password of the user you are using for the join.

When you're done, make the following change to /etc/samba/smb.conf. Find this line:

	passdb backend = tdbsam

And replace it with:

	idmap config * : range = 16777216 - 33554431
	idmap config * : backend = tdb
	idmap config FYRKAT : range = 33554432 - 50331647
	idmap config FYRKAT : backend = rid

Because the rid backend derives each UNIX ID from the account's RID instead of allocating one the first time the account is seen, the same AD user gets the same UNIX user ID on every host that uses this configuration. This is useful if you want to share filesystems via NFS between hosts.
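As an added example (not part of this guide), the shell script below applies the idmap_rid(8) rule, UNIX ID = RID + low end of the domain's range, to constructed SIDs using the FYRKAT range above, and checks that the default and FYRKAT ranges do not overlap. The domain SID and RID 1105 are constructed; the ranges are the ones from the configuration above.

```shell
#!/bin/sh
# Added example, not from the original guide. The idmap "rid" backend maps an
# AD account to UNIX ID = RID + low end of the domain's range (idmap_rid(8)),
# so every host with this smb.conf computes the same uid/gid for a user.
# The ranges are the ones from the smb.conf fragment above; SIDs are constructed.

DEFAULT_LOW=16777216  DEFAULT_HIGH=33554431   # idmap config * (tdb, allocated)
FYRKAT_LOW=33554432   FYRKAT_HIGH=50331647    # idmap config FYRKAT (rid, computed)

# rid_to_unix_id SID: print the uid/gid winbind would assign for SID.
# Returns 1 if the RID does not fit the range (winbind would leave it unmapped),
# 2 if SID does not end in a numeric RID.
rid_to_unix_id() {
    rid=${1##*-}                      # RID is the last dash-separated component
    case $rid in ''|*[!0-9]*) return 2 ;; esac
    id=$((rid + FYRKAT_LOW))
    [ "$id" -le "$FYRKAT_HIGH" ] || return 1
    echo "$id"
}

# ranges_disjoint LOW1 HIGH1 LOW2 HIGH2: succeed when the two ID ranges do not
# overlap. Overlapping ranges are a configuration error: one UNIX ID could
# then belong to two different accounts.
ranges_disjoint() {
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# Constructed domain SID. 1105 is a made-up RID in the range AD hands out to
# ordinary accounts; 513 is the well-known RID of "Domain Users".
DOMAIN_SID=S-1-5-21-1111111111-2222222222-3333333333
echo "uid of RID 1105: $(rid_to_unix_id "$DOMAIN_SID-1105")"    # 33555537
echo "gid of Domain Users: $(rid_to_unix_id "$DOMAIN_SID-513")"  # 33554945
if ranges_disjoint "$DEFAULT_LOW" "$DEFAULT_HIGH" "$FYRKAT_LOW" "$FYRKAT_HIGH"; then
    echo "idmap ranges are disjoint"
fi
```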

Because of a bug in pam_mkhomedir, it's wise to create the parent of the home directories beforehand. If pam_mkhomedir creates it, it gets the wrong SELinux context, which prevents users from logging in with SSH keys from ~/.ssh/authorized_keys.

mkdir /home/FYRKAT
restorecon -R /home/FYRKAT

Configuring Samba on other systems

Samba must be able to find your domain, and it must know how to map AD users to UNIX users. A good default configuration file is below.

[global]
	workgroup = FYRKAT
	realm = AD.FYRKAT.NO
	template shell = /bin/tcsh
	template homedir = /home/%D/%U
	security = ADS
	winbind nss info = rfc2307
	log file = /var/log/samba/log.%m
	max log size = 50
	winbind use default domain = Yes
	idmap config * : range = 16777216 - 33554431
	idmap config * : backend = tdb
	idmap config FYRKAT : range = 33554432 - 50331647
	idmap config FYRKAT : backend = rid
	cups options = raw
	delete veto files = Yes
	veto files = /Thumbs.db/.DS_Store/.AppleDB/.AppleDesktop/.AppleDouble/.TemporaryItems/.Trashes/
	hide files = /.*/desktop.ini/$RECYCLE.BIN/*.desktop/~$*/

	server signing = mandatory
	server min protocol = SMB2_10

[homes]
	comment = Home Directories
	browseable = no
	writable = yes
	valid users = @"domain users"
	invalid users = root administrator

[pub]
	comment = Public Stuff
	path = /pub
	writable = yes

Additionally, the operating system must know where to get user information. In /etc/nsswitch.conf, add winbind to the lines starting with group: and passwd:. Typically, these lines contain files or compat. Usually, compat is not needed, so you can change the lines to look like this:

group: files winbind
passwd: files winbind

PAM configuration

Be sure to check that you edit the correct PAM configuration file. Not all operating systems use the default PAM configuration file for all services. If you're puzzled why a service doesn't accept AD users while it should, check that service's PAM file as well.

PAM is a bit magical, as settings are done slightly differently on every operating system. Generally, a line has to be added to one or more files in /etc/pam.d (and in some cases also /usr/local/etc/pam.d).

In order to authenticate against Active Directory, PAM should authenticate against either Winbind or Kerberos. Which one to choose is entirely up to you. In most situations it doesn't really matter which one you choose, but as a rule of thumb, you might want to choose the one that requires the least amount of tinkering in PAM files. The sections below describe how to configure both Winbind and Kerberos; read both of them and take the one you think is easiest.

If your setup has use cases for Kerberos besides UNIX authentication, you should probably use Kerberos. If you don't know, you can choose either. Don't be scared to make a wrong choice, since it's trivial to switch later on.

OS                      Winbind                            Kerberos          Central PAM file
FreeBSD                 /usr/local/lib/pam_winbind.so 1)   pam_krb5.so       /etc/pam.d/system 2)
Red Hat/CentOS/Fedora   pam_winbind.so 3)                  pam_krb5.so 4)    /etc/pam.d/*-auth-ac
Debian/Ubuntu-based     pam_winbind.so 5)                  pam_krb5.so 6)    /etc/pam.d/common-*

  1. Part of samba4X package
  2. Not used by all services, for example sshd and sudo
  3. Part of samba-common package
  4. Part of pam_krb5 package, located in /lib64/security
  5. Part of libpam-winbind package
  6. Part of libpam-krb5 package, located in /lib/x86_64-linux-gnu/security

Either update the distribution's own Central PAM file or update the files per-service.

Winbind instead of Kerberos

Add the following lines to the relevant PAM files.

auth	sufficient	pam_winbind.so		try_first_pass

Make sure that there are no lines with auth required pam_unix.so before this line.

NOTE: If using FreeBSD, make sure to either symlink /usr/local/lib/pam_winbind.so to /lib, or put the entire path in the PAM file.

Kerberos instead of Winbind

Create a file /etc/krb5.conf with the following contents:

[libdefaults]
	default_realm = AD.FYRKAT.NO
	dns_lookup_realm = false
	dns_lookup_kdc = true

Test that Kerberos is working correctly:

kinit jornane@AD.FYRKAT.NO

This will ask for the user's password. If no error is returned after entering the password, Kerberos is working OK.

Now, to the relevant PAM configuration file, add a line similar to:

auth	sufficient	pam_krb5.so

Make sure that there are no lines with auth required pam_unix.so before this line.

On some operating systems, such as FreeBSD, a proposed line is already in the file and you only have to remove the # commenting it out.
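Both the Winbind and the Kerberos section above require that no "auth required pam_unix.so" line precedes the AD module's line. As an added example (not part of this guide), the script below checks a PAM file for that ordering; the two sample PAM files it writes are constructed for the demonstration, and bracketed control fields such as [success=1 default=ignore] are not parsed.

```shell
#!/bin/sh
# Added example, not from the original guide. If "auth required pam_unix.so"
# comes before the AD module's "auth sufficient" line, a failed local-password
# check rejects the AD user before pam_winbind.so or pam_krb5.so is consulted.
# The two PAM files written below are constructed samples.

# pam_auth_order FILE MODULE
# Exit status: 0 = MODULE's auth line is reached before a blocking pam_unix.so
#              1 = "auth required/requisite pam_unix.so" precedes it
#              2 = MODULE has no auth line in FILE
pam_auth_order() {
    unix_first=0
    while read -r kind ctl mod _rest || [ -n "$kind" ]; do
        case $kind in ''|'#'*) continue ;; esac   # skip blank lines and comments
        [ "$kind" = auth ] || continue             # only the auth stack matters here
        mod=${mod##*/}                             # FreeBSD may list the full path
        if [ "$mod" = "$2" ]; then
            return "$unix_first"
        fi
        # required and requisite both make a pam_unix.so failure fatal for the stack
        if [ "$mod" = pam_unix.so ]; then
            case $ctl in required|requisite) unix_first=1 ;; esac
        fi
    done < "$1"
    return 2
}

GOOD_PAM=$(mktemp) BAD_PAM=$(mktemp)
trap 'rm -f "$GOOD_PAM" "$BAD_PAM"' EXIT
cat > "$GOOD_PAM" <<'EOF'
# constructed sample: AD module consulted first
auth    sufficient  /usr/local/lib/pam_winbind.so   try_first_pass
auth    required    pam_unix.so     no_warn try_first_pass
EOF
cat > "$BAD_PAM" <<'EOF'
# constructed sample: pam_unix.so rejects AD users before winbind runs
auth    required    pam_unix.so     no_warn try_first_pass
auth    sufficient  pam_winbind.so  try_first_pass
EOF

for f in "$GOOD_PAM" "$BAD_PAM"; do
    if pam_auth_order "$f" pam_winbind.so; then
        echo "$f: OK, pam_winbind.so runs before pam_unix.so can reject"
    else
        echo "$f: problem (status $?), fix the auth ordering"
    fi
done
```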

Configuring Winbind

You must configure this part of Winbind even if you choose Kerberos in the previous section.

It is important that the winbind daemon is started. How this is accomplished depends greatly on the operating system. On some operating systems, winbind is a separate service which must be enabled and started. On other operating systems, a configuration flag must be set to enable it.

FreeBSD

Enable the samba service.

sysrc samba_server_enable=YES

Create /etc/rc.conf.d/samba_server and put the following contents:

nmbd_enable="NO"
smbd_enable="NO"
winbindd_enable="YES"

If you want this server to also serve files, change nmbd_enable and smbd_enable to YES.

Start the Samba service.

service samba_server start

systemd (GNU/Linux)

Enable the smbd and winbind services.

systemctl enable smbd.service
systemctl enable winbind.service

Start the Samba service.

systemctl start smbd.service
systemctl start winbind.service

Joining the domain

Now that everything is set up, it is time to join the machine to the domain.

net ads join -U Administrator

Testing

These steps will confirm that you have a working setup, but you may skip them if you're confident enough.

Check if the join is still valid. If this fails, it is safe to attempt to join again.

This command tests the connection to the AD server, but not winbindd(8).

net ads testjoin

Check that the local winbind service is running and behaving as expected. If this fails, verify that winbind is running.

This command tests winbindd(8).

wbinfo -p

Check that the trust relationship is still OK. If this fails, it is safe to attempt to join again.

This command tests winbindd(8) and the connection to the AD server.

wbinfo -t

Get a list of all users that winbind can authenticate. This may take a while on larger AD installations.

This command tests winbindd(8) and the connection to the AD server.

wbinfo -u

Show all winbind users in the same format they would have if they were in passwd(5). This may take a really long time on larger AD installations.

This command tests winbindd(8), nsswitch.conf(5) and the connection to the AD server.

wbinfo -u | xargs getent passwd

Get a list of all winbind groups. This may take a while on larger AD installations.

This command tests winbindd(8).

wbinfo -g

Show all winbind groups in the same format they would have if they were in group(5). This may take a really long time on larger AD installations.

This command tests winbindd(8) and nsswitch.conf(5).

wbinfo -g | xargs getent group