As the number of CentOS (or Red Hat) machines in your environment grows, you begin to appreciate the need for a central login mechanism. Most workplaces already have such a login for their Windows workstations in the form of an Active Directory domain. By joining your CentOS machines to the Active Directory domain, you allow users to log in with the same credentials as on their Windows machines. Furthermore, you do not need to add or remove users when new people join the team or others leave it.
For the purposes of these instructions, we will assume the Active Directory server is ad.example.com and the CentOS server is centos.example.com.
As a first step, we install Samba, Kerberos and ntpd.
    yum install samba samba-client samba-winbind krb5-workstation ntp
    chkconfig smb on
    chkconfig nmb on
    service smb start
    service nmb start
    chkconfig ntpd on
    ntpdate ad.example.com
We need to install and configure an NTP client because the Kerberos protocol will not work if the two machines' clocks are too far apart. Edit /etc/ntp.conf, remove all the existing server lines and replace them with:
    server ad.example.com
Next start the ntpd server with the command service ntpd start.
I have had issues down the road with trying to synchronize the clocks against the Active Directory server; in those cases I configured the two servers to synchronize against the same third-party server. I suspect the problem was a (presumably temporary) issue with time.windows.com, the default Windows NTP server.
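Because a clock that has drifted too far is the most common reason the later kinit and join steps fail, it is worth checking the offset against the domain controller before touching Kerberos at all. The script below is an added example and is not part of the original post. It assumes ntpdate is installed (it comes with the ntp package installed above), that the hostname and domain variables are adjusted for your environment, and that the Kerberos default clock-skew tolerance of 300 seconds applies; the 192.168.0.5 address in the comments is a made-up sample.

```shell
#!/bin/sh
# Pre-join sanity checks for a CentOS host about to join an AD domain.
# Added example (not from the original post). Assumptions: ntpdate is
# installed, AD_SERVER/DOMAIN are placeholders to replace, and the
# Kerberos default clockskew of 300 seconds is in effect.

AD_SERVER="${AD_SERVER:-ad.example.com}"
DOMAIN="${DOMAIN:-example.com}"
MAX_SKEW=300   # Kerberos default clockskew tolerance, in seconds

# parse_ntpdate_offset OUTPUT: extract the signed offset in seconds from the
# "server 192.168.0.5, stratum 2, offset -0.001234, delay 0.02570" line
# that `ntpdate -q` prints (sample line constructed for illustration).
parse_ntpdate_offset() {
    printf '%s\n' "$1" | awk '
        /offset/ && /delay/ {
            for (i = 1; i <= NF; i++)
                if ($i == "offset") { sub(/,$/, "", $(i+1)); print $(i+1); exit }
        }'
}

# skew_ok OFFSET MAX: return 0 when |OFFSET| <= MAX (floating point via awk)
skew_ok() {
    awk -v off="$1" -v max="$2" 'BEGIN {
        if (off < 0) off = -off
        r = (off <= max) ? 0 : 1
        exit r
    }'
}

# fqdn_in_domain HOSTNAME DOMAIN: return 0 when HOSTNAME ends with ".DOMAIN"
fqdn_in_domain() {
    case "$1" in
        *."$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# check_clock: query the AD server without adjusting the local clock and
# refuse to continue if the offset is outside what Kerberos tolerates
check_clock() {
    out=$(ntpdate -q "$AD_SERVER" 2>&1) || { echo "ntpdate -q failed: $out"; return 1; }
    off=$(parse_ntpdate_offset "$out")
    if skew_ok "$off" "$MAX_SKEW"; then
        echo "clock offset ${off}s against $AD_SERVER is within ${MAX_SKEW}s"
    else
        echo "clock offset ${off}s exceeds ${MAX_SKEW}s; Kerberos will fail, fix NTP first"
        return 1
    fi
}

# check_hostname: the join uses the host's FQDN, so it must sit in the domain
check_hostname() {
    fq=$(hostname -f 2>/dev/null)
    if fqdn_in_domain "$fq" "$DOMAIN"; then
        echo "hostname $fq is in $DOMAIN"
    else
        echo "hostname '$fq' is not in $DOMAIN; fix /etc/hosts or the search line in /etc/resolv.conf"
        return 1
    fi
}

# Usage: sh prejoin_check.sh run   (functions can also be sourced separately)
if [ "${1:-}" = "run" ]; then
    check_clock && check_hostname
fi
```

Run it as `sh prejoin_check.sh run` before the kinit step; a non-zero exit tells you which prerequisite to fix. The offset check uses `ntpdate -q`, which only queries and never steps the clock, so it is safe to run while ntpd is already active.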
Next we want to be able to refer to machines on the local network using their short names. Add the following to /etc/resolv.conf:
    search example.com
This may not be necessary depending on how the networking of the CentOS server is configured. For example, I have set up all the servers to use DHCP with reservations to keep all the IP configuration in one place. The DHCP server is already configured to have the clients append .example.com to bare host names, so /etc/resolv.conf already contains this line.
If you are using a static IP, add the following to /etc/hosts, replacing the IP address with the IP for your CentOS server and the host names with the proper values:
    # canonical FQDN first, then the short alias, so hostname -f returns the FQDN
    192.168.0.10 centos.example.com centos
If you do not have a static IP, add the host entries to the existing line for localhost (127.0.0.1).
Next we need to configure Kerberos by making the following edits to /etc/krb5.conf (note that the capitalization is important in this file):
    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = true
     dns_lookup_kdc = true
     # enables DES-based encryption types; keep only if your domain controllers still require them
     allow_weak_crypto = yes

    [realms]
     EXAMPLE.COM = {
      default_domain = example.com
      kdc = ad.EXAMPLE.COM
      admin_server = ad.EXAMPLE.COM
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
Next edit /etc/samba/smb.conf, changing or adding the following in the [global] section:
    [global]
    # Use the value of your workgroup/domain here
    workgroup = MY_WORKGROUP
    password server = ad.example.com
    realm = EXAMPLE.COM
    security = ads
    winbind use default domain = true
    winbind offline logon = false
    encrypt passwords = yes
Finally we can initialize Kerberos and join the domain. You will need the credentials of a user allowed to make changes in the domain (in the example we use administrator).
    kinit administrator@EXAMPLE.COM
    # Enter the password at the prompt and expect no other output
    authconfig --update \
      --kickstart \
      --enablewinbind \
      --enablewinbindauth \
      --smbsecurity=ads \
      --smbrealm=EXAMPLE.COM \
      --winbindjoin=administrator@EXAMPLE.COM \
      --winbindtemplatehomedir=/home/%U \
      --winbindtemplateshell=/bin/bash \
      --enablewinbindusedefaultdomain \
      --enablelocauthorize \
      --smbservers=ad.example.com \
      --enablemkhomedir
At this point you should be done. You should be able to log into the machine using your Windows credentials.
Once in a while I find it is necessary to re-join the domain. Use the following commands:
    # Restart all relevant services
    service smb stop
    service nmb stop
    service winbind stop
    service winbind start
    service nmb start
    service smb start
    # Re-join the domain
    net ads join -S ad.example.com -U administrator
    # Restart winbind
    service winbind stop
    service winbind start
    # Test the credentials
    wbinfo -t
    # List the users
    wbinfo -u
If the last two tests do not come out the way you expect (wbinfo -t should report success and wbinfo -u should list all the users in your domain), you have some googling to do. Let me know how it turns out.