ms_loves_linux

This tutorial covers the different ways to use a Microsoft Windows 2008/2012 Active Directory server as the authentication server for Red Hat Linux. The method differs between Red Hat Linux versions, so each version is covered separately below.

Red Hat 7: Direct Integration using Realmd Service

1) You need a DNS server running on the Active Directory domain controller, with an A (host) record added for every one of your Linux servers.
Make sure DNS resolution works:
# nslookup ad.com
# dig ad.com

2) Then discover the Active Directory domain:
# realm discover ad.com

3) Then join the Active Directory domain:
# realm join ad.com
then enter the Administrator password when prompted

4) Make sure the host has joined the Active Directory domain:
# realm list

5) Try looking up one of the AD accounts:
# id account@ad.com

Sometimes SELinux interferes with realmd. If it does, set SELinux to permissive mode.
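The five steps above end with "realm list" and "id"; the following script is an added example (not part of this tutorial and not realmd's own code) that turns those two manual checks into something a host can run after the join. It parses the output of "realm list" for the domain, confirms the host is a kerberos-member using sssd, runs "id" for a test account, and, only when something is wrong, points at the SELinux audit log so denials can be inspected before the host is switched to permissive mode. It assumes Python 3.7+ and the tutorial's placeholder domain ad.com; the SAMPLE_REALM_LIST text is constructed.

```python
"""Check a realmd join from `realm list` output (RHEL 7 procedure) and, on a
live host, the id lookup and SELinux mode. Added example, not realmd's own
code; assumes Python 3.7+ and the tutorial's placeholder domain ad.com. The
sample output below is constructed."""
import subprocess

# Constructed sample in the format `realm list` prints on a joined host.
SAMPLE_REALM_LIST = """\
ad.com
  type: kerberos
  realm-name: AD.COM
  domain-name: ad.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: sssd
  login-formats: %U@ad.com
  login-policy: allow-realm-logins
"""

def parse_realm_list(text):
    """Return {realm: {key: [values]}}. An unindented line names a realm; the
    indented 'key: value' lines below it belong to that realm. Keys such as
    required-package repeat, so every value is kept in a list."""
    realms, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            realms[current] = {}
        elif current is not None and ':' in line:
            key, value = (s.strip() for s in line.split(':', 1))
            realms[current].setdefault(key, []).append(value)
    return realms

def join_problems(text, domain):
    """List what is wrong with the join for domain; [] means joined via SSSD."""
    info = parse_realm_list(text).get(domain)
    if info is None:
        return ['%s is not listed; run: realm join %s' % (domain, domain)]
    problems = []
    if info.get('configured') != ['kerberos-member']:
        problems.append('%s is discovered but not joined (configured: %s)'
                        % (domain, ' '.join(info.get('configured', ['no']))))
    if info.get('client-software') != ['sssd']:
        problems.append('%s is not using sssd as client software' % domain)
    if info.get('server-software') != ['active-directory']:
        problems.append('%s is not an Active Directory realm' % domain)
    return problems

def run(cmd):
    """Run a command; (exit status, stdout), or (None, '') if the binary is missing."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None, ''
    return proc.returncode, proc.stdout

def verify_host(domain, account):
    """Post-join checks on a live host: realm membership, account lookup, and
    whether SELinux denials could be the cause of a failure."""
    status, out = run(['realm', 'list'])
    if status is None:
        return ['realm command not found: install realmd first']
    problems = join_problems(out, domain)
    if run(['id', account])[0] != 0:
        problems.append('id %s failed: SSSD cannot resolve the account' % account)
    if problems and run(['getenforce'])[1].strip() == 'Enforcing':
        problems.append('SELinux is enforcing; check for denials with: ausearch -m AVC -c realmd')
    return problems

if __name__ == '__main__':
    import sys
    args = sys.argv[1:]
    problems = verify_host(*args) if len(args) == 2 else join_problems(SAMPLE_REALM_LIST, 'ad.com')
    print('\n'.join(problems) or 'OK')
```

Run it as "python3 check_join.py ad.com account@ad.com" on the joined host; with no arguments it only evaluates the constructed sample. The "ausearch" hint is printed only when a check fails and SELinux is enforcing, which is the moment to read the denials rather than disable enforcement outright.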

—————–

Red Hat 6: Direct Integration using SSSD/LDAP/Kerberos

If you are running RHEL 7, it is much easier to do this with realmd, but realmd does not exist on RHEL 6, so there you have to do it the manual way.
Reference:
https://access.redhat.com/node/216933/40/0

(Note that everything in this Red Hat reference is correct EXCEPT the SSSD configuration: ldap_id_mapping should be True.)

1) Configure DNS and make sure you can resolve the Active Directory hostname
# dig ad.com
# nslookup ad.com

2) Configure Kerberos
# cat /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = AD.COM

[realms]
AD.COM = {
}

[domain_realm]
ad.com = AD.COM
.ad.com = AD.COM

3) Configure SAMBA
# cat /etc/samba/smb.conf
[global]
# This is the Windows Workgroup name.
workgroup = AD
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AD.COM
security = ads

4) Configure SSSD
# cat /etc/sssd/sssd.conf

[sssd]
domains = ad.com
config_file_version = 2
services = nss, pam

[domain/ad.com]
ad_domain = ad.com
krb5_realm = AD.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

5) Get a Kerberos ticket:
# kinit Administrator@AD.COM
then enter the password when prompted

6) Add the machine to the domain using the net command:
# net ads join -k

7) Use authconfig to enable SSSD for system authentication:
# authconfig --update --enablesssd --enablesssdauth --enablemkhomedir

8) Test your connection using one of the Active Directory accounts:
# su - account@ad.com
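Steps 2 to 4 above are three hand-edited files that must agree with each other (the realm in upper case in krb5.conf and smb.conf, its lower-case form as the SSSD domain, and the ldap_id_mapping correction this tutorial makes to the Red Hat article). The script below is an added example, not Red Hat's or SSSD's tooling, that cross-checks the three files before kinit and net ads join are run; it assumes Python 3 and the tutorial's placeholder realm AD.COM, and the SAMPLE_* texts are constructed copies of the files shown above.

```python
"""Cross-check krb5.conf, smb.conf and sssd.conf from the RHEL 6 procedure.
Added example (Python 3), not Red Hat's or SSSD's tooling; AD.COM is the
tutorial's placeholder realm and the SAMPLE_* texts are constructed copies."""
import configparser

SAMPLE_KRB5 = """\
[libdefaults]
default_realm = AD.COM
[realms]
AD.COM = {
}
[domain_realm]
ad.com = AD.COM
.ad.com = AD.COM
"""
SAMPLE_SMB = """\
[global]
workgroup = AD
kerberos method = secrets and keytab
realm = AD.COM
security = ads
"""
SAMPLE_SSSD = """\
[sssd]
domains = ad.com
services = nss, pam
[domain/ad.com]
ad_domain = ad.com
krb5_realm = AD.COM
id_provider = ad
ldap_id_mapping = True
fallback_homedir = /home/%d/%u
"""

def parse_krb5(text):
    """{section: {key: value}} plus the realm names declared as brace blocks
    under [realms]; keys inside the braces are skipped."""
    sections, realms, current, depth = {}, [], None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif line.endswith('{'):
            if current == 'realms' and depth == 0:
                realms.append(line[:-1].split('=', 1)[0].strip())
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 0 and current and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            sections[current][key] = value
    return sections, realms

def parse_ini(text):
    """smb.conf and sssd.conf are INI; interpolation is off because values
    such as /home/%d/%u contain literal percent signs."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser

def check_consistency(krb5_text, smb_text, sssd_text):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    krb5, realms = parse_krb5(krb5_text)
    smb, sssd = parse_ini(smb_text), parse_ini(sssd_text)
    realm = krb5.get('libdefaults', {}).get('default_realm', '')
    domain = realm.lower()
    if not realm or realm != realm.upper():
        findings.append('krb5.conf: default_realm must be set in upper case')
    if realm not in realms:
        findings.append('krb5.conf: [realms] has no block for %s' % realm)
    for name in (domain, '.' + domain):          # both mappings the tutorial lists
        if krb5.get('domain_realm', {}).get(name) != realm:
            findings.append('krb5.conf: [domain_realm] should map %s to %s' % (name, realm))
    for key, want in (('realm', realm), ('security', 'ads'),
                      ('kerberos method', 'secrets and keytab')):
        if smb.get('global', key, fallback='') != want:
            findings.append('smb.conf: %s should be "%s"' % (key, want))
    section = 'domain/' + domain
    if [d.strip() for d in sssd.get('sssd', 'domains', fallback='').split(',')] != [domain]:
        findings.append('sssd.conf: domains should be exactly %s' % domain)
    if not sssd.has_section(section):
        findings.append('sssd.conf: missing [%s] section' % section)
        return findings
    # The tutorial's correction to the Red Hat article: ldap_id_mapping must be True
    for key, want in (('ad_domain', domain), ('krb5_realm', realm),
                      ('id_provider', 'ad'), ('ldap_id_mapping', 'True')):
        got = sssd.get(section, key, fallback='')
        if got.lower() != want.lower():
            findings.append('sssd.conf: %s should be "%s", got "%s"' % (key, want, got))
    return findings

if __name__ == '__main__':
    texts = [open(p).read() for p in ('/etc/krb5.conf', '/etc/samba/smb.conf', '/etc/sssd/sssd.conf')]
    print('\n'.join(check_consistency(*texts)) or 'krb5.conf, smb.conf and sssd.conf agree')
```

The script reads the live files when run on the host; the SAMPLE_* texts exist so the checks can be exercised offline. One thing it does not inspect is file ownership: sssd refuses to start unless /etc/sssd/sssd.conf is owned by root with mode 0600, so set that before step 7.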

———————

Red Hat 5: Direct Integration using winbind Service

Red Hat 5 does not ship SSSD newer than v1.5, and the “id_provider = ad” directive needs SSSD v1.9 at minimum, so SSSD cannot be used for this.
Your only option for “direct” Linux integration with AD on Red Hat 5 is therefore winbind.

How to do it? Use one of these references:
https://access.redhat.com/node/216933/40/0
or
https://community.spiceworks.com/how_to/445-integrate-linux-with-active-directory-using-samba-winbind-and-kerberos

—–