2011-05-30

CentOS 5.6 + Samba + Active Directory authentication

I wanted to share a small recipe on how to set up CentOS 5.6 to authenticate Linux users against a Windows Server 2003 (not R2) Active Directory.

There are basically two ways to authenticate against a Windows Active Directory:
  • Using pure LDAP authentication OR
  • Using Samba/Winbind.
LDAP authentication requires installing additional tools on the Windows AD server (as described e.g. here: http://www.linux.com/learn/tutorials/442411-unite-your-linux-and-active-directory-authentication). Since I wanted to keep my fingers away from the AD server, I tried the second approach.

After reading a few articles about it e.g. http://wiki.centos.org/TipsAndTricks/WinbindADS and tinkering with it for a day or two, I found a configuration that works:

Prerequisites:
- The FQDN of the Linux host contains the domain name (e.g. pluto.workgroup.local).
- The DNS setting in /etc/resolv.conf points to the AD DNS server; the join locates the domain controllers through the SRV records that AD publishes in its DNS.
- You have enough CALs (Client Access Licenses, http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx) free on your AD server for your new Linux server(s) or workstation(s).
- A user account exists in AD for the Winbind join. In our case it is called unixauth with password mypassword. It only needs the right to join computers to the domain, so don't use a Domain Admin account for this.
- The workgroup in our example is named WORKGROUP and the domain controller is called ADSERVER1. The realm is WORKGROUP.LOCAL.
- Your Linux users in AD belong to a group called unix_user, and those who may use sudo belong in addition to a group called unix_admin.

On the CentOS 5.6 machine make sure /etc/hosts contains a row similar to this, with the FQDN listed before the short name (the first name on the row is what hostname -f returns, which is how the host learns its own FQDN for the prerequisite above):
192.168.0.30     pluto.workgroup.local pluto

Then execute a few commands (as root) to install Winbind and join the domain:
# yum install -y samba3x-winbind
# authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads \
    --smbworkgroup=WORKGROUP --smbrealm=WORKGROUP.LOCAL --smbservers=ADSERVER1 \
    --winbindjoin=unixauth%mypassword --winbindtemplatehomedir=/home/%U \
    --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize \
    --enablemkhomedir
Note that --winbindjoin=user%password puts the join password on the command line, where it is visible in ps output while the join runs and stays in root's shell history afterwards; remove the history entry once the join has succeeded, and keep the unixauth account limited to joining computers. --enablewinbindusedefaultdomain is what lets users and groups be referred to without the WORKGROUP\ prefix in the steps below. Further info about the authconfig parameters can be found in the authconfig(8) man page.

Next we limit logins to members of the unix_user group and make the unix_admin group sudo capable:
# sed -i -e 's/;*require_membership_of =.*$/require_membership_of = unix_user/g' /etc/security/pam_winbind.conf 
# grep -q unix_admin /etc/sudoers || echo %unix_admin ALL=\(ALL\)       ALL >> /etc/sudoers
# /etc/init.d/winbind restart
require_membership_of is enforced by pam_winbind, so it applies to logins that authenticate through Winbind, not to local accounts in /etc/passwd. Appending to /etc/sudoers directly bypasses the syntax check visudo would do, so run visudo -c afterwards: a malformed sudoers file locks everyone out of sudo.

The following makes the box cache AD logon credentials locally, so that if the connection to the domain controller is down, e.g. SSH password logins keep working for users who have logged in before:
# sed -i -e 's/winbind offline logon = false/winbind offline logon = yes/g' /etc/samba/smb.conf
# sed -i -e 's/;cached_login = yes/cached_login = yes/g' /etc/security/pam_winbind.conf 
# /etc/init.d/winbind restart
Two caveats: the first sed only changes an existing "winbind offline logon = false" line, so check with testparm -s | grep offline that the option really took effect; and offline logon stores password hashes of every user who has logged in in Winbind's cache tdb, so a user that has been disabled in AD or removed from unix_user can still log in to the box while it is offline. Decide whether that trade-off is acceptable for the hosts in question.
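As an added example that is not part of the original post, here is a shell script that applies the pam_winbind.conf, smb.conf and sudoers changes above idempotently and runs the checks I'd want to see pass before trusting the box. The set_smb_global helper is my own (it replaces the blind sed one-liners, which silently do nothing when authconfig did not write exactly the line they expect); the group names, file paths and commands are the ones from the post, and the AD user name given to the check subcommand is a placeholder you supply.

```shell
#!/bin/bash
# Added example (not from the original post): idempotent config edits plus
# post-join checks for the winbind setup described above. Run as root.
set -eu

# Set KEY = VALUE inside the [global] section of an smb.conf-style file
# (pam_winbind.conf uses the same layout). An existing assignment, even one
# commented out with ';' or '#', is replaced in place; otherwise the key is
# inserted at the end of [global]. Keys are matched case-insensitively,
# as Samba does. File permissions are kept because we write back through cat.
set_smb_global() {
    local file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { in_global = 0; done = 0; lkey = tolower(key) }
        /^[ \t]*\[/ {
            # Leaving [global] without having seen the key: insert it here.
            if (in_global && !done) { print "\t" key " = " value; done = 1 }
            in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
        }
        in_global && !done {
            line = $0
            sub(/^[ \t]*[;#]?[ \t]*/, "", line)   # strip indent and comment marker
            if (tolower(line) ~ ("^" lkey "[ \t]*=")) {
                print "\t" key " = " value; done = 1; next
            }
        }
        { print }
        END { if (in_global && !done) print "\t" key " = " value }
    ' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# The three edits from the post, plus a sudoers change that is parse-checked
# with visudo before it goes live instead of being appended blind.
apply_config() {
    set_smb_global /etc/security/pam_winbind.conf require_membership_of unix_user
    set_smb_global /etc/security/pam_winbind.conf cached_login yes
    set_smb_global /etc/samba/smb.conf "winbind offline logon" yes
    if ! grep -q '^%unix_admin' /etc/sudoers; then
        cp /etc/sudoers /etc/sudoers.new
        printf '%%unix_admin ALL=(ALL) ALL\n' >> /etc/sudoers.new
        visudo -c -f /etc/sudoers.new          # aborts the script if malformed
        cat /etc/sudoers.new > /etc/sudoers && rm -f /etc/sudoers.new
    fi
    /etc/init.d/winbind restart
}

# Post-join checks; every one of these should succeed before you close the
# root shell you did the join from. $1 is an AD user expected to be in unix_user.
check_join() {
    net ads testjoin                 # machine account password still valid?
    wbinfo -t                        # winbind can talk to the DC with it
    wbinfo -u | head -n 3            # AD users are enumerable
    getent passwd "$1"               # NSS resolves the AD user to a uid
    id "$1"                          # group list should contain unix_user
}

case "${1:-}" in
    apply) apply_config ;;
    check) check_join "${2:?usage: $0 check <ad-user>}" ;;
esac
```

Invoke it as "./winbind-setup.sh apply" after the authconfig join, then "./winbind-setup.sh check someaduser" from a second terminal while keeping the first root session open; if id does not list unix_user, fix the group membership before testing an SSH login, because require_membership_of will reject that user.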

Have fun!

2011-05-23

My new Blog

Hello surfers,

This is a new blog with the sole purpose of documenting some of my findings in the magnificent world of system administration and programming and such.