Skip to main content

Redhat Linux ssh login using Active Directory Account

DNS infrastructure should work well In order that winbind funcitons properly. So check it first.
# host -t srv _kerberos._tcp.yourdomain.com
_kerberos._tcp.yourdomain.com has SRV record 0 100 88 adsrv1.yourdomain.com. 
_kerberos._tcp.yourdomain.com has SRV record 0 100 88 adsrv2.yourdomain.com. 

Necessary packages should be installed.
# yum install authconfig pam_krb5 samba-common

# chkconfig winbind on

Create AD users home directories container.
# mkdir /home/YOURDOMAIN
# chmod 0777 /home/YOURDOMAIN

Host name should have same FQDN with the AD domain name.
# hostname -f
srv2.yourdomain.com 

Authentication should be enabled and configured.
# authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=YOURDOMAIN --smbrealm=YOURDOMAIN.COM --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/YOURDOMAIN/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=YOURDOMAIN.COM --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

# service winbind restart

AD id's should be mapped against local id's. It's done by smb.conf
# vi /etc/samba/smb.conf
                /** Original **/ 
                workgroup = YOURDOMAIN 
                realm = YOURDOMAIN.COM 
                security = ads 
                idmap uid = 16777216-33554431 
                idmap gid = 16777216-33554431 
                template homedir = /home/YOURDOMAIN/%U 
                template shell = /bin/bash 
                winbind use default domain = true 
                winbind offline logon = false

                /** Change with these **/ 
                workgroup = YOURDOMAIN 
                realm = YOURDOMAIN.COM 
                security = ads 
                idmap domains = YOURDOMAIN 
                idmap config YOURDOMAIN:backend = rid 
                idmap config YOURDOMAIN:base_rid = 500 
                idmap config YOURDOMAIN:range = 500-1000000 
                #idmap uid = 16777216-33554431 
                #idmap gid = 16777216-33554431 
                template homedir = /home/YOURDOMAIN/%U 
                template shell = /bin/bash 
                winbind use default domain = true 
                winbind offline logon = false 

To allow members of an AD group to login with ssh PAM should be configured.
# vi /etc/pam.d/system-auth 
                /**  Original  **/ 
                auth required pam_env.so 
                auth sufficient pam_unix.so nullok try_first_pass 
                auth requisite pam_succeed_if.so uid >= 500 quiet 
                auth sufficient pam_krb5.so use_first_pass 
                auth sufficient pam_winbind.so use_first_pass 
                auth required pam_deny.so

                session optional pam_keyinit.so revoke 
                session required pam_limits.so 
                session optional pam_mkhomedir.so 
                session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
                session required pam_unix.so 
                session optional pam_krb5.so 

                /**  Change with these  **/ 
                auth required pam_env.so 
                auth sufficient pam_unix.so nullok try_first_pass 
                auth requisite pam_succeed_if.so user ingroup "linuxusers" debug
                auth requisite pam_succeed_if.so uid >= 500 quiet 
                auth sufficient pam_krb5.so use_first_pass 
                auth sufficient pam_winbind.so use_first_pass 
                auth required pam_deny.so 

                session optional pam_keyinit.so revoke 
                session required pam_limits.so 
                session optional pam_mkhomedir.so umask=0077
                session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
                session required pam_unix.so 
                session optional pam_krb5.so

# service winbind restart

After these srv2 can be joined to domain.
# net ads join -U aduser
aduser's password: 
Using short domain name -- YOURDOMAIN 
Joined 'srv2' to realm 'YOURDOMAIN.COM' 

# service winbind restart

After joining AD domain. Group info could be listed.
# wbinfo -g

Now you can login ssh session with AD account which is member of the linuxusers group.

Comments

Popular posts from this blog

Find and replace with sed command in Linux

Find and replace feature is always handy. It can turn into a torture when it comes to change or delete a simple constant string in a text file. There is a handy tool in linux for doing these kind of tihngs. Actually sed is not a text editor but it is used outside of the text file to make changes.