
Redhat Linux ssh login using Active Directory Account

The DNS infrastructure must be working correctly so that winbind functions properly, so check it first: the Kerberos SRV record for the domain should resolve to the AD domain controllers.
# host -t srv _kerberos._tcp.yourdomain.com
_kerberos._tcp.yourdomain.com has SRV record 0 100 88 adsrv1.yourdomain.com. 
_kerberos._tcp.yourdomain.com has SRV record 0 100 88 adsrv2.yourdomain.com. 

The necessary packages must be installed.
# yum install authconfig pam_krb5 samba-common

# chkconfig winbind on

Create the container directory for AD users' home directories. Note that mode 0777 makes this container world-writable by any local account; the per-user directories themselves are created by pam_mkhomedir with the umask given in the PAM session configuration below.
# mkdir /home/YOURDOMAIN
# chmod 0777 /home/YOURDOMAIN

The host name must be a fully qualified domain name within the AD domain.
# hostname -f
srv2.yourdomain.com 

Winbind and Kerberos authentication must be enabled and configured (note that --enablewinbindusedefaultdomain lets AD users log in without the DOMAIN\ prefix, so their names must not collide with local accounts).
# authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=YOURDOMAIN --smbrealm=YOURDOMAIN.COM --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/YOURDOMAIN/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=YOURDOMAIN.COM --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

# service winbind restart

AD IDs must be mapped to local UIDs/GIDs. This is done in smb.conf.
# vi /etc/samba/smb.conf
                /** Original **/ 
                workgroup = YOURDOMAIN 
                realm = YOURDOMAIN.COM 
                security = ads 
                idmap uid = 16777216-33554431 
                idmap gid = 16777216-33554431 
                template homedir = /home/YOURDOMAIN/%U 
                template shell = /bin/bash 
                winbind use default domain = true 
                winbind offline logon = false

                /** Change with these **/ 
                workgroup = YOURDOMAIN 
                realm = YOURDOMAIN.COM 
                security = ads 
                idmap domains = YOURDOMAIN 
                idmap config YOURDOMAIN:backend = rid 
                idmap config YOURDOMAIN:base_rid = 500 
                idmap config YOURDOMAIN:range = 500-1000000 
                #idmap uid = 16777216-33554431 
                #idmap gid = 16777216-33554431 
                template homedir = /home/YOURDOMAIN/%U 
                template shell = /bin/bash 
                winbind use default domain = true 
                winbind offline logon = false 

To allow only members of a specific AD group to log in over ssh, PAM must be configured. The added pam_succeed_if line is marked requisite, so authentication fails immediately for any user who is not in that group; its debug option writes verbose messages to syslog and can be dropped once the setup is verified.
# vi /etc/pam.d/system-auth 
                /**  Original  **/ 
                auth required pam_env.so 
                auth sufficient pam_unix.so nullok try_first_pass 
                auth requisite pam_succeed_if.so uid >= 500 quiet 
                auth sufficient pam_krb5.so use_first_pass 
                auth sufficient pam_winbind.so use_first_pass 
                auth required pam_deny.so

                session optional pam_keyinit.so revoke 
                session required pam_limits.so 
                session optional pam_mkhomedir.so 
                session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
                session required pam_unix.so 
                session optional pam_krb5.so 

                /**  Change with these  **/ 
                auth required pam_env.so 
                auth sufficient pam_unix.so nullok try_first_pass 
                auth requisite pam_succeed_if.so user ingroup "linuxusers" debug
                auth requisite pam_succeed_if.so uid >= 500 quiet 
                auth sufficient pam_krb5.so use_first_pass 
                auth sufficient pam_winbind.so use_first_pass 
                auth required pam_deny.so 

                session optional pam_keyinit.so revoke 
                session required pam_limits.so 
                session optional pam_mkhomedir.so umask=0077
                session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
                session required pam_unix.so 
                session optional pam_krb5.so

# service winbind restart

After these steps, srv2 can be joined to the domain using an AD account that is allowed to join machines.
# net ads join -U aduser
aduser's password: 
Using short domain name -- YOURDOMAIN 
Joined 'srv2' to realm 'YOURDOMAIN.COM' 

# service winbind restart

After joining the AD domain, the domain groups can be listed to verify that winbind is working.
# wbinfo -g

Now you can log in over ssh with an AD account that is a member of the linuxusers group.

