Authentication on Linux via Windows Active Directory
Managing a fleet of servers is not an easy task, even when you have a small user base. Passwords and homedirs all have to be managed from server to server. Sysadmins from across the ages have used many different systems to help manage this problem. OpenLDAP and other LDAP systems are useful, but most enterprise’s don’t use OpenLDAP. Here we will review using Active Directory as an authentication LDAP source.
Using your favorite package manager, install the following packages:
It’s possible that some of these aren’t required, or I missed a package. There are some great resources out there if you google “Installing Winbind on Linux”
Important Files - “Gotchas”
When installing and configuring winbindd there are a few utilities and files that will be very important.
This command will give you a text-based interface for configuring the authentication methods on your Linux machine. Note: Running this command will make changes to some of the winbind system files, most notably /etc/pam.d/system-auth-ac if you’re running a new install this shouldn’t be a problem
/etc/pam.d/system-auth-ac as mentioned before this is a very important file for system auth. This is where you will make the majority of your changes when configuring winbind.
Joining the Windows Active Directory Domain
Use the following command to join the AD Domain
# net ads join -S server.address -U Administrator
If you get an error, you can test to see if your join worked with the following command:
# net ads testjoin # net rpc testjoin
If you got OK from those commands, you should be fine, but see below for further troubleshooting.
The following commands with help you get a little bit more incite into what’s going on with your server. Before we get into that, it’s important to note that logs are going to be your best friend when troubleshooting this - or any - linux issue. On CentOS the log you want to look at is /var/log/secure. What I usually do is open two console windows, one to work in, and the other to tail the log. Use this command to watch the log file life (aka “tailing”)
tail -f /var/log/secure
From there you can use the wbinfo command to query information from the winbind daemon.
This will give you a list of domain users.
This will give you a list of domain groups.
net ads info
This gives information about the active directory domain you are joined to.