Sep 21 2011

For the past few weeks, I’ve been spinning my wheels trying to get CentOS 6 to use Active Directory (Windows 2008 R2-based) for user information and authentication. I currently use LDAP for these purposes, but in the interest of moving towards a more centralized environment I am working towards having all of the UNIX and Linux hosts use AD as the central repository for user information and authentication. This can be done relatively easily, and in a couple of different ways, which I will outline here.

First off, since the attributes are already in AD, there were two ways I could go with this: I could either use winbind to join the CentOS host to the directory, or I could use the LDAP interface into AD. I started out with LDAP since I am more familiar with it and had had some not-so-good experiences with winbind in the past. I’ll present my LDAP authentication configuration here in Part 1 and discuss winbind in Part 2. To begin with, I created a group called ‘unixgrp’ and added the necessary POSIX attributes to the object, so I had something that looked like this:

I then created a user, whose object looked something like this:

That being done, I created some minimalist configuration files. Keep in mind that these steps can mostly be completed with the authconfig command (you will almost certainly need to tweak ldap.conf afterwards). The configuration files look something like this:

/etc/pam_ldap.conf (/etc/ldap.conf on CentOS 5)

CentOS 6 brings us a new daemon that is required to use LDAP for name service lookups: nslcd. The configuration for nslcd is almost identical to pam_ldap.conf:

/etc/nslcd.conf

Set nslcd to start on boot and set it running now.

/etc/openldap/ldap.conf

/etc/nsswitch.conf (snippet)

That’s good enough to get user information working:

Fantastic. Now for authentication. Again, this can be completed by using the authconfig command, but this is what results:

/etc/pam.d/system-auth

And that’s it! After all this, you should be able to authenticate all day long against Active Directory on your CentOS or RHEL 6 host.
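Because the nslcd.conf above carries a service-account bind password and talks to a domain controller, it is worth checking the file for the settings that most often weaken this setup before rolling it out. The script below is an added example, not code from the article: it parses a constructed nslcd.conf and flags a cleartext ldap:// URI without start_tls, a tls_reqcert value that skips certificate validation, and a bindpw in a file that is not root-only. The keywords are real nslcd directives; the hosts, DNs and password are placeholders.

```python
"""Audit an nslcd.conf for weak LDAP-to-AD settings (added example, not
the article's own code). Sample configs below are constructed; the keywords
(uri, ssl, tls_reqcert, binddn, bindpw, base, map, filter) are real nslcd
directives, while the hosts, DNs and password are placeholders."""
import stat

# Constructed: a minimalist config in the spirit of the article's setup.
WEAK_CONF = """\
uri ldap://dc1.example.com/
base dc=example,dc=com
binddn cn=ldapbind,cn=Users,dc=example,dc=com
bindpw placeholder-secret
filter passwd (objectClass=user)
map passwd uid sAMAccountName
tls_reqcert never
"""

# Constructed: the same config using LDAPS with certificate checking.
HARDENED_CONF = WEAK_CONF.replace("ldap://", "ldaps://") \
                         .replace("tls_reqcert never", "tls_reqcert demand")

def parse_nslcd(text):
    """Return (keyword, value) pairs; comments and blank lines are skipped."""
    opts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return opts

def audit_nslcd(text, mode):
    """Return a list of findings for the config text; mode is the file's
    permission bits (e.g. os.stat(path).st_mode)."""
    opts = parse_nslcd(text)
    values = dict(opts)          # last occurrence wins for repeated keywords
    findings = []
    start_tls = values.get("ssl", "off").lower() == "start_tls"
    for key, uri in opts:
        # ldap:// sends the bind password and every lookup in the clear
        if key == "uri" and uri.lower().startswith("ldap://") and not start_tls:
            findings.append("cleartext uri without start_tls: " + uri)
    if values.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append("tls_reqcert " + values["tls_reqcert"]
                        + " skips server certificate validation")
    # bindpw is a service-account secret, so nslcd.conf must be root-only
    if "bindpw" in values and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw present but file is group/world readable")
    return findings

if __name__ == "__main__":
    for name, conf, mode in (("weak", WEAK_CONF, 0o644),
                             ("hardened", HARDENED_CONF, 0o600)):
        print(name, audit_nslcd(conf, mode) or ["no findings"])
```

To run it against a real host, read /etc/nslcd.conf and pass os.stat("/etc/nslcd.conf").st_mode as the mode argument.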

  30 Responses to “CentOS 6 Authentication to Active Directory – Part 1”

  1. Good to know that CentOS-6 has changed some config files for AD authentication. I tried to config a new server with CentOS-6 in terms of this article. The AD authentication works but the username has to be exactly as in the AD; however the lowercase username works on my CentOS-5 servers. Are there any options to enable the case-insensitive username?

    • I did a verification of the problem you pose and have found that this is indeed the case – CentOS/RHEL 5 are case insensitive whereas CentOS/RHEL 6 are case sensitive for similar setups. I did a little digging and found that the issue is actually caused by design. CentOS and RHEL 5 use PADL’s pam_ldap and nss_ldap. CentOS/RHEL 6 utilize the nss-pam-ldapd bundle by Arthur de Jong, and on his website, he mentions that the PADL bug is addressed as of 2009-11-22.

      That being said, there are a couple ways to fix this. If you’re mapping uid to sAMAccountName, you can populate the uid attribute with the appropriate (lowercase) userid. If not, it shouldn’t be too much trouble to write a script that crawls the entire LDAP store, gets each object’s uid, runs it through an lc() function, then modifies it for that object.

      Hope this helps!
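The second fix in the reply above (walk every object, lowercase its uid, and modify it) can be done without any LDAP library by generating an LDIF change file from an export of the tree. The following is an added example, not code from the article or from the commenters: it reads a constructed LDIF export, and for each entry whose uid is not already lowercase it emits a changetype: modify record that replaces the uid. The DNs and values are constructed placeholders; ldapsearch and ldapmodify are the standard OpenLDAP tools assumed for the export and the apply step.

```python
"""Generate LDIF modify records that lowercase mixed-case uid values
(added example, not the article's own code). SAMPLE_LDIF is a constructed
stand-in for an ldapsearch export; entries with no uid are left alone."""

SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Unix Users,DC=example,DC=com
sAMAccountName: JDoe
uid: JDoe
uidNumber: 10001

dn: CN=Bob Smith,OU=Unix Users,DC=example,DC=com
sAMAccountName: bsmith
uid: bsmith
uidNumber: 10002

dn: CN=Svc Backup,OU=Service,DC=example,DC=com
sAMAccountName: SvcBackup
uidNumber: 10003
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' values, no folded lines):
    returns one {attribute: [values]} dict per entry."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, val = line.partition(":")
        current.setdefault(attr, []).append(val.strip())
    return entries

def lowercase_uid_changes(entries):
    """Return LDIF 'changetype: modify' records for every entry whose uid
    differs from its lowercase form; entries without a uid are skipped
    because populating uid is a separate decision."""
    records = []
    for e in entries:
        uid = e.get("uid", [None])[0]
        if uid is None or uid == uid.lower():
            continue
        records.append("\n".join([
            "dn: " + e["dn"][0],
            "changetype: modify",
            "replace: uid",
            "uid: " + uid.lower(),
            "",
        ]))
    return records

if __name__ == "__main__":
    print("\n".join(lowercase_uid_changes(parse_ldif(SAMPLE_LDIF))))
```

Write the printed records to a file and apply them with ldapmodify against the domain controller using a bind that is allowed to write the uid attribute; test on a single OU first.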

  2. Thank you very much for putting up the guide but I’ve been having a bit of a problem getting your config to run here on my RHEL6 box.

    After making all the above changes and triple checking everything I get no output from “getent passwd testuser”; it simply returns back instantly.

    I’ve made sure all my packages are installed and updated and the firewall is off. Ports are open as ldapsearch works fine. Both the user and group have the correct attributes (2003R2).

    Is there any logs generated that I can have a look through to see what’s up?

    Thanks

    • It looks like I’ve left out a step. I’ve corrected the article to reflect the changes, but it’s possible your issue is caused by nslcd not running. A simple service nslcd start should do the trick!

  3. Hi Greg,

    Great article. Would this also allow SSH authentication? If so, I haven’t been able to authenticate with my AD user successfully. Though, getent username works beautifully, and I’m able to su – username on the console.

    Any thoughts?

    • Hi Will,

      Thanks for checking us out!

      First of all, check to see if anything useful is being written to /var/log/secure. sshd will post almost all of its error messages there in a default Cent/RHEL install and they’re usually pretty helpful. A couple things off the top of my head though:
      – Check your /etc/pam.d/sshd. It should include lines for password, account and session that include password-auth.
      – After that, check that /etc/pam.d/password-auth includes a pam_ldap.so line.

      You may want to run authconfig-tui and ensure that Use LDAP is set on the User Information side and that Use LDAP Authentication is checked on the Authentication side and that all of the settings are correct for your environment.

      Hope it helps!

      • One last item, bindpw should be stored under /etc/pam_ldap.secret

        • I think you’re correct – BUT that particular option goes hand-in-hand with the rootbinddn option. binddn and bindpw both belong in /etc/pam_ldap.conf. rootbinddn is slightly different and the password is indeed stored in /etc/pam_ldap.secret.

  4. Great article Greg!

    Is part 2 discussing winbind yet to be completed?

    • It’s not completed yet. I ran into some issues with testing the configuration I was working with and then Real Life™ got in the way for a bit. I’ll finish up my testing and get the results posted this week!

  5. Thanks for the info.

    In case anyone is having issues logging in through SSH, you have to make the changes below.

    1. Need to configure krb5.conf (/etc/krb5.conf)

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = TEKNOK.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true

    [domain_realm]
    .teknok.com = TEKNOK.COM
    teknok.com = TEKNOK.COM

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    validate = false
    }
    [realms]
    TEKNOK.COM = {
    }

    2. Change /etc/pam.d/password-auth

    Remove all the lines which have pam_ldap.so (if these lines are not removed, ssh authentication will not work)

    3. Edit /etc/sysconfig/authconfig
    Change NO to YES:
    USEKERBEROS=yes
    Run this command: authconfig --updateall

  6. [...] while back, I described a method for authenticating CentOS and RHEL servers to Active Directory using LDAP.  While this approach is easy to set up and works right out of the gate, there are a [...]

  7. How did you create those group and user ids on the Windows 2008 server? Did you have to install NIS server on Windows?

    • Nope! I was using 2008 R2. I created the users and groups like normal through Active Directory Users and Groups. You have to enable Advanced Features under View and then bring up the properties of the user or group. You’ll see an Attribute Editor tab where you can set all the available attributes of the object.

      This is appropriate for testing, but if you want to set it on several users or automate it, you’ll have to learn how to use ldif files.

  8. I’ve gotten the configuration to work using your steps – but I have an additional challenge.

    In Windows – I can add users in a “root” domain (ie – user@domain.local) into the Administrators group of a “child” domain server (server1.ops.domain.local) and be able to authenticate and logon to the server.

    In CentOS – I’m having an issue adjusting your configuration to allow users in both the root and child domain to logon to a server that is a member of the “child” domain.

    Users in the child domain can logon just fine. What needs to be modified to allow users in the root domain to logon to this server as well?

    Thank you for the help.

  9. Great writeup. Any updates on the Winbind integration ?

  10. +1. Thanks for this! I was having issues hitting my AD server with the LDAP client on CentOS 6.2, but turns out it was the /etc/nslcd.conf configuration giving me problems. Using yours as a template helped big time.

  11. Hi

    Need to set the time with NTP.

    Dinçer

  12. No need to specify your kerberos realm in this config file. You have a line to do the lookup in AD.
    dns_lookup_realm = true

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true

    [domain_realm]

    [realms]

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    validate = false
    }

    Similarly, in the ldap config files set your uri up as

    uri ldap://techrockdo.com/

    and you will use what MS calls serverless binding to locate working AD servers.

    • Libdefaults should still specify the default realm to use.

      [libdefaults]
      default_realm = TEKNOK.COM
      dns_lookup_realm = true
      dns_lookup_kdc = true

  13. I have this mostly working, however, requests to login (ssh or GDM console) don’t work. They are specifying a realm/domain of “EXAMPLE.COM”. I don’t have EXAMPLE.COM in any of my config files. I’ve successfully run the following commands: kinit, id, getent passwd, etc. Even su to a username in AD works. Any ideas?

    • I’m not really sure where that would be coming from. Are you trying to configure Kerberos or Samba? The two places I can think that might be coming from would be in /etc/krb5.conf and/or /etc/samba/smb.conf. You might also check that /etc/pam.d/sshd and /etc/pam.d/gdm are including system-auth or are explicitly trying pam_ldap.so somewhere in the pam stack.

  14. [...] I left you with my last pearl of wisdom.  A couple months ago, I presented a couple methods for authenticating to Active Directory using winbind and for authenticating using the LDAP interface.  In more recent versions of CentOS and RHEL, [...]

  15. So I’m trying to set this up now on a RHEL 6.4 box, and I can get the system to “see” my LDAP user on the system. When I do an id userid, I get back the appropriate response.

    But when I try to ssh into the server as that userid, I keep getting:

    sshd[11996]: pam_ldap: ldap_search_s Bad search filter.

    I assume it’s the

    pam_filter objectclass=user

    in my /etc/pam_ldap.conf

    that needs fixing?

    -db

  16. Why people still use to read news papers when in this technological globe everything
    is existing on web?

  17. Really when someone doesn’t be aware of afterward its up to other users
    that they will help, so here it takes place.

  18. Hi everyone, it’s my first go to see at this web page,
    and post is actually fruitful in favor of me, keep up posting these articles or reviews.

  19. That is very interesting, You’re a very skilled blogger.
    I have joined your rss feed and look ahead to in the
    hunt for more of your excellent post. Additionally, I’ve shared your site in my social networks
