Description of the solution
With the Samba, Winbind and Kerberos client packages, Active Directory users can log in to the Linux host with Kerberos authentication.
Configure Linux host
1. Install the Kerberos client, Winbind, Samba, sudo and NTP packages (Debian/Ubuntu first, then RHEL/CentOS):
apt-get install krb5-user krb5-config libpam-krb5 winbind samba samba-common-bin libnss-winbind libpam-winbind sudo ntp ntpdate
yum install krb5-workstation samba samba-common samba-winbind samba-winbind-clients pam_krb5 oddjob-mkhomedir sudo net-tools ntp ntpdate
2. Set hostname:
hostname <name_of_localhost>
echo <name_of_localhost> > /etc/hostname
3. Set time sync:
vi /etc/ntp.conf
server <IP-address_of_NTP_server>
ntpdate -d <IP-address_of_NTP_server>
4. Set the realm (domain name) and DC server in krb5.conf (Debian/Ubuntu can use the dialog, or edit the file directly):
dpkg-reconfigure krb5-config
- Default Kerberos version 5 realm: <DOMAINNAME>
- Add locations of default Kerberos servers to /etc/krb5.conf: Yes
- Kerberos servers for your realm: <IP-address_of_DC_servers>
- Administrative server for your Kerberos realm: <IP-address_of_admin_server>
vi /etc/krb5.conf
[libdefaults]
default_realm = <DOMAINNAME>
...
[realms]
<DOMAINNAME> = {
    kdc = <IP-address_of_DC_server>
    admin_server = <IP-address_of_admin_server>
}
...
[domain_realm]
.<domainname> = <DOMAINNAME>
<domainname> = <DOMAINNAME>
...
5. Configure the workgroup, realm, Winbind and the home-directory share in Samba:
vi /etc/samba/smb.conf
[global]
workgroup = <name_of_workgroup_or_organization>
security = ads
realm = <DOMAINNAME>
netbios name = <name_of_localhost>
idmap config * : backend = rid
idmap config * : range = 5000-100000000
idmap config * : base_rid = 0
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind refresh tickets = yes
allow trusted domains = no
client use spnego = yes
auth methods = winbind
...
[homes]
comment = Home Directories
read only = no
browseable = no
valid users = %S
create mask = 0700
directory mask = 0700
...
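The realm in krb5.conf (step 4) and in smb.conf (step 5) must be the same string, written in upper case, or the later `net ads join` and Kerberos logins fail with confusing errors. The following POSIX shell script is an added example, not part of the original guide: it reads both files with a small ini parser and reports mismatches before the join is attempted. The function names (conf_get, check_ad_config, write_samples) and the sample configuration files are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: cross-check the realm
# settings in krb5.conf (step 4) and smb.conf (step 5) before running
# `net ads join`. The conf_get / check_ad_config / write_samples names and
# the sample files below are constructed for this example.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION] of an
# ini-style file (krb5.conf and smb.conf both use this layout).
conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                                # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            sec = tolower(s); next
        }
        sec == tolower(want_sec) && index($0, "=") {
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(want_key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_ad_config KRB5_CONF SMB_CONF: print one problem per line and return
# the number of problems found (0 means the two files agree).
check_ad_config() {
    krb5_realm=$(conf_get "$1" libdefaults default_realm)
    smb_realm=$(conf_get "$2" global realm)
    security=$(conf_get "$2" global security)
    problems=0
    if [ -z "$krb5_realm" ]; then
        echo "krb5.conf: [libdefaults] default_realm is not set"
        problems=$((problems + 1))
    elif [ "$(printf '%s' "$krb5_realm" | tr '[:lower:]' '[:upper:]')" != "$krb5_realm" ]; then
        echo "krb5.conf: realm '$krb5_realm' should be upper-case (AD realm names are)"
        problems=$((problems + 1))
    fi
    if [ "$krb5_realm" != "$smb_realm" ]; then
        echo "smb.conf: realm '$smb_realm' does not match krb5.conf default_realm '$krb5_realm'"
        problems=$((problems + 1))
    fi
    if [ "$security" != "ads" ]; then
        echo "smb.conf: security = '$security' (an AD member needs security = ads)"
        problems=$((problems + 1))
    fi
    if [ -n "$krb5_realm" ] && [ -z "$(conf_get "$1" realms "$krb5_realm")" ]; then
        echo "krb5.conf: no [realms] stanza for '$krb5_realm'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# write_samples DIR: constructed good and bad sample files (example.com and
# dc1.example.com are placeholders, not real hosts).
write_samples() {
    cat > "$1/krb5-good.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
EOF
    cat > "$1/smb-good.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.COM
    idmap config * : backend = rid
EOF
    cat > "$1/krb5-bad.conf" <<'EOF'
[libdefaults]
    default_realm = example.com
[realms]
    example.com = {
        kdc = dc1.example.com
    }
EOF
    cat > "$1/smb-bad.conf" <<'EOF'
[global]
    security = user
    realm = EXAMPLE.COM
EOF
}

# Usage on a real host:
#   . ./adconf-check.sh; check_ad_config /etc/krb5.conf /etc/samba/smb.conf
```

Run the check after `testparm` (step 6) and before the join in step 13; once joined, `net ads testjoin` confirms the machine account works. The bad sample pair reports three problems: a lower-case realm, a realm that differs between the files, and `security = user`.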
6. Test the Samba configuration file:
testparm
7. Add Winbind to the name service lookups:
Debian/Ubuntu:
vi /etc/nsswitch.conf
...
passwd: compat winbind
group: compat winbind
shadow: compat winbind
...
RHEL/CentOS:
vi /etc/nsswitch.conf
...
passwd: files sss winbind
group: files sss winbind
shadow: files sss winbind
...
8. Allow the sudo command for AD groups or users (the % prefix denotes a group; omit it for a single user):
vi /etc/sudoers
...
%<Name_of_AD_group_or_user_1> ALL=(ALL:ALL) ALL
%<Name_of_AD_group_or_user_2> ALL=(ALL:ALL) ALL
...
9. Configure automatic creation of AD users' home directories in PAM:
Debian/Ubuntu:
vi /etc/pam.d/common-session
...
session required pam_mkhomedir.so umask=0077 skel=/etc/skel
RHEL/CentOS:
authconfig --update --enablemkhomedir
10. Configure local and AD authentication in PAM:
Debian/Ubuntu:
vi /etc/pam.d/common-auth
...
#auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=3 default=ignore] pam_localuser.so try_first_pass
#auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_winbind.so require_membership_of="%<Name_of_AD_group_or_user_1>","%<Name_of_AD_group_or_user_2>" krb5_auth krb5_ccache_type=FILE cached_login try_first_pass debug
...
RHEL/CentOS:
vi /etc/pam.d/system-auth
...
auth sufficient pam_localuser.so try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
...
vi /etc/pam.d/sshd
auth include system-auth
...
vi /etc/security/pam_winbind.conf
[global]
debug = yes
debug_state = yes
cached_login = yes
krb5_auth = yes
require_membership_of = "Name_of_AD_group_or_user_1","Name_of_AD_group_or_user_2"
11. Restart Winbind and Samba:
Debian/Ubuntu:
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start
RHEL/CentOS:
systemctl restart winbind
systemctl restart smb
systemctl enable winbind
12. Test that a Kerberos ticket can be obtained:
kinit <AD_user>
klist
kdestroy
13. Join the Linux host to AD with an AD admin user:
net ads join -U <AD_admin_user>
14. Restart Winbind and Samba:
Debian/Ubuntu:
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start
RHEL/CentOS:
systemctl restart winbind
systemctl restart smb
systemctl enable winbind
15. Test local and AD logins, and follow the authentication log while doing so (/var/log/secure on RHEL/CentOS):
tail -f /var/log/auth.log
16. If a login fails, test Kerberos (step 12), Winbind and nsswitch:
wbinfo -u
wbinfo -g
getent passwd
getent group
Restore the default (local) authentication
1. Remove the Kerberos client, Winbind and Samba packages (Debian/Ubuntu first, then RHEL/CentOS):
apt-get purge krb5-user krb5-config libpam-krb5 winbind samba samba-common-bin libnss-winbind libpam-winbind
yum remove krb5-workstation samba samba-common samba-winbind samba-winbind-clients pam_krb5 oddjob-mkhomedir
2. Restore PAM:
pam-auth-update --force
Restore the original files in /etc/pam.d/.