How do I authenticate against Active Directory Using SAMBA/WINBIND?

There are a lot of ways to do this.  How Do I Integrate Bright With Active Directory using the native AD provider of SSSD? (https://kb.brightcomputing.com/knowledge-base/how-do-i-integrate-bright-with-ad-provider-from-sssd/) discusses a way using SSSD/AD_provider authentication with multiple RHEL servers integrated to an AD domain or forest, and is recommended for most purposes.

A different way, with a single RHEL server integrated to an AD domain or forest, uses the following steps to allow a Bright Cluster to authenticate against a Windows AD Server while maintaining the user information in Bright’s LDAP. These instructions were tested on Windows Server 2008 and 2012.

1. Configure smb.conf

Edit /etc/samba/smb.conf and fill in the Windows AD Server information (workgroup, password server, and realm) under the [global] section. In this example, bright is used as workgroup, bcm.bright.local is used as password server, and BRIGHT.LOCAL is used as an Active Directory realm. The rest of the parameters should be kept the same.

[global]
   workgroup = bright
   password server = bcm.bright.local
   realm = BRIGHT.LOCAL
   encrypt passwords = yes
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes
   security = ADS
   debuglevel = 2
   wins support = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/false
   winbind offline logon = false

Tip:

Type “net config workstation” on the command line of the Windows AD Server to get the workgroup, password server and AD realm.

Logon Domain = workgroup
FQDN = password server
FQDN – Computer Name = realm

2. Configure krb5.conf

Edit /etc/krb5.conf and change the following sections to match the Windows AD Server Settings. Here,

• port 88 is the default port that is used for authentication in the forest level trusts (the underlying technology by which secured Active Directory communications occur)
• port 749 is the default port that is used for kadmin utilities.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BRIGHT.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = true

[realms]
 BRIGHT.LOCAL = {
  kdc = bcm.bright.local:88
  admin_server = bcm.bright.local:749
 }

[domain_realm]
 .bright.local = BRIGHT.LOCAL
 bright.local = BRIGHT.LOCAL

3. Configure Authentication Method

/etc/pam.d/system-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/password-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/php

auth sufficient pam_winbind.so
account sufficient pam_winbind.so

Tip:

If you’re using Red Hat based distributions, you may use “authconfig-tui” tool to autogenerate system-auth-ac and password-auth-ac, but then you’ll have to check that the smb.conf still has the correct configurations.

4. Test The Connectivity to Windows Active Directory Server

Add an entry for the AD server “bcm.bright.local” into /etc/hosts.
/etc/hosts:

10.2.184.194 bcm.bright.local bright bright.local

Run the following command, which fetches the domain Security Identifier (SID) and stores it in the local secrets.tdb:

# net rpc getsid -S bcm.bright.local
Storing SID S-1-5-21-547601799-235048094-3373437802 for Domain BRIGHT in secrets.tdb

Make sure that the winbind service can start successfully

# /etc/init.d/winbind restart
# /etc/init.d/winbind status
winbindd (pid 17966) is running...

4. Join the Windows AD Domain

# net ads join -U Administrator -S bcm.bright.local
Enter Administrator's password:
Using short domain name -- BRIGHT
Joined 'AD-TEST' to dns domain 'bright.local'

5. Verify Authentication

a. Add user in Bright:

# cmsh 
% user 
% add user adel
%set password 
% commit

b. Add user in Windows AD Server with different password.

c. At this stage:

* a log in attempt with the password that is stored in Bright’s LDAP should be denied, and

* a log in with the password that is stored in Windows AD Server should be allowed.

6. Configuring Userportal Authentication Method

Edit /etc/pam.d/php to include the following lines:

auth sufficient pam_winbind.so
account sufficient pam_winbind.so

Restart the httpd service:

# /etc/init.d/httpd restart

Troubleshooting

Issue

# net rpc getsid -S bcm.bright.local
Unable to find a suitable server for domain BRIGHT.LOCAL

Resolution
smb.conf and krb5.conf need to be reconfigured

Issue

# net join -U Administrator -S bcm.bright.local
Enter Administrator's password:
Failed to join domain: failed to find DC for domain BRIGHT.LOCAL
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain BRIGHT.LOCAL
Unable to find a suitable server for domain BRIGHT.LOCAL

Resolution
samba.conf and krb5.conf need to be reconfigured

Issue

# net ads join -U Administrator -S bcm.bright.local
Enter Administrator's password:
Using short domain name -- BRIGHT
Joined 'AD-TEST' to dns domain 'bright.local'
kerberos_kinit_password AD-TEST$@BRIGHT.LOCAL failed: Clock skew too great

Resolution
Timezone between the AD server and Bright Cluster differs. Fix that.

Issue

# net join -U Administrator -S bcm.bright.local
Enter Administrator's password:
Using short domain name -- BRIGHT
Joined 'AD-TEST' to dns domain 'bright.local'
DNS Update for ad-test.cm.cluster failed: ERROR_DNS_GSS_ERROR
DNS update failed!

Resolution
A DNS error is normal if the server is not a domain DNS server. This is because the DNS record of the server cannot be updated. This error will not block joining the AD domain. It’s related to the Windows DNS Server in which the AD is registered. To test that the join was successful:

# net ads testjoin
Join is OK

Issue

# net ads join -U Administrator -S bcm.bright.local
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database

Resolution
re-issue “net rpc getsid -S bright.bcm.local”