Attaching a RHEL6 server install to Active Directory for authentication

This guide presumes a clean install of RHEL6.1 with the Basic Server install with no custom packages chosen and the server is registered to RHN already.  This is the basic steps you can take to attach the server to an Active Directory domain.  I also assume that you have a login with the rights to add a workstation to a domain and know how to do that.

First, let’s go ahead and make sure all packages are up to date and install packages needed to configure winbind with the graphical utility, run the following command as root

yum -y update && yum -y install samba-winbind authconfig-gtk xorg-x11-xauth

Second, let’s make sure your clock is in sync with your network’s time server because a skew will cause a domain join to fail.  You can use the following time server if you don’t know your local one.  Run as root:

ntpdate clock.redhat.com

Now, you will want to logout and log back in so that xauth creates the necessary connection to run the graphical utility over ssh.  Then type the following command as root:

authconfig-gtk

AuthConfig

Now, you will want to change User Account Database to Winbind, then set the Winbind Domain to your domain shortname, change Security Model to ads, change Winbind ADS REALM to your domain longname, change Winbind Domain Controllers to your domain controllers fullnames seperated by commas, change Template Shell to the shell you want your users to have, and finally click Join Domain where you will be prompted for your Domain administrator login and password.  Click OK after filling out the login information.

If all goes well, you should see Joined ‘HOSTNAME’ to realm ‘DOMAIN LONGNAME’ and maybe a DNS update failed! message after that.  You can ignore the DNS error though.

AdvanceOption

Next click over to the Advanced Options tab and check “Create home directories on the first login” to have home directories automatically generated with the contents of /etc/skel when users login for the first time.  Otherwise, you will need to pre-create all the home directories, and that isn’t terribly fun if you have more than like 5 users.  After that, click Apply and the window should close.  You might also see some Gtk-Message errors, but those are nothing to worry about either as they are just libraries to open different window themes.

Okay, so to test the Winbind connection is up and working, let’s run the next couple of commands as root.

net ads testjoin

The result should be “Join is OK”

wbinfo -u

This command may take a few minutes to return if you have a lot of users in your domain.  But it should eventually return with a list of all the users in your domain.  If that comes back the way we expect, then next we will try logging in with a user.

ssh aduser@MYDOMAIN@localhost

Right now, all your logins have your domain as part of the login name, your login actually looks like MYDOMAIN\aduser.  It’s really just one in the middle, but you need the second one to tell the shell that the is a literal .  Anyways, it should prompt you for your password and you should be able to login and have your home directory automatically created at /home/MYDOMAIN/aduser, you can test by typing pwd.  You can also test that groups is working by just typing groups to see what groups you are a member of.  You can stop here if you are happy with the way everything is.

Extra Settings for different options:

Now, I will share some extra settings for RHEL6 because the default options are honestly annoying for you and your users trying to log into the server.

Pull UID/GID Numbers from ad instead of local database

Be default, Samba/Winbind authentication is setup to generate it’s own database of UID/GID numbers for users and groups.  If you are setting up a group of computers that mount a shared filesystem and you want to make sure that all users and groups on each workstation have the same UID/GID.  You can change some settings to have those numbers pulled from AD instead of generated locally.  To fix this, we make changes in the /etc/samba/smb.conf file

Below are the settings configured by system-config-authentication:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

Here is what I replace them with to get UID/GID numbers pulled from AD.  Change MYDOMAIN to your domain shortname.

idmap backend = idmap_rid:MYDOMAIN=1000-9000000
idmap uid = 1000-9000000
idmap gid = 1000-9000000

After applying that conf change, do the following to clean out the winbind local database caches.

service winbind stop && rm -f /var/lib/samba/*.tdb && service winbind start

remove domain name from username/login and change home directory location

To fix your login names from being something like MYDOMAIN\mylogin or mylogin@MYDOMAIN and instead have it just be mylogin, you will need to change a setting in the /etc/samba/smb.conf file.  Below is the setting and it defaults to false, you just have to change it to true.

winbind use default domain = true

Another helpful setting is the one below for changing the default location where home directories are created.  By default, they are created as /home/DOMAIN/username, this is best added in /etc/samba/smb.conf above the template shell line.

template homedir = /home/%U
Advertisements
This entry was posted in Uncategorized and tagged , , , , , . Bookmark the permalink.

3 Responses to Attaching a RHEL6 server install to Active Directory for authentication

  1. Pingback: Setup a Windows/Mac file server with Samba and Netatalk on RHEL6 in Active Directory | PasswdShadow

  2. This document is great, its working properly. Thanks for sharing this document……. Tapas Karmakar (Oracle DBA)

  3. Pingback: Setup a Windows/Mac file server with Samba and Netatalk on RHEL6 in Active Directory | Mr Robot's Silly Ramblings

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s