{"id":6533,"date":"2017-03-09T19:25:18","date_gmt":"2017-03-09T11:25:18","guid":{"rendered":"http:\/\/rmohan.com\/?p=6533"},"modified":"2017-03-09T19:29:12","modified_gmt":"2017-03-09T11:29:12","slug":"add-a-red-hat-enterprise-linux-6-system-to-microsoft-active-directory","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6533","title":{"rendered":"Add a Red Hat Enterprise Linux 6 system to Microsoft Active Directory"},"content":{"rendered":"

Add a Red Hat Enterprise Linux 6 system to Microsoft Active Directory<\/p>\n

UPDATE!! .. This article also works perfectly on Windows 2012 Server as well as Windows Server 2008. The process is exactly the same.<\/p>\n

I\u2019ve had countless numbers of people ask me over the years how to add a Linux system to Active Directory.<\/p>\n

Here is a really quick and simple way to do it using Windbind for userlookups, and Kerberos for authentication.<\/p>\n

In this example, I will be using the below details<\/p>\n

Windows Domain Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 rmohan.com
\nWindows Domain NetBIOS Name: RMOHAN
\nDomain Controller:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dc1.rmohan.com
\nClient Server name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 server01.rmohan.com<\/p>\n

Setup<\/p>\n

1. Firstly, install the necessary components.<\/p>\n

yum install -y samba-winbind samba-winbind-clients oddjob-mkhomedir pam_krb5 krb5-workstation<\/p>\n

2. Make sure OddJobd is running at Startup. This is only for Red Hat Enterprise Linux 6 and other Red Hat based Operating systems.<\/p>\n

Red Hat Enterprise Linux 5 will use pam_mkhomedir. pam_mkhomedir has SELinux issues at present, so oddjobd is the way to go.<\/p>\n

chkconfig oddjobd on<\/p>\n

3. Set authconfig to point to the relevant systems for Authentication.
\nNote: If you do not wish your users to log into your server via a shell, set \u2013winbindtemplateshell to \u2013winbindtemplateshell=\/sbin\/nologin<\/p>\n

authconfig –update –kickstart –enablewinbind –smbsecurity=ads –smbworkgroup=RMOHAN –smbrealm=rmohan.com –winbindtemplatehomedir=\/home\/%U –winbindtemplateshell=\/bin\/bash –enablewinbindusedefaultdomain –enablelocauthorize –enablekrb5 –krb5realm=RMOHAN.COM –enablekrb5kdcdns –enablekrb5realmdns –enablepamaccess<\/p>\n

4. Just like in Windows, Add your system to the domain. Here I have used the Domain Administrator account, but any account with enough rights to add a system to the domain will suffice.<\/p>\n

[root@server ~]# net ads join -U Administrator
\nEnter Administrator’s password:
\nUsing short domain name — RMOHAN
\nJoined ‘server’ to realm ‘rmohan.com’<\/p>\n

Note: As you are now dealing with Active Directory, it now becomes time sensitive. Make sure your system clock is pointing to one of your Domain Controllers as the RMOHANP server.<\/p>\n

Otherwise you will end up with errors like this when you try to add the system to the domain.<\/p>\n

[root@server ~]# net ads join -U Administrator
\nEnter Administrator’s password:
\nUsing short domain name — RMOHAN
\nJoined ‘SERVER’ to realm ‘rmohan.com’
\n[2012\/07\/06 17:24:04.397769,\u00a0 0] libads\/kerberos.c:333(ads_kinit_password)
\nkerberos_kinit_password SERVER$@RMOHAN.EXAMPLE.COM failed: Clock skew too great
\n[root@server ~]#<\/p>\n

5. Configure Winbind Backend
\nThe default Winbind backend is great for single systems being added to Active Directory, however if you are in a very large Linux estate like I usually am, you will need to change the backend to ensure that all UID\u2019s\/GID\u2019s match across all your systems.<\/p>\n

To do this, add the below two lines to your global Samba configuration. Replace \u201cRMOHAN\u201d with your own Domain name.<\/p>\n

idmap config RMOHAN:backend = rid
\nidmap config RMOHAN:range = 10000000-19999999
\nkerberos method = dedicated keytab
\ndedicated keytab file=\/etc\/krb5.keytab<\/p>\n

Just so we are on the same page, my global configuration now looks like this<\/p>\n

workgroup = RMOHAN
\nrealm = RMOHAN.EXAMPLE.COM
\nsecurity = ads
\nidmap uid = 16777216-33554431
\nidmap gid = 16777216-33554431
\nidmap config RMOHAN:backend = rid
\nidmap config RMOHAN:range = 10000000-19999999
\nkerberos method = dedicated keytab
\ndedicated keytab file=\/etc\/krb5.keytab
\ntemplate homedir = \/home\/%U
\ntemplate shell = \/bin\/bash
\nwinbind use default domain = true
\nwinbind offline logon = false<\/p>\n

6. Restart Winbind service
\nOnce you have added your system to the domain, it is important to restart the Winbind service.<\/p>\n

[root@server ~]# service winbind restart
\nShutting down Winbind services:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [FAILED]
\nStarting Winbind services:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [\u00a0 OK\u00a0 ]
\n[root@server ~]#<\/p>\n

7. Create a Kerberos keytab to enable Single Sign On (SSO)<\/p>\n

[root@server ~]# net ads keytab create -U Administrator
\nEnter Administrator’s password:
\n[root@server ~]#<\/p>\n

8. Test configuration. If you receive no output for a known username, then something is wrong.<\/p>\n

[root@server ~]# getent passwd Administrator
\nadministrator:*:16777216:16777216:Administrator:\/home\/administrator:\/bin\/bash
\n[root@server ~]#<\/p>\n

or, if you enabled shell logins,<\/p>\n

User@workstation:~$ ssh Administrator@server.rmohan.com
\nAdministrator@server.rmohan.com’s password:
\nYour password will expire in 11 days.<\/p>\n

Creating home directory for administrator.
\n[administrator@server ~]$<\/p>\n

9. This is optional, your home directory will not exist on the system when a new user logs in, run the below command if you with to have the homedir automatically created on first login.<\/p>\n

[root@server ~]# authconfig –enablemkhomedir –update
\nStarting Winbind services:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [\u00a0 OK\u00a0 ]
\nStarting oddjobd:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [\u00a0 OK\u00a0 ]
\n[root@server ~]#<\/p>\n

 <\/p>\n

authconfig –enablemkhomedir –update<\/p>\n

service messagebus restart<\/p>\n

\/etc\/init.d\/oddjobd restart<\/p>\n

service winbind restart<\/p>\n

 <\/p>\n

 <\/p>\n

\n

Oddjobd fails to start [FIXED]<\/h1>\n

\n<\/header>\n

\n

I was configuring a new CentOS 6.5 machine to accept Active Directory logins and up until recently you could use the trust pam_mkhomedir.so to auto create home directories on login. This has since been replaced by a new system called Oddjobd and after the standard authconfig tool I enabled the auto create home directories and then Oddjobd fails to start.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n<\/td>\n
\n
\n
[root@host ~]# service oddjobd start<\/code><\/div>\n
Starting oddjobd:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [ FAILED ]<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

I did a bit of searching and couldn\u2019t find anything in the logs on the machine or on the net with regards to this. So here is the post. Oddjobd requires access to the system message bus (dbus) and when trying to login to the machine with an AD account I got an error message.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n<\/td>\n
\n
\n
org.freedesktop.DBus.Error.FileNotFound: Failed to connect to socket \/var\/run\/dbus\/system_bus_socket: No such file or directory<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

This pointed out that the message bus wasn\u2019t working or was broken. So first thing I did was check the status of the messagebus and it wasn\u2019t running. I started up messagebus service and then oddjobd started fine.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n<\/td>\n
\n
\n
[root@host ~]# service messagebus restart<\/code><\/div>\n
Stopping system message bus: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [ FAILED ]<\/code><\/div>\n
Starting system message bus: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [ OK ]<\/code><\/div>\n
[root@host ~]# service oddjobd start<\/code><\/div>\n
Starting oddjobd: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0[\u00a0OK\u00a0]<\/code><\/div>\n
[root@host ~]#<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

I was then able to login with my AD user and it auto created the home directory as required .<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Add a Red Hat Enterprise Linux 6 system to Microsoft Active Directory<\/p>\n

UPDATE!! .. This article also works perfectly on Windows 2012 Server as well as Windows Server 2008. The process is exactly the same.<\/p>\n

I\u2019ve had countless numbers of people ask me over the years how to add a Linux system to Active Directory.<\/p>\n

[…]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6533"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6533"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6533\/revisions"}],"predecessor-version":[{"id":6536,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6533\/revisions\/6536"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}