In this tutorial, we will discuss how to integrate Linux Servers(Centos/RHEL) with Windows Active Directory for authentication purposes. In my case, I have Centos/RHEL 6 servers. Follow the below steps to integrate these servers with AD using samba, winbind, and Kerberos.

Step 1: Install the samba-winbind and kerberos packages.

# yum install samba-winbind samba-winbind-clients samba krb5-libs  krb5-workstation pam_krb5

Step 2: Time synchronization.

AD is very picky about the time matching during authentication. So linux server and AD server time should be synchronized to the ntp server. Use the below command to sync the time of the Linux server with ntp server.

# ntpdate [ntp-server-ip-address/dns-name]

To make above configuration permanent edit the file “/etc/ntp.conf” and just replace what’s there with one or more NTP servers on your domain, like:

# vi /etc/ntp.conf
server [ntp-server-ip-address/dns-name]

Start the Service:

# /etc/init.d/ntpd start
# chkconfig ntpd on

Step 3: Edit the /etc/hosts file.

# vi /etc/hosts
[ip-address]  adserver.yourdomain adserver

Step 4: Edit /etc/krb5.conf.

# vi /etc/krb5.conf
[domain_realm]
yourdomain = YOURDOMAIN
[libdefaults]
    ticket_lifetime = 24000
    default_realm = YOURDOMAIN
    dns_lookup_realm = true
    dns_lookup_kdc = false
    cache_type = 1
    forwardable = true
    proxiable = true
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc
    allow_weak_crypto = no
[realms] 
    YOURDOMAIN = {
    kdc = [ip address of AD server:Port]
    admin_server = [ip address of AD server:Port]
    default_domain = yourdomain
  }
[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
[logging]
  default = FILE:/var/krb5/kdc.log
  kdc = FILE:/var/krb5/kdc.log
  admin_server = FILE:/var/log/kadmind.log

Step 5: Now Test the Kerberos Authentication.

If it prompts for the password, enter your user ad password, if everything is ok, then we will get the prompt otherwise re-check krb5.conf file.

Step 6: Now Configure Samba and Winbind.

Edit /etc/samba/smb.conf.

# vi /etc/samba/smb.conf
[global]
    workgroup = [Workgroup-Name]
    netbios name = site2       ## replace the site2 with hostname
    realm = 
    security = ADS
    template shell = /bin/bash
    idmap backend = tdb
    idmap uid = 1-100000000
    idmap gid = 1-100000000
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind separator = /
    winbind nss info = sfu
    winbind offline logon = true
    hosts allow = 127.0.0.1 0.0.0.0/0
    obey pam restrictions = yes
    socket options = TCP_NODELAY
    max log size = 150
    passdb backend = tdbsam
    printing = cups
    load printers = yes
    cups options = raw
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    interfaces = eth0 lo
    bind interfaces only = yes
    winbind refresh tickets = true
    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 3
    encrypt passwords = yes
    #map untrusted to domain = yes
    #auth methods = winbind guest sam
    map untrusted to domain = Yes
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = yes
    public = yes
    guest ok = yes
    writable = no
    printable = yes

Step 7: Configure /etc/nsswitch.conf file to handle authentication.

# vi /etc/nsswitch.conf
passwd:   compat winbind
shadow:   winbind
group:      compat winbind

Step 8: Now restart winbind & Samba services.

# /etc/init.d/smb restart
# /etc/init.d/winbind restart

Now join a domain:

# net ads join -U [User Name]

If the above command reports “Join is OK”, then test winbind:

Command to lists all the AD users:

Step 9: Now do the testing & try to login to linux server via AD user credentials.

# ssh [username]@[ipaddress or hostname of linux server]