Skip to main content

Redhat Linux ssh login using Active Directory Account

DNS infrastructure should work well In order that winbind funcitons properly. So check it first.
# host -t srv _kerberos._tcp.yourdomain.com
_kerberos._tcp.yourdomain.com has SRV record 0 100 88 adsrv1.yourdomain.com. 
_kerberos._tcp.yourdomain.com has SRV record 0 100 88 adsrv2.yourdomain.com. 

Necessary packages should be installed.
# yum install authconfig pam_krb5 samba-common

# chkconfig winbind on

Create AD users home directories container.
# mkdir /home/YOURDOMAIN
# chmod 0777 /home/YOURDOMAIN

Host name should have same FQDN with the AD domain name.
# hostname -f
srv2.yourdomain.com 

Authentication should be enabled and configured.
# authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=YOURDOMAIN --smbrealm=YOURDOMAIN.COM --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/YOURDOMAIN/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=YOURDOMAIN.COM --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

# service winbind restart

AD id's should be mapped against local id's. It's done by smb.conf
# vi /etc/samba/smb.conf
                /** Original **/ 
                workgroup = YOURDOMAIN 
                realm = YOURDOMAIN.COM 
                security = ads 
                idmap uid = 16777216-33554431 
                idmap gid = 16777216-33554431 
                template homedir = /home/YOURDOMAIN/%U 
                template shell = /bin/bash 
                winbind use default domain = true 
                winbind offline logon = false

                /** Change with these **/ 
                workgroup = YOURDOMAIN 
                realm = YOURDOMAIN.COM 
                security = ads 
                idmap domains = YOURDOMAIN 
                idmap config YOURDOMAIN:backend = rid 
                idmap config YOURDOMAIN:base_rid = 500 
                idmap config YOURDOMAIN:range = 500-1000000 
                #idmap uid = 16777216-33554431 
                #idmap gid = 16777216-33554431 
                template homedir = /home/YOURDOMAIN/%U 
                template shell = /bin/bash 
                winbind use default domain = true 
                winbind offline logon = false 

To allow members of an AD group to login with ssh PAM should be configured.
# vi /etc/pam.d/system-auth 
                /**  Original  **/ 
                auth required pam_env.so 
                auth sufficient pam_unix.so nullok try_first_pass 
                auth requisite pam_succeed_if.so uid >= 500 quiet 
                auth sufficient pam_krb5.so use_first_pass 
                auth sufficient pam_winbind.so use_first_pass 
                auth required pam_deny.so

                session optional pam_keyinit.so revoke 
                session required pam_limits.so 
                session optional pam_mkhomedir.so 
                session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
                session required pam_unix.so 
                session optional pam_krb5.so 

                /**  Change with these  **/ 
                auth required pam_env.so 
                auth sufficient pam_unix.so nullok try_first_pass 
                auth requisite pam_succeed_if.so user ingroup "linuxusers" debug
                auth requisite pam_succeed_if.so uid >= 500 quiet 
                auth sufficient pam_krb5.so use_first_pass 
                auth sufficient pam_winbind.so use_first_pass 
                auth required pam_deny.so 

                session optional pam_keyinit.so revoke 
                session required pam_limits.so 
                session optional pam_mkhomedir.so umask=0077
                session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
                session required pam_unix.so 
                session optional pam_krb5.so

# service winbind restart

After these srv2 can be joined to domain.
# net ads join -U aduser
aduser's password: 
Using short domain name -- YOURDOMAIN 
Joined 'srv2' to realm 'YOURDOMAIN.COM' 

# service winbind restart

After joining AD domain. Group info could be listed.
# wbinfo -g

Now you can login ssh session with AD account which is member of the linuxusers group.

Comments

Popular posts from this blog

Creating Multiple VLANs over Bonding Interfaces with Proper Routing on a Centos Linux Host

In this post, I am going to explain configuring multiple VLANs on a bond interface. First and foremost, I would like to describe the environment and give details of the infrastructure. The server has 4 Ethernet links to a layer 3 switch with names: enp3s0f0, enp3s0f1, enp4s0f0, enp4s0f1 There are two bond interfaces both configured as active-backup bond0, bond1 enp4s0f0 and enp4s0f1 interfaces are bonded as bond0. Bond0 is for making ssh connections and management only so corresponding switch ports are not configured in trunk mode. enp3s0f0 and enp3s0f1 interfaces are bonded as bond1. Bond1 is for data and corresponding switch ports are configured in trunk mode. Bond0 is the default gateway for the server and has IP address 10.1.10.11 Bond1 has three subinterfaces with VLAN 4, 36, 41. IP addresses are 10.1.3.11, 10.1.35.11, 10.1.40.11 respectively. Proper communication with other servers on the network we should use routing tables. There are three

Sending Jboss Server Logs to Logstash Using Filebeat with Multiline Support

In addition to sending system logs to logstash, it is possible to add a prospector section to the filebeat.yml for jboss server logs. Sometimes jboss server.log has single events made up from several lines of messages. In such cases Filebeat should be configured for a multiline prospector. Filebeat takes lines do not start with a date pattern (look at pattern in the multiline section "^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}" and negate section is set to true ) and combines them with the previous line that starts with a date pattern. server.log file excerpt where DatePattern: yyyy-MM-dd-HH and ConversionPattern: %d %-5p [%c] %m%n Logstash filter: