Introduction

I've been curious for some time to see how Active Directory users could natively authenticate to Linux, or, said a different way, how to configure Linux to allow AD users to log in without having to create those users manually on each and every Linux box.

Although there are several ways to accomplish this, I found that the easiest and least time-consuming one is to use Samba WinBind. Later I will show how to use Oracle Internet Directory (OID) to accomplish the same feat.

Using an IdM solution (AD, OID) helps reduce the time needed to deploy users: you can centrally manage access to Linux servers from the Active Directory Users and Computers (ADUC) app, and you can grant administrative tasks through sudo depending on the groups the users belong to.

For my proof of concept I created two virtual machines, one with Windows Server 2012 Essentials and another with Oracle Linux 7.1.

In AD I created one group named osd-linux-oretail and several test users, some of which belong to this group.
Installing Prerequisites

The following Linux packages are needed to enable Oracle Linux to authenticate users against Windows AD.

Configure Authentication Services

Once all the packages are in place, you need to configure WinBind to connect to your AD domain controller. For this we use the authconfig-tui command as root.
When the application is open for the first time, you’ll get some preselected options, such as below:
[sourcecode language="shell"]sudo authconfig-tui[/sourcecode]
- Domain is the AD domain name.
- Domain controller is the host(s) that belong to this Domain.
- ADS Realm is the Fully Qualified Domain Name (FQDN) of the domain.
You can now close the application. If everything went fine, you'll see something like this:
(in the format user@domain). I really don't like that, so I updated smb.conf with the changes listed below.
[sourcecode language="plain"]#Generated by authconfig on 2015/08/12 16:29:41
#DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
#Any modification may be deleted or altered by authconfig in future
workgroup = OSDTST
password server = osdtstad
realm = OSDTST.LOCAL
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = false
winbind offline logon = false
template homedir = /home/%D/%U
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2[/sourcecode]
Enable Linux to autocreate the home directory for new users

The other thing you may have noticed is that after logging in, the system complains that it couldn't create the home directory. You have the option to create the home directories for the users manually, but I'd rather let winbind/Linux create the home directory automatically when the user logs in for the first time. To enable this, run the following command as root:
[sourcecode language="shell"]authconfig --enablemkhomedir --update[/sourcecode]
After this, when the user logs in for the first time, the home directory will be automatically created.
Restricting/Granting access to Active Directory users

The last step of this POC is to grant or restrict access to users based on an AD group. For this test I created two users, test01 and test02 (very original); test01 belongs to osd-linux-oretail, test02 does not. My test is very simple: I will allow users in the group osd-linux-oretail to sudo to any user and execute any command they want. For this I simply add the following line to the sudoers file (remember to use visudo for this action).

[sourcecode language="plain"]## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
%osd-linux-oretail ALL=(ALL) ALL[/sourcecode]

There are plenty of guides on setting up the sudoers file; this is just a minimal setup.
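The sudoers line above only works with the bare group name because smb.conf ends up with "winbind use default domain = yes" in effect: Samba applies the last occurrence of a parameter repeated within a section, so the appended "yes" overrides the "false" that authconfig wrote. The following script is an added example, not from the original post; it resolves the effective value from an smb.conf and derives the matching sudoers group spelling, assuming Samba's last-occurrence-wins rule and its default winbind separator of a backslash (the smb.conf fragment it parses is constructed).

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Samba applies the LAST occurrence
# of a parameter repeated in a section, so the appended
# "winbind use default domain = yes" overrides authconfig's "false"; the
# sudoers spelling of an AD group depends on which value is in effect.
# Effective value of parameter $2 in smb.conf $1 (last occurrence wins).
# Names compare case-insensitively with whitespace removed, as Samba does.
smb_effective() {
    awk -v key="$2" '
        BEGIN { gsub(/[ \t]/, "", key) }
        /^[ \t]*[#;]/ { next }                          # comment line
        {
            p = index($0, "="); if (!p) next            # section header etc.
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# sudoers group spec for AD group $2 under smb.conf $1: a bare name when
# "winbind use default domain" is on, otherwise WORKGROUP<separator>group
# (separator defaults to "\", which sudoers needs escaped as "\\").
sudoers_group_spec() {
    local def wg sep
    def=$(smb_effective "$1" "winbind use default domain" | tr 'A-Z' 'a-z')
    case "$def" in
        yes|true|1) printf '%%%s\n' "$2" ;;
        *)
            wg=$(smb_effective "$1" "workgroup")
            sep=$(smb_effective "$1" "winbind separator")
            if [ -z "$sep" ] || [ "$sep" = '\' ]; then sep='\\'; fi
            printf '%%%s%s%s\n' "$wg" "$sep" "$2" ;;
    esac
}

# Constructed smb.conf mirroring the post: authconfig's "false", then the appended "yes".
demo() {
    local conf; conf=$(mktemp)
    cat > "$conf" <<'EOF'
[global]
workgroup = OSDTST
winbind use default domain = false
winbind use default domain = yes
EOF
    echo "effective: $(smb_effective "$conf" 'winbind use default domain')"
    echo "sudoers:   $(sudoers_group_spec "$conf" osd-linux-oretail) ALL=(ALL) ALL"
    rm -f "$conf"
}
demo
```

If the "yes" line were missing, the same group would have to be written as %OSDTST\\osd-linux-oretail in sudoers, which is the kind of mismatch that silently leaves AD users without sudo rights.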
The test worked as designed: test01 was able to sudo to root: