This feature is supported from EMS V11.01.00R000 and PSX V12.00.00R000 release.

The Active Directory (AD) server provides Linux-level access for non-Ribbon Linux accounts, that is, for any operational user.

Products on the LINTEL platform register with the Microsoft Active Directory server. Any operational users created on the Active Directory server log onto the system using RADIUS authentication.

Ribbon platforms register to the Windows Active Directory domain. Once the registration completes, users created in the Active Directory log onto the Linux systems, where authentication is completed by the Active Directory server.

Centralized authentication of user accounts at the Linux level occurs on the Microsoft Active Directory server using RADIUS authentication with Kerberos.

The feature is not supported for GUI login and Ribbon Linux accounts such as root, ssuser, insight, and so on.

AD authentication support in the PSX cloud environment is available only when the instance is deployed using password-based authentication. If the instance is deployed using key-based authentication and password-based authentication is disabled, AD authentication is not supported.

The following features are supported:

  • Configuring the AD server domain name and IP in the Linux machine.
  • Resolving the IP address of the AD server from the domain name.
  • User authentication is enabled from both the local database and the AD server.
  • All valid AD users can log on to the Linux machine. The users are authenticated using winbind.
  • Unregistered users cannot log in.

Prerequisites

The prerequisites for integrating Linux systems with the Active Directory Server are as follows:

  • Install Windows Server with the RADIUS server running.
  • Configure networking in the Windows Server including IP, Netmask, and Gateway.
  • Install the Active Directory Domain Services in the Windows Server.
  • Configure the Domain Name Server (DNS) in the Windows server. The DNS must point to the Active Directory server (if DNS is hosted on the Domain Controller).
  • Configure the server as a domain controller.
  • Set the domain name for the Active Directory Domain Controller.
  • Ensure the Windows server can ping the Linux machine.
  • Ensure Linux machines can ping the Active Directory Server.
  • Ensure the clock between the Linux machine and AD server is synchronized.
  • Ensure the tools and packages are installed on the Linux machine.
  • Create the operational users from the Active Directory.

    Only the operational users are authenticated via the Active Directory, not the local users.

  • Ensure AD users are given a password in the Active Directory while adding the users.
  • Ensure application-specific and system accounts do not exist on the AD server.
  • Ensure the host name of the Linux machine is limited to 15 characters.

Procedure

To register a Linux machine in Windows Active Directory:

  1. Log onto the Linux machine as the "root" user.

  2. Check whether the following RPMs are installed:
    • samba
    • samba-client
    • samba-winbind
    • samba-winbind-clients
    • samba-common

    rpm -qa | grep samba
  3. Make sure that you can ping the Windows/AD server IP from the Linux machine:

    ping "Windows Server IP"
  4. Take a backup of the files to modify as part of this procedure:

    mkdir backup
    cp --parents -p /etc/hosts backup
    cp --parents -p /etc/resolv.conf backup
    cp --parents -p /etc/samba/smb.conf backup
    cp --parents -p /etc/sysconfig/authconfig backup
    cp --parents -p /etc/nsswitch.conf backup
    cp --parents -p /etc/pam.d/fingerprint-auth-ac backup
    cp --parents -p /etc/pam.d/smartcard-auth-ac backup
    cp --parents -p /etc/pam.d/password-auth-ac backup
    cp --parents -p /etc/pam.d/system-auth-ac backup
  5. Modify the /etc/hosts file so that the Linux machine can resolve the name of the Active Directory Domain Controller (ADDC):

    host_IP  "linux-hostname"."Active Directory Domain name"  "linux-hostname"
    Windows server IP   "Windows Server computer name"  "Windows Server computer name"."Active Directory Domain name"  "Domain netbios name" "Domain netbios name in caps"  "Active Directory Domain name"

    For example:

    If linux hostname = psx, domain name = testdom.local, Windows Server name = testdc, netbios domain name = testdom, host ip = 10.54.58.52, Windows Server IP = 10.54.58.35

    Append the following to the /etc/hosts file:

    10.54.58.52  psx.testdom.local  psx
    10.54.58.35  testdc  testdc.testdom.local  testdom  TESTDOM  testdom.local

  6. Ping the Windows Server to verify that DNS resolution is working properly:

    ping "Windows Server computer name"."Active Directory Domain name"

    Verify that the ping and name resolution are successful.

    Ensure the server time offset is minimal or zero. If the offset is not zero, make sure the clock time in the Windows server is correct and that the NTP server and time zone are configured properly in the Linux host. Also, ensure the ntpd service is running.


    1. Configure the AD domain name, realm, and UID mapping for Samba in the file /etc/samba/smb.conf.

      To configure, replace the workgroup and realm values and execute the following command:

      cat >/etc/samba/smb.conf << EOF
         [global]
         workgroup = "Domain Netbios name"
         realm = "Active Directory Domain name"
         security = ADS
         client use spnego = yes 
         server signing = auto 
         server string = Samba Server 
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = no
         winbind separator = +
       
         idmap config * : backend = tdb
         idmap config * : range = 1500-2000
       
         template shell = /bin/bash
      EOF
      

      Table: Parameters

      Parameter: Description
      workgroup: Specifies the workgroup for the client. You can specify the NetBIOS name of the domain or a short domain name.
      realm: Specifies the domain the client is a part of. You must provide the full domain name.
      client use spnego: Enables Simple and Protected GSSAPI Negotiation (SPNEGO).
      winbind enum users: If set to No, calls to the getpwent system call do not return any data. If set to Yes, a query such as "getent passwd" lists all users (including AD users).
      winbind enum groups: Returns all groups (including AD groups) when queried using "getent group".
      winbind use default domain: If set to No (recommended), you must always specify AD users together with the domain name, for example "DOMAIN_NAME+ADusername".
      winbind separator: Separator used by winbind between DOMAIN_NAME and AD_USERNAME; set to "+". Example: "DOMAIN_NAME+ADusername".
      idmap config * : backend: The backend used to map AD users to Unix user IDs (UIDs). tdb (a local trivial database) allocates the UIDs for new AD users.
      idmap config * : range: Specifies the UID range allocated to AD users. In LINTEL systems, the UID range for normal users is 1000-60000, as specified in /etc/login.defs. Adjust the range according to use. The range here is 1500-2000.
      template shell: Specifies the shell allocated to a new user: /bin/bash

  7. Join the domain (testdom.local) by executing the following command from the Linux machine:

    Only a user with administrative privilege on the Windows Server can join the Linux machine to the Active Directory domain.

    net ads join -S testdc.testdom.local -U administrator

    This prompts the user for a password: enter the password for the Windows server user "administrator".

    The following output displays:

    Using short domain name -- TESTDOM
    Joined 'PSX' to dns domain 'testdom.local'
    DNS update failed: NT_STATUS_UNSUCCESSFUL

    The "DNS update failed" warning is expected and can be ignored.
  8. To test that the join is successful:

    net ads testjoin

    The following output displays:

    Join is OK
  9. Validate all the information:

    net ads info
  10. Start and enable the winbind service:

    systemctl enable winbind
    systemctl start winbind
    systemctl status winbind
  11. Verify the system can talk to the Active Directory:

    1. Check whether the trust secret via RPC calls succeeded:

    wbinfo -t

    Sample output: checking the trust secret for domain TESTDOM via RPC calls succeeded

    2. List AD users:

    wbinfo -u

    3. List AD groups:

    wbinfo -g

    4. Get information about a particular AD user:

    wbinfo -i "DOMAINNAME+username"

    Sample output for user test: test:*:1506:1500:test test:/home/TESTDOM/test:/bin/bash
  12. Ensure that the Name Service Switch (NSS) configuration file /etc/nsswitch.conf points to "winbind" for the passwd, shadow, and group databases by adding "winbind" to each of those entries. Make sure that the /etc/nsswitch.conf file includes the following entries:

    passwd:     files  winbind
    shadow:     files  winbind
    group:      files  winbind

    The order of the sources in each entry is important. In this example, the local files are consulted first, and winbind (AD) is tried only if the local lookup fails.

  13. Enable winbind authentication and automatic creation of the user's home directory:

    authconfig --enablewinbindauth  --enablemkhomedir --update
  14. Test resolving AD users and groups:

    ##To list all the users, local and Active Directory users
    
    getent passwd
    
    ##To list all groups , local + AD groups
    
    getent group
    
    ## Query for a particular AD user 
    
    id "DOMAIN_NAME"+"username"
  15. Test whether authentication for an AD user is successful:

    ## Switch to the Active Directory user over SSH

    ssh DOMAIN_NAME+ADuser_name@127.0.0.1
    DOMAIN_NAME+ADuser_name@127.0.0.1's password:
    Creating home directory for DOMAIN_NAME+ADuser_name.
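As an added example (not part of the Ribbon documentation or product), the following POSIX shell script checks the settings the procedure above edits: the smb.conf security mode and "winbind use default domain" value, that the idmap UID range stays inside the /etc/login.defs bounds and collides with no local account, the files-before-winbind order in nsswitch.conf, and the 15-character hostname limit from the prerequisites. The sample files it writes are constructed to mirror the page's example values; the function names and file layout are this example's own.

```shell
#!/bin/sh
# Added example, not Ribbon's code: sanity checks for the settings this procedure
# edits. The files written below are constructed samples mirroring the page's values.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/smb.conf" << 'EOF'
[global]
workgroup = TESTDOM
realm = testdom.local
security = ADS
winbind use default domain = no
idmap config * : backend = tdb
idmap config * : range = 1500-2000
EOF
printf 'passwd:     files  winbind\nshadow:     files  winbind\ngroup:      files  winbind\n' > "$tmp/nsswitch.conf"
printf 'UID_MIN 1000\nUID_MAX 60000\n' > "$tmp/login.defs"
printf 'root:x:0:0:root:/root:/bin/bash\nssuser:x:1001:1001::/home/ssuser:/bin/bash\n' > "$tmp/passwd"
# Print the trimmed value of parameter $2 from smb.conf $1 (first match only).
smb_value() {
    awk -F= -v k="$2" '{ key=$1; gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == k) { v=$2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}
# 0 if the idmap range lies inside the login.defs UID bounds and no local UID falls in it
# (a collision would make a local account and an AD account share one UID).
check_idmap_range() {  # $1=smb.conf $2=login.defs $3=passwd
    range=$(smb_value "$1" "idmap config * : range"); lo=${range%-*}; hi=${range#*-}
    min=$(awk '$1=="UID_MIN"{print $2}' "$2"); max=$(awk '$1=="UID_MAX"{print $2}' "$2")
    [ "$lo" -ge "$min" ] && [ "$hi" -le "$max" ] || return 1
    ! awk -F: -v lo="$lo" -v hi="$hi" '$3>=lo && $3<=hi {c=1} END {exit !c}' "$3"
}
# 0 if passwd, shadow and group each list "files" before "winbind".
check_nsswitch() {  # $1=nsswitch.conf
    for db in passwd shadow group; do
        awk -v db="$db:" '$1==db { f=0; w=0
            for (i=2; i<=NF; i++) { if ($i=="files") f=i; if ($i=="winbind") w=i }
            ok = (f && w && f < w) } END {exit !ok}' "$1" || return 1
    done
}
# 0 if the hostname fits the 15-character limit the prerequisites require.
check_hostname() { [ "${#1}" -le 15 ]; }
# 0 only when every check passes; reports the first failure on stdout.
check_all() {  # $1=directory holding the four files, $2=Linux hostname
    [ "$(smb_value "$1/smb.conf" security)" = "ADS" ] || { echo "security is not ADS"; return 1; }
    [ "$(smb_value "$1/smb.conf" "winbind use default domain")" = "no" ] || { echo "default domain must be no"; return 1; }
    check_idmap_range "$1/smb.conf" "$1/login.defs" "$1/passwd" || { echo "idmap range out of bounds or colliding"; return 1; }
    check_nsswitch "$1/nsswitch.conf" || { echo "nsswitch must list files before winbind"; return 1; }
    check_hostname "$2" || { echo "hostname exceeds 15 characters"; return 1; }
}
check_all "$tmp" psx && echo "AD integration checks passed"
```

Point the functions at the real /etc/samba/smb.conf, /etc/nsswitch.conf, /etc/login.defs and /etc/passwd to run the same checks on a host after step 13.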