Active Directory (AD) integration provides Linux-level access for operational users through non-Ribbon Linux accounts, that is, accounts created in AD rather than the platform's built-in accounts.
Products on the LINTEL platform register with the Microsoft Active Directory server. Operational users created on the Active Directory server log on to the system using RADIUS authentication.
Ribbon platforms register to the Windows Active Directory domain. Once registration completes, users created in Active Directory can log on to the Linux systems; authentication is completed by the Active Directory server.
Centralized authentication of user accounts at the Linux level is performed by Microsoft Active Directory using RADIUS authentication with Kerberos.
The feature is not supported for GUI login or for Ribbon Linux accounts such as root, ssuser, insight, and so on.
AD authentication in the PSX cloud environment is available only when the instance is deployed using password-based authentication. If the instance is deployed using key-based authentication and password-based authentication is disabled, AD authentication is not supported.
The following features are supported:
- Configuring the AD server domain name and IP in the Linux machine.
- Resolving the IP address of the AD server from the domain name.
- User authentication is enabled from both the local database and the AD server.
- All valid AD users can log on to the Linux machine. The users are authenticated using
- Unregistered users cannot log in.
The prerequisites for integrating Linux systems with the Active Directory server are as follows:
- Install Windows Server with a running RADIUS server.
- Configure networking in the Windows Server, including IP, netmask, and gateway.
- Install Active Directory Domain Services in the Windows Server.
- Configure the Domain Name Server (DNS) in the Windows Server. The DNS must point to the Active Directory server (if DNS is hosted in the Domain Controller).
- Configure the server as a domain controller.
- Set the domain name for the Active Directory Domain Controller.
- Ensure the Windows Server can ping the Linux machine.
- Ensure Linux machines can ping the Active Directory server.
- Ensure the clocks of the Linux machine and the AD server are synchronized.
- Ensure the required tools and packages are installed on the Linux machine.
- Create the operational users from Active Directory. Only the operational users are authenticated via Active Directory, not the local users.
- Ensure AD users are assigned a password in Active Directory when the users are added.
- Ensure application-specific and system accounts do not exist on the AD server.
- Ensure the host name of the Linux machine is limited to 15 characters.
To register a Linux machine in Windows Active Directory:
Log on to the Linux machine as the "root" user.
Check whether the following RPMs are installed:
Make sure that you can ping the Windows/AD server IP from the Linux machine:
Take a backup of the files to modify as part of this procedure:
Modify the /etc/hosts file so that the Linux machine can resolve the name of the Active Directory Domain Controller (ADDC).
If the Linux host name is psx, the domain name is testdom.local, the Windows Server name is testdc, the NetBIOS domain name is testdom, the host IP is 10.54.58.52, and the Windows Server IP is 10.54.58.35, append the following to the /etc/hosts file:
Ping the Windows Server to confirm that DNS resolution is working properly:
Verify that the ping and the name resolution are successful.
Ensure the server time offset is minimal or zero. If the offset is not zero, make sure the clock time on the Windows Server is correct and that the NTP server and time zone are configured properly on the Linux host. Also ensure the ntpd service is running.
Configure the AD domain name, realm, and UID mapping in Samba in the file /etc/samba/smb.conf.
To configure, replace the workgroup and realm values and execute the following command:
The parameters are:
- workgroup: Specifies the workgroup for the client. You can specify the NetBIOS name of the domain or a short domain name.
- realm: Specifies the domain the client is a part of. You must provide a full domain name.
- client use spnego: Enables Simple and Protected GSSAPI Negotiation (SPNEGO).
- winbind enum users: If set to No, calls to the getpwent system call return no data. If set to Yes, a query such as "getent passwd" lists all users (including AD users).
- winbind enum groups: Returns all groups (including AD groups) when queried using "getent group".
- winbind use default domain: If set to No (recommended), you must always specify AD users together with the domain name, for example "DOMAIN_NAME+ADusername".
- winbind separator: The separator winbind places between DOMAIN_NAME and AD_USERNAME; set to "+" here. Example: "DOMAIN_NAME+ADusername".
- idmap config * : backend: The backend database used to map user IDs (UIDs) for AD users (tdb). It allocates UIDs for new AD users.
- idmap config * : range: Specifies the UID range allocated to AD users. In Lintel systems, the UID range for normal users is 1000-60000, as specified in /etc/login.defs. Adjust the range according to your needs; here the range is 1500-2000.
- template shell: Specifies the shell to allocate for a new user.
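An added example, not part of the Ribbon documentation: it renders the Samba [global] settings from the parameter list above for the constructed testdom.local values, and checks the two constraints the procedure depends on (the 15-character host name limit and an idmap range inside the normal-user UID range). "security = ads" and the /bin/bash template shell are assumptions not taken from the page.

```shell
# Added example (not Ribbon's own code). Renders the smb.conf [global] section
# described above and validates host name length and idmap range. Nothing is
# written to /etc; output goes to stdout so it can be reviewed before copying.

render_smb_global() {
    # $1 = workgroup (NetBIOS domain name), $2 = realm (full AD domain name)
    workgroup=$1
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')   # realms are written in upper case
    cat <<EOF
[global]
   workgroup = $workgroup
   realm = $realm
   security = ads
   client use spnego = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = no
   winbind separator = +
   idmap config * : backend = tdb
   idmap config * : range = 1500-2000
   template shell = /bin/bash
EOF
}

check_hostname_len() {
    # AD computer (NetBIOS) names are limited to 15 characters, as the prerequisites state
    if [ ${#1} -le 15 ]; then echo ok; else echo too-long; fi
}

check_idmap_range() {
    # $1 = low UID, $2 = high UID. The range must be ordered and lie inside the
    # normal-user range 1000-60000 from /etc/login.defs so AD users never
    # collide with system accounts such as root, ssuser or insight.
    if [ "$1" -ge 1000 ] && [ "$2" -le 60000 ] && [ "$1" -lt "$2" ]; then
        echo ok
    else
        echo bad
    fi
}

# Constructed values from the procedure: host psx, NetBIOS domain testdom, realm testdom.local
check_hostname_len psx
check_idmap_range 1500 2000
render_smb_global testdom testdom.local
```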
Join the domain (testdom.local) by executing the following command from the Linux machine:
Only a user with administrative privileges on the Windows Server can join the Linux machine to the Active Directory domain.
The command prompts for a password: enter the password for the Windows Server user "administrator".
The following output displays:
To test that the join is successful:
The following output displays:
Validate all the information:
Start and enable the winbind service:
Verify the system can talk to the Active Directory:
Ensure that the Name Service Switch (NSS) configuration file /etc/nsswitch.conf points to "winbind" for the passwd, group, and shadow databases by adding "winbind" to each of those entries. Make sure that /etc/nsswitch.conf includes the following entries:
The order of the databases in the file is important. In the example, local authentication is attempted first; only if it fails is winbind authentication from AD tried.
Enable winbind authentication and automatic creation of the user's home directory:
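An added example, not part of the Ribbon documentation: a small check that an nsswitch.conf lists "files" before "winbind" for passwd, group and shadow, the order the step above relies on so that local accounts are resolved before AD. The two sample files are constructed for the demonstration.

```shell
# Added example (not Ribbon's own code). Verifies the files-before-winbind
# ordering for the three databases the procedure changes.

check_nsswitch_order() {
    # $1 = path to an nsswitch.conf. Prints "ok" when passwd, group and shadow
    # all list files first and winbind after it; otherwise prints "bad:<db>"
    # for the first database that is missing winbind or has it before files.
    for db in passwd group shadow; do
        line=$(grep -E "^[[:space:]]*$db:" "$1" | head -n 1)
        case "$line" in
            *files*winbind*) ;;                 # local database first, then AD via winbind
            *) echo "bad:$db"; return 1 ;;
        esac
    done
    echo ok
}

# Constructed sample: correct ordering, as the procedure expects
GOOD_NSS=$(mktemp)
printf 'passwd:  files winbind\ngroup:   files winbind\nshadow:  files winbind\nhosts:   files dns\n' > "$GOOD_NSS"

# Constructed sample: group has winbind before files, shadow lacks winbind entirely
BAD_NSS=$(mktemp)
printf 'passwd:  files winbind\ngroup:   winbind files\nshadow:  files\n' > "$BAD_NSS"

check_nsswitch_order "$GOOD_NSS"
check_nsswitch_order "$BAD_NSS" || true
```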
Test resolving AD users and groups:
Test whether authentication for an AD user is successful: