
How to use Winbind to authenticate against AD on RHEL/CentOS 5.x (Automated scripts)

  July 28th, 2010 | Linux | Max Sanna

CAN HAS EASIR AD LOGIN PLZ?

In this short blog post we’ll provide a quick and easy way to automate joining a RHEL/CentOS box to Active Directory, while restricting login to certain Active Directory groups only.

If you have ever had to do this before, you’ll know it involves a large number of steps and is very prone to configuration errors that may even lock you out of the server.

The process is divided into two parts. The first script, ad-prep.sh, installs the necessary components, sets up NTP and a few hosts entries, and then prints instructions on how to use the text-mode authconfig-tui; the second script, ad-phase2.sh, applies the remaining Winbind, PAM, sudo and SSH settings.


CentOS installation

  • Simply perform a standard installation of CentOS, optionally taking Desktop Gnome out of the package selection, and let it finish.
  • After the first reboot, leave alone the Authentication menu
  • Select Firewall, disable the firewall and set SELinux to Disabled (we assume the box is on the internal network and no firewall is required)
  • Make sure the networking is set up and the box is using the domain controllers as DNS.
  • Run yum update
  • Reboot

The preparation script – ad-prep.sh

Create a file with vi and paste the content of the following snippet in it. Call the file ad-prep.sh and use chmod +x ad-prep.sh to make it executable.

#!/bin/sh

# ad-prep.sh - Phase 1
# Author: Max Sanna
# Description: This script automates the process of joining a Linux box
# to an AD domain. The process is divided in two parts.
#
# Please edit the relevant parts of the script below prior to running it

# -y answers the package prompts so this step runs unattended
yum -y install samba samba-common samba-client ntp
# The init script on RHEL/CentOS 5 is called ntpd (the package is ntp)
chkconfig ntpd on

# Replace 10.10.0.1 and 10.10.0.2 with the IP addresses of your DCs, which provide NTP as well
sed -i 's%server 0.centos.pool.ntp.org%server 10.10.0.1%g' /etc/ntp.conf
sed -i 's%server 1.centos.pool.ntp.org%server 10.10.0.2%g' /etc/ntp.conf
sed -i 's%server 2.centos.pool.ntp.org%%g' /etc/ntp.conf
# Kerberos needs the clock within a few minutes of the DC, so sync once before starting ntpd
ntpdate 10.10.0.1
service ntpd restart

# Replace the following entry with the FQDN of your DC and its hostname, so we don't depend on DNS
echo "10.10.0.1              dc1.example.com dc1" >> /etc/hosts

# Replace the following lines with the relevant parameters for your domain, they're just instructions
echo "Now run authconfig-tui with following settings:"
echo "Select Cache Information, Use Winbind, Use MD5 Passwords, Use Shadow Passwords, Use Winbind Authentication"
echo "Press Next"
echo "Insert the following:"
echo "Domain: EXAMPLE"
echo "Server: dc1.example.com, dc2.example.com, dc3.example.com"
echo "Realm: DC1.EXAMPLE.COM"
echo "Shell: /bin/bash"
echo "Press join domain"
echo "Now create the file /usr/local/bin/bash-wrapper and paste its content in it"
echo "Launch ad-phase2.sh"

Configuring authconfig-tui

Now that we have installed the necessary bits, we can finally run authconfig-tui and join the domain. You’ll want to customise the fields as specified in ad-prep.sh. After you complete the procedure and return to the command prompt you should see whether the net command managed to join the domain. If it didn’t, check the domain settings with your Windows administrator.

[Screenshot: First configuration screen of authconfig-tui]

Once you press Next, you’ll be asked to fill in the fields as specified in ad-prep.sh.

[Screenshot: Domain settings screen in authconfig-tui]

After this, press Join domain, and enter the credentials of a domain administrator to join the machine into the domain.

Creating the bash wrapper

Before proceeding with the next step we need to create the bash wrapper. This file restricts shell login to users belonging to a specific group, which makes it easy to create one group per Linux server and define who has access to each. For simplicity we’ll just restrict access to the domain administrators here, but if you replace the line that says “domain\ admins” with “domain\ users”, every user in the domain could log onto the box.

Create a file in /usr/local/bin/bash-wrapper, paste the following content and chmod +x it in order to make it executable:

#!/bin/sh

# This script restricts shell access to privileged users. The "template shell"
# option in the '/etc/samba/smb.conf' file should be set to call this wrapper.

# Get group memberships for this user, e.g.
# uid=10001(jdoe) gid=10000(domain users) groups=10000(domain users),10(wheel)
BFN_ID=$(/usr/bin/id)

# Grant shell access to users that are in the local wheel group.
if /bin/echo "$BFN_ID" | /bin/grep -P '[=,][0-9]{1,8}\(wheel\)' > /dev/null
then
    exec /bin/bash --login "$@"
fi

# Grant shell access to users that are in the domain administrators group
# (with "winbind use default domain = true" the group is listed without the
# DOMAIN\ prefix).
if /bin/echo "$BFN_ID" | /bin/grep -P '[=,][0-9]{1,8}\(domain\ admins\)' > /dev/null
then
    exec /bin/bash --login "$@"
fi

# Else print a notice and exit non-zero so the login fails.
echo "Shell access to this computer is disabled."
exit 1

# eof
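A generalised version of the wrapper, added here as an example and not part of the original post: the permitted groups live in an allow-list file (assumed path /etc/bash-wrapper.allow, hypothetical), so each server's groups can be changed without editing the script, and group names are matched as whole fixed strings rather than with a regular expression.

```shell
#!/bin/sh
# Added example (not the original post's wrapper): login wrapper driven by an
# allow-list file with one permitted group name per line, e.g.
#   domain admins
#   linux-web-admins
ALLOW_FILE=/etc/bash-wrapper.allow   # hypothetical path

# Turn `id` output into one group name per line. Handles names containing
# spaces ("domain admins") and a trailing SELinux "context=..." field.
id_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | sed 's/ context=.*//' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# is_allowed ID_OUTPUT ALLOW_FILE: return 0 if any group is listed in the file.
# -F: fixed strings, -x: whole-line match, so "domain admins" does not match
# "domain admins2" and metacharacters in group names are harmless.
# A missing or unreadable allow-list denies access (fail closed).
is_allowed() {
    [ -r "$2" ] || return 1
    id_groups "$1" | grep -v '^$' | grep -Fxqf "$2"
}

# Only act as the login shell when installed and invoked as "bash-wrapper";
# when the file is sourced or run under another name only the functions are defined.
case "$0" in
    */bash-wrapper|bash-wrapper)
        if is_allowed "$(/usr/bin/id)" "$ALLOW_FILE"; then
            exec /bin/bash --login "$@"
        fi
        echo "Shell access to this computer is disabled."
        exit 1
        ;;
esac
```

Install it as /usr/local/bin/bash-wrapper and point "template shell" at it exactly as with the original wrapper; the allow-list file should be root-owned and not writable by the users it governs.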

Setting up the final parameters – ad-phase2.sh

Once again, create a new file on the linux box, called ad-phase2.sh, paste the following content in it, and chmod +x it so that it’s executable.

#!/bin/sh
# ad-phase2.sh - Phase 2
# Author: Max Sanna
# Description: This script automates the process of joining a Linux box
# to an AD domain. The process is divided in two parts.
#
# Please edit the relevant parts of the script below prior to running it

# This block doesn't need to be edited
sed -i 's%protocols:  files%protocols:  files winbind%g' /etc/nsswitch.conf
sed -i 's%rpc:        files%rpc:        files winbind%g' /etc/nsswitch.conf
sed -i 's%netgroup:   files%netgroup:   files winbind%g' /etc/nsswitch.conf
sed -i 's%automount:  files%automount:  files winbind%g' /etc/nsswitch.conf

# The following line allows users to logon without the ugly EXAMPLE\user syntax
sed -i 's%winbind use default domain = false%winbind use default domain = true%g' /etc/samba/smb.conf

# More parameters to make life easier with UID and GID correspondences;
# the first one makes winbind hand out the bash-wrapper as every domain user's shell
sed -i 's%   template shell = /bin/bash%   template shell = /usr/local/bin/bash-wrapper%g' /etc/samba/smb.conf
sed -i '/   winbind offline logon = false/a   winbind enum users = true' /etc/samba/smb.conf
sed -i '/winbind enum users = true/a   winbind enum groups = true' /etc/samba/smb.conf
sed -i '/winbind enum groups = true/a   winbind cache time = 5' /etc/samba/smb.conf
sed -i '/winbind cache time = 5/a    winbind nested groups = true' /etc/samba/smb.conf

# This line will allow for home folders to be created in /home/DOMAIN/username upon first login
echo "session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

# The following line will allow all the users within the Domain Admins group to sudo on the server
echo "%domain\ admins ALL=(ALL)       ALL" >> /etc/sudoers

# Replace "base OU=Users,DC=example,DC=com" with the container of the users you want to allow on the box
sed -i 's%base dc=example,dc=com%base OU=Users,DC=example,DC=com%g' /etc/ldap.conf

service winbind restart
service nscd restart

# We disable root login on the box remotely and reload sshd so the change applies
# (existing sessions are kept open)
sed -i 's%#PermitRootLogin yes%PermitRootLogin no%g' /etc/ssh/sshd_config
service sshd reload

# We add a sysadmin user for emergency purposes, create a password for him and add him to the sudoers
# (the primary group must exist before adduser -g can use it)
groupadd sysadmin
adduser -g sysadmin sysadmin
passwd sysadmin
echo "sysadmin ALL=(ALL)       ALL" >> /etc/sudoers
# Check the sudoers syntax after the appends: a broken file would lock everyone out of sudo
visudo -c

Please pay attention to the base LDAP search line in ad-phase2.sh: in this line you’re specifying the container that holds the users allowed to log on to the box.

Some organisations with many employees divide them into departmental OUs; in that case find the base OU that contains all of the users and use that one.

How to find the LDAP path of your Users OU

  • Log onto your main domain controller via Remote Desktop
  • Start -> Run -> ldp.exe (this is the bundled LDAP browser for AD)
  • Connection -> Bind -> Leave everything as it is (assuming you’re connected as a domain admin) with Bind as currently logged user and press Ok
  • View -> Tree
  • Open up the root on the left, e.g. DC=example, DC=com
  • Now navigate the structure by double-clicking the various entries until you find the organisational unit you were looking for
  • Right click on it -> Copy DN
  • Paste it into ad-phase2.sh

Final steps

Now reboot the server, just to make sure that everything comes up properly, and try to log in with a user within the group you specified in bash-wrapper. It should let you in, and if you’re also a member of domain admins it will allow you to sudo.

If you log in with a user who is not in the proper group, it should just close the connection.

As a safety measure, make sure you can log on with the sysadmin user we created earlier, in case the DC is unavailable for some reason.
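The checks behind these final steps, gathered into a post-setup verification script added here as an example (not part of the original post). It runs the standard Samba, sudo and OpenSSH self-tests and looks for the settings the two scripts above put in place; the group name and the sysadmin user are the ones from this guide and can be overridden as arguments.

```shell
#!/bin/sh
# Added example: post-setup verification for the Winbind/AD join described above.
# Not part of the original post. Run as root after ad-phase2.sh (or after the reboot).

# run_check NAME COMMAND [ARGS...]: run COMMAND quietly, print OK/FAIL, return its status.
run_check() {
    _name=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "OK   $_name"
        return 0
    fi
    echo "FAIL $_name"
    return 1
}

# verify_join [ADMIN_GROUP] [LOCAL_USER]: run every check and return the number
# of failed checks (0 means the box looks the way the guide expects).
verify_join() {
    _group=${1:-domain admins}
    _local=${2:-sysadmin}
    _fails=0
    run_check "smb.conf parses (testparm -s)"            testparm -s                 || _fails=$((_fails+1))
    run_check "winbind can reach the DC (wbinfo -t)"     wbinfo -t                   || _fails=$((_fails+1))
    run_check "machine account valid (net ads testjoin)" net ads testjoin            || _fails=$((_fails+1))
    run_check "NSS resolves group '$_group'"             getent group "$_group"      || _fails=$((_fails+1))
    run_check "emergency local user '$_local' exists"    getent passwd "$_local"     || _fails=$((_fails+1))
    run_check "sudoers syntax (visudo -c)"               visudo -c                   || _fails=$((_fails+1))
    run_check "sshd config valid (sshd -t)"              /usr/sbin/sshd -t           || _fails=$((_fails+1))
    run_check "root ssh login disabled" \
        grep -q '^PermitRootLogin no' /etc/ssh/sshd_config                           || _fails=$((_fails+1))
    run_check "domain template shell is the wrapper" \
        grep -q '^ *template shell = /usr/local/bin/bash-wrapper' /etc/samba/smb.conf || _fails=$((_fails+1))
    echo "$_fails check(s) failed"
    return $_fails
}

# Only run the checks when executed directly as verify-ad-join.sh (hypothetical
# name); sourcing the file just defines the functions.
case "$0" in
    */verify-ad-join.sh|verify-ad-join.sh) verify_join "$@" ;;
esac
```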

Hope you will find this useful!

Max

3 Responses to “How to use Winbind to authenticate against AD on RHEL/CentOS 5.x (Automated scripts)”

  1. Mark Jones says:

    FYI on RHEL 5 and CENTOS servers you can restrict group login access in the below file:

    /etc/pam_winbind.conf

    just add line with comma delimited

    require_membership_of = groupname1,groupname2

  2. Ben says:

    Hi, you should mention that the SAMBA client will need to be updated from the stock version to 3.5.6 when authenticating against a Windows 2008 DC.

    Everything else seems to work great, but I spent hours trying to troubleshoot why it wasn’t working… great guide though!

  3. mharrigan says:

    Thank you. Just what I needed! Works beautifully. :)
