There are many guides, cheat sheets, and white papers on authenticating Linux with Active Directory, and many different ways to do it. This iuvo Technologies blog will go through one tried and true method that works on CentOS/RHEL 8. We will also set up a Samba CIFS file share and use AD authentication for connections to it.
In the examples shown below, the following assumptions are made:
To start we need access to Microsoft Active Directory Domain Controllers. This can be through Azure Active Directory Domain Services with a working connection (including proper DNS) to the provisioned DCs, or through on-premises DCs. In our examples we will use on-premises DCs that also provide DNS for the subnet hosting the CentOS/RHEL 8 file server.
In addition to the Microsoft requirements above, we also need the CentOS/RHEL Linux server. This can be either a physical or virtual system. We will use a virtual CentOS 8.3 server with the "Minimal Install" software group loaded. Always make sure to start out with a fully patched system, which can be done with:
dnf update
If there are kernel updates installed from the command above, the server should be rebooted before proceeding further.
With CentOS/RHEL 8 the RC4 encryption cipher has been disabled, so for the systems to communicate either AES must be enabled in Active Directory or RC4 must be re-enabled in CentOS/RHEL 8. We recommend using AES rather than RC4, but for this blog we will outline enabling RC4 to keep the focus on setting up the Linux server. If you are interested in AES on the Domain Controllers, please look here:
To enable RC4 in Linux, run this command:
sudo update-crypto-policies --set DEFAULT:AD-SUPPORT
Now reboot again for the above command to take effect.
We need to install the following packages:
sudo dnf install samba samba-common-tools samba-winbind samba-winbind-clients \
samba-winbind-krb5-locator oddjob oddjob-mkhomedir realmd krb5-workstation \
policycoreutils-python-utils
Also install any dependencies dnf asks for.
Now we are ready to join the system to AD. This will also update the Samba configuration file in /etc/samba/smb.conf:
sudo realm join --membership-software=samba --client-software=winbind contoso.com
Next, we need to update the /etc/krb5.conf file as follows:
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = CONTOSO.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
CONTOSO.COM = {
kdc = dc1.contoso.com
admin_server = dc1.contoso.com
}
[domain_realm]
.contoso.com = CONTOSO.COM
contoso.com = CONTOSO.COM
[plugins]
localauth = {
module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
enable_only = winbind
}
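The realm name in the [realms] block, the default_realm value and the targets of the [domain_realm] mappings all have to agree (and the realm is conventionally upper case), which is easy to get wrong when a krb5.conf is copied from another lab. The script below is an added example and not part of the original post; it runs a small consistency check over two constructed krb5.conf samples (a correct one and one whose [realms] block carries a stale name). To check the real file, pass "$(cat /etc/krb5.conf)" to krb5_check.

```shell
# Added example (not from the original post): consistency check for krb5.conf
# before the first kinit. Samples below are constructed.
GOOD_KRB5_CONF='[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_realm = false
[realms]
CONTOSO.COM = {
  kdc = dc1.contoso.com
  admin_server = dc1.contoso.com
}
[domain_realm]
.contoso.com = CONTOSO.COM
contoso.com = CONTOSO.COM
'
# Same layout, but the [realms] block still carries a name from another lab.
BAD_KRB5_CONF='[libdefaults]
default_realm = CONTOSO.COM
[realms]
LAB.EXAMPLE.NET = {
  kdc = dc1.contoso.com
}
[domain_realm]
.contoso.com = CONTOSO.COM
'

# Print the default_realm value (first occurrence), trimmed.
krb5_default_realm() {
  printf '%s\n' "$1" | awk -F= '
    $1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ {
      v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit
    }'
}

# Print every realm name defined in [realms] (lines of the form "NAME = {").
krb5_defined_realms() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*\[/ { in_realms = ($0 == "[realms]"); next }
    in_realms && index($0, "{") {
      sub(/^[[:space:]]+/, ""); sub(/[[:space:]]*=.*$/, ""); print
    }'
}

# Print the realm each [domain_realm] entry maps to.
krb5_domain_realm_targets() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*\[/ { in_dr = ($0 == "[domain_realm]"); next }
    in_dr && /=/ { sub(/^.*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print }'
}

# Return 0 when default_realm is upper case, has a [realms] block, and every
# domain_realm mapping points at a defined realm; otherwise print findings, return 1.
krb5_check() {
  conf="$1"
  rc=0
  realm=$(krb5_default_realm "$conf")
  if [ -z "$realm" ]; then
    echo "FAIL: no default_realm in [libdefaults]"
    return 1
  fi
  case "$realm" in
    *[[:lower:]]*) echo "WARN: default_realm '$realm' is not upper case"; rc=1 ;;
  esac
  if ! krb5_defined_realms "$conf" | grep -qx "$realm"; then
    echo "FAIL: default_realm $realm has no [realms] block"; rc=1
  fi
  for target in $(krb5_domain_realm_targets "$conf"); do
    if ! krb5_defined_realms "$conf" | grep -qx "$target"; then
      echo "FAIL: [domain_realm] maps to undefined realm $target"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: realm $realm is consistent"
  return "$rc"
}

krb5_check "$GOOD_KRB5_CONF"
krb5_check "$BAD_KRB5_CONF"
```

The check only reads the file; run it after editing krb5.conf and before the kinit test further down, so a realm mismatch is caught before it shows up as a failed ticket request.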
Now start Samba:
sudo systemctl enable --now smb
After Samba is running we can query AD for user information:
sudo getent passwd "CONTOSO\Administrator"
This should return something like:
CONTOSO\administrator:*:2000500:2000513::/home/administrator@CONTOSO:/bin/bash
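The uid and gid in that line are not arbitrary. With the rid idmap backend (set for the CONTOSO domain in the smb.conf later in this post, range 2000000-2999999) winbind computes the Unix id as the low end of the domain range plus the account's RID, so 2000000 + 500 gives 2000500 for Administrator (well-known RID 500) and 2000513 for its primary group Domain Users (RID 513). An id outside that range means the entry was allocated by the "*" tdb fallback instead of the domain mapping. The script below is an added example, not part of the original post; it parses a constructed getent line and checks the ids against that mapping, taking the range values from the post's smb.conf.

```shell
# Added example (not from the original post): sanity-check a getent passwd
# line against the winbind "rid" idmap backend, where unix id = RANGE_LOW + RID.
IDMAP_LOW=2000000     # from: idmap config CONTOSO : range = 2000000-2999999
IDMAP_HIGH=2999999

# Constructed sample of what the post says getent should return.
SAMPLE_GETENT='CONTOSO\administrator:*:2000500:2000513::/home/administrator@CONTOSO:/bin/bash'

# Field 3 of a passwd line is the uid, field 4 the gid.
getent_uid() { printf '%s\n' "$1" | cut -d: -f3; }
getent_gid() { printf '%s\n' "$1" | cut -d: -f4; }

# With the rid backend the RID is recovered by subtracting the range base.
id_to_rid() { echo $(( $1 - IDMAP_LOW )); }

# Exit 0 if the id falls inside the domain's configured range, else 1.
in_domain_range() {
  [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# Report what a getent line tells us; return 1 if the ids are not rid-mapped
# (i.e. they came from the "*" tdb fallback range or some other source).
check_getent_line() {
  uid=$(getent_uid "$1")
  gid=$(getent_gid "$1")
  if in_domain_range "$uid" && in_domain_range "$gid"; then
    echo "uid $uid -> RID $(id_to_rid "$uid"), gid $gid -> RID $(id_to_rid "$gid")"
    return 0
  fi
  echo "ids $uid/$gid are outside $IDMAP_LOW-$IDMAP_HIGH: check idmap config"
  return 1
}

check_getent_line "$SAMPLE_GETENT"
```

Run check_getent_line on the output of the getent command above; the RIDs it prints can be compared directly with what the domain reports for the account.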
Now we can test Kerberos (make sure the AD DOMAIN NAME below is in caps):
kinit administrator@CONTOSO.COM
(enter the password when prompted)
klist
Output from klist should be similar to:
Ticket cache: KCM:0
Default principal: administrator@CONTOSO.COM
Valid starting Expires Service principal
02/10/2021 17:19:45 02/11/2021 03:19:45 krbtgt/CONTOSO.COM@CONTOSO.COM
renew until 02/17/2021 17:19:38
This shows that Kerberos is working properly.
Now we can configure the file shares. First, we will create our test folder to share out:
sudo mkdir /test
sudo chmod 777 /test
The /etc/samba/smb.conf should look like:
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
log level = 0
workgroup = CONTOSO
security = ads
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
kerberos method = secrets and keytab
template homedir = /home/%U
template shell = /bin/bash
realm = CONTOSO.COM
idmap config CONTOSO: range = 2000000-2999999
idmap config CONTOSO : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[test]
comment = Test Share
path = /test
browseable = yes
guest ok = no
writeable = yes
write list = username1 username2
create mode = 0666
directory mode = 0777
valid users = username1 username2
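Before restarting Samba it is worth linting the share definitions. testparm reports malformed lines, but it does not judge whether a share's access controls make sense. The script below is an added example, not part of the original post or of Samba; it runs a constructed smb.conf through a small awk-based check that flags a key without an equals sign, a share without a path, a guest-accessible share, and a writable share that has neither valid users nor a write list. To lint the real file, pass "$(cat /etc/samba/smb.conf)" to smb_lint.

```shell
# Added example (not from the original post): pre-flight lint for the share
# definitions in smb.conf. The sample below is constructed; its [test] share
# mirrors the post's share and [scratch] is a deliberately weak one.
SAMPLE_SMB_CONF='[global]
workgroup = CONTOSO
security = ads
[test]
comment = Test Share
path = /test
browseable = yes
guest ok = no
writeable = yes
write list = username1 username2
create mode = 0666
directory mode 0777
valid users = username1 username2
[scratch]
path = /scratch
guest ok = yes
writeable = yes
'

# Print one "section: finding" line per problem; prints nothing when clean.
smb_lint() {
  printf '%s\n' "$1" | awk '
    # Evaluate the share collected so far; [global] and the printer/homes
    # sections are skipped because their options are not share ACLs.
    function finish() {
      if (sec == "" || sec == "global" || sec == "homes" || sec == "printers" || sec == "print$") return
      if (!has_path) print sec ": no path"
      if (guest == "yes") print sec ": guest ok = yes"
      if (writable == "yes" && !restricted) print sec ": writable without valid users/write list"
    }
    /^[[:space:]]*$/ { next }
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/ {
      finish()
      sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
      has_path = 0; guest = ""; writable = ""; restricted = 0
      next
    }
    !/=/ { print sec ": no \"=\" in line: " $0; next }
    {
      key = $0; sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]+/, "", key)
      val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      if (key == "path") has_path = 1
      if (key == "guest ok") guest = tolower(val)
      if (key == "writeable" || key == "writable") writable = tolower(val)
      if (key == "read only" && tolower(val) == "no") writable = "yes"
      if (key == "valid users" || key == "write list") restricted = 1
    }
    END { finish() }'
}

# Number of findings; 0 means the share definitions passed.
smb_lint_count() { smb_lint "$1" | awk 'END { print NR }'; }

smb_lint "$SAMPLE_SMB_CONF"
```

For the constructed sample this reports the missing "=" in the [test] directory mode line and both weaknesses of [scratch]; the [test] share itself passes because it is restricted by valid users and write list and denies guests.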
Now we should restart Samba:
sudo systemctl restart smb
The firewall also needs to be configured to allow Samba connections through it:
sudo firewall-cmd --permanent --add-service=samba
sudo firewall-cmd --reload
We also need to tell SELinux to allow the connections:
sudo setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
sudo getsebool -a | grep samba_export
sudo semanage fcontext -at samba_share_t "/test(/.*)?"
sudo restorecon /test
Troubleshooting authentication issues can be particularly frustrating.
If you would like to discuss this more, please contact us. We would be happy to share our experience!