Monday, March 31, 2014

Add AD authentication to CentOS in four easy steps

Many businesses use Microsoft Active Directory (AD) to manage their Windows server infrastructure. You can take advantage of AD's directory services and maintain a single service to authenticate users on all platforms. The alternatives – setting up LDAP directory servers for user management on Linux servers, or worse still, using local accounts on every machine – would be a management nightmare, and would make meeting audit requirements a lot harder. Here's how to integrate a vanilla CentOS 6.x host into AD for user management, and how to use AD-based credentials to manage a Linux server.

Step 1: Pre-installation checks

Before setting up a CentOS host to use AD authentication, make sure it can reach the domain and resolve names through the AD DNS servers. Point the CentOS resolver at the AD-based DNS servers with system-config-network-tui, choosing DNS configuration rather than device configuration; this is the official Red Hat/CentOS method and writes /etc/resolv.conf for you. At a minimum the host must be able to resolve the domain controllers both by short hostname and by fully qualified domain name (FQDN). Ping is a convenient check, but a blocked ICMP echo is not by itself a problem; failed name resolution is.
If the domain controllers do not resolve, check that the CentOS host is using the same DNS servers as the Windows domain, and correct /etc/resolv.conf with system-config-network-tui if necessary. Two further checks save time later. First, the host's clock must be within five minutes of the domain controllers' clocks (the Kerberos default clock-skew tolerance), so sync it against the domain with ntpdate or ntpd before joining. Second, check your firewall with iptables -L -n -v: the host needs outbound access to the domain controllers on DNS (53), Kerberos (88), LDAP (389), SMB (445) and kpasswd (464). A fresh CentOS installation permits this, because its default iptables policy does not filter outbound traffic.
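The checks above, collected into a script, as an added example that is not part of the original post. It resolves the domain controllers from the _ldap._tcp.dc._msdcs SRV record that AD publishes, probes the ports a join needs, and compares the clock offset reported by ntpdate against the Kerberos five-minute limit. The domain name test.local, the port list and the 300-second limit are assumptions; it needs bind-utils (for dig), ntpdate and the coreutils timeout command, all available on CentOS 6.

```shell
#!/bin/bash
# Added example (not from the original post): pre-flight checks for a
# CentOS 6 host before joining it to AD. The domain name, DC names and
# port list are assumptions; adjust them for your environment.
# Assumes bind-utils (for dig), ntpdate and coreutils timeout are installed.

DOMAIN="${DOMAIN:-test.local}"   # hypothetical AD DNS domain
MAX_SKEW=300                     # Kerberos default clock-skew tolerance (seconds)

# Turn `dig +short SRV` output lines ("prio weight port target.") into bare hostnames.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Pull the offset in seconds out of ntpdate -q output, e.g.
# "... adjust time server 10.0.0.1 offset -0.012 sec"; prints one value per matching line.
ntp_offset() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "offset") { v = $(i+1); sub(/,$/, "", v); print v; break } }'
}

# Exit 0 when |offset| <= MAX_SKEW, 1 otherwise (Kerberos rejects tickets beyond that).
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN { if (off < 0) off = -off; exit !(off <= max) }'
}

# Exit 0 when TCP port $2 on host $1 accepts a connection within 3 seconds.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

preflight() {
    dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$DOMAIN" | srv_targets)
    if [ -z "$dcs" ]; then
        echo "FAIL: no DC SRV records for $DOMAIN; /etc/resolv.conf is not using the AD DNS servers" >&2
        return 1
    fi
    rc=0
    for dc in $dcs; do
        # DNS, Kerberos, LDAP, SMB and kpasswd are the ports the join and logins need.
        for port in 53 88 389 445 464; do
            if port_open "$dc" "$port"; then
                echo "ok   $dc:$port"
            else
                echo "FAIL $dc:$port unreachable" >&2; rc=1
            fi
        done
        off=$(ntpdate -q "$dc" 2>/dev/null | ntp_offset | tail -n 1)
        if [ -n "$off" ] && skew_ok "$off"; then
            echo "ok   clock offset to $dc is ${off}s"
        else
            echo "FAIL clock offset to $dc is '${off:-unknown}'; Kerberos allows at most ${MAX_SKEW}s" >&2
            rc=1
        fi
    done
    return $rc
}

# The network checks only run when invoked as `./preflight.sh --run`, so the
# parsing helpers above can be sourced and exercised on their own.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as root with --run after fixing /etc/resolv.conf; an empty SRV answer is the clearest sign that the host is still talking to a non-AD DNS server, and a clock offset over the limit will make the later join fail with a Kerberos error rather than an obvious DNS one.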

Step 2: Install AD requirements

Once you have confirmed that the CentOS host is using the correct AD DNS, install three new packages to enable AD integration. Log in to the CentOS host as root and issue the command:
yum -y install nscd.x86_64 pam_krb5.x86_64 samba-winbind.x86_64
nscd is the name service cache daemon; it caches name-service lookups (users, groups, hosts) so that repeated requests do not all go back to the domain controller. Be aware that Samba's own documentation advises against running nscd alongside winbind, because nscd can serve stale user and group data while winbind maintains its own cache; if getent and wbinfo ever disagree, stop nscd. pam_krb5 is the PAM module for Kerberos authentication, the protocol AD uses. samba-winbind provides winbindd and pam_winbind, which let a Linux host become a full member of an AD domain. It is worth installing samba-winbind-clients as well, since it provides wbinfo, the tool you will use to check the join.

Step 3: Configure settings

After the packages are installed, run authconfig-tui as root. This utility provides a text-mode GUI that you can use to configure the authorization mechanisms on your CentOS host. If you encounter any errors or the command fails to run, ensure that all the prerequisites as detailed in step 2 are installed.
Authorization setup
In the GUI select "Cache Information" and "Use Winbind" from the User Information list. Among the Authentication components, select "Use MD5 Passwords" and "Use Winbind Authentication." Deselect "Local authentication is sufficient," then click Next.
On the Winbind settings screen, enter the settings and credentials needed to join the AD domain. For the security model you must select ADS for Active Directory integration. Enter the domain (the short NetBIOS name, TEST in this example) and the domain controllers by FQDN. The ADS realm is the Kerberos realm, which is the AD DNS domain name in upper case (for the DNS domain test.local the realm is TEST.LOCAL); it is not the name of a domain controller. Change the template shell to your preferred login shell: leaving it at the default non-login shell (/bin/false or /sbin/nologin, depending on the version) will stop AD accounts from getting an interactive session. Once you've entered all the settings, press "Join Domain."
You may see a screen warning you that some of the information needs to be saved to disk. If so, select Yes.
On the next screen, join the CentOS host to the AD domain with the credentials of an account that is allowed to join computers to the domain. It does not have to be the built-in Administrator; any account that has been delegated that right will do, but for this example I am using the domain administrator.
Once the configuration is complete, click "Ok" to return to the command line. If you encounter any errors while joining through authconfig, check the /var/log/secure log file, or more easily the console, for username/password errors. A reboot is not required: authconfig restarts winbind when it writes the configuration, and you can do the same by hand with service winbind restart (and service nscd restart if you run nscd).
At this point, barring any configuration issues, an AD domain user should be able to log in to the CentOS host using domain credentials. Before trying a login, wbinfo -t confirms that the machine account secret works and getent passwd "TEST\\administrator" confirms that winbind resolves the account through NSS. On my system, I used test\administrator, as in the figure below. Notice that there is no home directory. This is to be expected: the account has no local entry in /etc/passwd, and nothing has created the directory named by winbind's template homedir setting. If you want home directories created on first login, enable pam_mkhomedir (authconfig --enablemkhomedir) and set the template homedir to a writable location such as /home/%D/%U.
Administration login
Rather than using the built-in domain Administrator account, I suggest creating a dedicated user for Linux administration. On the Windows AD controller, go to Administrative Tools -> Active Directory Users and Computers. Expand the domain, select the Users folder, and choose New -> User. Fill in the details as required. Add the user to the group you want to grant rights to (the Domain Admins group in this example, although the closing tips describe a less privileged alternative) by opening the user's properties, clicking "Member of" and adding the group. Click OK, and the user is ready.
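The same join done from the command line, as an added example that is not part of the original post. It is the non-interactive equivalent of the authconfig-tui settings above, and derives the realm and workgroup from the DNS domain so the realm cannot be mistaken for a domain controller name. The domain test.local, the DC dc1.test.local, the join account, the /bin/bash template shell and the /home/%D/%U home-directory layout are my assumptions, not settings the post prescribes. It needs the packages from step 2 plus samba-winbind-clients for wbinfo; --enablemkhomedir uses pam_oddjob_mkhomedir if oddjob-mkhomedir is installed and oddjobd is running, and pam_mkhomedir otherwise.

```shell
#!/bin/bash
# Added example (not from the original post): the non-interactive equivalent
# of the authconfig-tui steps, plus the checks to run afterwards.
# Domain, DC and account names are placeholders; the home-directory layout
# and login shell are my choices, not settings the post prescribes.
# Assumes the packages from step 2 plus samba-winbind-clients (for wbinfo).

# The Kerberos realm is the AD DNS domain in upper case ...
realm_of() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }
# ... and the NetBIOS workgroup is its first label, also in upper case.
workgroup_of() { realm_of "${1%%.*}"; }

# Print the authconfig arguments for joining $1 (DNS domain) via $2 (DC FQDN)
# using account $3, one per line so they can be inspected before running.
authconfig_args() {
    domain=$1; dc=$2; join_user=$3
    printf '%s\n' \
        --enablewinbind --enablewinbindauth \
        --smbsecurity=ads \
        "--smbrealm=$(realm_of "$domain")" \
        "--smbworkgroup=$(workgroup_of "$domain")" \
        "--smbservers=$dc" \
        --winbindtemplateshell=/bin/bash \
        --winbindtemplatehomedir=/home/%D/%U \
        --enablemkhomedir \
        "--winbindjoin=$join_user" \
        --update
}

# Run authconfig; --winbindjoin prompts for the join account's password and
# --update writes smb.conf, krb5.conf, nsswitch.conf and the PAM stack, then
# restarts winbind, so no reboot is needed.
join_domain() {
    authconfig $(authconfig_args "$@")
}

# Post-join checks: the machine account is valid on the DC, the winbind trust
# secret works, and a domain user resolves through NSS ($1 is DOMAIN\user).
verify_join() {
    net ads testjoin || return 1
    wbinfo -t || return 1
    getent passwd "$1"
}

# Only perform the join when invoked with --run; the helpers above are safe
# to source and inspect on any machine.
if [ "${1:-}" = "--run" ]; then
    join_domain test.local dc1.test.local Administrator && verify_join 'TEST\administrator'
fi
```

Print the argument list without --run first and compare it with what you entered in the TUI; the one setting the TUI does not expose that matters here is the template homedir, which is what decides where pam_mkhomedir creates the directory the post notes is missing.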

Step 4: Allowing AD users to manage CentOS servers

Users who log in to the CentOS host at this point using AD credentials lack admin rights. You can test this by trying to shut down the CentOS host when you're connected as test\administrator (on a non-production host!). The command should fail because you don't have sufficient rights.
To let AD users run administrative commands, grant them rights in the /etc/sudoers file. Log in as root and edit it with the visudo command rather than a plain editor, because visudo checks the syntax before saving and a broken sudoers locks everyone out of sudo. Domain users are named exactly as winbind presents them, DOMAIN\user, and because the backslash is a special character in sudoers it has to be doubled. To allow test\administrator to shut the host down, add the line:
TEST\\administrator ALL=(root) /sbin/shutdown -h now
To work with a group rather than a single user, prefix the name with % instead. Domain groups carry the domain prefix too. For example, to give members of the AD group linuxadmins full sudo rights, assuming that group has already been created in AD, add the line:
%TEST\\linuxadmins ALL=(ALL) ALL
The unprefixed form %linuxadmins only matches if winbind use default domain = yes is set in smb.conf, which is not the case with the settings used above.
Group names containing spaces, such as "Domain Users," have each space escaped with a backslash. "Domain Users" is therefore written %TEST\\Domain\ Users, not Domain\Users.
At this point, any AD user should be able to authenticate against the AD infrastructure. With the default winbind settings you log in using the "old" Windows format of Domain\User rather than the newer user@domain format, so log in as test\administrator rather than administrator@test; the bare username only works when winbind use default domain = yes is set.
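The escaping rules above are easy to get wrong by hand, so here is an added example, not part of the original post, that builds the sudoers entries for DOMAIN\user and %DOMAIN\group names (doubling backslashes and escaping spaces), checks the result with visudo -cf and only then installs it as a drop-in under /etc/sudoers.d, which the stock CentOS 6 sudoers includes. The domain TEST, the user and group names and the command specs are placeholders.

```shell
#!/bin/bash
# Added example (not from the original post): build a sudoers drop-in for AD
# users and groups with the escaping winbind's DOMAIN\name form requires, and
# validate it with visudo before installing. Domain, user and group names are
# placeholders; /etc/sudoers.d is included by the stock CentOS 6 sudoers.

# Escape a name for use as a sudoers word: backslashes are doubled and
# spaces are backslash-escaped, so "Domain Users" becomes "Domain\ Users".
sudoers_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g'
}

# DOMAIN\user entry, e.g. TEST\\administrator ALL=(root) /sbin/shutdown -h now
sudoers_user_entry() {
    domain=$1; user=$2; spec=$3
    printf '%s\\\\%s %s\n' "$domain" "$(sudoers_escape "$user")" "$spec"
}

# %DOMAIN\group entry, e.g. %TEST\\Domain\ Users ALL=(ALL) ALL
sudoers_group_entry() {
    domain=$1; group=$2; spec=$3
    printf '%%%s\\\\%s %s\n' "$domain" "$(sudoers_escape "$group")" "$spec"
}

# Write the entries to a temp file, check the syntax with visudo -cf, and only
# then install it with the mode sudo insists on (0440). A bad file is left in
# /tmp for inspection instead of being installed.
install_sudoers_dropin() {
    target=$1; shift
    tmp=$(mktemp /tmp/sudoers.XXXXXX) || return 1
    printf '%s\n' "$@" > "$tmp"
    if visudo -cf "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "$target" && rm -f "$tmp"
    else
        echo "syntax error, leaving $tmp for inspection" >&2
        return 1
    fi
}

# Only touch /etc/sudoers.d when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    install_sudoers_dropin /etc/sudoers.d/ad-admins \
        "$(sudoers_user_entry  TEST administrator  'ALL=(root) /sbin/shutdown -h now')" \
        "$(sudoers_group_entry TEST linuxadmins    'ALL=(ALL) ALL')" \
        "$(sudoers_group_entry TEST 'Domain Users' 'ALL=(root) /sbin/reboot')"
fi
```

After installing, sudo -l -U 'TEST\linuxuser' (run as root) shows what a given domain user has been granted, which is a quicker test than logging in and trying the command; if it shows nothing, the usual causes are a missing domain prefix on the group name or a group that wbinfo -g does not list yet because winbind's cache has not refreshed.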

Closing tips and tricks

Before you consider the process finished, thoroughly test your configuration. Ensure that administrators can log in and perform any actions required on the CentOS server.
In many companies, Linux and Windows admins are separate groups. Rather than work with AD's default Domain Admins group, I suggest creating a distinct AD group for Linux admins, such as the linuxadmins group I referenced above. This lets you limit the remit of the group to managing only Linux servers, with no admin rights to Windows servers.
Having a single authentication system for all network administrators and users eases the administrative burden: accounts are created, disabled and audited in one place. Such a system is a key component in automating server provisioning, and used effectively can also help reduce your IT costs.
