papyri/md/active_directory_with_winbind.md
2024-03-20 11:40:22 -05:00

# Active Directory with Winbind
## Contents
- [Prerequisites](#prerequisites)
- [AD Setup Information](#ad-setup-information)
- [Implementation](#implementation)
- [Install RPMs](#install-rpms)
- [DNS Configuration](#dns-configuration)
- [Configure Kerberos](#configure-kerberos)
- [Get a Kerberos ticket](#get-a-kerberos-ticket)
- [List the ticket provided](#list-the-ticket-provided)
- [Destroy the ticket](#destroy-the-ticket)
- [Samba Configuration](#samba-configuration)
- [Join the domain](#join-the-domain)
- [Configure winbind authentication](#configure-winbind-authentication)
- [PAM Configuration](#pam-configuration)
- [RHEL5 and RHEL6](#rhel5-and-rhel6)
- [RHEL6 Only](#rhel6-only)
- [Parent Home Directory](#parent-home-directory)
- [Testing](#testing)
- [Cached Logins](#cached-logins)
- [User crontabs](#user-crontabs)
- [References](#references)
## Prerequisites
### AD Setup Information
Needed information:
- NETBIOS name of one or more domain controllers
- DNS IPs of same servers that resolve lookups
- Admin level user already in the AD
Examples used in this article:
- AD1.DOMAIN.LOCAL, AD2.DOMAIN.LOCAL
- 192.168.100.10, 192.168.100.20
- 'admin'
## Implementation
### Install RPMs
Standard YUM install:
```
RHEL6:
# yum install samba-winbind samba-winbind-clients krb5-workstation krb5-libs
RHEL5:
# yum install samba3x-winbind samba3x-client krb5-workstation krb5-libs
```
Notes:
- krb5-workstation adds `/usr/kerberos/bin` to your `$PATH`; you may need to log in again before `kinit` and the other Kerberos tools are found
- The RHEL5 `winbind` packages are not friendly to Windows 2008R2 and later domain controllers. Use the samba3x RPMs (`samba3x-winbind`, `samba3x-client`) instead
### DNS Configuration
```
/etc/resolv.conf
nameserver 192.168.100.10
nameserver 192.168.100.20
search DOMAIN.LOCAL
```
### Configure Kerberos
```
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.LOCAL = {
kdc = AD1.DOMAIN.LOCAL:88
kdc = AD2.DOMAIN.LOCAL:88
admin_server = AD1.DOMAIN.LOCAL:749
admin_server = AD2.DOMAIN.LOCAL:749
}
[domain_realm]
.DOMAIN.local = DOMAIN.LOCAL
DOMAIN.local = DOMAIN.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
```
#### Get a Kerberos ticket
```
# kinit admin@DOMAIN.LOCAL
```
#### List the ticket provided
```
# klist
```
#### Destroy the ticket
```
# kdestroy
```
### Samba Configuration
```
/etc/samba/smb.conf
[global]
workgroup = DOMAIN
interfaces = 127.0.0.1 eth0
bind interfaces only = true
security = ads
passdb backend = tdbsam
template shell = /bin/bash
template homedir = /home/%D/%U
realm = DOMAIN.LOCAL
password server = AD1.DOMAIN.LOCAL, AD2.DOMAIN.LOCAL
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
printing = cups
printcap name = cups
load printers = no
```
If required you can assign an explicit name to the server. This is useful because NetBIOS limits server names to 15 characters. Just add:
```
netbios name = MYNTNAME
```
#### Join the domain
```
# net ads join -U admin
```
Example session:
```
# net ads join -U admin
Enter admin's password:
Using short domain name -- DOMAIN
Joined 'MYSERVER' to realm 'domain.local'
[2012/03/04 06:06:06.123456, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password MYSERVER$@DOMAIN.LOCAL failed: Client not found in Kerberos database
DNS update failed!
```
> This error message is expected: the server joined the domain, but the AD DNS record for your server was not updated.
#### Configure winbind authentication
```
# authconfig-tui
```
1. Select **Use Winbind** under the User Information section
2. Select **Use MD5 Passwords** under the Authentication section
3. Select **Use Shadow Passwords** under the Authentication section
4. Select **Use Winbind Authentication** under the Authentication section
5. Select **Local Authentication is sufficient** under the Authentication section
6. Click **Next**
7. Click **OK** (*not* Join Domain\!)
### PAM Configuration
Two configuration changes may be needed; it's possible that one or both are already in place. The first change is to extend the existing `pam_winbind.so` line with extra options; the second is to add or update the `pam_mkhomedir.so` line so that the user's home directory is created on first login.
> Whenever editing PAM config files, ALWAYS test logins in a second terminal before you log out of the editing session. Breaking a PAM config file can cause _root_ to be locked out and require single-user mode to rescue.
#### RHEL5 and RHEL6
This is a pseudo diff of the changes to be made; examine the existing file and apply only the needed values as shown.
```
/etc/pam.d/system-auth
< auth sufficient pam_winbind.so use_first_pass
---
> auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE use_first_pass
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
```
#### RHEL6 Only
**Configure**
In RHEL5/CentOS5 all the other PAM configuration files _sub-include_ `system-auth`; in RHEL6 this was split into two files: some sub-include `system-auth` (such as sudo), others sub-include `password-auth` (such as sshd). Both files must be changed.
```
/etc/pam.d/password-auth
make the exact same changes as outlined above
```
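A read-only check for the two PAM changes described above, added here as an example (not part of the original page). `check_pam_winbind` is a hypothetical helper name; it only reports what is missing, so it can be run in the second terminal before and after editing without touching the file:

```shell
#!/bin/sh
# Added example, not from the original page: report whether a PAM file already
# carries the two changes from the pseudo diff above, without modifying it.
# Returns 0 when both are present, 1 otherwise, and names what is missing.
check_pam_winbind() {
    f="$1"; rc=0
    # first 'auth sufficient pam_winbind.so' line, whitespace collapsed so that
    # tab- and space-separated files are treated alike
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$f" \
           | head -n 1 | tr -s '[:blank:]' ' ')
    if [ -z "$line" ]; then
        echo "$f: no 'auth sufficient pam_winbind.so' line"; rc=1
    else
        case " $line " in *" krb5_auth "*) ;;
            *) echo "$f: pam_winbind.so auth line lacks krb5_auth"; rc=1 ;; esac
        case " $line " in *" krb5_ccache_type=FILE "*) ;;
            *) echo "$f: pam_winbind.so auth line lacks krb5_ccache_type=FILE"; rc=1 ;; esac
    fi
    # session line that creates /home/%D/%U on first login
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so' "$f" \
        || { echo "$f: no 'session required pam_mkhomedir.so' line"; rc=1; }
    return $rc
}

# Constructed sample files standing in for /etc/pam.d/system-auth before and
# after the edit (the real files carry more lines; only these matter here).
tmp=$(mktemp -d)
cat > "$tmp/before" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
session     required      pam_unix.so
EOF
cat > "$tmp/after" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so krb5_auth krb5_ccache_type=FILE use_first_pass
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
check_pam_winbind "$tmp/before" || echo "before: changes still needed"
check_pam_winbind "$tmp/after"  && echo "after: both changes present"
rm -rf "$tmp"
```

Run it against both `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` on RHEL6; a clean result still does not replace a real test login from a second terminal.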
### Parent Home Directory
All DOMAIN homedirs will be created below this dir by pam\_mkhomedir.so (via smb.conf `template homedir` variable):
```
# mkdir /home/DOMAIN
# chcon --reference=/home /home/DOMAIN
```
## Testing
Test the basics:
```
# wbinfo -u
# wbinfo -g
# ssh DOMAIN\\admin@localhost
```
> Due to an interesting conflict between the presence of local user 'admin' in `/etc/passwd` (with /home/admin defined) and the attempt to use /home/DOMAIN/admin during a DOMAIN login you can get curious permission denied results. It's best to test DOMAIN logins with a username _other_ than one that exists in /etc/passwd on the local machine to avoid the DOMAIN login conflict with pam\_mkhomedir.
## Cached Logins
The pam\_winbind.so module supports cached logins, so if the Active Directory server(s) become unavailable you can still log into Linux. Set a cache time explicitly; otherwise the cache does not appear to be refreshed, regardless of the default value (300 seconds). This parameter is the number of seconds winbindd caches user and group information before querying an AD server again.
In the same global section as defined above, add a new directive as shown:
```
/etc/samba/smb.conf
[global]
...
winbind offline logon = yes
winbind cache time = 600
...
```
It's possible that this file may not exist; create it if needed:
```
/etc/security/pam_winbind.conf
[global]
cached_login = yes
```
Perform a standard Winbind restart and test things out:
```
# service winbind restart
# smbcontrol winbind offline
# wbinfo --online-status
BUILTIN : online
MYSERVER : online
DOMAIN : offline
# ssh DOMAIN\\username@localhost
Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
...
# smbcontrol winbind online
```
Some items, such as groups, are not added to the cache until a successful login has taken place while in online mode; this may affect tools like sudo or sshd if they are configured to allow or restrict access based on group membership. Your exact situation will determine any further tweaks needed to fully support offline access in an emergency. Setting `winbind cache time` as noted above addresses this. If required, the cache can be cleared by removing the `/var/lib/samba/*.tdb` files.
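An audit of the three cached-login settings above (`winbind offline logon`, an explicit `winbind cache time`, and `cached_login` in pam_winbind.conf), added here as an example and not taken from the page or from Samba. `ini_get` and `check_offline_logon` are hypothetical helper names; the lookup is section-aware and case-insensitive, as smb.conf keys are:

```shell
#!/bin/sh
# Added example, not from the original page: a section-aware lookup for
# smb.conf-style files (keys are case-insensitive, '#'/';' are comments) and an
# audit of the three cached-login settings described above.
ini_get() {   # ini_get FILE SECTION KEY -> value on stdout, empty if absent
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
                              sec = tolower(s); next }
        index($0, "=") && sec == tolower(want_sec) {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(want_key)) { print v; exit }
        }' "$1"
}

# Samba accepts yes/true/1 for booleans, in any case
is_yes() { case "$(printf %s "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

# check_offline_logon SMB_CONF PAM_WINBIND_CONF -> 0 when offline logins are
# fully configured; prints each missing piece and returns 1 otherwise
check_offline_logon() {
    rc=0
    is_yes "$(ini_get "$1" global 'winbind offline logon')" \
        || { echo "$1: 'winbind offline logon = yes' missing"; rc=1; }
    case "$(ini_get "$1" global 'winbind cache time')" in
        ''|*[!0-9]*) echo "$1: set 'winbind cache time' explicitly (seconds)"; rc=1 ;;
    esac
    if [ ! -r "$2" ]; then
        echo "$2: missing, create it with cached_login = yes"; rc=1
    elif ! is_yes "$(ini_get "$2" global cached_login)"; then
        echo "$2: 'cached_login = yes' missing"; rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the snippets above
tmp=$(mktemp -d)
printf '[global]\n   workgroup = DOMAIN\n   security = ads\n   Winbind Offline Logon = Yes\n   winbind cache time = 600\n' > "$tmp/smb.conf"
printf '[global]\ncached_login = yes\n' > "$tmp/pam_winbind.conf"
check_offline_logon "$tmp/smb.conf" "$tmp/pam_winbind.conf" && echo "offline logins configured"
rm -rf "$tmp"
```

On a real host call it as `check_offline_logon /etc/samba/smb.conf /etc/security/pam_winbind.conf` before running the `smbcontrol winbind offline` test.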
## User crontabs
There is a problem with the vixie-cron (RHEL5) and cronie \<= 1.4.7 (RHEL6) packages and crontabs which belong to remote network users: when CROND starts at boot it cannot "see" these remote users while scanning the `/var/spool/cron/` crontabs, because networking is not yet online; as a consequence it places each unmatched crontab in an "Orphan" list and never checks again. Restarting CROND after Winbind/LDAP/NIS/etc. are up works correctly, so one possible solution, if you must use this type of crontab, is to place a `service crond restart` in `/etc/rc.d/rc.local`.
This issue was fixed in the 1.4.8 release of cronie; if it is not yet available, an updated RPM will have to be rebuilt manually from the Koji system (Fedora packaging) to obtain a newer release.
- Git commit: <https://git.fedorahosted.org/cgit/cronie.git/commit/?id=8b407876f276f96914111bd9954f21f627db7b11>
- Koji package: <http://koji.fedoraproject.org/koji/packageinfo?packageID=5724>
The cronie package in RHEL6 replaces the vixie-cron and anacron packages from RHEL5. Compiling (rebuilding) cronie for RHEL5 and doing a manual package swap may work but is untested. It would be best to create a local user account to run the crontabs instead of using a remote network user until (and if) Red Hat releases packages which address this issue.
## References
- <https://wiki.samba.org/index.php/PAM_Offline_Authentication>