Linux VDA – Joining the server to Active Directory

This article in the series will explain how to join the CentOS server to an Active Directory Domain using Samba and Winbind. There are several other supported methods for joining the machine to an Active Directory Domain, which are listed on the Citrix documentation page Install Linux Virtual Delivery Agent for RHEL/CentOS with instructions for each.

Install the required packages and configure Winbind daemon startup

The first step is to install the required packages for Samba and Winbind onto the server and then ensure that the winbind daemon is enabled to start at boot.

To install the required packages and enable the winbind daemon to start at boot perform the following steps in a terminal session as root:

  • Install the packages by executing the following command:
yum -y install samba-winbind samba-winbind-clients krb5-workstation authconfig oddjob-mkhomedir
  • Once installed configure the winbind daemon to start at boot by executing the following command:
chkconfig winbind on

Configure Winbind authentication

The next step is to configure authentication using kerberos with Winbind.

To configure authentication using kerberos with Winbind perform the following steps in a terminal session as root:

  • Execute the authconfig command below substituting domain with your NetBIOS Domain Name, REALM with your Kerberos realm name in UPPER CASE, and fqdn-of-domain-controller with the FQDN of your Domain Controller:
authconfig --disablecache --disablesssd --disablesssdauth --enablewinbind --enablewinbindauth --disablewinbindoffline --smbsecurity=ads --smbworkgroup=domain --smbrealm=REALM --krb5realm=REALM --krb5kdc=fqdn-of-domain-controller --winbindtemplateshell=/bin/bash --enablemkhomedir --updateall

Example: As an example my test Domain name is NWO.Local, its NetBIOS name is NWO, the Kerberos Realm is NWO.LOCAL, and my Domain Controller is 2K12-Lokse.NWO.Local. Therefore I ran the command below to configure the authentication to my Domain:

authconfig --disablecache --disablesssd --disablesssdauth --enablewinbind --enablewinbindauth --disablewinbindoffline --smbsecurity=ads --smbworkgroup=NWO --smbrealm=NWO.LOCAL --krb5realm=NWO.LOCAL --krb5kdc=2K12-Lokse.NWO.Local --winbindtemplateshell=/bin/bash --enablemkhomedir --updateall

Note: Ignore any errors returned from the authconfig command about the winbind service failing to start. The errors can occur when authconfig tries to start the winbind service without the machine yet being joined to the domain.

  • Edit the /etc/samba/smb.conf file and add the two lines below the line #--authconfig--end-line-- as shown below:
#--authconfig--end-line--
kerberos method = secrets and keytab
winbind refresh tickets = true
  • Save and exit the file.

Join the Domain

The next step is to join the computer to Active Directory. To do this, execute the steps below in a terminal session as root:

  • Execute the net ads join command below substituting REALM for your Kerberos Realm in UPPER CASE and user with an account with privileges to add the machine to Active Directory:
net ads join REALM -U user

Example: As an example my test Domain's Kerberos Realm is NWO.LOCAL and I use the administrator account to add machines to the Domain. Therefore I ran the command below to join my Domain:

net ads join NWO.LOCAL -U administrator

Note: If successful, the machine will be listed in the Computers OU of your Domain.

Configure Kerberos for PAM

Once the machine has been successfully joined to the Domain, the next step is to configure Kerberos for PAM to allow ticket caching and home directory creation.

To configure Kerberos for PAM perform the following steps in a terminal as the root user:

  • Edit the /etc/security/pam_winbind.conf file and add or change the following entries under the [Global] section:
krb5_auth = yes
krb5_ccache_type = FILE
mkhomedir = yes
  • Save and exit the file
  • Restart the Winbind daemon by executing the following:
service winbind restart
  • Edit the /etc/krb5.conf file and change the following setting under the [libdefaults] section from the KEYRING to the FILE cache type:
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
  • Save and exit the file
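As an added example (not part of the original article), the script below confirms that the smb.conf, pam_winbind.conf and krb5.conf settings from the steps above are actually in effect before the host is handed over, and can optionally run Samba's own `net ads testjoin` and `wbinfo -t` checks (standard Samba tools, not mentioned in the article). It assumes the default file locations; the paths can be overridden through environment variables.

```bash
#!/bin/bash
# Added example, not from the original article: verify the Winbind/Kerberos
# settings the article sets, then optionally run Samba's live join checks.
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
PAM_WINBIND_CONF="${PAM_WINBIND_CONF:-/etc/security/pam_winbind.conf}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"

# has_setting FILE KEY VALUE: true if the effective value of KEY in FILE is VALUE.
# Case-insensitive, ignores surrounding whitespace, skips '#'/';' comment lines,
# and (like Samba's own parser) lets the last occurrence of KEY win.
has_setting() {
  awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" \
      -v v="$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*[#;]/ { next }
    index($0, "=") {
      key = tolower($0); sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
      val = tolower($0); sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) last = val
    }
    END { exit !(last == v) }' "$1" 2>/dev/null
}

# check_join_config: one line per required setting; returns how many are wrong.
check_join_config() {
  local failures=0 file key value
  while IFS='|' read -r file key value; do
    if has_setting "$file" "$key" "$value"; then
      echo "ok   : $key = $value  ($file)"
    else
      echo "FAIL : $key = $value  not set in $file"
      failures=$((failures + 1))
    fi
  done <<EOF
$SMB_CONF|security|ads
$SMB_CONF|kerberos method|secrets and keytab
$SMB_CONF|winbind refresh tickets|true
$PAM_WINBIND_CONF|krb5_auth|yes
$PAM_WINBIND_CONF|krb5_ccache_type|FILE
$PAM_WINBIND_CONF|mkhomedir|yes
$KRB5_CONF|default_ccache_name|FILE:/tmp/krb5cc_%{uid}
EOF
  return "$failures"
}

# live_join_checks: Samba's join test and machine trust-secret check (needs a joined host).
live_join_checks() { net ads testjoin && wbinfo -t; }

if [ "${1:-}" = "--run" ]; then
  check_join_config || echo "$? setting(s) need attention"
  if [ "${2:-}" = "--live" ]; then live_join_checks; fi
fi
```

Run it as `./check-join.sh --run` for the file checks alone, or `./check-join.sh --run --live` (as root, after `net ads join`) to also exercise the domain connection.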
