Linux VDA – Joining the server to Active Directory


  • Linux VDA – Introduction and prerequisites
  • Linux VDA – Building the base CentOS virtual machine
  • Linux VDA – Post build tasks and Linux VDA 1912 preparation
  • Linux VDA – Joining the server to Active Directory
  • Linux VDA – VDA software installation and configuration
  • Linux VDA – Creating the MCS master target

    This article in the series will explain how to join the CentOS server to an Active Directory Domain using Samba and Winbind.  There are several other supported methods for joining the machine to an Active Directory Domain which are listed on the Citrix documentation page Install Linux Virtual Delivery Agent for RHEL/CentOS with instructions for each.

    Install the required packages and configure Winbind daemon startup

    The first step is to install the required packages for Samba and Winbind on to the server and then ensure that the winbind daemon is enabled to start at boot.

    To install the required packages and enable the winbind daemon to start at boot perform the following steps in a terminal session as root:

    • Install the packages by executing the following command:
    yum -y install samba-winbind samba-winbind-clients krb5-workstation authconfig oddjob-mkhomedir
    • Once installed configure the winbind daemon to start at boot by executing the following command:
    chkconfig winbind on

    Configure Winbind authentication

    The next step is to configure authentication using Kerberos with Winbind.

    To configure authentication using Kerberos with Winbind perform the following steps in a terminal session as root:

    • Execute the authconfig command below substituting domain with your NetBIOS Domain Name, REALM with your Kerberos realm name in UPPER CASE, and fqdn-of-domain-controller with the FQDN of your Domain Controller:
    authconfig --disablecache --disablesssd --disablesssdauth --enablewinbind --enablewinbindauth --disablewinbindoffline --smbsecurity=ads --smbworkgroup=domain --smbrealm=REALM --krb5realm=REALM --krb5kdc=fqdn-of-domain-controller --winbindtemplateshell=/bin/bash --enablemkhomedir --updateall

    Example: As an example my test Domain name is NWO.Local, its NetBIOS name is NWO, the Kerberos Realm is NWO.LOCAL, and my Domain Controller is 2K12-Lokse.NWO.Local. Therefore I ran the command below to configure the authentication to my Domain:

    authconfig --disablecache --disablesssd --disablesssdauth --enablewinbind --enablewinbindauth --disablewinbindoffline --smbsecurity=ads --smbworkgroup=NWO --smbrealm=NWO.LOCAL --krb5realm=NWO.LOCAL --krb5kdc=2K12-Lokse.NWO.Local --winbindtemplateshell=/bin/bash --enablemkhomedir --updateall

    Note: Ignore any errors returned from the authconfig command about the winbind service failing to start. The errors can occur when authconfig tries to start the winbind service without the machine yet being joined to the domain.

    • Edit the /etc/samba/smb.conf file and add the two lines below the line #--authconfig--end-line-- as shown below:
    #--authconfig--end-line--
    kerberos method = secrets and keytab
    winbind refresh tickets = true
    • Save and exit the file.

    Join the Domain

    The next step is to join the computer to Active Directory. To do this, execute the steps below in a terminal session as root:

    • Execute the net ads join command below substituting REALM for your Kerberos Realm in UPPER CASE and user with an account with privileges to add the machine to Active Directory:
    net ads join REALM -U user

    Example: As an example my test Domain's Kerberos Realm is NWO.LOCAL and I use the administrator account to add machines to the Domain. Therefore I ran the command below to join my Domain:

    net ads join NWO.LOCAL -U administrator

    Note: If successful the machine will be listed in the Computers OU of your Domain.

    Configure PAM for Winbind

    Once the machine has been successfully joined to the Domain the next step is to configure Kerberos for PAM to allow ticket caching and home directory creation.

    To configure Kerberos for PAM perform the following steps in a terminal as the root user:

    • Edit the /etc/security/pam_winbind.conf file and add or change the following entries under the [Global] section:
    krb5_auth = yes
    krb5_ccache_type = FILE
    mkhomedir = yes
    • Save and exit the file
    • Restart the Winbind daemon by executing the following:
    service winbind restart
    • Edit the /etc/krb5.conf file and change the following setting under the [libdefaults] section from the KEYRING type to the FILE type:
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    • Save and exit the file
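    The script below is an added example, not part of the original article or of Citrix's documentation: it checks that the Samba, pam_winbind and Kerberos settings applied above are actually present in the three files, so a VDA whose authconfig run failed or whose edits were lost can be spotted before the VDA software is installed. The sample files it writes are constructed from the NWO example used in this article.

```shell
#!/bin/sh
# Added example, not part of the original article: verifies that the
# Samba, pam_winbind and Kerberos settings this article applies are present
# in the config files. Paths are arguments so constructed copies can be
# checked; on a real VDA pass /etc/samba/smb.conf,
# /etc/security/pam_winbind.conf and /etc/krb5.conf.

# has_setting FILE KEY VALUE: succeeds if an uncommented "KEY = VALUE" line
# exists (case-insensitive, surrounding whitespace ignored)
has_setting() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# list_missing_settings SMB_CONF PAM_WINBIND_CONF KRB5_CONF
# Prints one "MISSING ..." line for each setting that is absent or wrong.
list_missing_settings() {
    printf '%s\n' \
        "$1|security|ads" \
        "$1|kerberos method|secrets and keytab" \
        "$1|winbind refresh tickets|true" \
        "$2|krb5_auth|yes" \
        "$2|krb5_ccache_type|FILE" \
        "$2|mkhomedir|yes" |
    while IFS='|' read -r file key val; do
        has_setting "$file" "$key" "$val" || echo "MISSING in $file: $key = $val"
    done
    # the credential cache must be a FILE: cache; the KEYRING default is not usable here
    grep -Eiq '^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*FILE:' "$3" \
        || echo "MISSING in $3: default_ccache_name = FILE:<path>"
}

# count_missing_settings SMB PAM KRB5: prints the number of problems (0 = ok)
count_missing_settings() {
    list_missing_settings "$1" "$2" "$3" | grep -c '^MISSING'
}

# write_sample_configs DIR: constructed sample files that match the article's
# settings (NWO example), used here for a dry run without touching /etc
write_sample_configs() {
    printf '[global]\n\tworkgroup = NWO\n\trealm = NWO.LOCAL\n\tsecurity = ads\n#--authconfig--end-line--\nkerberos method = secrets and keytab\nwinbind refresh tickets = true\n' > "$1/smb.conf"
    printf '[global]\nkrb5_auth = yes\nkrb5_ccache_type = FILE\nmkhomedir = yes\n' > "$1/pam_winbind.conf"
    printf '[libdefaults]\n default_ccache_name = FILE:/tmp/krb5cc_%%{uid}\n' > "$1/krb5.conf"
}

dir=$(mktemp -d); write_sample_configs "$dir"
list_missing_settings "$dir/smb.conf" "$dir/pam_winbind.conf" "$dir/krb5.conf"
echo "problems: $(count_missing_settings "$dir/smb.conf" "$dir/pam_winbind.conf" "$dir/krb5.conf")"
rm -rf "$dir"
```

    On a joined VDA, run the check against the real paths; `net ads testjoin` and `wbinfo -t` then confirm the machine account trust itself, which this script does not test.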
