How do I join RHEL to Active Directory using Winbind?

Solution Verified

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Microsoft Windows 2003 R2 / 2008 / 2008 R2 / 2012 / 2016 with Active Directory configured

Issue

  • How do I join a Red Hat Enterprise Linux system to an Active Directory domain using Samba Winbind?
  • How do I authenticate my RHEL server against a Windows 2003 R2 / 2008 / 2008 R2 / 2012 / 2016 AD domain?

Resolution


In order to join Red Hat Enterprise Linux to Active Directory, the following packages need to be installed on the system:

RHEL5

# yum install samba3x-client samba3x-winbind

RHEL6 and RHEL7

# yum install samba samba-client samba-winbind samba-winbind-clients oddjob-mkhomedir oddjob

RHEL8 and RHEL9

# dnf install samba samba-client samba-winbind samba-winbind-clients oddjob-mkhomedir oddjob

Configuration

  1. Configure /etc/samba/smb.conf with the following settings: set workgroup to the short (NetBIOS, pre-Windows 2000) domain name and realm to the Active Directory (AD) Kerberos realm, conventionally in upper case as in the example. The idmap config options in the example below provide a basic algorithmic mapping for AD users and groups, but may need to be adjusted depending on the layout of your AD forest. Use Red Hat's AD Integration Helper to generate configuration values suited to your organization's Active Directory. Using identical idmap config settings on every domain member server keeps the UID/GID mapping consistent between them; note that the autorid backend hands out a sub-range of rangesize IDs to each domain in the order the domain is first seen by that member, so in a multi-domain forest the mapping can still differ between members unless they encounter the domains in the same order. If you need fully deterministic IDs across servers, use the rid backend with an explicit range per domain instead. winbind offline logon = true lets users who have logged in before authenticate from winbind's local credential cache when no domain controller is reachable; set it to false on hosts where cached credentials are not wanted.

    [global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    security = ads
    idmap config * : backend = autorid
    idmap config * : range = 1000000-19999999
    idmap config * : rangesize = 1000000
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = no
    winbind offline logon = true
    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 0 
    

    Ensure that /etc/resolv.conf points at a DNS server that can resolve your AD DNS zones (normally the domain controllers themselves) and that the search domain is the AD DNS domain; winbind and net ads locate domain controllers through the AD SRV records. The join also uses Kerberos, so the system clock must be within the Kerberos clock skew limit (5 minutes by default) of the domain controllers; keep it synchronized with chrony or ntpd against the same time source the DCs use. Run the following commands to verify that you can resolve the standard SRV records:

    # dig -t SRV _ldap._tcp.dc._msdcs.domain.name
    # dig -t SRV _ldap._tcp.domain.name
    
  2. Join the domain, providing the name of a user permitted to join computers to it (a Domain Admin, or an account that has been delegated the right to create computer objects in the target OU). net ads join obtains a Kerberos ticket for that user, creates the computer account and stores the machine password locally; you will be prompted for the user's password.

    # net ads join -U Administrator
    
  3. Start winbind and enable it on boot.

    RHEL5 and RHEL6

    # service winbind start
    # chkconfig winbind on
    

    RHEL7, RHEL8 and RHEL9

    # systemctl start winbind
    # systemctl enable winbind
    
    
  4. Verify that the system can talk to Active Directory.

    Check that the machine trust account secret stored at join time is valid, that is, that winbind can authenticate to a domain controller with it over RPC (net ads testjoin performs the equivalent check from the net tool side).

    # wbinfo -t
    

    List AD users.

    # wbinfo -u
    

    List AD groups.

    # wbinfo -g
    
  5. Use one of the following methods to configure the NSS and PAM stack. authconfig and its TUI/GUI front ends exist on RHEL5 to RHEL7 only; RHEL8 and RHEL9 use authselect.

    TUI - RHEL5, RHEL6 and RHEL7

    # authconfig-tui
    

    Select Use Winbind in the User Information section and select Use Shadow Passwords, Use Winbind Authentication and Local authorization is sufficient in the Authentication section. Select Next and on the following screen select OK.
    (authconfig-tui is deprecated. No new configuration settings will be supported by its text user interface. Use the system-config-authentication GUI application or the command line options instead.)

    GUI - RHEL5, RHEL6 and RHEL7

    # authconfig-gtk
    

    In the Identity & Authentication tab, select Winbind in the User Account Database drop-down of the User Account Configuration section. The Authentication Configuration section should be set to Winbind. Under the Advanced Options tab select the Create home directories on the first login option and click Apply at the bottom.

    CLI - RHEL6 and RHEL7

    # authconfig --enablewinbind --enablewinbindauth  --enablemkhomedir --update
    

    CLI - RHEL8 and RHEL9 (the with-mkhomedir feature relies on the oddjobd service, which authselect does not start for you; enable it with systemctl enable --now oddjobd before the first AD login)

    # authselect select winbind with-mkhomedir --force
    
    
  6. Ensure that /etc/nsswitch.conf has the following passwd and group entries. On RHEL8 and RHEL9 authselect generates this file from the selected profile and overwrites manual edits, so check the result rather than editing it by hand:

    passwd:     files winbind
    group:      files winbind
    
  7. Test resolving AD users and groups and authentication of users.

    # getent passwd DOMAIN\\aduser
    DOMAIN\aduser::1000000:1000000:AD User:/home/DOMAIN/aduser:/bin/bash
    
    # id DOMAIN\\aduser
    uid=1000000(DOMAIN\aduser) gid=1000000(DOMAIN\domain users) groups=1000000(DOMAIN\domain users),1000001(DOMAIN\group1)
    
    # getent group "DOMAIN\domain users"
    DOMAIN\domain users::1000000:
    
    # ssh DOMAIN\\aduser@127.0.0.1
    DOMAIN\aduser@127.0.0.1's password: 
    Creating home directory for DOMAIN\aduser.
    [DOMAIN\aduser@rhel ~]$ 
    
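The idmap values in step 1 decide which UID and GID the commands in step 7 print, and the point of using the same settings on every member is that the numbers agree between servers. The following script, added here as an example and not part of the Red Hat article, reproduces the autorid arithmetic on a constructed smb.conf fragment so you can predict the IDs a member should hand out and compare them with what wbinfo -S / wbinfo -Y report on each server. The slot numbers, the SID and the smb.conf text are assumptions for illustration; on a real member the slot a domain gets is the range index recorded in /var/lib/samba/autorid.tdb in the order domains were first seen.

```shell
#!/bin/bash
# Added example, not code from the Red Hat article: reproduce idmap_autorid's
# ID arithmetic so mappings can be predicted and cross-checked between members.
# Slot numbers and the SID below are assumed for illustration.

# Constructed smb.conf fragment using the same values as the article's [global].
SMB_CONF_SAMPLE='[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ads
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
idmap config * : rangesize = 1000000
'

# Print the value of one "idmap config * : <key>" line from smb.conf text on stdin.
idmap_setting() {            # $1 = key (range, rangesize, backend ...)
    sed -n "s/^[[:space:]]*idmap config \* *: *$1 *= *\([^[:space:]]*\).*/\1/p"
}

# Validate the autorid range: start <= end, positive rangesize, and at least
# one whole domain slot fits. Prints the number of whole slots the range holds.
autorid_slots() {            # $1 = "low-high", $2 = rangesize
    local low=${1%-*} high=${1#*-} size=$2
    [ "$low" -le "$high" ] || return 1
    [ "$size" -gt 0 ] || return 1
    local slots=$(( (high - low + 1) / size ))
    [ "$slots" -ge 1 ] || return 1
    echo "$slots"
}

# The RID is the last dash-separated component of a SID (S-1-5-21-...-1105 -> 1105).
rid_from_sid() { echo "${1##*-}"; }

# autorid maps a RID to: low + slot * rangesize + (rid mod rangesize), where
# slot is the range index allocated to the domain (a domain whose RIDs exceed
# rangesize is given further slots for the overflow, hence the modulo).
autorid_id() {               # $1 = low, $2 = rangesize, $3 = slot, $4 = rid
    echo $(( $1 + $3 * $2 + $4 % $2 ))
}

# Worked run on the constructed configuration.
range=$(printf '%s' "$SMB_CONF_SAMPLE" | idmap_setting range)
rangesize=$(printf '%s' "$SMB_CONF_SAMPLE" | idmap_setting rangesize)
low=${range%-*}
slots=$(autorid_slots "$range" "$rangesize") || { echo "invalid idmap range/rangesize" >&2; exit 1; }
echo "range $range holds $slots domain slots of $rangesize IDs each"

# Assumed: DOMAIN was the first domain this member saw, so it holds slot 0.
# (BUILTIN takes a slot of its own once winbind resolves a BUILTIN group.)
rid=$(rid_from_sid S-1-5-21-1111111111-2222222222-3333333333-1105)   # constructed SID
echo "DOMAIN\\aduser       (RID $rid) -> uid $(autorid_id "$low" "$rangesize" 0 "$rid")"
echo "DOMAIN\\domain users (RID 513)  -> gid $(autorid_id "$low" "$rangesize" 0 513)"
```

On a joined member, obtain the real SID with wbinfo -n 'DOMAIN\aduser' and the ID winbind assigned with wbinfo -S <sid> (or wbinfo -Y <sid> for a group); if two members with the same smb.conf disagree, they have allocated slots in a different order, which is the case the rid backend with explicit per-domain ranges avoids.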

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
