This article describes how to achieve single sign-on with Active Directory using Identity Management for UNIX (available in Windows Server 2003 R2 and above) or Services for Unix 3.5.

Before starting, you need to set up Identity Management for UNIX. If you are using a version of Windows Server prior to 2003 R2, you can use Services for Unix 3.5 instead, which can be downloaded from Microsoft.

Setup and Configure LDAP User Information

It is recommended to use an Active Directory enabled DNS server; this ensures that LDAP lookups and Kerberos authentication work properly. Also, provide a user account dedicated to LDAP authentication.

1. Click System, select Administration and click Authentication. This launches the Authentication Configuration window.
2. Check Enable LDAP Support and click the Configure LDAP button.
3. Fill in the LDAP Search Base DN and LDAP Server fields. Click Ok when you are done.
4. Click the Options tab and check Local authorization is sufficient for local users and Create home directories on the first login. Click Ok when you are done.
5. Edit the file /etc/ldap.conf and add the following lines:

    binddn user account
    bindpw password for binddn
    nss_map_objectclass posixAccount User
    nss_map_objectclass posixGroup Group
    nss_map_attribute homeDirectory unixHomeDirectory

   If you are using Services for Unix 3.5, remove the homeDirectory mapping above and add the lines below instead:

    nss_map_attribute uid msSFU30Name
    nss_map_attribute uidNumber msSFU30UidNumber
    nss_map_attribute gidNumber msSFU30GidNumber
    nss_map_attribute homeDirectory msSFU30HomeDirectory
    nss_map_attribute loginShell msSFU30LoginShell

   Note: If you are not using an Active Directory enabled DNS server, you need to add the line referrals no to make this work.

6. Type getent passwd in a terminal window. You should see your Active Directory user accounts.
7. Type getent group in a terminal window. You should see your Active Directory groups.
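The getent checks above only tell you whether lookups return something; a mistake in the mapping lines (for example leaving the unixHomeDirectory mapping in place next to the msSFU30HomeDirectory one) can still leave users without a working home directory. The following script is an added example, not part of the original article: it parses an ldap.conf-style file, confirms the objectclass and attribute mappings described above are present and consistent, and exercises itself on a constructed sample config. The helper names (ldap_map_of, check_ldap_conf, write_sample) and the sample bind DN are assumptions for this example. Because bindpw stores the lookup password in clear text, the dedicated account named in binddn should have no more than read access to the directory.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check the nss_ldap mapping
# lines in an /etc/ldap.conf before relying on getent. Helper names are
# hypothetical; the sample configuration written by write_sample is constructed.

# Print every AD attribute that a given local attribute is mapped to.
ldap_map_of() {            # $1 = config file, $2 = local attribute name
    awk -v a="$2" '$1 == "nss_map_attribute" && $2 == a { print $3 }' "$1"
}

# Return 0 if the mappings are consistent, 1 otherwise; findings go to stderr.
check_ldap_conf() {        # $1 = path to an ldap.conf-style file
    conf="$1"; rc=0
    # binddn/bindpw identify the dedicated lookup account. The password sits in
    # the file in clear text, so that account should be read-only in the directory.
    for key in binddn bindpw; do
        grep -q "^$key[[:space:]]" "$conf" || { echo "missing: $key" >&2; rc=1; }
    done
    for req in "nss_map_objectclass posixAccount User" \
               "nss_map_objectclass posixGroup Group"; do
        grep -q "^$req[[:space:]]*$" "$conf" || { echo "missing: $req" >&2; rc=1; }
    done
    # homeDirectory must map to exactly one AD attribute: unixHomeDirectory for
    # Identity Management for UNIX, msSFU30HomeDirectory for Services for Unix 3.5.
    n=$(ldap_map_of "$conf" homeDirectory | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "homeDirectory is mapped $n times, expected 1" >&2; rc=1; }
    # If any msSFU30 mapping is present, the whole SFU 3.5 set must be present.
    if grep -q 'msSFU30' "$conf"; then
        for attr in uid uidNumber gidNumber homeDirectory loginShell; do
            ldap_map_of "$conf" "$attr" | grep -q '^msSFU30' \
                || { echo "SFU 3.5: $attr is not mapped to an msSFU30 attribute" >&2; rc=1; }
        done
    fi
    return $rc
}

# Constructed sample config. "good" is the Identity Management for UNIX layout
# from the article; "bad" adds a leftover SFU 3.5 line so homeDirectory is
# mapped twice, the mistake the article tells you to avoid.
write_sample() {           # $1 = good|bad, $2 = output path
    cat > "$2" <<'EOF'
binddn cn=ldaplookup,cn=Users,dc=acme,dc=local
bindpw EXAMPLE-PASSWORD
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory
EOF
    [ "$1" = bad ] && echo 'nss_map_attribute homeDirectory msSFU30HomeDirectory' >> "$2"
    return 0
}

# Usage: sh check_ldap_conf.sh /etc/ldap.conf
if [ $# -eq 1 ]; then
    check_ldap_conf "$1" && echo "$1: mappings look consistent"
fi
```

Run it against /etc/ldap.conf after step 5; a clean exit means the objectclass mappings, the bind account lines and exactly one homeDirectory mapping are in place, and any msSFU30 mapping comes with the full SFU 3.5 set.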

Setup and Configure Kerberos Authentication

The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized, or at least to differ by less than 5 minutes.

1. Launch the Authentication Configuration window. Click the Authentication tab and check Enable Kerberos Support. Next, click the Configure Kerberos button.
2. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers, and check Use DNS to locate KDCs for realms. The realm is usually your domain name in upper case; capitalization is important. The KDC is your Active Directory server. Click Ok when you're done.

Note: To make sure that your KDC can be located automatically, type the command host -t any _kerberos._tcp.acme.local in a terminal window, replacing acme.local with your own realm. If it replies "_kerberos._tcp.acme.local has SRV record …" then it works. This should work if you are using an Active Directory enabled DNS server. Otherwise, you need to fill in the KDC field above manually. You can specify more than one KDC by separating the servers with a comma or a space.

3. Test Kerberos by typing kinit username in a terminal window. If you need help making sense of the kinit error messages, see Test the Kerberos Authentication.
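When DNS cannot locate the KDCs, the SRV answer from the host command in the note above already contains everything the KDC field needs. The script below is an added example, not part of the original article: it turns such an answer into the space-separated "kdc:port" list the field accepts (best priority first), derives the upper-case realm from the domain name, and checks the clock skew limit the Kerberos section describes. The function names and the two SRV records in SAMPLE_SRV are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article). Helper names are hypothetical and the
# SRV answer below is constructed to look like "host -t any" output.

# The realm is the DNS domain name in upper case.
realm_from_domain() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# Read "host" output on stdin and print one "target:port" per KDC, ordered the
# way clients pick them: lower priority value first, then higher weight.
# Fields: $5 = priority, $6 = weight, $7 = port, $8 = target (trailing dot).
srv_to_kdcs() {
    awk '$2 == "has" && $3 == "SRV" && $4 == "record" {
             sub(/\.$/, "", $8); print $5, $6, $8 ":" $7 }' \
    | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# Same list joined with spaces, ready to paste into the KDC field.
kdc_field() { srv_to_kdcs | tr '\n' ' ' | sed 's/ $//'; echo; }

# Return 0 when two epoch timestamps (e.g. local `date +%s` and the KDC's time
# obtained out of band) differ by less than the 5 minutes Kerberos tolerates.
clock_skew_ok() {          # $1 = local epoch seconds, $2 = KDC epoch seconds
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -lt 300 ]
}

# Constructed sample answer: two domain controllers, dc1 preferred (priority 0).
SAMPLE_SRV='_kerberos._tcp.acme.local has SRV record 10 50 88 dc2.acme.local.
_kerberos._tcp.acme.local has SRV record 0 100 88 dc1.acme.local.'

# Usage: sh kdc_from_srv.sh acme.local   (queries DNS for the real answer)
if [ $# -eq 1 ]; then
    echo "Realm: $(realm_from_domain "$1")"
    echo "KDC field: $(host -t any "_kerberos._tcp.$1" | kdc_field)"
fi
```

With the sample answer, kdc_field prints "dc1.acme.local:88 dc2.acme.local:88"; the record with priority 0 comes first even though DNS returned it second, which is the order to keep if you have to fill in the KDC field by hand.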

That's it; you should now be able to log in using Active Directory user accounts.

Important: The version of sudo that ships with RHEL/CentOS 5 does not work with non-local user accounts. Until this is fixed, use the sudo rpm package from Fedora 8.

Visit the forum to ask for help or to give a comment.

***
Posted on 11/29/2008 and last updated on 11/6/2009
Filed under Active Directory , CentOS 5 , Kerberos , LDAP , Red Hat Enterprise Linux 5