This article describes how to achieve single sign-on with Active Directory using Identity Management for UNIX (available in Windows Server 2003 R2 and later) or Services for Unix 3.5.
Before starting, you need to set up Identity Management for UNIX on the domain controller. If you are running a version of Windows Server prior to 2003 R2, you can use Services for Unix 3.5 instead, which can be downloaded from Microsoft.
Setup and Configure LDAP User Information
It is recommended to use an Active Directory enabled DNS server, so that LDAP lookups and Kerberos KDC discovery work properly. Also create a dedicated, unprivileged user account for the LDAP bind: its password is stored in clear text in /etc/ldap.conf, which every local user can read, so the account should have no rights beyond reading the directory.
1. Click System, select Administration and click Authentication. This launches the Authentication Configuration window.
2. Check Enable LDAP Support and click Configure LDAP.
3. Fill in the LDAP Search Base DN and LDAP Server fields. Click Ok when you are done.
4. Click the Options tab and check Local authorization is sufficient for local users and Create home directories on the first login. Click Ok when you are done.
5. Edit the file /etc/ldap.conf and add the following lines, substituting the distinguished name and password of the dedicated bind account.
binddn user account
bindpw password for binddn
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory
If you are using Services for Unix 3.5, remove the homeDirectory mapping above and add the lines below instead, since SFU 3.5 stores the POSIX attributes under its own msSFU30 names.
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
If you are not using an Active Directory enabled DNS server, you also need to add the line referrals no. Searches against the domain root return referrals to the other naming contexts, and if the referred hosts cannot be resolved, lookups stall until they time out.
6. Type getent passwd in a terminal window. You should see your Active Directory user accounts listed after the local ones, each with a name, numeric uid and gid, home directory and shell. Entries with an empty name mean the uid attribute is not populated in your directory; map it with nss_map_attribute uid sAMAccountName.
7. Type getent group in a terminal window. You should see your Active Directory groups.
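Once getent passwd lists the directory accounts, the thing to check before allowing logins is what those accounts map to on the Linux side: Identity Management for UNIX lets an administrator type any uidNumber into the UNIX Attributes tab, so a directory user can end up with uid 0, with the uid of an existing local account, or with no usable name or home directory at all. The following script is an added example, not part of the original article; it compares /etc/passwd with the saved output of getent passwd and flags exactly those cases. The account names and ids in the demo data are constructed.

```shell
#!/bin/sh
# Audit the passwd database that nss_ldap merges from /etc/passwd and Active Directory.
# Usage: audit_passwd LOCAL_PASSWD MERGED_PASSWD
#   LOCAL_PASSWD  - the local file, normally /etc/passwd
#   MERGED_PASSWD - the output of `getent passwd` saved to a file
# Prints one line per finding and returns 1 if anything is wrong, 0 if clean.
audit_passwd() {
    awk -F: '
        # First file: remember every local account by name and by uid.
        NR == FNR { local_line[$1] = $0; local_uid[$3] = $1; next }
        # Second file: every line that is not a verbatim local entry came from the directory.
        {
            name = $1; uid = $3; gid = $4; home = $6; shell = $7
            if (name in local_line) {
                if ($0 == local_line[name]) next
                print "NAME-CLASH " name " also exists locally"; bad = 1
            }
            if (name == "")             { print "EMPTY-NAME uid=" uid " (uid attribute not mapped)"; bad = 1; next }
            if (uid == "" || gid == "") { print "NO-ID " name; bad = 1; next }
            if (uid + 0 == 0)           { print "ROOT-UID " name " maps to uid 0"; bad = 1 }
            else if (uid in local_uid)  { print "UID-CLASH " name " shares uid " uid " with local " local_uid[uid]; bad = 1 }
            if (substr(home, 1, 1) != "/") { print "BAD-HOME " name " home=\"" home "\""; bad = 1 }
            if (shell == "")            { print "NO-SHELL " name; bad = 1 }
        }
        END { exit bad }' "$1" "$2"
}

# Constructed sample data (not taken from a real system) so the function can be tried offline.
# On a real host run:  getent passwd > /tmp/getent.txt; audit_passwd /etc/passwd /tmp/getent.txt
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n' > "$demo_dir/passwd"
cp "$demo_dir/passwd" "$demo_dir/getent"
printf 'jdoe:x:10001:10000:John Doe:/home/jdoe:/bin/bash\n:x:10002:10000::/home/x:/bin/bash\nsvc:x:0:10000::/home/svc:/bin/bash\n' >> "$demo_dir/getent"
audit_passwd "$demo_dir/passwd" "$demo_dir/getent" || echo "audit failed with status $?"
rm -rf "$demo_dir"
```

Run it again after every change to the UNIX attributes in Active Directory; a clean run is the condition for trusting the Local authorization is sufficient for local users setting, because the directory, not the local host, now decides which uid a login receives.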
Setup and Configure Kerberos Authentication
The Kerberos network authentication protocol requires the clocks of the client and the KDC to agree within the maximum skew, which is five minutes by default; outside that window every ticket request fails. Run ntpd against your domain controllers, which also serve NTP for the domain.
1. Launch the Authentication Configuration window. Click the Authentication tab and check Enable Kerberos Support. Next, click Configure Kerberos.
2. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers and check Use DNS to locate KDCs for realms. Realm is usually your domain name capitalized; capitalization is important. KDC is your Active Directory server. Click Ok when you're done.
To make sure that your KDC can be automatically located, type in the command host -t any _kerberos._tcp.acme.local in a terminal window. Replace acme.local with your own realm. If it replies “_kerberos._tcp.acme.local has SRV record …” then it works. This should work if you are using an Active Directory enabled DNS server. Otherwise, you need to manually fill in the KDC field above. You can specify more than one KDC by separating each server with a comma or space.
3. Test Kerberos by typing kinit username in a terminal window and entering the user's Active Directory password. Then type klist: you should see a krbtgt/REALM@REALM ticket for that user. If you need help in making sense of the kinit error messages, check out Test the Kerberos Authentication.
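The host -t any check above tells you whether an SRV record exists, but not which server the client will actually contact: each record carries a priority and a weight, and a client tries lower priority values first and, within the same priority, favours heavier weights (a real resolver picks randomly in proportion to weight, as RFC 2782 specifies). The function below is an added example, not part of the original article. It parses the output of host into the KDC list in that order, so you can see which domain controller a misbehaving kinit is talking to. The record lines in the demo are constructed for the acme.local realm used in this article.

```shell
#!/bin/sh
# kdc_list: read the output of `host -t SRV _kerberos._tcp.<realm>` on stdin and
# print one "host:port" per line, lowest priority first and heaviest weight first
# within a priority. Returns 1 when no SRV record is present, which means the
# KDC field in the Kerberos Settings window must be filled in by hand.
kdc_list() {
    # host prints: <name> has SRV record <priority> <weight> <port> <target>.
    srv=$(awk '/has SRV record/ {
                  target = $8; sub(/\.$/, "", target)      # strip the trailing dot
                  printf "%d %d %s:%s\n", $5, -$6, target, $7
              }')
    [ -n "$srv" ] || return 1
    printf '%s\n' "$srv" | sort -k1,1n -k2,2n | cut -d' ' -f3
}

# Constructed demo input; on a real host pipe the live lookup instead:
#   host -t SRV _kerberos._tcp.acme.local | kdc_list
printf '%s\n' \
    '_kerberos._tcp.acme.local has SRV record 0 100 88 dc1.acme.local.' \
    '_kerberos._tcp.acme.local has SRV record 10 100 88 dc3.acme.local.' \
    '_kerberos._tcp.acme.local has SRV record 0 200 88 dc2.acme.local.' | kdc_list \
    || echo "no SRV record: set the KDC manually"
```

If the first host printed is not a domain controller you expect, the DNS zone, not the Linux client, is where the fix belongs; the GUI's Use DNS to locate KDCs for realms option simply trusts whatever these records say.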
That’s it, you should now be able to login using Active Directory user accounts.
The version of sudo that comes with RHEL/CentOS 5 does not work with non-local user accounts. Until this is fixed, use the sudo RPM package from Fedora 8.
Posted on 11/29/2008 and last updated on 11/6/2009
Filed under Active Directory , CentOS 5 , Kerberos , LDAP , Red Hat Enterprise Linux 5