Before starting, you need to setup Identity Management for UNIX. If you are using Windows Server prior to 2003 R2, you can use Services for Unix 3.5 which can be downloaded from here.

Setup and Configure LDAP User Information

It is recommended to an Active Directory enabled DNS server, this will ensure that the LDAP lookups and Kerberos authentication will work properly. Also, provide a user account dedicated for the LDAP authentication.

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Check Enable LDAP Support and click the Configure LDAP button.

3. Fill in the LDAP Search Base DN and LDAP Server fields. Click Ok when you are done.

4. Click the Options tab and check Local authorization is sufficient for local users and Create home directories on the first login. Click Ok when you are done.

4. Edit the file /etc/ldap.conf and add the following lines below.

binddn user account
bindpw password for binddn
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory

nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell

If you are not using an Active Directory enabled DNS server, you need to add the line referrals no to make this work.

5. Type in getent passwd in a terminal window. You should see your Active Directory user accounts.

6. Type in getent group in a terminal window. You should see your Active Directory groups.

Setup and Configure Kerberos Authentication

The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized or at least the difference is less than 5 minutes.

1. Launch the Authentication Configuration window. Click the Authentication tab and check the Enable Kerberos Support. Next, click the Configure Kerberos button.

2. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers and check the Use DNS to locate KDCs for realms. Realm is usually your domain name capitalized, capitalization is important. KDC is your Active Directory server. Click Ok when you’re done.

To make sure that your KDC can be automatically located, type in the command host -t any _kerberos._tcp.acme.local in a terminal window. Replace acme.local with your own realm. If it replies “_kerberos._tcp.acme.local has SRV record …” then it works. This should work if you are using an Active Directory enabled DNS server. Otherwise, you need to manually fill in the KDC field above. You can specify more than one KDC by separating each server with a comma or space.

3. Test Kerberos by typing in kinit username in a terminal window. If you need help in making sense of the kinit error messages, check out Test the Kerberos Authentication.

That’s it, you should now be able to login using Active Directory user accounts.

The version of sudo that comes with RHEL/CentOS 5 does not work with non local user accounts. While this is not yet fixed, use the sudo rpm package for Fedora 8.

Setup and Configure Kerberos

The steps below describes how to configure Kerberos using the GUI tool. You can apply the changes manually by editing the file /etc/krb5.conf.

The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized or at least the difference is less than 5 minutes.

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Click the Authentication tab and check the Enable Kerberos Support. Next, click the Configure Kerberos button.

3. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers and check the Use DNS to locate KDCs for realms. Realm is usually your domain name capitalized, capitalization is important. KDC is your Active Directory server. Click Ok when you’re done.

To make sure that your KDC can be automatically located, type in the command host -t any _kerberos._tcp.acme.local in a terminal window. Replace acme.local with your own realm. If it replies “_kerberos._tcp.acme.local has SRV record …” then it works, otherwise you’ll have to fill in the KDC field above. This is how the Windows workstation is able to find the domain controller during domain logon.

4. Uncheck the Enable Kerberos Support and click Ok. We don’t actually want to use Kerberos authentication in Linux, we just want the tool to setup Kerberos for us.

5. Test Kerberos by typing in kinit username in a terminal window. If you need help in making sense of the kinit error messages, check out Test the Kerberos Authentication.

Configuring Cyrus SASL

1. Edit the file /etc/pam.d/smtp.postfix and replace the content with the lines below.

auth        sufficient   pam_krb5.so no_user_check validate
account     sufficient   pam_permit.so

2. Restart the saslauthd service.

3. Test saslauthd by typing in testsaslauthd -u username -p password -r domain -s smtp in a terminal window.

Cyrus SASL is now configured to authenticate against an Active Directory server. Proceed to Postfix SMTP Authentication for instructions on configuring Postfix. Or restart Postfix or MailScanner and jump directly to the Test Postfix using Telnet part if you have already done so.

Setup and Configure Kerberos

The steps below describes how to configure Kerberos using the GUI tool. You can apply the changes manually by editing the file /etc/krb5.conf.

The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized or at least the difference is less than 5 minutes.

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Click the Authentication tab and check the Enable Kerberos Support. Next, click the Configure Kerberos button.

3. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers and check the Use DNS to locate KDCs for realms. Realm is usually your domain name capitalized, capitalization is important. KDC is your Active Directory server. Click Ok when you’re done.

To make sure that your KDC can be automatically located, type in the command host -t any _kerberos._tcp.acme.local in a terminal window. Replace acme.local with your own realm. If it replies “_kerberos._tcp.acme.local has SRV record …” then it works. This is how the Windows workstation is able to find the domain controller during domain logon. If it does not work, something is wrong with your DNS setting. You could either fix your DNS settings or manually fill in the KDC field above. You can specify more than one KDC by separating each server with a comma or space.

4. Uncheck the Enable Kerberos Support and click Ok. We don’t actually want to use Kerberos authentication in Linux, we just want the tool to setup Kerberos for us.

5. Test Kerberos by typing in kinit username in a terminal window. If you need help in making sense of the kinit error messages, check out Test the Kerberos Authentication.

Configuring Dovecot PAM

1. Edit the file /etc/pam.d/dovecot and replace the content with the lines below.

auth        sufficient   pam_krb5.so no_user_check validate
account     sufficient   pam_permit.so

2. Edit the file /etc/dovecot.conf and change the value of the following keys below

passdb pam {
}

userdb static {
  args = uid=501 gid=501 home=/home/vmail/%Lu
}

uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.

3. Restart the dovecot service. Learn how to start and stop services here.

4. You should now be able to login using the user names found in your Active Directory server. See Test Dovecot using Telnet and try using Active Directory user names instead of the system user names.

If you encounter any problems, check the log file at /var/log/maillog.

Launch the terminal window and type in the highlighted items below.

Test the Kerberos authentication

Kerberos is an authentication mechanism used by Active Directory to verify user or host identity. We will use kinit, an executable used to obtain Kerberos access granting ticket, to test the Kerberos authentication mechanism.

[root@mail ~]# kinit bugsbunny

Change bugsbunny to any Active Directory user account.

If it replies

• Cannot resolve network address for KDC in requested realm while getting initial credentials
  

  DNS problem, check the DNS or use ip addresses in the Domain Controllers field of the Winbind Settings.

• Cannot find KDC for requested realm while getting initial credentials
  

  Check the spelling of your Active Directory realm and check the spelling in Winbind Settings. Capitalization is important.

• Client not found in Kerberos database while getting initial credentials
  

  Check the user name you used if it exists in Active Directory.

• Cannot contact any KDC for requested realm while getting initial credentials
  

  Check if the domain controller you specified in Winbind Settings is indeed working is not firewalled.

See Winbind Setting for RHEL/CentOS 5
See Winbind Setting for RHEL/CentOS 4

Password for bugsbunny@ACME.LOCAL: type in the password here

If it replies

• Preauthentication failed while getting initial credentials
  

  It means the password is wrong.

• Password has expired while getting initial credentials
  

  The password is no longer valid and needs to be changed.

• Clock skew too great while getting initial credentials
  

  Synchronize your clocks using NTP. For a quick and temporary fix, use net time set to synchronize time with the domain controller.

  To permanently fix the problem, both the Active Directory server and the Linux server should synchronize their time with an NTP server. See how to synchronize system clock in Linux. For Windows, use the command

  net time /setsntp:"0.pool.ntp.org 1.pool.ntp.org"
  

  Replace “0.pool.ntp.org …” with your preferred NTP server.

• KDC reply did not match expectations while getting initial credentials
  

  Make sure the realm is correct and capitalized in /etc/krb5.conf. If the realm is ACME.LOCAL, this error will appear if ACME, acme, acme.local is used as the realm.

Join the Active Directory Domain

[root@mail ~]# net ads join -U administrator

Replace administrator with any user name having Domain Admin rights. Specify your password when asked. You should be able to join the Active Directory domain now.