Monday, May 5, 2014

9 Centos 6.5 join Windows Domain and Kerberos authentication

This is my note for configure Linux intergrade windows domain authentication with Kerberos


Package Require

  • yum install samba
  • yum install krb5-server
  • yum install krb5-workstation
  • yum install samba-winbind
  • yum install ntpdate    --> This is required for sync time
  • yum install cifs-utils


Setup the Host Name on Linux

Setup the host name in /etc/sysconfig/network


Setup network connection on Linux

Setup the host name in /etc/sysconfig/network-scripts/ifcfg-eth0


setup hostname /etc/hosts


This is the Linux network looks like


Before we start configuration, we need to make sure the Linux and Windows can ping each other


IP :

Hostname : NOSQL1


IP :

Hostname : SGC



Configure Samba

configure /etc/samba/smb.conf

   workgroup = STARGATE  # For Win2000 and older
   password server = # DC hostname
   realm = STARGATE.COM # Domain
   security = ads # Activity Directory
   idmap config * : range = 16777216-33554431
   template shell = /bin/bash  # Default Shell
   winbind use default domain = true # When set true, we can log in as loginname, when set false, we need to login as loginid@domainname
   winbind offline logon = false
   template homedir = /mnt/samba/%u
   server string = stargate Samba Server Version %v
   netbios name = NOSQL1
  # Below are all default value
   log file = /var/log/samba/log.%m
   max log size = 50
   passdb backend = tdbsam
   encrypt passwords = yes
   load printers = yes
   cups options = raw
        comment = Home Directories
        browseable = no
        writable = yes
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

mkdir /mnt/samba

update /etc/fstab

//sgc/C$/Users /mnt/samba cifs sec=krb5i,noserverino,nounix,iocharset=utf8,rw,dir_mode=0777,file_mode=0666


Configure KDC

configure /etc/krb5.conf  Configure file is case sensitive

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 default_realm = STARGATE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
  admin_server = SGC.STARGATE.COM:749
  default_domain = STARGATE.COM
  kdc =


configure /var/kerberos/krb5kdc/kdc.conf

 kdc_ports = 88
 kdc_tcp_ports = 88
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal


Restart samba

service smb start
chkconfig smb on


Sync time

ntpdate  sgc




Join Domain

net rpc join –U PO


After join the domain, you can see the host show up in the windows AD.


If you encounter the error :  Unable to find a suitable server for domain
That is because the iptables


We can temporary stop the iptables.


Configure Winbind authentication

configure /etc/nsswitch.conf


Configure PAM

configure /etc/pam.d/system-auth

Log path for trouble shooting authentication error /var/log/audit/audit.log

auth         sufficient
account      sufficient
password     sufficient
session      sufficient

After the pam setting is complete  we need to restart winbind

service winbind start
chkconfig winbind on

We can also use authconfig-tui to configure the PAM .

This is what my system-auth looks like after authconfig-tui

auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        required
account     required broken_shadow
account     sufficient uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required
password    requisite try_first_pass retry=3 type=
password    sufficient md5 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required
session     optional revoke
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required

Test AD login

List all the account on the AD:  wbinfo -u


Check the user : id

You can see the id belong to the domain group


Login as domain account


Other errors

No DNS domain configured for nosql2. Unable to perform DNS Update.
DNS update failed!


To fix this, add the nosql2 in the DC’s DNS record:




  1. WARNING: Ignoring invalid value 'ads # Activity Directory' for parameter 'security'
    cannot join as standalone machine

  2. This is cool post and i enjoy to read this post. your blog is fantastic and you have good staff in your blog. nice sharing keep it up. thebestvpn

  3. Thank you again for all the knowledge you distribute,Good post. I was very interested in the article, it's quite inspiring I should admit. I like visiting you site since I always come across interesting articles like this one.Great Job, I greatly appreciate that.Do Keep sharing! Regards, Klick für mehr

  4. pleasant post, stay aware of this fascinating work. It truly regards realize that this subject is being secured likewise on this site so cheers for setting aside time to talk about this! gizlilikveguvenlik

  5. Intriguing post. I Have Been pondering about this issue, so much obliged for posting. Really cool post.It "s truly extremely pleasant and Useful post.Thanks

  6. I'm impressed, I must say. Very rarely do I come across a blog thats both informative and entertaining, and let me tell you, you ve hit the nail on the head. Your blog is important.. vpnveteran

  7. Thank you again for all the knowledge you distribute,Good post. I was very interested in the article, it's quite inspiring I should admit. I like visiting you site since I always come across interesting articles like this one.Great Job, I greatly appreciate that.Do Keep sharing! Regards, Privacy in the network

  8. I was surfing net and fortunately came across this site and found very interesting stuff here. Its really fun to read. I enjoyed a lot. Thanks for sharing this wonderful information. deze website

  9. Such a very useful article. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article.



SQL Panda Copyright © 2011 - |- Template created by O Pregador - |- Powered by Blogger Templates