CentOS 7 authentication using Active Directory


Though Linux hosts have their own local authentication mechanism, at times a requirement will arise for Windows Active Directory authentication. For example, if a Linux host needs access to NTFS folders shared by a Windows host in a Windows domain, Active Directory authentication will be required.


The following lists the steps required to enable a CentOS 7 host to use Active Directory for authentication. The Windows AD domain name used here is myntp.local.

Add the Linux host in Windows AD via the Active Directory Users and Computers management tool.

#] yum -y install authconfig krb5-workstation pam_krb5 samba-common oddjob-mkhomedir sudo ntp samba-winbind-modules

#] mkdir /home/myntp.local

[NOTE: In the command below every option is introduced with a double hyphen ("--"), not a single hyphen ("-").]

#] authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=MYNTP --smbrealm=MYNTP.LOCAL --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/myntp.local/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=MYNTP.LOCAL --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall


Verify and ensure /etc/krb5.conf looks as below. The realm name must be spelled identically, in upper case, in default_realm and in the [realms] block, and the KDC key inside that block is kdc (not kdc_server):

#] cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYNTP.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MYNTP.LOCAL = {
  kdc = pdc.myntp.local
  admin_server = pdc.myntp.local
 }

[domain_realm]
 .myntp.local = MYNTP.LOCAL
 myntp.local = MYNTP.LOCAL


Note: Ensure you can ping the domain name (myntp.local). Because dns_lookup_realm and dns_lookup_kdc are enabled above, the kinit and net ads join commands below rely on DNS to find the realm and the KDC.

#] kinit domain_admin
#] ntpdate pdc.myntp.local
#] net ads join myntp.local -U domain_admin
#] net ads testjoin
#] chmod 777 /home/myntp.local/

(The parent directory only needs to be writable by root: oddjobd-mkhomedir creates each user's home directory as root, so 755 is sufficient and avoids leaving a world-writable directory on the host.)

#] chkconfig oddjobd on
#] chkconfig winbind on
#] chkconfig messagebus on


#] useradd <domain user>

Reboot the host, then try logging in as <domain user>.
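The whole procedure above can be sanity-checked before the reboot. The script below is an added example and is not part of the original post: it validates /etc/krb5.conf for the two slips that most often break an AD join (a [realms] block not spelled exactly like default_realm, and kdc_server where the key is kdc), checks that the /home/myntp.local parent is not world-writable, and, when the Samba tools from the yum line are installed, runs the live net ads testjoin / wbinfo -t / getent checks. The function names, the constructed sample configs and the DOMAIN_USER variable are assumptions; MYNTP.LOCAL, pdc.myntp.local and /home/myntp.local come from the page.

```shell
#!/bin/sh
# Post-join sanity checks for a CentOS 7 host joined to AD with winbind + Kerberos.
# Added example, not from the original page. MYNTP.LOCAL, pdc.myntp.local and
# /home/myntp.local are the page's values; helper names and sample files are constructed.

# check_krb5_conf FILE REALM: awk pass over the INI-style krb5.conf that reports the slips
# which most often break AD logins: default_realm != REALM, a [realms] block whose name is
# not the exact upper-case realm, the misspelt key kdc_server (valid key: kdc), and a
# [domain_realm] entry mapping elsewhere. Returns 0 when clean, prints findings and 1 otherwise.
check_krb5_conf() {
    awk -v realm="$2" '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                                   # comments, blanks
        /^[ \t]*\[[A-Za-z_]+\][ \t]*$/ { gsub(/[][ \t]/, ""); section = $0; next }
        {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = split(line, kv, /[ \t]*=[ \t]*/); key = kv[1]; val = (n > 1) ? kv[2] : ""
            if (section == "libdefaults" && key == "default_realm") {
                seen_default = 1
                if (val != realm) { print "default_realm is " val ", expected " realm; bad = 1 }
            }
            if (section == "realms" && val == "{") {
                if (key == realm) seen_realm = 1
                else { print "[realms] block named " key ", must be exactly " realm; bad = 1 }
            }
            if (section == "realms" && key == "kdc_server") {
                print "[realms] uses kdc_server; the valid key is kdc"; bad = 1
            }
            if (section == "domain_realm" && val != realm) {
                print "[domain_realm] maps " key " to " val " instead of " realm; bad = 1
            }
        }
        END {
            if (!seen_default) { print "no default_realm in [libdefaults]"; bad = 1 }
            if (!seen_realm)   { print "no [realms] block for " realm; bad = 1 }
            exit bad
        }' "$1"
}

# check_home_parent DIR: oddjobd-mkhomedir runs as root and creates each home under DIR,
# so DIR needs only 0755; a world-writable parent (the result of chmod 777) is flagged.
check_home_parent() {
    [ -d "$1" ] || { echo "$1 is not a directory"; return 1; }
    if [ "$(ls -ld "$1" | cut -c9)" = "w" ]; then          # 9th column: other-write bit
        echo "$1 is world-writable; 0755 is sufficient"; return 1
    fi
    return 0
}

# verify_join USER: live checks on the joined host (needs the samba tools from the yum line).
verify_join() {
    command -v net >/dev/null 2>&1 || { echo "samba tools not installed"; return 1; }
    net ads testjoin || return 1                      # machine account still valid
    wbinfo -t || return 1                             # winbind can use the trust secret
    getent passwd "$1" >/dev/null || { echo "$1 not resolvable via winbind"; return 1; }
}

# Constructed samples: the page's krb5.conf with proper headers, and one reproducing the
# two slips in the page's listing (lower-case realm block, kdc_server key).
good_conf() { cat <<'EOF'
[libdefaults]
 default_realm = MYNTP.LOCAL
 dns_lookup_kdc = true
[realms]
 MYNTP.LOCAL = {
  kdc = pdc.myntp.local
  admin_server = pdc.myntp.local
 }
[domain_realm]
 .myntp.local = MYNTP.LOCAL
 myntp.local = MYNTP.LOCAL
EOF
}
bad_conf() { cat <<'EOF'
[libdefaults]
 default_realm = MYNTP.LOCAL
[realms]
 myntp.local = {
  kdc_server = pdc.myntp.local
 }
[domain_realm]
 .myntp.local = MYNTP.LOCAL
EOF
}

demo() {
    t=$(mktemp -d)
    good_conf > "$t/good.conf"; bad_conf > "$t/bad.conf"
    echo "== good krb5.conf"; check_krb5_conf "$t/good.conf" MYNTP.LOCAL && echo "   clean"
    echo "== bad krb5.conf";  check_krb5_conf "$t/bad.conf"  MYNTP.LOCAL || echo "   (findings expected)"
    mkdir "$t/home" && chmod 777 "$t/home"
    echo "== home parent";    check_home_parent "$t/home" || echo "   (finding expected)"
    rm -rf "$t"
    echo "== live checks";    verify_join "${DOMAIN_USER:-domain_user}" || echo "   skipped or failed"
}
demo
```

Run it as root on the joined host, for example as DOMAIN_USER=<domain user> sh check_join.sh (the file name is a placeholder). Point check_krb5_conf at the real /etc/krb5.conf and check_home_parent at /home/myntp.local to test the host rather than the constructed samples; a clean result in every section means the first domain login after the reboot should work without guesswork.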