Introduction
We have looked at several methods of authenticating the Squid Proxy Server application to Active Directory. Configuring a client workstation to authenticate is much easier using the Realm Daemon.
Keep in mind that authentication to Active Directory does not mean integration with it. You will get a centralized account management system and user and group permissions to network resources. But authenticating a Linux workstation to Active Directory does not provide Group Policy management -- one of Active Directory's many strengths. And applications installed on a Linux workstation are often not designed to use, or to pass through, the Kerberos credentials obtained at logon, so they typically need to be configured individually.
Install the Realm Daemon, Password Check and Kerberos Client Software
Begin by installing the basic software required for the installation:
#sudo apt-get install realmd cracklib-runtime krb5-user
During the installation, enter MYDOMAIN.COM at the prompt for the default Kerberos realm. Kerberos realm names are case-sensitive and by convention upper-case, so use the upper-case form of your domain name.
Obtain a Kerberos ticket using the kinit command. You may specify any Domain User, but in this case we will use the "Administrator" account:
#kinit Administrator
Confirm that the ticket was issued with klist; it should show a krbtgt/MYDOMAIN.COM@MYDOMAIN.COM entry. If kinit reports "Cannot find KDC for realm" or "Clock skew too great", check that the domain name resolves in DNS and that the workstation's clock is within five minutes of the domain controllers' before going further. At this point, reboot the machine.
Discover and Join the Active Directory Kerberos Realm
Two commands accomplish the task of joining the workstation to the Domain as a Computer Account, which the machine needs in order to initiate the communications with Active Directory required for subsequent User authentication. First confirm that the domain can be discovered:
#realm discover --verbose mydomain.com
The output should list the domain type (kerberos), the realm name and the client packages realmd expects. Then join, authenticating as a domain account that is allowed to create computer objects (you will be prompted for its password):
#sudo realm join --client-software=sssd --user=Administrator MYDOMAIN.COM
The join writes /etc/sssd/sssd.conf. As generated, the file sets use_fully_qualified_names = True, which means accounts are only recognised in the form user@mydomain.com; a plain user name at the logon prompt is rejected. If you want short names to work as well, comment out that statement:
#sudo nano /etc/sssd/sssd.conf
Insert # in front of the line:
use_fully_qualified_names = True
and then restart the sssd service:
#sudo service sssd restart
Add Active Directory User Accounts Permitted or Denied Logon
Issue the command:
#sudo realm permit --realm mydomain.com --all
Alternatively you may specify individual accounts permitted to log on, for example "sudo realm permit jdoe@mydomain.com", or use "sudo realm deny --all" to block domain logons to the workstation altogether. Confirm the result with "realm list", whose login-policy line shows which policy is in effect for the joined realm.
Finally, each user will require a home directory to log on to Linux. The Linux Pluggable Authentication Modules (PAM) specify authentication behavior and can automatically create a home directory for network-authenticated users. Edit the common-session module configuration and add the module pam_mkhomedir:
#sudo nano /etc/pam.d/common-session
Add the line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
to the end of the file. Make sure it comes after the comment line declaring the end of the section controlled by the automatic update command pam-auth-update; anything above that marker is rewritten the next time pam-auth-update runs. Two settings in that line deserve thought: umask=0022 creates home directories that every local user can read, so prefer umask=0077 unless you actually need them world-readable; and "required" makes the login session fail if the directory cannot be created, whereas "optional" lets the session continue (the form most distribution examples use). Then, create a domain directory under /home. Domain User home directories will be automatically created here.
#sudo mkdir /home/mydomain.com
Before logging out, confirm that the workstation can resolve domain accounts at all: "id jdoe@mydomain.com" (or "getent passwd jdoe" if you disabled fully qualified names) should return a UID, a GID and the home directory path. That path comes from the fallback_homedir setting in /etc/sssd/sssd.conf; if it does not fall under /home/mydomain.com, adjust either that setting or the directory you just created so they agree. Now log out and test authentication. Check the Domain User's home directory in a file manager window; it will be under the /home/mydomain.com directory. Then try to issue a sudo command; if the domain user is not added to the sudoers file, the account will not be able to execute elevated-privilege tasks. Grant that deliberately, for example with a drop-in under /etc/sudoers.d for a specific Active Directory group rather than by adding individual users.
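The post-join edits in this section (commenting out use_fully_qualified_names, adding pam_mkhomedir below the pam-auth-update marker, creating the domain home parent) collected into one idempotent script. This is an added example, not code from the original page: each function takes the file or directory to edit as an argument so it can be exercised on copies first, and the real paths under /etc are only touched when the script is run as root with the argument "apply". The umask=0077 and "optional" values are the tighter choices discussed above, not the line the page shows, and the sample sssd.conf and common-session contents used to try the functions are constructed here.

```shell
#!/bin/sh
# Added example (not from the original page): the post-join edits as
# idempotent shell functions. Files under /etc are only modified when run
# as root with "apply"; otherwise the functions are available for testing
# on copies. umask=0077 and "optional" are assumptions explained in the text.

# The generated sssd.conf contains "use_fully_qualified_names = True".
# Comment it out so short user names work. Only an active (uncommented)
# line matches, so running this twice leaves a single "# " prefix.
disable_fqn() {
    f="$1"
    sed 's/^[[:space:]]*use_fully_qualified_names[[:space:]]*=.*$/# &/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# pam_mkhomedir creates the home directory on first logon. umask=0077 keeps
# it private to its owner; "optional" lets the session continue if the
# directory cannot be created instead of locking the user out.
MKHOMEDIR_LINE='session optional pam_mkhomedir.so skel=/etc/skel umask=0077'

# Append the mkhomedir line once; a second call is a no-op.
add_mkhomedir() {
    f="$1"
    grep -q 'pam_mkhomedir\.so' "$f" && return 0
    printf '%s\n' "$MKHOMEDIR_LINE" >> "$f"
}

# pam-auth-update rewrites everything above its "end of pam-auth-update
# config" marker, so a line placed above it is lost on the next update.
# Returns 0 if the mkhomedir line sits below the marker, 1 otherwise.
mkhomedir_after_marker() {
    f="$1"
    marker=$(grep -n 'end of pam-auth-update config' "$f" | head -n 1 | cut -d: -f1)
    line=$(grep -n 'pam_mkhomedir\.so' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$marker" ] && [ -n "$line" ] && [ "$line" -gt "$marker" ]
}

# Parent directory for domain home directories, matching the
# /home/<domain>/<user> layout the page uses.
ensure_home_parent() {
    mkdir -p "$1" && chmod 0755 "$1"
}

if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    disable_fqn /etc/sssd/sssd.conf
    add_mkhomedir /etc/pam.d/common-session
    mkhomedir_after_marker /etc/pam.d/common-session \
        || { echo "pam_mkhomedir line is above the pam-auth-update marker; move it" >&2; exit 1; }
    ensure_home_parent /home/mydomain.com
    service sssd restart
fi
```

Run it as "sudo sh join-fixups.sh apply" after realm join has written /etc/sssd/sssd.conf. Because the functions operate on whatever path they are given, you can copy the two files to a scratch directory and run the functions there first to see exactly what changes before touching the live configuration; the marker check is what makes the mkhomedir line survive a later pam-auth-update.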
The video below demonstrates the entire process, which takes five to seven minutes.