As hybrid Windows/Linux environments become standard in software development, Active Directory (AD) authentication for Linux servers has evolved from theoretical possibility to production-ready solution. The key components we'll examine are:
- SSSD (System Security Services Daemon) for core authentication
- Kerberos for ticket-based authentication
- PAM (Pluggable Authentication Modules) integration
- Samba winbind for legacy AD compatibility
First, install required packages on CentOS/RHEL:
sudo yum install realmd sssd krb5-workstation oddjob oddjob-mkhomedir adcli samba-common
For Debian/Ubuntu:
sudo apt-get install realmd sssd libnss-sss libpam-sss krb5-user adcli samba-common-bin
Then join the domain:
sudo realm discover DOMAIN.COM
sudo realm join -U admin_user DOMAIN.COM
Configure /etc/ssh/sshd_config:
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM yes
Modify /etc/pam.d/sshd:
auth required pam_sss.so
account required pam_sss.so
Instead of .htaccess, use mod_auth_kerb:
<Location /protected>
AuthType Kerberos
AuthName "AD Authentication"
KrbAuthRealms DOMAIN.COM
KrbServiceName HTTP/server.domain.com
Krb5Keytab /etc/httpd/conf/httpd.keytab
Require valid-user
</Location>
Modify /etc/samba/smb.conf:
[global]
workgroup = DOMAIN
security = ads
realm = DOMAIN.COM
idmap config * : backend = tdb
idmap config * : range = 10000-999999
winbind use default domain = yes
winbind offline logon = false
[shared]
path = /srv/shared
read only = no
valid users = @"DOMAIN\Domain Users"
For SMTP authentication, configure /etc/mail/sendmail.mc (m4 quoting uses an opening backtick and a closing single quote):
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
- Time Synchronization: Ensure NTP is properly configured (<5min difference with DC)
- DNS Resolution: AD requires proper forward/reverse DNS records
- Firewall Rules: Open TCP/UDP 88 (Kerberos), 389/636 (LDAP), 445 (SMB)
- Home Directories: Configure pam_mkhomedir to auto-create user directories
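The prerequisites listed above (clock skew under five minutes, forward and reverse DNS that agree, and the DC ports reachable) are the things that most often make realm join or kinit fail, so they are worth checking before joining. The preflight script below is an added example, not code from the post. It assumes the DC hostname and this host's FQDN are passed as the two arguments, that `net time -S` from samba-common prints a date that GNU `date -d` can parse (an assumption; if it cannot, the clock check simply reports a failure), and it probes only the TCP ports from the list (UDP 88 is not tested).

```shell
#!/usr/bin/env bash
# AD join preflight: clock skew, forward/reverse DNS consistency, DC ports.
# Added example, not from the original post.
# Usage: ./ad_preflight.sh dc01.domain.com server.domain.com

MAX_SKEW=300                 # Kerberos rejects tickets beyond 5 minutes of skew
DC_PORTS="88 389 445 636"    # Kerberos, LDAP, SMB, LDAPS (TCP only)

# skew_ok LOCAL_EPOCH DC_EPOCH: true when the two clocks differ by < MAX_SKEW
skew_ok() {
  local diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( -diff ))
  [ "$diff" -lt "$MAX_SKEW" ]
}

# names_agree EXPECTED_FQDN PTR_NAME: compare case-insensitively and ignore
# the trailing dot that reverse lookups often return
names_agree() {
  local want got
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  got=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# port_open HOST PORT: TCP connect test via bash's /dev/tcp with a 3 s timeout
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# missing_ports HOST: prints the DC ports that could not be reached
missing_ports() {
  local p missing=""
  for p in $DC_PORTS; do
    port_open "$1" "$p" || missing="$missing $p"
  done
  printf '%s' "${missing# }"
}

# preflight DC_HOST THIS_FQDN: runs all checks, returns 1 if any failed
preflight() {
  local dc=$1 fqdn=$2 rc=0 dc_epoch ip ptr missing

  # 1. Clock skew (assumption: `net time -S` output is parseable by date -d)
  if dc_epoch=$(date -d "$(net time -S "$dc" 2>/dev/null)" +%s 2>/dev/null) \
     && skew_ok "$(date +%s)" "$dc_epoch"; then
    echo "ok   clock skew against $dc is under ${MAX_SKEW}s"
  else
    echo "FAIL clock skew check (fix NTP first; kinit will fail otherwise)"; rc=1
  fi

  # 2. Forward lookup of our FQDN, then reverse lookup of that address
  ip=$(getent hosts "$fqdn" | awk '{print $1; exit}')
  ptr=$(getent hosts "$ip" | awk '{print $2; exit}')
  if [ -n "$ip" ] && names_agree "$fqdn" "$ptr"; then
    echo "ok   $fqdn -> $ip -> $ptr"
  else
    echo "FAIL forward/reverse DNS mismatch ($fqdn / ${ip:-none} / ${ptr:-none})"; rc=1
  fi

  # 3. DC ports through the firewall
  missing=$(missing_ports "$dc")
  if [ -z "$missing" ]; then
    echo "ok   DC ports $DC_PORTS reachable"
  else
    echo "FAIL unreachable DC ports: $missing"; rc=1
  fi
  return $rc
}

if [ "$#" -eq 2 ]; then preflight "$@"; fi
```

Run it before `realm join`; a non-zero exit means at least one prerequisite is not met, and the first failing line tells you which of the three to fix.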
Integrating Linux servers with Active Directory (AD) is not just possible but increasingly common in mixed environments. At our shop, we've successfully implemented this across 50+ servers with 99.8% uptime over 18 months.
Here's what makes the magic happen:
- sssd (System Security Services Daemon)
- realmd for domain joining
- krb5-workstation for Kerberos
- samba-winbind for legacy AD support
First, install required packages:
sudo yum install -y realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation
Discover your AD domain:
sudo realm discover example.com
Join the domain (replace with your admin credentials):
sudo realm join --user=admin@EXAMPLE.COM example.com
Configure /etc/ssh/sshd_config:
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
For git server access, create /etc/sssd/sssd.conf:
[domain/example.com]
id_provider = ad
access_provider = ad
override_homedir = /home/%u
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
Replace .htaccess with mod_auth_kerb:
<Location /secure>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/httpd/conf/httpd.keytab
Require valid-user
</Location>
Sample /etc/samba/smb.conf section:
[global]
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.COM
encrypt passwords = yes
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 10000-20000
winbind use default domain = yes
Common issues and fixes:
- Kerberos ticket renewal: kinit administrator@EXAMPLE.COM
- SSSD cache reset: sudo systemctl restart sssd
- Samba domain rejoin: net ads join -U administrator
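Both answers point Apache at a keytab (/etc/httpd/conf/httpd.keytab) for mod_auth_kerb. That file is the web server's long-term Kerberos credential, so two things should be verified after creating it: it actually contains the HTTP service principal for this host's FQDN (an SPN/hostname mismatch is the usual reason Negotiate silently falls back or fails), and only the web server account can read it. The script below is an added example, not code from either answer. It assumes `klist -k` output in the usual "KVNO Principal" table form, GNU `stat` (Linux), and that the httpd account name (for example `apache` on RHEL) is passed as the third argument.

```shell
#!/usr/bin/env bash
# Verify an Apache Kerberos keytab: expected principal present, file owned by
# the web server user, no group/other permission bits.
# Added example, not from the original answers.
# Usage: ./check_keytab.sh /etc/httpd/conf/httpd.keytab \
#            HTTP/server.domain.com@DOMAIN.COM apache

# keytab_has_principal KLIST_OUTPUT PRINCIPAL: true if a numbered KVNO row
# lists exactly this principal (header lines never start with a number)
keytab_has_principal() {
  printf '%s\n' "$1" | awk -v want="$2" \
    '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 } END { exit !found }'
}

# keytab_kvno KLIST_OUTPUT PRINCIPAL: prints the highest KVNO for PRINCIPAL
# (0 when absent). A stale KVNO after a computer-account password reset is
# another common cause of authentication failures.
keytab_kvno() {
  printf '%s\n' "$1" | awk -v want="$2" \
    '$1 ~ /^[0-9]+$/ && $2 == want && $1+0 > max { max = $1+0 } END { print max+0 }'
}

# mode_is_private FILE: true when group and other have no permission bits
# (0600, 0400, also 4700 etc.); uses GNU stat's octal mode output
mode_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# file_owner FILE: prints the owning user name (GNU stat)
file_owner() { stat -c '%U' "$1" 2>/dev/null; }

# check_keytab FILE PRINCIPAL EXPECTED_OWNER: runs all checks, returns 1 on any failure
check_keytab() {
  local kt=$1 princ=$2 owner=$3 rc=0 out actual_owner
  out=$(klist -k "$kt" 2>/dev/null) || { echo "FAIL klist cannot read $kt"; return 1; }

  if keytab_has_principal "$out" "$princ"; then
    echo "ok   $princ present (kvno $(keytab_kvno "$out" "$princ"))"
  else
    echo "FAIL $princ not found in $kt (SPN must match the FQDN clients use)"; rc=1
  fi

  actual_owner=$(file_owner "$kt")
  if [ "$actual_owner" = "$owner" ]; then
    echo "ok   owned by $owner"
  else
    echo "FAIL owner is ${actual_owner:-unknown}, expected $owner"; rc=1
  fi

  if mode_is_private "$kt"; then
    echo "ok   mode $(stat -c '%a' "$kt") keeps the keytab private"
  else
    echo "FAIL keytab readable by group/other; chmod 600 $kt"; rc=1
  fi
  return $rc
}

if [ "$#" -eq 3 ]; then check_keytab "$@"; fi
```

The principal argument is compared exactly, realm included, so pass it in the same form `klist -k` prints (uppercase realm). The helpers take the klist text as an argument rather than calling klist themselves, which is what lets the parsing be exercised on captured output without a real keytab.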