7.14. Active Directory Authentication Server Configuration
In environments where authentication is performed against the domain (such as MSCHAPv2, where the password hash is verified by a domain controller), OpenNAC must be joined to the domain so that it can perform these authentications.
If there is only one domain controller, those authentications are carried out against that single server. If there are several, the controller actually used depends on the Samba and Kerberos configuration.
Sometimes it is necessary to choose which domain controllers OpenNAC should authenticate against. This is useful, for example, when some domain controllers are in other locations and the added latency (or a controller that is down) slows or breaks the authentication process.
In these cases we can configure the servers manually and prioritize some over others, in a fail-over fashion: the servers are tried in the listed order, and when one fails the next one is used.
7.14.1. Samba Configuration
To carry out this configuration, edit the file /etc/samba/smb.conf and look for the variable “password server” in the [global] section.
Warning
Ideally, this option should not be used, as the default * tells Samba to determine the best DC to contact dynamically, just as all other hosts in an AD domain do. This allows the domain to be maintained (addition and removal of domain controllers) without modification to the smb.conf file. The cryptographic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe.
If in your particular environment you have reasons to specify a particular DC list, then the list of machines in this option must be a list of names or IP addresses of domain controllers for the domain. If you use the default of *, or list several hosts in the password server option, then smbd will try each in turn until it finds one that responds. This is useful in case your primary server goes down.
Note
The server names on the list can be an IP address, a standard hostname (resolved through the /etc/hosts file or DNS) or a NetBIOS name (resolved through the lmhosts file or NetBIOS name resolution).
Examples:
Default (recommended):
This method leaves DC location to Samba, which uses the DNS SRV records of the domain and the DC locator to direct authentication requests to an available domain controller, preferring those in the host’s own AD site.
password server = *
Single Server:
This configuration tells Samba to authenticate users only against the domain controller at dc1.example.com:
password server = dc1.example.com
Same example using IP address:
password server = 192.168.43.5
Multiple Servers:
This setup allows Samba to try dc1.example.com first and, if it fails, fall back to dc2.example.com.
password server = dc1.example.com, dc2.example.com
Same example using NetBIOS names:
password server = NT-PDC, NT-BDC1
Multiple Servers + * :
If the list of servers contains both names/IP addresses and the ‘*’ character, the list is treated as a list of preferred domain controllers, and an automatic lookup of all remaining DCs is appended to it. Samba will not attempt to optimize this list by locating the closest DC.
password server = dc1.example.com, dc2.example.com *
Same example using hostname (with specified port) and IP address:
password server = windc.mydomain.com:389 192.168.1.101 *
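To see what a given password server line actually amounts to before restarting anything, here is an added example that is not part of the OpenNAC documentation or of Samba itself: a POSIX shell script that extracts the list from an smb.conf, prints the entries in the order smbd/winbind will try them, resolves and probes each one, and, on an already-joined host, asks winbind which DC it is really using. The function names (parse_password_server, entry_host, entry_port, check_dc_list, winbind_dc_status), the use of nc for the TCP probe, the PROBE_TIMEOUT variable and the default probe port 445 are this example’s own choices, not anything defined by OpenNAC or Samba.

```shell
#!/bin/sh
# Added example, not part of the OpenNAC documentation: read the "password server"
# list out of an smb.conf, show the order in which smbd/winbind will try the
# entries, and probe each one. Assumes POSIX sh, sed/tr, getent, nc (TCP probe)
# and, for winbind_dc_status, the Samba wbinfo tool on an already-joined host.
set -u

PROBE_TIMEOUT=${PROBE_TIMEOUT:-2}   # seconds per TCP probe (example's own knob)

# Print the "password server" entries of FILE one per line, in the order Samba
# tries them. Commented-out lines (leading ';' or '#') are ignored; the value
# may be comma- or space-separated and may contain '*' and host:port entries.
parse_password_server() {
  sed -n 's/^[[:space:]]*password server[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',\t' '  ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Host part of "host:port" (hostnames/IPv4 only; bracketed IPv6 is not handled).
entry_host() { printf '%s\n' "${1%%:*}"; }

# Port part of "host:port". When no port is given this example probes 445, the
# SMB port over which winbind's netlogon RPC to the DC runs (assumed default).
entry_port() {
  case $1 in
    *:*) printf '%s\n' "${1##*:}" ;;
    *)   printf '%s\n' 445 ;;
  esac
}

# Walk the configured list and report, in order, what would happen to each entry.
check_dc_list() {
  n=0
  parse_password_server "$1" | while IFS= read -r entry; do
    n=$((n + 1))
    if [ "$entry" = "*" ]; then
      echo "$n. *: DC auto-discovery via DNS SRV (remaining DCs appended here)"
      continue
    fi
    host=$(entry_host "$entry"); port=$(entry_port "$entry")
    if ! getent hosts "$host" >/dev/null 2>&1; then
      echo "$n. $entry: does not resolve; check /etc/resolv.conf or /etc/hosts"
    elif nc -z -w "$PROBE_TIMEOUT" "$host" "$port" >/dev/null 2>&1; then
      echo "$n. $entry: reachable on tcp/$port"
    else
      echo "$n. $entry: tcp/$port unreachable; smbd falls through to entry $((n + 1))"
    fi
  done
}

# After restarting winbind: confirm the machine trust account still works and
# which DC winbind actually connected to, so the configured order can be
# compared with reality.
winbind_dc_status() {
  wbinfo -t || echo "trust secret check failed"
  wbinfo --ping-dc || echo "current DC does not answer"
  # --dc-info prints the name and address of the DC winbind uses for the domain
  wbinfo --dc-info="${1:-$(wbinfo --own-domain)}"
}

# Only act when invoked with a file argument, so the functions can also be sourced:
#   sh pwsrv_check.sh /etc/samba/smb.conf [--winbind]
if [ $# -ge 1 ]; then
  echo "password server order from $1:"
  check_dc_list "$1"
  if [ "${2:-}" = "--winbind" ]; then winbind_dc_status; fi
fi
```

Run it against the production smb.conf after editing and before restarting the services: an entry that does not resolve or answer is exactly the one that will cost a timeout on every authentication that reaches it, and the --winbind report shows whether the DC winbind picked matches the intended priority.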
7.14.2. Kerberos Configuration
To carry out this configuration, edit the file /etc/krb5.conf and, inside the block for our realm in the [realms] section, look for the variables “kdc” and “admin_server”. Either an IP address or a hostname can be used for these servers, and each variable may be listed more than once.
When several Key Distribution Centers (KDCs) are listed in krb5.conf, Kerberos clients (including Samba in an Active Directory environment) try them in the order listed, moving on to the next one when a KDC does not answer. This gives redundancy and fail-over, so authentication can proceed even if one KDC is temporarily unavailable.
Warning
Ideally, explicit kdc entries are not needed: with dns_lookup_kdc enabled (the default in MIT Kerberos), the client locates the KDCs through the _kerberos._tcp.REALM DNS SRV records, just as all other hosts in an AD domain do, and krb5.conf does not have to change when domain controllers are added or removed. When kdc lines are present for a realm, they are used instead of DNS discovery for that realm.
Example:
[realms]
MYCOMPANY.COM = {
kdc = dc1.example.com
kdc = 192.168.43.5
admin_server = dc1.example.com
admin_server = 192.168.43.5
}
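To verify that the kdc lines do what the warning above describes, here is an added example, not part of the OpenNAC documentation or of MIT Kerberos: a POSIX shell script that lists the KDCs configured for a realm in the order libkrb5 will try them, resolves and probes each one on its Kerberos port, and, on a joined host, uses MIT Kerberos’ KRB5_TRACE facility to show which KDC is really contacted. The function names (realm_kdcs, probe_kdcs, trace_kdc_selection), the use of nc for the probe, the default port 88, the temporary credential cache path and the assumption that the machine account principal is in the default keytab are this example’s own choices.

```shell
#!/bin/sh
# Added example, not part of the OpenNAC documentation: list the KDCs configured
# for a realm in a krb5.conf in the order libkrb5 will try them, probe each one,
# and (on a joined host) watch which KDC the Kerberos libraries really pick.
# Assumes POSIX sh, awk, getent, nc, and MIT Kerberos tools (kinit, kdestroy).
set -u

# Print the "kdc = ..." values inside the "REALM = { ... }" block of the [realms]
# section of FILE, one per line, in file order. Usage: realm_kdcs FILE REALM
realm_kdcs() {
  awk -v realm="$2" '
    /^[ \t]*\[/ { section = $0; gsub(/[^A-Za-z0-9_]/, "", section); inblock = 0; next }
    {
      line = $0; gsub(/[ \t]/, "", line)      # "kdc = x" -> "kdc=x"
      if (section == "realms" && line == realm "={") { inblock = 1; next }
      if (inblock && line == "}")                     { inblock = 0; next }
    }
    inblock && line ~ /^kdc=/ { sub(/^kdc=/, "", line); print line }
  ' "$1"
}

# Probe each configured KDC on its Kerberos port (88 unless "host:port" is used;
# bracketed IPv6 addresses are not handled). Usage: probe_kdcs FILE REALM [secs]
probe_kdcs() {
  t=${3:-2}
  realm_kdcs "$1" "$2" | while IFS= read -r kdc; do
    host=${kdc%%:*}
    case $kdc in *:*) port=${kdc##*:} ;; *) port=88 ;; esac
    if ! getent hosts "$host" >/dev/null 2>&1; then
      echo "$kdc: name does not resolve (check /etc/resolv.conf)"
    elif nc -z -w "$t" "$host" "$port" >/dev/null 2>&1; then
      echo "$kdc: reachable on tcp/$port"
    else
      echo "$kdc: tcp/$port unreachable; libkrb5 moves on to the next kdc line"
    fi
  done
}

# Show which KDC libkrb5 actually contacts when obtaining a ticket. PRINCIPAL is
# assumed to exist in the default keytab (e.g. the machine account HOST$@REALM
# created by the domain join). The trace names each KDC address resolved and
# sent to, in the order tried; kinit's own error line is kept if it fails.
trace_kdc_selection() {
  KRB5_TRACE=/dev/stderr kinit -k -c /tmp/krb5cc_kdcprobe "$1" 2>&1 \
    | grep -Ei 'resolving|sending|received|kinit' || true
  kdestroy -c /tmp/krb5cc_kdcprobe 2>/dev/null || true
}

# Only act when invoked with arguments, so the functions can also be sourced:
#   sh kdc_check.sh /etc/krb5.conf MYCOMPANY.COM
if [ $# -ge 2 ]; then
  echo "KDC order for realm $2 from $1:"
  probe_kdcs "$1" "$2"
fi
```

Running trace_kdc_selection before and after editing krb5.conf is the quickest way to confirm that the first kdc line is the one being used, and that a DC which is down is skipped rather than stalling the request.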
7.14.3. DNS resolution configuration
To correctly resolve the hostnames defined in the previous configurations, the name resolution servers must be correctly defined in the /etc/resolv.conf file.
Example:
nameserver 192.168.1.7
nameserver 10.21.36.12
options timeout:1
Note
The resolver timeout should be short so that, if a name server is not responding, the next one in the list is tried quickly. The resolver waits “timeout” seconds per query before moving on to the next nameserver (5 seconds by default). A timeout of 1 second is generally sufficient; it can be raised if the name servers are slow to answer.
7.14.4. Restart the Services
After making the configuration changes, restart the Samba services so that smbd and winbindd re-read smb.conf:
systemctl restart smb
systemctl restart winbind
systemctl restart krb5kdc
The third command only applies if the host itself runs a Kerberos KDC. On a domain member that merely authenticates against Active Directory, the krb5kdc unit normally does not exist (the command fails with a “unit not found” error) and it is not needed: /etc/krb5.conf is read by the Kerberos client libraries each time they are used, and restarting winbind is enough for the new KDC list to take effect.