Thursday, August 21, 2014

Authenticate Linux Clients with Active Directory

Project Linux Access Thru AD Authentication
--------------------------------------------------------

AD OS          : Windows 2008 R2
Linux CLIENT OS: CentOS release 6.5
DOMAIN         : autobots.com
AD HOSTNAME    : ad1.autobots.com
LBOX HOSTNAME  : lbox1.autobots.com
--------------------------------------------------------

Step 1. Configure networking so that LBOX can reach your AD server.

Step 2. Configure DNS on LBOX so it can resolve the AD server by name.
Make the entries in /etc/resolv.conf (the AD domain controllers are normally also the DNS servers):
[root@lbox1 Desktop]# cat /etc/resolv.conf
# Generated by NetworkManager
search autobots.com
nameserver 10.0.0.10
nameserver 10.0.0.11

Also create records for the Linux box on the DNS server, forward (A) as well as reverse (PTR); the domain join and Kerberos both depend on the names resolving in both directions.

Check with the commands below (and with dig -x against lbox1's address for the PTR record):
#dig ad1.autobots.com
#dig lbox1.autobots.com

Step 3. Configure NTP on LBOX so that its clock is synchronized with the AD server (syncing to the domain controller itself is the simplest choice).
Note: Kerberos rejects tickets when the clock skew exceeds 5 minutes (the default maximum), so a drifting clock shows up as authentication failures.

Step 4. Install Samba, winbind, the Kerberos client packages, pam_krb5 and oddjob-mkhomedir
#yum -y install samba samba-client samba-common samba-winbind \
samba-winbind-clients krb5* pam_krb5-2.3.11-9.el6.x86_64 oddjob-mkhomedir-0.30-5.el6.x86_64


...output abbreviated...
Installed:
samba.x86_64 0:3.5.10-114.el6_0.2
samba-client.x86_64 0:3.5.10-114.el6_0.2
samba-common.x86_64 0:3.5.10-114.el6_0.2
samba-winbind.x86_64 0:3.5.10-114.el6_0.2
samba-winbind-clients.x86_64 0:3.5.10-114.el6_0.2

...output abbreviated...

Step 5. Now edit /etc/samba/smb.conf so that [global] contains the lines below. security = ads makes Samba authenticate against the domain with Kerberos; the rid idmap backend derives each user's and group's UID/GID arithmetically from its AD RID, so every Linux box using the same range gets the same IDs, while the separate 10000-19999 default range is left for BUILTIN and any other domain; winbind use default domain = yes lets people log in as user1 rather than AUTOBOTS+user1.

[global]
workgroup = AUTOBOTS
password server = AD1.AUTOBOTS.COM
realm = AUTOBOTS.COM
security = ads
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config AUTOBOTS:backend = rid
idmap config AUTOBOTS:range = 10000000-19999999
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash

Restart the samba and winbind services and enable them at boot:

#/etc/init.d/smb restart
#/etc/init.d/winbind restart
#chkconfig smb on
#chkconfig winbind on

winbind cannot talk to the domain until the box has been joined (Step 8), so expect it to log errors until then and restart it once more after the join.
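The rid backend above makes the UID or GID a pure function of the AD RID, which is why every Linux box with the same range sees the same IDs. The following script is an added illustration, not part of the original post: it parses the idmap lines from the smb.conf above (copied in as a constructed string), checks that the two ranges do not overlap, and works the mapping in both directions. The well-known RIDs (Administrator 500, Domain Admins 512, Domain Users 513, Domain Computers 515) are real; the group RID 1105 used in the inverse lookup is hypothetical.

```python
"""Work out how the smb.conf idmap settings above turn AD RIDs into Unix IDs."""
import re

# Constructed copy of the relevant [global] lines from the smb.conf in Step 5.
SMB_CONF = """
[global]
workgroup = AUTOBOTS
realm = AUTOBOTS.COM
security = ads
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config AUTOBOTS:backend = rid
idmap config AUTOBOTS:range = 10000000-19999999
"""

# Well-known RIDs every AD domain has.
WELL_KNOWN_RIDS = {"administrator": 500, "domain admins": 512,
                   "domain users": 513, "domain computers": 515}


def parse_idmap(conf):
    """Return (ranges, backends). The Samba 3.x 'idmap uid/gid' lines are the
    default range, keyed '*', used for BUILTIN and any domain that has no
    'idmap config DOMAIN:range' of its own."""
    ranges, backends = {}, {}
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"idmap (?:uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)$", line)
        if m:
            ranges["*"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = re.match(r"idmap config (\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$", line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = re.match(r"idmap config (\S+)\s*:\s*backend\s*=\s*(\S+)$", line)
        if m:
            backends[m.group(1)] = m.group(2)
    return ranges, backends


def overlapping(ranges):
    """Pairs of ranges that share IDs. An overlap lets two different SIDs
    resolve to the same uid, so this must come back empty."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def rid_to_id(ranges, backends, domain, rid, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID. A RID that lands
    outside the configured range cannot be mapped and that user is invisible."""
    if backends.get(domain) != "rid":
        raise ValueError(f"{domain} is not configured with the rid backend")
    low, high = ranges[domain]
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} -> {unix_id} is outside {low}-{high}")
    return unix_id


def id_to_rid(ranges, domain, unix_id, base_rid=0):
    """Inverse mapping, handy when reading 'id' or 'ls -n' output on the box."""
    low, high = ranges[domain]
    if not low <= unix_id <= high:
        raise ValueError(f"{unix_id} is not in {domain}'s range {low}-{high}")
    return unix_id - low + base_rid


def range_for_id(ranges, unix_id):
    """Name of the range a uid/gid belongs to, or None if winbind never hands
    out that ID (for example a local /etc/passwd account)."""
    for name, (low, high) in ranges.items():
        if low <= unix_id <= high:
            return name
    return None


if __name__ == "__main__":
    ranges, backends = parse_idmap(SMB_CONF)
    assert not overlapping(ranges)
    for group, rid in WELL_KNOWN_RIDS.items():
        print(f"{group:16} RID {rid:4} -> {rid_to_id(ranges, backends, 'AUTOBOTS', rid)}")
    print("gid 10003 belongs to range:", range_for_id(ranges, 10003))
    print("uid 10001105 is RID", id_to_rid(ranges, "AUTOBOTS", 10001105))  # hypothetical RID
```

Domain Users (RID 513) comes out as 10000513, and an ID such as 10003 falls into the default 10000-19999 range, which the tdb allocator uses for BUILTIN and the like; it is not a domain group, which matters for the PAM group check in Step 9.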

Step 6. Now configure the Kerberos client.
Edit /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AUTOBOTS.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
AUTOBOTS.COM = {
 kdc = ad1.autobots.com
 admin_server = ad1.autobots.com
}

[domain_realm]
.autobots.com = AUTOBOTS.COM
autobots.com = AUTOBOTS.COM

Step 7. Test the Kerberos config:
#kinit user1@AUTOBOTS.COM
where user1 is an AD user and AUTOBOTS.COM is the default_realm value in krb5.conf. Realm names are case-sensitive and conventionally upper-case, so be careful.
Enter the password of the AD user user1. If everything is okay, kinit returns silently to the prompt and klist shows the ticket-granting ticket:

#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@AUTOBOTS.COM

Valid starting     Expires            Service principal
08/19/14 16:16:20  08/20/14 02:16:24  krbtgt/AUTOBOTS.COM@AUTOBOTS.COM
renew until 08/26/14 16:16:20

Step 8. Join the domain and test winbind
# net join -S ad1 -U administrator
Enter Administrator's password:
Using short domain name -- AUTOBOTS
Joined 'AUTOBOTS' to realm 'AUTOBOTS.COM'
# net ads testjoin
Join is OK
# net ads info

The join only needs an account that may create computer objects in the target OU, so use a delegated join account rather than Administrator where you can. Restart winbind after the join, then check that it can see the domain's users and groups:

# wbinfo --domain-users
administrator
guest
krbtgt
ad-user11
ad-user12
ad-user21
ad-user22
ad-user31
ad-user32
ad-user41
ad-user42

# wbinfo --domain-groups
domain computers
domain controllers
schema admins
enterprise admins

Step 9. To allow SSH and GUI login on lbox, configure PAM as follows.
Make sure you have a backup of the /etc/pam.d directory first:
root# cp -a /etc/pam.d /etc/pam.d.bak
The relevant lines cover the PAM management groups auth, account and password (session is handled separately below).
Place them in the pam.d file of any service whose access you want AD to control, above that file's "include" lines so pam_winbind is consulted before pam_unix. On CentOS 6, authconfig (--enablewinbind --enablewinbindauth --enablemkhomedir --update) writes equivalent lines into system-auth and password-auth for you.
For SSH, /etc/pam.d/sshd
For GUI, /etc/pam.d/gdm

auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok

And this goes into /etc/pam.d/system-auth (and, on CentOS 6, also /etc/pam.d/password-auth, which is what sshd includes instead of system-auth):

session required pam_mkhomedir.so skel=/etc/skel umask=0077

umask=0077 keeps the new home directories private; 0022 would leave them world-readable. Since oddjob-mkhomedir was installed in Step 4, session optional pam_oddjob_mkhomedir.so umask=0077 (with the oddjobd service running) is the equivalent that also works for services whose PAM stack does not run as root.

Now, all of that sets up your Linux box so that Active Directory domain users can log in with a bash shell into a home directory under /home/DOMAIN/user. It even creates the home directory for any user who does not already have one, provided the service's session stack includes the file you put the mkhomedir line in.

Next, say you want to limit access to the server to users from certain groups. Because winbind maps every AD user and group to a Unix UID and GID, PAM can test AD group membership just as it would for a local group. Replace the account entry in /etc/pam.d/sshd or /etc/pam.d/gdm with:
account required pam_succeed_if.so user ingroup linux-admins

(linux-admins stands for whatever AD group you want to allow; with winbind use default domain = yes the bare group name resolves through winbind.) Two details matter here. The control flag must be required (or requisite), not sufficient: a sufficient module that fails is simply skipped and the stack moves on to pam_winbind, whose account check passes any domain user, so a line such as account sufficient pam_succeed_if.so gid = 10003 restricts nothing. And test membership with user ingroup rather than gid =: gid matches only the user's primary group, and with the rid backend configured above a domain group's GID is 10000000 plus its RID (Domain Users, RID 513, becomes 10000513), so a GID of 10003 falls in the default 10000-19999 range and is not a domain group at all. Bear in mind that a required pam_succeed_if line in the account stack applies to local accounts too, so exempt them (or keep console access) before you lock yourself out. The alternative that affects only domain logins is pam_winbind's own option on the auth line: auth sufficient pam_winbind.so require_membership_of=<group SID or name>.
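To make the control-flag point concrete, here is an added example (not from the original post) that simulates how Linux-PAM walks a stack and runs three variants of the group restriction over a small constructed user table: the account line as posted, a required ingroup line, and pam_winbind's require_membership_of on the auth line. The user table, the group name linux-admins and the module behaviours are simplifications standing in for what winbind and pam_unix would really return; GIDs follow the rid mapping from Step 5 (10000000 + RID).

```python
"""Simulate Linux-PAM stack evaluation to show why the control flag on
pam_succeed_if decides whether an AD group restriction actually restricts."""

SUCCESS, DENIED, IGNORE = "success", "denied", "ignore"

# Constructed stand-in for what NSS/winbind would return. GIDs follow the rid
# backend from smb.conf (10000000 + RID); 'linux-admins' is a hypothetical group.
USERS = {
    "ad-user11": {"gid": 10000513, "groups": {"domain users", "linux-admins"}},
    "ad-user12": {"gid": 10000513, "groups": {"domain users"}},
    "localbob":  {"gid": 500, "groups": {"localbob"}, "local": True},
}


def pam_succeed_if(user, cond):
    """Two pam_succeed_if(8) tests: 'gid = N' looks at the primary group only,
    'user ingroup NAME' accepts any supplementary group."""
    if cond.startswith("gid = "):
        return SUCCESS if USERS[user]["gid"] == int(cond[6:]) else DENIED
    if cond.startswith("user ingroup "):
        return SUCCESS if cond[13:] in USERS[user]["groups"] else DENIED
    raise ValueError(cond)


def pam_winbind_account(user, _args):
    """Domain accounts pass; local accounts are unknown to winbind (ignored)."""
    return IGNORE if USERS[user].get("local") else SUCCESS


def pam_winbind_auth(user, args):
    """Password check for domain users; with require_membership_of=NAME a
    domain user outside NAME is refused. Local users are unknown (ignored)."""
    if USERS[user].get("local"):
        return IGNORE
    want = args.partition("require_membership_of=")[2]
    return SUCCESS if not want or want in USERS[user]["groups"] else DENIED


def pam_unix_auth(user, _args):
    """Only local accounts have a shadow entry to check a password against."""
    return SUCCESS if USERS[user].get("local") else DENIED


def run_stack(stack, user):
    """Simplified Linux-PAM semantics for the four classic control flags:
      required   failure is remembered but the rest of the stack still runs
      requisite  failure ends the stack immediately
      sufficient success ends the stack (unless a required module already
                 failed); failure is silently skipped
      optional   never decides the outcome here
    An IGNORE result never influences the outcome, and a stack that reaches
    the end without a failure succeeds (the trailing pam_permit in system-auth)."""
    failure = None
    for control, module, args in stack:
        result = module(user, args)
        if result == IGNORE or control == "optional":
            continue
        if control == "required" and result != SUCCESS and failure is None:
            failure = result
        elif control == "requisite" and result != SUCCESS:
            return result
        elif control == "sufficient" and result == SUCCESS and failure is None:
            return SUCCESS
    return failure or SUCCESS


# The account line as posted: a non-member just falls through to pam_winbind.
ACCOUNT_AS_POSTED = [
    ("sufficient", pam_succeed_if, "gid = 10003"),
    ("sufficient", pam_winbind_account, ""),
]
# required + ingroup really restricts, but note it also hits local accounts.
ACCOUNT_REQUIRED = [
    ("required", pam_succeed_if, "user ingroup linux-admins"),
    ("sufficient", pam_winbind_account, ""),
]
# Restricting at auth time via pam_winbind leaves local accounts untouched.
AUTH_RMO = [
    ("sufficient", pam_winbind_auth, "require_membership_of=linux-admins"),
    ("required", pam_unix_auth, ""),
]


def decisions(stack):
    """Outcome of a stack for every user in the constructed table."""
    return {user: run_stack(stack, user) for user in USERS}


if __name__ == "__main__":
    for name, stack in [("as posted", ACCOUNT_AS_POSTED),
                        ("required ingroup", ACCOUNT_REQUIRED),
                        ("require_membership_of", AUTH_RMO)]:
        print(f"{name:22} {decisions(stack)}")
```

Running it shows the stack as posted admitting every user, the required ingroup stack denying ad-user12 but also localbob, and the require_membership_of variant denying only the domain user who is not in the group.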

Kerberos errors:
http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml

PAM entries:
https://blogs.oracle.com/tkblog/entry/integrating_linux_with_active_directory