Adding Linux Workstations to Active Directory 2003

1. Introduction

What is this document about? This document is meant to help you integrate your Linux machines into an existing Active Directory 2003 setup, so that authentication and user information are centralized in AD.

2. Requirements

For this to work you will have to install the following packages, in the order shown below.

On the Active Directory server:
a) Windows Services for UNIX (SFU) 3.5 or later (its schema extension adds the msSFU30* Unix attributes used below)
On the Linux clients:
a) PAM
b) Kerberos (client and libraries)
c) LDAP client libraries
d) nss_ldap (the PADL module that reads /etc/ldap.conf; pam_ldap shares that file)
3. Getting started

Install the Kerberos client and library. You should now have an /etc/krb5.conf; if you do not, create it:
#touch /etc/krb5.conf
Edit the new file and adapt the example below to your organization's setup:
[libdefaults]
    clockskew = 300
    default_realm = ADTEST.LOCAL

[realms]
    ADTEST.LOCAL = {
        kdc = linuxad.adtest.local
        default_domain = ADTEST.LOCAL
        kpasswd_server = linuxad.adtest.local
    }

[domain_realm]
    .ADTEST.LOCAL = ADTEST.LOCAL
    ADTEST.LOCAL = ADTEST.LOCAL
First, notice the capital letters. You MUST keep the realm name CAPITALIZED: Kerberos realm names are case-sensitive, and an Active Directory realm is the DNS domain name in upper case, so adtest.local will not match ADTEST.LOCAL.

Explanation: ADTEST.LOCAL is the Active Directory domain; linuxad.adtest.local is the machine running the domain controller, which is also the KDC. clockskew = 300 is the largest clock difference (in seconds) tolerated between this machine and the DC; keep the workstation's clock in sync with the DC, or kinit will fail with a "Clock skew too great" error.

Testing it: to check whether Kerberos authentication is working, run the following:
#kinit usernameFromAD
After you run this you should see something similar to this:
Password for usernameFromAD@ADTEST.LOCAL:
Type in the password. If everything went as it should, you now have a ticket for that user. To check this, type:
#klist
You should see something similar to:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: usernameFromAD@ADTEST.LOCAL

Valid starting     Expires            Service principal
08/19/05 15:56:41  08/20/05 01:56:43  krbtgt/ADTEST.LOCAL@ADTEST.LOCAL
        renew until 08/20/05 15:56:41
If you see this then congratulations, Kerberos authentication is working. Now install the LDAP client libraries and nss_ldap. Once you have done that you should have a file called /etc/ldap.conf (NOTE: the location may vary across distributions; this is the nss_ldap/pam_ldap configuration file, not the OpenLDAP client's ldap.conf, which usually lives under /etc/openldap/). Do the following:
#mv /etc/ldap.conf /etc/ldap.conf.orig
#touch /etc/ldap.conf
Now edit the new /etc/ldap.conf and put the following in it:
host IP.OF.YOUR.SERVER
base cn=Users,dc=adtest,dc=local
binddn cn=directory,cn=Users,dc=adtest,dc=local
bindpw directory
scope sub
ssl no
nss_base_passwd cn=Users,dc=adtest,dc=local?sub
nss_base_shadow cn=Users,dc=adtest,dc=local?sub
nss_base_group cn=Users,dc=adtest,dc=local?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
pam_groupdn cn=student,dc=adtest,dc=local
pam_password ad
Explanation: first make sure that host is set to the IP address of your AD server (its DNS name also works, and is required if you later turn on TLS). Next, change cn=Users to whatever container holds your users in your organization (e.g. cn=LinuxUsers). NOTE: stay away from spaces in the DNs; the ldap.conf parser does not like them. Make that change throughout the file, not just at the top, and keep the dc= part identical in every DN (dc=adtest,dc=local for the domain adtest.local); a DN with the wrong suffix simply makes those lookups return nothing.

Next, binddn cn=directory,cn=Users,dc=adtest,dc=local. In this line change cn=directory to an account that does not have any privileges on the network. This is the account nss_ldap binds as to search the user database, so it does not have to be an administrator or anything like that; it can be an extremely locked-down, read-only account. Keep in mind that nss_ldap is loaded into every process that looks up a user, so /etc/ldap.conf has to stay world-readable and every local user can read this account's password; that, together with ssl no (all lookups and this password cross the network in clear text), is why the account must not be able to do anything beyond reading.

Last thing, bindpw directory: change "directory" to whatever password you have set for the above-mentioned account. In my case the user/password is directory/directory.

pam_groupdn cn=student,dc=adtest,dc=local restricts logins to members of that group, and pam_password ad selects pam_ldap's Active Directory password-change method; both are only honoured when pam_ldap is part of the PAM stack. nss_ldap itself only takes effect once /etc/nsswitch.conf lists ldap for the passwd, shadow and group databases (e.g. passwd: files ldap).

Configuring PAM. Go under /etc/pam.d and do:
#mv /etc/pam.d/login /etc/pam.d/login.orig
#touch /etc/pam.d/login
Now edit /etc/pam.d/login and put the following in there:
auth     requisite  pam_securetty.so
auth     requisite  pam_nologin.so
auth     required   pam_env.so
auth     required   pam_unix.so
account  required   pam_access.so
account  required   pam_unix.so
session  required   pam_motd.so
session  required   pam_limits.so
session  optional   pam_mail.so dir=/var/mail standard
session  optional   pam_lastlog.so
session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  required   pam_unix.so
password required   pam_unix.so md5 shadow
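Before trying the login, it is worth checking what nss_ldap actually hands back for an AD account (getent passwd <user> and id <user> show it once nsswitch.conf lists ldap). The script below is an added example and not part of the original document: it validates passwd lines in the form getent prints them and looks for uid clashes with local accounts. The user names, uid values and local passwd lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks on what nss_ldap
# returns for an AD account. Feed real data with "getent passwd <user>" or use
# the constructed samples at the bottom.

# check_posix_entry LINE: validates one passwd(5) line as "getent passwd user"
# prints it. Returns 0 if sane; otherwise prints why and returns the number of
# problems. The uid/gid 0 test matters most: msSFU30UidNumber is whatever was
# typed into the Unix tab in AD, and a value of 0 would make that account root
# on every workstation that uses this configuration.
check_posix_entry() {
    printf '%s\n' "$1" | awk -F: '
    NF != 7 { print "malformed entry (" NF " fields, expected 7): " $0; bad++; next }
    $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
        print $1 ": uid/gid not numeric (Unix attributes missing or not mapped)"; bad++; next }
    $3 == 0 || $4 == 0 {
        print $1 ": REFUSE, maps to uid/gid 0 (root) through msSFU30UidNumber/msSFU30GidNumber"; bad++ }
    $6 !~ /^\// { print $1 ": home directory is not an absolute path: " $6; bad++ }
    $7 !~ /^\// { print $1 ": login shell is not an absolute path: " $7; bad++ }
    END { exit bad + 0 }'
}

# uid_collisions LOCAL_PASSWD: reads AD-backed passwd lines on stdin and reports
# any whose uid is already used by an account in LOCAL_PASSWD (normally
# /etc/passwd). nss_ldap does not check this: getpwuid returns whichever source
# nsswitch.conf lists first, and the kernel only sees the number, so the two
# accounts own each other's files. Returns the number of collisions.
uid_collisions() {
    awk -F: '
    NR == FNR { local[$3] = $1; next }
    ($3 in local) { print $1 " shares uid " $3 " with local account " local[$3]; n++ }
    END { exit n + 0 }' "$1" -
}

# Constructed samples: a minimal local passwd file and three AD-backed entries.
LOCAL_PASSWD=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/sh\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n' > "$LOCAL_PASSWD"

check_posix_entry 'jdoe:x:10001:10000:John Doe:/home/jdoe:/bin/bash' && echo "jdoe: OK"
check_posix_entry 'evil:x:0:0:Evil:/home/evil:/bin/bash' || echo "evil: rejected"
printf 'jdoe:x:10001:10000:John Doe:/home/jdoe:/bin/bash\nbob:x:34:10000:Bob:/home/bob:/bin/bash\n' \
    | uid_collisions "$LOCAL_PASSWD" || echo "collision found"
rm -f "$LOCAL_PASSWD"
```

On a real workstation, run it over every mapped account (getent passwd | while read line; do check_posix_entry "$line"; done) after the Unix attributes have been filled in on the AD side, and again whenever someone else edits the Unix tab.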
Save the file and, from a different console (not ssh; if you want ssh logins as well, copy the newly created login file over the PAM service file your sshd uses, /etc/pam.d/sshd or /etc/pam.d/ssh depending on the distribution), try to log in with an Active Directory user. The login should succeed, most likely followed by an error about a missing home directory. That is ok: create the home directory that is set for the user in the Unix tab of Active Directory Users and Computers. That is it. Any AD user with Unix attributes can now log in on that machine, and ssh into it, without problems.

One thing to be clear about before relying on this: the stack above authenticates with pam_unix. pam_unix obtains the account's password hash through nss_ldap's shadow map (userPassword mapped to msSFU30Password) and compares it locally. Neither pam_krb5 nor pam_ldap is in the stack, so the kinit test above proves the Kerberos configuration but is not the path login takes, and the pam_* settings in ldap.conf (pam_groupdn, pam_password ad) are not in effect. It also means that, if login works, the bind account from ldap.conf can read the password hashes of every mapped account; because ldap.conf is world-readable, so can every local user, and with ssl no those hashes cross the network in clear text.

4. Issues/Drawbacks

The biggest drawback is that, for the moment, I have not been able to figure out how to let users change their passwords from the Linux workstations. With the stack above, passwd goes through pam_unix's password module, which only writes /etc/shadow and has no way to update the hash stored in AD. This means that users will not be able to use "passwd" to change their passwords and will have to use a Windows machine for this, or have their passwords reset manually by an administrator. I am still looking into whether LDAP/PAM can do this natively, but so far I have not had much luck.

Another issue is that the home directories must exist for the users. pam_mkhomedir is in the session stack above and is meant to create them on first login; if it does not, check that the parent of the home directory from the Unix tab (e.g. /home) exists and that /etc/skel is present. Again, I have not been able to get this working properly.

LDAP access control lists. An administrator can use those to limit who can view the information returned by LDAP queries. Again, I have yet to get them working. Here is an example of what I have in my ldap.conf file:
access to attr=userPassword
    by self write
    by dn.base="cn=Admins,dc=adtest,dc=local" write
    by * none
access to *
    by self write
    by dn.base="cn=Admins,dc=adtest,dc=local" write
    by * none
These "access to" lines are access control directives in the syntax of an OpenLDAP server's slapd.conf, and they only mean something to slapd. nss_ldap's /etc/ldap.conf is a client-side file and ignores them, and Active Directory does not read them either, which is why they have no effect here. Who may read which attributes in AD is decided by the permissions on the directory objects themselves, managed on the Windows side.

Last issue: the credentials needed for querying. You have to put at least one account into ldap.conf to be able to query the AD server at all. Even though it can be a nobody on your network, it is still a credential, sitting in a world-readable file and, with ssl no, travelling in clear text. I do not think there is a way around having the account with nss_ldap; what you can do is give it a dedicated, read-only identity and turn on TLS (ssl start_tls with tls_cacertfile in ldap.conf) so that its password is at least not readable on the wire.
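The weak points discussed in this section and in the ldap.conf explanation above (cleartext LDAP, the bind password in a world-readable file, DNs with mismatched suffixes) can be checked mechanically. The audit below is an added example, not part of the original document; the IP address 192.0.2.10, the CA file path /etc/ssl/certs/adtest-ca.pem and both sample files are constructed, and the hardened version assumes the domain controller has a server certificate installed so that STARTTLS works.

```shell
#!/bin/sh
# Added example (not from the original page): audit an nss_ldap/pam_ldap
# /etc/ldap.conf for the weak settings discussed on this page. Reads the file
# on stdin ("audit_ldap_conf < /etc/ldap.conf"), prints one line per finding,
# and returns the number of findings (0 = nothing flagged).
audit_ldap_conf() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    { key = $1; $1 = ""; val = $0; sub(/^[ \t]+/, "", val) }
    key == "ssl"            { ssl = val }
    key == "bindpw"         { bindpw = 1 }
    key == "tls_cacertfile" { cacert = 1 }
    key == "host"           { host = val }
    # every DN-valued setting: the dc= components must agree across the file
    key ~ /^(base|binddn|rootbinddn|pam_groupdn|nss_base_passwd|nss_base_shadow|nss_base_group)$/ {
        dn = val; sub(/\?.*$/, "", dn)                 # drop the "?sub" scope suffix
        n = split(dn, parts, ",")
        suffix = ""
        for (i = 1; i <= n; i++)
            if (parts[i] ~ /^dc=/) suffix = (suffix == "" ? parts[i] : suffix "," parts[i])
        suffixes[suffix] = suffixes[suffix] (suffixes[suffix] == "" ? "" : " ") key
    }
    END {
        if (ssl == "" || ssl == "no" || ssl == "off") {
            print "cleartext LDAP (ssl " (ssl == "" ? "unset" : ssl) "): the bind password, every lookup and the msSFU30Password hashes cross the wire unencrypted; use \"ssl start_tls\" plus tls_cacertfile"
            findings++
        } else if (!cacert) {
            print "TLS without tls_cacertfile: the DC certificate is not verified, so the connection can be intercepted"
            findings++
        }
        if (bindpw) {
            print "bindpw in ldap.conf: nss_ldap needs this file world-readable, so every local user can read the password; keep that account read-only and unprivileged"
            findings++
        }
        if (host ~ /^[0-9.]+$/ && ssl != "" && ssl != "no" && ssl != "off") {
            print "host is an IP address: TLS hostname verification against the DC certificate will fail; use the DC DNS name"
            findings++
        }
        c = 0
        for (s in suffixes) c++
        if (c > 1) {
            print "DN suffixes disagree across settings (a typo in one DN makes those lookups silently return nothing):"
            for (s in suffixes) print "    " s "  <- " suffixes[s]
            findings++
        }
        exit findings + 0
    }'
}

# Constructed sample in the shape of the page's ldap.conf, with one DN
# deliberately given a different suffix (dc=linuxad inserted) to exercise the
# consistency check.
WEAK_SAMPLE='host 192.0.2.10
base cn=Users,dc=linuxad,dc=adtest,dc=local
binddn cn=directory,cn=Users,dc=adtest,dc=local
bindpw directory
scope sub
ssl no
nss_base_passwd cn=Users,dc=adtest,dc=local?sub
nss_base_shadow cn=Users,dc=adtest,dc=local?sub
nss_base_group cn=Users,dc=adtest,dc=local?sub
pam_groupdn cn=student,dc=adtest,dc=local'

# The same file hardened: STARTTLS with the DC certificate verified against the
# issuing CA (the path is an assumption), the DC DNS name so the certificate can
# be checked, and consistent DNs. The bind account still has to be in the file,
# which is the one finding the audit keeps reporting.
HARDENED_SAMPLE='host linuxad.adtest.local
base cn=Users,dc=adtest,dc=local
binddn cn=directory,cn=Users,dc=adtest,dc=local
bindpw directory
scope sub
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/adtest-ca.pem
nss_base_passwd cn=Users,dc=adtest,dc=local?sub
nss_base_shadow cn=Users,dc=adtest,dc=local?sub
nss_base_group cn=Users,dc=adtest,dc=local?sub
pam_groupdn cn=student,dc=adtest,dc=local'

echo "== weak =="
printf '%s\n' "$WEAK_SAMPLE" | audit_ldap_conf || echo "$? finding(s)"
echo "== hardened =="
printf '%s\n' "$HARDENED_SAMPLE" | audit_ldap_conf || echo "$? finding(s)"
```

The weak sample produces three findings and the hardened one produces one: the bind password, which with nss_ldap cannot be taken out of the world-readable file, only protected in transit and limited to a read-only account.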