Configure SLED 10 Single Sign-On LDAP / Kerberos Authentication to Active Directory on Windows Server 2003
HOW TO: Configure SUSE Linux Enterprise Desktop ( SLED ) 10 Single Sign-On LDAP / Kerberos Authentication to Active Directory on Windows Server 2003 R2 with UID/GID mapping via LDAP.
Example:
SUSE Linux Enterprise Desktop ( SLED ) 10 Single Sign-On LDAP / Kerberos Authentication to Active Directory on Windows Server 2003 R2
- On your Windows Server 2003 R2 Domain Controller – enable “Identity Management for UNIX” via Add/Remove Programs > Add Windows Components > Active Directory Services > Identity Management for UNIX (reboot required)— this will add a UNIX Properties tab to each user account in AD Users and Computers that will allow you to control the user UID, primary group GID, NIS Server setting, and user shell setting (e.g. /bin/bash).
- Create a user in active directory to use for authenticating via LDAP from the SLED 10 client.. make this user a member of Domain Guests to avoid any security problems imposed by having the password in the ldap.conf file. Example: In the ldap.conf example below, the the LDAP query user is called <linux-ldap-user> and the password for the user is included as the bindpw.
- For any user that will be logging into the SLED 10 client machine, modify the “UNIX Attributes” tab for their specific user account in Active Directory. Do this via the Users and Computers snap-in – add a unique UID for the user, set their primary linux group, set the home folder, and set the default shell.
- On the SLED 10 client setup your config files as follows – see the file comment headers for the file names and locations (replace items such as “domain.com” with settings specific to your environment):
######################################## # /etc/hosts ######################################## # Syntax: # # IP-Address Full-Qualified-Hostname Short-Hostname # 127.0.0.1 localhost 10.10.10.1 WINDOWS-DC-HOSTNAME.DOMAIN.COM WINDOWS-DC-HOSTNAME # special IPv6 addresses ::1 localhost ipv6-localhost ipv6-loopback fe00::0 ipv6-localnet ff00::0 ipv6-mcastprefix ff02::1 ipv6-allnodes ff02::2 ipv6-allrouters ff02::3 ipv6-allhosts 127.0.0.2 client-hostname.DOMAIN.COM client-hostname
################################################### #krb5.conf for connecting with Windows Server 2003# ################################################### [logging] kdc = FILE:/var/log/krb5/krb5kdc.log admin_server = FILE:/var/log/krb5/kadmind.log default = SYSLOG:NOTICE:DAEMON [libdefaults] ticket_lifetime = 24000 default_realm = DOMAIN.COM default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5 [realms] AIRBIQUITY.COM = { kdc = windows-dc-hostname.domain.com admin_server = windows-dc-hostname.domain.com default_domain = DOMAIN.COM } [domain_realm] .domain.com = DOMAIN.COM domain.com = DOMAIN.COM
############################################################### ##custom ldap.conf for connecting with Server 2003 R2 ############################################################### host 10.10.10.1 base dc=domain,dc=com uri ldap://windows-dc-hostname.domain.com/ binddn cn=linux-ldap-user,cn=Users,dc=domain,dc=com bindpw ldap-user-passwd scope sub bind_timelimit 15 timelimit 15 ssl no referrals no nss_base_passwd dc=domain,dc=com?sub nss_base_shadow dc=domain,dc=com?sub nss_base_group dc=domain,dc=com?sub?&(objectCategory=group)(gidnumber=*) nss_map_objectclass posixAccount user nss_map_objectclass shadowAccount user nss_map_objectclass posixGroup group nss_map_attribute gecos cn nss_map_attribute homeDirectory unixHomeDirectory nss_map_attribute uniqueMember member nss_initgroups_ignoreusers root,ldap
################################################### # /etc/nsswitch.conf ################################################### # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Legal entries are: # # compat Use compatibility setup # nisplus Use NIS+ (NIS version 3) # nis Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # [NOTFOUND=return] Stop searching if not found so far # # For more information, please read the nsswitch.conf.5 manual page. # passwd: files ldap shadow: files ldap group: files ldap hosts: files dns wins networks: files dns services: files protocols: files rpc: files ethers: files netmasks: files netgroup: files nis publickey: files bootparams: files automount: files nis aliases: files
################################################################################ ## /etc/ntp.conf file ## ## Sample NTP configuration file. ## See package 'ntp-doc' for documentation, Mini-HOWTO and FAQ. ## Copyright ? 1998 S.u.S.E. GmbH Fuerth, Germany. ## ## Author: Michael Andres, <ma@suse.de> ## ################################################################################ ## ## Radio and modem clocks by convention have addresses in the ## form 127.127.t.u, where t is the clock type and u is a unit ## number in the range 0-3. ## ## Most of these clocks require support in the form of a ## serial port or special bus peripheral. The particular ## device is normally specified by adding a soft link ## /dev/device-u to the particular hardware device involved, ## where u correspond to the unit number above. ## ## Generic DCF77 clock on serial port (Conrad DCF77) ## Address: 127.127.8.u ## Serial Port: /dev/refclock-u ## ## (create soft link /dev/refclock-0 to the particular ttyS?) ## # server 127.127.8.0 mode 5 prefer ## ## Undisciplined Local Clock. This is a fake driver intended for backup ## and when no outside source of synchronized time is available. ## server 127.127.1.0 # local clock (LCL) fudge 127.127.1.0 stratum 10 # LCL is unsynchronized ## ## Outside source of synchronized time ## ## server xx.xx.xx.xx # IP address of server server 10.10.10.1 ## ## Miscellaneous stuff ## driftfile /var/lib/ntp/drift/ntp.drift # path for drift file logfile /var/log/ntp # alternate log file # logconfig =syncstatus + sysevents # logconfig =all # statsdir /tmp/ # directory for statistics files # filegen peerstats file peerstats type day enable # filegen loopstats file loopstats type day enable # filegen clockstats file clockstats type day enable # # Authentication stuff # # keys /etc/ntp.keys # path for keys file # trustedkey 1 2 3 4 5 6 14 15 # define trusted keys # requestkey 15 # key (7) for accessing server variables # controlkey 15 # key (6) for accessing server variables ######################END OF FILE#############################
######################################## # /etc/sudoers file. ####################################### # This file MUST be edited with the 'visudo' command as root. # # See the sudoers man page for the details on how to write a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # Defaults specification # prevent environment variables from influencing programs in an # unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, # CVE-2006-0151) Defaults always_set_home Defaults env_reset # In the default (unconfigured) configuration, sudo asks for the root password. # This allows use of an ordinary user account for administration of a freshly # installed system. When configuring sudo, delete the two # following lines: #Defaults targetpw # ask for the password of the target user i.e. root #ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! # Runas alias specification # User privilege specification root ALL=(ALL) ALL %Domain_Admins All=(ALL)ALL %windows_group_of_your_choice ALL=(ALL)ALL # Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL # Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now
################################################ #/etc/samba/smb.conf file ################################################ # smb.conf is the main Samba configuration file. You find a full commented # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the # samba-doc package is installed. # Date: 2007-02-07 [global] workgroup = DOMAIN-SHORTNAME realm = DOMAIN.COM security = ads encrypt passwords = yes use kerberos keytab = true password server = windows-dc-hostname.domain.com netbios name = client-hostname winbind use default domain = yes winbind separator = + idmap uid = 1000-59999 idmap gid = 1000-59999 winbind enum users = yes winbind enum groups = yes deadtime = 10 winbind cache time = 10 winbind nested groups = yes template homedir = /home/%U template shell = /bin/bash client use spnego = yes socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 idmap backend = ad ldap idmap suffix = dc=domain,dc=com ldap admin dn = cn=Administrator,cn=Users,dc=domain,dc=com ldap suffix = dc=domain,dc=com dns proxy = no domain master = no preferred master = no max log size = 100 log file = /var/log/samba/%m.log printing = cups printcap name = cups printcap cache time = 750 cups options = raw map to guest = Bad User include = /etc/samba/dhcp.conf logon path = \\%L\profiles\.msprofile logon home = \\%L\%U\.9xprofile logon drive = P: usershare allow guests = no [admin] comment = Windows Admin Access path = / valid users = "@Domain_Admins" admin users = "@Domain_Admins" read only = No create mask = 0664 browseable = No inherit permissions = Yes [printers] comment = All Printers path = /var/tmp printable = Yes create mask = 0600 browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/drivers write list = @ntadmin root force group = ntadmin create mask = 0664 directory mask = 0775
##################################### #/etc/samba/smbusers file ##################################### # This file allows you to map usernames from the clients to the server. # Unix_name = SMB_name1 SMB_name2 ... # # See section 'username map' in the manual page of smb.conf for more # information. # # This file is _not_ included in the default configuration as it makes the # usage of an user named administrator impossible. ;root = administrator ;nobody = guest pcguest smbguest # # /etc/pam.d/common-account - authorization settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authorization modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired. # account sufficient pam_krb5.so account required pam_unix2.so # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth required pam_env.so auth sufficient pam_krb5.so auth required pam_unix2.so # # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix2 in combination # with pam_pwcheck. # The "nullok" option allows users to change an empty password, else # empty passwords are treated as locked accounts. # # password required pam_pwcheck.so nullok password required pam_unix2.so nullok use_first_pass use_authtok #password required pam_make.so /var/yp # # /etc/pam.d/common-session - session-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # non-interactive). The default is pam_unix2. # session required pam_limits.so session required pam_unix2.so session required pam_mkhomedir.so umask=0077 skel=/etc/skel
#%PAM-1.0 ###########line above is part of this file################# #/etc/pam.d/su config file ########################################################### #auth sufficient pam_rootok.so auth include common-auth account include common-account password include common-password session include common-session session optional pam_xauth.so
- After making the above configuration file changes run the following commands:
getent passwd (You should only see SLED 10 local users in this listing)
kdestroy (This will destroy any cached Kerberos ticket you have)
kinit domain-admin-user@DOMAIN.COM (This will create a new kerberos ticket for the machine)
klist (Use this to make sure you have a Kerberos Ticket)
net ads join -U domain-admin-user@DOMAIN.COM (This will join the machine to the domain)
/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start
kdestroy —THIS IS IMPORTANT TO ENSURE THE LINUX ROOT CANNOT SURF WINDOWS ADMIN SHARES ON OTHER PCs
getent passwd (The output should now list domain users and their associated UIDs)
getent group (Should output domain groups and GIDs as well as local)
wbinfo -u (Should list domain users)
wbinfo -g (Should list domain groups)
su <windows-domain-user> (should prompt you for the user’s password, create a home dir for them if necessary, and then switch you to the user)
- Add the windows ldap query user to the smbpasswd -w command (not sure this is really needed):
smbpasswd -w <password-for-ldap-query-user-as-in-ldap.conf>
- “Enable” the ntp, smb, and winbind daemons via YaST>System>RunLevel Editor.. these daemons will need to be enabled on startup for everything to work. Also, disable the nscd daemon from startup as it causes problems with winbind.
- After you are able to su to a windows user, reboot the machine and then login to the system as a windows user (with UNIX attribs enabled) to test.
NOTE: If you happen to get yourself locked out of the system, change your nsswitch.conf file to get back in. Simply boot to the SLED 10 installation disc using the “Recover System” option, then issue these commands to change the /etc/nsswitch.conf file back to its original state:
mount -w /dev/hda1 /mnt (where /dev/hda1 is your system partition)
vi /mnt/etc/nsswitch.conf (use vi to remove the “ldap” from passwd, group, and shadow – should only say “files” or “compat” – this makes the machine look only at the local files for authentication)
reboot and then login as root so you can troubleshoot the problem… a good troubleshooting step is to perform a cat /var/log/messages to see what types of errors your machine is encountering.
Environment:
For SuSE Linux Enterprise Desktop (SLED) 10 connecting to at least one Windows Server 2003
R2 Domain Controller with Active Directory and Identity Management for UNIX.
No comments yet