SLES 9 Authentication to Active Directory
Updated – 02/15/2008
We created a Windows 2003 Server, installed Active Directory Services (ADS) on it and named it server.example.com. After that we installed Windows Services for Unix, which can be downloaded from
http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx
After loading Windows Services for Unix we can adjust an existing user, or create a new one, so that it can be used by Linux. Follow the steps below to adjust the user properly.
- Open Active Directory Users and Computers.
- Open the Properties of the user account you would like to activate for Linux authentication. In this example we use geeko as the user.
- Once the properties are open, click on the new UNIX Attributes tab.
- In the NIS Domain: field, select the domain; in this example we chose example.com.
- You may also adjust the other options to suit your own environment. I would suggest setting the Primary group name/GID field to 100 so as to stay with the standard users group in SLES and SLED, unless your standard is something else.
Now that the User has been modified in Active Directory for Authentication to Linux we can move on to the next step.
We then created a SLES 9 SP3 server.
After the installation was done we installed the Samba client and the Kerberos client.
First we configured Samba 3 to authenticate with ADS. smb.conf is the main Samba configuration file. We initially used YaST to set up our Samba client and then went back to smb.conf to make adjustments. You can find a fully commented version at /usr/share/doc/packages/samba/examples/smb.conf.SuSE. It also won't hurt to just copy the one shown here into your configuration:
#/etc/samba/smb.conf
[global]
    winbind separator = +
    winbind cache time = 10
    winbind use default domain = yes
    workgroup = EXAMPLE
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    realm = EXAMPLE.COM
    security = ADS
    template homedir = /home/%U
    template shell = /bin/bash
    password server = server.example.com
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password*%n\n*password:*all*authentication*tokens*updated*successfully
    pam password change = Yes
[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/
[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes
[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775
After the smb.conf file was done we configured the Kerberos client. You can set up the Kerberos client in YaST and it will configure what needs to be configured for you. Here is what the /etc/krb5.conf file looks like. You can also just copy this one and change the relevant entries where needed.
#/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 300
[realms]
    EXAMPLE.COM = {
        # the kdc entry could also be the IP address of the server
        kdc = server.example.com
    }
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
[domain_realm]
    .example.com = EXAMPLE.COM
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
    }
After this was done, edit the /etc/nsswitch.conf file. Here is what the nsswitch.conf file looks like. Again, you can copy the one provided here.
#/etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the /var/db databases
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group:  files nis

passwd:     files winbind
shadow:     files winbind
group:      files winbind

hosts:      files dns
networks:   files dns

services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files
publickey:  files

bootparams: files
automount:  files nis
aliases:    files
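Two things worth checking before starting winbind with the smb.conf and nsswitch.conf above: that no local account in /etc/passwd or /etc/group already uses an id inside the idmap uid/gid range (such an account would share its id with whatever AD user or group winbind maps there), and that passwd, shadow and group in nsswitch.conf all list winbind. The script below is an added example, not part of the original article or of the Samba project; every input file it reads is a constructed sample written to a temporary directory, and the function names (idmap_range, idmap_collisions, nss_missing_winbind) are my own.

```shell
#!/bin/sh
# Added example: sanity checks for the smb.conf idmap ranges and the
# nsswitch.conf winbind entries. All files below are constructed samples.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ADS
    idmap uid = 10000-20000
    idmap gid = 10000-20000
EOF

# A local service account that happens to sit inside the idmap range.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
geeko:x:1000:100:Geeko:/home/geeko:/bin/bash
appsvc:x:15000:15000:App service:/var/lib/appsvc:/bin/false
EOF

cat > "$WORK/group" <<'EOF'
root:x:0:
users:x:100:
appsvc:x:15000:
EOF

# The shadow line is missing winbind, which breaks password checks for AD users.
cat > "$WORK/nsswitch.conf" <<'EOF'
# passwd: files nis
passwd: files winbind
shadow: files
group:  files winbind
hosts:  files dns
EOF

# idmap_range KIND SMBCONF -> prints "LOW HIGH" for "idmap uid" or "idmap gid".
# Samba parameter names are case-insensitive, so the key is lower-cased first.
idmap_range() {
    awk -F= -v key="idmap $1" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == key {
            v = $2; gsub(/[ \t]/, "", v); sub(/-/, " ", v); print v; exit
        }
    ' "$2"
}

# idmap_collisions KIND SMBCONF DBFILE -> prints "name:id" for every entry of a
# passwd- or group-format file whose numeric id (field 3) lies in the idmap range.
idmap_collisions() {
    set -- "$1" "$2" "$3" $(idmap_range "$1" "$2")
    [ -n "$5" ] || return 1
    awk -F: -v lo="$4" -v hi="$5" '
        /^[ \t]*#/ || NF < 3 { next }
        ($3 + 0) >= (lo + 0) && ($3 + 0) <= (hi + 0) { print $1 ":" $3 }
    ' "$3"
}

# nss_missing_winbind NSSWITCH -> prints each of passwd, shadow, group
# that does not list winbind, in that order (nothing when all three do).
nss_missing_winbind() {
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^(passwd|shadow|group):$/ {
            db = $1; sub(/:$/, "", db)
            for (i = 2; i <= NF; i++) if ($i == "winbind") has[db] = 1
        }
        END {
            n = split("passwd shadow group", want, " ")
            for (j = 1; j <= n; j++) if (!has[want[j]]) print want[j]
        }
    ' "$1"
}

echo "uid collisions: $(idmap_collisions uid "$WORK/smb.conf" "$WORK/passwd")"
echo "gid collisions: $(idmap_collisions gid "$WORK/smb.conf" "$WORK/group")"
echo "databases without winbind: $(nss_missing_winbind "$WORK/nsswitch.conf")"
```

On a real host you would point the functions at /etc/samba/smb.conf, /etc/passwd, /etc/group and /etc/nsswitch.conf instead of the sample files; any line printed by idmap_collisions is an account to move out of the range (or a reason to pick a different range) before winbind starts handing out ids.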
Now we can start the winbind daemon, and stop and disable nscd (nscd caches name-service lookups and would get in the way of winbind):
rcwinbind start
rcnscd stop
chkconfig nscd off
After the winbind daemon has been started we need to make sure Kerberos is working properly with the following command:
kinit Administrator@EXAMPLE.COM
After we have verified that Kerberos is working, you can join your server to the domain with the following command:
net ads join -U Administrator
Now see if you can retrieve the domain information with the following commands:
wbinfo -u
wbinfo -g
Some other helpful commands show how the AD users and groups are seen by the system once they come through NSS. If the names you see here carry a domain prefix, you may need to adjust your smb.conf settings (winbind use default domain and winbind separator) and then restart winbind.
getent passwd
getent group
In order for a user to log in we need to edit the /etc/pam.d/login file as follows:
#%PAM-1.0
auth     required   pam_securetty.so
auth     required   pam_env.so
auth     sufficient pam_winbind.so
auth     sufficient pam_unix2.so nullok use_first_pass
auth     required   pam_deny.so
auth     required   pam_nologin.so
account  sufficient pam_winbind.so
account  required   pam_unix2.so
password sufficient pam_winbind.so
password required   pam_pwcheck.so nullok
password required   pam_unix2.so nullok use_first_pass use_authtok
session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0077
#session sufficient pam_unix2.so none # debug or trace
session  sufficient pam_limits.so
Notice the pam_mkhomedir.so line. It creates a home directory on the Linux side if one does not already exist, with umask 077 so that only the user has access to it. The pam_winbind.so lines are what allow authentication against the AD server.
If you will be logging in to the system via ssh, then your /etc/pam.d/sshd file should look as follows:
#%PAM-1.0
auth     sufficient pam_winbind.so
auth     required   pam_unix2.so # set_secrpc
auth     required   pam_nologin.so
auth     required   pam_env.so
account  sufficient pam_winbind.so
account  required   pam_unix2.so
account  required   pam_nologin.so
password sufficient pam_winbind.so use_authtok
password required   pam_pwcheck.so
password required   pam_unix2.so use_first_pass use_authtok
password required   pam_unix2.so use_authtok
session  required   pam_unix2.so none # trace or debug
session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  required   pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session optional pam_resmgr.so fake_ttyname
Again, the changes against the stock file are the pam_winbind.so lines and the pam_mkhomedir.so line.
Now we can try to log in via ssh or on the console with a Windows username, and it should let you in.
If you would like, you can also adjust other PAM services such as sudo or su to use winbind as well. You just need to make the same changes to the corresponding files under /etc/pam.d/.
Another question that will arise is "How do I lock my system down so that only specific groups can log in?", and the answer is simple. Just add the following line to your PAM configuration, either for login or sshd, or both, and you're all set.
account sufficient pam_succeed_if.so gid=10003
This pam_succeed_if.so line only lets authentication succeed if the user's gid matches 10003. You will of course need to change the gid number to fit your needs. Please see the online man page for this PAM module for more details: http://man-wiki.net/index.php/8:pam_succeed_if
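Whether the pam_succeed_if.so line actually shuts out users from other groups depends on its control flag and on the other account lines in the file, so it pays to walk the stack by hand before relying on it. The script below is an added example, not from the original article or from Linux-PAM: it models how Linux-PAM evaluates an account stack (required, requisite, sufficient, optional) against the login file's account section from this page, and it models module results rather than calling real modules (pam_succeed_if.so gid=N succeeds when the user's gid is N, pam_winbind.so succeeds for AD users, pam_unix2.so succeeds for local users). The function name pam_account_result and the two stack variables are my own.

```shell
#!/bin/sh
# Added example: a small model of how Linux-PAM walks an "account" stack,
# so the effect of the control flag on the pam_succeed_if.so line can be
# seen without touching /etc/pam.d. Module outcomes are modelled, not real.

# pam_account_result STACK SOURCE GID -> prints "allow" or "deny"
#   STACK  - account lines, one per line, as in /etc/pam.d/login
#   SOURCE - "winbind" for a user that comes from AD, "files" for a local user
#   GID    - the primary gid of the user being checked
pam_account_result() {
    printf '%s\n' "$1" | awk -v src="$2" -v gid="$3" '
    BEGIN { impression = "none"; req_failed = 0; decided = 0 }
    /^[ \t]*#/ || NF < 3 || $1 != "account" { next }
    {
        control = $2; module = $3; ok = 0
        # modelled module results
        if (module == "pam_succeed_if.so") {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^gid=/) { split($i, kv, "="); if (kv[2] == gid) ok = 1 }
        } else if (module == "pam_winbind.so") {
            ok = (src == "winbind")
        } else if (module == "pam_unix2.so") {
            ok = (src == "files")
        }
        # Linux-PAM control-flag semantics
        if (control == "required" || control == "optional") {
            # success counts unless a required module already failed;
            # a required failure is remembered and the stack keeps going
            if (ok) { if (!req_failed) impression = "allow" }
            else if (control == "required") { req_failed = 1 }
        } else if (control == "requisite") {
            if (ok) { if (!req_failed) impression = "allow" }
            else { print "deny"; decided = 1; exit }
        } else if (control == "sufficient") {
            # success ends the stack at once unless a required module already
            # failed; failure is simply ignored and the next line is consulted
            if (ok && !req_failed) { print "allow"; decided = 1; exit }
        }
    }
    END {
        if (decided) exit
        if (!req_failed && impression == "allow") print "allow"; else print "deny"
    }'
}

# Constructed stacks: the suggested line placed at the top of the account
# section of the login file, first as written, then with "required".
STACK_SUFFICIENT='account sufficient pam_succeed_if.so gid=10003
account sufficient pam_winbind.so
account required   pam_unix2.so'

STACK_REQUIRED='account required   pam_succeed_if.so gid=10003
account sufficient pam_winbind.so
account required   pam_unix2.so'

for flag in SUFFICIENT REQUIRED; do
    eval "stack=\$STACK_$flag"
    echo "$flag: AD user in gid 10003  -> $(pam_account_result "$stack" winbind 10003)"
    echo "$flag: AD user in gid 10005  -> $(pam_account_result "$stack" winbind 10005)"
    echo "$flag: local user in gid 100 -> $(pam_account_result "$stack" files 100)"
done
```

Running it shows the difference: with sufficient, an AD user in another group is still allowed, because a failed sufficient line is ignored and the following pam_winbind.so line lets the user through; with required, that user is denied, but so is the local user, since the gid test fails for every account that is not in gid 10003. On a console login file that means widening the condition (or keeping a path for local accounts) before switching to required.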
Enjoy!!