SLES 9 Authentication to Active Directory

Updated – 02/15/2008

We created a Windows 2003 Server and installed ADS on it and named it server.example.com. After which we installed Windows Services for Unix

http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx

which can be downloaded from the above site.

After loading Windows Services for Unix we can now adjust a user, or create a new user so that it can be used by Linux. Follow the screen shots below in order to adjust the user properly.

1. Open Active Directory Users and Computers
2. Open the Properties of a User account you would like to activate for Linux Authentication. In this example we use geeko as the user.


Click to view.

3. Once you have properties open we will then need to click on the new UNIX Attributes Tab.


Click to view.

4. Notice the NIS Domain: field, we will need to select the domain from that field, in this example we choose example.com, and modified it according to the screen shot below.


Click to view.

5. You may also choose to adjust the options according to your own environment. I would suggest setting the Primary group name/GID field to 100 so as to stay with the standard users group in SLES and SLED, unless your standard is set to something else otherwise.

Now that the User has been modified in Active Directory for Authentication to Linux we can move on to the next step.

We then created a SLES 9 SP3 server.

After the Installation was done we Installed Samba Client and Kerberos Client.

First We Configured Samba 3 to authenticate with ADS. The configuration file is as follows:

smb.conf is the main samba configuration file. We initially used YaST to setup our Samba Client and then went back to the smb.conf to make adjustments. You can find a full commented version at /usr/share/doc/packages/samba/examples/smb.conf.SuSE. Also it won’t hurt to just copy the one I have here into your configuration.

#/etc/samba/smb.conf
[global]
        winbind separator = +
        winbind cache time = 10
        winbind use default domain = yes
        workgroup = EXAMPLE
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = EXAMPLE.COM
        security = ADS
        template homedir = /home/%U
        template shell = /bin/bash
        password server = server.example.com
	  unix password sync = Yes
	  passwd program = /usr/bin/passwd %u
	  passwd chat = *New*password* %n\n *Retype*new*password*%n\n*password:*all*authentication*tokens*updated*successfully
	  Pam password change = Yes
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

		

After the smb.conf file was made we configured the Kerberos Client. You can setup the Kerberos Client in YaST and it will setup what needs to be setup for you. Here is what the /etc/krb5.conf file looks like. You can also just copy this one and change the proper entities where needed.

#/etc/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        clockskew = 300
[realms]
EXAMPLE.COM = {
        kdc = server.example.com (could also be ip address)
}
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .example.com = EXAMPLE.COM
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
}

After this was done edit the /etc/nsswitch.conf file. Here is what the nsswitch.conf file looks like. Again, you can copy the one provided here.

#/etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the /var/db databases
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group:  files nis
passwd: files winbind
shadow: files winbind
group:  files winbind
hosts:          files dns
networks:       files dns
services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files

Now we can start the winbind Daemon

rcwinbind start

rcnscd stop
chkconfig nscd off

After the winbind Daemon has been started we will need to make sure kerberos is working properly with the following command.

kinit Administrator@EXAMPLE.COM

After we have verified that kerberos is working you can now join your server to the Domain with the following command.

net ads join -U Administrator

Now see if you can retrieve the Domain Information with the following commands.

wbinfo -u
wbinfo -g

Also some other helpful commands to find out how the users and groups are coming across to the system. Using these commands will show you how the AD users and groups are being seen to the system. If there is something in front of the username or group that you can see here you may need to adjust your smb.conf settings and then restart winbind.

getent passwd
getent group

In order for a user to Login we need to edit the /etc/pam.d/login file as follows:

#%PAM-1.0
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix2.so nullok use_first_pass
auth required pam_deny.so
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_unix2.so
password sufficient pam_winbind.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
#session sufficient pam_unix2.so none # debug or trace
session sufficient pam_limits.so

Notice the highlighted pam_mkhomedir.so line. This helps to create a home directory in Unix if one does not already exists with umask 077 so that only the user has access to it. Also, the highlighted pam_winbind.so will allow the authentication to the AD server.

If you will be logging into the system via ssh then your /etc/pam.d/sshd file should look as follows:

#%PAM-1.0
auth     sufficient     pam_winbind.so
auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
auth     required       pam_env.so
account  sufficient     pam_winbind.so
account  required       pam_unix2.so
account  required       pam_nologin.so
password sufficient     pam_winbind.so use_authtok
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
password required       pam_unix2.so    use_authtok
session  required       pam_unix2.so    none # trace or debug
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  required       pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname

Again notice the changes are highlighted.

Now we can try to login via ssh or the console with a windows username and it should allow you to.

Now if you would like you can also adjust other pam methods such as sudo or su to use winbind as well. You will just need to make the proper changes to the file /etc/pam.d/* as such.

Another question that will arise is “How do I lock my system down to only allowing specific groups to login?” , and the answer is simple. Just add the following line to your pam configuration either for login or sshd, or both, and your all set.

account sufficient pam_succeed_if.so gid=10003

This addition of pam_succeed_if.so pam module will only allow the authentication to succeed if its user matches the gid of 10003. Now of course you will need to change the gid number to fit your needs. Please see the online man pages for this pam module for more details here http://man-wiki.net/index.php/8:pam_succeed_if

Enjoy!!