Integrate Linux into Active Directory

September 09, 2007

Integrate Linux into Active Directory

Introduction
This is mostly based on Scott's weblog, just modify some for Ubuntu and added the winbind part

Enivronment

Ubuntu Server 7.04
Vmware Server
Windows 2003 PDC

Setup Microsoft's Service for Unix 3.5

Download and install Microsoft's Services for Unix 3.5
Accept the standard installation
Where prompted for "security settings", leave both boxes blank
Where prompted for "username mapping" select "Local Username Mapping Server" and subsequently "Network Information Services"
Select the Windows Domain Name
Reboot server when complete

Authentication and Authorization via LDAP
Setup required software

#apt-get install ldap-utils nscd libnss-ldap

We will need a user to bind to Active Directory, you can create a new one or use existing. Here will use "proxyuser". To Test the user can bind to the directory (In default setting in Active Directory, the user container should be "cn=Users,dc=home,dc=local"):

ldapsearch -x -W -D "cn=proxyuser,cn=Users,dc=mydomain" -LLL "(sAMAccountName=proxyuser)"

Edit /etc/libnss-ldap.conf and /etc/pam_ldap.conf. Firstly, backup the original one.

#cp /etc/libnss-ldap.conf /etc/libnss-ldap.conf.old
#cp /etc/pam_ldap.conf /etc/pam_ldap.conf.old

Modified libnss-ldap.conf.

base cn=Users,dc=mydomain
uri ldap://pdc

binddn cn=proxyuser,cn=Users,dc=mydomain
bindpw password
scope sub

nss_base_passwd cn=Users,dc=mydomain?sub
nss_base_shadow cn=Users,dc=mydomain?sub
nss_base_group cn=Users,dc=mydomain?sub

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup Group

nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn

pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad

Links /etc/pam_ldap.conf to /etc/libnss-ldap.conf

#ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf

Edit /etc/nsswitch.conf, add ldap to passwd and group

passwd:    compat ldap
group:     compat ldap

Simple test. If success, you will get the account

#getent passwd

Edit PAM to use LDAP
/etc/pam.d/common-auth

auth sufficient pam_ldap.so minimum_uid=10000
auth required   pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password

password sufficient pam_ldap.so use_first_pass
password required   pam_unix.so nullok obscure min=4 max=8 md5

Authentication via Kerberos, Authorization via LDAP
Setup required software

#apt-get install krb5-clients krb5-user krb5-config

Edit /etc/krb5.conf to access your KDC

[logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN
   dns_lookup_realm = true
   dns_lookup_kdc = true

default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
MYDOMAIN = {  
kdc = pdc.mydomain          
admin_server = pdc.mydomain
   }
[domain_realm]         .mydomain = MYDOMAIN         mydomain = MYDOMAIN

For test kerberos configuration if it works or not, just try

#kinit <userid>@<realm>

If success, klist will show the ticket

#klist

Make use samba to get keytab. Firstly setup it

#apt-get install samba-common smbclient

Edit /etc/samba/smb.conf

workgroup = MYDOMAIN security = ads realm = MYDOMAIN use kerberos keytab = true password server = pdc.mydomain

Get Domain Administrator's Kerberos ticket

#kinit administrator@MYDOMAIN

Join to the Domain

#net ads join -U administrator

If success, computer object will be in AD and keytab will be generated automatically

Edit PAM to use Kerberos
/etc/pam.d/common-auth

auth sufficient pam_krb5.so minimum_uid=10000
auth required   pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-account

account sufficient pam_krb5.so
account required   pam_unix.so

Make Use Winbind for Integration
Setup winbind

apt-get install winbind

Edit /etc/samba/smb.conf

workgroup = MYDOMAIN
security = ads
realm = MYDOMAIN
use kerberos keytab = true
password server = pdc.mydomain
client ntlmv2 auth = yes
client use spnego = yes
domain master = no
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
restrict anonymous = 2
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes

Edit /etc/nsswitch.conf, add winbind to passwd and group

passwd:    compat winbind
group:     compat winbind

Edit PAM to use Winbind
/etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-account

account sufficient pam_winbind.so
account required   pam_unix.so

nscd should not be running while running winbind

Reference

AD bind errors: http://www.willeke.com:9080/wikildap/Wiki.jsp?page=CommonActiveDirectoryBindErrors
Winbind: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
Linux-AD Integration from Scott's weblog: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

Search This Blog

沒腦人

Integrate Linux into Active Directory