Active Directory integration

Active Directory depends entirely on DNS for name resolution. It is imperative that the file is configured with both the correct DNS servers and a domain search suffix. Whether configured via DHCP or static configuration, ensure that these values are correct for your domain. For the example domain configuration, the following contents are appropriate (be sure to replace 192.168.1.1, 192.168.1.2, and internal.domain.tld with appropriate values for your network):

If you elected to install the bind package, you can test DNS configuration with the following commands (be sure to replace server1 and internal.domain.tld with appropriate values for your network):

$ nslookup -type=SRV _kerberos._tcp.internal.domain.tld.
$ nslookup -type=SRV _ldap._tcp.internal.domain.tld.
$ nslookup server1.internal.domain.tld.

You should get output similar to the following (adjust appropriately for only one DC, or more than two):

Server:        192.168.1.1
Address:       192.168.1.1#53

_kerberos._tcp.internal.domain.tld service = 0 100 88 server1.internal.domain.tld.
_kerberos._tcp.internal.domain.tld service = 0 100 88 server2.internal.domain.tld.
...
_ldap._tcp.internal.domain.tld     service = 0 100 389 server1.internal.domain.tld.
_ldap._tcp.internal.domain.tld     service = 0 100 389 server2.internal.domain.tld.
...
Name:   server1.internal.domain.tld
Address: 192.168.1.1

In an Active Directory domain, more specifically for Kerberos ticketing, it is imperative that time is synchronized will all other hosts on the network. A margin of error no more than five minutes is required. For the example domain configuration, an appropriate /etc/ntp.conf file should have the following contents (be sure to replace server1, server2, and internal.domain.tld with appropriate values for your network):

/etc/ntp.conf

# Use your domain's NTP servers 
server '''server1'''.'''internal.domain.tld'''
server '''server2'''.'''internal.domain.tld'''

# Restrictions
restrict default kod limited nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict ::1

# Location of drift file
driftfile /var/lib/ntp/ntpd.drift

Enable and start the unit.

The Samba documentation recommends a minimal Kerberos configuration, with just enough information in the [libdefaults] section to hand off the work of discovering domain details to DNS. Unfortunately, this does not work well in practice. Continuing with the example domain configuration, modify the file with the following contents (be sure to replace instances of INTERNAL, internal.domain.tld, SERVER1, and INTERNAL.DOMAIN.TLD with appropriate values for your network):

A default installation of samba does not ship with an example file. For our example domain configuration, use the following base settings (replace instances of INTERNAL and INTERNAL.DOMAIN.TLD with appropriate values for your network):

If you do not wish to share local printers configured in , then add the following to the [Global] section of the file:

The remainder of the configuration depends on whether your domain supports RFC2307 Unix/NFS Attributes. Consult with your domain administrator if unsure.

Be certain that the values below do not overlap with system values, and that all users have at least the uidNubmer attribute, and that those users' PrimaryGroup has a gid attribute. Append to the following to the the [Global] section of the file (replace INTERNAL with the NetBIOS domain name):

Additionally, if user accounts in AD have a gidNumber attribute, you can use it instead of the RID for the user's Primary Group by appending the following setting (again in the [Global] section):

If your administrator has not extended the AD schema to include the RFC2307 attributes, use the following idmap configuration in the [Global] section of the file (replace INTERNAL with the NetBIOS domain name):

/etc/samba/smb.conf

[Global]
...
   # UID/GID mapping for local users
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # UID/GID mapping for domain users
   idmap config '''INTERNAL''' : backend = rid
   idmap config '''INTERNAL''' : range = 10000-999999

   # Template settings for users
   template shell = /bin/bash
   template homedir = /home/%U

   # Allow offline/cached credentials and ticket refresh
   winbind offline logon = yes
   winbind refresh tickets = yes
...

Verify connectivity by listing the AD domain users and groups that system is aware of:

# wbinfo -u
# wbinfo -g

You should get a list of AD users followed by AD groups.

If you are not familiar with Active Directory, there are a few keywords that are helpful to know.

• Domain : The name used to group computers and accounts.
• SID : Each computer that joins the domain as a member must have a unique SID or System Identifier.
• SMB : Server Message Block.
• NETBIOS: Network naming protocol used as an alternative to DNS. Mostly legacy, but still used in Windows Networking.
• WINS: Windows Information Naming Service. Used for resolving Netbios names to windows hosts.
• Winbind: Protocol for windows authentication.

This section works with the default configuration of Windows Server 2012 R2.

Digital signing is enabled by default in Windows Server, and must be enabled at both the client and server level. For certain versions of Samba, Linux clients may experience issues connecting to the domain and/or shares. It is recommended you add the following parameters to your file:

client signing = auto 
server signing = auto

If that is not successful, you can disable Digital Sign Communication (Always) in the AD group policies. In your AD Group Policy editor, locate:

Under Local policies > Security policies > Microsoft Network Server > Digital sign communication (Always) activate define this policy and use the disable radio button.

If you use Windows Server 2008 R2, you need to modify that in GPO for Default Domain Controller Policy > Computer Setting > Policies > Windows Setting > Security Setting > Local Policies > Security Option > Microsoft network client: Digitally sign communications (always).

Please note that disabling this GPO affects the security of all members of the domain.

The next few steps will begin the process of configuring the Host. You will need root or sudo access to complete these steps.

Install the following packages:

• samba, see also Samba
• ntp or , see also NTPd or OpenNTPD

Active Directory is heavily dependent upon DNS. You will need to update to use one or more of the Active Directory domain controllers:

/etc/resolv.conf

nameserver <IP1>
nameserver <IP2>

Replacing <IP1> and <IP2> with valid IP addresses for the AD servers. If your AD domains do not permit DNS forwarding or recursion, you may need to add additional resolvers.

Read System time#Time synchronization to configure an NTP service.

On the NTP servers configuration, use the IP addresses for the AD servers, as they typically run NTP as a service. Alternatively, you can use other known NTP servers provided the Active directory servers sync to the same stratum.

Ensure that the service is configured to sync the time automatically very early on startup.

Let us assume that your AD is named example.com. Let us further assume your AD is ruled by two domain controllers, the primary and secondary one, which are named PDC and BDC, pdc.example.com and bdc.example.com respectively. Their IP adresses will be 192.168.1.2 and 192.168.1.3 in this example. Take care to watch your syntax; upper-case is very important here.

Now you can query the AD domain controllers and request a kerberos ticket (uppercase is necessary):

You can use any username that has rights as a Domain Administrator.

Run klist to verify you did receive the token. You should see something similar to:

If you get errors stating that /etc/security/pam_winbind.conf was not found, create the file and add the following:

/etc/security/pam_winbind.conf

[global]
  debug = no
  debug_state = no
  try_first_pass = yes
  krb5_auth = yes
  krb5_ccache_type = FILE
  cached_login = yes
  silent = no
  mkhomedir = yes

With this setup, winbind will create user keytabs on the fly (krb5_ccache_type = FILE) at login and maintain them. You can verify this by simply running klist in a shell after logging in as an AD user but without needing to run kinit. You may need to set additional permissions on /etc/krb5.keytab eg 640 instead of 600 to get this to work (see for example)

Samba is a free software re-implementation of the SMB/CIFS networking protocol. It also includes tools for Linux machines to act as Windows networking servers and clients.

In this section, we will focus on getting Authentication to work first by editing the 'Global' section first. Later, we will go back and add shares.

/etc/samba/smb.conf

[Global]
  netbios name = MYARCHLINUX
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  server string = %h Arch Linux Host
  security = ads
  encrypt passwords = yes
  password server = pdc.example.com
  client signing = auto
  server signing = auto

  idmap config * : backend = tdb
  idmap config * : range = 10000-20000

  winbind use default domain = Yes
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind nested groups = Yes
  winbind separator = +
  winbind refresh tickets = yes
  winbind offline logon = yes
  winbind cache time = 300

  template shell = /bin/bash
  template homedir = /home/%D/%U
   
  preferred master = no
  dns proxy = no
  wins server = pdc.example.com
  wins proxy = no

  inherit acls = Yes
  map acl inherit = Yes
  acl group control = yes

  load printers = no
  debug level = 3
  use sendfile = no

You need an AD Administrator account to do this. Let us assume this is named Administrator. The command is 'net ads join'

Hopefully, you have not rebooted yet! Fine. If you are in an X-session, quit it, so you can test login into another console, while you are still logged in.

Enable and start the individual Samba daemons , , and .

Next we will need to modify the NSSwitch configuration, which tells the Linux host how to retrieve information from various sources and in which order to do so. In this case, we are appending Active Directory as additional sources for Users, Groups, and Hosts.

Let us check if winbind is able to query the AD. The following command should return a list of AD users:

• Note we created an Active Directory user called 'test.user' on the domain controller

We can do the same for AD groups:

To ensure that our host is able to query the domain for users and groups, we test nsswitch settings by issuing the 'getent' command.

The following output shows what a stock Arch Linux install looks like:

# getent passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
mail:x:8:12:mail:/var/spool/mail:/bin/false
ftp:x:14:11:ftp:/srv/ftp:/bin/false
http:x:33:33:http:/srv/http:/bin/false
nobody:x:99:99:nobody:/:/bin/false
dbus:x:81:81:System message bus:/:/bin/false
ntp:x:87:87:Network Time Protocol:/var/empty:/bin/false
avahi:x:84:84:avahi:/:/bin/false
administrator:*:10001:10006:Administrator:/home/EXAMPLE/administrator:/bin/bash
guest:*:10002:10007:Guest:/home/EXAMPLE/guest:/bin/bash
krbtgt:*:10003:10006:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
test.user:*:10000:10006:Test User:/home/EXAMPLE/test.user:/bin/bash

And for groups:

# getent group

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin
adm:x:4:root,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon
mem:x:8:
kmem:x:9:
wheel:x:10:root
ftp:x:11:
mail:x:12:
uucp:x:14:
log:x:19:root
utmp:x:20:
locate:x:21:
rfkill:x:24:
smmsp:x:25:
http:x:33:
games:x:50:
network:x:90:
video:x:91:
audio:x:92:
optical:x:93:
floppy:x:94:
storage:x:95:
scanner:x:96:
power:x:98:
nobody:x:99:
users:x:100:
dbus:x:81:
ntp:x:87:
avahi:x:84:
domain computers:x:10008:
domain controllers:x:10009:
schema admins:x:10010:administrator
enterprise admins:x:10011:administrator
cert publishers:x:10012:
domain admins:x:10013:test.user,administrator
domain users:x:10006:
domain guests:x:10007:
group policy creator owners:x:10014:administrator
ras and ias servers:x:10015:
allowed rodc password replication group:x:10016:
denied rodc password replication group:x:10017:krbtgt
read-only domain controllers:x:10018:
enterprise read-only domain controllers:x:10019:
dnsadmins:x:10020:
dnsupdateproxy:x:10021:

Try out some net commands to see if Samba can communicate with AD:

Now we will change various rules in PAM to allow Active Directory users to use the system for things like login and sudo access. When changing the rules, note the order of these items and whether they are marked as required or sufficient is critical to things working as expected. You should not deviate from these rules unless you know how to write PAM rules.

In case of logins, PAM should first ask for AD accounts, and for local accounts if no matching AD account was found. Therefore, we add entries to include into the authentication process.

The Arch Linux PAM configuration keeps the central auth process in . Starting with the stock configuration from , change it like this:

Find the line:

auth required pam_unix.so ...

Delete it, and replace with:

auth [success=1 default=ignore] pam_localuser.so
auth [success=2 default=die] pam_winbind.so
auth [success=1 default=die] pam_unix.so nullok
auth requisite pam_deny.so

Find the line:

account required pam_unix.so

Keep it, and add this below:

account [success=1 default=ignore] pam_localuser.so
account required pam_winbind.so

Find the line:

password required pam_unix.so ...

Delete it, and replace with:

password [success=1 default=ignore] pam_localuser.so
password [success=2 default=die] pam_winbind.so
password [success=1 default=die] pam_unix.so sha512 shadow
password requisite pam_deny.so

Find the line:

session required pam_unix.so

Keep it, and add this line immediately above it:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Below the pam_unix line, add these:

session [success=1 default=ignore] pam_localuser.so
session required pam_winbind.so

In order for logged-in Active Directory users to be able to change their passwords with the 'passwd' command, the file must include the information from system-auth.

Find the line:

password required pam_unix.so sha512 shadow nullok

Delete it, and replace with:

password include system-auth

Now, start a new console session (or ssh) and try to login using the AD credentials. The domain name is optional, as this was set in the Winbind configuration as 'default realm'. Please note that in the case of ssh, you will need to modify the file to allow kerberos authentication .

Both should work. You should notice that /home/example/test.user will be automatically created. Log into another session using an linux account. Check that you still be able to log in as root - but keep in mind to be logged in as root in at least one session!

Earlier we skipped configuration of the shares. Now that things are working, go back to , and add the exports for the host that you want available on the windows network.

In the above example, the keyword NETWORK is to be used. Do not mistakenly substitute this with your domain name. For adding groups, prepend the '@' symbol to the group. Note that is encapsulated in quotes so Samba correctly parses it when reading the configuration file.

This explains how to generate a machine keytab file which you will need e.g. to enable password-free kerberized ssh to your machine from other machines in the domain. The scenario in mind is that you have a bunch of systems in your domain and you just added a server/workstation using the above description to your domain onto which a lot of users need to ssh in order to work - e.g. GPU workstation or an OpenMP compute node, etc. In this case you might not want to type your password every time you log in. On the other hand the key authentication used by many users in this case can not give you the necessary credentials to e.g. mount kerberized NFSv4 shares. So this will help you to enable password-free logins from your clients to the machine in question using kerberos ticket forwarding.

run 'net ads keytab create -U administrator' as root to create a machine keytab file in /etc/krb5.keytab. It will prompt you with a warning that we need to enable keytab authentication in our configuration file, so we will do that in the next step. In my case it had problems when a key tab file is already in place - the command just did not come back it hang ... In that case you should rename the existing /etc/krb5.keytab and run the command again - it should work now.

verify the content of your keytab by running:

Now you need to tell winbind to use the file by adding these lines to the /etc/samba/smb.conf:

 kerberos method = secrets and keytab
 dedicated keytab file = /etc/krb5.keytab

It should look something like this:

Restart the

Check if everything works by getting a machine ticket for your system by running

# kinit MYARCHLINUX$ -kt /etc/krb5.keytab

This should not give you any feedback but running 'klist' should show you sth like:

Some common mistakes here are a) forgetting the trailing $ or b) ignoring case sensitivity - it needs to look exactly like the entry in the keytab (usually you cannot to much wrong with all capital)

All we need to do is add some options to our and restart the .

Edit to look like this in the appropriate places:

Restart the .

First we need to make sure that the tickets on our client are forwardable. This is usually standard but we better check anyways. You have to look for the forwardable option and set it to 'true' in the Kerberos configuration file /etc/krb5.conf

forwardable     =       true

Secondly we need to add the options

 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes

to our file to tell ssh to use this options - alternatively they can be invoked using the options directly in the ssh command (see for help).

On Client:

make sure you have a valid ticket - if in doubt run 'kinit'

then use ssh to connect to you machine

you should get connected without needing to enter your password.

if you have key authentication additionally activated then you should perform

to see which authentication method it actually uses.

For debugging you can enable DEBUG3 on the server and look into the journal using journalctl.

In case your clients are not using domain accounts on their local machines (for whatever reason) it can be hard to actually teach them to kinit before ssh to the workstation. Therefore I came up with a nice workaround:

On a system let the user run:

Now test the file by invoking:

kinit username@EXAMPLE.COM -kt username.keytab

It should not promt you to give your password nor should it give any other feedback. If it worked you are basically done - just put the line above into your ~./bashrc - you can now get kerberos tickets without typing a password and with that you can connect to your workstation without typing a password while being completely kerberized and able to authenticate against NFSv4 and CIFS via tickets - pretty neat.

The file 'username.keytab' is not machinespecific and can therefore be copied around. E.g. we created the files on a linux machine and copied them to our Mac clients as the commands on Macs are different ...

• Wikipedia - Active Directory
• Wikipedia - Samba
• Wikipedia - Kerberos
• Samba - Documentation
• Samba Wiki - Samba, Active Directory & LDAP

can be used instead of Samba to integrate with AD. See SSSD documentation.

• Centrify
• Likewise

• PowerBroker Identity Services Open: formerly Likewise acquired by BeyondTrust
• Centrify Express for Linux