
We utilise both Windows and Linux servers at our software development company.

One of the friction points with this setup is that we don't have a single sign-on solution. Being more of a Microsoft shop than a Linux one we want to authenticate against AD.

I read a couple of articles online and I understand this to be possible.

We are currently using the following services on Linux that require authentication:
- git server (through SSH)
- Sendmail
- Apache web server currently using .htaccess files.
- SAMBA file shares

What I want to know is how practical is this sort of setup? Does it really work or is it error-prone?

Philip Fourie
  • Thanks for the great answers everyone, this gives me a better feeling of what is the experience of this setup out in the real world. This really helps. Selecting the correct answer here is difficult as all of them answer the question. – Philip Fourie May 31 '09 at 07:18
  • Check FreeIPA :) http://www.freeipa.org/ – GioMac Aug 15 '13 at 15:52

5 Answers


It's not hard and it's perfectly practical.

We have a few hundred dual boot desktop machines that use AD auth as well as a number of servers which use AD auth to enable windows clients to use their samba shares without explicit auth by the users.

There was another article on SF about what you need to do.

Basically you need to config kerberos, winbind, nss and pam.

Then you do a kinit and a net ads join and you're up.

You can configure pam to use multiple methods for auth if you want, so if one does not work it will fall back to the next.

We usually use files, winbindd and ldap for servers serving fileshares to windows servers.

If possible I'd use LDAP for account info and winbind strictly for auth, but I believe you can map attributes in I think /etc/ldap.conf if you need to. If you do end up using winbindd for account info it is possible to use the RID (hashing method) to generate uids/gids, but it is also possible to use other methods. We used RIDs on one large fileserver and it has been a real pain, so I'd try and explore one of the other options if possible. In our case all AD users and groups are reflected in LDAP by an upstream IDM system, so we use LDAP for account info on newer servers and use winbind purely for auth.

Jason Tan

Authenticating is absolutely simple using Likewise Open. http://www.likewise.com/products/likewise_open/index.php

Nearly my entire Linux infrastructure has centralized authentication and user management thanks to Likewise Open. It's stunningly simple to install and implement. I cannot possibly say enough good about it.

As a note, UIDs and GIDs are assigned according to a hash function, so they are identical across the entire infrastructure, so NFS mounts work perfectly.

Matt Simmons

I installed Windows Services for Unix and added a user in AD called "Unix Authenticator", then made the following config file changes on the Linux machines:

/etc/ldap.conf:
# Directory server and search base
host ldap.<foo>.com
base cn=Users,dc=<foo>,dc=com
# Proxy account used for NSS lookups
binddn cn=Unix Authenticator,cn=Users,dc=<foo>,dc=com
bindpw <password>
nss_base_passwd cn=Users,dc=<foo>,dc=com?sub
nss_base_shadow cn=Users,dc=<foo>,dc=com?sub
nss_base_group cn=Users,dc=<foo>,dc=com?sub
# Map the RFC 2307 object classes and attributes nss_ldap expects onto the SFU schema
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute cn msSFUName
nss_map_attribute uid msSFUName
nss_map_attribute gid gidNumber
nss_map_attribute gecos sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_attribute uniqueMember Member
pam_login_attribute msSFUName
pam_filter objectclass=user
pam_password ad

/etc/ldap.secret:
<password>

/etc/nsswitch.conf:
passwd: compat ldap
shadow: compat ldap
group: compat ldap

/etc/nsswitch.ldap:
host files dns

/etc/pam.d/system-auth:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_ldap.so use_first_pass use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

Hope this helps.

Scott
  • This is a interesting approach, thanks I will explore this avenue as well. – Philip Fourie May 31 '09 at 07:18
  • 1
    Please don't use pam_ldap for auth (in /etc/pam.d/system-auth) as is. It will send your password in cleartext. You should be using LDAPS or GSSAPI if you want to authenticate via LDAP. You can use LDAP for NSS and Kerberos for authentication if you want to do it securely (see below) – TheFiddlerWins Jan 13 '15 at 16:38
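The comment above points at the real problem with the posted setup: pam_ldap authenticates by doing an LDAP simple bind with the user's password, so without LDAPS or StartTLS the password crosses the network in the clear, and bindpw in a world-readable ldap.conf is visible to every local user. The following is an added example, not code from the answer or its commenter: a small auditor that parses an nss_ldap/pam_ldap ldap.conf and a pam.d file and flags those cleartext paths, run over a cut-down copy of the posted config (with example.com standing in for <foo>, and a made-up password) and then over a hardened variant that follows the comment's advice: TLS on the directory connection with certificate checking, the proxy password moved to /etc/ldap.secret via rootbinddn, and pam_krb5 in place of pam_ldap for the password itself, leaving pam_ldap for account (authorization) only.

```python
"""Audit an nss_ldap/pam_ldap configuration for cleartext credential paths.
Added example; the config texts are constructed from the answer above."""

# Cut-down copy of the posted /etc/ldap.conf (constructed; <foo> -> example.com).
WEAK_LDAP_CONF = """\
host ldap.example.com
base cn=Users,dc=example,dc=com
binddn cn=Unix Authenticator,cn=Users,dc=example,dc=com
bindpw s3cret
pam_login_attribute msSFUName
pam_password ad
"""

# Cut-down copy of the posted /etc/pam.d/system-auth.
WEAK_PAM = """\
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     sufficient /lib/security/pam_ldap.so use_first_pass
auth     required   /lib/security/pam_deny.so
account  sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_ldap.so use_first_pass use_authtok
"""

# Hardened variant: LDAPS with peer verification, proxy password in /etc/ldap.secret
# (rootbinddn), Kerberos for the user's password, pam_ldap for authorization only.
HARDENED_LDAP_CONF = """\
uri ldaps://ldap.example.com
base cn=Users,dc=example,dc=com
rootbinddn cn=Unix Authenticator,cn=Users,dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ad-ca.pem
pam_login_attribute msSFUName
"""

HARDENED_PAM = """\
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_krb5.so use_first_pass
auth     required   pam_deny.so
account  sufficient pam_ldap.so
account  required   pam_unix.so
"""


def parse_ldap_conf(text):
    """'key value' per line, '#' comments; repeated keys (e.g. uri) accumulate."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition(" ")
            conf.setdefault(key.lower(), []).append(val.strip())
    return conf


def transport_protected(conf):
    """True if the LDAP session is TLS-wrapped: 'ssl on' (LDAPS), 'ssl start_tls',
    or every configured uri is ldaps://. A bare 'host' line means port 389 in the clear."""
    ssl = [v.lower() for v in conf.get("ssl", [])]
    if "on" in ssl or "start_tls" in ssl:
        return True
    uris = conf.get("uri", [])
    return bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)


def parse_pam(text):
    """Return (type, control, module basename) for each rule line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            rules.append((parts[0].lower(), parts[1].lower(), parts[2].rsplit("/", 1)[-1]))
    return rules


def audit(ldap_conf_text, pam_text):
    """Return a list of findings; an empty list means no cleartext path was found."""
    conf = parse_ldap_conf(ldap_conf_text)
    findings = []
    protected = transport_protected(conf)
    if not protected:
        findings.append("ldap.conf: LDAP traffic is unencrypted (no 'ssl on', 'ssl start_tls' or ldaps:// uri)")
    if "bindpw" in conf:
        findings.append("ldap.conf: proxy bindpw sits in world-readable ldap.conf; use rootbinddn and /etc/ldap.secret (mode 0600)")
    if protected and conf.get("tls_checkpeer", ["no"])[0].lower() != "yes":
        findings.append("ldap.conf: TLS without 'tls_checkpeer yes' accepts any server certificate")
    for typ, _ctrl, module in parse_pam(pam_text):
        if module == "pam_ldap.so" and typ in ("auth", "password") and not protected:
            findings.append("pam: '%s' uses pam_ldap.so, so the user's password crosses the wire in the clear" % typ)
    return findings


if __name__ == "__main__":
    for name, (ldap_text, pam_text) in {"posted": (WEAK_LDAP_CONF, WEAK_PAM),
                                        "hardened": (HARDENED_LDAP_CONF, HARDENED_PAM)}.items():
        print(name, audit(ldap_text, pam_text) or "OK")
```

Note that the account stanza is left on pam_ldap in the hardened variant on purpose: authorization lookups do not carry the user's password, so they are only a problem over plaintext because of what an attacker can tamper with, not because of what they can read. The auditor reports nothing for them once the transport is TLS with peer checking.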

Got Windows users authenticating against AD, but most of our servers (public drive etc.) are Linux, and they're part of the domain. From a Windows PoV no-one notices. From my side, it feels a bit fruity ssh'ing with my Windows username but that's about the size of it.

Just using plain old Samba.

Tom Newton

You don't need to use Samba, AD supports Kerberos and LDAP directly. There is no reason for you to use any external software on most distributions.

For Debian/Ubuntu you can do it with libnss-ldap and libpam-krb5. There are a few tricks to get it 100%. This assumes you have "unixHomeDirectory" populated for Linux users, your Linux boxes are using NTP common with your Windows systems (required by Kerberos) and that you are OK with plain text NSS lookups (not password but group membership info etc - you can also use TLS but that's more complicated to set up). You should NOT have pam_ldap as a password or auth source in PAM unless you are set up to use TLS.

/etc/ldap.conf

# LDAP Configuration for libnss-ldap and libpam-ldap.
# Permit host to continue boot process without contacting LDAP server
bind_policy soft
# Define LDAP servers to use for queries, these must be Global Catalog servers
uri ldap://ldap.site.company.local
# Define root search location for queries
base dc=company,dc=local
#debug 1
# LDAP version, almost always going to be v3, it is quite mature
ldap_version 3
# Username used to proxy authentication. You can have this in a separate file owned by root for security OR use TLS/SSL (see man page)
# Do NOT use LDAP for authentication if you are using plain text binds, use Kerberos instead (and LDAP for authorization only). See libpam-krb5.
binddn cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
# Password for proxy acct
bindpw SooperSekeretPazzwerd
#  TCP port to perform queries on, 3268 is a Global Catalog port which will reply for all users in *.company.local
port 3268
# Search range scope (sub = all)
scope sub
# Tell the client to close TCP connections after 30 seconds, Windows will do this on the server side anyways, this will prevent errors from showing up in the logs.
idle_timelimit 30
# Expect queries for group membership to return DN for group members instead of usernames (lets you use MSAD group membership seamlessly)
nss_schema rfc2307bis
# Filters - User accounts must have a UID >= 2000 to be recognized in this configuration and must have a unixHomeDirectory defined.
# Machine accounts also carry objectClass=user, so they are excluded explicitly via (!(objectClass=computer)).
nss_base_group dc=company,dc=local?sub?&(objectClass=group)(gidNumber=*)
nss_base_user dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))(uidNumber>=2000)(unixHomeDirectory=*)
nss_base_shadow dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))(uidNumber>=2000)(unixHomeDirectory=*)
# Object Class mappings.  You may want to have the posixAccount to map to "mail" and have users login with their email addresses, i.e.  "nss_map_objectclass posixAccount mail".
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
# Attribute mappings.
nss_map_attribute uniqueMember member
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
# Attribute in LDAP to query to match the username used by PAM for authentication
pam_login_attribute sAMAccountName
# Filter for objects which are allowed to login via PAM
pam_filter objectclass=User

You should not need to edit /etc/krb5.conf assuming your Linux boxes are using DNS servers that know about AD (_msdcs zones with the appropriate SRV records are resolvable)

/etc/nsswitch.conf should have "files ldap" for users, groups, shadow.

For Red Hat using SSSD:

/etc/sssd/sssd.conf

[domain/AD]
# Identity (users/groups) from LDAP, passwords via Kerberos; LDAP is never given the user's password
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Global Catalog port, so one server answers for the whole forest
ldap_uri = ldap://ldap.company.local:3268/
ldap_search_base = dc=company,dc=local
ldap_default_bind_dn = cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
ldap_default_authtok = SooperSekeretPazzwerd
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
enumerate = true
# No TLS on the lookup connection in this setup, so certificate checking is off (see the TLS caveat above)
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_use_start_tls = False
cache_credentials = True
# Kerberos realm is the AD DNS domain in upper case
krb5_realm = SITE.COMPANY.LOCAL
case_sensitive = false

[sssd]
services = nss, pam
config_file_version = 2
domains = AD

[nss]
filter_users = root,named,avahi,nscd
TheFiddlerWins
  • Do you need to change anything on the AD side in this scenario? I remember seeing some "Unix tools for windows" needing to be installed when using SAMBA? – Martin Nielsen Jan 13 '15 at 10:24
  • This solution does not depend on SAMBA, it is using native LDAP/Kerberos. The only reason to use the Unix tools is to get a GUI to edit the POSIX user/group attributes. Even that is not required if you're using SSSD. SAMBA (in Winbind) lets you install software that makes the system emulate a Windows client. The setup above just uses standard LDAP/Kerberos. – TheFiddlerWins Jan 13 '15 at 16:35
  • Argh damn, i wanted to write "ldap/kerberos" i don't know what happened. My fault. But the Unix tools for AD are not actually required for LDAP/Kerberos? – Martin Nielsen Jan 14 '15 at 08:57
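The nss_base_* lines in the answer above are where most of the behaviour lives: the part after the second "?" is an LDAP search filter, and it decides which AD objects ever become Unix users or groups. The following is an added example, not code from the answer: a small RFC 4515 filter evaluator, run over a handful of constructed AD entries, showing why a machine account, a service account below the uid floor, and a user with no POSIX attributes all stay invisible to NSS while a properly populated user and group come through. The directory entries and names (alice, bob, WEB01$, linux-admins) are made up for the example; only the two filter strings are taken from the answer.

```python
"""Evaluate the nss_base_user/nss_base_group filters from the answer above
against constructed AD entries. Added example; entries are not real data."""
import re

# Filter strings as posted in the answer (base?scope?filter, no outer parens).
NSS_BASE_USER = ("dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))"
                 "(uidNumber>=2000)(unixHomeDirectory=*)")
NSS_BASE_GROUP = "dc=company,dc=local?sub?&(objectClass=group)(gidNumber=*)"

_ITEM = re.compile(r"([A-Za-z][\w;.-]*)(>=|<=|=)(.*)")


def split_nss_base(value):
    """nss_base_* values are 'base?scope?filter'."""
    base, scope, flt = value.split("?", 2)
    return base, scope, flt


def parse_filter(text):
    """Parse an RFC 4515 filter into a tuple tree. Supports &, |, !, equality,
    presence (attr=*), >= and <=, which covers everything in the configs here.
    nss_ldap accepts the filter without its outer parentheses, so add them."""
    text = text.strip()
    if not text.startswith("("):
        text = "(%s)" % text
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect_close(s, i)
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", kid), _expect_close(s, i)
    end = s.index(")", i)
    m = _ITEM.fullmatch(s[i:end])
    if not m:
        raise ValueError("bad filter item %r" % s[i:end])
    attr, op, val = m.groups()
    return (op, attr.lower(), val), end + 1


def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def matches(node, entry):
    """entry is {attr_lowercase: [values]}. AD attribute names and the string
    syntaxes used here are case-insensitive, so compare case-folded; >= and <=
    compare as integers (uidNumber/gidNumber are INTEGER syntax)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    op, attr, want = node
    have = entry.get(attr, [])
    if op == "=" and want == "*":                       # presence test
        return bool(have)
    for v in have:
        if op == "=" and v.lower() == want.lower():
            return True
        if op in (">=", "<=") and v.lstrip("-").isdigit() and want.lstrip("-").isdigit():
            if (int(v) >= int(want)) if op == ">=" else (int(v) <= int(want)):
                return True
    return False


def entry(**attrs):
    """Build an entry with lower-cased attribute names and string values."""
    return {k.lower(): [str(x) for x in (v if isinstance(v, (list, tuple)) else [v])]
            for k, v in attrs.items()}


# Constructed directory contents (not real data).
DIRECTORY = [
    entry(sAMAccountName="alice", objectClass=["top", "person", "user"],
          uidNumber=2001, gidNumber=3000, unixHomeDirectory="/home/alice"),
    entry(sAMAccountName="svc-backup", objectClass=["top", "person", "user"],
          uidNumber=1500, unixHomeDirectory="/home/svc-backup"),          # below uid floor
    entry(sAMAccountName="WEB01$", objectClass=["top", "person", "user", "computer"],
          uidNumber=2100, unixHomeDirectory="/home/web01"),              # machine account
    entry(sAMAccountName="bob", objectClass=["top", "person", "user"]),    # no POSIX attrs
    entry(cn="linux-admins", objectClass=["top", "group"], gidNumber=3000,
          member=["CN=alice,OU=Staff,DC=company,DC=local"]),
    entry(cn="Domain Users", objectClass=["top", "group"]),                # no gidNumber
]


def select(nss_base, directory, name_attr):
    """Names of the entries the given nss_base_* line would expose to NSS."""
    _, _, flt = split_nss_base(nss_base)
    tree = parse_filter(flt)
    return sorted(e.get(name_attr.lower(), ["?"])[0] for e in directory if matches(tree, e))


if __name__ == "__main__":
    print("users :", select(NSS_BASE_USER, DIRECTORY, "sAMAccountName"))
    print("groups:", select(NSS_BASE_GROUP, DIRECTORY, "cn"))
```

Two things the run makes concrete. First, machine accounts are objectClass=user in AD, so the (!(objectClass=computer)) term is what keeps WEB01$ out of getent passwd, not the uidNumber floor. Second, the uid floor and the unixHomeDirectory presence test mean an account only becomes a Unix user when someone has deliberately populated its POSIX attributes, which is the control point for who can log in to the Linux side; worth remembering when the same helpdesk tools that create AD users also fill in those attributes by default.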