
Despite multiple questions already about this, e.g. Linux on Windows AD Domain, I'd like to know how to get Debian 6.0 Squeeze integrated with AD using only tools that are open source or otherwise free of charge for commercial use.

EDIT: Only tools that have their (security) updates delivered via apt are acceptable.

So far I have been able to get the actual user authentication to work via Kerberos, e.g. the logs show that the username/password check succeeds, but the user is not able to log in; see the log excerpt below.

EDIT: Log updated with pam debug on:

May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: entry (0x0)
May 12 10:06:33 debian-6-master login[10601]: pam_krb5(login:auth): (user test.linux) attempting authentication as test.linux@AD.DOMAIN
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:account): could not identify user (from getpwnam(test.linux))
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: entry (0x0)
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): (user test.linux) retrieving principal from cache
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:account): pam_sm_acct_mgmt: exit (success)
May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: entry (0x0)
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): (user test.linux) getpwnam failed for test.linux
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:session): pam_sm_open_session: exit (failure)
May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0)
May 12 10:06:36 debian-6-master login[10601]: User not known to the underlying authentication module
May 12 10:06:36 debian-6-master login[10601]: PAM 1 more authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost=

My ldap.conf looks like this:

base dc=ad,dc=domain
uri ldap://10.10.10.10
ldap_version 3
binddn test.linux@ad.domain
bindpw password
scope sub
pam_password ad
nss_base_passwd dc=ad,dc=domain?sub
nss_base_shadow dc=ad,dc=domain?sub
nss_base_group dc=ad,dc=domain?sub? &(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam_sasl_mech DIGEST-MD5

nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns ldap
networks:       files ldap

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis ldap

passwd_compat: files ldap
group_compat: files ldap
shadow_compat: files ldap

All files in /etc/pam.d are as created by pam-auth-update, with all three (Kerberos, Unix and LDAP) authentication methods selected.

I can confirm from a packet capture that the LDAP search returns the correct user information, the same as shown below in a manual ldapsearch result:

dn: CN=Linux\, test,OU=SpecialAccounts,OU=FI1-Helsinki,OU=EMEA,OU=_Managed Are
 as,DC=ad,DC=domain
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Linux, test
sn: Linux
givenName: test
distinguishedName: CN=Linux\, test,OU=SpecialAccounts,OU=FI1-Helsinki,OU=EMEA,
 OU=_Managed Areas,DC=ad,DC=domain
instanceType: 4
whenCreated: 20110407131914.0Z
whenChanged: 20110511125854.0Z
displayName: Linux, test
uSNCreated: 4144737
uSNChanged: 4638378
name: Linux, test
objectGUID:: wwZt/MX/K0S36BL4bS2w+g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129489044965699903
lastLogoff: 0
lastLogon: 129495915807176914
pwdLastSet: 129466559550934238
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAzXxBZqg31mUH5TsrkisAAA==
accountExpires: 9223372036854775807
logonCount: 35
sAMAccountName: test.linux
sAMAccountType: 805306368
userPrincipalName: test.linux@ad.domain
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=domain
dSCorePropagationData: 20110407131916.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129488989872488561
uid: test.linux
msSFU30Name: test.linux
msSFU30NisDomain: ad
uidNumber: 10002
gidNumber: 10000
unixHomeDirectory: /home/test.linux
loginShell: /bin/sh

# refldap://DomainDnsZones.ad.domain/DC=DomainDnsZones,DC=ad,DC=domain

# refldap://ForestDnsZones.ad.domain/DC=ForestDnsZones,DC=ad,DC=domain

# refldap://ad.domain/CN=Configuration,DC=ad,DC=domain

# pagedresultscookie=

  1. With a correct username and password I get MOTD and a message User not known to the underlying authentication module
  2. With a wrong username I get Login incorrect
  3. With a correct username, but wrong password, I get SASL/DIGEST-MD5 authentication started followed by Login incorrect

The AD is running on Windows 2k8 (R2) Server; all Debian packages are what you get from apt.

Any ideas very much welcome.

EDIT 2: As suggested below, I tried sssd with similar results; now the password is asked for twice, and the log shows:

May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=test.linux
May 12 14:53:06 debian-6-master login[11389]: pam_sss(login:auth): received for user test.linux: 10 (User not known to the underlying authentication module)
May 12 14:53:14 debian-6-master login[11389]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN
May 12 14:53:14 debian-6-master login[11389]: pam_unix(login:account): could not identify user (from getpwnam(test.linux))
May 12 14:53:15 debian-6-master login[11389]: pam_sss(login:account): Access denied for user test.linux: 10 (User not known to the underlying authentication module)
May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!?
May 12 14:53:15 debian-6-master login[11389]: pam_env(login:session): No such user!?
May 12 14:53:15 debian-6-master login[11389]: pam_krb5(login:session): (user test.linux) getpwnam failed for test.linux
May 12 14:53:15 debian-6-master login[11389]: pam_unix(login:session): session opened for user test.linux by LOGIN(uid=0)
May 12 14:53:15 debian-6-master login[11389]: User not known to the underlying authentication module

EDIT 3:

If I run sssd in the foreground with the debug level set to 5, the log shows:

(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_endpwent] (4): Terminating request info for all accounts
(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [test.linux] from [<ALL>]
(Fri May 13 13:50:33 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux], fail!
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_cmd_authenticate] (4): entering pam_cmd_authenticate
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): domain: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): user: test.linux
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): service: login
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): tty: /dev/tty3
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): ruser: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): rhost: (null)
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok type: 1
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): authtok size: 8
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): priv: 1
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_print_data] (4): cli_pid: 12507
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): pam_reply get called.
(Fri May 13 13:50:34 2011) [sssd[pam]] [pam_reply] (4): blen: 8
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_endpwent] (4): Terminating request info for all accounts
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [test.linux] from [<ALL>]
(Fri May 13 13:50:34 2011) [sssd[nss]] [nss_cmd_getpwnam] (2): No matching domain found for [test.linux], fail!
Kimvais
  • It seems that many people have succeeded using _winbind_ instead of LDAP. Is that really the way to go? – Kimvais May 12 '11 at 06:06
  • If it is not clear by now, I would like to get this to work without _any_ third party components - i.e. using only stuff that is available via official squeeze repositories. – Kimvais May 12 '11 at 06:42
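Added example, not from the question: a small Python triage of PAM syslog lines like the ones above. It separates "password verified by the KDC" from "NSS cannot resolve the user", which is exactly the split the excerpt shows (pam_krb5 succeeds, getpwnam fails). The sample lines are constructed from the excerpt, and `parse`, `classify` and `triage` are my own names.

```python
import re

# Constructed sample modelled on the question's excerpt: pid 10601 is the case in
# the question (KDC accepts the password, getpwnam() fails); pid 10777 is a
# constructed plain wrong-password attempt for contrast.
SAMPLE_LOG = """\
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): user test.linux authenticated as test.linux@AD.DOMAIN
May 12 10:06:36 debian-6-master login[10601]: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
May 12 10:06:36 debian-6-master login[10601]: pam_unix(login:account): could not identify user (from getpwnam(test.linux))
May 12 10:06:36 debian-6-master login[10601]: pam_env(login:session): No such user!?
May 12 10:06:36 debian-6-master login[10601]: User not known to the underlying authentication module
May 12 10:09:01 debian-6-master login[10777]: pam_krb5(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=test.linux
"""

# syslog prefix, then an optional "pam_xxx(service:stage): " tag, then the message
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) \w+\[(?P<pid>\d+)\]: "
    r"(?:(?P<module>pam_\w+)\(\w+:(?P<stage>\w+)\): )?(?P<msg>.*)$"
)

def parse(log_text):
    """Group parsed messages by (host, pid): one list per login attempt."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            attempts.setdefault((m["host"], m["pid"]), []).append(m.groupdict())
    return attempts

def classify(messages):
    """Verdict for one attempt. Authentication (is the password right?) and
    identity lookup (does NSS know a POSIX account?) are separate steps."""
    auth_ok = any(x["stage"] == "auth" and " authenticated as " in x["msg"] for x in messages)
    auth_fail = any(x["stage"] == "auth" and "authentication failure" in x["msg"] for x in messages)
    lookup_fail = any("getpwnam" in x["msg"] or "No such user" in x["msg"] for x in messages)
    if auth_ok and lookup_fail:
        return "identity-lookup-failure"  # credentials fine, NSS (ldap/sss) not answering for this user
    if auth_fail and not auth_ok:
        return "authentication-failure"
    if auth_ok:
        return "success"
    return "unknown"

def triage(log_text):
    """Map each (host, pid) attempt to its verdict."""
    return {key: classify(msgs) for key, msgs in parse(log_text).items()}

if __name__ == "__main__":
    for (host, pid), verdict in triage(SAMPLE_LOG).items():
        print(f"{host} pid {pid}: {verdict}")
```

An "identity-lookup-failure" verdict means the next thing to test is `getent passwd <user>`, not the password or the KDC.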

5 Answers


I would recommend using sssd. This is a standard package in Debian squeeze and makes life a lot easier. When you install sssd, it should ask you which authentication methods should be used. Make your selection there, and nsswitch.conf and the pam.d scripts will automatically be updated. You will need to have a few details about your AD domain at hand, but then, you should know them anyway (e.g. which DC to use and what the Kerberos realm name is, etc.).

Believe me, I have researched this a lot (and some of the questions asked in this regard on this site are from me), and sssd is the answer. It even works nicely for laptops, as the credentials are cached and you can determine the characteristics of the cache.

Here is our sssd.conf file with a few comments:

# SSSD configuration generated using /usr/lib/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = your.domain

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 8

[pam]
reconnection_retries = 3
debug_level = 8

[domain/<your.domain>]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true
#entry_cache_timeout = 60

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
#access_provider = ldap

ldap_uri = ldap://your.domain.controller
ldap_search_base = CN=Users,DC=your,DC=domain
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_default_bind_dn = cn=LDAPsearch,CN=Users,dc=your,dc=domain
ldap_default_authtok_type = password
ldap_default_authtok = <password for LDAPsearch>
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory

krb5_kdcip = your.domain.controller
krb5_realm = <kerberos realm name>
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15

This is based on using the UNIX services in Windows Server 2008 (which are now an integral part of it; they used to be an add-in in 2k3 and earlier).

Unlike other LDAP systems, AD needs an authenticated session before any data can be retrieved. We have created a special user named LDAPsearch to facilitate this, but it can probably also be done with the actual domain user.

When configuring users, you will have to set up their UNIX service details (home directory, user ID, and primary group membership), but that is very straightforward.

Obviously you can use a different search base, and you can also add filters to ensure users are members of particular groups etc. Just read the man page for sssd.

wolfgangsz
  • Tried it, installed `sssd` and binding for both NSS and pam, but no help. :( – Kimvais May 12 '11 at 17:30
  • From your second edit I can see that the actual authentication worked fine ('user test.linux authenticated as test.linux@AD.DOMAIN'). It seems that maybe the problem is that the user doesn't have a local account? If you read the documentation, there are ways to overcome that, too, but you will need to modify various files in /etc/pam.d/ – wolfgangsz May 12 '11 at 23:48
  • @wolfgangsz: yes, that's how far I got without SSSD as well, and it is part of the whole deal: all account information is to be retrieved from LDAP. Do you have any documentation pointers? – Kimvais May 13 '11 at 04:46
  • You can retrieve the account information from LDAP, but the user must have a local account. And if he doesn't have one, then you will need to create one. There are some sites that offer instructions on how to configure PAM to do this (i.e. creating a home folder etc on successful login), unfortunately I don't have any links at the moment. – wolfgangsz May 17 '11 at 10:13
  • Are you sure, @wolfgangsz - this seems to suggest otherwise http://www.linuxforums.org/forum/red-hat-fedora-linux/177811-requiring-local-accounts-sssd.html – Kimvais May 17 '11 at 10:43
  • OK, my wording wasn't that great. When a user has authenticated, then PAM needs to establish a session. Usually this requires a home directory and a few other bits. And I suspect that this is where your logins fail. As said, there are plug-ins that allow automatic creation of a home directory. – wolfgangsz May 17 '11 at 12:17
  • I had to add ` sufficient pam_sss.so` to /etc/pam.d/common-* to get this to work. Thanks for help, @wolfgangsz ! – Kimvais May 17 '11 at 13:50
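Added example, not part of the answer or of sssd itself: a Python check over an sssd.conf of the shape shown above, flagging the settings a reviewer would look at first (ldap:// without StartTLS while a bind password sits in the file, a relaxed ldap_tls_reqcert, enumerate turned on, a verbose debug_level). The sample config is constructed from the answer's placeholders, `lint_sssd_conf` is my own name, and the option names are the id_provider = ldap options from the sssd-ldap man page.

```python
import configparser

# Constructed sample, modelled on the answer's sssd.conf (its placeholders kept).
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = your.domain

[nss]
debug_level = 8

[domain/your.domain]
; Using enumerate = true leads to high load and slow response
enumerate = false
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://your.domain.controller
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=LDAPsearch,CN=Users,dc=your,dc=domain
ldap_default_authtok = <password for LDAPsearch>
krb5_realm = <kerberos realm name>
"""

def lint_sssd_conf(text):
    """Return (section, finding) pairs for settings worth a second look."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for sec in cp.sections():
        dbg = cp.get(sec, "debug_level", fallback="0")
        if dbg.isdigit() and int(dbg) >= 8:
            findings.append((sec, "debug_level >= 8 logs every request verbosely; lower it once things work"))
        if not sec.startswith("domain/") or cp.get(sec, "id_provider", fallback="") != "ldap":
            continue
        uri = cp.get(sec, "ldap_uri", fallback="")
        start_tls = cp.getboolean(sec, "ldap_id_use_start_tls", fallback=False)
        sasl = cp.get(sec, "ldap_sasl_mech", fallback="").upper()
        if uri.startswith("ldap://") and not start_tls and sasl != "GSSAPI":
            findings.append((sec, "ldap:// without ldap_id_use_start_tls = true: directory data and the simple-bind password cross the network in cleartext"))
        reqcert = cp.get(sec, "ldap_tls_reqcert", fallback="demand")
        if reqcert not in ("demand", "hard"):
            findings.append((sec, f"ldap_tls_reqcert = {reqcert} accepts an unverified server certificate"))
        if cp.has_option(sec, "ldap_default_authtok"):
            findings.append((sec, "bind secret in sssd.conf: keep the file root-owned, mode 0600 (sssd refuses to start otherwise)"))
        if cp.getboolean(sec, "enumerate", fallback=False):
            findings.append((sec, "enumerate = true makes every client pull the whole directory"))
    return findings
```

Run it as root on the real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())`; on the answer's config it reports the cleartext LDAP bind, the stored bind secret and the debug level.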

Take a look at Likewise Open. Much less mucking around necessary, though having an emulated windows registry isn't exactly my idea of a good time. But, the more recent versions have gotten pretty solid, it's worth a look.

Shane Madden
  • I wasn't able to locate a free download link or license on the website, are you sure this tool is _free of charge for commercial use_? – Kimvais May 12 '11 at 06:03
  • Yup, it's GPL licensed (Ubuntu and Red Hat, for instance, include it in their main package repositories and fully support it). Looks like the [download](http://www.likewise.com/download/) on their site requires registration, which is annoying. – Shane Madden May 12 '11 at 06:12
  • Hmm, ok so now the question remains, how to get that thing via `apt-get` off somewhere. – Kimvais May 12 '11 at 06:30

Likewise is popular, but I've been using Centrify Express for all of my Linux boxes in my work lab lately, and it's been great. It comes with its own version of SAMBA, and getting it set up is as simple as installing the RPM (make sure you read the PDF though).

churnd

There was a similar question in this thread, and the OP got things working with winbind to do the username and UID lookups, and pam_krb5 for password authentication. I've got several squeeze servers running that way now.

All of the necessary parts are in Debian. No third party or non-security-updated repositories required.

Mike Renfro

SSSD may be the answer, although I haven't used it yet, so I don't know. What I have used is winbind from samba3x, and that worked fairly well. The problem with configuring Kerberos and LDAP directly, for me at least, is that you then have to backfill UID/GID and home directory for all your existing users and maintain two worlds of data in AD/LDAP, which didn't seem like a good use of time. winbind will expose the native AD groups, rekey its machine account in Kerberos, etc. The only downside is that it insists on hostnames of 15 characters or less for maintaining some weird kind of NetBIOS compatibility that I'm not convinced actually exists or matters to anything inside Windows anymore, and every once in a while the daemon gets wedged and needs to be restarted, which requires working OOB access. Combine it with pam_mkhomedir and pam_access so accounts get home directories auto-populated and you can limit who has access to which hosts if you need to. Be advised that while usernames and groups with spaces in them work in a surprising number of places, they break some tools, such as pam_access (access.conf does not work with groups that have spaces in them).

mtinberg