RH password authentication on Windows Active Directory
Archived thread, Red Hat Topics, November 2006

Mike Ingram 2006-11-15, 7:13 am
Hi,
I am trying to get this working, on RHEL-4, and am having partial success.
I have googled a lot, but still haven't found the answer that works for me!
I have configured winbind and can see all the AD users and groups from
RedHat.
I have configured krb5.conf, and nsswitch.conf was automatically modified by
winbind.
The problem I have is simply that I cannot use the AD password to log in -
the /etc/passwd entry works okay.
Is anyone able to assist, or point me to a good source for getting the
authentication working?
Many thanks.

Roger Eriksson 2006-11-15, 7:13 am
"Mike Ingram" <mike.ingram@iinet.net.au> wrote in
news:455ac645$0$28175$5a62ac22@per-qv1-newsreader-01.iinet.net.au:
> Hi,
>
> I am trying to get this working, on RHEL-4, and am having partial
> success. I have googled a lot, but still haven't found the answer that
> works for me! I have configured winbind and can see all the AD users
> and groups from RedHat.
> I have configured krb5.conf, and nsswitch.conf was automatically
> modified by winbind.
> The problem I have is simply that I cannot use the AD password to log
> in - the /etc/passwd entry works okay.
>
> Is anyone able to assist, or point me to a good source for getting the
> authentication working?
I have my notes on how I did it on our systems. I'll paste them here,
neutralize our computers and domains and try to translate them to something
looking like English. It's not a howto but more like some notes that
will be enough for me to get the next server working (it has done so for
at least three servers). Hopefully you'll get something useful from them
though.
<cut>
*Kerberos*
Edit /etc/krb5.conf (after making a backup of course)
....
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YOUR.ACTIVE.DIRECTORY.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
YOUR.ACTIVE.DIRECTORY.DOMAIN = {
kdc = your.kdc.server:88
admin_server = your.admin.server:749
default_domain = your.domain
}
[domain_realm]
.your.domain = YOUR.ACTIVE.DIRECTORY.DOMAIN
your.domain = YOUR.ACTIVE.DIRECTORY.DOMAIN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
....
Verify that Kerberos works with users on your domain. It is important that
you give the domain name in caps.
[root@computer ~]# kinit user@YOUR.ACTIVE.DIRECTORY.DOMAIN
Password for user@YOUR.ACTIVE.DIRECTORY.DOMAIN:
[root@computer ~]#
If it fails you will be notified.
*Samba/Winbind*
Install Samba and Winbind
Edit /etc/samba/smb.conf
....
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings ================================
[global]
log file = /var/log/samba/%m.log
load printers = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
client use spnego = yes
client signing = yes
encrypt passwords = yes
use spnego = yes
winbind use default domain = yes
realm = YOUR.ACTIVE.DIRECTORY.DOMAIN
winbind uid = 10000-20000
template shell = /bin/bash
allow hosts = 127.0.0.1 xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
dns proxy = no
cups options = raw
server string = Samba Server
winbind enum users = yes
password server = your.password(ad).server your.2nd.pw.server
winbind gid = 10000-20000
template homedir = /home/%D/%U
local master = no
workgroup = YOURWORKGROUP
winbind enum groups = yes
server signing = yes
os level = 20
printcap name = /etc/printcap
security = ads
winbind separator = +
max log size = 50
log level = 1
#============================ Share Definitions =========================
[homes]
comment = Home for user %U
browseable = no
writable = yes
create mode = 0644
directory mode = 0755
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
....
Test the configuration with 'testparm'.
Join the AD domain. The user joining must have sufficient rights to add new
computers to the domain.
[root@computer ~]# net ads join -U user@YOUR.ACTIVE.DIRECTORY.DOMAIN
user@YOUR.ACTIVE.DIRECTORY.DOMAIN's password:
Using short domain name -- YOURWORKGROUP
Joined 'COMPUTER' to realm 'YOUR.ACTIVE.DIRECTORY.DOMAIN'
[root@computer ~]#
*NSSwitch*
To use winbind to verify passwd and group (through AD).
Edit /etc/nsswitch.conf
....
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files winbind
shadow: files
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files (bootparams: files)
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus (netgroup: files)
publickey: nisplus (netgroup: files)
automount: files nisplus (netgroup: files)
aliases: files nisplus (netgroup: files)
....
[root@computer ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@computer ~]#
wbinfo -u lists all users on the AD domain.
wbinfo -g lists all groups on the domain.
*PAM (Pluggable Authentication Module)*
[root@computer ~]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth-winbind
[root@computer ~]#
Edit /etc/pam.d/system-auth-winbind
....
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_winbind.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_winbind.so
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
....
This file is a copy of system-auth with the exception that it will
authenticate through winbind also.
It will also create a home directory for the user the first time he logs
in.
Edit /etc/pam.d/samba
Add "-winbind" to every row with "system-auth".
....
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth-winbind
account required pam_stack.so service=system-auth-winbind
session required pam_stack.so service=system-auth-winbind
password required pam_stack.so service=system-auth-winbind
....
Create the directory /home/YOURWORKGROUP
[root@computer ~]# mkdir /home/YOURWORKGROUP
Restart Samba and Winbind
[root@computer ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@computer ~]# service winbind restart
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
[root@computer ~]#
Now you should be able to see your home directory from Windows (\\server
in Explorer).
*Secure Shell (SSH)*
Now that PAM and Winbind are working we'll set up ssh to use the same way
to authenticate.
Edit /etc/pam.d/sshd
....
#%PAM-1.0
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth-winbind
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth-winbind
password required pam_stack.so service=system-auth-winbind
session required pam_stack.so service=system-auth-winbind
session optional pam_console.so
....
<cut>
If someone spots something stupid, please let me know. It works here but
that doesn't mean it couldn't be done in a better way ;-)
Now I'm working on getting DB2 9.1 to authenticate against the AD. This
part is new to me... There seems to be some support for Kerberos..
--
Mvh
/RE
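A small set of checks, added here and not part of Roger's notes, for the three files his walkthrough touches most: it flags a default_realm that is not in capitals (the caps warning above), passwd/group lines in nsswitch.conf that do not list winbind, and a PAM auth stack where pam_deny.so is reached before pam_winbind.so. The sample files written by write_samples are constructed for the example; on a server you would run the check_* functions on the live files instead.

```shell
# Sanity checks for krb5.conf, nsswitch.conf and the PAM service file of a
# winbind host. The sample contents written by write_samples are constructed
# for this example; on a real server call the check_* functions on live files.

# Realm names are case-sensitive, so default_realm must be in capitals.
check_realm_caps() {            # $1 = krb5.conf
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" |
            head -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$realm" ] || { echo "no default_realm in $1"; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] ||
        { echo "default_realm '$realm' is not upper case"; return 1; }
}

# passwd and group must list winbind or AD accounts never resolve to a uid.
check_nss_winbind() {           # $1 = nsswitch.conf
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$1" ||
            { echo "$db: line in $1 does not list winbind"; return 1; }
    done
}

# pam_winbind.so must be reached before pam_deny.so in the auth stack.
check_pam_order() {             # $1 = PAM service file, e.g. system-auth-winbind
    winb=$(grep -nE '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$1" |
           head -n 1 | cut -d: -f1)
    deny=$(grep -nE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_deny\.so' "$1" |
           head -n 1 | cut -d: -f1)
    [ -n "$winb" ] || { echo "no 'auth sufficient pam_winbind.so' in $1"; return 1; }
    [ -z "$deny" ] || [ "$winb" -lt "$deny" ] ||
        { echo "pam_winbind.so is listed after pam_deny.so in $1"; return 1; }
}

# Run all three checks on a directory holding krb5.conf, nsswitch.conf and pam.
check_dir() {
    check_realm_caps "$1/krb5.conf" &&
        check_nss_winbind "$1/nsswitch.conf" &&
        check_pam_order "$1/pam"
}

# Constructed sample files: $1/good passes every check, $1/bad fails every one.
write_samples() {
    mkdir -p "$1/good" "$1/bad"
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n' > "$1/good/krb5.conf"
    printf '[libdefaults]\n default_realm = example.com\n' > "$1/bad/krb5.conf"
    printf 'passwd: files winbind\ngroup:  files winbind\n' > "$1/good/nsswitch.conf"
    printf 'passwd: files\ngroup:  files\n' > "$1/bad/nsswitch.conf"
    printf 'auth sufficient pam_winbind.so\nauth required pam_deny.so\n' > "$1/good/pam"
    printf 'auth required pam_deny.so\nauth sufficient pam_winbind.so\n' > "$1/bad/pam"
}
```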

Mike Ingram 2006-11-15, 7:13 am
"Roger Eriksson" <roger.erixon@gmail.com> wrote in message
news:Xns987C722ADF3EAwrtjcouycmjoweprcgjw@130.239.8.26...
> "Mike Ingram" <mike.ingram@iinet.net.au> wrote in
> news:455ac645$0$28175$5a62ac22@per-qv1-newsreader-01.iinet.net.au:
>
>
> I have my notes on how I did it on our systems. I'll paste them here,
> neutralize our computers and domains and try to translate them to something
> looking like English. It's not a howto but more like some notes that
> will be enough for me to get the next server working (it has done so for
> at least three servers). Hopefully you'll get something useful from them
> though.
>
> <cut>
> *Kerberos*
>
> Edit /etc/krb5.conf (after making a backup of course)
>
> ...
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = YOUR.ACTIVE.DIRECTORY.DOMAIN
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
<snip>
Many thanks Roger.
I'll give this a go when I'm back at work tomorrow, and let you know how it
turns out.
One more question for now - Do I need to do anything (like load software or
make config changes etc) on the Windows AD at all?
Cheers,
Mike.

Roger Eriksson 2006-11-15, 7:13 am
"Mike Ingram" <mike.ingram@iinet.net.au> wrote in
news:455af2a2$0$28219$5a62ac22@per-qv1-newsreader-01.iinet.net.au:
> One more question for now - Do I need to do anything (like load
> software or make config changes etc) on the Windows AD at all?
This would be at least a year back and since I have a memory like a goldfish
I usually make notes on the things I do and I can't find anything
about this.
We're running the AD on MS W AS 2000 and not 2003 but if that makes any
difference I don't know.
--
Mvh
/RE