Monday, 10 June 2013

Linux Integration with Active Directory


Linux systems can be authenticated with Windows Active Directory. Here I define the exact steps for configuring Linux servers with Active Directory. Here I am using “example.com” domain name and “dc01.example.com” hostname of Active Directory Server.
Follow the following steps to integrate Linux system with Active Directory. In this scenario Linux systems will be authenticated by AD domain users.

  1. On Linux machine configure hosts file to enter the AD domain server entry to resolve their name.
#vim /etc/hosts
10.226.1.1 dc01 dc01.example.com
2. /etc/resolv.conf
Search example.com
nameserver 10.226.1.1

  1. Configure the NTP on Linux Server.
Open file /etc/ntp.conf and make following entry.
#vim /etc/ntp.conf
server 10.226.1.1
restrict 10.226.1.1 mask 255.255.255.255 nomodify notrap noquery
  1. Restart NTP Service.
#service ntpd restart
#chkconfig ntpd on

  1. KERBROS CONFIGURATION : (/etc/krb5.conf)
Remove all entries in /etc/krb5.conf and add following entries in this file.

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = dc01.example.com
  kdc = *
  admin_server = dc01.example.com
  kdc = EXAMPLE.COM
        }

[domain_realm]
 example.com = example.com
 .example.com = example.com
  
[appdefaults]
   pam = {
   ticket_lifetime                 = 36000
   renew_lifetime                 = 36000
   forwardable                     = true
   proxiable                         = false
   retain_after_close             = false
   minimum_uid                   = 0
   debug                             = false
   }

[logging]
   default                           =  FILE:/var/log/krb5libs.log
   kdc                                = FILE:/var/log/kdc.log
  admin_server                   = FILE:/var/log/kadmind.log

  1. Verify your Kerberos configuration by trying to get a Kerberos ticket for an Active Directory user.
# kinit <username>@EXAMPLE.COM
Password for <username>@EXAMPLE.COM:

# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <username>@EXAMPLE.COM

Valid starting     Expires            Service principal
11/07/06 13:58:31  11/07/06 23:58:31  krbtgt/ EXAMPLE.COM @ EXAMPLE.COM

Note: It's very important that the kerberos domain is specified using ALL-UPPERCASE characters.  After the test, destroy the ticket by running the kdestroy command.

  1. SMB Configuration: (/etc/samba/smb.conf)
Add the following steps in /etc/samba/smb.conf file to communicate with AD using winbind.

[global]

   workgroup = EXAMPLE
   password server = EXAMPLE.COM
   realm = EXAMPLE.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   encrypt passwords = true
   idmap backend = rid
   passdb backend = tdbsam


Except these entries comment out all other parameters.

  1. JOIN to Domain:
Join the Linux System using Administrator password of AD.
# net ads join -U Administrator
Administrator's password:

Using short domain name -- EXAMPLE
Joined 'SystemName' to realm 'EXAMPLE.COM'

NOTE:  # net ads join –U Administrator –d 10
The above cmd will display the configuring procedure (verbose mode).

  1. NSSWITCH Configuration
Configure the Name Service Switch library by editing /etc/nsswitch.conf. The lines beginning with passwd: and group: needs to be changed into the following:
passwd:       files winbind
shadow:      files winbind
group:        files winbind
Verify that you can do lookups for single AD users and groups using the getent command as below:

# getent passwd <username>
testuser:x:12580:10000:testuser:/home/DOMAIN/<username>:/bin/bash
 
# getent group <username>
<groupname>:x:10222:<username>
 
If wbinfo -g and wbinfo -u works, but getent passwd <username> and/or getent group <username> fails to produce expected results, the problem is probably located in the NSS library rather than in the Winbind setup.

9.       Restart Winbind Service on Linux Server
# /etc/init.d/winbind restart

# chkconfig winbind on

  1. Check the AD Integration with Linux is ok.

# net ads testjoin
Join is OK

# wbinfo –t
It will test the trust relationship between the machine and the domain

# wbinfo -u
wbinfo -u should return a list of users from your domain

# wbinfo -g
wbinfo -g should return a list of groups from your domain

  1. PAM Configuration
The Pluggable Authentication Modules (PAM) subsystem must now be configured to allow users to authenticate to Active Directory. Common to most Linux distributions is that the configuration files for PAM reside in the directory /etc/pam.d./system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

No comments:

Post a Comment