This article outlines the high-level steps required to configure your Linux workstation or server to authenticate against a Microsoft Active Directory (AD) domain. Most of the information was pulled from a number of tutorials, newsgroup posts, and the Samba documentation.
Ensure that samba and winbind are installed.
Configure winbind and samba to start automatically upon system startup. Since I did this on a Red Hat Enterprise Linux system (AS v4), I will use the RHEL-specific commands, although they may be the same on other distributions.
[root@myhost]# chkconfig smb on
[root@myhost]# chkconfig winbind on
Edit your /etc/hosts file and include entries for your AD domain controllers.
# /etc/hosts
127.0.0.1 localhost
10.200.8.10 auth1.mydomain.com auth1
10.200.8.20 auth2.mydomain.com auth2
Edit your /etc/samba/smb.conf file as follows (modify to suit your domain information):
[global]
# NT Workgroup Settings
netbios name = MYHOST
workgroup = MYDOMAIN
server string = Linux Server
# Samba Performance Settings
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client schannel = no
# Network Browsing Settings
local master = no
domain master = no
preferred master = no
wins support = no
dns proxy = no
wins proxy = no
# Active Directory Member
realm = MYDOMAIN.COM
security = ads
ads server = 10.200.8.10
password server = auth1.mydomain.com auth2.mydomain.com
# Winbind Settings
winbind separator = +
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
#winbind gid = 10000-20000
#winbind trusted domains only = no
# Defaults for local accounts created by winbind
#template shell = /bin/bash
template shell = /usr/local/bin/bash-wrapper
template homedir = /home/%U
# Logging Settings
max log size = 50
log file = /var/log/samba/%m.log
# Printer Settings
printcap name = /etc/printcap
load printers = yes
cups options = raw
#============= Share Definitions ==============#
[homes]
comment = Home Directories
browseable = no
writable = yes
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
Edit your /etc/krb5.conf file as follows:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = yes
dns_lookup_kdc = yes
[realms]
MYDOMAIN.COM = {
kdc = auth1.mydomain.com
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Now, start up Samba and Winbind.
[root@myhost]# service smb start
[root@myhost]# service winbind start
Run system-config-authentication. Under “User Information” check “Use Winbind”. The others should be clear. Under “Authentication” check “Use MD5 Passwords”, “Use Shadow Passwords”, “Use SMB Authentication”, “Use Winbind Authentication”, and “Local authorization is sufficient”.
Click Next, enter your domain-specific settings, then select the “Join Domain” button and enter your domain login credentials (you need administrator privileges on the domain to join it).
Click OK once the computer has been joined to the domain. Now is a good time to check Active Directory to ensure that the computer account has been created properly. The system-config-authentication program also modifies a number of other files such as /etc/nsswitch.conf and /etc/pam.d/system-auth.
If you would like home directories to be created automatically for domain users who log in to your Linux computer, append the following line to /etc/pam.d/system-auth.
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0077
(Note: Running system-config-authentication again will overwrite any changes you make to this file.)
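Because system-config-authentication rewrites /etc/pam.d/system-auth, the pam_mkhomedir line will have to be re-added from time to time. The sh helper below is an added example (not from the article) that appends the rule only when it is missing, so it can be run as often as needed without stacking duplicate session rules; the function names and the temporary-file demonstration are this example's own, and it never touches the live PAM file.

```shell
#!/bin/sh
# Added example, not part of the original article: make the pam_mkhomedir
# edit repeatable. system-config-authentication rewrites system-auth, so
# the line has to be re-added; this helper appends it only when absent.
# The function names and the demo file are this example's own.

# The exact line the article appends.
MKHOMEDIR_LINE='session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0077'

# Usage: ensure_line <file> <line>
# Appends <line> to <file> unless that exact line is already present.
ensure_line() {
    el_file=$1
    el_line=$2
    if grep -Fxq -- "$el_line" "$el_file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$el_line" >> "$el_file"
}

# Usage: has_mkhomedir <file>
# True if the file already carries a pam_mkhomedir session rule with a
# simple control flag (required/optional/...), whatever the module path.
has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[a-z]+[[:space:]]+.*pam_mkhomedir\.so' "$1"
}

# Demonstration on a constructed copy rather than the live PAM file:
# a minimal system-auth without the rule, patched twice. Prints the
# number of pam_mkhomedir lines afterwards (expected: 1).
demo_pam_append() {
    demo_tmp=$(mktemp) || return 1
    printf '%s\n' '#%PAM-1.0' 'session required pam_unix.so' > "$demo_tmp"
    ensure_line "$demo_tmp" "$MKHOMEDIR_LINE"
    ensure_line "$demo_tmp" "$MKHOMEDIR_LINE"
    demo_count=$(grep -c 'pam_mkhomedir' "$demo_tmp")
    rm -f "$demo_tmp"
    echo "$demo_count"
}

echo "pam_mkhomedir lines after two runs: $(demo_pam_append)"
```

To apply it for real, call ensure_line /etc/pam.d/system-auth "$MKHOMEDIR_LINE" as root after each run of system-config-authentication; the exact-line match (grep -Fx) means a pre-existing rule with a different module path or umask is not detected as a duplicate, which is why has_mkhomedir is provided as the looser check.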
Now we need to check if our Linux computer can talk to Active Directory. The “wbinfo” and “getent” commands provide an easy way to test our setup.
List all users: [root@myhost]# wbinfo -u
List all groups: [root@myhost]# wbinfo -g
Check RPC communication: [root@myhost]# wbinfo -t
Check trusted domains: [root@myhost]# wbinfo -m
Get all AD group membership information: [root@myhost]# getent group
If you get some error relating to the inability to allocate a UID or GID, you may need to stop winbind, delete /var/cache/samba/winbindd_idmap.tdb and then restart winbind.
Next, you can create a login shell wrapper to restrict SSH access to specific Active Directory security groups. If you don’t want to restrict access then edit /etc/samba/smb.conf and change the template shell back to /bin/bash. Otherwise, create the following shell script and give it execute permissions (chmod a+x /usr/local/bin/bash-wrapper).
#!/bin/sh
# This script restricts shell access to privileged users. The "template shell"
# option in the '/etc/samba/smb.conf' file should be set to call this wrapper.

# Get group memberships for this user.
BFN_ID=$(/usr/bin/id)

# Grant shell access to users that are in the local wheel group.
# grep -E is required so that '+' means "one or more digits"; in basic grep
# it is a literal '+' and the test never matches. -i is used because winbind
# reports domain group names in lower case.
if /bin/echo "$BFN_ID" | /bin/grep -Ei '[=,][0-9]+\(wheel\)' > /dev/null
then
    exec /bin/bash --login "$@"
fi

# Grant shell access to users that are in the domain administrators group.
if /bin/echo "$BFN_ID" | /bin/grep -Ei '[=,][0-9]+\(Domain Admins\)' > /dev/null
then
    exec /bin/bash --login "$@"
fi

# Else print a notice and exit with a failure status so the login is refused.
echo "Shell access to this computer is disabled."
exit 1
# eof
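The wrapper's whole decision rests on matching a "<gid>(<group>)" entry in the output of id(1). The script below is an added example, not from the article, that factors that test into a function and exercises it against constructed id output, so the policy can be checked on a machine that is not joined to any domain. It also covers two pitfalls a practitioner hits with this kind of check: the '+' quantifier only works under grep -E (in basic grep it is a literal character), and winbind reports AD group names in lower case, so the comparison must be case-insensitive. The function names and sample id lines are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: the group test used by the
# bash-wrapper, factored into a function that can be exercised against
# constructed id(1) output on a host that is not joined to any domain.
# Function names and the sample outputs below are this example's own.

# Usage: id_has_group "<id output>" "<group name>"
# Returns 0 when <group name> appears as one of the "<gid>(<name>)" entries,
# 1 otherwise. The match is anchored on the preceding '=' or ',' and on the
# parentheses, so "wheel" does not match a group called "wheelwright".
# -E is required: in basic grep '+' is a literal character and the test
# would never match. -i because winbind (Samba 3) reports AD group names
# in lower case, so "Domain Admins" shows up as "domain admins".
id_has_group() {
    ihg_output=$1
    ihg_name=$2
    # Escape anything that is not alphanumeric, space, '_' or '-' so that a
    # group name containing '.' or '+' cannot be read as a regex operator.
    ihg_escaped=$(printf '%s' "$ihg_name" | sed 's/[^A-Za-z0-9 _-]/\\&/g')
    printf '%s\n' "$ihg_output" | grep -Eiq "[=,][0-9]+\\($ihg_escaped\\)"
}

# The wrapper's policy: local wheel members or AD Domain Admins get a shell.
# Usage: shell_allowed "<id output>"
shell_allowed() {
    id_has_group "$1" wheel || id_has_group "$1" "Domain Admins"
}

# Constructed id(1) output in winbind style: names lower-cased and without a
# domain prefix, as produced with "winbind use default domain = yes".
ID_PLAIN_USER='uid=10001(jdoe) gid=10001(domain users) groups=10001(domain users)'
ID_DOMAIN_ADMIN='uid=10002(asmith) gid=10001(domain users) groups=10001(domain users),10003(domain admins)'
ID_LOCAL_WHEEL='uid=500(ops) gid=500(ops) groups=500(ops),10(wheel)'
ID_LOOKALIKE='uid=501(bob) gid=501(bob) groups=501(bob),502(wheelwright)'

# Stand-alone run: report the decision for each sample.
for sample in "$ID_PLAIN_USER" "$ID_DOMAIN_ADMIN" "$ID_LOCAL_WHEEL" "$ID_LOOKALIKE"; do
    if shell_allowed "$sample"; then
        echo "allow: $sample"
    else
        echo "deny:  $sample"
    fi
done
```

Only the second and third samples are allowed; the "wheelwright" lookalike is refused because the closing parenthesis is part of the pattern. Keep the gid-based anchoring in mind if you ever switch to a plain substring test: a group whose name merely contains "wheel" or "admins" would then pass.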
You now need to edit /etc/pam.d/sshd and /etc/pam.d/login so that those programs look to winbind for authentication.
[root@myhost]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient pam_winbind.so
account required pam_stack.so service=system-auth
account sufficient pam_winbind.so
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
[root@myhost]# cat /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
[root@myhost]#
Restart Samba and Winbind and everything should work.
[root@myhost]# service smb restart
[root@myhost]# service winbind restart
Really concise. I like the wrapper for restricting access to the shell. Just found this but will definitely give it a try.