Linux Auth with Active Directory

Mbm329 23:23, March 9, 2012 (UTC)

/etc/hosts
Place entries in /etc/hosts for the domain controllers so that they resolve even when DNS is unavailable:

    10.1.1.2 domaincontroller1.example.com domaincontroller1
    10.1.1.3 domaincontroller2.example.com domaincontroller2

/etc/ntp.conf
Make sure NTP is set up on the host and synchronized to the domain controllers' time. This matters for Kerberos: the KDC rejects requests whose timestamps differ from its own clock by more than the allowed skew (300 seconds by default in MIT Kerberos), so a host with a drifting clock cannot authenticate at all.

    # don't panic should the hardware clock act erratically
    tinker panic 0

    # lock it down: serve time to nobody, accept queries and configuration changes from nobody but localhost
    restrict default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1

    # servers
    server 10.1.1.2 prefer
    server 10.1.1.3

    # Drift file. Put this in a directory which the daemon can write to.
    # No symbolic links allowed, either, since the daemon updates the file
    # by creating a temporary in the same directory and then rename'ing
    # it to the file.
    driftfile /var/lib/ntp/drift

/etc/ntp/step-tickers
Lists the servers that ntpdate steps the clock to at boot, before ntpd starts (the Red Hat-family ntpd init script reads this file). This gets the clock close enough for ntpd to discipline it instead of refusing to:

    10.1.1.2
    10.1.1.3
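The check a practitioner wants before running kinit or joining the domain is whether ntpd has actually selected a peer and how far the clock is from it. The following is an added example, not part of the original page: it parses `ntpq -pn` output (the samples are constructed, not captured from a real host) and fails when no system peer is selected or the offset is outside a threshold far tighter than the Kerberos 300-second tolerance.

```shell
#!/bin/sh
# Added example, not part of the original page. Before running kinit or
# net ads join, confirm that ntpd has selected a peer and that the offset
# is far inside the Kerberos clock-skew tolerance. Assumes the classic ntp
# package (ntpq); the sample output below is constructed.

# MIT Kerberos refuses requests when the skew exceeds 300 s by default.
# Insist on something far tighter, in milliseconds because that is the
# unit of the ntpq "offset" column.
MAX_OFFSET_MS=1000

# ntp_sync_ok: read `ntpq -pn` output on stdin.
# Returns 0 when a system peer (tally code * in column 1) exists and its
# absolute offset is <= MAX_OFFSET_MS; 1 otherwise.
ntp_sync_ok() {
    awk -v max="$MAX_OFFSET_MS" '
        # columns: remote refid st t when poll reach delay offset jitter
        /^\*/ {
            off = $9
            if (off < 0) off = -off
            if (off <= max) ok = 1
        }
        END { if (ok) exit 0; exit 1 }'
}

# Constructed samples (not captured from a real host).
# 1) ntpd synchronised to domaincontroller1, offset 0.455 ms
NTP_SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.1.2        10.1.1.2         2 u   49   64  377    0.312    0.455   0.081
+10.1.1.3        10.1.1.2         3 u   12   64  377    0.301   -0.120   0.060'

# 2) ntpd just started, nothing selected yet (stratum 16, reach 0)
NTP_SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.1.1.2        .INIT.          16 u    -   64    0    0.000    0.000   0.000
 10.1.1.3        .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# 3) a peer is selected but the local clock is almost 7 minutes out:
#    kinit would fail with "Clock skew too great"
NTP_SAMPLE_SKEWED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.1.2        10.1.1.2         2 u   49   64  377    0.312  412871.2   0.081'

# Live use on the host being joined: ./ntp-check.sh --live
if [ "${1-}" = "--live" ]; then
    if ntpq -pn | ntp_sync_ok; then
        echo "clock synchronised to a peer within ${MAX_OFFSET_MS} ms"
    else
        echo "clock not synchronised; Kerberos authentication will fail" >&2
        exit 1
    fi
fi
```

Run it with `--live` on the host after ntpd has been up for a few minutes; a fresh ntpd needs several polls (reach climbing toward 377) before it selects a peer, so an immediate failure right after boot is expected.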

/etc/krb5.conf
 * Ref: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4

The realm is the AD DNS domain in uppercase. With dns_lookup_kdc = true the client can also find KDCs through the _kerberos._tcp SRV records AD publishes, so the explicit kdc lines are a fallback. AD does not run a kadmin service, so the admin_server lines are unused; they are harmless.

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = true
     dns_lookup_kdc = true

    [realms]
     EXAMPLE.COM = {
      kdc = domaincontroller1.example.com:88
      kdc = domaincontroller2.example.com:88
      admin_server = domaincontroller1.example.com:749
      admin_server = domaincontroller2.example.com:749
      default_domain = example.com
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

/etc/pam.d/system-auth-ac
Add the Kerberos module to the auth and account stacks and pam_mkhomedir to the session stack. Each goes after the corresponding pam_unix.so line, so local accounts in /etc/passwd are still checked first and a directory user gets a home directory created (mode 0700) on first login. On Red Hat-family systems authconfig regenerates this file, so re-check the stack after running it.

    ...
    auth      sufficient  pam_krb5.so                                 # place after pam_unix.so
    ...
    account   sufficient  pam_krb5.so                                 # place after pam_unix.so
    ...
    session   required    pam_mkhomedir.so skel=/etc/skel umask=0077  # place after pam_unix.so

/etc/ldap.conf
 * Ref: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4

Set up the nss_ldap client library to bind to the domain controllers. Two things to keep in mind about this file. nss_ldap does a simple bind with binddn/bindpw, and every process that resolves a user name or group reads this file, so it has to stay world-readable: use a dedicated, read-only service account with no other rights for the bind, and treat its password as known to every local user. With ssl no, that password and every directory lookup also cross the network in cleartext; if the domain controllers have certificates, use ssl start_tls (or ldaps:// URIs with ssl on) together with tls_checkpeer and tls_cacertfile.

    host domaincontroller1 domaincontroller2
    base dc=example,dc=com
    uri ldap://domaincontroller1.example.com/ ldap://domaincontroller2.example.com/
    binddn binduser@example.com
    bindpw binduser_password
    scope sub
    ssl no

    # Timeout helpers if ldap is unavailable: give up quickly instead of
    # hanging every lookup, and never do LDAP group lookups for the listed
    # local accounts, so root can still log in with the directory down.
    # Ref: http://www.nabble.com/Re%3A-allowing-local-accounts-when-LDAP-is-unavailable--p23358537.html
    bind_policy soft
    bind_timelimit 1
    timelimit 5
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,mbm

    # Filter passwd and shadow lookups to accounts that actually carry POSIX
    # attributes. This speeds up lookups and keeps results far below the
    # maximum number of entries AD returns per query.
    # Ref: http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37287
    nss_base_passwd dc=example,dc=com?sub?&(objectCategory=user)(uidNumber=*)
    nss_base_shadow dc=example,dc=com?sub?&(objectCategory=user)(uidNumber=*)
    nss_base_group  dc=example,dc=com?sub?&(objectCategory=group)(gidNumber=*)

    # Map the RFC 2307 classes and attributes nss_ldap expects onto the AD schema
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_objectclass posixGroup group
    nss_map_attribute gecos cn
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute uniqueMember member
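To make the transport point concrete, here is an added example (not from the original page) that audits an nss_ldap ldap.conf for the settings that decide whether the bind password and lookups travel in cleartext. It writes two constructed files: the weak one mirrors the configuration above, the hardened one is an assumed STARTTLS variant (the CA certificate path in it is a placeholder). The option names are the ones nss_ldap's ldap.conf(5) documents.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an nss_ldap
# /etc/ldap.conf for the transport settings that decide whether the
# binddn/bindpw simple bind and all directory lookups cross the wire in
# cleartext. Sample files are constructed; the hardened one assumes a CA
# certificate at /etc/openldap/cacerts/ad-root-ca.pem (placeholder path).

# audit_ldap_conf FILE: print one finding per line, return 1 if any.
audit_ldap_conf() {
    f=$1
    rc=0
    # drop comments and squeeze whitespace so $1/$2 are option and value
    conf=$(sed 's/#.*//' "$f" | tr -s '[:blank:]' ' ')

    ssl=$(printf '%s\n' "$conf" | awk '$1 == "ssl" { v = $2 } END { print v }')
    case "$ssl" in
        start_tls) ;;     # STARTTLS on port 389
        on|yes) ;;        # LDAPS (use ldaps:// URIs)
        *)  echo "$f: ssl is '${ssl:-unset}': bind password and lookups are sent in cleartext"
            rc=1 ;;
    esac

    # With TLS on, the DC certificate must be verified, or an on-path
    # attacker can still terminate the session with a certificate of its own.
    if [ "$ssl" = start_tls ] || [ "$ssl" = on ] || [ "$ssl" = yes ]; then
        checkpeer=$(printf '%s\n' "$conf" | awk '$1 == "tls_checkpeer" { v = $2 } END { print v }')
        if [ "$checkpeer" != yes ]; then
            echo "$f: tls_checkpeer is '${checkpeer:-unset}': set it to yes explicitly"
            rc=1
        fi
        if ! printf '%s\n' "$conf" | grep -Eq '^ ?(tls_cacertfile|tls_cacertdir) '; then
            echo "$f: no tls_cacertfile/tls_cacertdir: nothing to verify the DC certificate against"
            rc=1
        fi
    fi

    # nss_ldap reads this file from every process, so bindpw is effectively
    # public to local users. That is a design constraint, not a finding:
    # flag it so the bind account is kept read-only and least-privilege.
    if printf '%s\n' "$conf" | grep -Eq '^ ?bindpw '; then
        echo "$f: note: bindpw present; the bind account must be read-only and least-privilege"
    fi
    return $rc
}

# write_ldap_samples DIR: constructed weak (as on this page) and hardened variants
write_ldap_samples() {
    cat > "$1/ldap.conf.weak" <<'EOF'
host domaincontroller1 domaincontroller2
base dc=example,dc=com
uri ldap://domaincontroller1.example.com/ ldap://domaincontroller2.example.com/
binddn binduser@example.com
bindpw binduser_password
scope sub
ssl no
EOF
    cat > "$1/ldap.conf.hardened" <<'EOF'
base dc=example,dc=com
uri ldap://domaincontroller1.example.com/ ldap://domaincontroller2.example.com/
binddn binduser@example.com
bindpw binduser_password
scope sub
# STARTTLS on 389, verifying the DC certificate against the AD CA (placeholder path)
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-root-ca.pem
EOF
}

# Live use on a configured host: audit_ldap_conf /etc/ldap.conf
```

The weak file produces the cleartext finding and a non-zero exit; the hardened file only prints the bindpw note. Run `audit_ldap_conf /etc/ldap.conf` on the host after editing, and confirm with a packet capture on port 389 that the bind is no longer readable.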

/etc/nsswitch.conf
For passwd, shadow, and group, have the system consult the local files first, then LDAP:

    ...
    passwd: files ldap
    shadow: files ldap
    group:  files ldap
    ...

Test LDAP Configuration
Directory accounts should appear after the local ones in each listing. If the output stops after the entries from /etc/passwd, nss_ldap could not bind or the nss_base filters matched nothing; raise debug in /etc/ldap.conf or check the bind account and filters.

Test querying of passwd data from ldap:

    getent passwd

Test querying of group data from ldap:

    getent group

Test querying of shadow data from ldap:

    getent shadow

Test resolution of a single user, including group membership, with the id command:

    id
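One check worth running on the merged listing: with passwd looked up in files first and then ldap, a directory account whose uidNumber equals a local account's uid owns that account's files, and a uidNumber of 0 makes it root on this host. The following added example (not from the original page) reads `getent passwd` output and reports every uid claimed by more than one name; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. With "passwd: files ldap",
# a directory account whose uidNumber matches a local uid shares that
# account's files, and uidNumber 0 is root on this host. This reads merged
# `getent passwd` output and lists uids that appear under several names.
# The sample data below is constructed.

# dup_uids: read passwd-format lines on stdin; print "uid N: name1 name2 ..."
# for each uid claimed by more than one name; return 1 if any were found.
dup_uids() {
    found=$(awk -F: '
        NF >= 7 {
            if ($3 in seen) dup[$3] = dup[$3] " " $1   # later claimant(s)
            else seen[$3] = $1                         # first claimant
        }
        END { for (u in dup) printf "uid %s: %s%s\n", u, seen[u], dup[u] }' |
        sort -k2,2n)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed getent passwd output: two local accounts, three directory
# accounts, two of which collide with local uids (0 and 500).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
mbm:x:500:500:Local Admin:/home/mbm:/bin/bash
jdoe:x:10001:10000:John Doe:/winhomes/jdoe:/bin/bash
svc_backup:x:0:10000:Backup Service:/home/svc_backup:/bin/bash
svc_build:x:500:10000:Build Service:/home/svc_build:/bin/bash'

# The same listing without the colliding directory accounts.
PASSWD_CLEAN='root:x:0:0:root:/root:/bin/bash
mbm:x:500:500:Local Admin:/home/mbm:/bin/bash
jdoe:x:10001:10000:John Doe:/winhomes/jdoe:/bin/bash'

# Live use on the joined host: getent passwd | dup_uids
```

Anyone who can set uidNumber on directory objects can create such a collision, so run this after every change to the AD POSIX attributes, not only once at setup time.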

/etc/request-key.conf
These lines let the kernel CIFS client obtain SPNEGO/Kerberos credentials and resolve server names through the cifs.upcall helper, so that mounts with sec=krb5 authenticate with the user's ticket. The "keyutils" package must be installed; it provides /sbin/request-key, which reads this file.

    create cifs.spnego  * * /usr/sbin/cifs.upcall %k
    create dns_resolver * * /usr/sbin/cifs.upcall %k

/etc/auto.master
Have autofs manage /winhomes from the map in /etc/auto.winhomes:

    /winhomes /etc/auto.winhomes

/etc/auto.winhomes
Here "*" matches any key (the subdirectory accessed under /winhomes) and "&" expands to that key, both in the mount options and in the share path. Two entries are shown to illustrate that specific users can be sent to one server and everybody else to another:

    user1 -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
    *     -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&

sec=krb5i authenticates with Kerberos and additionally signs every packet, so the session cannot be tampered with in transit. It is possible that the server hosting the share does not support packet signing, in which case use sec=krb5 instead; authentication still uses Kerberos, but the session then has no integrity protection:

    user1 -fstype=cifs,rw,soft,sec=krb5,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
    *     -fstype=cifs,rw,soft,sec=krb5,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&

/etc/skel/.bash_profile
Add this to the default .bash_profile to create a symlink to the autofs mount point for easy access to the home share. The symlink is only created if it does not exist yet:

    if ! [ -h ~/h ]; then
        ln -s /winhomes/$(whoami) ~/h
    fi

Test CIFS Auto-Mounting
Test auto-mounting of the home share when the user accesses it:

    ls -l ~/h/

/etc/samba/smb.conf
In the [global] section, workgroup is the short (NetBIOS) domain name and realm is the Kerberos realm, written the same way as default_realm in krb5.conf. With use kerberos keytab = true, joining the domain writes the machine account's keys to /etc/krb5.keytab; that file is the host's own domain credential and must stay readable by root only.

    workgroup = workgroup
    security = ads
    realm = EXAMPLE.COM
    use kerberos keytab = true
    password server = domaincontroller1.example.com domaincontroller2.example.com

Run the following commands, as root, to join the system to the domain (the account used needs the right to create computer objects in the domain):

    sudo kdestroy
    sudo kinit domain_admin_username@EXAMPLE.COM
    sudo net ads join -U domain_admin_username

Afterwards, net ads testjoin reports whether the machine account and its keytab are usable.

Test SSO Access for File Shares
Log in as a standard user account and use smbclient with -k, which authenticates with the Kerberos ticket pam_krb5 obtained at login, to list the user's home share. No password prompt should appear:

    std_user$ smbclient -k '\\domaincontroller1\home_share\' -c 'ls std_user\*'
    OS=[Windows Server 2008 R2 Enterprise 7600] Server=[Windows Server 2008 R2 Enterprise 6.1]
      .                                   D        0  Thu Oct  6 17:55:41 2011
      ..                                  D        0  Thu Oct  6 17:55:41 2011
      std_user_file.txt                   A       26  Thu Oct  6 17:55:50 2011

                    61235 blocks of size 524288. 38719 blocks available

User-mounted CIFS Filesystems
Since the system is now in a Windows domain, users can be allowed to mount the CIFS shares they have access to themselves. The approach here is to make /sbin/mount.cifs setuid root:

    $ sudo chmod 4755 /sbin/mount.cifs

Be clear about what this grants: every local user can now run a root-privileged mount helper with arguments of their choosing, and the helper's own parsing and option handling become part of the host's attack surface. The cifs-utils documentation discourages installing mount.cifs setuid root for this reason. A sudoers rule limited to a fixed command line, or autofs maps as in the previous section, give users the same self-service with far less exposure.

With the setuid bit set, a user can call mount.cifs directly to mount their own filesystems:

    $ /sbin/mount.cifs '//SERVER1/SHARE/DIRECTORY TO BE MOUNTED' /home/USERNAME/MOUNTPOINT -o rw,soft,sec=krb5,uid=USERNAME,file_mode=0700,dir_mode=0700

It is important that the command's arguments are specified in the order above. A wrapper script that the user calls, and that fills in the options for them, keeps the option string out of the user's hands as well.
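The wrapper script just mentioned, as an added example that is not part of the original page. It avoids the setuid bit altogether: the user supplies only the share and a mount point inside their own home directory, both are validated, the option string is fixed (with nosuid,nodev added to the options used above), and the privileged call goes through sudo. The sudoers rule it relies on is an assumption, shown in the comments.

```shell
#!/bin/sh
# Added example, not part of the original page: a wrapper for
# user-initiated CIFS mounts that does not need a setuid-root mount.cifs.
# The user chooses only the share and a mount point inside their own home;
# the option string is fixed here and the privileged call goes through
# sudo. Assumed (hypothetical) sudoers rule for it:
#   %domain_users ALL=(root) NOPASSWD: /sbin/mount.cifs
# Usage: cifs-user-mount //SERVER1/SHARE/DIR ~/mnt/share

# validate_share //server/share[/sub/dir]: UNC-style path with no empty
# and no ".." components
validate_share() {
    case "$1" in
        //*/*) ;;
        *) return 1 ;;
    esac
    case "/${1#//}/" in
        *//*|*/../*) return 1 ;;
    esac
    return 0
}

# validate_mountpoint DIR: an existing directory inside the caller's home,
# owned by the caller, with no symlinks and no ".." anywhere in the path
validate_mountpoint() {
    mp=${1%/}
    case "$mp" in
        "${HOME%/}"/*) ;;
        *) return 1 ;;
    esac
    case "/$mp/" in
        */../*) return 1 ;;
    esac
    [ -d "$mp" ] || return 1
    # the canonical path must equal the path given: no symlink in any component
    [ "$(readlink -f "$mp")" = "$mp" ] || return 1
    [ "$(stat -c %u "$mp")" = "$(id -u)" ] || return 1
    return 0
}

# mount_options: the fixed option set. sec=krb5 uses the caller's ticket
# via cifs.upcall; nosuid,nodev stop a hostile share from delivering
# setuid binaries or device nodes; uid/gid map the files to the caller.
mount_options() {
    printf 'rw,soft,sec=krb5,nosuid,nodev,uid=%s,gid=%s,file_mode=0700,dir_mode=0700\n' \
        "$(id -un)" "$(id -gn)"
}

# cifs_user_mount SHARE MOUNTPOINT: validate both, then mount via sudo.
# With DRY_RUN set, print the command instead of running it.
cifs_user_mount() {
    share=$1 mp=$2
    validate_share "$share" || { echo "refusing share '$share'" >&2; return 2; }
    validate_mountpoint "$mp" || { echo "refusing mount point '$mp'" >&2; return 2; }
    opts=$(mount_options)
    if [ -n "${DRY_RUN-}" ]; then
        printf 'sudo /sbin/mount.cifs %s %s -o %s\n' "$share" "$mp" "$opts"
        return 0
    fi
    # sec=krb5 needs a valid ticket in the caller's credential cache
    klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; return 3; }
    sudo /sbin/mount.cifs "$share" "$mp" -o "$opts"
}

if [ $# -eq 2 ]; then
    cifs_user_mount "$1" "$2"
fi
```

Install the script root-owned and world-executable (not setuid) and restrict the sudoers rule to /sbin/mount.cifs only; umount of a user mount can go through a matching rule for /bin/umount with the same validation. Because the wrapper pins the option string, a user cannot pass credentials=, uid=0 or other options that a setuid mount.cifs would have had to police itself.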