Linux Auth with Active Directory

Latest revision as of 14:58, July 20, 2012

Mbm329 23:23, March 9, 2012 (UTC)

Setup Prerequisites

/etc/hosts

Place entries in /etc/hosts for the domain controllers (the addresses below are placeholders for your own):

<DC1_ADDRESS>  domaincontroller1
<DC2_ADDRESS>  domaincontroller2

/etc/ntp.conf

Make sure NTP is set up on the host and synchronized to the domain controller's clock (important for Kerberos, which rejects tickets when the clock skew between client and KDC is too large).

# don't panic should the hardware clock act erratically
tinker panic 0

# lock it down
restrict default kod nomodify notrap nopeer noquery

# synchronize to the domain controller listed in /etc/hosts
server domaincontroller1 prefer

# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

/etc/ntp/step-tickers

List the time server here so that ntpdate steps the clock to it once at boot, before ntpd starts:

domaincontroller1

Setup Kerberos Authentication Configuration

/etc/krb5.conf

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  # KDC and admin servers are the domain controllers from /etc/hosts
  EXAMPLE.COM = {
    kdc = domaincontroller1
    kdc = domaincontroller2
    admin_server = domaincontroller1
    admin_server = domaincontroller2
    default_domain = example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

/etc/pam.d/system-auth-ac

Add the Kerberos PAM module to the auth and account stacks, and pam_mkhomedir to the session stack so that a home directory is created from /etc/skel at first login.[1]

auth     sufficient pam_krb5.so                                   #place after the existing pam_unix.so auth line
account  sufficient pam_krb5.so                                   #place after the existing pam_unix.so account line
session  required   pam_mkhomedir.so skel=/etc/skel umask=0077    #place after the existing pam_unix.so session line

Setup NSS LDAP Library Configuration

/etc/ldap.conf

Set up the nss_ldap client library configuration to bind to your domain controllers.[2] Two points to keep in mind: with ssl no the bind password and every lookup cross the network in clear text, and since nss_ldap is loaded into every process that resolves users, this file is readable by all local users, so the account named in binddn should have read-only directory rights and nothing more.

host domaincontroller1 domaincontroller2
base dc=example,dc=com
uri ldap://domaincontroller1 ldap://domaincontroller2
# DN of the account that bindpw belongs to
binddn <BIND_ACCOUNT_DN>
bindpw binduser_password
scope sub
ssl no

#Timeout helpers if ldap is unavailable - Ref:
bind_policy soft
bind_timelimit 1
timelimit 5
idle_timelimit 3600
nss_initgroups_ignoreusers root,mbm

#Filter passwd and shadow to improve speed of lookups and return far less than max allowed from AD - Ref:
# nss_ldap ANDs this filter with its own lookup filter, so it must be a complete, parenthesised filter
nss_base_passwd dc=example,dc=com?sub?(&(objectCategory=user)(uidNumber=*))
nss_base_shadow dc=example,dc=com?sub?(&(objectCategory=user)(uidNumber=*))
nss_base_group dc=example,dc=com?sub?(&(objectCategory=group)(gidNumber=*))

#Map the POSIX schema onto the attributes Active Directory actually uses
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
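
The two settings above that matter most for the bind account are ssl no and bindpw. The following is an added example (not code from the original page) that audits an nss_ldap-style ldap.conf for them: clear-text transport, a world-readable file holding bindpw, and a bindpw without a matching binddn. The sample configuration files it is checked against are constructed in the test, not taken from any real host; run it against a real file with audit_ldap_conf /etc/ldap.conf.

```sh
#!/bin/sh
# Added example: audit an nss_ldap /etc/ldap.conf for bind-account exposure.
# Not part of the original page. Usage: sh ldap-audit.sh /etc/ldap.conf

# conf_value FILE KEY: print the value of the first non-comment KEY line,
# or nothing if the key is unset. Comment lines start with '#', so their
# first token never equals a bare key name.
conf_value() {
    awk -v k="$2" '$1 == k { sub(/^[^[:space:]]+[[:space:]]+/, ""); print; exit }' "$1"
}

# audit_ldap_conf FILE: print one finding per line; return 1 if any finding, else 0
audit_ldap_conf() {
    f=$1; rc=0
    ssl=$(conf_value "$f" ssl)
    pw=$(conf_value "$f" bindpw)
    dn=$(conf_value "$f" binddn)

    # 1. bindpw with "ssl no" (or no ssl line at all) crosses the wire in clear text
    if [ -n "$pw" ] && { [ -z "$ssl" ] || [ "$ssl" = no ]; }; then
        echo "bindpw is transmitted in clear text (ssl is '${ssl:-unset}'): use 'ssl start_tls' or 'ssl on'"
        rc=1
    fi

    # 2. nss_ldap runs inside every process that resolves users, so the file is
    #    normally world-readable: bindpw is then visible to every local user.
    #    Column 8 of 'ls -l' is the other-read bit.
    if [ -n "$pw" ] && [ "$(ls -ld "$f" | cut -c8)" = r ]; then
        echo "bindpw is readable by every local user: use rootbinddn with /etc/ldap.secret, or a read-only bind account"
        rc=1
    fi

    # 3. bindpw without binddn: nss_ldap has no DN to bind as and binds anonymously
    if [ -n "$pw" ] && [ -z "$dn" ]; then
        echo "bindpw is set but binddn is missing: the password is never used"
        rc=1
    fi
    return $rc
}

# Stand-alone use: audit the file given on the command line
if [ $# -gt 0 ]; then
    audit_ldap_conf "$1"
fi
```

The exit status makes it usable from a configuration-management check: zero means no findings. Finding 2 is the reason Red Hat's nss_ldap supports rootbinddn with the password kept in root-only /etc/ldap.secret instead of bindpw in the world-readable ldap.conf.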

/etc/nsswitch.conf

For passwd, shadow, and group, have the system consult the local files first and then LDAP:

passwd: files ldap
shadow: files ldap
group: files ldap

Test LDAP Configuration

Test querying of passwd data from LDAP:

getent passwd
getent passwd <username>

Test querying of group data from LDAP:

getent group
getent group <group>

Test querying of shadow data from LDAP:

getent shadow
getent shadow <username>

Test listing of users with the id command:

id <username>

Setup Automatic CIFS Home Directory Mounting

/etc/request-key.conf

These entries let the CIFS mounts authenticate with the user's Kerberos tickets: the kernel asks cifs.upcall for the SPNEGO blob, which it builds from the user's credential cache. The "keyutils" package must be installed on the system.

create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k

/etc/auto.master

/winhomes /etc/auto.winhomes

/etc/auto.winhomes

In this map, "*" matches any key (a subdirectory accessed under /winhomes) and "&" expands to the key that was referenced. The two entries below show that specific users can be sent to one server while everybody else goes to another.

user1 -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
*     -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&

It's possible that the server you are authenticating the users against does not support SMB packet signing. In that case use sec=krb5 instead of sec=krb5i, at the cost of per-packet integrity protection.

user1 -fstype=cifs,rw,soft,sec=krb5,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
*     -fstype=cifs,rw,soft,sec=krb5,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&
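
To make the "*" and "&" rules concrete, here is an added example (shell, not code from the page or from autofs itself) that resolves a key against an indirect map the way autofs does: an exact entry wins over the wildcard, "&" is replaced by the key, and the result is turned into the equivalent mount(8) command under the /winhomes mountpoint from /etc/auto.master. The map text is a constructed copy of the two entries above; the user name "alice" is made up.

```sh
#!/bin/sh
# Added example: resolve /etc/auto.winhomes-style entries like autofs would.
# Not part of the original page.

# Constructed sample map in the format of /etc/auto.winhomes (copy of the page's two entries)
SAMPLE_MAP='user1 -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
*     -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&'

# resolve_map KEY [MAPTEXT]: print "OPTIONS LOCATION" for KEY with every &
# replaced by KEY. An exact entry wins over the * wildcard; returns 1 if
# nothing matches (autofs would then report "no such file or directory").
resolve_map() {
    key=$1
    map=${2:-$SAMPLE_MAP}
    printf '%s\n' "$map" | awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == key { line = $0; found = 1; exit }       # exact entry: stop looking
        $1 == "*" && !found { line = $0; found = 1 }   # wildcard: keep as fallback
        END {
            if (!found) exit 1
            sub(/^[^[:space:]]+[[:space:]]+/, "", line)  # drop the key column
            gsub(/&/, key, line)                          # autofs & substitution
            print line
        }'
}

# mount_cmd KEY: show the mount(8) invocation autofs performs for KEY under
# the /winhomes mountpoint declared in /etc/auto.master
mount_cmd() {
    entry=$(resolve_map "$1") || return 1
    opts=${entry%% *}                  # first field: -fstype=cifs,rw,...
    loc=${entry#* }                    # rest: ://SERVER/share/key
    fstype=${opts#-fstype=}; fstype=${fstype%%,*}
    opts=${opts#-fstype=*,}            # strip "-fstype=cifs," from the option list
    printf 'mount -t %s -o %s //%s /winhomes/%s\n' "$fstype" "$opts" "${loc#://}" "$1"
}

# Demo: what /winhomes/user1 and /winhomes/alice would resolve to
for u in user1 alice; do
    mount_cmd "$u"
done
```

Note that uid=& becomes uid=<key>, which is why the key under /winhomes must be the user's own login name: the ticket that cifs.upcall picks up belongs to that uid.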

/etc/skel/.bash_profile

Add this code to the default .bash_profile to create a symlink to the autofs mountpoint for easy access to the home share.

if ! [ -h ~/h ]; then
  ln -s /winhomes/$(whoami) ~/h
fi

Test CIFS Auto-Mounting

Test auto-mounting of the home directory when it is accessed by the user:

ls -l ~/h/

Configure Samba to Join the System to the Domain[3]

/etc/samba/smb.conf

[global]
  # NetBIOS (short) name of the domain
  workgroup = workgroup
  security = ads
  realm = EXAMPLE.COM
  use kerberos keytab = true
  password server = domaincontroller1

Run the following commands to join the system to the domain:

sudo kdestroy
sudo kinit domain_admin_username@EXAMPLE.COM
sudo net ads join -U domain_admin_username

Test SSO Access for File Shares

Log in as a standard user account and use smbclient with Kerberos authentication (-k) to list the user's home share without being asked for a password.

std_user$ smbclient -k '\\domaincontroller1\home_share\' -c 'ls std_user\*'
OS=[Windows Server 2008 R2 Enterprise 7600] Server=[Windows Server 2008 R2 Enterprise 6.1]
  .                                   D        0  Thu Oct  6 17:55:41 2011
  ..                                  D        0  Thu Oct  6 17:55:41 2011
  std_user_file.txt                      A       26  Thu Oct  6 17:55:50 2011

                61235 blocks of size 524288. 38719 blocks available

User-mounted CIFS Filesystems

Since the system is now in a Windows domain, we can allow users to mount the CIFS shares they have access to themselves, which increases their productivity. This is done by making /sbin/mount.cifs setuid-root. Note that this makes mount.cifs runnable with root privileges by every local user, so keep the package that ships it up to date.

$ sudo chmod 4755 /sbin/mount.cifs

Users can now call mount.cifs directly to mount their own filesystems, like so:

$ /sbin/mount.cifs '//SERVER1/SHARE/DIRECTORY TO BE MOUNTED' /home/USERNAME/MOUNTPOINT -o rw,soft,sec=krb5,uid=USERNAME,file_mode=0700,dir_mode=0700

It's important that the command's arguments are given in the order shown above (share, mountpoint, then -o options). You could also provide a wrapper script that users call instead, which fills in the options for them.
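
One way to write that wrapper, as an added example (not code from the page): it keeps the argument order the page requires, fixes the option string for the calling user, and accepts only UNC-style share names and mountpoints inside the caller's home directory without ".." components, so the setuid mount.cifs is never handed an arbitrary mountpoint. The server and share names are hypothetical; the optional third argument of cifs_mount_opts exists only so the checks can be exercised against a temporary directory.

```sh
#!/bin/sh
# Added example: wrapper around the setuid-root /sbin/mount.cifs set up above.
# Not part of the original page. Usage: sh cifs-mount.sh '//SERVER/SHARE/DIR' "$HOME/mnt"
MOUNT_CIFS=/sbin/mount.cifs
DRY_RUN=${DRY_RUN:-0}    # DRY_RUN=1 prints the command instead of running it

# cifs_mount_opts SHARE MOUNTPOINT [HOMEDIR]: validate the two user-supplied
# arguments and print the fixed option string for the calling user.
# HOMEDIR defaults to $HOME; it is a parameter only so tests can override it.
cifs_mount_opts() {
    share=$1; mp=$2; home=${3:-$HOME}
    user=$(id -un)
    case $share in
        //*/*) ;;      # UNC-style //SERVER/SHARE[/DIR], as in the manual example
        *) echo "share must look like //SERVER/SHARE[/DIR], got '$share'" >&2; return 1 ;;
    esac
    case $mp in
        "$home"/*) ;;  # only mountpoints under the caller's own home directory
        *) echo "mountpoint must be under $home, got '$mp'" >&2; return 1 ;;
    esac
    case "/$share/$mp/" in
        */../*) echo "'..' path components are not allowed" >&2; return 1 ;;
    esac
    [ -d "$mp" ] || { echo "mountpoint '$mp' is not a directory" >&2; return 1; }
    # Same options, in the same order, as the manual mount.cifs invocation above
    printf 'rw,soft,sec=krb5,uid=%s,file_mode=0700,dir_mode=0700\n' "$user"
}

# cifs_mount SHARE MOUNTPOINT: run (or, with DRY_RUN=1, print) the mount,
# keeping the share / mountpoint / -o order that mount.cifs expects
cifs_mount() {
    opts=$(cifs_mount_opts "$1" "$2") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s %s -o %s\n' "$MOUNT_CIFS" "$1" "$2" "$opts"
    else
        "$MOUNT_CIFS" "$1" "$2" -o "$opts"
    fi
}

# Stand-alone use: two arguments, share and mountpoint
if [ $# -eq 2 ]; then
    cifs_mount "$1" "$2"
fi
```

Because uid= is taken from id -un rather than from the command line, a user cannot ask for files to appear owned by somebody else, and because the mountpoint must already exist under their own home directory the wrapper never creates or touches paths elsewhere.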

Bibliography
