Linux integration with Active Directory

From DCEwiki

Whatever we may think of Microsoft Active Directory, it is a widely used system for managing computers. It works, and it can be used for authentication and authorisation of both Windows and Linux hosts.

There are several ways to integrate a Linux system into AD [1]. When direct integration is chosen, one of the following methods may be used, depending on whether the computer joins the domain or not.

  • Computer is domain member
    • Samba4 + winbind
    • SSSD
    • SSSD + realmd
  • Computer is not domain member
    • LDAP + Kerberos
    • SSSD

Samba + winbind

LDAP + Kerberos

LDAP is used to obtain account information (UID, GID, home directory, shell) and Kerberos to authenticate the user. The former is handled by libnss-ldap, the latter by libpam-krb5. In this setup the machine is not a domain member, so the directory is read with a dedicated bind account rather than with the machine's own credentials.

  1. Install the required packages: libnss-ldap, libpam-krb5
  2. Configure /etc/libnss-ldap.conf
  3. Configure /etc/krb5.conf
  4. Configure /etc/nsswitch.conf

libnss-ldap.conf

# Replace windc.example.com with your Windows DC.
# ldap:// sends the bind password and all directory data in clear text;
# prefer ldaps://windc.example.com/ (port 636), or add "ssl start_tls"
# together with tls_cacertfile and "tls_checkpeer yes" so the DC
# certificate is validated.
uri ldap://windc.example.com/

base dc=example,dc=com
ldap_version 3

# Add a dedicated user to AD that can only read the container holding
# the users you want to use. This file must be readable by every local
# process that resolves names, so treat bindpw as known to all local
# users: give the account no rights beyond reading. On Debian, a more
# privileged bind for root alone can go into rootbinddn with the
# password in /etc/libnss-ldap.secret (mode 0600).
binddn ldap-connect@example.com
bindpw ldapconnectpassword

scope sub
timelimit 30

# Only entries with objectClass user are treated as accounts.
pam_filter objectclass=User

# Users log in with the AD logon name (sAMAccountName).
pam_login_attribute sAMAccountName
pam_lookup_policy yes

# Change cn=Users,dc=example,dc=com to the container holding your users.
nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_base_shadow cn=Users,dc=example,dc=com?sub
nss_base_group  cn=Users,dc=example,dc=com?sub

# Attribute mapping for accounts carrying Services for Unix (MSSFU)
# attributes: AD stores the POSIX data under its own names, so the
# RFC 2307 names used by NSS are mapped onto the AD ones. Attributes
# whose AD name already matches are left commented out.
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
#nss_map_attribute uid uid
nss_map_attribute uniqueMember primaryGroupID
#nss_map_attribute uidNumber uidNumber
#nss_map_attribute gidNumber gidNumber
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute cn sAMAccountName

krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM
# Prefer AES. The original list (arcfour-hmac-md5 des-cbc-crc des-cbc-md5
# des3-hmac-sha1) contains single DES, which MIT Kerberos refuses unless
# allow_weak_crypto = true (and dropped entirely in 1.18) and which AD
# domain controllers no longer issue by default. Keep RC4 at the end of
# the list only while legacy accounts still need it; if the lines are
# omitted altogether, the library defaults are already AES first.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
# Maximum tolerated clock difference to the KDC, in seconds. AD rejects
# requests outside it, so keep the host's time in sync with the DCs.
clockskew = 300

[realms]
EXAMPLE.COM = {
   # Several kdc lines give fail-over between domain controllers.
   kdc = windc.example.com
   kdc = windc2.example.com
   default_domain = example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

[logging]
# The directory must exist; libkrb5 does not create it.
default = FILE:/var/log/kerberos/krb5libs.log
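The two fragments above are exactly the places where a reviewer would look first: a cleartext ldap:// URI with the bind password in a world-readable file, and DES/RC4 in the Kerberos enctype lists. The following Python script is an added example, not code from the page or from the libnss-ldap/MIT Kerberos projects: it parses constructed copies of the page's own fragments, flags those settings, and shows that hardened variants (LDAPS with certificate checking, AES-only enctypes; the CA file path is an assumption) pass clean.

```python
"""Audit libnss-ldap.conf / krb5.conf fragments for weak transport and enctypes.

Added example, not code from the page: the configs are constructed copies
of the page's fragments; the hardened variants are the editor's assumptions.
"""
import re

# Constructed: the page's libnss-ldap.conf, cut down to the relevant lines.
LIBNSS_LDAP_CONF = """\
uri ldap://windc.example.com/
base dc=example,dc=com
binddn ldap-connect@example.com
bindpw ldapconnectpassword
"""

# Constructed hardened variant: LDAPS with the DC certificate validated
# (the CA file path is an assumption).
LIBNSS_LDAP_CONF_HARDENED = (LIBNSS_LDAP_CONF.replace("ldap://", "ldaps://")
                             + "ssl on\ntls_checkpeer yes\n"
                             + "tls_cacertfile /etc/ssl/certs/ad-ca.pem\n")

# Constructed: the page's krb5.conf [libdefaults] with RC4 and DES.
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
clockskew = 300
"""

# Constructed hardened variant: AES only.
KRB5_CONF_HARDENED = KRB5_CONF.replace(
    "arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1",
    "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")

# Single DES and export RC4: refused by MIT Kerberos since 1.7 unless
# allow_weak_crypto = true, removed entirely in 1.18, and not issued by
# current AD domain controllers by default.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw",
                 "des3-cbc-raw", "arcfour-hmac-exp", "arcfour-hmac-md5-exp"}
# Deprecated but still accepted: flag them so they are kept only on purpose.
DEPRECATED_ENCTYPES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac",
                       "des3-hmac-sha1", "des3-cbc-sha1"}


def parse_kv(text):
    """Parse 'key value' and 'key = value' lines; skip comments and [sections]."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)$", line)
        if m:  # later duplicates overwrite earlier ones; fine for an audit
            conf[m.group(1).lower()] = m.group(2).strip()
    return conf


def audit_libnss_ldap(text):
    """Return (severity, message) findings for a libnss-ldap.conf."""
    conf = parse_kv(text)
    findings = []
    uri = conf.get("uri", "")
    tls = conf.get("ssl", "no").lower() in ("on", "yes", "start_tls")
    if uri.startswith("ldap://") and not tls:
        findings.append(("high", "cleartext LDAP: bindpw and directory data cross "
                         "the wire unencrypted; use ldaps:// or ssl start_tls"))
    if (uri.startswith("ldaps://") or tls) and conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append(("high", "TLS without tls_checkpeer yes: any certificate is "
                         "accepted, so a rogue DC can collect the bind password"))
    if "bindpw" in conf:
        findings.append(("info", "bindpw sits in a file every local user can read; "
                         "the bind account must be read-only"))
    return findings


def audit_krb5(text):
    """Return (severity, message) findings for the [libdefaults] enctype lists."""
    conf = parse_kv(text)
    findings = []
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for enctype in re.split(r"[\s,]+", conf.get(key, "")):
            if enctype in WEAK_ENCTYPES:
                findings.append(("high", f"{key}: {enctype} is single DES or export RC4"))
            elif enctype in DEPRECATED_ENCTYPES:
                findings.append(("warn", f"{key}: {enctype} is deprecated; prefer AES"))
    if conf.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append(("high", "allow_weak_crypto = true re-enables DES host-wide"))
    return findings


if __name__ == "__main__":
    for name, text, audit in (("libnss-ldap.conf", LIBNSS_LDAP_CONF, audit_libnss_ldap),
                              ("krb5.conf", KRB5_CONF, audit_krb5)):
        print(f"== {name}")
        for severity, message in audit(text):
            print(f"[{severity}] {message}")
```

Run against the real files with `python3 audit.py` after replacing the constructed strings by `open("/etc/libnss-ldap.conf").read()` and `open("/etc/krb5.conf").read()`. The bindpw finding is informational on purpose: libnss-ldap cannot avoid a readable credential, so the control is the privilege of the bind account, not the file mode.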

If your AD trusts an external Kerberos realm and you want users to be able to log in with accounts from more than one realm, PAM has to be configured as well, with one pam_krb5 line per realm. In our case we set /etc/pam.d/common-auth as follows:

# here are the per-package modules (the "Primary" block)
# success=N skips the next N rules, so every success below lands on the
# final pam_permit.so; default=ignore lets a realm that does not know the
# user fall through to the next rule without recording a failure. Recount
# the jumps whenever a rule is added or removed: a jump past the end of
# the stack is a "bad jump" that Linux-PAM turns into a failure.
auth    [success=3 default=ignore]      pam_krb5.so realm=EXAMPLE.ORG minimum_uid=1000
# use_first_pass reuses the password typed for the first rule instead of
# prompting again; minimum_uid keeps local system accounts away from
# Kerberos altogether.
auth    [success=2 default=ignore]      pam_krb5.so realm=EXAMPLE.COM minimum_uid=1000 use_first_pass
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
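The `success=N` arithmetic in a stack like this is easy to get wrong when a rule is later added or removed. The following Python script is an added example, not from the page or from Linux-PAM: it parses a constructed copy of the common-auth above, resolves where every `success=N` lands under Linux-PAM's rule (the target is the rule N places after the next one), and checks that each jump ends on the priming pam_permit.so rather than past the end of the stack or on pam_deny.so. The second stack is a constructed variant in which the pam_unix line was removed and only one of the two jumps was recounted.

```python
"""Resolve the success=N jumps in a PAM auth stack like the one above.

Added example, not from the page: COMMON_AUTH is a constructed copy of the
page's /etc/pam.d/common-auth, BROKEN_AUTH a constructed variant in which
the pam_unix rule was removed but the first jump was not recounted.
"""
import re

COMMON_AUTH = """\
# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_krb5.so realm=EXAMPLE.ORG minimum_uid=1000
auth    [success=2 default=ignore]      pam_krb5.so realm=EXAMPLE.COM minimum_uid=1000 use_first_pass
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# Constructed: pam_unix removed, second jump fixed to success=1, first not.
BROKEN_AUTH = """\
auth    [success=3 default=ignore]      pam_krb5.so realm=EXAMPLE.ORG minimum_uid=1000
auth    [success=1 default=ignore]      pam_krb5.so realm=EXAMPLE.COM minimum_uid=1000 use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# facility, control ([...] form or a single keyword), module, arguments
RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, in stack order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m and m.group(1) == facility:
            rules.append((m.group(2), m.group(3), m.group(4)))
    return rules


def resolve_jumps(rules):
    """Map rule index -> index reached on success, for every success=N rule.

    Linux-PAM semantics: success=N returns ok and skips the next N rules,
    so execution continues at index + 1 + N.
    """
    targets = {}
    for i, (control, _, _) in enumerate(rules):
        m = re.search(r"\bsuccess=(\d+)", control)
        if m:
            targets[i] = i + 1 + int(m.group(1))
    return targets


def check_jumps(rules):
    """Every jump must land on the priming pam_permit.so rule.

    A jump past the end of the stack is reported by Linux-PAM as a bad
    jump and fails the stack; a jump onto pam_deny.so denies a user who
    has just authenticated successfully.
    """
    problems = []
    for i, target in resolve_jumps(rules).items():
        module = rules[i][1]
        if target >= len(rules):
            problems.append(f"rule {i} ({module}): success=N jumps past the end of the stack")
        elif rules[target][1] != "pam_permit.so":
            problems.append(f"rule {i} ({module}): success lands on {rules[target][1]}")
    return problems


if __name__ == "__main__":
    for name, text in (("common-auth", COMMON_AUTH), ("broken", BROKEN_AUTH)):
        rules = parse_stack(text)
        print(f"== {name}: {len(rules)} rules")
        for i, t in resolve_jumps(rules).items():
            landing = rules[t][1] if t < len(rules) else "(past end)"
            print(f"  rule {i} {rules[i][1]} -> rule {t} {landing}")
        for problem in check_jumps(rules):
            print("  PROBLEM:", problem)
```

Point it at the real file with `parse_stack(open("/etc/pam.d/common-auth").read())`. The check only covers the `success=N` jumps; `@include` lines and the other facilities (account, password, session) are outside its scope.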

nsswitch.conf

# Local files are consulted first, then the directory, so an account in
# /etc/passwd is never overridden by an AD entry of the same name.
passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files

# Resolving hosts and networks through LDAP is optional; drop "ldap" here
# if the directory holds no such entries, otherwise every name that
# misses in DNS also waits for an LDAP query.
hosts:          files dns ldap
networks:       files ldap

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

SSSD

Remarks

References

  1. Windows Integration Guide, Red Hat, 2015, online