RHEL4 authentication to Windows 2003 Active Directory
 

Hi,

I have a client who uses RHEL4 client PCs and I would like to configure their current Windows 2003 Active Directory to allow the linux clients to authenticate againt it.

I have seen truckloads of documents that show how to configure LDAP that talk about NIS, PAM, but they are all very complex and look far too involved. Red Hat claim that RHEL4 can authenticate against Active Directory so I would have thought the process would be much simpler.

Coming from the Windows world, I'm seeing all of these mamoth Linux documents that have hundreds of configuration steps, it seems like it's too much to acomplish what is in Windows a simple task.

Does anyone know of a good tutorial or HowTo on how to configure RHEL4 to authenticate to Active Directory?

i have made a how-to guide for Authenticating against Active Directories using winbind for pop3. you should be able to follow it and it's reasonably simple, but you'll have to edit a different pam module, i'm not near my linux server at the moment so i can't tell you what module, but i think it's the '/etc/pam.d/system-auth' module. also pam module that is shown on the site requires a local unix user and a ADS user, so you might want to change it.

http://tlug.dnho.net/?q=node/146#comment-144

i have made a how-to guide for Authenticating against Active Directories using winbind for pop3. you should be able to follow it and it's reasonably simple, but you'll have to edit a different pam module, i'm not near my linux server at the moment so i can't tell you what module, but i think it's the '/etc/pam.d/system-auth' module. also pam module that is shown on the site requires a local unix user and a ADS user, so you might want to change it.

http://tlug.dnho.net/?q=node/146#comment-144

i'd suggest running threw this guide on a test machine with RHEL installed on it a few times so your sure you know what your doing before you try it out on an important machine, because if you mess with pam authentication you could lock yourself out of your own machine.

i'd suggest making up backup copy of any pam file before you change it

(cp /etc/pam.d/system-auth /etc/pam.d/system-auth.backup)

and if it does lock you out try and access your machine via ssh (putty is a good windows client), because the /etc/pam.d/sshd pam module wouldn't have been change.

(cp /etc/pam.d/system-auth.backup /etc/pam.d/system-auth) will reset your pam module to it's orginal configuration

I have around 40 Gentoo/Fedora/RHEL servers that authenticate with AD via nss_ldap/pam_ldap. If there's a need for a "how-to," I can write one up. It's not terribly difficult, but the devil in the little details.

EDIT: We're working on the RHEL4 set-up now, so it's not tested.

well you can see the one i've made above, if you think it's no clear, or not right then by all means, make your own and either post a link on this forum or just fill it out on this it on this forum. Everyone's different and people like find your instructions easier than other instructions.

Your solution uses winbind and POP3, I was referring to a pam_ldap setup. To each his own :) Just different methods of achieving the same goal.

yea? well i'd be interested in see how that works, so if you have the time, you should write the how to guide to it, if you don't i'll just rearch it on my own

Authenticate Linux against AD
 

This is from a Wiki page I created on our company intranet. It's not finished, but I've tried to mark those sections as (not finished). We are going to be testing RHEL4 soon, so I can't comment how well this will work on that OS. I apologize if it's too simple, or not detailed enough. It's a work in progress and designed for Unix and Windows admins where I work who may or may not have any experience with LDAP. It also may have mistakes as I haven't gave it a good once-over.

There is one problem that I have with this. After you make this work, if you do a getent passwd, then you can see Microsoft Services For Unix's hash of the user's passwords. I'm still investigating ways to prevent this, but in the interem, I've aliased the getent command to a script that removes the hashes before displaying the results. My workaround is not a good solution, and doesn't provide any security.

If you find errors, have questions, etc., please post here. I'm subscribed, and removed linuxquestions.org from my spam filter ;) With the right versions of nss_ldap and pam_ldap, and a bit of PAM tweaking, these instructions should work on any server that uses PAM for authentication.
------
Make a backup of ANY file you plan to edit, and ALWAYS have at least one root terminal open (just in case).

Active Directory (not finished)
Allow Anonymous Reads to the AD or create a bind user (prefer bind user)

Install MS Services for Unix (not finished)
www.microsoft.com/sfu/
Install NIS services to update the schema, then disable the NIS server

Install MS Certificate Server (not finished)
This will let AD use SSL

Packages for Linux
Fedora - nss_ldap (Works with version 234-4, does NOT work with version 220)
Gentoo - pam_ldap, nss_ldap (Tested with Gentoo 2005.1)

Older versions of nss_ldap and pam_ldap had bugs that prevented them from working with AD. It's recommended you get the latest stable version.

ldap.conf
On most systems, the LDAP configuration is located in /etc/openldap/ldap.conf and the NSS_LDAP/PAM_LDAP stuff is in /etc/ldap.conf. Our example domain is, surprise, example.com

Here are some of the important things to be configured in /etc/ldap.conf

Base
Because an LDAP server is heirarchal, and can contain many domains, The base variable tells LDAP what base container you will be searching. Because user account information in contained in the Users container in our Active Directory domain, you will set your base to
If your server authenticates for a sub-domain, for example, adserver.subdomain.example.com, then your base variable should be set to
Host
The host variable is exactly that, the fully qualified domain name (fqn) or IP address of the Active Directory you wish to authenticate against. If you enable SSL (highly recommended), you will have to use the fqdn.
For redundancy, OpenLDAP allows you to have multiple hosts separated by a space. Failover timeout depends on if your LDAP libraries allow you to set a timeout using the bind_timelimit variable.
Scope
SSL
The use of SSL is STRONGLY encouraged. If SSL is not enabled, you will not be able to use the passwd command to change your Active Directory password from Linux. It's worth the extra effort.

To enable SSL, simply change the value of the ssl variable to yes.
The TLS_CACERT variable is required if you have a self-signed cert or a cert issued by your own CA. This should point to the issuing CA's certificate. You will need to convert the certificate to PEM format. WARNING!!!! This file must be world readable... i.e. don't stick it in /root/ or you will get the infamous "I have no name!" problem.
Bind User
If you don't wish to enable anonymous browsing of your Active Directory, you will need to create a user to bind with in order to use PAM_LDAP. Although this may seem more secure, the ldap.conf file must be readable by world which exposes the bind user's password to everyone. This is the recommended method. The bind user will need to have the rights to view the Active Directory.
Root Bind DN
This is the user that root will bind as. The password is stored in the same directory as ldap.conf in a file called ldap.secret. I'd recommend commenting/leaving it out unless you absolutely need it. I don't like the idea of keeping an administrator password in a clear-text file... even if it's only readable by root.
Active Directory Mappings
In order to make PAM_LDAP talk to Active Directory, you must map the normal (read: the universal non-Microsoft) LDAP name for Unix attributes to their equivalent Active Directory names. The details of these mappings are beyond the scope of this document, however they are required for PAM_LDAP/Active Directory integration.
The nss_base_passwd, nss_base_shadow, and nss_base_group will all need to be changed to suit your enviroment. In general, you can just use the value of the base variable. The example assume a server in the domain example.com. If your Active Directory authenticates for a sub-domain, you will need to adjust accordingly. For example, if your server is called mydc.subdomain.example.com, then these mappings will be
Example OpenLDAP Configuration File
SSL PEM file Howto
Converting the Active Directory CA Certificate to the pem format

If your Active Directory server doesn't have certificate from Verisign, Thawte, etc., then you will need to import the CA Certificate from you CA server. If you are running Microsoft Certificate Server on your Active Directory server, you can download the CA cert from http://youractivedirectoryserver.you....com/certsrv/. You will need to convert the certificate from DER format to PEM format using the following command
Save this file in the same place as specified in the TLS_CACERT variable.

NSS_LDAP
The following is an example of an /etc/nsswitch.conf that uses pam_ldap
System-Auth
NOTE: We use pam_stack so that everything in pam.d refers to system-auth for simplicity. If you don't use pam_stack, then you'll need to adjust accordingly. Note the use of pam_mkhomedir to automagically create user directories, it makes things simpler.

In /etc/pam.d/system-auth we have

Fedora:
Gentoo: (debug is on for testing)

hi there,

i followed your how-to guide, that is great by the way, and i can authincate against Active directory using the pam ldap module. but i was wondering if there was a way to just allow users from first, second and third OU to be able to logon to the system. and deny users from the fourth?

ou=first,dc=example,dc=com
ou=second,dc=example,dc=com
ou=third,dc=example,dc=com
ou=fourth,dc=example,dc=com

Hmm.... I haven't tried to do that, so I really don't know.

If you use a bind user, perhaps you could deny the permission to the bind user on that specific container?

I'll see if I can't come up with something on my test machine.


EDIT: Apparently, pam_ldap has a filter option, this may be a possible solution?

I do have this setup myself.
It does work smoothly but it's not perfect yet.

according to padl.com both pam_ldap and nss_ldap do support the simple application security layer (sasl).
but somehow I can't get it to work. Just after I authenticated (common-auth -> pam_krb) to the Active Directory (tgt present) ldap should use the kerberod creditentials to bind to the AD for account information retrieval.

Of course the simple bind solution may use SSL/TLS so there's no plain text password in the wire but it still is on the local harddisk.

Does anyone have a working fully kerberized way to authenaticate against AD?


regards, RS

Kerberos authentication from Apache
 

I don't know of a way to do a pam-based version of kerberos, but Microsoft actually has one how to do it from Apache in KB article 555092 (sorry, the board won't let me post the link.)

Randy

You mentioned that "I have no name!" problem.... well, I am having it. Through a variety of different sources I finally have authentication working to LDAP (not using AD, but same general thing..).. and pam_mkhomedir creates a home directory for the users, but the bash prompt shows up like so... "I have no name!@machine"

Now, using 'getent passwd username' it returns the proper information, including username, uid/gid, full name, homedir, and login shell.. now, I DO have the login shell setup as a symbolic link, because our LDAP infrastructure is based on solaris and so the homedir/loginshell is different..

Any ideas on how to get this to work properly? Thanks!

Hi,

I don't know if it applies to your problem but I had the same thing on a Ubuntu system and fixed it by chmod 644 /etc/libnss-ldap.conf


//jonas

I'm gonna check out that how-to tomorrow, thank you sooooo much.

I tried the winbind solution and had a problem with it. Please correct me if I'm wrong, but winbind generates a different uid for each machine you're logged into. So cross mounting home directories didn't work so well.

I came to the conclusion (after much reading) that the way to go with network logons in linux was kerberos/ldap. I looked into all the OpenLDAP documents I could find, and I was like, why can't I just use my AD infrastructure instead of running another LDAP server and another Kerberos server. From my dealings with winbind, the kerberos setup is the same and it worked fine.

This past weekend I installed a test windows 2003 R2 server and made it a DC and installed the SFU package that it comes with. The other thing I installed was ADAM, becasue I'm thinking that if I have to replace all of the NIS maps (well the automount maps, at least), I could just import the nis schema to ADAM. Yes, I know that ADAM is another LDAP server, which I was trying to get away from but I think it will be slightly easier to manage.