LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices

Reply
 
Search this Thread
Old 10-11-2005, 06:22 AM   #1
rtkaczyk
LQ Newbie
 
Registered: Oct 2005
Location: Brisbane
Distribution: Red Hat
Posts: 2

Rep: Reputation: 0
Post RHEL4 authentication to Windows 2003 Active Directory


Hi,

I have a client who uses RHEL4 client PCs and I would like to configure their current Windows 2003 Active Directory to allow the linux clients to authenticate againt it.

I have seen truckloads of documents that show how to configure LDAP that talk about NIS, PAM, but they are all very complex and look far too involved. Red Hat claim that RHEL4 can authenticate against Active Directory so I would have thought the process would be much simpler.

Coming from the Windows world, I'm seeing all of these mamoth Linux documents that have hundreds of configuration steps, it seems like it's too much to acomplish what is in Windows a simple task.

Does anyone know of a good tutorial or HowTo on how to configure RHEL4 to authenticate to Active Directory?
 
Old 10-11-2005, 08:56 PM   #2
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Rep: Reputation: 30
i have made a how-to guide for Authenticating against Active Directories using winbind for pop3. you should be able to follow it and it's reasonably simple, but you'll have to edit a different pam module, i'm not near my linux server at the moment so i can't tell you what module, but i think it's the '/etc/pam.d/system-auth' module. also pam module that is shown on the site requires a local unix user and a ADS user, so you might want to change it.

http://tlug.dnho.net/?q=node/146#comment-144
 
Old 10-11-2005, 09:02 PM   #3
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Rep: Reputation: 30
i have made a how-to guide for Authenticating against Active Directories using winbind for pop3. you should be able to follow it and it's reasonably simple, but you'll have to edit a different pam module, i'm not near my linux server at the moment so i can't tell you what module, but i think it's the '/etc/pam.d/system-auth' module. also pam module that is shown on the site requires a local unix user and a ADS user, so you might want to change it.

http://tlug.dnho.net/?q=node/146#comment-144

i'd suggest running threw this guide on a test machine with RHEL installed on it a few times so your sure you know what your doing before you try it out on an important machine, because if you mess with pam authentication you could lock yourself out of your own machine.

i'd suggest making up backup copy of any pam file before you change it

(cp /etc/pam.d/system-auth /etc/pam.d/system-auth.backup)

and if it does lock you out try and access your machine via ssh (putty is a good windows client), because the /etc/pam.d/sshd pam module wouldn't have been change.

(cp /etc/pam.d/system-auth.backup /etc/pam.d/system-auth) will reset your pam module to it's orginal configuration
 
Old 10-13-2005, 02:44 PM   #4
Bleunique
LQ Newbie
 
Registered: Oct 2005
Posts: 8

Rep: Reputation: 0
I have around 40 Gentoo/Fedora/RHEL servers that authenticate with AD via nss_ldap/pam_ldap. If there's a need for a "how-to," I can write one up. It's not terribly difficult, but the devil in the little details.

EDIT: We're working on the RHEL4 set-up now, so it's not tested.

Last edited by Bleunique; 10-13-2005 at 02:46 PM.
 
Old 10-13-2005, 05:03 PM   #5
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Rep: Reputation: 30
well you can see the one i've made above, if you think it's no clear, or not right then by all means, make your own and either post a link on this forum or just fill it out on this it on this forum. Everyone's different and people like find your instructions easier than other instructions.
 
Old 10-13-2005, 05:32 PM   #6
Bleunique
LQ Newbie
 
Registered: Oct 2005
Posts: 8

Rep: Reputation: 0
Your solution uses winbind and POP3, I was referring to a pam_ldap setup. To each his own Just different methods of achieving the same goal.
 
Old 10-13-2005, 05:52 PM   #7
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Rep: Reputation: 30
yea? well i'd be interested in see how that works, so if you have the time, you should write the how to guide to it, if you don't i'll just rearch it on my own
 
Old 10-18-2005, 05:07 PM   #8
Bleunique
LQ Newbie
 
Registered: Oct 2005
Posts: 8

Rep: Reputation: 0
Authenticate Linux against AD

This is from a Wiki page I created on our company intranet. It's not finished, but I've tried to mark those sections as (not finished). We are going to be testing RHEL4 soon, so I can't comment how well this will work on that OS. I apologize if it's too simple, or not detailed enough. It's a work in progress and designed for Unix and Windows admins where I work who may or may not have any experience with LDAP. It also may have mistakes as I haven't gave it a good once-over.

There is one problem that I have with this. After you make this work, if you do a getent passwd, then you can see Microsoft Services For Unix's hash of the user's passwords. I'm still investigating ways to prevent this, but in the interem, I've aliased the getent command to a script that removes the hashes before displaying the results. My workaround is not a good solution, and doesn't provide any security.

If you find errors, have questions, etc., please post here. I'm subscribed, and removed linuxquestions.org from my spam filter With the right versions of nss_ldap and pam_ldap, and a bit of PAM tweaking, these instructions should work on any server that uses PAM for authentication.
------
Make a backup of ANY file you plan to edit, and ALWAYS have at least one root terminal open (just in case).

Active Directory (not finished)
Allow Anonymous Reads to the AD or create a bind user (prefer bind user)

Install MS Services for Unix (not finished)
www.microsoft.com/sfu/
Install NIS services to update the schema, then disable the NIS server

Install MS Certificate Server (not finished)
This will let AD use SSL

Packages for Linux
Fedora - nss_ldap (Works with version 234-4, does NOT work with version 220)
Gentoo - pam_ldap, nss_ldap (Tested with Gentoo 2005.1)

Older versions of nss_ldap and pam_ldap had bugs that prevented them from working with AD. It's recommended you get the latest stable version.

ldap.conf
On most systems, the LDAP configuration is located in /etc/openldap/ldap.conf and the NSS_LDAP/PAM_LDAP stuff is in /etc/ldap.conf. Our example domain is, surprise, example.com

Here are some of the important things to be configured in /etc/ldap.conf

Base
Because an LDAP server is heirarchal, and can contain many domains, The base variable tells LDAP what base container you will be searching. Because user account information in contained in the Users container in our Active Directory domain, you will set your base to
Code:
base    cn=Users,dc=example,dc=com
If your server authenticates for a sub-domain, for example, adserver.subdomain.example.com, then your base variable should be set to
Code:
base    cn=Users,dc=subdomain,dc=example,dc=com
Host
The host variable is exactly that, the fully qualified domain name (fqn) or IP address of the Active Directory you wish to authenticate against. If you enable SSL (highly recommended), you will have to use the fqdn.
Code:
host    adserver.example.com
For redundancy, OpenLDAP allows you to have multiple hosts separated by a space. Failover timeout depends on if your LDAP libraries allow you to set a timeout using the bind_timelimit variable.
Code:
host    ad1.example.com ad2.example.com
Scope
Code:
scope   sub
SSL
The use of SSL is STRONGLY encouraged. If SSL is not enabled, you will not be able to use the passwd command to change your Active Directory password from Linux. It's worth the extra effort.

To enable SSL, simply change the value of the ssl variable to yes.
Code:
ssl yes
The TLS_CACERT variable is required if you have a self-signed cert or a cert issued by your own CA. This should point to the issuing CA's certificate. You will need to convert the certificate to PEM format. WARNING!!!! This file must be world readable... i.e. don't stick it in /root/ or you will get the infamous "I have no name!" problem.
Code:
TLS_CACERT /etc/ssl/certs/adcert.pem
Bind User
If you don't wish to enable anonymous browsing of your Active Directory, you will need to create a user to bind with in order to use PAM_LDAP. Although this may seem more secure, the ldap.conf file must be readable by world which exposes the bind user's password to everyone. This is the recommended method. The bind user will need to have the rights to view the Active Directory.
Code:
binddn cn=binduser,cn=Users,dc=example,dc=com
bindpwd secret
Root Bind DN
This is the user that root will bind as. The password is stored in the same directory as ldap.conf in a file called ldap.secret. I'd recommend commenting/leaving it out unless you absolutely need it. I don't like the idea of keeping an administrator password in a clear-text file... even if it's only readable by root.
Code:
rootbinddn cn=administrator,cn=Users,dc=example,dc=com
Active Directory Mappings
In order to make PAM_LDAP talk to Active Directory, you must map the normal (read: the universal non-Microsoft) LDAP name for Unix attributes to their equivalent Active Directory names. The details of these mappings are beyond the scope of this document, however they are required for PAM_LDAP/Active Directory integration.
Code:
#
# Active Directory Mappings
#
pam_login_attribute     sAMAccountName
pam_filter              objectclass=User
pam_password            ad
nss_base_passwd         cn=Users,dc=example,dc=com
nss_base_shadow         cn=Users,dc=example,dc=com
nss_base_group          cn=Users,dc=example,dc=com
nss_map_objectclass     posixAccount    User
nss_map_objectclass     shadowAccount   User
nss_map_attribute       uid             sAMAccountName
nss_map_attribute       uidNumber       msSFU30UidNumber
nss_map_attribute       gidNumber       msSFU30GidNumber
nss_map_attribute       cn              sAMAccountName
nss_map_attribute       uniqueMember    member
nss_map_attribute       userPassword    msSFU30Password
nss_map_attribute       homeDirectory   msSFU30HomeDirectory
nss_map_attribute       loginShell      msSFU30LoginShell
nss_map_attribute       gecos           name
nss_map_objectclass     posixGroup      Group
The nss_base_passwd, nss_base_shadow, and nss_base_group will all need to be changed to suit your enviroment. In general, you can just use the value of the base variable. The example assume a server in the domain example.com. If your Active Directory authenticates for a sub-domain, you will need to adjust accordingly. For example, if your server is called mydc.subdomain.example.com, then these mappings will be
Code:
nss_base_passwd         cn=Users,dc=subdomain,dc=example,dc=com
nss_base_shadow         cn=Users,dc=subdomain,dc=example,dc=com
nss_base_group          cn=Users,dc=subdomain,dc=example,dc=com
Example OpenLDAP Configuration File
Code:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
# This file should be world readable but not world writable.
base    cn=Users,dc=example,dc=com
host    adserver.example.com
scope   sub
ssl yes
TLS_CACERT /etc/ssl/certs/adcert.pem
binddn cn=binduser,cn=Users,dc=example,dc=com
bindpwd mypassword
#rootbinddn cn=administrator,cn=Users,dc=example,dc=com

#
# Active Directory Mappings
#
pam_login_attribute     sAMAccountName
pam_filter              objectclass=User
pam_password            ad
nss_base_passwd         cn=Users,dc=example,dc=com
nss_base_shadow         cn=Users,dc=example,dc=com
nss_base_group          cn=Users,dc=example,dc=com
nss_map_objectclass     posixAccount    User
nss_map_objectclass     shadowAccount   User
nss_map_attribute       uid             sAMAccountName
nss_map_attribute       uidNumber       msSFU30UidNumber
nss_map_attribute       gidNumber       msSFU30GidNumber
nss_map_attribute       cn              sAMAccountName
nss_map_attribute       uniqueMember    member
nss_map_attribute       userPassword    msSFU30Password
nss_map_attribute       homeDirectory   msSFU30HomeDirectory
nss_map_attribute       loginShell      msSFU30LoginShell
nss_map_attribute       gecos           name
nss_map_objectclass     posixGroup      Group
SSL PEM file Howto
Converting the Active Directory CA Certificate to the pem format

If your Active Directory server doesn't have certificate from Verisign, Thawte, etc., then you will need to import the CA Certificate from you CA server. If you are running Microsoft Certificate Server on your Active Directory server, you can download the CA cert from http://youractivedirectoryserver.you....com/certsrv/. You will need to convert the certificate from DER format to PEM format using the following command
Code:
openssl pkcs7 -in activedirectory.cer -inform DER -out adcert.pem -outform PEM
Save this file in the same place as specified in the TLS_CACERT variable.

NSS_LDAP
The following is an example of an /etc/nsswitch.conf that uses pam_ldap
Code:
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
passwd:      files ldap compat
shadow:      files ldap compat
group:       files ldap compat
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
System-Auth
NOTE: We use pam_stack so that everything in pam.d refers to system-auth for simplicity. If you don't use pam_stack, then you'll need to adjust accordingly. Note the use of pam_mkhomedir to automagically create user directories, it makes things simpler.

In /etc/pam.d/system-auth we have

Fedora:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_
ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0
session     optional      /lib/security/$ISA/pam_ldap.so
Gentoo: (debug is on for testing)
Code:
auth required /lib/security/pam_env.so debug
#auth sufficient /lib/security/pam_ldap.so use_first_pass
auth sufficient /lib/security/pam_unix.so likeauth nullok nodelay debug
auth sufficient /lib/security/pam_ldap.so use_first_pass debug
auth required /lib/security/pam_deny.so debug

account sufficient /lib/security/pam_unix.so debug
account sufficient /lib/security/pam_ldap.so debug

password required /lib/security/pam_cracklib.so retry=3 debug
password sufficient /lib/security/pam_ldap.so use_authtok use_first_pass debug
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok debug
#password sufficient /lib/security/pam_ldap.so use_authtok use_first_pass
password required /lib/security/pam_deny.so debug

session required /lib/security/pam_limits.so debug
session optional /lib/security/pam_unix.so debug
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session optional /lib/security/pam_ldap.so debug

Last edited by Bleunique; 11-04-2005 at 10:30 AM.
 
Old 11-03-2005, 04:25 PM   #9
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Rep: Reputation: 30
hi there,

i followed your how-to guide, that is great by the way, and i can authincate against Active directory using the pam ldap module. but i was wondering if there was a way to just allow users from first, second and third OU to be able to logon to the system. and deny users from the fourth?

ou=first,dc=example,dc=com
ou=second,dc=example,dc=com
ou=third,dc=example,dc=com
ou=fourth,dc=example,dc=com
 
Old 11-03-2005, 04:48 PM   #10
Bleunique
LQ Newbie
 
Registered: Oct 2005
Posts: 8

Rep: Reputation: 0
Hmm.... I haven't tried to do that, so I really don't know.

If you use a bind user, perhaps you could deny the permission to the bind user on that specific container?

I'll see if I can't come up with something on my test machine.


EDIT: Apparently, pam_ldap has a filter option, this may be a possible solution?

Last edited by Bleunique; 11-03-2005 at 04:54 PM.
 
Old 11-09-2005, 05:05 AM   #11
montii
LQ Newbie
 
Registered: Nov 2005
Distribution: NLD9
Posts: 1

Rep: Reputation: 0
I do have this setup myself.
It does work smoothly but it's not perfect yet.

according to padl.com both pam_ldap and nss_ldap do support the simple application security layer (sasl).
but somehow I can't get it to work. Just after I authenticated (common-auth -> pam_krb) to the Active Directory (tgt present) ldap should use the kerberod creditentials to bind to the AD for account information retrieval.

Of course the simple bind solution may use SSL/TLS so there's no plain text password in the wire but it still is on the local harddisk.

Does anyone have a working fully kerberized way to authenaticate against AD?


regards, RS
 
Old 12-06-2005, 07:56 AM   #12
rwalton3
LQ Newbie
 
Registered: Dec 2005
Posts: 1

Rep: Reputation: 0
Kerberos authentication from Apache

I don't know of a way to do a pam-based version of kerberos, but Microsoft actually has one how to do it from Apache in KB article 555092 (sorry, the board won't let me post the link.)

Randy
 
Old 12-09-2005, 04:27 PM   #13
randomperson83
LQ Newbie
 
Registered: Dec 2005
Posts: 1

Rep: Reputation: 0
You mentioned that "I have no name!" problem.... well, I am having it. Through a variety of different sources I finally have authentication working to LDAP (not using AD, but same general thing..).. and pam_mkhomedir creates a home directory for the users, but the bash prompt shows up like so... "I have no name!@machine"

Now, using 'getent passwd username' it returns the proper information, including username, uid/gid, full name, homedir, and login shell.. now, I DO have the login shell setup as a symbolic link, because our LDAP infrastructure is based on solaris and so the homedir/loginshell is different..

Any ideas on how to get this to work properly? Thanks!
 
Old 01-20-2006, 08:38 AM   #14
jonas_larson
Member
 
Registered: Jul 2003
Location: Stockholm, Sweden
Distribution: RH9
Posts: 37

Rep: Reputation: 15
Hi,

I don't know if it applies to your problem but I had the same thing on a Ubuntu system and fixed it by chmod 644 /etc/libnss-ldap.conf


//jonas
 
Old 02-27-2006, 08:54 PM   #15
tohmeiphun
LQ Newbie
 
Registered: Oct 2004
Location: Boston
Distribution: all of 'em
Posts: 8

Rep: Reputation: 0
I'm gonna check out that how-to tomorrow, thank you sooooo much.

I tried the winbind solution and had a problem with it. Please correct me if I'm wrong, but winbind generates a different uid for each machine you're logged into. So cross mounting home directories didn't work so well.

I came to the conclusion (after much reading) that the way to go with network logons in linux was kerberos/ldap. I looked into all the OpenLDAP documents I could find, and I was like, why can't I just use my AD infrastructure instead of running another LDAP server and another Kerberos server. From my dealings with winbind, the kerberos setup is the same and it worked fine.

This past weekend I installed a test windows 2003 R2 server and made it a DC and installed the SFU package that it comes with. The other thing I installed was ADAM, becasue I'm thinking that if I have to replace all of the NIS maps (well the automount maps, at least), I could just import the nis schema to ADAM. Yes, I know that ADAM is another LDAP server, which I was trying to get away from but I think it will be slightly easier to manage.
 
  


Reply

Tags
directory, ldap, password


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Active Directory Authentication zenix Suse/Novell 29 03-22-2007 10:00 AM
connecting samba to a windows 2003 active directory domain Jcrofton Linux - Networking 8 09-17-2006 06:07 PM
Authenticating Linux against Windows 2003 Active Directory Builder Linux - Enterprise 26 08-30-2005 03:56 AM
active directory authentication mozilla Linux - Networking 2 02-21-2005 04:55 AM
Slackware Linux and Windows 2003 Server Active Directory..HOW TO? Synick_ Linux - Networking 0 05-14-2004 06:24 AM


All times are GMT -5. The time now is 02:30 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration