LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-23-2005, 02:49 PM   #1
bret
Location: SLC, Utah
Distribution: RHEL 4, RHEL 5
cannot authenticate to AD after Kerberos client install


I would like to be able to authenticate to Active Directory from Linux, rather than use the local /etc/passwd method. I have set up the client install for Kerberos on SuSE Linux 9.1 ES. I am able to bring up a command prompt and execute "kinit userid", and successfully authenticate to AD.

I did the standard install through Yast.
- I selected the Kerberos client install, and put in my domain, as well as my DNS, as asked. My /etc/security/pam_unix2.conf is as follows:

auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none

This file gets modified from the 'Yast Install Kerberos client'.

After rebooting the linux server, I cannot enter an AD userid (I get "Login failed"). I also get the following log entries in /var/log/messages

pam_krb5: unable to determine uid/gid for user
pam_krb5: authentication fails for 'xxxxxx'
pam_krb5: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)


I can only enter ids that exist in etc/local. Once logged in (using an /etc/passwd id) I can then run kinit and authenticate to AD. Any ideas how to get my linux server to allow initial authentication to AD from the login prompt?

Thanks in advance,

Bret

Last edited by bret; 12-23-2005 at 02:59 PM.
 
Old 12-24-2005, 01:31 AM   #2
sidmark-2850
You could run winbind on your system. Kerberos only authenticates users and does not provide user information like uid, gid, home directory, login shell, etc. Information on winbind can be found on www.samba.org.

You can also look up Services for Unix, as this will allow you to add Unix schema attributes into your Active Directory. This may not be desirable, as the schema attributes cannot be removed once the schema is extended.

Sid.
 
Old 01-09-2006, 11:45 PM   #3
Cabous
Location: South Africa
Distribution: SuSE 9.2
Got the same issues as you Bret

Bret;
Have you got this working by now? I can also use kinit fine but logging on is another story. Somehow authentication just doesn't go to the ADS server.

Thanks


Later
 
Old 01-10-2006, 01:19 AM   #4
live_dont_exist
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Wrong forum guys...this is a security forum ...a Samba forum should help you much better but still ..Yeah winbindd needs to be running ...

This is all you need in your /etc/krb5.conf :-

Code:
[root@arvind Perl]# more /etc/krb5.conf
[libdefaults]
 default_realm = xxxxx.NET
 
[realms]
 xxxxx.NET = {
  kdc = domaincontroller.xxxxx.net
  default_domain = xxxxx.NET
 }
 
[domain_realm]
        .kerberos.server = xxxxx.NET
If kinit is working then you need to run net ads join...to add your machine into the domain so you can access other Windows machines. You need domain admin rights to do this.

Cheers
Arvind
p.s....Try and move your thread out of here into a different forum. You'll get more help there...
 
Old 02-02-2006, 05:14 PM   #5
bret
Location: SLC, Utah
Distribution: RHEL 4, RHEL 5
Original Poster
Now it works! Here's what I did.

How to setup SuSE Linux authentication to use Active Directory

1) From the linux desktop, start YaST
2) Select [Networking Services]
a. Select [Kerberos Client]
i. Select radio button [Use Kerberos]
ii. Basic Kerberos Settings
1. Default Domain: YOURDOMAIN.COM
2. Default Realm: YOURDOMAIN.COM
3. KDC Server Address: windowsdc.yourdomain.com
4. CLICK [Finish]
(this dialog will modify /etc/krb5.conf)

3) From a command prompt
a. kinit userid (where userid is your 5 digit network id)
You will be prompted for your password
e.g. 12345@YOURDOMAIN.COM's Password:

your response will be:
kinit: NOTICE: ticket renewable lifetime is 1 week

4) Once you have verified the Kerberos client set-up is working, you will need to tie the linux login screen to Kerberos.
a. Edit the /etc/security/pam_unix2.conf file. Add the following lines:

auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none

5) Add user manually to /etc/passwd (make sure you use a unique uid!!!!)

12345:x:1002:100:Joe Geeko:/home/12345:/bin/bash

6) Create users home directory

cp -R /etc/skel /home/12345

7) Change ownership to new user

chown -R 12345. /home/12345

8) you can now logout and login with your new Active Directory credentials.

note: the userids I use are numeric, and must be added manually to /etc/passwd. If you have userids that don't start with a numeric, you will be able to use YaST or useradd.

I did not need to install winbind or samba. I also didn't need to do a net ads join.

These instructions are simply designed to allow you to use your AD user id to authenticate to linux.
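The steps above (krb5.conf in step 2, the passwd entry in step 5, the home directory in steps 6 and 7) and the "unable to determine uid/gid for user" failure from the first post both come down to one thing: the login name must exist in the local passwd database with a unique uid before pam_krb5 can finish. The following POSIX sh helpers are an added example, not code from the thread or from SuSE; the function names (render_krb5_conf, next_free_uid, add_passwd_entry, provision_home) and the sample realm values are my own. Every file path is a parameter, so the functions can be exercised on a scratch copy of /etc/passwd before being pointed at the real one, and the demo at the bottom does exactly that.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for the manual steps above,
# with the checks an administrator wants: a correctly named [domain_realm]
# section, refusal of duplicate login names or uids, a login name limited to
# safe characters, and a home directory closed to other users before chown.

# Step 2: emit a krb5.conf for REALM whose KDC is KDC (values supplied by the
# caller; the realm and host below are placeholders, not real servers).
# The mapping section is [domain_realm]; a misspelled section name is
# silently ignored by the Kerberos libraries rather than reported.
render_krb5_conf() {  # realm kdc
    realm=$1; kdc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    printf '[libdefaults]\n\tdefault_realm = %s\n\n' "$realm"
    printf '[realms]\n\t%s = {\n\t\tkdc = %s\n\t\tdefault_domain = %s\n\t}\n\n' \
        "$realm" "$kdc" "$domain"
    printf '[domain_realm]\n\t.%s = %s\n\t%s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# The check pam_krb5 failed on in the first post: does the passwd file know
# the login name at all? Exit status 0 if present.
passwd_has_user() {  # passwd_file name
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# Exit status 0 if the numeric uid is already taken.
passwd_has_uid() {  # passwd_file uid
    awk -F: -v u="$2" '$3 == u { found = 1 } END { exit !found }' "$1"
}

# Print the lowest unused uid in [min, max]; fail if the range is exhausted.
next_free_uid() {  # passwd_file min max
    awk -F: -v lo="$2" -v hi="$3" '
        { used[$3] = 1 }
        END {
            for (u = lo; u <= hi; u++) if (!(u in used)) { print u; exit 0 }
            exit 1
        }' "$1"
}

# Step 5: append one passwd entry. Refuses a duplicate name or uid, a login
# name outside [A-Za-z0-9._-], a non-numeric uid, and a GECOS containing
# ':' or a newline, any of which could inject extra fields or a second line.
add_passwd_entry() {  # passwd_file name uid gid gecos home shell
    file=$1; name=$2; uid=$3; gid=$4; gecos=$5; home=$6; shell=$7
    nl=$(printf '\n.'); nl=${nl%.}   # a literal newline for the pattern below
    case $name in
        ''|*[!A-Za-z0-9._-]*) echo "refusing login name '$name'" >&2; return 1 ;;
    esac
    case $uid in ''|*[!0-9]*) echo "uid must be numeric" >&2; return 1 ;; esac
    case $gecos in *:*|*"$nl"*) echo "gecos may not contain ':' or a newline" >&2; return 1 ;; esac
    passwd_has_user "$file" "$name" && { echo "user '$name' already exists" >&2; return 1; }
    passwd_has_uid "$file" "$uid" && { echo "uid $uid already in use" >&2; return 1; }
    printf '%s:x:%s:%s:%s:%s:%s\n' "$name" "$uid" "$gid" "$gecos" "$home" "$shell" >> "$file"
}

# Steps 6 and 7: copy the skeleton tree to HOME and hand it to UID:GID.
# Refuses to touch a directory that already exists (it may belong to someone
# else) and makes the tree owner-only before the ownership change.
provision_home() {  # skel home uid gid
    [ -e "$2" ] && { echo "$2 already exists, not touching it" >&2; return 1; }
    cp -R "$1" "$2" && chmod 700 "$2" && chown -R "$3:$4" "$2"
}

# Walk-through on scratch files when run as:  sh this_script.sh demo
demo() {
    work=$(mktemp -d) || exit 1
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/passwd"   # constructed sample
    mkdir "$work/skel" "$work/home" && echo 'umask 077' > "$work/skel/.profile"
    uid=$(next_free_uid "$work/passwd" 1000 60000)
    add_passwd_entry "$work/passwd" 12345 "$uid" 100 "Joe Geeko" "$work/home/12345" /bin/bash
    provision_home "$work/skel" "$work/home/12345" "$(id -u)" "$(id -g)"
    render_krb5_conf YOURDOMAIN.COM windowsdc.yourdomain.com
    cat "$work/passwd"; ls -la "$work/home/12345"
    rm -rf "$work"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Two design notes. The chown uses the explicit uid:gid form rather than the trailing-dot shorthand in step 7, so the group is chosen deliberately instead of defaulting to whatever the passwd line says. And the nullok option in the pam_unix2.conf lines above allows accounts whose password field is empty to log in; leave it out unless that is intended.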
 
  

