Authenticating Linux against Windows 2003 Active Directory
Hi all,
I'm reproducing a post that I made on Experts Exchange here as I'm hoping someone here might be able to help. I'm following the LanRx documents for getting AD authentication working, but I've run into a problem.
I'm trying to authenticate a Red Hat Enterprise Linux AS 3 server against a Windows 2003 Active Directory. I'm currently trying to use LDAP. I'm using Microsoft Services for Unix 3.5 on the Windows machine. Here is what I have done so far:
1. Installed nss_ldap-207-11.i386.rpm - This includes --enable-schema-mapping and --enable-rfc2307bis in the configure portion of the source RPM
2. Edited /etc/ldap.conf and set the following:
binddn cn=padl,cn=Users,dc=mydomain,dc=com
bindpw userpass
scope sub
ssl no
pam_password md5
nss_base_passwd cn=Users,dc=mydomain,dc=com?sub
nss_base_shadow cn=Users,dc=mydomain,dc=com?sub
nss_base_group cn=Users,dc=mydomain,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAcountName
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
pam_groupdn cn=unixusergroup,dc=mydomain,dc=com
3. Setup auth by using authconfig as follows:
Select LDAP for NSS information, select cache information, added the IP for the AD server, set the Base DN to cn=Users,dc=mydomain,dc=com
Select LDAP for authentication, use prepopulated fields from previous screen
Select OK and then edit /etc/pam.d/system-auth so that it looks as follows:
I'm not seeing any mention of pam_ldap in those messages. However, each time I try to log in, I see several new successful logins for the padl account in the Windows Event Viewer.
Can anyone either help me resolve this issue and get this working, or point me at a comprehensive howto that illustrates doing this with winbind? The problem as I understand it with using winbind is that you don't get consistent UID / GID information, or anything else that you would normally get from Microsoft Services for Unix. Is there a way to use winbind for authentication and then LDAP for information, maybe?
Hi Wayne,
I don't know if this will help, but I am out at a site where we were running Solaris and wanted to do something similar to you. We had to create a Kerberos Realm on the Windows 2003 Server and use Kerberos from Solaris to accomplish the authentication.
Again, I am not sure if this applies to your situation or not.
Originally posted by duliano: Hi Wayne,
I don't know if this will help, but I am out at a site where we were running Solaris and wanted to do something similar to you. We had to create a Kerberos Realm on the Windows 2003 Server and use Kerberos from Solaris to accomplish the authentication.
Again, I am not sure if this applies to your situation or not.
Good luck
Thanks for the response
I've got kerberos running, and I can do a kinit Administrator, and receive a ticket...
Once I've received that ticket, I can do a
net ads join
and once I've done that, I can see that a machine account for the machine is added to the AD server. However, I still can't use pam_ldap for ssh / console logins
Have you got that working at all? Or is that not something that you're trying to do?
I've still not been able to access the documents from LanRX. I have registered at the site multiple times, but have never received a reply with a user name/password. When I try to log in with an account I've created, I'm redirected back to the "create account" dialogue. Can anyone suggest what I'm doing wrong? Is there an alternate source for the documents?
If you tell me what your username is, I can make sure that your account is activated.
As far as an alternative source for the documents, in the near future, you will be able to get them at newsforge.com
I have created accounts as dbruso@abm.com and dbruso@pacbell.net. I appreciate your help. One of the benefits of working with open source products is "meeting" the community. Thanks a lot!
I think that I saw your e-mails bouncing back to me, for some reason.
I enabled your account. If you have more problems, e-mail me at Eric dot Anderson at LanRx dot com, and I will be happy to reset your password or whatnot.
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_base_passwd cn=Users,dc=our,dc=domain,dc=com?one
pam_password ad
This is the config taken from a securityfocus article.
I can now login as a user, and I can see AD users and groups when I do a getent passwd or getent group
The problem I now have is that a getent group shows the groups, but not the members, which is a problem for a number of reasons.
I've just tried the following command:
ldapsearch -H ldap://our.server.ip -x -D cn=padl,cn=Users,dc=our,dc=domain,dc=com -wOurPassword -b cn=Users,dc=our,dc=domain,dc=com -s sub "sAMAccountName=testgroup"
I get multiple msSFU30PosixMember attributes in the output of this command, one per user in the group, but the entry is as follows:
msSFU30PosixMember: CN=Wayne P,CN=Users,DC=our,DC=domain,DC=com
testgroup is a group that includes a user named waynep. getent group shows this group as follows (and does not include the user):
testgroup:x:10011:
Is there any way that I can have users being part of groups on the AD?
Originally posted by LanRx: I believe that I had that same problem, and that I resolved it by changing
nss_map_attribute uid sAMAccountName
to
nss_map_attribute uid uid
I discovered that when I was having a problem with the component requiring group membership to authenticate
Hmmm - that doesn't seem to work. In fact, it seems to stop authentication against the AD working altogether.
I made the change as advised, and once I had, getent passwd no longer showed AD users. Attempting to use users with su or ssh failed with
su: user waynep does not exist
and
check pass; user unknown
respectively.
I then tried changing the pam_login_attribute from sAMAccountName to uid as well, but that still didn't work.
I then reverted pam_login_attribute and nss_map_attribute uid to sAMAccountName and was able to login again, but the group situation was not resolved.
I then changed my approach slightly so that instead of looking for uid or short username (waynep instead of Wayne P) in the output of an ldapsearch on the group, I looked for group information in the ldap search output of the user.
In there, I see multiple lines starting with memberOf and listing the group name, e.g.
memberOf: CN=testgroup,CN=users,DC=our,DC=domain,DC=com
Is there any way to use that rather than the member list from the group info?
Or am I on the wrong track?
Just to summarise (as reading through my original post, this may not be clear), I want a user that authenticates against the AD to be part of multiple groups that should be maintained on the AD.
For example, when I do an id when logged in as waynep, I want to see
uid=10002(waynep) gid=10002(waynep_unixgroup) groups=10002(waynep_unixgroup),10011(testgroup)
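The mechanism behind both questions in this post (why the DN-valued msSFU30PosixMember entries come out of getent group as an empty member list, and whether the user's memberOf values can be used instead), as an added example that is not code from the thread or from nss_ldap. The directory entries below are constructed to mirror the ldapsearch output quoted above; the second member DN is made up to show what happens when a member DN cannot be resolved.

```python
# Added example, not code from the thread: how an rfc2307bis-style resolver
# turns DN-valued msSFU30PosixMember entries into the uid list that
# `getent group` prints, and the inverse lookup through a user's memberOf.
# DIRECTORY is constructed sample data mirroring the thread, not a real directory.
DIRECTORY = {
    "CN=Wayne P,CN=Users,DC=our,DC=domain,DC=com": {
        "sAMAccountName": ["waynep"],
        "msSFU30GidNumber": ["10002"],
        "memberOf": ["CN=testgroup,CN=users,DC=our,DC=domain,DC=com"],
    },
    "CN=testgroup,CN=Users,DC=our,DC=domain,DC=com": {
        "sAMAccountName": ["testgroup"],
        "msSFU30GidNumber": ["10011"],
        # DN-valued members, as ldapsearch showed; the second DN has no user entry
        "msSFU30PosixMember": ["CN=Wayne P,CN=Users,DC=our,DC=domain,DC=com",
                               "CN=Gone User,CN=Users,DC=our,DC=domain,DC=com"],
    },
}

# The nss_map_attribute lines from the thread, as a lookup table.
ATTR_MAP = {"uid": "sAMAccountName", "gidNumber": "msSFU30GidNumber",
            "uniqueMember": "msSFU30PosixMember"}

def _find(dn):
    """Fetch an entry by DN, case-insensitively (AD returned CN=users and CN=Users)."""
    return next((v for k, v in DIRECTORY.items() if k.lower() == dn.lower()), None)

def group_members(group_dn):
    """Resolve each member DN to its mapped uid, as an rfc2307bis resolver must.
    Returns (uids, unresolved); a DN with no entry or no uid attribute is dropped
    silently by nss_ldap, which is how an empty member list appears."""
    uids, unresolved = [], []
    for dn in DIRECTORY[group_dn].get(ATTR_MAP["uniqueMember"], []):
        entry = _find(dn)
        uid = entry.get(ATTR_MAP["uid"]) if entry else None
        (uids if uid else unresolved).append(uid[0] if uid else dn)
    return uids, unresolved

def getent_group_line(group_dn):
    """Format the group the way `getent group` prints it: name:x:gid:members."""
    g = DIRECTORY[group_dn]
    uids, _ = group_members(group_dn)
    return f"{g['sAMAccountName'][0]}:x:{g[ATTR_MAP['gidNumber']][0]}:{','.join(uids)}"

def groups_from_memberof(user_dn):
    """Inverse view from the user's memberOf DNs: gid numbers of resolvable groups."""
    gids = []
    for dn in DIRECTORY[user_dn].get("memberOf", []):
        entry = _find(dn)
        if entry and ATTR_MAP["gidNumber"] in entry:
            gids.append(int(entry[ATTR_MAP["gidNumber"]][0]))
    return gids
```

The unresolved list returned by group_members is the check worth running against a real directory: any member DN that does not resolve to an entry carrying the attribute mapped to uid will be missing from getent group output without any error being logged.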
Unfortunately, then, I'm going to have to wait to look into it further until I have my AD lab back up and running (which I have to have done within a matter of days, anyway). I'll try to pop back in and let you know what I find.