Active Directory Integration

From ArchWiki
Revision as of 14:59, 15 December 2006 by Moo-Crumpus (talk | contribs) (Requirements)
Jump to: navigation, search

HowTo Arch Linux as Active Directory Member

This guide explains how to include Archlinux into an existing Windows Active Directory.

WARNING

Having Backups of all modified files is recommended, as well as testing login before any rebooting. In the worst case, login will be broken for all users, including root - so be warned.

General

  • What you get:
    • Windows AD users & archlinux users are accepted archlinux box users, at the console or gdm
    • Windowes AD users can use Samba shares like Windows Shares.
  • What you won't get
    • Windows users are simply users on your machine. Possibly you can have Windows AD Admins to be linux admins, too. But this is not worked out so far in this HowTo.
    • Several other apps use authentication - like sudo, f.e. As far as they use PAM, it should be able to let them check against AD user accounts, too. But this is not worked out so far.

Requirements

  • Be a Windows Admin.
  • Be root.
  • Be able to work with linux without X.
  • Be able to edit files.
  • Note: There is no need to taint the AD with linux schemes.

Installation :

These packages are needed on the Arch machine:

  • Samba
  • Kerberos aka Heimdal
  • NTP

We´re starting to install those by using pacman:

  • pacman -Sy samba ntp heimdal

Now we can go on to the windows machine.

Windows AD Policy

It is necessary to disable "Digital Sign Communication (Always)" in the AD group policies. Dive into

'Local policies'
'Security policies'
'Microsoft Network Server'
'Digital sign communication (Always)'
and

  • activate "define this policy" and
  • use the "disable" radio button

Installation of Linux :

Kerberus - krb5.conf :

Configurate the file /etc/krb5.conf as following. We´re here counting on that our domain is called TEST.DK in the AD

# This is made to get this server to work under the domain TEST.DK  
  
[libdefaults]
default_realm = PDC.TEST.DK
clockskew = 300
ticket_lifetime = 1d
[realms]
PDC.TEST.DK = {
kdc = pdc1.test.dk
kdc = pdc2.test.dk
admin_server = pdc1.test.dk
}
 
[domain_realm]
.test.dk = PDC.TEST.DK
test.dk = PDC.TEST.DK


[logging]
default = SYSLOG:NOTICE:DEAMON
kdc = FILE:/var/log/kdc.log 
kadmin = FILE:/var/log/kadmin.log 

  
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}

WARNING: Don´t change your domain's name to any other thing then the name of your AD's forest. It should be the domain name you´re PDC is running with

P.S. your tickets is in use in this defined time, as defined above .

Now you shall edit the file /etc/hosts - So the machine knows where your pdc is no matter what.

192.168.X.X PDC.TEST.DK

Now you can request a ticket with the following command - with the domains naime part in upper case:

# kinit ADMINISTRATOR@PDC.TEST.DK
# password for ADMINISTRATOR@PDC.TEST.DK:

You´ll now be asked for the password as shown above: - if its the correct password – you´ll be returned to the console, which just means it works. There can be a problem about the clock on the machines – Therefor its important that the time is the same on both machines. To avoid this, the time can be synchronized with this command:

# /usr/bin/ntpdate pdc1.test.dk

You can also edit your /etc/ntp.conf like this:

server pdc1.test.dk
server pdc2.tet.dk

Now you have told your machines with machine its allowed to update time from.

PAM (login) :

Now we have to change /etc/pam.d/login so it sends its request to PDC. In case it has to check usernames and passwords, it will query the PDC:

#%PAM-1.0
auth    required        /lib/security/pam_securetty.so
auth    required        /lib/security/pam_nologin.so
auth    sufficient      /lib/security/pam_unix.so shadow md5 nullok likeauth
auth    required        /lib/security/pam_krb5.so use_first_pass

account required        /lib/security/pam_unix.so

password        required        /lib/security/pam_cracklib.so
password        required        /lib/security/pam_unix.so shadow md5 nullok use_authtok

session required        /lib/security/pam_unix.so
session optional        /lib/security/pam_krb5.so
session optional        /lib/security/pam_console.so

Now it should all work in theory, so if you try to log in to your server, you should be able to use a windows AD username and password.

Samba Configuration :

In here you can make a lot of strange things – So its a good thing to start reading at http://us3.samba.org/samba/ where you can get a lot of info about this. Here is what my smb.conf looks like:

[Global]
netbios name = Atlantis
workgroup = TEST
realm = TEST.DK
server string = Atlantis
map to guest = Bad User
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind gid = 10000-20000
winbind separator =+
os level = 20

 
# Theres no shell defined for users in AD, so I define a default shell to use
# Not sure if its even possible to define a shell in AD
template shell = /bin/bash

 
# Er sat til dette som default
; encrypt passwords = yes

 
# I denne "mode", vil Samba opføre sig som et medlem af domæne i et AD's realm. For at operere i denne "mode"
# skal maskinen der kører Samba have Kerberus installeret og konfigureret (/etc/krb5.conf) og dermed vil Samba
# tvinges til at joine AD's realm ved hjælp af internettet.
security = ads
password server = 192.168.X.X
preferred master = no
dns proxy = no
wins server = 192.168.X.X
wins proxy = no

 
# This should not be nessesary - BUT ???? 
admin users = @"NET+domain admins"

 
# secures that Samba only is listening to the cluster-service
interfaces = 192.168.0.0/255.255.255.0
bind interfaces only = yes

 
load printers = no
debug level = 3
use sendfile = no

 
[homes]
comment = User´s homedirs
path =/home/%U
# valid users = %S net+%S
browseable = no
read only = no

 
# Find ud af om disse er nødvendige  
force group = "NET+domain admins"
inherit acls = Yes
map acl inherit = Yes

 
# Accepts the users to change their rigths 
acl group control = yes

 
[data]  
comment = Data
valid users = %S net+%S
path = /data
read only = no
browseable = yes

 
[Back-up]
comment = Backup filer
path = /backup
read only = no
browseable = yes
valid users = @"NET+Domain Admins"

You can run a test if your configuration is good enough.

# testparm<pre>
Fix the errors and restart samba
<pre># /etc/rc.d/samba restart 

We shall now explain to Samba that it shall use the PDC´s database about the users.Here are we using winbind wich is a part of samba´s suite.Winbind maps the UID and GID in the PDC over on our Linux-machine. Winbind uses a Unix-implementation of RPC-calls,Pluggable Authentication Module(PAM) and Name Service Switch(NSS) to allowe windows domain and users to access and grant permissions on the Linux-machine. The best part of winbind is, that you don´t have to define the mapping yourself, but only define a range of UID and GID. That´s what we defined in smb.conf. You shall edit /etc/nsswitch.conf . Only the to lines as shown here:

passwd:            compat winbind
shadow:            compat winbind
group:             compat winbind

Note: nsswitch is a part of glib-package – be shure that changes is not updating – eller or remember to change it back. Else you´ll have big problems later on. Registrate your configurations and remember those with this command:

wbinfo ----seth-auth-user=UDBY\\administrator%password

Testing :

We can now test on several ways: First a test of Samba and Winbind conf:

/etc/rc.d/samba restart
/usr/sbin/winbindd

for some paranoids friends – we can test if winbinds is running correctly:

ps -aux | grep winbind

To test if we can get the info out of the PDC –

/usr/bin/wbinfo -u     eller wbinfo -u

We should not have a printet list of users in the PDC. We can do the same with our groups:

/usr/bin/wbinfo -g   eller wbinfo -g

We can use getent commands to get both the locale and the PDc userlist. These opetunities will generate a list of data – as /etc/passwd and /etc/group. It a good idea to test if AD´s users is valid on our Linux-server:

touch testfile $ chown ”TEST+Guest” testfile

If this works – Welldone – Then there´s no more problems.

Samba Server on the domain :

Some good commands !

# net ads info
LDAP server: 192.168.X.X
LDAP server name: win2003
Realm: TEST.DK
Bind Path: dc=TEST,dc=DK
LDAP port: 389
Server time: Wed, 01 Mar 2006 14:59:44 GMT
KDC server: 192.168.X.X
Server time offset: -7

# net ads lookup
# net ads status

Lets get on to the last part - to registrate our Linux-server on our Windows-domain

# net ads join -U Administrator
Administrator's password:
Using short domain name -- TEST
Joined 'MACHINE-NAME' to realm 'TEST.DK'

To check if it all is happend in the correct way – jump to your PDC and look in the AD under computers. There shold now be a record of your machine. And last - to leave to domain - the command is :

# net ads leave
Removed 'MACHINE-NAME' from realm 'TEST.DK'

More INFO:

Everything there is to know about Samba

Please feel free to comment this article - but if your edit this - PLEASE LET ME KNOW