Release:
RedHat Enterprise Linux 6
Windows Enterprise Server 2003 R2
Problem:
Need to log in to a Linux client using Windows Active Directory authentication via Kerberos and Samba winbind.
Solution:
Assumption:
Domain Name : MANSOOR.COM
AD Server IP Address : 192.168.122.25
AD Server Hostname : AKT-VPC
Linux Client IP Address : 192.168.122.59
Linux Client Hostname : AKT-VPC4
Step # 1 Install the required RPMs
# yum install krb5-libs pam_krb5 krb5-workstation samba-common samba-client samba-winbind
Step # 2 Add the domain server entry in the hosts file
# vi /etc/hosts
192.168.122.25 akt-vpc.mansoor.com akt-vpc
192.168.122.59 akt-vpc4.mansoor.com akt-vpc4
Step 3 # Set the name server IP address in the resolv.conf file
# vi /etc/resolv.conf
search mansoor.com
nameserver 192.168.122.25
Step 4 # Configure Kerberos for AD Integration:
Modify the /etc/krb5.conf file to enable Domain Controller authentication on Linux.
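# /etc/krb5.conf - client-side Kerberos configuration for the MANSOOR.COM realm.
# Kerberos tolerates only a small clock skew between client and KDC (5 minutes
# by default), so keep this host's clock synchronised with the domain controller.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Realm assumed when a principal is given without one (realm names are upper-case).
default_realm = MANSOOR.COM
# Locate the realm and its KDCs through DNS records; this is why
# /etc/resolv.conf must point at the AD DNS server (Step 3).
dns_lookup_realm = true
dns_lookup_kdc = true
# Requested TGT lifetime and renewal window (the KDC may cap both).
ticket_lifetime = 24h
renew_lifetime = 7d
# Forwardable TGTs can be delegated to remote hosts (e.g. by ssh); set to false
# if credential delegation is not needed.
forwardable = true

[realms]
MANSOOR.COM = {
# The AD domain controller (same host as the /etc/hosts entry in Step 2) serves
# as both KDC and admin server in this setup, so both names are in mansoor.com.
kdc = akt-vpc.mansoor.com
admin_server = akt-vpc.mansoor.com
default_domain = mansoor.com
}

[domain_realm]
# Map the DNS domain (and every host under it) to the Kerberos realm.
.mansoor.com = MANSOOR.COM
mansoor.com = MANSOOR.COM

[kdc]
# Read by a local KDC daemon only; harmless on a client.
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
# Settings read by pam_krb5 (Step 5); the lifetimes here are given in seconds
# (36000 s = 10 hours).
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}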
Step 5 # Configure PAM for AD Integration:
PAM needs to be configured to use Active Directory authentication. Edit the system-auth file as shown below.
# vi /etc/pam.d/system-auth
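#%PAM-1.0
# /etc/pam.d/system-auth - common stack for local (pam_unix), Kerberos (pam_krb5)
# and winbind (pam_winbind) users.
# NOTE: on RHEL 6 this file is a symlink to system-auth-ac, which authconfig
# regenerates; running authconfig-tui in Step 7 overwrites hand edits, so
# re-check this file afterwards.
#
# auth: local password first, then Kerberos, then winbind, each reusing the
# password already entered; pam_deny closes the stack.
auth        required      pam_env.so
# nullok permits local accounts with an empty password; remove it if that is
# not wanted.
auth        sufficient    pam_unix.so nullok try_first_pass
# Only non-system accounts (uid >= 500) go on to the network backends.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# user_unknown=ignore lets a user one backend does not know fall through to
# the next backend instead of failing.
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Create a missing home directory on first login (domain users get
# "template homedir" from smb.conf, Step 10).
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so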
Step 7 # Change the user information and authentication type to winbind using the "authconfig-tui" command. Note that authconfig regenerates /etc/pam.d/system-auth, so re-check the edits made in Step 5 afterwards.
# authconfig-tui
Do as shown below
Select Next
Select Join Domain
Select YES
Select OK (don’t give
any password)
Enter the
Administrator password: (provide the windows ads administrator password here)
Select OK
Output:
Joined domain
MANSOOR.
Starting Winbind
services:
[ OK ]
Step 8 # Restart the winbind service
# service winbind restart
# chkconfig --level 35 winbind on
Step 9 # To test the enumeration function of winbind, use the commands below.
# wbinfo -u            List all domain users
# wbinfo -g            List all domain groups
# getent passwd        Get the entries in the Linux database to check it is picking up domain users
# getent group         As above, but for domain groups
# wbinfo -a user%pass  Authenticate a (domain) username and password combination. A password given on the command line is visible in the process list and shell history; run "wbinfo -a user" and type the password at the prompt instead.
Step 10 # Samba configuration
# vi /etc/samba/smb.conf
# Samba/winbind settings for joining the MANSOOR.COM AD domain. These are
# global parameters and belong in the [global] section of /etc/samba/smb.conf.
# NetBIOS domain name and Kerberos realm (upper-case).
workgroup = MANSOOR
realm = MANSOOR.COM
# %v expands to the Samba version; the string is shown to clients in browse lists.
server string = Samba Server Version %v
# Authenticate against Active Directory with Kerberos; requires "realm" above.
security = ADS
# Domain controller used for authentication (the AD server from Step 2).
password server = akt-vpc.mansoor.com
# Older-style idmap range: UIDs/GIDs handed out to domain accounts. Keep it
# clear of any locally used UID/GID range.
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# Home directory and shell winbind assigns to every domain user (%U = user name).
# This gives all domain users an interactive shell; restrict who may log in
# elsewhere if needed (e.g. pam_access or sshd AllowGroups).
template homedir = /home/%U
template shell = /bin/bash
# Character between domain and user name (DOMAIN#user); the Samba default is "\".
winbind separator = #
# Required for "getent passwd/group" and "wbinfo -u/-g" (Step 9) to list domain
# accounts; enumeration is expensive on large domains.
winbind enum users = Yes
winbind enum groups = Yes
# Users of the MANSOOR domain log in without the domain prefix.
winbind use default domain = Yes
# Samba accepts Yes/No and true/false interchangeably; one style would read better.
winbind offline logon = false
# service smb restart
# chkconfig smb on
Step 10 # SSH configuration
Edit /etc/pam.d/sshd to use Winbind:
# vim /etc/pam.d/sshd
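#%PAM-1.0
# /etc/pam.d/sshd - RHEL 6 layout. The shared auth/account/password/session
# stack is /etc/pam.d/password-auth (generated by authconfig, Step 7) and is
# pulled in with "include"; pam_winbind is reached through that include, so
# sshd needs no winbind lines of its own.
# pam_stack.so (the pre-"include" way of nesting stacks) is not shipped with
# Linux-PAM on RHEL 6, and pam_console.so is not expected there either; a
# "required" line that names a missing module fails its whole stack (here the
# password stack), so both are left out.
auth        required      pam_sepermit.so
auth        include       password-auth
# pam_nologin belongs in the account phase, ahead of the include: a
# "sufficient" success inside an included stack ends that stack, so a check
# placed after the auth include would be skipped on every successful login.
account     required      pam_nologin.so
# pam_access (/etc/security/access.conf) is evaluated before the backend
# account checks so that a "sufficient" module cannot bypass it.
account     required      pam_access.so
account     include       password-auth
password    include       password-auth
session     include       password-auth
session     required      pam_limits.so
session     required      pam_loginuid.so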
# service sshd restart
# chkconfig sshd on
Step 11 # VSFTPD configuration
# vim /etc/pam.d/vsftpd
# Add the lines below
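# Lines to add to /etc/pam.d/vsftpd so FTP logins accept domain accounts.
# If the file already has pam_listfile (ftpusers deny list) or pam_shells
# lines, put these after them, not before: a "sufficient" success returns
# immediately and would bypass those checks. On RHEL 6 the stock file includes
# password-auth, which carries pam_winbind once authconfig (Step 7) has run,
# so these two lines may be redundant.
auth        sufficient    pam_winbind.so
account     sufficient    pam_winbind.so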
# chkconfig vsftpd on
# service vsftpd restart