ActiveDirectoryHowto

Revision 4 as of 2005-07-06 09:43:06


Active Directory from Microsoft is a directory service that builds on several open protocols, such as Kerberos, LDAP and SSL.

There are several ways to use AD for authentication: pam_krb5, LDAP or winbind. For winbind, see [ActiveDirectoryWinbindHowto].

Kerberos: pam_krb5

Configure AD:

For pam_krb5 you do not need to configure anything.

pam_krb5

    # apt-get install krb5-user libpam-krb5

Package info: krb5-user 1.3.4-4 (MIT Kerberos 5), libpam-krb5 1.0-8 (MIT Kerberos 5)

set up /etc/krb5.conf, e.g.

    [logging]
        default = FILE:/var/log/krb5lib.log

    [libdefaults]
        ticket_lifetime = 24000
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

    [realms]
        EXAMPLE.COM = {
            kdc = windc.example.com
            admin_server = windc.example.com
            default_domain = example.com
        }

    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

Replace windc.example.com with the IP address or FQDN of your Windows domain controller, and EXAMPLE.COM with your Kerberos realm, which is typically the domain name in uppercase.
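Most kinit failures at this step come from a realm that has no [realms] block, a [domain_realm] section that does not map to it, or a realm name in the wrong case. The following added example (not code from the how-to or from MIT Kerberos) parses a krb5.conf in the format shown above and reports those inconsistencies; as a hardening caveat it also flags the single-DES enctypes (des-cbc-crc and friends) in the enctype lists, which are deprecated and should be dropped once every domain controller supports stronger types. The SAMPLE text is constructed to mirror the configuration above.

```python
"""Check a krb5.conf before pointing pam_krb5 at an AD domain controller.

Added example for this how-to; not code from the page or from MIT Kerberos.
Assumptions: krb5.conf uses '[section]' headers, 'key = value' lines and
'NAME = { ... }' realm blocks; SAMPLE below is constructed to mirror the page.
"""
import re

# Single-DES enctypes are deprecated (RFC 6649); they are reported as a caveat.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'NAME = { ... }' blocks become nested dicts."""
    conf = {}
    stack = []  # stack[0] is the current section dict, stack[-1] the innermost block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key/value outside any section: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' at: %r" % raw)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected 'key = value': %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return conf


def check_krb5_conf(conf):
    """Return a list of findings; an empty list means the realm setup is consistent."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["libdefaults: default_realm is not set"]
    if realm != realm.upper():
        # Realm names are case-sensitive; for AD the realm is the domain name in uppercase.
        findings.append("default_realm %s is not uppercase" % realm)
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict):
        findings.append("realms: no block for %s" % realm)
    elif "kdc" not in realm_block:
        findings.append("realms: %s has no kdc entry" % realm)
    if realm not in conf.get("domain_realm", {}).values():
        findings.append("domain_realm: no domain is mapped to %s" % realm)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(libdefaults.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append("libdefaults: %s lists deprecated single-DES types: %s"
                            % (key, " ".join(weak)))
    return findings


# Constructed sample mirroring the how-to's krb5.conf (not a real site's config).
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = windc.example.com
        admin_server = windc.example.com
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    for finding in check_krb5_conf(parse_krb5_conf(SAMPLE)):
        print(" -", finding)
```

Run it against your own file with `check_krb5_conf(parse_krb5_conf(open("/etc/krb5.conf").read()))`; on the sample above the only findings are the two des-cbc-crc entries.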

Check that you can obtain a Kerberos ticket:

    # kinit user
    Password for user@EXAMPLE.COM: ...

    # klist
    Ticket cache: FILE:/tmp/krb5cc_1003
    Default principal: user@EXAMPLE.COM

    Valid starting     Expires            Service principal
    11/26/04 11:23:53  11/26/04 21:23:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM


    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

set up /etc/pam.d/common-auth, e.g.

    auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
    auth    sufficient      pam_unix.so likeauth nullok use_first_pass
    auth    required        pam_deny.so

set up /etc/pam.d/common-session, e.g.

    session required        pam_unix.so
    session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077

Note: kpasswd does not work for changing the password.

Note: The AD user has to exist in /etc/passwd on the Ubuntu workstation; alternatively, use libnss-ldap to fetch the account information from AD as well.

LDAP: libnss-ldap

Configure AD

It is necessary to extend the AD LDAP schema with the UNIX attributes; install "UNIX Services for Windows" from Microsoft (I used version 3.5). SFU: http://www.microsoft.com/windows/sfu/

libnss-ldap

Install libnss-ldap and the Name Service Cache Daemon (nscd) for better performance.

    # apt-get install libnss-ldap nscd

Package info: libnss-ldap 211-4, nscd 2.3.2-ds1-13ubuntu2

set up /etc/nsswitch.conf for ldap, e.g.

    passwd:      compat ldap
    shadow:      compat ldap
    group:       compat ldap

    hosts:       files dns
    networks:    files dns

    services:    db files
    protocols:   db files
    rpc:         db files
    ethers:      db files
    netmasks:    files
    netgroup:    files
    bootparams:  files

    automount:   files
    aliases:     files

set up /etc/libnss-ldap.conf, e.g.

    # Replace windc.example.com with your Windows DC
    uri ldap://windc.example.com/

    base dc=example,dc=com
    ldap_version 3

    # Add a user to AD that can read the container
    # holding the users you want to use.
    binddn cn=ldapreader,cn=Users,dc=example,dc=com
    bindpw cvfd123

    scope sub
    timelimit 30

    pam_filter objectclass=User

    pam_login_attribute sAMAccountName
    pam_lookup_policy yes

    # Change ou=User,dc=e... to the container holding your users.
    nss_base_passwd ou=User,dc=example,dc=com?sub
    nss_base_shadow ou=User,dc=example,dc=com?sub
    nss_base_group  ou=User,dc=example,dc=com?sub

    # For MSSFU:
    nss_map_objectclass posixAccount User
    nss_map_objectclass shadowAccount User
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uniqueMember member
    nss_map_attribute uidNumber msSFU30UidNumber
    nss_map_attribute gidNumber msSFU30GidNumber
    nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory msSFU30HomeDirectory
    nss_map_attribute loginShell msSFU30LoginShell
    nss_map_attribute gecos name
    nss_map_attribute cn sAMAccountName

Note: With this configuration the LDAP traffic is unencrypted and anyone on the network path can sniff it, including the simple bind with the bindpw above. To secure it, use SSL.

set up /etc/pam.d/common-auth

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.
    #
    auth    sufficient      pam_ldap.so
    auth    required        pam_unix.so nullok_secure use_first_pass

set up /etc/pam.d/common-account

    #
    # /etc/pam.d/common-account - authorization settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authorization modules that define
    # the central access policy for use on the system.  The default is to
    # only deny service to users whose accounts are expired in /etc/shadow.
    #
    account sufficient      pam_ldap.so
    account required        pam_unix.so
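The weak spots in the configurations above are easy to re-introduce later: a uri that slips back to plain ldap:// while a bindpw is still set (the note after libnss-ldap.conf), an empty-password local account slipping through `nullok` in the pam_krb5 common-auth stack, or a pam_unix line without use_first_pass after pam_ldap/pam_krb5 (harmless, but the user gets prompted twice). The following added example, which is not code from the how-to, nss_ldap or Linux-PAM, lints a libnss-ldap.conf and a PAM auth stack for exactly those points. It assumes the 'key value' format with '#' comments for libnss-ldap.conf and the 'type control module [args]' format for PAM; the sample texts are constructed to mirror the pam_krb5 common-auth, the libnss-ldap.conf and the pam_ldap common-auth shown on this page.

```python
"""Lint /etc/libnss-ldap.conf and a PAM 'auth' stack for the weak spots this
how-to warns about: cleartext LDAP, bind-password handling and nullok.

Added example for this page; not code from the how-to, nss_ldap or Linux-PAM.
Assumptions: libnss-ldap.conf uses 'key value' lines with '#' comments; the
PAM files use 'type control module [args]' lines; samples below are constructed.
"""


def parse_kv_conf(text):
    """Parse 'key value' lines into {key: [values]} (keys such as nss_map_attribute repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return conf


def lint_nss_ldap(conf):
    """Return findings for a parsed libnss-ldap.conf."""
    findings = []
    uri = " ".join(conf.get("uri", []))
    ssl = conf.get("ssl", [""])[0]
    encrypted = uri.startswith("ldaps://") or ssl in ("on", "start_tls")
    if not encrypted:
        findings.append("uri is plain ldap:// without 'ssl on' or 'ssl start_tls': "
                        "directory traffic crosses the network unencrypted")
        if "bindpw" in conf:
            findings.append("bindpw is sent as a simple bind over that cleartext "
                            "connection and can be sniffed")
    if "bindpw" in conf:
        findings.append("bindpw is stored in a file that NSS lookups from any local "
                        "process read: keep the bind account read-only with minimal rights")
    if "binddn" in conf and "bindpw" not in conf:
        findings.append("binddn is set without bindpw: the bind will fail")
    return findings


def parse_pam(text):
    """Parse PAM lines into (type, control, module, [args]) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def lint_pam_auth(entries):
    """Return findings for the 'auth' entries of a PAM stack."""
    findings = []
    saw_remote = False  # pam_ldap/pam_krb5 already asked for the password
    for mtype, _control, module, args in entries:
        if mtype != "auth":
            continue
        if module in ("pam_ldap.so", "pam_krb5.so"):
            saw_remote = True
        if module == "pam_unix.so":
            if "nullok" in args:
                findings.append("pam_unix.so nullok: local accounts with an empty "
                                "password can log in")
            if saw_remote and "use_first_pass" not in args:
                findings.append("pam_unix.so after pam_ldap/pam_krb5 without "
                                "use_first_pass: users are prompted twice")
    return findings


# Constructed samples mirroring the page's configurations (not real site data).
NSS_SAMPLE = """\
# Replace windc.example.com with your Windows DC
uri ldap://windc.example.com/
base dc=example,dc=com
ldap_version 3
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw cvfd123
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
"""
PAM_KRB5_SAMPLE = """\
auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
auth    sufficient      pam_unix.so likeauth nullok use_first_pass
auth    required        pam_deny.so
"""
PAM_LDAP_SAMPLE = """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass
"""

if __name__ == "__main__":
    for name, findings in (("libnss-ldap.conf", lint_nss_ldap(parse_kv_conf(NSS_SAMPLE))),
                           ("pam_krb5 stack", lint_pam_auth(parse_pam(PAM_KRB5_SAMPLE))),
                           ("pam_ldap stack", lint_pam_auth(parse_pam(PAM_LDAP_SAMPLE)))):
        print(name, "->", findings or "ok")
```

`nullok_secure` is deliberately not matched by the `nullok` check: it only permits empty passwords on the ttys listed in /etc/securetty, which is why the pam_ldap stack above reports nothing. Switching the sample uri to ldaps:// drops the two cleartext findings and leaves only the reminder about the bind account's rights.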

Other useful config files:

  • login.defs, nscd.conf

From: Guy Van Sanden (GuyVanSanden), Tue, 07 Jun 2005 13:34:50 +0100, Subject: Sudo

I'm using pam_krb5 against a MIT server. gksu(do) does not work with this module (because it queries your password with username@DOMAIN). Is there a way around this?