Authenticating Kerberos against Active Directory

Your /etc/pam.d/system-auth is generated by the authconfig command on a RHEL5 machine, though you may have to edit it by hand on other distributions. Note that nullok on the pam_unix.so lines lets accounts with an empty password field log in; remove it unless you actually need that:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

Your /etc/krb5.conf should look something like this. Kerberos rejects requests whose timestamp differs from the KDC's clock by more than clockskew (300 seconds below), so the system time must be accurate. Every realm named as default_realm or on the right-hand side of a [domain_realm] mapping needs its own block under [realms]; with dns_lookup_kdc = false the client has no other way to find a KDC for it.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.DOMAIN.EDU
 clockskew = 300
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 UFL.EDU = {
  kdc = DC01.AD.DOMAIN.EDU
  default_domain = DOMAIN.EDU
 }
 AD.DOMAIN.EDU = {
  kdc = ad.domain.edu
  admin_server = ad.domain.edu
 }

[domain_realm]
 .domain.edu = DOMAIN.EDU
 domain.edu = DOMAIN.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Next, run kinit to make sure you can reach the KDC. If it returns to the prompt without an error you should be good; klist afterwards shows the ticket that was issued for your principal.

$ kinit
Password for rsreese@AD.DOMAIN.EDU: blahblah

Next, set up two cron entries to keep the clock in sync and the ticket renewed:
$ sudo crontab -e

0 23 * * 1,3,5 /usr/sbin/ntpdate time.nrc.ca
0 */4 * * * kinit -R

Two caveats: kinit -R renews only the ticket cache of the account whose crontab this is (root, here), and only for as long as renew_lifetime in krb5.conf allows; it does not keep other users' tickets alive. And a one-shot ntpdate three nights a week is coarse; a running ntpd keeps the clock inside the 300-second clockskew window continuously.

The /etc/samba/smb.conf file needs to be set up. The realm must match default_realm in krb5.conf, and security = ads is what makes Samba authenticate against the domain with Kerberos:

# grep -Ev '#|;|^$' /etc/samba/smb.conf
[global]
   workgroup = UFAD
   realm = AD.DOMAIN.EDU
   server string = SRVV-SERV
   hosts allow = 10.242. 10.228.
   load printers = no
   log file = /var/log/samba/%m.log
   max log size = 50
   security = ads
   idmap uid = 10000 - 20000
   idmap gid = 10000 - 20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   winbind use default domain = no
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = no
   dns proxy = no

[homes]
   comment = %U Home Directory
   browseable = no
   path = %H
   valid users = %U
   writable = yes
   create mode = 0664
   directory mode = 0775

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

Now add the computer object to the domain with the Active Directory “Users and Computers” snap-in.

Then join the Linux machine to the domain. Create the machine account in the domain first, as described above, or the join will fail:
# net ads join -U administrator

SELinux needs to be told to let Samba serve users' home directories (the [homes] share above):
# setsebool -P samba_enable_home_dirs=1
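Before running the join above it is worth checking the three files for the mistakes that make it fail or weaken it. The following script is an added example, not part of the original post: it reads a krb5.conf, a PAM system-auth stack and an smb.conf and flags realms referenced in [domain_realm] or default_realm that have no [realms] block (the post's own krb5.conf maps domain.edu to DOMAIN.EDU, which has none), nullok on pam_unix.so, and an smb.conf whose realm or security setting does not agree with krb5.conf. The sample files it writes to temporary paths are constructed to mirror the post's configs; the realm, host and workgroup names are the post's placeholders.

```shell
#!/bin/sh
# Pre-flight lint for krb5.conf, system-auth and smb.conf before an AD join.
# Added example, not from the original post; realm/host names are the post's
# placeholders and the sample files below are constructed.

# Realms that have a block under [realms] ("NAME = {").
krb5_defined_realms() {
    awk '
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        in_realms && $2 == "=" && $3 == "{" { print $1 }
    ' "$1"
}

# Track the current [section], then print default_realm and every realm on
# the right-hand side of a [domain_realm] mapping.
krb5_referenced_realms() {
    awk '
        /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*/, "", sect); next }
        sect == "libdefaults" && $1 == "default_realm" && $2 == "=" { print $3 }
        sect == "domain_realm" && $2 == "=" { print $3 }
    ' "$1" | sort -u
}

# Referenced realms with no [realms] block. With dns_lookup_kdc = false the
# client cannot locate a KDC for them. Exit 1 if any are found.
krb5_undefined_realms() {
    defined=" $(krb5_defined_realms "$1" | tr '\n' ' ')"
    rc=0
    for r in $(krb5_referenced_realms "$1"); do
        case "$defined" in
            *" $r "*) ;;
            *) printf '%s\n' "$r"; rc=1 ;;
        esac
    done
    return $rc
}

# PAM management groups whose pam_unix.so line carries nullok, i.e. accounts
# with an empty password field are accepted. Exit 1 if any are found.
pam_nullok_groups() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        /pam_unix\.so/ && /[[:space:]]nullok([[:space:]]|$)/ { print $1; found = 1 }
        END { if (found) exit 1 }
    ' "$1"
}

# First "key = value" in [section] of an ini-style file (smb.conf, krb5.conf).
ini_value() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ { cur = $0; sub(/^[[:space:]]*\[/, "", cur); sub(/\].*/, "", cur); next }
        cur == sect && /=/ {
            k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# Samba must authenticate with Kerberos and name the realm krb5 defaults to.
smb_matches_krb5() {
    [ "$(ini_value "$1" global security)" = "ads" ] &&
    [ "$(ini_value "$1" global realm)" = "$(ini_value "$2" libdefaults default_realm)" ]
}

# Constructed samples mirroring the post's files (temporary paths).
KRB5_SAMPLE=$(mktemp); PAM_SAMPLE=$(mktemp); SMB_SAMPLE=$(mktemp)
trap 'rm -f "$KRB5_SAMPLE" "$PAM_SAMPLE" "$SMB_SAMPLE"' EXIT
cat >"$KRB5_SAMPLE" <<'EOF'
[libdefaults]
 default_realm = AD.DOMAIN.EDU
[realms]
 UFL.EDU = {
  kdc = DC01.AD.DOMAIN.EDU
 }
 AD.DOMAIN.EDU = {
  kdc = ad.domain.edu
 }
[domain_realm]
 .domain.edu = DOMAIN.EDU
 domain.edu = DOMAIN.EDU
EOF
cat >"$PAM_SAMPLE" <<'EOF'
#%PAM-1.0
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
session     optional      /lib/security/$ISA/pam_krb5.so
EOF
cat >"$SMB_SAMPLE" <<'EOF'
[global]
   workgroup = UFAD
   realm = AD.DOMAIN.EDU
   security = ads
EOF
echo "realms referenced but not defined:"; krb5_undefined_realms "$KRB5_SAMPLE" || true
echo "PAM groups accepting empty passwords:"; pam_nullok_groups "$PAM_SAMPLE" || true
if smb_matches_krb5 "$SMB_SAMPLE" "$KRB5_SAMPLE"; then echo "smb.conf realm matches krb5.conf"; fi
```

On a real host point the functions at the live files (krb5_undefined_realms /etc/krb5.conf, pam_nullok_groups /etc/pam.d/system-auth, smb_matches_krb5 /etc/samba/smb.conf /etc/krb5.conf). Fixing the post's mapping means pointing [domain_realm] at AD.DOMAIN.EDU, the realm that actually has a [realms] block. What no offline check can confirm is the join itself: after net ads join, net ads testjoin and wbinfo -t verify that the machine account and winbind's trust secret work against the domain controller.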

~~~~~~~~~~~~~~~~~~~NOT NEEDED~~~~~~~~~~~~~~~~~~~~~~~~
The /etc/ldap.conf looks like this:

host 10.241.28.100
base dc=domain,dc=edu
uri ldap://ad.domain.edu/
binddn rsreese@domain.edu
bindpw
scope sub
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_lookup_policy yes
nss_base_passwd dc=edu?sub
nss_base_shadow dc=edu?sub
nss_base_group dc=edu?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

~~~~~~~~~~~~~~~~~~~NOT NEEDED~~~~~~~~~~~~~~~~~~~~~~~~
Next I edit /etc/nsswitch.conf to add ldap support. If you resolve users through winbind as configured in smb.conf above rather than through nss_ldap, use winbind in place of ldap on the passwd and group lines:

passwd: files ldap
shadow: files
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
