Authenticating Kerberos against Active Directory
Your /etc/pam.d/system-auth is created with the "authconfig" command on a RHEL5 machine; on other distributions you may have to edit it manually:
Your /etc/krb5.conf should look something like this. Your system time must be accurate, or Kerberos will not work correctly.
Next you need to run kinit to make sure that you can contact the Kerberos server; if it returns nothing, then you should be good.
Next, set up two cron entries to keep the time up to date and the Kerberos ticket alive:
$ sudo crontab -e
The /etc/samba/smb.conf file needs to be set up.
Now add the computer object to the domain via the Active Directory "Users and Computers" tool.
You need to join the Linux machine to the domain. First create an account on the domain for the machine, as mentioned at the beginning, or this will fail.
# net ads join -U administrator
SELinux needs to be told to let Samba play nicely:
# setsebool -P samba_enable_home_dirs=1
~~~~~~~~~~~~~~~~~~~NOT NEEDED~~~~~~~~~~~~~~~~~~~~~~~~
The /etc/ldap.conf looks like this:
# Marked NOT NEEDED above: authentication is handled by pam_krb5 (system-auth)
# and Samba/winbind is configured in smb.conf, so this pam_ldap/nss_ldap file
# is kept for reference only.
host 10.241.28.100
base dc=domain,dc=edu
uri ldap://ad.domain.edu/
# A named bind account. nss_ldap is loaded into unprivileged processes, so
# /etc/ldap.conf generally has to stay world-readable; a real bindpw written
# here would be visible to every local user. NOTE(review): the rootbinddn /
# /etc/ldap.secret mechanism keeps the credential root-only — confirm this
# nss_ldap build supports it before storing a password.
binddn rsreese@domain.edu
bindpw
scope sub
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_lookup_policy yes
nss_base_passwd dc=edu?sub
nss_base_shadow dc=edu?sub
nss_base_group dc=edu?sub
# Map AD's user/group objectclasses and attributes onto the POSIX schema that
# nss_ldap expects (uid <- sAMAccountName, homeDirectory <- unixHomeDirectory).
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
# pam_login_attribute and pam_filter are repeated from above (harmless
# duplicates). pam_password is set twice (ad here, md5 below); presumably the
# later directive wins — TODO confirm which one is actually in effect.
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
# ssl no: the simple bind (binddn/bindpw) and any password-change traffic go
# over the wire unencrypted, and tls_cacertdir below is unused while ssl is
# off. NOTE(review): AD is generally expected to refuse password changes over
# an unencrypted connection — confirm before relying on pam_password here.
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
~~~~~~~~~~~~~~~~~~~NOT NEEDED~~~~~~~~~~~~~~~~~~~~~~~~
Next I edit the /etc/nsswitch.conf to add ldap support:
# passwd/group consult ldap after local files; shadow stays local because
# password verification is done by pam_krb5 in system-auth, not via shadow
# hashes fetched from the directory.
passwd: files ldap
shadow: files
group: files ldap
# NOTE(review): smb.conf enables winbind enumeration and idmap ranges, but
# this file names ldap rather than winbind as the NSS source — confirm which
# backend (nss_ldap or winbind) is meant to supply the accounts, given that
# the ldap.conf section is marked NOT NEEDED.
hosts: files dns
# The nisplus entries below appear to be distribution defaults left untouched.
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# auth: local passwords are tried first (pam_unix); on failure the same
# password is passed to pam_krb5 (use_first_pass) so the user is prompted only
# once. nullok allows a local account with an empty password to log in — worth
# removing on a machine reachable from the network.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
# account: uid < 100 (system accounts) bypass the Kerberos account check;
# user_unknown=ignore lets purely local users pass pam_krb5 without having a
# principal in the realm.
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so
# password: a change is written to the local shadow file first (md5 hash) and
# only reaches the KDC if pam_unix fails — for a user present in local shadow
# the Kerberos password would presumably not be updated. md5 is the weakest
# hash authconfig offers; prefer sha512 where this pam_unix build supports it.
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
# session: pam_krb5 is optional here so a missing ticket cache does not block
# the login session.
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
Your /etc/krb5.conf should look something like this. Your system time must be accurate, or Kerberos will not work correctly.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
# dns_lookup_kdc = false means every KDC must be listed explicitly under
# [realms]. clockskew = 300 is the 5-minute window within which client and
# DC clocks must agree (the reason for the ntpdate cron entry later on).
[libdefaults]
default_realm = AD.DOMAIN.EDU
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
# NOTE(review): the UFL.EDU stanza looks like a leftover from another realm,
# and [domain_realm] maps domain.edu hosts to DOMAIN.EDU — a realm with no
# stanza here that also differs from default_realm. Confirm the intended realm
# name before relying on the domain_realm mapping.
[realms]
UFL.EDU = {
kdc = DC01.AD.DOMAIN.EDU
default_domain = DOMAIN.EDU
}
AD.DOMAIN.EDU = {
kdc = ad.domain.edu
admin_server = ad.domain.edu
}
[domain_realm]
.domain.edu = DOMAIN.EDU
domain.edu = DOMAIN.EDU
# [kdc] is a KDC-server section; it is harmless on a client but not used by it.
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
# Settings read by pam_krb5 only: tickets of 36000 s (10 h), renewable for the
# same period. kinit itself reads [libdefaults], not this section, so a ticket
# obtained manually with kinit is presumably not renewable unless requested —
# TODO confirm before depending on the cron 'kinit -R'.
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Next you need to run kinit to make sure that you can contact the Kerberos server; if it returns nothing, then you should be good.
$ kinit
Password for rsreese@AD.DOMAIN.EDU:
blahblah
Next, set up two cron entries to keep the time up to date and the Kerberos ticket alive:
$ sudo crontab -e
# Both entries run from root's crontab (sudo crontab -e). ntpdate steps the
# clock only three nights a week; with a 300 s clockskew window, a
# continuously running ntpd is the safer choice for a Kerberos client, and the
# domain controllers are usually the most appropriate time source for a
# domain member.
0 23 * * 1,3,5 /usr/sbin/ntpdate time.nrc.ca
# Renews root's ticket cache only: the ticket each user obtained with kinit
# lives in that user's own cache and is not touched by this entry. kinit -R
# also requires the existing ticket to have been issued renewable.
0 */4 * * * kinit -R
The /etc/samba/smb.conf file needs to be set up.
# grep -Ev '#|;|^$' /etc/samba/smb.conf
[global]
workgroup = UFAD
realm = AD.DOMAIN.EDU
server string = SRVV-SERV
# Only the two listed subnets may connect; everything else is refused at the
# SMB layer (a useful second layer alongside the host firewall).
hosts allow = 10.242. 10.228.
load printers = no
log file = /var/log/samba/%m.log
max log size = 50
# security = ads: domain users authenticate via Kerberos against the realm
# above, using the machine account created by 'net ads join'.
security = ads
# winbind maps AD SIDs to local uid/gid within this range; keep it clear of
# local accounts. NOTE(review): 'idmap uid/gid' is the older syntax — confirm
# the installed Samba version still accepts it.
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
winbind enum users=yes
winbind enum groups=yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
# With this set to no, users must supply the domain (DOMAIN\user or
# user@realm) rather than a bare username.
winbind use default domain = no
encrypt passwords = yes
# The local smbpasswd file is not used for domain-user authentication under
# security = ads; presumably a leftover from the default configuration.
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
dns proxy = no
# Each user sees only their own home share (valid users = %U, not browseable).
[homes]
comment = %U Home Directory
browseable = no
path = %H
valid users = %U
writable = yes
create mode = 0664
directory mode = 0775
# Printer share kept from the default file; load printers = no above means no
# printers are actually published.
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
Now add the computer object to the domain via the Active Directory "Users and Computers" tool.
You need to join the Linux machine to the domain. First create an account on the domain for the machine, as mentioned at the beginning, or this will fail.
# net ads join -U administrator
SELinux needs to be told to let Samba play nicely:
# setsebool -P samba_enable_home_dirs=1
~~~~~~~~~~~~~~~~~~~NOT NEEDED~~~~~~~~~~~~~~~~~~~~~~~~
The /etc/ldap.conf looks like this:
# Marked NOT NEEDED above: authentication is handled by pam_krb5 (system-auth)
# and Samba/winbind is configured in smb.conf, so this pam_ldap/nss_ldap file
# is kept for reference only.
host 10.241.28.100
base dc=domain,dc=edu
uri ldap://ad.domain.edu/
# A named bind account. nss_ldap is loaded into unprivileged processes, so
# /etc/ldap.conf generally has to stay world-readable; a real bindpw written
# here would be visible to every local user. NOTE(review): the rootbinddn /
# /etc/ldap.secret mechanism keeps the credential root-only — confirm this
# nss_ldap build supports it before storing a password.
binddn rsreese@domain.edu
bindpw
scope sub
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_lookup_policy yes
nss_base_passwd dc=edu?sub
nss_base_shadow dc=edu?sub
nss_base_group dc=edu?sub
# Map AD's user/group objectclasses and attributes onto the POSIX schema that
# nss_ldap expects (uid <- sAMAccountName, homeDirectory <- unixHomeDirectory).
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
# pam_login_attribute and pam_filter are repeated from above (harmless
# duplicates). pam_password is set twice (ad here, md5 below); presumably the
# later directive wins — TODO confirm which one is actually in effect.
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
# ssl no: the simple bind (binddn/bindpw) and any password-change traffic go
# over the wire unencrypted, and tls_cacertdir below is unused while ssl is
# off. NOTE(review): AD is generally expected to refuse password changes over
# an unencrypted connection — confirm before relying on pam_password here.
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
~~~~~~~~~~~~~~~~~~~NOT NEEDED~~~~~~~~~~~~~~~~~~~~~~~~
Next I edit the /etc/nsswitch.conf to add ldap support:
# passwd/group consult ldap after local files; shadow stays local because
# password verification is done by pam_krb5 in system-auth, not via shadow
# hashes fetched from the directory.
passwd: files ldap
shadow: files
group: files ldap
# NOTE(review): smb.conf enables winbind enumeration and idmap ranges, but
# this file names ldap rather than winbind as the NSS source — confirm which
# backend (nss_ldap or winbind) is meant to supply the accounts, given that
# the ldap.conf section is marked NOT NEEDED.
hosts: files dns
# The nisplus entries below appear to be distribution defaults left untouched.
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus