Tuesday, August 25, 2009

Linux Authentication with Active Directory 2003 R2

One way of simplifying your authentication environment is to use a single authentication source for all of your nodes: Windows, Linux or Unix. You can authenticate them all against a directory service such as Active Directory or eDirectory. In this article we'll describe how to unify your Linux and Active Directory environment. With minor changes, this same procedure can be used to authenticate your Linux hosts against eDirectory or any other LDAP-compliant directory service.

Active Directory in Windows 2003 is essentially a customized LDAP directory with its own schema and attributes. The schema of the Windows LDAP directory can be modified and extended to store custom values and attributes. The SFU (Services for UNIX) package does exactly this: it extends the Microsoft LDAP schema and makes it capable of storing POSIX-compliant Linux/Unix attributes. SFU is freely available for Windows 2000 and early versions of Windows 2003, but Windows 2003 R2 has built-in Unix management capability, so you do not need to install SFU or other external software.

The following is my setup for configuring Linux to authenticate against Active Directory.

1. Enable Unix/Linux Identity Management for Unix in Windows 2003 R2

Start > Settings > Control Panel > Add/Remove Windows Components and select Active Directory Services

2. Once this is installed, you will see a new tab in the user properties dialog in Active Directory Users and Computers. Select the NIS Domain (which defaults to the domain name) and define the UID, GID and home directory that you want the user to have on the Linux/Unix side at logon.

(Note: I have created a new OU named UNIX and three different OUs inside it, People, Groups and Computers, for easy management. You can use any names you like.)

3. The Linux workstation configuration files are as follows.

a. /etc/ldap.conf
b. /etc/nsswitch.conf
c. /etc/krb5.conf
d. /etc/pam.d/system-auth

My configuration files follow.

#cat /etc/ldap.conf

# cat /etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap


# cat /etc/krb5.conf



# cat /etc/pam.d/system-auth
(Note: Please compile or install the latest version of pam_krb5.so. Older versions have some bugs which break your functionality.)

I have compiled pam_krb5-2.3.7, which supports forcing a password change at next logon.



After making all of the above changes, you can run the getent command to check the list of users created in AD.

#getent passwd
#getent group
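
Once directory accounts appear in the getent output, it is worth checking what the UID/GID values entered in AD actually resolve to on the Linux side. The following is an added example, not part of the original post: it compares a copy of /etc/passwd with saved `getent passwd` output and flags directory accounts with UID 0, UIDs below an assumed MIN_UID of 500, clashes with local names or UIDs, and missing home directory or shell. The function names, flag names and sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: audit directory-supplied accounts
# after "ldap" has been added to /etc/nsswitch.conf.
MIN_UID=${MIN_UID:-500}   # assumed policy: lowest UID an AD account may use

# audit_passwd LOCAL MERGED
#   LOCAL  = copy of /etc/passwd, MERGED = saved output of "getent passwd".
# Prints one "FLAG name uid" line per finding and nothing when clean.
audit_passwd() {
    awk -F: -v min="$MIN_UID" '
        FILENAME == ARGV[1] {          # first file: index the local accounts
            line[$0] = 1; name[$1] = 1; uid[$3] = 1; next
        }
        ($0 in line) { next }          # same as a local entry, so not from AD
        $3 !~ /^[0-9]+$/ { print "BAD_UID", $1, $3; next }
        {
            if ($3 == 0) print "UID_ZERO", $1, $3
            else if ($3 + 0 < min) print "LOW_UID", $1, $3
            if ($1 in name) print "NAME_CLASH", $1, $3   # local entry wins lookups
            if ($3 in uid) print "UID_CLASH", $1, $3     # shares file ownership
            if ($6 == "" || $7 == "") print "INCOMPLETE", $1, $3
        }
    ' "$1" "$2"
}

# write_samples DIR: constructed sample data (hypothetical accounts).
write_samples() {
    cat > "$1/local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
EOF
    { cat "$1/local"; cat <<'EOF'
jdoe:x:10001:10000:John Doe:/home/jdoe:/bin/bash
svcadmin:x:0:0:Service:/root:/bin/bash
alice:x:10002:10000:Alice AD:/home/alice:/bin/bash
ops:x:34:10000:Ops:/home/ops:/bin/bash
newhire:x:10003:10000:New Hire::
EOF
    } > "$1/merged"
}

tmp=$(mktemp -d) && write_samples "$tmp" && audit_passwd "$tmp/local" "$tmp/merged"
rm -rf "$tmp"
```

On a real host, save `getent passwd` to a file and call `audit_passwd /etc/passwd` with that file as the second argument.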


TEST Configuration:

Create a user account with the option "User must change password at next logon".



Now try to log in at the Unix/Linux workstation as that user.



Single Sign on (SSO) Configuration with OpenSSH.


Log in to Windows 2003 R2 and run the following command to generate a keytab file for the Kerberos service principal.

c:\>ktpass -princ host/linux01.example.com@EXAMPLE.COM -mapuser EXAMPLE\linux01 -crypto rc4-hmac-nt -pass * -ptype KRB5_NT_SRV_HST -out linux01.keytab

(EXAMPLE.COM is the Kerberos realm, which is the domain name of Windows 2003, and it should be in upper case. EXAMPLE\linux01 is the NetBIOS name of the domain and of the Linux workstation. With -pass *, the command will ask you for the workstation password; enter any password you want to set for the workstation.)

c:\> setspn linux01

(setspn will register the ServicePrincipalNames)

Now copy the linux01.keytab file securely to the linux01 workstation and install it there under the name /etc/krb5.keytab.

Verify the keytab with the following command:

#klist -keK /etc/krb5.keytab

TEST SSO Login for SSH.

Log in to the Linux workstation (linux01 in my example).

To get a Kerberos ticket, run the following command.

#kinit username

To verify the Kerberos TGT, run the following command.

#klist

Run SSH; it will not ask you for a password this time because you already have a Kerberos ticket.

#ssh username@linux01

Best of luck with your configuration.