Linux Active Directory How-To
1. Document scope
This document briefly describes how to configure a GNU/Linux machine to authenticate users against a Microsoft Windows Server 2003 Active Directory Server.
The idea behind this is to use Windows 2003 ADS (and possibly later versions) to authenticate a foreign user and allow him/her to use a Linux machine which is a member of the Windows domain, without having to create a user account manually on the Linux machine. This is very useful when you have large numbers of machines and users.
If everything works as it should, then you only need to create the users on the Active Directory Server. The users can then walk up to any machine on the network and log on. If a user has never used that machine before, a local identity (UID, GID and home directory) is created on the fly by winbind. This is what is usually sold as Single Sign-On (SSO): one account, defined once on the domain, valid on every machine.
The whole process is rather complicated and relies on a number of subsystems working together:
- Pluggable Authentication Modules (PAM)
- Server Message Block (SMB, Samba)
- WinBIND (part of Samba)
- Kerberos 5 (By MIT, with Microsoft compatibility hacks)
The biggest problem is configuring Samba and determining exactly what identifiers and spelling to use where, since Kerberos and NETBIOS are fond of uppercase, while everything else prefers lowercase.
Of course, nothing works until every last little detail is correct, so these and other subtleties can lead to many hours of happy debugging and experimenting before everything suddenly begins to work. Just about every imaginable error message was discovered the hard way; they are documented in the references below, and the most common ones in section 3.6. Since you will be following this guide, you won't ever see them - let's hope so anyway.
Note that everything here was tested on Linux, but it should also apply almost directly to Solaris, since Samba is cross platform.
2. Referenced Documents
Chapter 6. Domain Membership, Part II. Server Configuration Basics: http://us4.samba.org/samba/docs/man/samba-howto-collection/domain-member.html#ads-member
Chapter 24. Winbind: Use of Domain Accounts, Part III. Advanced Configuration: http://us4.samba.org/samba/docs/man/samba-howto-collection/winbind.html
Kerberos Administration Guide: http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3/doc/krb5-admin.html
Linux PAM: http://www.kernel.org/pub/linux/libs/pam3.
3. Configuration
We want to use the Windows 2003 Active Directory Server (ADS) to authenticate a foreign user and allow him or her to use a Linux machine which is a member of the Windows domain. Initially, the user jdoe doesn't exist on the Linux machine. We want to use Winbind and Samba to assign a UID and GID from a pool of reserve numbers and create a home directory automatically under /home/winnt for this foreign user. This will (hopefully) allow jdoe to walk up to the Linux machine, log in and use it to run X applications, without ever having been manually configured on it.
This guide assumes that you already have a Windows ADS running. First verify a few things on the Windows ADS machine, and note that the NETBIOS work group must be uppercase:
    NETBIOS Workgroup: YOURWORKGROUPNAME
    Domain name: example.com
    Fully qualified domain host name: msads.example.com
    User name defined in ADS: jdoe
    User password: jdoe123
    User primary group: winusergrp
    Administrator name: Administrator
    Administrator password: Supersecret
This illustrates some weird points. Rather confusingly, the MS Windows NETBIOS work group is also referred to as the domain name in MS Windows documentation. The NETBIOS work group is actually used more often than the DNS domain name, so when in doubt, use the NETBIOS work group, since it will usually be the correct one for the occasion.
The MS Windows user name will become work group+user name on Linux (YOURWORKGROUPNAME+jdoe), and the Windows primary group will become work group+group name (YOURWORKGROUPNAME+winusergrp). The '+' is the winbind separator configured in smb.conf below.
3.1 Kerberos
Kerberos is configured in the file /etc/krb5.conf. Verify the following lines and note the UPPERCASE realm name, which is the DNS domain name in capitals:
    [libdefaults]
        default_realm = EXAMPLE.COM
    [realms]
        EXAMPLE.COM = {
            kdc = msads.example.com
        }
    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
The [domain_realm] section (singular) maps host names under example.com to the realm, so that a ticket for msads.example.com is requested from the EXAMPLE.COM KDC.
Note that Kerberos requires that the clocks of the machines in the domain are synchronized. The default maximum skew allowed is 5 minutes; beyond that, authentication fails with a clock skew error. Windows and Linux interpret the hardware clock differently: Linux normally assumes it runs on UTC, Windows assumes local time, so a dual-boot or freshly installed machine can easily be hours off. Configuring NTP (against the domain controller, or the same source it uses) is necessary, but beyond the scope of this document.
3.2 Nsswitch Configuration
Verify the following lines in /etc/nsswitch.conf:
    passwd: files winbind
    shadow: files winbind
    group:  files winbind
You may need to run ldconfig to set up the winbind libraries:
user@comp# ldconfig -v |grep winbind
Since nothing was working at the time, I cannot tell whether that was really a required step.
3.3 Samba configuration
Here's the [global] section from smb.conf:
    [global]
        workgroup = YOURWORKGROUPNAME
        realm = EXAMPLE.COM
        preferred master = no
        server string = Samba Server
        security = ADS
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%m
        max log size = 50
        winbind separator = +
        printcap name = cups
        printing = cups
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/winnt/%D/%U
        template shell = /bin/false
        add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
        password server = msads.example.com
In template homedir, %D expands to the NETBIOS domain and %U to the user name, giving /home/winnt/YOURWORKGROUPNAME/jdoe for our test user. The idmap ranges are the pool of reserve UIDs and GIDs that winbind hands out to domain users; keep them clear of the local accounts in /etc/passwd.
The /bin/false shell prevents foreign domain users from opening a command shell and is the safe default. Note, though, that it also blocks the interactive logins (console, ssh, and display-manager sessions started through the user's shell) that this guide is about: set template shell = /bin/bash on the machines where domain users are meant to log in, and keep /bin/false where they only need file shares.
The default winbind separator is a backslash, which doesn't work well, since it is an escape character in UNIX shells and would have to be quoted on every command line. The general rule is to change it to '+'.
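As an added example (not part of this how-to), the following script checks the case and consistency rules from sections 3.1 and 3.3 before you attempt the join: the realm is uppercase and identical in both files, the NETBIOS workgroup is uppercase, a kdc is configured, the separator is not the backslash, and the template homedir line actually has its '='. It also encodes the 5-minute clock-skew rule. The file locations and the KDC name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original how-to: a pre-join sanity check for
# the case and consistency rules in /etc/krb5.conf and smb.conf, plus the
# Kerberos clock-skew limit. File locations and the KDC name are assumptions.

MAX_SKEW=300    # seconds; the Kerberos default for clockskew

# Print the value of "key = value" inside [section] of an INI-style file
# (both krb5.conf and smb.conf use this layout). Prints nothing if absent,
# so a line missing its '=' (a common smb.conf typo) counts as absent.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Cross-check realm, workgroup, separator and template settings.
# Returns 0 when everything passes, 1 otherwise (one line per problem).
check_config() {
    krb5=$1; smb=$2; rc=0
    default_realm=$(ini_get "$krb5" libdefaults default_realm)
    kdc=$(ini_get "$krb5" realms kdc)
    smb_realm=$(ini_get "$smb" global realm)
    workgroup=$(ini_get "$smb" global workgroup)
    security=$(ini_get "$smb" global security)
    separator=$(ini_get "$smb" global "winbind separator")
    homedir=$(ini_get "$smb" global "template homedir")

    [ -n "$default_realm" ] || { echo "krb5.conf: default_realm missing"; rc=1; }
    [ "$default_realm" = "$(upper "$default_realm")" ] \
        || { echo "krb5.conf: default_realm must be UPPERCASE, got '$default_realm'"; rc=1; }
    [ -n "$kdc" ] || { echo "krb5.conf: no kdc line in [realms]"; rc=1; }
    [ "$smb_realm" = "$default_realm" ] \
        || { echo "smb.conf: realm '$smb_realm' differs from krb5 default_realm '$default_realm'"; rc=1; }
    if [ -z "$workgroup" ] || [ "$workgroup" != "$(upper "$workgroup")" ]; then
        echo "smb.conf: workgroup (NetBIOS name) must be UPPERCASE, got '$workgroup'"; rc=1
    fi
    [ "$(upper "$security")" = ADS ] || { echo "smb.conf: security must be ADS, got '$security'"; rc=1; }
    if [ -z "$separator" ] || [ "$separator" = '\' ]; then
        echo "smb.conf: set 'winbind separator = +' (the default is a backslash)"; rc=1
    fi
    [ -n "$homedir" ] || { echo "smb.conf: template homedir missing or lacks its '='"; rc=1; }
    return $rc
}

# Kerberos rejects tickets when the two clocks differ by MAX_SKEW or more.
# Arguments: two Unix timestamps (local, KDC). Returns 0 if within the limit.
check_skew() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    if [ "$diff" -ge "$MAX_SKEW" ]; then
        echo "clock skew ${diff}s >= ${MAX_SKEW}s: fix NTP before joining"
        return 1
    fi
    return 0
}

# Usage on a real machine (GNU date assumed for the -d conversion):
#   check_config /etc/krb5.conf /etc/samba/smb.conf &&
#   check_skew "$(date +%s)" "$(date -d "$(net time -S msads.example.com)" +%s)"
```

Run it before every join attempt; a mismatch it reports is exactly what produces the "workgroup does not match" and "KRB5 error code 68" messages of section 3.6 later on, when they are much harder to trace back.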
3.4 Ethernet configuration
You have to set the ADS machine as (one of) the DNS servers in /etc/resolv.conf, because the Linux machine locates the Kerberos and LDAP services through the SRV records that Active Directory registers in its own DNS. Verify the ethernet and DNS settings with ifconfig and nslookup (for example, nslookup msads.example.com must resolve).
3.5 Join the Domain
First restart the network and Samba:
user@comp # service network restart
user@comp # service smb restart
Verify that smbd and nmbd are running with:
user@comp # ps -e | grep -e smbd -e nmbd
Try to join the Windows Domain:
user@comp # net ads join -S msads.example.com -U administrator
net prompts for the administrator password. You can also pass it inline as -U administrator%Supersecret, but then it is visible to every user on the machine in the process list (ps) and stays in the shell history, so prompting is preferred.
You should get the message: "Joined LINUXMACHINE to realm EXAMPLE.COM", at which point most joyful celebrations are in order.
You can now start the Winbind daemon with the maximum debug information:
user@comp # winbindd -d 10
Watch /var/log/messages for errors:
user@comp # tail -f /var/log/messages
You can investigate the domain records with:
user@comp # wbinfo -u
user@comp # wbinfo -g
user@comp # getent passwd
user@comp # getent group
With those utilities, you should be able to see the user names and groups in the domain that you just joined. User YOURWORKGROUPNAME+jdoe and the group YOURWORKGROUPNAME+winusergrp should be listed.
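As an added example (not part of this how-to), the following script wraps the join and verification steps above: it joins without putting the password on the command line, and it checks a getent passwd line for the domain user against what the sample smb.conf promises (workgroup+user name, a UID and GID inside the idmap range, and a home directory under /home/winnt/%D/%U). The server name, idmap range and home root are assumptions taken from the sample configuration; the sample getent line in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not part of the original how-to: join the domain without
# exposing the administrator password, then confirm that winbind mapped a
# domain user the way smb.conf says it should. Server name, idmap range and
# home directory root are assumptions taken from the sample smb.conf.

# 'net' prompts for the password when none follows the user name, so it
# never appears in 'ps' output or in the shell history.
join_domain() {
    net ads join -S "$1" -U administrator
}

# Check one 'getent passwd' line for a domain user.
# Arguments: line, NetBIOS workgroup, user name, idmap low, idmap high,
# template homedir root (the part of the template before %D/%U).
# Returns 0 if the mapping matches the configuration, 1 with a message otherwise.
verify_mapping() {
    line=$1; wg=$2; user=$3; lo=$4; hi=$5; root=$6
    expect_name="$wg+$user"
    expect_home="$root/$wg/$user"

    # Split the passwd fields on ':' without pathname expansion of the '*'
    # password field (which 'set -- $line' would glob).
    IFS=: read -r name _pw uid gid _gecos home shell <<EOF
$line
EOF

    [ "$name" = "$expect_name" ] \
        || { echo "expected $expect_name, got '$name' (check winbind separator)"; return 1; }
    case $uid in ''|*[!0-9]*) echo "non-numeric uid '$uid'"; return 1 ;; esac
    case $gid in ''|*[!0-9]*) echo "non-numeric gid '$gid'"; return 1 ;; esac
    if [ "$uid" -lt "$lo" ] || [ "$uid" -gt "$hi" ]; then
        echo "uid $uid outside idmap range $lo-$hi"; return 1
    fi
    if [ "$gid" -lt "$lo" ] || [ "$gid" -gt "$hi" ]; then
        echo "gid $gid outside idmap range $lo-$hi"; return 1
    fi
    [ "$home" = "$expect_home" ] \
        || { echo "home '$home' != '$expect_home' (check template homedir)"; return 1; }
    echo "$name -> uid $uid gid $gid home $home shell $shell"
    return 0
}

# On a joined machine: resolve the user through nsswitch (files, then
# winbind) and verify the result.
# Arguments: workgroup, user, idmap low, idmap high, home root.
check_domain_user() {
    entry=$(getent passwd "$1+$2") \
        || { echo "$1+$2 not found: is winbindd running and nsswitch.conf set?"; return 1; }
    verify_mapping "$entry" "$1" "$2" "$3" "$4" "$5"
}

# Usage on a real machine:
#   join_domain msads.example.com
#   check_domain_user YOURWORKGROUPNAME jdoe 10000 20000 /home/winnt
# A constructed getent line that passes verify_mapping looks like:
#   YOURWORKGROUPNAME+jdoe:*:10000:10001:John Doe:/home/winnt/YOURWORKGROUPNAME/jdoe:/bin/false
```

If verify_mapping complains about the name, the separator in smb.conf is still the backslash; a UID outside the range means winbind is not the source of the entry (a local account of the same name in /etc/passwd wins, because files is listed first in nsswitch.conf); a wrong home directory means the template homedir line was not picked up.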
3.6 Kerberos and error messages
If you get the message: Cannot find KDC for requested realm, then the Linux machine cannot locate a KDC at all: check the kdc line under [realms] in /etc/krb5.conf, the password server in smb.conf, and the DNS setting in resolv.conf.
If you get the message: KRB5 error code 68 while getting the initial credentials, then the Linux machine can talk to the ADS machine, but your Kerberos realm name in smb.conf is wrong.
If you get the message: The workgroup in smb.conf does not match the short domain name obtained from the server, then you did not specify the NETBIOS name properly.
--
Butch Whitby