Thursday, August 17, 2006

While facing a problem recently, I found that many people find it difficult to locate a proper solution for giving Linux clients easy logins to AD via AD username mappings. Here are the steps:

Basics:
-------

Active Directory has an LDAP backend which serves
username lookups

Active Directory uses Kerberos Authentication Mechanism
to grant access to Users

Linux Client (if configured as a client to AD)
has to perform the following :

1. Get User Name (as an LDAP Client) from AD's LDAP Server
2. Authenticate a user using Kerberos Authentication Mechanism
to the Kerberos Server at Windows end

To do the above, we can use one of two methods: nss_ldap
along with Kerberos, or winbind.

The client should have nss_ldap built in, so I am giving
a good example of how to use nss_ldap to authenticate to an AD.


Windows Server End:
-------------------

1. Create an Active Directory using the normal method

2. Install Microsoft Services For Unix 3.5.
While installing, give options as "Local Username Mapping Server"
and subsequently "Network Information Services"

3. Create a Basic LDAP User for LDAP Bind:

i. Create a normal user.
ii. Set "User cannot change password" and "Password never expires".
iii. After the user has been created, you need to set the
UNIX attributes for the user. Give it the UID and GID 499,
with home directory /dev/null and shell /bin/false.

4. Define a Share:

i. Go to Start -> Settings -> Control Panel ->
Administrative Tools -> Domain Controller Security Policy.

ii. Then Local Policies -> Security Options -> Digitally sign
client/server communications (always).
Check "Define this policy" and select the Disabled radio button,
then click Apply, then OK.

iii. Create a folder c:\share and share it;
call it "share". Create a normal user and
assign his home folder under share.

5. Active Directory object management


i. Open the Active Directory Users and Groups management tool.

a.) Modify a group object to function as a POSIX group.
b.) Right-click on the user group for assignment of a GID.
c.) Click on the Unix Attributes tab.
d.) Populate the NIS Domain dropdown and the GID number as appropriate.

ii. Modify a user object to function as a POSIX user.

a.) Locate and activate the tab that says Unix Settings.
b.) Under Unix Settings, set the UID and GID for the user,
as well as the home directory location
(on the Linux filesystem /home/). Note: You will need
to ensure that the directory exists with the appropriate
user object having access to the directory.
c.) Reset the user's password. This causes the AD password
and the Unix password attributes to synchronize.

iii. Add the user as a Unix member of the group.

a.) After you have added the user as a Unix user,
you will also need to come back to the group properties
and add the user as a member on the Unix Attributes tab.
Otherwise, the user will not be populated in the msSFU30PosixMember
attribute.

6. Allowing Anonymous Searches in Active Directory


i. On your Windows 2000 Active Directory server, run the
Active Directory Users and Groups administration tool.
ii. Select the top level of the directory from the tree
view in the left hand panel, and right click. A menu will appear.
Select the first item, which should be "Delegate Control..."
iii. Click "Next"
iv. In the next window, titled "Users or Groups", click "Add ..."
v. In the next list, select "ANONYMOUS LOGON" and click "Add".
You may also need to select "Everyone" and the "Guests" group,
depending on how you have Active Directory configured.
Click OK when this is done.
vi. Click "Next"
vii. Select "Create a custom task to delegate" and click "Next".
viii. Click "Next"
ix. In the next list, select "Read". "Read All Properties" will
be selected at the same time. Click "Next" when this is done.
x. Click "Finish".

On the Linux Client End:
------------------------

1. Edit /etc/ldap.conf and enter the following:

# @(#)$Id: ldap.conf,v 1.27 2003/01/17 21:37:12 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host

# The distinguished name of the search base.
base dc=,dc=com

binddn cn=Administrator,cn=Users,dc=,dc=com
bindpw

ssl no
pam_password ad

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group

nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30uidNumber
nss_map_attribute gidNumber msSFU30gidNumber
nss_map_attribute gecos cn
nss_map_attribute homeDirectory msSFU30homeDirectory
nss_map_attribute loginShell msSFU30loginShell

pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_base_passwd cn=Users,dc=,dc=com
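Added example (not from the original post): a small Python script that reads the nss_map_attribute lines above and builds the passwd line that nss_ldap would hand to getent/ssh from an AD entry, returning None when the user never got the Unix attributes of step 5.ii (the usual reason an AD login is "unknown" on the client). It also flags the two weak settings in this ldap.conf, ssl no together with a stored bindpw and pam_password ad, since AD only accepts password changes over a TLS-protected connection. The ldap.conf fragment, the bindpw placeholder and the two AD entries are constructed for the example.

```python
LDAP_CONF = """\
bindpw PLACEHOLDER-PASSWORD
ssl no
pam_password ad
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30uidNumber
nss_map_attribute gidNumber msSFU30gidNumber
nss_map_attribute gecos cn
nss_map_attribute homeDirectory msSFU30homeDirectory
nss_map_attribute loginShell msSFU30loginShell
"""  # constructed from this post's ldap.conf; bindpw is a placeholder

def parse_conf(conf):
    """Split ldap.conf into (settings dict, {posix_attr: ad_attr} map)."""
    settings, mapping = {}, {}
    for parts in (l.split() for l in conf.splitlines()):
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nss_map_attribute":
            mapping[parts[1]] = parts[2]
        else:
            settings[parts[0]] = " ".join(parts[1:])
    return settings, mapping

def to_passwd_line(entry, mapping):
    """Build a passwd(5) line from an AD entry the way nss_ldap's map does; None
    means a mapped attribute is absent (Unix attributes from step 5.ii not set)."""
    values = []
    for field in ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"):
        ad_attr = mapping.get(field, field)
        if ad_attr not in entry:
            return None
        values.append(str(entry[ad_attr]))
    name, uid, gid, gecos, home, shell = values
    return f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"

def audit_conf(settings):
    """Warn about settings in this post's ldap.conf that weaken the setup."""
    warnings = []
    if settings.get("ssl") == "no" and "bindpw" in settings:
        warnings.append("bindpw travels in cleartext on every lookup (ssl no)")
    if settings.get("ssl") == "no" and settings.get("pam_password") == "ad":
        warnings.append("pam_password ad needs TLS: AD rejects password changes over plain LDAP")
    return warnings

# Constructed AD entries: one with SFU attributes set (step 5.ii), one without.
MAPPED_USER = {"sAMAccountName": "jdoe", "cn": "John Doe", "msSFU30uidNumber": 10001,
               "msSFU30gidNumber": 10000, "msSFU30homeDirectory": "/home/jdoe", "msSFU30loginShell": "/bin/bash"}
UNMAPPED_USER = {"sAMAccountName": "asmith", "cn": "Ann Smith"}
```

Running to_passwd_line over both entries shows why "getent passwd user" is the first thing to check when an AD login fails: the second user is invisible to NSS until the Unix Attributes tab is filled in.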



2. /etc/pam.d/system-auth should contain the following:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account sufficient /lib/security/pam_localuser.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so



3. /etc/nsswitch.conf should contain the following:

passwd: files ldap
shadow: files ldap
group: files ldap



4. Enter the following in /etc/resolv.conf:

nameserver
search



5. Kill the firewall / ( Or open the right ports ! ) I am too lazy here to find out the ports !!!

6. From the client, run:

ldapsearch -x ""

7. If the above command returns output, you have it!

Now ssh in from some other client and your AD username logins will work!