
HOWTO: Configure Ubuntu for Active Directory Authentication


Microsoft Active Directory

This article is written specifically for configuration against a Samba 4 Active Directory as part of the みる directory server; for Microsoft Active Directory support please refer to the Ubuntu Wiki article ActiveDirectoryHowto.


Introduction

There are two important concepts for users: authentication and accounts. With Active Directory, authentication uses the Kerberos 5 protocol and account information is retrieved over LDAP. Therefore we need to configure both Kerberos 5 and LDAP on Ubuntu in order to manage users held in an Active Directory.

Throughout this article the following IP addresses are used; adjust them for your network.

IP address          Description
10.30.2.1           Router and DNS server or proxy
10.30.2.2           DHCP and TFTP server
10.30.2.10          NFS server
10.30.2.20          LTSP server
10.30.2.100-200     LTSP clients

It is assumed that Active Directory is configured with the realm EXAMPLE.COM and that we will create one user:

account name:       wendy
UID:                1002
GID:                1002
home directory:     /home/wendy
shell:              /bin/bash


Accounts

For LDAP accounts the package libnss-ldap is required. On the Ubuntu Dapper CD this is not in the main repository but in the universe repository; if you are using an internet repository it is part of main and you can skip to the next stage. To enable the universe repository, edit /etc/apt/sources.list and uncomment the universe lines.

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://hk.archive.ubuntu.com/ubuntu/ dapper universe main restricted multiverse
deb-src http://hk.archive.ubuntu.com/ubuntu/ dapper universe main restricted

Then update the package list and install.

$ sudo apt-get update
$ sudo apt-get install libnss-ldap

Enter the address of the Active Directory server.

The Active Directory is accessed with the LDAP protocol


Specify the LDAP search base DN.

The LDAP search base DN is where to search for user account information


Select LDAP version 3.

Active Directory can be accessed through protocol version 3


Some extra configuration changes are required for the Active Directory schema; edit /etc/libnss-ldap.conf:

# libnss-ldap.conf

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 10.30.2.2

# The distinguished name of the search base.
base dc=example,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# RFC 2307 (AD) mappings
# <to> <from>
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0


Configure the name service switch to use LDAP by editing /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns mdns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Testing

The getent command shows the name service contents, so with a user configured in Active Directory and libnss-ldap configured you should be able to see the extra users and groups:

$ getent passwd

gdm:x:106:111:Gnome Display Manager:/var/lib/gdm:/bin/false
test:x:1000:1000:Test,,,:/home/test:/bin/bash
wendy:x:1002:1002:wendy:/home/wendy:/bin/bash
$ getent group

gdm:x:111:
test:x:1000:
wendy:x:1002:

A simple file test will show whether Ubuntu understands a username from AD.

$ cd /tmp
$ touch moo
$ ls -l moo
-rw-rw-r-- 1 root    root    0 2006-07-20 14:27 moo
$ sudo chown wendy moo
$ ls -l moo
-rw-rw-r-- 1 wendy   root    0 2006-07-20 14:27 moo

To view the users directly via LDAP, install the ldap-utils package.

$ sudo apt-get install ldap-utils
$ ldapsearch -x -H ldap://10.30.2.2 "(objectClass=posixAccount)" sAMAccountName
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectClass=posixAccount)
# requesting: sAMAccountName
#

# wendy, Users, EXAMPLE.COM
dn: cn=wendy,cn=Users,dc=EXAMPLE,dc=COM
sAMAccountName: wendy

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Authentication

Now that the user information exists we need to configure Linux so that the users are allowed to log in. The login protocol for Active Directory is Kerberos 5, so we need to install the PAM Kerberos 5 module, and the client package to help with testing.

$ sudo apt-get install heimdal-clients libpam-heimdal

Configure Kerberos with the details of the AD realm and IP addresses in /etc/krb5.conf:

[libdefaults]
       default_realm = EXAMPLE.COM

[realms]
       EXAMPLE.COM = {
               kdc = 10.30.2.2:88
       }
[domain_realm]
       .example.com = EXAMPLE.COM
       example.com = EXAMPLE.COM


Update the PAM configuration in /etc/pam.d/common-auth to check Kerberos accounts; the order of the pam_krb5 and pam_unix lines decides whether you get a Kerberos login prompt or a regular Unix prompt first.

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#

auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
auth    sufficient      pam_unix.so likeauth nullok_secure use_first_pass
auth    required        pam_deny.so

To manage the Kerberos tickets, update /etc/pam.d/common-session:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#

session required        pam_unix.so
session optional        pam_foreground.so
session optional        pam_krb5.so minimum_uid=1000 ➊

➊ Many alternatives are possible here; a popular replacement for "minimum_uid" is "ignore_root".

If you want home directories automagically created for new users, add the following line:

session required        pam_mkhomedir.so umask=0022 skel=/etc/skel


Samba 4 passwords cannot be changed via kpasswd, so the common-password settings are irrelevant. The account information is already handled by pam_unix through NSS and libnss-ldap, so no changes are required to common-account. If you did want to add Kerberos account checking, it would look like this:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required        pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so minimum_uid=1000


Warning

If the AD server is running on PC Engines WRAP hardware there is no battery-backed clock. This means that when the machine is switched off for a period of time the clock will reset, and when it is powered up again it will need an internet connection to resync the time. Without a time resync Kerberos will not allow clients to log in.


Testing

With the AD server running and an account set up, try acquiring a ticket with the kinit command.

$ kinit wendy
wendy@EXAMPLE.COM's Password:

Clock Skew

For security and clock sanity in a network environment, Kerberos requires that all clocks are synchronised; otherwise the kinit command will fail:

kinit: krb5_get_init_creds: Too large time skew

Set up time synchronisation with the ntpdate program and maintain clock consistency with the ntpd server.

$ sudo apt-get install ntpdate
$ sudo ntpdate ntp.ubuntu.com
25 Jul 16:22:06 ntpdate[8158]: step time server 82.211.81.145 offset 402569.951826 sec
$ sudo apt-get install ntp-simple

Confirm you now have tickets with the klist command.

$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: wendy@EXAMPLE.COM

  Issued           Expires          Principal
Jul 25 16:23:06  Jul 26 02:23:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM

To test the accounts we need a way of logging in; as we need it for LTSP anyway, we can install the OpenSSH server and client packages.

$ sudo apt-get install openssh-server openssh-client

Try to log in using the AD user account.

$ ssh wendy@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
wendy@localhost's password:
Linux ubuntu 2.6.15-23-386 #1 PREEMPT Tue May 23 13:49:40 UTC 2006 i686 GNU/Linux

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Jul 26 10:32:24 2006 from localhost
wendy@ubuntu:~$

If you get a password error, first confirm that the password works with kinit; if it does, there may be a problem with time synchronisation between the AD server and your machine. The next step is to enable debug logging in the pam_krb5 module: edit common-auth and add the keyword "debug" to the end of the Kerberos line.

auth    sufficient      pam_krb5.so minimum_uid=1000 use_first_pass debug

Try to log in again and monitor /var/log/auth.log; the debug output should explain why you cannot log in.

Invalid Key Table

The following error can arise if an invalid /etc/krb5.keytab exists.

Aug  7 19:31:27 ubuntu sshd[4444]: pam_krb5: pam_sm_authenticate(ssh wendy): entry:
Aug  7 19:31:27 ubuntu sshd[4444]: pam_krb5: verify_krb_v5_tgt(): krb5_mk_req(): KDC has no support for encryption type
Aug  7 19:31:27 ubuntu sshd[4444]: pam_krb5: pam_sm_authenticate(ssh wendy): exit: failure
Aug  7 19:31:30 ubuntu sshd[4444]: Failed password for wendy from 127.0.0.1 port 50054 ssh2

The following error usually indicates the lack of a valid /etc/krb5.keytab and is usually not a problem.

Aug  7 20:00:05 ubuntu sshd[4764]: pam_krb5: pam_sm_authenticate(ssh wendy): entry:
Aug  7 20:00:05 ubuntu sshd[4764]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
Aug  7 20:00:05 ubuntu sshd[4764]: pam_krb5: pam_sm_authenticate(ssh wendy): exit: success
Aug  7 20:00:05 ubuntu sshd[4764]: Failed password for wendy from 10.0.0.69 port 39428 ssh2

Shadow Passwords

One cause of failure is that the shadow account details cannot be found; ensure you have the following in /etc/nsswitch.conf.

shadow:         files ldap

Specifying either of the following will fail.

shadow:         files
shadow:         compat

Realm Mismatch

The following error indicates an incorrect host name, domain name, or AD domain:

Sep  9 17:35:00 ubuntu sshd[8088]: pam_krb5: pam_sm_authenticate(ssh steve-o): entry:
Sep  9 17:35:00 ubuntu sshd[8088]: pam_krb5: verify_v5_tgt(): krb5_sname_to_principal(): Cannot determine realm for host
Sep  9 17:35:00 ubuntu sshd[8088]: pam_krb5: pam_sm_authenticate(ssh steve-o): exit: failure
Sep  9 17:35:00 ubuntu sshd[8088]: Failed password for steve-o from 127.0.0.1 port 52992 ssh2
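The auth.log and kinit messages quoted in this article map to a handful of causes. The following script, an added example rather than part of the original article, classifies lines of /var/log/auth.log (or kinit output) into those causes; the sample lines it ships with are constructed from the excerpts above.

```shell
#!/bin/sh
# Added example, not from the original article: map the pam_krb5 and kinit
# messages quoted in this article to the cause each one indicates.
# Usage: classify_krb5_log /var/log/auth.log   (or pipe lines on stdin)

classify_krb5_log() {
    # One line of output per recognised message, in log order; lines that
    # carry none of the known messages (e.g. sshd's "Failed password") are skipped.
    cat "$@" | while IFS= read -r line; do
        case "$line" in
            *"KDC has no support for encryption type"*)
                echo "invalid-keytab: an invalid /etc/krb5.keytab exists; remove or replace it" ;;
            *"Key table entry not found"*)
                echo "no-keytab: no valid /etc/krb5.keytab (usually not a problem)" ;;
            *"Cannot determine realm for host"*)
                echo "realm-mismatch: host name, /etc/hosts or [domain_realm] in /etc/krb5.conf disagree" ;;
            *"Too large time skew"*)
                echo "clock-skew: clock differs from the KDC; sync with ntpdate and run ntpd" ;;
        esac
    done
}

# Constructed sample lines modelled on the excerpts in this article.
sample_auth_log() {
    cat <<'EOF'
Aug  7 19:31:27 ubuntu sshd[4444]: pam_krb5: pam_sm_authenticate(ssh wendy): entry:
Aug  7 19:31:27 ubuntu sshd[4444]: pam_krb5: verify_krb_v5_tgt(): krb5_mk_req(): KDC has no support for encryption type
Aug  7 19:31:30 ubuntu sshd[4444]: Failed password for wendy from 127.0.0.1 port 50054 ssh2
Sep  9 17:35:00 ubuntu sshd[8088]: pam_krb5: verify_v5_tgt(): krb5_sname_to_principal(): Cannot determine realm for host
EOF
}

# Dry run on the constructed sample: prints invalid-keytab, then realm-mismatch.
sample_auth_log | classify_krb5_log
```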

Check that /etc/hostname matches /etc/hosts, with full domain entries that match /etc/krb5.conf; the following examples highlight where the domain name should appear.

/etc/hostname:

ubuntu.example.com

/etc/hosts:

127.0.0.1        localhost

10.82.6.10       ubuntu.example.com ubuntu

/etc/krb5.conf:

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
        kdc = 10.30.2.2:88
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
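To check these files without having to log in, the following script, an added example that is not part of the original article, tests whether the shadow: line of an nsswitch.conf lists ldap (the Shadow Passwords check above) and which realm the [domain_realm] section of a krb5.conf assigns to a host name (the Realm Mismatch check). The sample files it writes are constructed copies of the ones shown above; it consults only the [domain_realm] mapping, not DNS or default_realm.

```shell
#!/bin/sh
# Added example, not from the original article: checks for two of the
# failure modes above. File paths are arguments so the functions can be
# run against the live files or against the constructed samples below.

# Exit 0 only if the shadow: line of an nsswitch.conf lists ldap, the
# one form the article says works ("files" or "compat" alone fail).
nss_shadow_uses_ldap() {
    awk '$1 == "shadow:" { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Print the realm that the [domain_realm] section of a krb5.conf assigns to
# a host name: an exact entry wins, otherwise the longest matching ".suffix"
# entry. Prints nothing when no entry applies, which is the missing mapping
# behind "Cannot determine realm for host".
realm_for_host() {
    awk -v host="$1" '
        /^[ \t]*\[/ { section = $0; sub(/^[ \t]+/, "", section); next }
        section == "[domain_realm]" && NF >= 3 && $2 == "=" {
            dom = $1; realm = $3
            if (dom == host) exact = realm
            else if (dom ~ /^\./ && length(host) > length(dom) &&
                     substr(host, length(host) - length(dom) + 1) == dom &&
                     length(dom) > best) { best = length(dom); suffix = realm }
        }
        END { if (exact != "") print exact; else if (suffix != "") print suffix }' "$2"
}

# Write constructed sample files (modelled on the article's) into directory $1.
write_samples() {
    printf 'passwd:\tfiles ldap\nshadow:\tfiles ldap\n' > "$1/nsswitch.ok"
    printf 'passwd:\tfiles ldap\nshadow:\tcompat\n' > "$1/nsswitch.bad"
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = 10.30.2.2:88
        }
[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
EOF
}

d=$(mktemp -d); write_samples "$d"          # dry run on the constructed samples
nss_shadow_uses_ldap "$d/nsswitch.bad" || echo "nsswitch.bad: shadow lookups will fail"
echo "ubuntu.example.com -> $(realm_for_host ubuntu.example.com "$d/krb5.conf")"; rm -rf "$d"
```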


© 2008 Novell, Inc. All Rights Reserved.