Linux Active Directory How-To

Linux Active Directory How-To

Document scope

This document briefly describes how to configure a GNU/Linux machine to authenticate users against a Microsoft Windows Server 2003 Active Directory Server.

The idea behind this is to use Windows 2003 ADS (and possibly later versions) to authenticate a foreign user and allow him/her to use a Linux machine which is a member of the Windows domain, without having to create a user account manually on the Linux machine. This is very useful when you have large numbers of machines and users.

If everything works as it should, then you only need to configure the users on the Active Directory Server. The users can then walk up to any machine on the network and log on. If a user never used that machine before, a user account will be magically created. The magic trick is known as Single Sign-On (SSO).

The whole process is rather complicated and relies on a number of subsystems working together:

• Pluggable Authentication Modules (PAM)
• Server Message Block (SMB, Samba)
• WinBIND (part of Samba)
• Kerberos 5 (By MIT, with Microsoft compatibility hacks)

The biggest problem is configuring Samba and determining exactly what identifiers and spelling to use where, since Kerberos and NETBIOS are fond of uppercase, while everything else prefers lowercase.

Of course, nothing works, until every last little detail is correct, so these and other subtleties can lead to many hours of happy debugging and experimenting before everything suddenly begins to work. Just about every imaginable error message was discovered the hard way and they were all documented in the references below. Of course, since you will be following this great guide, you wont ever see them - let's hope anyway.

Note that everything here was tested on Linux, but it should also apply almost directly to Solaris, since Samba is cross platform.

Referenced Documents

• Chapter 6. Domain membership part II, Server Configuration basics: HTTP://us4.samba.org/samba/docs/man/samba-howto-collection/domain-member.html#ads-member

• Chapter 24. Winbind: Use of Domain Accounts Part III. Advanced Configuration, HTTP://us4.samba.org/samba/docs/man/samba-howto-collection/winbind.html

• Kerberos Administration Guide, HTTP://web.mit.edu/kerberos/krb5-1.3/krb5-1.3/doc/krb5-admin.html

• Linux PAM, HTTP://www.kernel.org/pub/linux/libs/pam3.

Configuration

We want to use the Windows 2003 Active Directory Server (ADS) to authenticate a foreign user and allow him or her to use a Linux machine which is a member of the Windows domain. Initially, the user jdoe doesn't exist on the Linux machine. We want to use Winbind and Samba to assign a UID and GID from a pool of reserve numbers and create a home directory automatically under /home/winnt for this foreign user. This will (hopefully) allow jdoe to walk up to the Linux machine, log in and use it to run X applications, without ever having been manually configured on it.

This guide assumes that you already have a Windows ADS running. First verify a few things on the Windows ADS machine and note that the NETBIOS work group must be uppercase:

NETBIOS Workgroup:  YOURWORKGROUPNAME
Domain name: example.com
Fully qualified domain host name: msads.example.com
User name defined in ADS: jdoe
User password: jdoe123
User primary group: winusergrp
Administrator name: Administrator
Administrator password: Supersecret

This illustrates some weird points. Rather confusingly, the MS Windows NETBIOS work group, is also referred to as the domain name in MS Windows documentation. The NETBIOS work group is actually used more often than the real domain name, so when in doubt, use the NETBIOS work group, since it will usually be the correct one for the occasion.

The MS Windows user name, will become work group+user name on Linux, and the Windows primary group, will become the work group+group name on Linux.

Kerberos

Kerberos is configured in the file /etc/krb5.conf. Verify the following lines and not the UPPERCASE domain name:

[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = 
  {
  kdc = msads.example.com>
  }
[domain_realms]
.kerberos.server = EXAMPLE.COM

Note that Kerberos requires that the clocks of the machines in the domain are synchronized in time. The default maximum skew allowed is 5 minutes. Windows and Linux handle times differently. UNIX is UTC based, and Windows is local time zone based, so be careful. Configuring NTP is necessary, but is also beyond the scope of this document.

Nsswitch [[Configuration~|Configuration]

Verify the following lines in /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind

You may need to run ldconfig to set up the winbind libraries:

user@comp# ldconfig -v |grep winbind

Since nothing was working at the time, I cannot tell whether that was really a required step.

Samba Configuration

Here's the [global] section from smb.conf:

[global]
workgroup = YOURWORKGROUPNAME
realm = EXAMPLE.COM
preferred master = no
server string = Samba Server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir /home/winnt/%D/%U
template shell = /bin/false
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
password server = msads.example.com

The /bin/false shell will prevent foreign domain users from opening a command shell and is recommended for security.

The default Windind separator is a backslash, but that doesn't work well, since it is a reserve character on UNIX/Linux. The general rule is to change it to a '+'.

Ethernet Configuration

You have to set the ADS machine as (one of) the DNS in /etc/resolv.conf, to enable the Linux machine to find the Kerberos and LDAP servers on the ADS. Verify the ethernet and DNS setting with ifconfig and nslookup.

Join the Domain

First restart the network and Samba:

user@comp # service network restart
user@comp # service smb restart

Verify that smbd and nmbd are running with

user@comp # ps e

Try to join the Windows Domain:

user@comp # net ads join -S msads.example.com -U administrator%Supersecret

You should get the message: "Joined LINUXMACHINE to realm EXAMPLE.COM", at which point most joyful celebrations are in order.

You can now start the Winbind daemon with the maximum debug information:

user@comp # winbindd -d 10

Watch /var/log/messages for errors:

user@comp # tail -f /var/log/messages

You can investigate the domain records with:

user@comp # wbinfo -u
user@comp # whinfo -g
user@comp # getent password
user@comp # getent group

With those utilities, you should be able to see the user names and groups in the domain that you just joined. User YOURWORKGROUPNAME+jdoe and the group YOURWORKGROUPNAME+winusergrp should be listed.

Kerberos and error messages

If you get the message: Cannot find KDC for requested realm, then either the password server in smb.conf is wrong, or the DNS setting in resolv.conf is wrong.

If you get the message: KRB5 error code 68 while getting the initial credentials, then the Linux machine can talk to the ADS machine, but your Kerberos realm name in smb.conf is wrong.

If you get the message: The workgroup in smb.conf does not match the short domain name obtained from the server, then you did not specify the NETBIOS name properly.

--
Butch Whitby