This article covers Windows Server 2003 R1 only and assumes the Domain Controller role has already been added to the Windows server. A separate article for Windows Server 2003 R2 will be published.
The first part of this process is to install Microsoft Services for Unix* on the domain controller. Services for Unix can be downloaded at www.microsoft.com/downloads/details.aspx . Once SFU35SEL_EN.exe has been downloaded to a convenient location on the Domain Controller, run the self-extracting executable and extract the files to a convenient location. When extraction has finished, browse to the folder into which the setup files were extracted and run setup.exe. The install wizard walks through the installation of Services for Unix. For the purpose of this article the standard installation is chosen and the default options are accepted; users can change the defaults to better suit their environment if needed. Note that it is not necessary to specify a NIS domain name, and the field is left blank in this article. Once the install wizard has finished, reboot the domain controller. After rebooting, open the Active Directory Users and Computers tool by clicking Start -> Programs -> Administrative Tools -> Active Directory Users and Computers. In Active Directory Users and Computers, click on the Users folder in the left hand pane; this displays a listing of users and groups.
In order for Unix attributes to be applied to a user, a common group that the users belong to must be given Unix attributes first. For the purpose of this article, the Domain Users group is chosen, since all users created on the domain have Domain Users as their primary group. To apply the Unix attributes, right-click on Domain Users in the left hand pane and select Properties. Once the Domain Users Properties window is open, click on the UNIX Attributes tab and select the NIS Domain from the drop-down menu. The default GID is accepted in this case. Click Apply or OK.
Once a common group has been given Unix attributes, users can be given Unix attributes. To assign Unix attributes to a user, right-click on the desired user in the left hand pane and select Properties. In the Testuser Properties window, click the UNIX Attributes tab and select the NIS Domain from the drop-down menu. The default UID is accepted for the purpose of this article. Select the desired Login Shell, Home Directory, and Primary Group, then click Apply or OK.
To check that the Unix attributes were applied to the user, the following ldapsearch example can be run from a Unix system.
[root@virt4 ~]# ldapsearch -x -h IP.address.of.DomainController -D "cn=Administrator,cn=Users,dc=jp2k3,dc=test,dc=bogus" -b dc=jp2k3,dc=test,dc=bogus -W '(sAMAccountName=testuser)'
Where IP.address.of.DomainController is the IP address of the Domain Controller on which Services for Unix was installed in the steps above.
The output will be:
# extended LDIF
#
# LDAPv3
# base < dc=jp2k3,dc=test,dc=bogus > with scope sub
# filter: (sAMAccountName=testuser)
# requesting: ALL
#
# Testuser, Users, jp2k3.test.bogus
dn: CN=Testuser,CN=Users,DC=jp2k3,DC=test,DC=bogus
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Testuser
givenName: Testuser
distinguishedName: CN=Testuser,CN=Users,DC=jp2k3,DC=test,DC=bogus
instanceType: 4
whenCreated: 20070824175725.0Z
whenChanged: 20070824175747.0Z
displayName: Testuser
uSNCreated: 16414
uSNChanged: 16421
name: Testuser
objectGUID:: 4yrdeRvLGE2H048A086BKw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128324518455312500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAZC5WDFg4Ts3ZL7syVAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: testuser
sAMAccountType: 805306368
userPrincipalName: testuser@jp2k3.test.bogus
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=jp2k3,DC=test,DC=bogus
msSFU30Name: testuser
msSFU30UidNumber: 10001
msSFU30GidNumber: 10000
msSFU30LoginShell: /bin/bash
msSFU30Password: ABCD!efgh12345$67890
msSFU30NisDomain: jp2k3
msSFU30HomeDirectory: /home/testuser
# search reference
ref: ldap://ForestDnsZones.jp2k3.test.bogus/DC=ForestDnsZones,DC=jp2k3,DC=test
,DC=bogus
# search reference
ref: ldap://DomainDnsZones.jp2k3.test.bogus/DC=DomainDnsZones,DC=jp2k3,DC=test
,DC=bogus
# search reference
ref: ldap://jp2k3.test.bogus/CN=Configuration,DC=jp2k3,DC=test,DC=bogus
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
In the above example the msSFU30 attributes are shown; if they are not present, Services for Unix has not been installed or configured properly on the Domain Controller. Also note in the above example that the user's msSFU30Password is a placeholder string of sequential characters. In order to sync the Unix password with the NTLM password, the user's password must be changed from the domain controller before the user can log into the Unix system with the domain username and password.
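The check just described, as an added example that is not part of the original article: a small POSIX shell script that reads the LDIF printed by the ldapsearch above (saved to a file), rejoins folded lines, confirms the msSFU30 attributes nss_ldap will need are present, and flags a user whose msSFU30Password is still the Services for Unix placeholder shown in the output above.

```shell
#!/bin/sh
# Added example (not part of the original article): verify the msSFU30
# attributes in ldapsearch output. Usage: sfu_check /path/to/output.ldif
# SFU writes this placeholder until the user's password is changed on the DC
# (it is the same value that appears in the article's output).
SFU_PLACEHOLDER='ABCD!efgh12345$67890'

# unfold_ldif: LDIF folds long values onto a following line that starts with
# one space (the "ref:" lines above were folded this way). Rejoin them and
# drop "# ..." comment lines so every attribute sits on exactly one line.
unfold_ldif() {
    awk '/^#/ { next }
         /^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# ldif_attr NAME: print the first value of attribute NAME from unfolded LDIF
# on stdin (a "::" separator marks a base64 value, which is printed as-is).
ldif_attr() {
    awk -v a="$1:" 'index($0, a) == 1 { sub(/^[^:]*::? */, ""); print; exit }'
}

# sfu_check FILE: exit status is a bitmask, 1 = an msSFU30 attribute is
# missing (UNIX Attributes not applied on the DC), 2 = password placeholder.
sfu_check() {
    entry=$(unfold_ldif < "$1")
    rc=0
    for attr in msSFU30UidNumber msSFU30GidNumber msSFU30LoginShell msSFU30HomeDirectory; do
        val=$(printf '%s\n' "$entry" | ldif_attr "$attr")
        if [ -z "$val" ]; then
            echo "MISSING: $attr (UNIX Attributes not applied to this user on the DC?)"
            rc=$((rc | 1))
        else
            echo "ok: $attr = $val"
        fi
    done
    pw=$(printf '%s\n' "$entry" | ldif_attr msSFU30Password)
    if [ "$pw" = "$SFU_PLACEHOLDER" ]; then
        echo "WARN: msSFU30Password is the SFU placeholder; change the password on the DC first"
        rc=$((rc | 2))
    fi
    return $rc
}
```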
It is important to note that since Active Directory does not allow anonymous binds to its LDAP server, a bind user must be created on the domain. For the purpose of this article, a user called ldapauthuser is created. No special privileges are necessary for this user, nor are Unix attributes.
The second part of this process is to configure the Linux client to use the Domain Controller for authentication. Below is an example /etc/ldap.conf that should be changed to suit the user's environment.
host IP.address.of.DomainController
base dc=jp2k3,dc=test,dc=bogus
binddn cn=ldapauthuser,cn=Users,dc=jp2k3,dc=test,dc=bogus
bindpw secretpasswd
scope sub
ssl no
nss_base_passwd dc=jp2k3,dc=test,dc=bogus
nss_base_shadow dc=jp2k3,dc=test,dc=bogus
nss_base_group dc=jp2k3,dc=test,dc=bogus
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
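Before enabling ldap in nsswitch.conf it is worth checking the file above mechanically. The following is an added example, not part of the original article: a POSIX shell script that reads an nss_ldap /etc/ldap.conf, confirms the nss_map_attribute lines the SFU 3.5 schema needs are present, and, because bindpw is stored in cleartext, insists that the file is readable by root only. The required mapping list and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original article): sanity-check an nss_ldap
# /etc/ldap.conf written as above. Usage: ldapconf_check /etc/ldap.conf

# nss_map_attribute lines nss_ldap needs for SFU 3.5, as local:AD attribute.
REQUIRED_MAPS="uid:sAMAccountName uidNumber:msSFU30UidNumber gidNumber:msSFU30GidNumber loginShell:msSFU30LoginShell homeDirectory:msSFU30HomeDirectory"

# conf_value KEY FILE: value of the first non-comment line whose keyword is KEY
conf_value() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# map_value ATTR FILE: the AD attribute that "nss_map_attribute ATTR ..." maps to
map_value() {
    awk -v a="$1" '$1 == "nss_map_attribute" && $2 == a { print $3; exit }' "$2"
}

# ldapconf_check FILE: returns 1 if a required mapping is wrong or missing, or
# if the file holds a bindpw and is readable by group or others.
ldapconf_check() {
    f="$1"; rc=0
    for pair in $REQUIRED_MAPS; do
        attr=${pair%%:*}; want=${pair#*:}
        got=$(map_value "$attr" "$f")
        if [ "$got" != "$want" ]; then
            echo "BAD: nss_map_attribute $attr is '${got:-unset}', expected $want"
            rc=1
        fi
    done
    if [ -n "$(conf_value bindpw "$f")" ]; then
        # bindpw is stored in cleartext, so only root may read this file.
        # ls -ld prints e.g. "-rw-r--r--"; columns 5-10 are the group/other bits.
        perm=$(ls -ld "$f" | cut -c5-10)
        if [ "$perm" != "------" ]; then
            echo "BAD: $f contains bindpw but is readable by group/others (chmod 600 $f)"
            rc=1
        fi
    fi
    case "$(conf_value ssl "$f")" in
        yes|start_tls) ;;
        # informational only: a simple bind without SSL/TLS sends the bind
        # password and the users' passwords to the DC unencrypted.
        *) echo "NOTE: ssl is neither 'yes' nor 'start_tls'; binds to the DC are unencrypted" ;;
    esac
    return $rc
}
```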
After /etc/ldap.conf has been configured, edit the file /etc/nsswitch.conf. Below is an example of the portion of /etc/nsswitch.conf that must be edited to add ldap:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# ldap Use LDAP (only if nss_ldap is installed)
# nisplus or nis+ Use NIS+ (NIS version 3), unsupported
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files ldap nis
#shadow: db files ldap nis
#group: db files ldap nis
passwd: files ldap
shadow: files ldap
group: files ldap
Once ldap is added to /etc/nsswitch.conf, the file /etc/pam.d/system-auth must be edited so that a user's home directory is created if it does not already exist. Below is the required /etc/pam.d/system-auth.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
After the changes have been made to /etc/pam.d/system-auth, functionality can be tested with the id command.
[root@virt4 ~]# id testuser
uid=10001(testuser) gid=10000(Domain Users) groups=10000(Domain Users)
The commands getent passwd and getent group should also list the Domain users and groups.
Users that have had Unix attributes added to their account on the Domain Controller should now be able to log into the Red Hat system using Domain usernames and passwords.
*Note: Red Hat assumes no responsibility for the installation and configuration of Microsoft Services for Unix.