Introduction
Red Hat Enterprise Linux systems generally authenticate against Active Directory using Samba Winbind. The same result can be achieved with LDAP and Kerberos; the method is explained below.
Scenario
In this example, the domain is example.com. Other details from the Windows side are as follows:
Windows Domain: EXAMPLE.COM
Hostname: WINDOWS.EXAMPLE.COM
Windows Active Directory Ipaddress: 192.168.128.12
Windows Standard Edition 2003
This also assumes that DNS for the domain example.com is running on the Active Directory (AD) server.
Details from the Red Hat Enterprise Linux side are as follows:
Red Hat Enterprise Linux System: Red Hat Enterprise Linux 4 Update 5
Hostname: RHEL-System
Red Hat Enterprise Linux system ip address: 192.168.128.13
Requirements
Requirements on Windows AD:
Install SFU.
Since the Red Hat Enterprise Linux system authenticates to Windows AD using LDAP and Kerberos, Windows AD must have "Services For Unix (SFU)" installed and running.
Windows Services for Unix is provided by Microsoft and allows integrating Windows with existing UNIX/Linux based environments. For more information on SFU, refer to the manuals and articles below.
http://technet.microsoft.com/en-us/interopmigration/bb380242.aspx
http://support.microsoft.com/kb/300496
http://www.microsoft.com/windows/sfu/docs/sfuwp.doc
Running NTP server.
This is not compulsory, but both the Red Hat Enterprise Linux system and Windows AD should sync time from the same time source. If the time on the Windows AD or the Red Hat Enterprise Linux box is not synchronized, make sure there is no large difference in system time between them. Syncing with a time server avoids clock skew errors.
DNS services.
Either the Red Hat Enterprise Linux box can be a DNS client of the Windows AD domain, or, if there is a centralized DNS server, both the Red Hat Enterprise Linux system and Windows AD can be clients of that DNS server. On the Red Hat Enterprise Linux system, make sure that the Windows domain is resolvable.
Configuring Users and Groups on Windows AD
Configure user accounts and groups so that users can log on across both Windows and UNIX/Linux environments as follows.
Start the MMC Active Directory Users and Computers snap-in (dsa.msc from the command line) and select a group that the users who can log on to both Windows and UNIX/Linux systems belong to (e.g., Domain Users).
Right-click and select Properties from the menu. Select the UNIX Attributes tab. From the NIS Domain drop-down list, select the NIS domain.
In the GID field, enter a unique number between 0 and 65535. Conventionally, numbers below 100 are reserved for special groups. Starting with 10000 is recommended. Repeat this step for each group that UNIX and Linux users will belong to.
Select a user who will log on to UNIX and Linux systems, right-click the user's name, and select Properties from the menu. Click the Account tab and make sure that the user's logon name is valid for UNIX environments (typically eight or fewer alphanumeric characters: a-z, A-Z, and 0-9). If the logon name isn't valid, change it and click Apply before proceeding.
Click the Member Of tab and ensure that the user is a member of one of the groups that you configured to be visible to Server for NIS
Click the UNIX Attributes tab and select the NIS domain. The UID field is populated automatically beginning with 10001, and each new user configured for Server for NIS will have this field incremented by one. Enter the name of the user's default shell (/bin/bash) and the user's home directory (/home/username, for example).
Then select the user's primary group name or GID from the drop-down list, which will be populated with the groups that were configured earlier.
Requirements on Red Hat Enterprise Linux
Packages to be installed:
nss_ldap
krb5-libs
ntp
Integration
Run authconfig on the Red Hat Enterprise Linux system. Under "User Information" select "Use LDAP", and under "Authentication" select "Use MD5 Passwords", "Use Shadow Passwords" and "Use Kerberos", then click Next. Under LDAP Settings, enter the Windows server IP address and the base DN:
Server: 192.168.128.12
Base DN: dc=example,dc=com
Kerberos Settings:
Realm: EXAMPLE.COM [capital letters are compulsory]
KDC: 192.168.128.12:88
Admin Server: 192.168.128.12:749
Obtain and cache kerberos ticket on the Red Hat Enterprise Linux system from the AD Kerberos Server:
#kinit Administrator@EXAMPLE.COM
Password for Administrator@EXAMPLE.COM:
Running authconfig as above adds the appropriate Kerberos and LDAP PAM modules to the system-auth file:
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
session optional /lib/security/$ISA/pam_ldap.so
Bind to Active Directory as a particular user so that the account information can be read and its POSIX attributes mapped. Edit /etc/ldap.conf and specify the following (the directive for the bind password is bindpw):
binddn cn=username,cn=Users,dc=example,dc=com
bindpw Password
Note: The username in the above line is a Windows user that has UNIX attributes; specify any of the users created earlier. Since Active Directory is also an LDAP server, the users created are available under "cn=Users,dc=example,dc=com" and groups are available under "ou=Groups,dc=example,dc=com".
Map the password, shadow, and group files to Active Directory users, groups and attributes. Edit /etc/ldap.conf to include the below lines.
nss_base_passwd cn=Users,dc=example,dc=com?one
nss_base_shadow cn=Users,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
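A small checker for the /etc/ldap.conf fragment above, added here as an example and not part of the original article or of nss_ldap: it parses the key/value format, verifies that the SFU attribute mappings and base DNs are well formed, and flags a bind DN combined with ssl no, since that sends the bind password over the network in clear. The sample fragment is constructed and deliberately reproduces the two typos a copy of the fragment above could contain.

```python
"""Checker for the nss_ldap /etc/ldap.conf fragment that maps SFU attributes (added example)."""
import re

# posixAccount attribute -> AD/SFU attribute the article maps it to.
REQUIRED_MAPS = {"uid": "sAMAccountName", "uidNumber": "msSFU30UidNumber",
                 "gidNumber": "msSFU30GidNumber", "loginShell": "msSFU30LoginShell"}
DN_RE = re.compile(r"^(cn|ou|dc)=[^,]+(,(cn|ou|dc)=[^,]+)*$", re.I)

def parse_ldap_conf(text):
    """Return (key, value) pairs in file order; nss_map_* keys may repeat."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries

def check_ldap_conf(text):
    """Return a list of findings; an empty list means the fragment looks sane."""
    entries = parse_ldap_conf(text)
    keys = {k for k, _ in entries}
    findings = []
    if "bindpwd" in keys:  # common typo for the bindpw directive
        findings.append("'bindpwd' is not a directive, use 'bindpw'")
    if "binddn" in keys and ("ssl", "no") in entries:
        findings.append("binddn with 'ssl no': the bind password crosses the wire in clear")
    for k, v in entries:
        if k.startswith("nss_base_") and not DN_RE.match(v.split("?")[0]):
            findings.append(f"{k}: malformed base DN '{v.split('?')[0]}'")
    maps = dict(v.split() for k, v in entries
                if k == "nss_map_attribute" and len(v.split()) == 2)
    for posix, ad in REQUIRED_MAPS.items():
        if maps.get(posix) != ad:
            findings.append(f"nss_map_attribute {posix} should map to {ad}")
    return findings

# Constructed sample: the article's fragment with 'bindpwd' and 'ec=' typos left in.
SAMPLE = """\
binddn cn=username,cn=Users,dc=example,dc=com
bindpwd Password
nss_base_passwd cn=Users,dc=example,dc=com?one
nss_base_group ou=Group,ec=example,dc=com?one
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
ssl no
"""
```

Running check_ldap_conf(SAMPLE) reports the bindpwd typo, the cleartext bind and the malformed nss_base_group DN; once those are corrected and ssl is set to start_tls the list is empty.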
Check to see if users and groups created in Active Directory with Unix Attributes are seen on Linux using getent passwd and getent group commands. These should return lists of the users and groups.
Try logging in as a Windows user on the console.
Since the user won't have a home directory, the login will drop into the / directory. This is expected behavior. Use the pam_mkhomedir.so module so that a home directory is created automatically the first time a user logs in, by adding the line below to the session section:
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022