Fedora Linux Support Community & Resources Center
#1
11th April 2007, 06:25 PM
Shan_VanWagner
Registered User
Join Date: Apr 2007
Location: Seattle USA
Posts: 7
Fedora 6 Integration into Active Directory

Fedora 6 LDAP / Kerberos Auth to Active Directory on Windows Srvr 2003 R2
Tested by Shannon VanWagner

Problem
Connecting Fedora 6 to a Windows Srvr 2003 R2
DC for auth and uid/gid sync with AD.


Solution
Configure Fedora 6 to use LDAP, Samba,
and Kerberos to auth with Windows Srvr 2003 R2
DC with Identity Mgmt for UNIX.

Here's How:

1.) On Windows Server 2003 R2 DC - enable "Identity Management for UNIX"
via Add/Rmv Programs > Add Win Components > AD Services > Identity
Mgmt for UNIX (reboot req'd). This will add the UNIX Properties tab
to user accounts in AD that will allow you to control the UID, primary
group GID, NIS Server setting, home dir location, and user shell setting.

2.) Create a user in AD to use for authenticating via LDAP from the
Fedora 6 client. Make this user a primary member of Domain Guests for
security.

3.) For any Win user that logs into the Fedora 6 machine, modify the
"UNIX Attributes" tab for the user's account in AD. Do this via the
Users and Computers mgmt console for AD. Be sure to add a unique UID
for the user, set the primary linux group, set home folder, and set
default shell via the "UNIX Attributes" tab for each user.

4a.) On the Fedora 6 client ensure that you have installed
these packages:
• gnome-vfs2-smb (as applicable)
• mtools (as applicable)
• nss
• nss-tools (as applicable)
• nss_ldap
• openldap
• openldap-clients
• pam
• pam_ccreds
• pam_krb5
• pam_ldap
• pam_smb
• pam_pkcs11
• samba
• system-config-samba
• samba-common
• samba-client


4b.) On the Fedora 6 client setup config files as follows,
replacing items such as "coolcompany.com" with values specific to your
env.

The example config files below assume the following:
The Fedora Machine to be auth'ed to AD is
hostname = fedrh-mach
ip addr = 10.10.10.100

The Win 2003 R2 DC is
hostname = coolw2k3r2-dc
ip addr = coolw2k3r2-dc

The special ldap query windows user is
user = cool-ldap-user
win password = custpassword

The "set" cmd in Windows shows
USERDNSDOMAIN = COOLCOMPANY.COM
USERDOMAIN = COOL

The domain "WINS" Server is
ip addr = 10.10.10.6


############
#/etc/hosts
############
::1 fedrh-mach localhost.COOLCOMPANY.COM localhost
127.0.0.1 localhost
127.0.0.2 fedrh-mach.COOLCOMPANY.COM fedrh-mach
10.10.10.5 coolw2k3r2-dc.COOLCOMPANY.COM coolw2k3r2-dc


############
#/etc/krb5.conf for connecting with Windows Server 2003 R2
############
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[libdefaults]
ticket_lifetime = 24000
default_realm = COOLCOMPANY.COM

default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5

[realms]
COOLCOMPANY.COM = {
kdc = coolw2k3r2-dc.coolcompany.com
admin_server = coolw2k3r2-dc.coolcompany.com
default_domain = COOLCOMPANY.COM
}

[domain_realm]
.coolcompany.com = COOLCOMPANY.COM
coolcompany.com = COOLCOMPANY.COM


############
#/etc/ldap.conf for connecting with Server 2003 R2 Only
############
host 10.10.10.5
base dc=coolcompany,dc=com
uri ldap://coolw2k3r2-dc.coolcompany.com/
binddn cn=cool-ldap-user,cn=Users,dc=coolcompany,dc=com
bindpw custpassword
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=coolcompany,dc=com?sub
nss_base_shadow dc=coolcompany,dc=com?sub
nss_base_group dc=coolcompany,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap


############
# /etc/nsswitch.conf
############

passwd: files ldap
shadow: files ldap
group: files ldap

hosts: files dns wins
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files


############
#/etc/samba/smb.conf file
############
[global]
server string = %h
workgroup = COOL
realm = COOLCOMPANY.COM
security = ads
encrypt passwords = yes
use kerberos keytab = true
password server = coolw2k3r2-dc.coolcompany.com
netbios name = fedrh-mach
winbind use default domain = yes
winbind separator = +
idmap uid = 1000-59999
idmap gid = 1000-59999
winbind enum users = yes
winbind enum groups = yes
deadtime = 3
winbind cache time = 300
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap backend = ad
ldap idmap suffix = dc=coolcompany,dc=com
ldap admin dn = cn=cool-ldap-user,cn=Users,dc=coolcompany,dc=com
ldap suffix = dc=coolcompany,dc=com
dns proxy = no
domain master = no
preferred master = no
max log size = 100
log file = /var/log/samba/%m.log
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
wins server = 10.10.10.6
usershare allow guests = no
case sensitive = no
preserve case = no
[admin]
comment = Admin Access
path = /
valid users = COOL+Administrator
admin users = COOL+Administrator
read only = No
create mask = 0600
directory mask = 0700
browseable = No
inherit permissions = Yes
[homes]
comment = Home Directories
path = /home
valid users = %S, %D%w%S
admin users = COOL+Administrator
read only = No
inherit acls = Yes
inherit permissions = Yes
create mask = 0600
directory mask = 0700
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775


############
#/etc/pam.d/system-auth config file
############
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_krb5.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_krb5.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel


############
#/etc/pam.d/su config file
############
#%PAM-1.0
#Comment the line below to force passwd prompt for su
#auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_selinux.so open
session optional /lib/security/$ISA/pam_xauth.so

5a.) Set Fedora mach clock to within 5 min of AD server.

5b.) Run the following commands to set up the Fedora 6 machine for AD:
getent passwd (You should see local users only)
kdestroy (Destroys previous krb ticket)
kinit domain-admin-user@COOLCOMPANY.COM (Creates krb ticket)
klist (View krb Ticket)
net ads join -U domain-admin-user@COOLCOMPANY.COM (Joins the machine to domain)
kdestroy (Destroy admin krb ticket)
/etc/init.d/smb stop
/etc/init.d/winbind stop
chkconfig smb on
chkconfig winbind on
chkconfig nscd off
/etc/init.d/smb start
/etc/init.d/winbind start
smbpasswd -w somepassword (where "somepassword" is the ldap query user's passwd)
getent passwd (The output should list domain users)
getent group (Should output domain and local groups)
wbinfo -u (Should list domain users)
wbinfo -g (Should list domain groups)
su <winuser-with-UNIX-Attribs> (should prompt for passwd and create a home dir for the user)

6.) After you are able to su to a windows user, reboot the machine and then login to
the system as a windows user (use a user with UNIX attribs enabled) to test.

NOTE: If you happen to get locked out, reboot in single user
mode, then edit your nsswitch.conf, removing "ldap" for passwd,group,shadow.

Good Luck! -Shannon VanWagner

Related Material
http://www.suseforums.net/index.php?showtopic=18932
http://forums.suselinuxsupport.de/in...=0#entry224708
http://blog.scottlowe.org/2007/03/22...ive-directory/
http://forums.fedoraforum.org/archiv...p/t-29825.html
http://www.redmondmag.com/columns/ar...itorialsID=858

Last edited by Shan_VanWagner; 11th April 2007 at 06:31 PM. Reason: Remove smileys
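Before rolling a configuration like the one in this post out to more machines, it is worth auditing it for the two weak spots it carries: the ldap.conf disables SSL and keeps the bind password in cleartext, and the krb5.conf enctype lists include single-DES types. The script below is an added example, not part of the original post or of any of the projects involved; the sample configuration text it audits is constructed from the post's example values, and the function names (audit_ldap_conf, audit_krb5_conf, ldap_findings, krb5_findings, ldap_conf_mode_ok) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit ldap.conf and krb5.conf
# settings of the kind the guide uses for weak transport and crypto choices.
# The two sample configs below are constructed from the post's example values.

SAMPLE_LDAP_CONF='host 10.10.10.5
base dc=coolcompany,dc=com
uri ldap://coolw2k3r2-dc.coolcompany.com/
binddn cn=cool-ldap-user,cn=Users,dc=coolcompany,dc=com
bindpw custpassword
ssl no
referrals no'

SAMPLE_KRB5_CONF='[libdefaults]
default_realm = COOLCOMPANY.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5'

# audit_ldap_conf: reads nss_ldap/pam_ldap ldap.conf text on stdin and prints
# one finding per line. "ssl no" together with a plain ldap:// URI means the
# bind password and every user/group lookup cross the network in cleartext.
audit_ldap_conf() {
    awk '
        $1 == "ssl" && $2 == "no" {
            print "LDAP-PLAINTEXT: ssl no - bind password and lookups are unencrypted; use ssl start_tls or an ldaps:// uri"
        }
        $1 == "uri" && $2 ~ /^ldap:\/\// {
            print "LDAP-URI: " $2 " is ldap:// rather than ldaps://"
        }
        $1 == "bindpw" {
            print "LDAP-BINDPW: cleartext bind password in ldap.conf - keep the file root-readable only, or use rootbinddn with /etc/ldap.secret"
        }'
}

# audit_krb5_conf: reads krb5.conf text on stdin and flags enctypes.
# Single-DES (des-cbc-*) is broken and should be dropped. RC4
# (arcfour-hmac-md5) is legacy, but a Windows Server 2003 DC does not offer
# AES, so it has to stay until the DCs are upgraded; it is reported separately.
audit_krb5_conf() {
    awk '
        $1 ~ /^default_(tkt|tgs)_enctypes$/ {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^des-cbc-/)
                    print "KRB5-WEAK: " $1 " lists single-DES type " $i
                else if ($i == "arcfour-hmac-md5")
                    print "KRB5-LEGACY: " $1 " lists RC4 type " $i " (still required by Win2003 DCs)"
            }
        }'
}

# Wrappers over the constructed samples. Against real files run:
#   audit_ldap_conf < /etc/ldap.conf ; audit_krb5_conf < /etc/krb5.conf
ldap_findings() { printf '%s\n' "$SAMPLE_LDAP_CONF" | audit_ldap_conf; }
krb5_findings() { printf '%s\n' "$SAMPLE_KRB5_CONF" | audit_krb5_conf; }

# ldap_conf_mode_ok PATH: succeeds only when the file carries no "other"
# permission bits, i.e. the bindpw in it is not readable by every local user.
# Uses ls -l columns 8-10 (the "other" rwx field) so it works on any POSIX ls.
ldap_conf_mode_ok() {
    others=$(ls -ld "$1" | cut -c8-10) || return 1
    [ "$others" = "---" ]
}

ldap_findings
krb5_findings
```

Run it as a plain sh script; each finding line starts with a fixed tag so the output can be grepped or fed into a configuration-compliance check, and `ldap_conf_mode_ok /etc/ldap.conf` gives a pass/fail exit status for the file permission.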
#2
11th April 2007, 07:35 PM
SlowJet
Registered User
Join Date: Jan 2005
Posts: 5,048
Good reference. You should move this to the How-TO section.

Just one question. Where can I D/L this Windows Server 2003 software?

Just a little LDAP AD humor.

SJ
__________________
Do the Math
#3
11th April 2007, 07:36 PM
sentry
Registered User
Join Date: Jul 2005
Posts: 591
Very nice guide!
#4
11th April 2007, 08:18 PM
Shan_VanWagner
Registered User
Join Date: Apr 2007
Location: Seattle USA
Posts: 7
To SlowJet...

*Laughing*... very good... M$ should make Server 2003 free as far as I'm concerned if they want to stay in the race!! (check out http://digg.com/linux_unix/The_rise_of_Linux_finally). Unfortunately I'm not in control of which flavor of LDAP server we're allowed to use in my organization, so this post is for all the poor greasies like me who have to deal with an interoperable (or not so much so) environment like mine!

Last edited by Shan_VanWagner; 11th April 2007 at 08:28 PM.
#5
11th April 2007, 11:12 PM
bseltzer
Registered User
Join Date: Oct 2006
Location: E. San Francisco Bay Area
Posts: 194
Quote:
Originally Posted by Shan_VanWagner
To SlowJet...

*Laughing*... very good... M$ should make Server 2003 free as far as I'm concerned if they want to stay in the race!! (check out http://digg.com/linux_unix/The_rise_of_Linux_finally). Unfortunately I'm not in control of which flavor of LDAP server we're allowed to use in my organization, so this post is for all the poor greasies like me who have to deal with an interoperable (or not so much so) environment like mine!
Have you looked at the Centrify DC product? You don't need R2 and it makes no changes to the AD schema.

I'm currently running a pilot with this solution, and so far it's been impressive. It also allows joining Mac OS X, Solaris and several other *NIX platforms to AD. Admin rights can be delegated and group policy can be pushed on a single host or entire OU basis.

It isn't free, but then as has already been pointed out, neither is Win2K3

Regards,
Bert
__________________
Those who dance are often mistaken for insane
By those who cannot hear the music...
#6
7th May 2007, 04:03 PM
The_Jaymz
Registered User
Join Date: Mar 2005
Location: Mobile, Alabama, USA
Age: 36
Posts: 342
Thanks for this howto. I'm working with CentOS 5. Looking here because their forum is kinda dead. I've got the server joined to the domain, but if I try to use Putty to ssh in as a windows user, Putty just closes. I do NOT have Identity Management for UNIX installed on the Windows side. Any ideas?
#7
8th May 2007, 06:47 AM
Shan_VanWagner
Registered User
Join Date: Apr 2007
Location: Seattle USA
Posts: 7
The_Jaymz, have you tried logging in locally to the machine - does that work? Also, check out your /etc/ssh/sshd.conf file to ensure the "UsePAM no" directive is set to "UsePAM yes".

Good luck.
Shannon VanWagner
#8
9th May 2007, 01:04 AM
The_Jaymz
Registered User
Join Date: Mar 2005
Location: Mobile, Alabama, USA
Age: 36
Posts: 342
I did try logging in locally, but it didn't work. I put SLES on that machine today and followed your steps on their site with no luck. I'm going back to CentOS tomorrow and will try again. Here's a bit more about the system:

Windows Server 2003 R2 w/ SP2 - DC with Terminal Services will run an application that needs to connect to a DB2 database on the Linux server. The users will log into the Windows server with RDP, and then start the application. They will then log into the application which is really logging into DB2... which authenticates against AD. I'll have to jump through hoops backwards to get Identity Management for UNIX installed on the Windows side. Is that component absolutely necessary?
Thanks for your help.
#9
9th May 2007, 08:12 AM
Shan_VanWagner
Registered User
Join Date: Apr 2007
Location: Seattle USA
Posts: 7
The_Jaymz,

Unfortunately yes - the Windows Server will need to have the Unix Identity Management feature enabled. Activating this component adds a "Unix Attributes" tab to the users' dialog in AD "Users and Computers", and this will allow for the mapping of usernames, passwords, gid, uid, home dir, shell, and primary group settings for your Linux users in Active Directory. As for seeing the directory - this happens with LDAP and Kerberos - but again, the AD must be enabled to use the attributes.

Shannon VanWagner
#10
11th August 2007, 05:22 AM
010878
Registered User
Join Date: Aug 2007
Posts: 1
Hey, thanks for the great article. I just want to say that I tried your steps using a Fedora 6 client and Windows 2000 Advanced Server and it works great. At first it always said "operation error" every time I tried to do net join, but after I made a little change to the krb5.conf that you gave in your article it works wonders.

Here's the part of krb5.conf that you mention in your article:

default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
aes256-cts arcfour-hmac-md5
#Line above is wrapped for the forum - put on one line!

default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
aes256-cts arcfour-hmac-md5
#Line above is wrapped for the forum - put on one line!

and I made changes to :

default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
aes-256-cts arcfour-hmac-md5

default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
aes-256-cts arcfour-hmac-md5

And I haven't even downloaded samba yet, and I don't have pam_ldap, but I installed samba-common and samba-client.

The only problem I'm having now is: is it possible, when you log in as a Windows user, to mount only that user's share folder, and if a different user logs in, to automatically unmount the previous user's share folder and mount the currently logged-in user's share folder from Windows Active Directory?

anyway thanks again for this wonderful article.
#11
3rd September 2007, 05:26 AM
Mel Wade
Registered User
Join Date: Dec 2006
Posts: 4
Bad Password/Authentication Succeeds.

I've followed this step by step. Everything works except up to the su (or any other) login. I keep getting an "incorrect password" response.

Even more odd is that I get the following in the log:

Sep 2 21:20:03 library su: pam_krb5[3131]: authentication succeeds for 'mwade' (mwade@UCASTUDENT.NET)

When trying to log in from a client, I get this in the log:

Sep 2 21:32:19 library gdm[3177]: pam_krb5[3177]: error resolving user name 'mwade' to uid/gid pair
Sep 2 21:32:19 library gdm[3177]: pam_krb5[3177]: error getting information about 'mwade'
Sep 2 21:32:24 library gdm[3177]: Couldn't authenticate user

Here's the response to the ID command:
[root@library ~]# id mwade
uid=10006(mwade) gid=10000(LinuxUser) groups=10000(LinuxUser)
I don't know if this is related, but when joining the domain I got this:
[root@library ~]# net ads join -U administrator
administrator's password:
Using short domain name -- UCASTUDENT
[2007/09/02 22:15:33, 0] libads/ldap.c:ads_get_upn(2698)
ads_get_dnshostname: No userPrincipalName attribute!
Joined 'LIBRARY' to realm 'UCASTUDENT.NET'
FYI: I'm running CentOS 5.0/K12LSTP 5.0EL

What would cause this? I've been working on this for a couple of days with several different methods of AD authentication and come up with about the same results. Could there be something on the AD side that is causing a problem?

Mel

Last edited by Mel Wade; 3rd September 2007 at 07:03 AM.
#12
4th September 2007, 03:53 AM
Mel Wade
Registered User
Join Date: Dec 2006
Posts: 4
I've got it authenticating and have narrowed down the problem. When I add in the pam_mount commands in the system-auth, it breaks:

Code:
#%PAM-1.0
#Line above is part of this file
############
#/etc/pam.d/system-auth config file
############
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_krb5.so
#auth optional pam_mount.so use_first_path
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_krb5.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel
#session optional pam_mount.so
Here is what happens when I su user

Code:
[root@library ~]# su try
Password:
reenter password:
pam_mount(readconfig.c:197) reading options_allow...
pam_mount(pam_mount.c:439) back from global readconfig
pam_mount(pam_mount.c:441) per-user configurations not allowed by pam_mount.conf
pam_mount(pam_mount.c:459) pam_sm_open_session: real uid/gid=0:0, effective uid/gid=0:0
pam_mount(readconfig.c:418) checking sanity of volume record (home)
pam_mount(pam_mount.c:474) about to perform mount operations
pam_mount(mount.c:368) information for mount:
pam_mount(mount.c:369) ----------------------
pam_mount(mount.c:370) (defined by globalconf)
pam_mount(mount.c:373) user:          try
pam_mount(mount.c:374) server:        studenta
pam_mount(mount.c:375) volume:        home
pam_mount(mount.c:376) mountpoint:    /home/try/Desktop/SaveHere2
pam_mount(mount.c:377) options:       uid=try
pam_mount(mount.c:378) fs_key_cipher:
pam_mount(mount.c:379) fs_key_path:
pam_mount(mount.c:380) use_fstab:   0
pam_mount(mount.c:381) ----------------------
pam_mount(mount.c:177) realpath of volume "/home/try/Desktop/SaveHere2" is "/home/try/Desktop/SaveHere2"
Segmentation fault
[root@library ~]#
#13
4th September 2007, 06:09 PM
Shan_VanWagner
Registered User
Join Date: Apr 2007
Location: Seattle USA
Posts: 7
#auth optional pam_mount.so use_first_path
Have you tried the above directive as:
auth optional pam_mount.so use_first_pass