Fedora 6 Integration into Active Directory
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Shan_VanWagner Guest

    Fedora 6 Integration into Active Directory

    Fedora 6 LDAP / Kerberos Auth to Active Directory on Windows Srvr 2003 R2
    Tested by Shannon VanWagner

    Problem
    Connecting Fedora 6 to a Windows Srvr 2003 R2
    DC for auth and uid/gid sync with AD.


    Solution
    Configure Fedora 6 to use LDAP, Samba,
    and Kerberos to auth with Windows Srvr 2003 R2
    DC with Identity Mgmt for UNIX.

    Here's How:

    1.) On Windows Server 2003 R2 DC - enable "Identity Management for UNIX"
    via Add/Rmv Programs > Add Win Components > AD Services > Identity
    Mgmt for UNIX (reboot req'd). This will add the UNIX Properties tab
    to user accounts in AD that will allow you to control the UID, primary
    group GID, NIS Server setting, home dir location, and user shell setting.

    2.) Create a user in AD to use for authenticating via LDAP from the
    Fedora 6 client. Make this user a primary member of Domain Guests for
    security.

    3.) For any Win user that logs into the Fedora 6 machine, modify the
    "UNIX Attributes" tab for the user's account in AD. Do this via the
    Users and Computers mgmt console for AD. Be sure to add a unique UID
    for the user, set the primary linux group, set home folder, and set
    default shell via the "UNIX Attributes" tab for each user.

    4a.) On the Fedora 6 client ensure that you have installed
    these packages:
    gnome-vfs2-smb (as applicable)
    mtools (as applicable)
    nss
    nss-tools (as applicable)
    nss_ldap
    openldap
    openldap-clients
    pam
    pam_ccreds
    pam_krb5
    pam_ldap
    pam_smb
    pam_pkcs11
    samba
    system-config-samba
    samba-common
    samba-client


    4b.) On the Fedora 6 client setup config files as follows,
    replacing items such as "coolcompany.com" with values specific to your
    env.

    The example config files below assume the following:
    The Fedora Machine to be auth'ed to AD is
    hostname = fedrh-mach
    ip addr = 10.10.10.100

    The Win 2003 R2 DC is
    hostname = coolw2k3r2-dc
    ip addr = 10.10.10.5

    The special ldap query windows user is
    user = cool-ldap-user
    win password = custpassword

    The "set" cmd in Windows shows
    USERDNSDOMAIN = COOLCOMPANY.COM
    USERDOMAIN = COOL

    The domain "WINS" Server is
    ip addr = 10.10.10.6


    ############
    #/etc/hosts
    ############
    # Loopback stays loopback; the client's own name maps to its real address
    # (10.10.10.100 from the assumptions above) so it never resolves to 127.x.
    127.0.0.1 localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6
    10.10.10.100 fedrh-mach.COOLCOMPANY.COM fedrh-mach
    # The DC, so Kerberos and LDAP keep working even if DNS is unavailable.
    10.10.10.5 coolw2k3r2-dc.COOLCOMPANY.COM coolw2k3r2-dc


    ############
    #/etc/krb5.conf for connecting with Windows Server 2003 R2
    ############
    # The two enctype lists were wrapped by the forum in the original post;
    # each one must be a single line in the real file.
    [logging]
    # Only a local KDC/kadmind writes here; this client does not run one.
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = COOLCOMPANY.COM
    # A Server 2003 DC negotiates arcfour-hmac-md5 (RC4) or single DES; the
    # des3 and aes256 entries are accepted by MIT krb5 but a 2003 DC does not
    # offer them, so the order only matters for the first exchange.
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5

    [realms]
    COOLCOMPANY.COM = {
    kdc = coolw2k3r2-dc.coolcompany.com
    admin_server = coolw2k3r2-dc.coolcompany.com
    default_domain = COOLCOMPANY.COM
    }

    [domain_realm]
    .coolcompany.com = COOLCOMPANY.COM
    coolcompany.com = COOLCOMPANY.COM


    ############
    #/etc/ldap.conf for connecting with Server 2003 R2 Only
    ############
    # nss_ldap reads this file inside every user's process, so it has to stay
    # world-readable, and the bindpw below is visible to any local user. That is
    # why cool-ldap-user is a Domain Guests member with nothing beyond read
    # access to the directory.
    host 10.10.10.5
    base dc=coolcompany,dc=com
    uri ldap://coolw2k3r2-dc.coolcompany.com/
    binddn cn=cool-ldap-user,cn=Users,dc=coolcompany,dc=com
    bindpw custpassword
    scope sub
    bind_timelimit 15
    timelimit 15
    # "ssl no" sends the bind password and all query results in clear text. If
    # the DC has a certificate, use "ssl start_tls" plus "tls_cacertfile" instead.
    ssl no
    referrals no
    nss_base_passwd dc=coolcompany,dc=com?sub
    nss_base_shadow dc=coolcompany,dc=com?sub
    # Only groups that carry a gidNumber (UNIX Attributes set) are returned.
    nss_base_group dc=coolcompany,dc=com?sub?&(objectCategory=group)(gidnumber=*)
    # Map the RFC 2307 classes and attributes onto what Identity Management
    # for UNIX writes into AD.
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_objectclass posixGroup group
    nss_map_attribute gecos cn
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute uniqueMember member
    # Group lookups for these local accounts never go to LDAP.
    nss_initgroups_ignoreusers root,ldap


    ############
    # /etc/nsswitch.conf
    ############

    passwd: files ldap
    shadow: files ldap
    group: files ldap

    hosts: files dns wins
    networks: files dns

    services: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    netgroup: files nis
    publickey: files

    bootparams: files
    automount: files nis
    aliases: files


    ############
    #/etc/samba/smb.conf file
    ############
    [global]
    server string = %h
    workgroup = COOL
    realm = COOLCOMPANY.COM
    # Kerberos-based domain membership; "net ads join" below creates the
    # machine account and, with the keytab option, /etc/krb5.keytab.
    security = ads
    encrypt passwords = yes
    use kerberos keytab = true
    password server = coolw2k3r2-dc.coolcompany.com
    netbios name = fedrh-mach
    winbind use default domain = yes
    winbind separator = +
    idmap uid = 1000-59999
    idmap gid = 1000-59999
    winbind enum users = yes
    winbind enum groups = yes
    deadtime = 3
    winbind cache time = 300
    winbind nested groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    client use spnego = yes
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    # uid/gid come from the RFC 2307 attributes in AD, so the same numbers are
    # seen through nss_ldap and through winbind.
    idmap backend = ad
    # The three "ldap ..." entries are only consulted by ldap-based idmap/passdb
    # backends; with "idmap backend = ad" they are kept for "smbpasswd -w" only.
    ldap idmap suffix = dc=coolcompany,dc=com
    ldap admin dn = cn=cool-ldap-user,cn=Users,dc=coolcompany,dc=com
    ldap suffix = dc=coolcompany,dc=com
    dns proxy = no
    domain master = no
    preferred master = no
    max log size = 100
    log file = /var/log/samba/%m.log
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    # Unknown user names become guest; remove this if no share should ever
    # be reachable without a domain account.
    map to guest = Bad User
    wins server = 10.10.10.6
    usershare allow guests = no
    case sensitive = no
    preserve case = no
    # Exposes the whole filesystem over SMB, and "admin users" makes every file
    # operation on it run as root. Only the domain Administrator can connect;
    # drop this share entirely if it is not needed.
    [admin]
    comment = Admin Access
    path = /
    valid users = COOL+Administrator
    admin users = COOL+Administrator
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No
    inherit permissions = Yes
    [homes]
    comment = Home Directories
    # %S is the user's own share name; a bare "path = /home" would root every
    # user's home share at /home itself.
    path = /home/%S
    valid users = %S, %D%w%S
    admin users = COOL+Administrator
    read only = No
    inherit acls = Yes
    inherit permissions = Yes
    create mask = 0600
    directory mask = 0700
    [printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No
    # The local group "ntadmin" must exist for the two lines below to work.
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775


    ############
    #/etc/pam.d/system-auth config file
    ############
    #%PAM-1.0
    # User changes will be destroyed the next time authconfig is run.
    # auth: pam_krb5 is tried first (AD users); pam_unix then reuses the same
    # password (try_first_pass) for local accounts, so nobody is asked twice.
    auth required pam_env.so
    auth sufficient pam_krb5.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so

    account sufficient pam_krb5.so
    account required pam_unix.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so

    # password: this stack only changes local (pam_unix) passwords; AD users
    # change theirs on the Windows side.
    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    # Added to the original stack: lets pam_krb5 manage the user's ticket cache
    # for the session (authconfig inserts the same line).
    session optional pam_krb5.so
    # Creates the home directory on first login, mode 0700 (umask=0077).
    session required pam_mkhomedir.so umask=0077 skel=/etc/skel


    ############
    #/etc/pam.d/su config file
    ############
    #%PAM-1.0
    # pam_stack.so and the /lib/security/$ISA/ paths are the pre-Fedora-6 form;
    # "include system-auth" does the same job on Fedora 6.
    # Keep the pam_rootok line commented to force a password prompt for su,
    # which is what makes the "su <winuser>" test in step 5b meaningful.
    #auth sufficient pam_rootok.so
    auth include system-auth
    account include system-auth
    password include system-auth
    session required pam_selinux.so close
    session include system-auth
    session required pam_selinux.so open
    session optional pam_xauth.so

    5a.) Set Fedora mach clock to within 5 min of AD server.

    5b.) Run the following commands to setup the Fedora 6 machine for AD:
    getent passwd (You should see local users only)
    kdestroy (Destroys any previous krb ticket)
    kinit domain-admin-user@COOLCOMPANY.COM (Creates krb ticket; a clock skew error here means step 5a was skipped)
    klist (View krb ticket)
    net ads join -U domain-admin-user@COOLCOMPANY.COM (Joins the machine to the domain)
    kdestroy (Destroy admin krb ticket)
    /etc/init.d/smb stop
    /etc/init.d/winbind stop
    chkconfig smb on
    chkconfig winbind on
    chkconfig nscd off
    /etc/init.d/smb start
    /etc/init.d/winbind start
    smbpasswd -w custpassword (stores the "ldap admin dn" password in secrets.tdb; custpassword is the ldap query user's password from 4b)
    getent passwd (The output should list domain users)
    getent group (Should output domain and local groups)
    wbinfo -u (Should list domain users)
    wbinfo -g (Should list domain groups)
    su <winuser-with-UNIX-Attribs> (should prompt for passwd and create a home dir for the user)

    6.) After you are able to su to a windows user, reboot the machine and then login to
    the system as a windows user (use a user with UNIX attribs enabled) to test.

    NOTE: If you happen to get locked out, reboot in single user
    mode, then edit your nsswitch.conf, removing "ldap" for passwd,group,shadow.

    Good Luck! -Shannon VanWagner

    Related Material
    http://www.suseforums.net/index.php?showtopic=18932
    http://forums.suselinuxsupport.de/in...=0#entry224708
    http://blog.scottlowe.org/2007/03/22...ive-directory/
    http://forums.fedoraforum.org/archiv...p/t-29825.html
    http://www.redmondmag.com/columns/ar...itorialsID=858
    Last edited by Shan_VanWagner; 11th April 2007 at 06:31 PM. Reason: Remove smileys
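The script below is an added example and is not part of the original post, nor is it Fedora or Samba code. It checks the client-side files from steps 4b and 5b for the mistakes that show up later in this thread: a forum-wrapped enctype line or an enctype name MIT krb5 does not know (the "operation error" on net ads join), a bindpw that every local user can read in a file that also says "ssl no", an nsswitch.conf that would leave root unresolvable during the lock-out recovery in the NOTE above, and a "getent passwd" entry with empty uid/gid, home or shell fields (the "error resolving user name ... to uid/gid pair" symptom). All function names, the list of accepted enctype aliases and the file paths passed on the command line are the example author's assumptions.

```bash
#!/bin/bash
# ad-precheck.sh -- added example for this thread, not part of the original post.
# Each check prints its findings and returns their count (0 = clean).
# Usage: ad-precheck.sh /etc/ldap.conf /etc/krb5.conf /etc/nsswitch.conf [aduser]

# Print $1 without leading whitespace.
trim() { printf '%s\n' "${1#"${1%%[![:space:]]*}"}"; }

# /etc/ldap.conf: nss_ldap reads it in every user's process, so it must be
# world-readable and any bindpw in it is visible to every local user (hence the
# post's Domain Guests bind account). "ssl no" additionally sends that password
# to the DC in clear text.
check_ldap_conf() {
    local f=$1 n=0 mode
    if grep -q '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        mode=$(stat -c '%a' "$f")
        case $mode in
            *[4567]) echo "WARN: $f: bindpw readable by all local users (mode $mode); keep that account unprivileged"
                     n=$((n + 1)) ;;
        esac
    fi
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+no' "$f"; then
        echo "WARN: $f: ssl no -- the simple bind password crosses the network in clear text"
        n=$((n + 1))
    fi
    return $n
}

# /etc/krb5.conf: a continuation line left over from the forum's wrapping is
# not a "key = value" pair, and every enctype token must be a name MIT libkrb5
# accepts ("aes256-cts" is one, "aes-256-cts" is not). Assumed alias list:
KNOWN_ENCTYPES=' des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 des3-hmac-sha1 aes128-cts aes256-cts aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 arcfour-hmac arcfour-hmac-md5 rc4-hmac '
check_krb5_conf() {
    local f=$1 n=0 raw line key t
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(trim "$raw")
        case $line in
            ''|'#'*|'['*|'}'*) continue ;;
            *=*) ;;
            *) echo "WARN: $f: not a key = value pair (wrapped line?): $line"
               n=$((n + 1)); continue ;;
        esac
        key=${line%%=*}; key=${key%%[[:space:]]*}
        case $key in
            default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)
                for t in ${line#*=}; do
                    case $KNOWN_ENCTYPES in
                        *" $t "*) ;;
                        *) echo "WARN: $f: unknown enctype '$t' in $key"; n=$((n + 1)) ;;
                    esac
                done ;;
        esac
    done < "$f"
    return $n
}

# /etc/nsswitch.conf: passwd, shadow and group keep "files" first so root and
# the local accounts still resolve when the DC or the LDAP bind is broken; the
# post's lock-out recovery (drop "ldap" in single-user mode) relies on that.
check_nsswitch() {
    local f=$1 n=0 db first
    for db in passwd shadow group; do
        first=$(awk -v db="$db" '$1 == (db ":") { print $2; exit }' "$f")
        if [ "$first" != "files" ]; then
            echo "WARN: $f: $db: first source is '${first:-missing}', expected 'files'"
            n=$((n + 1))
        fi
    done
    return $n
}

# One "getent passwd <user>" line for an AD user. pam_krb5 reports "error
# resolving user name ... to uid/gid pair" when NSS cannot build a complete
# entry, which is what a user without UNIX Attributes looks like from Linux.
check_passwd_entry() {
    local name pw uid gid gecos home shell n=0
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    case $uid   in ''|*[!0-9]*) echo "BAD: ${name:-?}: uidNumber missing";         n=$((n + 1)) ;; esac
    case $gid   in ''|*[!0-9]*) echo "BAD: ${name:-?}: gidNumber missing";         n=$((n + 1)) ;; esac
    case $home  in /*) ;; *)    echo "BAD: ${name:-?}: unixHomeDirectory missing"; n=$((n + 1)) ;; esac
    case $shell in /*) ;; *)    echo "BAD: ${name:-?}: loginShell missing";        n=$((n + 1)) ;; esac
    return $n
}

# Run everything when invoked with the three config paths (and an optional user).
if [ "$#" -ge 3 ]; then
    total=0
    check_ldap_conf "$1" || total=$((total + $?))
    check_krb5_conf "$2" || total=$((total + $?))
    check_nsswitch  "$3" || total=$((total + $?))
    if [ -n "${4-}" ]; then
        entry=$(getent passwd "$4") || { echo "BAD: $4 not known to NSS"; total=$((total + 1)); }
        [ -n "$entry" ] && { check_passwd_entry "$entry" || total=$((total + $?)); }
    fi
    echo "$total finding(s)"
    [ "$total" -eq 0 ]
fi
```

Run it as root after step 4b and again after the join; a non-zero exit means at least one finding. The enctype check only validates names, it does not talk to the DC, so a clean result there still leaves the clock (step 5a) and DNS/hosts resolution to verify by hand with kinit and klist.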

  2. #2
    Good reference. You should move this to the How-TO section.

    Just one question. Where can I D/L this Windows Server 2003 software?

    Just a little LDAP AD humor.

    SJ
    Do the Math

  3. #3
    Very nice guide!

  4. #4
    Shan_VanWagner Guest
    To SlowJet...

    *Laughing*... very good... M$ should make Server 2003 free as far as I'm concerned if they want to stay in the race!! (check out http://digg.com/linux_unix/The_rise_of_Linux_finally). Unfortunately I'm not in control of which flavor of LDAP server we're allowed to use in my organization, so this post is for all the poor greasies like me who have to deal with an interoperable (or not so much so) environment like mine!
    Last edited by Shan_VanWagner; 11th April 2007 at 08:28 PM.

  5. #5
    Quote Originally Posted by Shan_VanWagner
    To SlowJet...

    *Laughing*... very good... M$ should make Server 2003 free as far as I'm concerned if they want to stay in the race!! (check out http://digg.com/linux_unix/The_rise_of_Linux_finally). Unfortunately I'm not in control of which flavor of LDAP server we're allowed to use in my organization, so this post is for all the poor greasies like me who have to deal with an interoperable (or not so much so) environment like mine!
    Have you looked at the Centrify DC product? You don't need R2 and it makes no changes to the AD schema.

    I'm currently running a pilot with this solution, and so far it's been impressive. It also allows joining Mac OS X, Solaris and several other *NIX platforms to AD. Admin rights can be delegated and group policy can be pushed on a single host or entire OU basis.

    It isn't free, but then as has already been pointed out, neither is Win2K3

    Regards,
    Bert
    Those who dance are often mistaken for insane
    By those who cannot hear the music...

  6. #6
    Thanks for this howto. I'm working with CentOS 5. Looking here because their forum is kinda dead. I've got the server joined to the domain, but if I try to use Putty to ssh in as a windows user, Putty just closes. I do NOT have Identity Management for UNIX installed on the Windows side. Any ideas?

  7. #7
    Shan_VanWagner Guest
    The_Jaymz, have you tried logging in locally to the machine - does that work? Also, check your /etc/ssh/sshd.conf file to ensure the "UsePAM no" directive is set to "UsePAM yes".

    Good luck.
    Shannon VanWagner

  8. #8
    I did try logging in locally, but it didn't work. I put SLES on that machine today and followed your steps on their site with no luck. I'm going back to CentOS tomorrow and will try again. Here's a bit more about the system:

    Windows Server 2003 R2 w/ SP2 - DC with Terminal Services will run an application that needs to connect to a DB2 database on the Linux server. The users will log into the Windows server with RDP, and then start the application. They will then log into the application which is really logging into DB2... which authenticates against AD. I'll have to jump through hoops backwards to get Identity Management for UNIX installed on the Windows side. Is that component absolutely necessary?
    Thanks for your help.

  9. #9
    Shan_VanWagner Guest
    The_Jaymz,

    unfortunately yes - the Windows Server will need to have the Unix Identity Management feature enabled. Activating this component adds a "Unix Attributes" tab to the users' dialog in AD "Users and Computers", and this will allow for the mapping of usernames, passwords, GID, UID, home dir, shell, and primary group settings for your Linux users in Active Directory. As for seeing the directory - this happens with LDAP and Kerberos - but again, the AD must be enabled to use the attributes.

    Shannon VanWagner

  10. #10
    010878 Guest
    Hey, thanks for the great article. I just want to say that I tried your steps using a Fedora 6 client and Windows 2000 Advanced Server and it works great. At first it always said "operation error" every time I tried to do net join, but after I made a small change to the krb5.conf that you gave in your article, it works wonders.

    Here's the part of krb5.conf that you mention in your article:

    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    aes256-cts arcfour-hmac-md5
    #Line above is wrapped for the forum - put on one line!

    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    aes256-cts arcfour-hmac-md5
    #Line above is wrapped for the forum - put on one line!

    and I made changes to :

    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    aes-256-cts arcfour-hmac-md5

    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    aes-256-cts arcfour-hmac-md5

    and I haven't even downloaded samba yet and I don't have pam_ldap, but I installed samba-common and samba-client.

    The only problem I'm having now is... is it possible, when you log in as a Windows user, to mount only that user's share folder, and if a different user logs in, to automatically unmount the previous user's share folder and mount the currently logged-in user's share folder from Active Directory?

    anyway thanks again for this wonderful article.

  11. #11
    Mel Wade Guest

    Bad Password/Authentication Succeeds.

    I've followed this step by step. Everything works up until the su (or any other) login. I keep getting an "incorrect password" response.

    Even more odd is that I get the following in the log:

    Sep 2 21:20:03 library su: pam_krb5[3131]: authentication succeeds for 'mwade' (mwade@UCASTUDENT.NET)

    When trying to log in from a client, I get this in the log:

    Sep 2 21:32:19 library gdm[3177]: pam_krb5[3177]: error resolving user name 'mwade' to uid/gid pair
    Sep 2 21:32:19 library gdm[3177]: pam_krb5[3177]: error getting information about 'mwade'
    Sep 2 21:32:24 library gdm[3177]: Couldn't authenticate user

    Here's the response to the ID command:
    [root@library ~]# id mwade
    uid=10006(mwade) gid=10000(LinuxUser) groups=10000(LinuxUser)

    I don't know if this is related, but when joining the domain I got this:
    [root@library ~]# net ads join -U administrator
    administrator's password:
    Using short domain name -- UCASTUDENT
    [2007/09/02 22:15:33, 0] libads/ldap.c:ads_get_upn(2698)
    ads_get_dnshostname: No userPrincipalName attribute!
    Joined 'LIBRARY' to realm 'UCASTUDENT.NET'

    FYI: I'm running CentOS 5.0/K12LSTP 5.0EL

    What would cause this? I've been working on this for a couple of days with several different methods of AD authentication and come up with about the same results. Could there be something on the AD side that is causing a problem?

    Mel
    Last edited by Mel Wade; 3rd September 2007 at 07:03 AM.

  12. #12
    Mel Wade Guest
    I've got it authenticating and have narrowed down the problem. When I add in the pam_mount commands in the system-auth, it breaks:

    Code:
    #%PAM-1.0
    #Line above is part of this file
    ############
    #/etc/pam.d/system-auth config file
    ############
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_krb5.so
    #auth optional pam_mount.so use_first_path
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so
    
    account sufficient pam_krb5.so
    account required pam_unix.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so
    
    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password required pam_deny.so
    
    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session required pam_mkhomedir.so umask=0077 skel=/etc/skel
    #session optional pam_mount.so
    Here is what happens when I su user

    Code:
    [root@library ~]# su try
    Password:
    reenter password:
    pam_mount(readconfig.c:197) reading options_allow...
    pam_mount(pam_mount.c:439) back from global readconfig
    pam_mount(pam_mount.c:441) per-user configurations not allowed by pam_mount.conf
    pam_mount(pam_mount.c:459) pam_sm_open_session: real uid/gid=0:0, effective uid/gid=0:0
    pam_mount(readconfig.c:418) checking sanity of volume record (home)
    pam_mount(pam_mount.c:474) about to perform mount operations
    pam_mount(mount.c:368) information for mount:
    pam_mount(mount.c:369) ----------------------
    pam_mount(mount.c:370) (defined by globalconf)
    pam_mount(mount.c:373) user:          try
    pam_mount(mount.c:374) server:        studenta
    pam_mount(mount.c:375) volume:        home
    pam_mount(mount.c:376) mountpoint:    /home/try/Desktop/SaveHere2
    pam_mount(mount.c:377) options:       uid=try
    pam_mount(mount.c:378) fs_key_cipher:
    pam_mount(mount.c:379) fs_key_path:
    pam_mount(mount.c:380) use_fstab:   0
    pam_mount(mount.c:381) ----------------------
    pam_mount(mount.c:177) realpath of volume "/home/try/Desktop/SaveHere2" is "/home/try/Desktop/SaveHere2"
    Segmentation fault
    [root@library ~]#

  13. #13
    Shan_VanWagner Guest
    #auth optional pam_mount.so use_first_path
    Have you tried the above directive as:
    auth optional pam_mount.so use_first_pass
