Linux Integration with MS Active Directory
Linux integrates well with Microsoft Active Directory using Samba Winbind, Kerberos, and PAM modules. A Linux server can be set up to accept logins with Windows (domain) credentials, mount network drives automatically based on those Active Directory credentials, and manage sessions with Kerberos tickets. Note that applications such as Firefox must support Kerberos and be configured for it before they will make use of the session's tickets. This guide assumes that the Active Directory domain controller is also the Kerberos KDC, which is the normal case (every AD domain controller runs a KDC).
Package requirements (tested on Red Hat Enterprise Linux 5):
RPM packages:
- krb5-libs
- krb5-workstation
- krb5-devel
- krb5-auth-dialog
- pam_krb5
- samba
- samba-common
- samba-client
- system-config-samba
- pam_smb
- gnome-vfs2-smb
Built from source (pam_mount 1.x depends on libHX):
- libHX-3.2
- pam_mount-1.33
SAMBA
Create file “/etc/samba/smb.conf”:
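# Samba/Winbind member-server configuration for an Active Directory domain.
# Placeholders: WORKGROUP (NetBIOS domain name), AD-SERVER.TLD (domain
# controller FQDN), YOUR.TLD (Kerberos realm = the AD DNS domain, upper-case),
# WINDOWS-MACHINE-NAME (this host's NetBIOS name).
[global]
workgroup = WORKGROUP
password server = AD-SERVER.TLD
# Kerberos realm: upper-case (realm names are case-sensitive) and identical to
# default_realm in /etc/krb5.conf
realm = YOUR.TLD
security = ads
# UID/GID range reserved for domain accounts; must not overlap local accounts
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# Every domain user mapped by winbind gets an interactive shell on this host.
# Nothing in this file restricts who may log in; do that with pam_access
# (/etc/security/access.conf) or pam_winbind's require_membership_of.
template shell = /bin/bash
# Users log in as "user" rather than "WORKGROUP\user"; beware of collisions
# with a local account of the same name.
winbind use default domain = true
# Allow logons while the DC is unreachable; winbind caches credential hashes
# locally for this, so protect /var/lib/samba accordingly.
winbind offline logon = true
# Listen only on the internal interface, not on every address of the box
interfaces = eth0 lo
bind interfaces only = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
encrypt passwords = yes
# Full user/group enumeration via getent; convenient but slow on large domains
winbind enum groups = yes
winbind enum users = yes
winbind cache time = 1800
domain master = no
time server = yes
passdb backend = tdbsam
netbios name = WINDOWS-MACHINE-NAME
printcap name = cups
cups options = raw
# NOTE(review): maps any logon with an unknown username to the guest account.
# No share below sets "guest ok", so guest cannot reach a share, but this still
# permits anonymous session setup; drop the line unless guest access is needed.
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
# Renew the Kerberos TGT obtained at login before it expires
winbind refresh tickets = yes

[homes]
comment = Home Directories
# Only the owner of the home directory may connect, with or without the
# DOMAIN<separator> prefix
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700

[users]
comment = All users
# Writable by every authenticated domain user; only the Unix permissions under
# /home keep users out of each other's directories. Consider a "valid users"
# list if this share is not actually needed by everyone.
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
# Only members of ntadmin and root may upload printer drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775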
KERBEROS
Create file “/etc/krb5.conf”:
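# Kerberos client configuration pointing at the Active Directory KDC.
# YOUR.TLD is the realm (the AD DNS domain in upper case; realm names are
# case-sensitive), AD-SERVER.TLD the domain controller's FQDN.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Must be identical to "realm" in /etc/samba/smb.conf
default_realm = YOUR.TLD
dns_lookup_realm = true
# Locate KDCs through the DNS SRV records that AD publishes; the [realms]
# entry below is the fallback
dns_lookup_kdc = true
# Requested lifetimes; the KDC caps them at the domain policy (AD defaults:
# 10 h ticket, 7 d renewal). A long-lived TGT stays usable that long if stolen,
# so do not request more than the domain will grant anyway.
ticket_lifetime = 10h
renew_lifetime = 7d
# Forwardable TGTs can be delegated to any service you authenticate to
# (needed e.g. for credential delegation over SSH); set to no if unused.
forwardable = yes

[realms]
# Keyed by the realm name, not by the KDC host name
YOUR.TLD = {
kdc = AD-SERVER.TLD
# AD has no kadmin service; this entry is unused but harmless
admin_server = AD-SERVER.TLD
# DNS domain of the hosts in this realm (only used for Kerberos 4 name
# conversion, which is disabled below)
default_domain = your.tld
}

[domain_realm]
.your.tld = YOUR.TLD
your.tld = YOUR.TLD

[appdefaults]
pam = {
debug = false
# pam_krb5 overrides, in seconds (36000 s = 10 h)
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}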
Automount CIFS shares (U-Drive)
Create (or edit) the file “/etc/pam.d/system-auth-ac”. Note that authconfig regenerates this file and silently overwrites manual edits, so re-apply the changes below after any authconfig run. The pam_mount volume definitions (which CIFS share to mount, and where) live in pam_mount's own configuration file and are not covered on this page.
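#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# Stack order: local Unix accounts first, then Kerberos (AD), then Winbind
# (cached logons when the DC is unreachable). pam_mount is placed first in the
# auth phase so that it sees the password it later uses to mount the share.
auth        required      pam_mount.so
auth        required      pam_env.so
# no "nullok": a local account with a blank password must not be able to log in
auth        sufficient    pam_unix.so try_first_pass
# system accounts (uid < 500) are never authenticated against the domain
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

# pam_access enforces /etc/security/access.conf: this is the place to limit
# which domain users or groups may log in, since winbind otherwise gives
# every domain user a shell on this host.
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
# "nullok" removed here as well so a blank password is rejected in both phases.
# md5 is kept for RHEL 5 compatibility; prefer sha512 where pam_unix supports it.
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# umask=0077: home directories created at a user's first domain logon are
# private (pam_mkhomedir's default umask would make them world-readable)
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
# Mounts the CIFS volume(s) defined in pam_mount's config with the captured password
session     optional      pam_mount.so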
Restart the affected daemons (smb and winbind) and test. Logins will only succeed once the host has been joined to the domain and winbind has been enabled in /etc/nsswitch.conf; both are prerequisites not covered on this page.
If something fails, check the Samba and Kerberos logs configured above before changing anything else.
Read the Winbind/Samba and Kerberos documentation in detail.