Integrate Linux with Active Directory


Linux and Active Directory

This document was written using the following software and versions on x86 hardware:

  • CentOS Linux v4.5
  • OpenLDAP 2.3.34
  • Samba 3.0.25b-33 (from Sernet RPMs)
  • MIT Kerberos 5
  • Windows Server 2003(tm) Active Directory


Configuration

The following items must be installed and configured:

  • Samba 3.0.25b+

Sample smb.conf

[global]
  workgroup = DOMAIN
  security = ads
  server string = Samba Server

  log file = /var/log/samba/%m.log
  max log size = 50
  log level = 1

  password server = *
  realm = REALM.LOCAL

  os level = 10
  local master = no
  domain master = no 
  preferred master = no

  wins support = no
  wins server = xxx.xxx.xxx.xxx
  wins proxy = no

  dns proxy = no 

  ldap admin dn = cn=idmap-admin,ou=serviceaccounts,dc=example,dc=org
  ldap suffix = dc=example,dc=org
  ldap idmap suffix = ou=Idmap

  idmap backend = ldap:"ldap://ldap-server1.example.org,ldap://ldap-server2.example.org"
  idmap gid = 150000 - 200000
  idmap uid = 150000 - 200000

  # winbind separator = '\'
  winbind use default domain = yes
  winbind nested groups = yes
  winbind enum users = yes
  winbind enum groups = yes

  # Setup home directories for AD logins
  #template homedir = /home/%D/%U
  template homedir = /tmp
  template shell = /bin/bash
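
As an added sanity check for a configuration like the one above (example code written for this page, not part of Samba), the following Python parses an smb.conf [global] section and flags the idmap and home-directory settings a reviewer would question. The sample text is a constructed copy of the relevant lines from the sample above; the 0-999 range for local system accounts is an assumption.

```python
"""Sanity-check the winbind/idmap settings of an smb.conf [global] section.

Added example for this page, not Samba code: the rules below are a
reviewer's checklist for the sample configuration, not Samba's own
testparm validation.
"""
import re

# Constructed input: the lines of the sample [global] section that the
# checks below look at (comments kept to show they are skipped).
SAMPLE_SMB_CONF = """
[global]
  workgroup = DOMAIN
  security = ads
  realm = REALM.LOCAL
  ldap admin dn = cn=idmap-admin,ou=serviceaccounts,dc=example,dc=org
  ldap suffix = dc=example,dc=org
  ldap idmap suffix = ou=Idmap
  idmap backend = ldap:"ldap://ldap-server1.example.org,ldap://ldap-server2.example.org"
  idmap gid = 150000 - 200000
  idmap uid = 150000 - 200000
  # winbind separator = '\\'
  winbind use default domain = yes
  #template homedir = /home/%D/%U
  template homedir = /tmp
  template shell = /bin/bash
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for smb.conf-style text.

    Keys are lower-cased with single spaces; '#' and ';' comment lines are
    skipped; the value is split on the FIRST '=' only, because DNs such as
    the ldap admin dn contain '=' themselves.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[" ".join(key.lower().split())] = value.strip()
    return sections


def parse_range(value):
    """'150000 - 200000' -> (150000, 200000); None if missing or malformed."""
    match = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not match:
        return None
    low, high = int(match.group(1)), int(match.group(2))
    return (low, high) if low <= high else None


def check_idmap(conf, local_id_max=999):
    """Return a list of findings for the [global] idmap/winbind settings.

    local_id_max is the top of the id range reserved for local system
    accounts; 0-999 is an assumption matching most distributions.
    """
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not 'ads': winbind will not authenticate against AD with Kerberos")
    if not g.get("realm", "").isupper():
        findings.append("realm missing or not upper case (Kerberos realm names are case-sensitive)")
    for key in ("idmap uid", "idmap gid"):
        rng = parse_range(g.get(key))
        if rng is None:
            findings.append("%s missing or malformed (expected 'low - high')" % key)
        elif rng[0] <= local_id_max:
            findings.append("%s starts inside the local system-account range (<= %d)" % (key, local_id_max))
    if g.get("idmap backend", "").startswith("ldap") and "ldap admin dn" not in g:
        findings.append("idmap backend is ldap but 'ldap admin dn' is unset (smbpasswd -w has nothing to bind as)")
    if g.get("template homedir") == "/tmp":
        findings.append("template homedir is /tmp: every AD user gets the same world-writable home directory")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```

Run against the sample, the only finding is the `template homedir = /tmp` line: every AD login then writes its dotfiles into one shared, world-writable directory, which is why the commented-out `/home/%D/%U` form is the one to use once home directories exist.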


  • nss_ldap

Sample nsswitch.conf (showing only relevant portion):

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns wins

  • pam_ldap

Note that this sample also uses LDAP authentication.

Sample /etc/pam.d/system-auth:

auth        required      /lib/security/$ISA/pam_env.so debug
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok debug
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass debug
auth        required      /lib/security/$ISA/pam_deny.so debug

account     sufficient    /lib/security/$ISA/pam_unix.so debug
account     sufficient    /lib/security/$ISA/pam_winbind.so debug

password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow debug
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok debug
password    required      /lib/security/$ISA/pam_deny.so debug

session     required      /lib/security/$ISA/pam_limits.so debug
session     required      /lib/security/$ISA/pam_unix.so debug
session     optional      /lib/security/$ISA/pam_winbind.so debug


  • nscd - occasionally causes problems; it may need to be stopped to make authentication work.
    • defaults are OK; set it to start on boot
  • kerberos 5

Sample /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REALM.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 REALM.LOCAL = {
      default_domain = realm.local
      kdc = xxx.xxx.xxx.xxx
      admin_server = xxx.xxx.xxx.xxx
}

[domain_realm]
 .kerberos.server = realm.local
 .realm.local = REALM.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
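
The Kerberos side can be checked the same way. The following Python (an added example for this page, not MIT Kerberos code) parses the brace-nested krb5.conf format and cross-checks it against the realm from smb.conf, which is passed in as a plain string rather than re-parsed. The input is a constructed copy of the [libdefaults], [realms] and [domain_realm] sections above.

```python
"""Parse krb5.conf and cross-check it against the realm in smb.conf.

Added example for this page, not MIT Kerberos code. The Samba realm is
passed in as a string (REALM.LOCAL from the sample smb.conf) instead of
being parsed from smb.conf here.
"""

# Constructed input: the [libdefaults], [realms] and [domain_realm]
# sections of the sample krb5.conf above; the other sections are not
# needed for these checks.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = REALM.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 REALM.LOCAL = {
      default_domain = realm.local
      kdc = xxx.xxx.xxx.xxx
      admin_server = xxx.xxx.xxx.xxx
 }

[domain_realm]
 .kerberos.server = realm.local
 .realm.local = REALM.LOCAL
"""

TRUE_WORDS = ("true", "yes", "1")


def parse_krb5_conf(text):
    """Return {section: {key: value}} where a value may itself be a dict.

    krb5.conf nests with braces: 'NAME = {' opens a block under NAME and a
    bare '}' closes it, so a stack of the currently open blocks is kept.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            if len(stack) > 1:          # never pop the section itself
                stack.pop()
            continue
        if not stack or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def check_krb5(conf, samba_realm):
    """Return findings for a winbind client.

    default_realm must equal the smb.conf realm; that realm needs a [realms]
    entry unless KDCs are located through DNS SRV records; and every
    [domain_realm] mapping must name a realm defined here. Realm names are
    case-sensitive, so 'realm.local' is not REALM.LOCAL.
    """
    findings = []
    lib = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = lib.get("default_realm")
    if default_realm != samba_realm:
        findings.append("default_realm %r does not match smb.conf realm %r" % (default_realm, samba_realm))
    dns_kdc = lib.get("dns_lookup_kdc", "false").lower() in TRUE_WORDS
    if samba_realm not in realms and not dns_kdc:
        findings.append("no [realms] entry for %s and dns_lookup_kdc is off: no KDC can be found" % samba_realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms and realm != default_realm:
            findings.append("[domain_realm] maps %s to %r, which is not a realm defined here" % (domain, realm))
    return findings


if __name__ == "__main__":
    for finding in check_krb5(parse_krb5_conf(SAMPLE_KRB5_CONF), "REALM.LOCAL"):
        print("WARNING:", finding)
```

On the sample it reports the `.kerberos.server = realm.local` mapping: realm names are case-sensitive, so `realm.local` is not the REALM.LOCAL realm defined in [realms]. The `.realm.local = REALM.LOCAL` line is the mapping the join actually relies on.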


An LDAP server is also required to store the ID mappings (Linux uid/gid to AD SID).

Setup an LDAP Directory for UID/GID Translation

On the LDAP server (OpenLDAP 2.3.34 in this example), the following steps must be followed:

  • Configure the server to use the Samba schema
  • Configure an equality index on SambaSID
  • Create the Idmap OU
  • Either use the root DN or create a user with permission to modify the Idmap OU; each client binds as this account (the 'ldap admin dn' in smb.conf) for directory access


Put it all together

  • Add the client to AD as a member server using the MMC or Active Directory Users and Computers
  • Create a join from the client
net ads join -U<admin>@REALM.LOCAL
  • Test the join
net ads testjoin
  • Set up the LDAP password on the client; this must be the password of the 'ldap admin dn' given in smb.conf:
smbpasswd -w <password>
  • Restart Samba and winbind
/etc/init.d/smb restart
/etc/init.d/winbind restart

Troubleshooting

Samba client is not in the same DNS domain as the AD domain:

[:root@client:] net ads join -Uuser@REALM.LOCAL
user@REALM.LOCAL's password: 
Using short domain name -- REALM
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'client' in realm 'REALM.LOCAL'
Failed to join domain: Constraint violation
  • This can be worked around by temporarily setting the hostname to one in the AD DNS domain, both with the hostname command and in the /etc/hosts file.

Samba version is too old (3.0.10 on RHEL 4):

[:root@client:] net ads join
[2007/07/31 14:01:47, 0] libads/ldap.c:ads_add_machine_acct(1405)
  ads_add_machine_acct: Host account for client already exists - modifying old account
[2007/07/31 14:01:47, 0] libads/ldap.c:ads_join_realm(1763)
  ads_join_realm: ads_add_machine_acct failed (client): Insufficient access
ads_join_realm: Insufficient access

nscd is caching the wrong information:

[:root@hostname:] net ads testjoin
[2007/08/01 09:53:49, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password HOSTNAME$@REALM.LOCAL failed: Preauthentication failed
[2007/08/01 09:53:49, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password HOSTNAME$@REALM.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
  • Restart or stop nscd to fix this issue.

Failure to set the LDAP password via smbpasswd:

Aug  1 10:36:36 hostname winbindd[12447]: [2007/08/01 10:36:36, 0] passdb/secrets.c:fetch_ldap_pw(769)
Aug  1 10:36:36 hostname winbindd[12447]:   fetch_ldap_pw: neither ldap secret retrieved!
Aug  1 10:36:36 hostname winbindd[12447]: [2007/08/01 10:36:36, 0] lib/fault.c:fault_report(41)
Aug  1 10:36:36 hostname winbindd[12447]:   ===============================================================
Aug  1 10:36:36 hostname winbindd[12447]: [2007/08/01 10:36:36, 0] lib/fault.c:fault_report(42)
Aug  1 10:36:36 hostname winbindd[12447]:   INTERNAL ERROR: Signal 11 in pid 12447 (3.0.25b-SerNet-RedHat)
Aug  1 10:36:36 hostname winbindd[12447]:   Please read the Trouble-Shooting section of the Samba3-HOWTO
Aug  1 10:36:36 hostname winbindd[12447]: [2007/08/01 10:36:36, 0] lib/fault.c:fault_report(44)
Aug  1 10:36:36 hostname winbindd[12447]: 
Aug  1 10:36:36 hostname winbindd[12447]:   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
Aug  1 10:36:36 hostname winbindd[12447]: [2007/08/01 10:36:36, 0] lib/fault.c:fault_report(45)
Aug  1 10:36:36 hostname winbindd[12447]:   ===============================================================
Aug  1 10:36:36 hostname winbindd[12447]: [2007/08/01 10:36:36, 0] lib/util.c:smb_panic(1632)
Aug  1 10:36:36 hostname winbindd[12447]:   PANIC (pid 12447): internal error
Aug  1 10:36:36 hostname winbindd[12447]: [2007/08/01 10:36:36, 0] lib/util.c:log_stack_trace(1736)
Aug  1 10:36:36 hostname winbindd[12447]:   BACKTRACE: 27 stack frames:
Aug  1 10:36:36 hostname winbindd[12447]:    #0 winbindd(log_stack_trace+0x2d) [0x3c9499]
Aug  1 10:36:36 hostname winbindd[12447]:    #1 winbindd(smb_panic+0x86) [0x3c9307]
Aug  1 10:36:36 hostname winbindd[12447]:    #2 winbindd [0x3b4628]
Aug  1 10:36:36 hostname winbindd[12447]:    #3 winbindd [0x3b4639]
Aug  1 10:36:36 hostname winbindd[12447]:    #4 /lib/tls/libc.so.6 [0x1d6898]
Aug  1 10:36:36 hostname winbindd[12447]:    #5 winbindd(smbldap_set_creds+0x9e) [0x4d7774]
Aug  1 10:36:36 hostname winbindd[12447]:    #6 winbindd [0x4f99fe]
Aug  1 10:36:36 hostname winbindd[12447]:    #7 winbindd [0x4fc259]
Aug  1 10:36:36 hostname winbindd[12447]:    #8 winbindd(idmap_init+0x8c3) [0x4f427f]
Aug  1 10:36:36 hostname winbindd[12447]:    #9 winbindd(idmap_sids_to_unixids+0x2f) [0x4f6bd3]
Aug  1 10:36:36 hostname winbindd[12447]:    #10 winbindd(idmap_sid_to_uid+0xad) [0x4f9407]
Aug  1 10:36:36 hostname winbindd[12447]:    #11 winbindd(winbindd_dual_sid2uid+0x123) [0x366995]
Aug  1 10:36:36 hostname winbindd[12447]:    #12 winbindd [0x363dd3]
Aug  1 10:36:36 hostname winbindd[12447]:    #13 winbindd [0x365806]
Aug  1 10:36:36 hostname winbindd[12447]:    #14 winbindd [0x36399d]
Aug  1 10:36:36 hostname winbindd[12447]:    #15 winbindd(async_request+0x17c) [0x363321]
Aug  1 10:36:36 hostname winbindd[12447]:    #16 winbindd [0x365a81]
Aug  1 10:36:36 hostname winbindd[12447]:    #17 winbindd(winbindd_sid2uid_async+0x83) [0x366868]
Aug  1 10:36:36 hostname winbindd[12447]:    #18 winbindd [0x33c127]
Aug  1 10:36:36 hostname winbindd[12447]:    #19 winbindd [0x3699c9]
Aug  1 10:36:36 hostname winbindd[12447]:    #20 winbindd [0x365947]
Aug  1 10:36:36 hostname winbindd[12447]:    #21 winbindd [0x363952]
Aug  1 10:36:36 hostname winbindd[12447]:    #22 winbindd [0x339e81]
Aug  1 10:36:36 hostname winbindd[12447]:    #23 winbindd [0x33abf3]
Aug  1 10:36:36 hostname winbindd[12447]:    #24 winbindd(main+0x73c) [0x33b69d]
Aug  1 10:36:36 hostname winbindd[12447]:    #25 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x1c3de3]
Aug  1 10:36:36 hostname winbindd[12447]:    #26 winbindd [0x339521]
Aug  1 10:36:36 hostname winbindd[12447]: [2007/08/01 10:36:36, 0] lib/fault.c:dump_core(181)
Aug  1 10:36:36 hostname winbindd[12447]:   dumping core in /var/log/samba/cores/winbindd
Aug  1 10:36:36 hostname winbindd[12447]:
  • Set the LDAP password using smbpasswd:
smbpasswd -w <password>
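
Each of the four failures above leaves a distinctive signature in the `net ads` output or the winbindd syslog entries. As an added example for this page (not Samba tooling), the following Python strips the syslog prefix and maps each signature to the remedy given in this section; the sample lines are constructed excerpts of the output quoted above.

```python
"""Classify net ads / winbindd failures into the cases in this section.

Added example for this page, not Samba tooling. Each signature is a regular
expression over the messages quoted above, paired with the remedy the page
gives; the sample lines are constructed excerpts of that output.
"""
import re

# (pattern, diagnosis, remedy) -- one entry per troubleshooting case above.
SIGNATURES = [
    (re.compile(r"Failed to set servicePrincipalNames"),
     "client's DNS domain differs from the AD domain",
     "temporarily set the hostname (hostname command and /etc/hosts) into the AD DNS domain, "
     "or rejoin with Domain Admin credentials"),
    (re.compile(r"ads_add_machine_acct failed .*: Insufficient access"),
     "Samba version too old (3.0.10 on RHEL 4)",
     "upgrade to Samba 3.0.25b or later"),
    (re.compile(r"kerberos_kinit_password \S+ failed: Preauthentication failed"),
     "nscd is caching stale information for the machine account",
     "restart or stop nscd, then retry net ads testjoin"),
    (re.compile(r"fetch_ldap_pw: neither ldap secret retrieved"),
     "winbind has no password for the ldap admin dn",
     "run smbpasswd -w <password> with the ldap admin dn password, then restart winbind"),
]

# 'Aug  1 10:36:36 hostname winbindd[12447]: ' as written by syslog.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ \S+\[\d+\]:\s*")


def strip_prefix(line):
    """Drop the syslog prefix if present; net ads output has none."""
    return SYSLOG_PREFIX.sub("", line).rstrip()


def diagnose(lines):
    """Return (diagnosis, remedy) pairs for each signature found, in the
    order first seen, each reported once however often it repeats."""
    hits, seen = [], set()
    for line in lines:
        body = strip_prefix(line)
        for pattern, diagnosis, remedy in SIGNATURES:
            if diagnosis not in seen and pattern.search(body):
                seen.add(diagnosis)
                hits.append((diagnosis, remedy))
    return hits


# Constructed excerpts of the outputs quoted in this section.
SAMPLE_JOIN_OUTPUT = [
    "Using short domain name -- REALM",
    "Failed to set servicePrincipalNames. Please ensure that",
    "the DNS domain of this server matches the AD domain,",
    "Failed to join domain: Constraint violation",
]
SAMPLE_TESTJOIN_OUTPUT = [
    "[2007/08/01 09:53:49, 0] libads/kerberos.c:ads_kinit_password(228)",
    "  kerberos_kinit_password HOSTNAME$@REALM.LOCAL failed: Preauthentication failed",
    "  kerberos_kinit_password HOSTNAME$@REALM.LOCAL failed: Preauthentication failed",
    "Join to domain is not valid: Logon failure",
]
SAMPLE_WINBIND_SYSLOG = [
    "Aug  1 10:36:36 hostname winbindd[12447]: [2007/08/01 10:36:36, 0] passdb/secrets.c:fetch_ldap_pw(769)",
    "Aug  1 10:36:36 hostname winbindd[12447]:   fetch_ldap_pw: neither ldap secret retrieved!",
    "Aug  1 10:36:36 hostname winbindd[12447]:   INTERNAL ERROR: Signal 11 in pid 12447 (3.0.25b-SerNet-RedHat)",
]

if __name__ == "__main__":
    for name, sample in (("net ads join", SAMPLE_JOIN_OUTPUT),
                         ("net ads testjoin", SAMPLE_TESTJOIN_OUTPUT),
                         ("winbindd syslog", SAMPLE_WINBIND_SYSLOG)):
        for diagnosis, remedy in diagnose(sample):
            print("%s: %s -> %s" % (name, diagnosis, remedy))
```

The winbindd crash above is a useful reminder that the panic and backtrace are noise: the line that matters is `fetch_ldap_pw: neither ldap secret retrieved!`, which is why the classifier keys on that message rather than on the signal or stack frames.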