Linux integration with Active Directory
Whatever we may think about Microsoft Active Directory, the truth is that AD is a widely used system for computer management. It works, and it can be used for both Windows and Linux authentication and authorisation.
There are several ways to integrate a Linux system into AD [1]. When direct integration is chosen, several methods may be used:
- Computer is a domain member
  - Samba4 + winbind
  - SSSD
  - SSSD + realmd
- Computer is not a domain member
  - LDAP + Kerberos
  - SSSD
Samba + winbind
LDAP + Kerberos
LDAP is used to obtain account information; Kerberos provides the authentication. The former is handled by libnss-ldap, the latter by libpam-krb5.
- Install the required packages: libnss-ldap, libpam-krb5
- Configure /etc/libnss-ldap.conf
- Configure /etc/krb5.conf
- Configure /etc/nsswitch.conf
libnss-ldap.conf
# Replace windc.example.com with your Windows DC
uri ldap://windc.example.com/
base dc=example,dc=com
ldap_version 3
# Add a user to AD that can read the container
# with the users you want to use.
binddn ldap-connect@example.com
bindpw ldapconnectpassword
scope sub
timelimit 30
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_lookup_policy yes
# Modify cn=User,dc=e... to the container holding your users.
nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_base_shadow cn=Users,dc=example,dc=com?sub
nss_base_group cn=Users,dc=example,dc=com?sub
# For MSSFU:
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
#nss_map_attribute uid uid
nss_map_attribute uniqueMember primaryGroupID
#nss_map_attribute uidNumber uidNumber
#nss_map_attribute gidNumber gidNumber
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute cn sAMAccountName
krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
# Note: the DES and RC4 types below are weak; current AD versions disable DES by default, so prefer AES types if the DC supports them.
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
clockskew = 300

[realms]
EXAMPLE.COM = {
    kdc = windc.example.com
    kdc = windc2.example.com
    default_domain = example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

[logging]
default = FILE:/var/log/kerberos/krb5libs.log
If your AD is set to trust an external Kerberos realm and you want to allow your users to log in using more than one realm, you also need to set up PAM. In our case we needed to set /etc/pam.d/common-auth as follows:
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_krb5.so realm=EXAMPLE.ORG minimum_uid=1000
auth [success=2 default=ignore] pam_krb5.so realm=EXAMPLE.COM minimum_uid=1000 use_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
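The jump counts in that stack are what make the multi-realm fallthrough work: each successful module skips exactly the modules between itself and pam_permit. As an added example that is not part of the original page, this small Python simulator applies Linux-PAM's `[success=N default=ignore]` semantics to the stack above so that the path each kind of user takes can be checked offline; module outcomes are supplied as a set instead of coming from a real KDC, and only the controls this stack uses (bracket form, requisite, required) are modelled.

```python
import re

# Keyword controls as their bracket-form action tables (see man 5 pam.conf).
KEYWORDS = {
    "required":  {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
}

def parse_stack(text):
    """Parse the 'auth' lines of a pam.d file into a list of (label, actions)."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            ctrl, module, args = m.groups()
            actions = (dict(kv.split("=") for kv in ctrl[1:-1].split())
                       if ctrl.startswith("[") else KEYWORDS[ctrl])
            realm = re.search(r"realm=(\S+)", args)    # tells the two pam_krb5 lines apart
            stack.append((module + ("@" + realm.group(1) if realm else ""), actions))
    return stack

def run_auth(stack, succeeding):
    """Walk the stack. `succeeding` holds the labels whose module returns PAM_SUCCESS
    for this login (pam_permit always succeeds; pam_deny and anything else fails)."""
    status, consulted, i = None, [], 0
    while i < len(stack):
        label, actions = stack[i]
        consulted.append(label)
        ret = "success" if label in succeeding or label == "pam_permit.so" else "auth_err"
        action = actions.get(ret, actions.get("default", "bad"))
        if action in ("bad", "die"):
            status = "fail"                            # the first failure sticks
            if action == "die":
                break                                  # requisite: stop immediately
        elif action != "ignore":                       # "ok" or a jump count N
            if status != "fail":
                status = "success" if ret == "success" else "fail"
            i += int(action) if action.isdigit() else 0   # skip the next N modules
        i += 1
    return (status or "fail"), consulted               # no result at all counts as a failure

# Constructed input: the common-auth stack from the page, without its comments.
COMMON_AUTH = """auth [success=3 default=ignore] pam_krb5.so realm=EXAMPLE.ORG minimum_uid=1000
auth [success=2 default=ignore] pam_krb5.so realm=EXAMPLE.COM minimum_uid=1000 use_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
STACK = parse_stack(COMMON_AUTH)
```

Running `run_auth(STACK, {"pam_krb5.so@EXAMPLE.ORG"})` shows the EXAMPLE.ORG user jumping straight from the first pam_krb5 line to pam_permit, while a miscounted jump (for instance success=2 on the first line) lands that same user on pam_deny, so the counts must be re-checked whenever a line is added to or removed from the stack.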
nsswitch.conf
passwd:     files ldap
group:      files ldap
shadow:     files ldap
gshadow:    files
hosts:      files dns ldap
networks:   files ldap
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis