Tuesday, March 4, 2008

Ubuntu 7.10 server and Active Directory Integration

Windows Server 2003 R2 has Advanced Services for NIS (Unix Services), which allows Active Directory integration with Unix. The following is a very detailed blog post on how to go about doing this:
Linux, Active Directory, and Windows Server 2003 R2 Revisited
I won't repeat the Windows setup steps from that post, so make sure you have AD set up as described there. The following are the steps taken to make this work with Ubuntu Server 7.10 without TGT validation:

Install the following packages:
sudo apt-get install krb5-user libnss-ldap libpam-krb5

Installing libnss-ldap walks you through a configuration dialog; make sure the values you pick there match what you put in /etc/ldap.conf below.

Edit the /etc/krb5.conf file. It should look like the following:

[libdefaults]
default_realm = YOURDOMAIN.PVT

krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
YOURDOMAIN.PVT = {
kdc = YOURSERVER.YOURDOMAIN.PVT:88
admin_server = YOURSERVER.YOURDOMAIN.PVT
default_domain = YOURDOMAIN.PVT
}

[domain_realm]
.YOURDOMAIN.PVT = YOURDOMAIN.PVT
YOURDOMAIN.PVT = YOURDOMAIN.PVT

[login]
krb4_convert = true
krb4_get_tickets = false

Here you can add multiple realms, and multiple kdc and admin_server entries, depending on the structure of your AD.

The next step is to edit /etc/ldap.conf. It should look like the following:
host YOURSERVER.IP.ADDRESS.HERE
base dc=YOURDOMAIN,dc=PVT
uri ldap://YOURSERVER.YOURDOMAIN.PVT
binddn ad_bind_user@YOURDOMAIN.PVT
bindpw ad_bind_password
scope sub
ssl no
pam_filter objectClass=User
nss_base_passwd dc=YOURDOMAIN,dc=PVT?sub
nss_base_shadow dc=YOURDOMAIN,dc=PVT?sub
nss_base_group dc=YOURDOMAIN,dc=PVT?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member

Now edit /etc/nsswitch.conf, adding ldap to the passwd, group and shadow entries.

The next step is to edit /etc/pam.d/common-auth. It should look like the following:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_krb5.so minimum_uid=10000
auth required pam_unix.so nullok_secure

minimum_uid=10000 is one way to make sure local system user IDs are never handed to Kerberos; the right value depends on the UID number your AD setup starts at.
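Before moving on to testing, a small POSIX shell script can sanity-check the four files edited above: that nsswitch.conf consults ldap for all three databases, that common-auth keeps minimum_uid on pam_krb5 with pam_unix as the fallback, that ldap.conf (which stores bindpw in clear text) is not world-readable, and that the Kerberos realm matches the LDAP base DN. This is an added example, not the blog's own script; the sample files it writes are constructed from the placeholder values above.

```shell
# Added sanity checker for the four files edited above (example code, not the
# blog's own). Every check takes file path(s) and returns 0 on pass, 1 on fail.

# nsswitch.conf: passwd, group and shadow must all consult ldap.
check_nsswitch() {
  for db in passwd group shadow; do
    grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
  done
}

# common-auth: pam_krb5 must carry minimum_uid (so local system accounts are
# never sent to the KDC) and pam_unix must remain as the fallback.
check_pam() {
  grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so.*minimum_uid=[0-9]+' "$1" &&
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_unix\.so' "$1"
}

# ldap.conf holds bindpw in clear text, so it must not be readable by "other".
check_ldap_perms() {
  grep -q '^bindpw' "$1" || return 0     # no secret stored, nothing to protect
  [ -z "$(find "$1" -perm -004)" ]       # -perm -004 matches when o+r is set
}

# The Kerberos realm and the LDAP search base must name the same domain:
# dc=YOURDOMAIN,dc=PVT in ldap.conf corresponds to YOURDOMAIN.PVT in krb5.conf.
check_realm_matches_base() {
  realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
  base=$(sed -n 's/^base[[:space:]]*//p' "$2" | head -n 1)
  base_as_realm=$(printf '%s' "$base" | sed 's/dc=//g; s/,[[:space:]]*/./g' | tr '[:lower:]' '[:upper:]')
  [ -n "$realm" ] && [ "$realm" = "$base_as_realm" ]
}

# Write constructed sample files (the post's placeholder values) into directory $1.
make_sample_files() {
  printf '[libdefaults]\ndefault_realm = YOURDOMAIN.PVT\n' > "$1/krb5.conf"
  printf 'base dc=YOURDOMAIN,dc=PVT\nbinddn ad_bind_user@YOURDOMAIN.PVT\nbindpw ad_bind_password\n' > "$1/ldap.conf"
  chmod 600 "$1/ldap.conf"
  printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$1/nsswitch.conf"
  printf 'auth sufficient pam_krb5.so minimum_uid=10000\nauth required pam_unix.so nullok_secure\n' > "$1/common-auth"
}

# Run every check against the files in directory $1; returns 0 only if all pass.
run_all_checks() {
  check_nsswitch "$1/nsswitch.conf" && check_pam "$1/common-auth" &&
  check_ldap_perms "$1/ldap.conf" && check_realm_matches_base "$1/krb5.conf" "$1/ldap.conf"
}

# Usage: dir=$(mktemp -d); make_sample_files "$dir"; run_all_checks "$dir" && echo "all checks pass"
```

Point the check functions at the real /etc paths to verify a live system; a non-zero exit from run_all_checks names nothing, so run the individual checks to see which file is off.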

This should be all that is needed for setup. Now let's do some testing:

1. Getting a Kerberos ticket:
kinit ad_user_name
This should prompt for a password and, if successful, return you to the prompt with no output.
You can view the ticket generated by using klist.
If you get an error message, you have to work from what it says.
A common one is a time-sync error; for that you would need to issue the following:
sudo ntpdate YOURNTPSERVER
Generally, you can use your AD domain controller as your NTP server.
2. If this is successful, the next thing is to check PAM authentication.
Restart ssh or telnet, whichever service you are going to test AD authentication against:
sudo /etc/init.d/ssh restart
Now, in the current window, run tail -f /var/log/auth.log
This shows the running auth log.
Now open a new session to ssh (or whatever you are testing) and log in with AD credentials. If your setup is correct, this should work.
Otherwise, auth.log is your friend for seeing where it is breaking.