Fedora 6 LDAP / Kerberos Auth to Active Directory on Windows Srvr 2003 R2
Tested by Shannon VanWagner
Problem
Connecting Fedora 6 to a Windows Srvr 2003 R2
DC for auth and uid/gid sync with AD.
Solution
Configure Fedora 6 to use LDAP, Samba,
and Kerberos to auth with Windows Srvr 2003 R2
DC with Identity Mgmt for UNIX.
Here's How:
1.) On Windows Server 2003 R2 DC - enable "Identity Management for UNIX"
via Add/Rmv Programs > Add Win Components > AD Services > Identity
Mgmt for UNIX (reboot req'd). This will add the UNIX Properties tab
to user accounts in AD that will allow you to control the UID, primary
group GID, NIS Server setting, home dir location, and user shell setting.
2.) Create a user in AD to use for authenticating via LDAP from the
Fedora 6 client. Make this user a primary member of Domain Guests for
security.
3.) For any Win user that logs into the Fedora 6 machine, modify the
"UNIX Attributes" tab for the user's account in AD. Do this via the
Users and Computers mgmt console for AD. Be sure to add a unique UID
for the user, set the primary linux group, set home folder, and set
default shell via the "UNIX Attributes" tab for each user.
4a.) On the Fedora 6 client ensure that you have installed
these packages:
• gnome-vfs2-smb (as applicable)
• mtools (as applicable)
• nss
• nss-tools (as applicable)
• nss_ldap
• openldap
• openldap-clients
• pam
• pam_ccreds
• pam_krb5
• pam_ldap
• pam_smb
• pam_pkcs11
• samba
• system-config-samba
• samba-common
• samba-client
4b.) On the Fedora 6 client set up the config files as follows,
replacing items such as "coolcompany.com" with values specific to your
env.
The example config files below assume the following:
The Fedora Machine to be auth'ed to AD is
hostname = fedrh-mach
ip addr = 10.10.10.100
The Win 2003 R2 DC is
hostname = coolw2k3r2-dc
ip addr = 10.10.10.5
The special ldap query windows user is
user = cool-ldap-user
win password = custpassword
The "set" cmd in Windows shows
USERDNSDOMAIN = COOLCOMPANY.COM
USERDOMAIN = COOL
The domain "WINS" Server is
ip addr = 10.10.10.6
############
#/etc/hosts
############
::1 fedrh-mach localhost.COOLCOMPANY.COM localhost
127.0.0.1 localhost
127.0.0.2 fedrh-mach.COOLCOMPANY.COM fedrh-mach
10.10.10.5 coolw2k3r2-dc.COOLCOMPANY.COM coolw2k3r2-dc
############
#/etc/krb5.conf for connecting with Windows Server 2003 R2
############
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[libdefaults]
ticket_lifetime = 24000
default_realm = COOLCOMPANY.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
[realms]
COOLCOMPANY.COM = {
kdc = coolw2k3r2-dc.coolcompany.com
admin_server = coolw2k3r2-dc.coolcompany.com
default_domain = COOLCOMPANY.COM
}
[domain_realm]
.coolcompany.com = COOLCOMPANY.COM
coolcompany.com = COOLCOMPANY.COM
############
#/etc/ldap.conf for connecting with Server 2003 R2 Only
############
host 10.10.10.5
base dc=coolcompany,dc=com
uri ldap://coolw2k3r2-dc.coolcompany.com/
binddn cn=cool-ldap-user,cn=Users,dc=coolcompany,dc=com
bindpw custpassword
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=coolcompany,dc=com?sub
nss_base_shadow dc=coolcompany,dc=com?sub
nss_base_group dc=coolcompany,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap
############
# /etc/nsswitch.conf
############
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
############
#/etc/samba/smb.conf file
############
[global]
server string = %h
workgroup = COOL
realm = COOLCOMPANY.COM
security = ads
encrypt passwords = yes
use kerberos keytab = true
password server = coolw2k3r2-dc.coolcompany.com
netbios name = fedrh-mach
winbind use default domain = yes
winbind separator = +
idmap uid = 1000-59999
idmap gid = 1000-59999
winbind enum users = yes
winbind enum groups = yes
deadtime = 3
winbind cache time = 300
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap backend = ad
ldap idmap suffix = dc=coolcompany,dc=com
ldap admin dn = cn=cool-ldap-user,cn=Users,dc=coolcompany,dc=com
ldap suffix = dc=coolcompany,dc=com
dns proxy = no
domain master = no
preferred master = no
max log size = 100
log file = /var/log/samba/%m.log
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
wins server = 10.10.10.6
usershare allow guests = no
case sensitive = no
preserve case = no
[admin]
comment = Admin Access
path = /
valid users = COOL+Administrator
admin users = COOL+Administrator
read only = No
create mask = 0600
directory mask = 0700
browseable = No
inherit permissions = Yes
[homes]
comment = Home Directories
path = /home
valid users = %S, %D%w%S
admin users = COOL+Administrator
read only = No
inherit acls = Yes
inherit permissions = Yes
create mask = 0600
directory mask = 0700
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
############
#/etc/pam.d/system-auth config file
############
#%PAM-1.0
#Line above is part of this file
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_krb5.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account sufficient pam_krb5.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_krb5.so use_authtok
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_mkhomedir.so umask=0077 skel=/etc/skel
session required pam_unix.so
session optional pam_krb5.so
# Everything after "uid <" on the account line was mangled in the original post (the "<"
# was read as an HTML tag). The account/password/session lines above are reconstructed
# from the fragments that survived (retry=3, [success=1 default=ignore], umask=0077
# skel=/etc/skel) and the stock Fedora 6 authconfig layout; pam_mkhomedir matches the
# home-dir creation described in step 5b. Four "include system-auth" lines for another
# PAM service file were also lost; check those against your own /etc/pam.d/ files.
5a.) Set Fedora mach clock to within 5 min of AD server.
5b.) Run the following commands to setup the Fedora 6 machine for AD:
getent passwd (You should see local users only)
kdestroy (Destroys previous krb ticket)
kinit domain-admin-user@COOLCOMPANY.COM (Creates krb ticket)
klist (View krb Ticket)
net ads join -U domain-admin-user@COOLCOMPANY.COM (Joins the machine to domain)
kdestroy (Destroy admin krb ticket)
/etc/init.d/smb stop
/etc/init.d/winbind stop
chkconfig smb on
chkconfig winbind on
chkconfig nscd off
/etc/init.d/smb start
/etc/init.d/winbind start
smbpasswd -w somepassword (where "somepassword" is the ldap query user's password)
getent passwd (The output should list domain users)
getent group (Should output domain and local groups)
wbinfo -u (Should list domain users)
wbinfo -g (Should list domain groups)
su (should prompt for password and create a home dir for the user)
6.) After you are able to su to a windows user, reboot the machine and then log in to
the system as a windows user (use a user with UNIX attribs enabled) to test.
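The config files in step 4b work, but a security reviewer would flag a few of their settings: the LDAP bind password sits in a file that nss_ldap needs world-readable and is sent with "ssl no", the krb5.conf enctype lists offer single-DES and RC4, and the [admin] share exports / writable. The script below is an added example (not from the original post) that parses text in the shape of those three files and reports such settings. The sample inputs are trimmed copies of the post's own configs; the function names and finding texts are mine.

```python
"""Audit the step 4b config files for settings a security reviewer would flag.
Added example, not part of the original post.  It parses text in the shape of
the /etc/ldap.conf, /etc/krb5.conf and /etc/samba/smb.conf shown above; the
samples are constructed from the post's values, the finding texts are my own."""
import re

# Enctypes a reviewer would not want offered as defaults: single DES and RC4.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5", "arcfour-hmac"}


def parse_ldap_conf(text):
    """nss_ldap style: one 'keyword value' per line, '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            cfg[parts[0].lower()] = parts[1] if len(parts) == 2 else ""
    return cfg


def parse_ini(text):
    """Minimal [section] / key = value parser for krb5.conf and smb.conf; the
    'REALM = { ... }' nesting of krb5.conf is flattened into its section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_ldap_conf(text):
    cfg, findings = parse_ldap_conf(text), []
    if "bindpw" in cfg:
        if cfg.get("ssl", "no").lower() in ("no", "off"):
            findings.append("ldap.conf: bindpw is set but ssl is off, so the "
                            "bind password crosses the wire in the clear")
        # nss_ldap reads this file from every process that resolves a name, so it
        # must stay world-readable: every local user can read bindpw.  That is
        # why the post keeps the bind account in Domain Guests.
        findings.append("ldap.conf: bindpw is readable by all local users; "
                        "keep the bind account unprivileged")
    return findings


def audit_krb5_conf(text):
    libdefaults, findings = parse_ini(text).get("libdefaults", {}), []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(libdefaults.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"krb5.conf: {key} offers weak enctypes " + ", ".join(weak))
    return findings


def audit_smb_conf(text):
    findings = []
    for name, share in parse_ini(text).items():
        writable = share.get("read only", "yes").lower() == "no"
        if name != "global" and share.get("path") == "/" and writable:
            findings.append(f"smb.conf: share [{name}] exports / writable; a leaked "
                            "password for any of its valid users gives full filesystem access")
    return findings


def run_audit(ldap_conf, krb5_conf, smb_conf):
    """Combined report over the three files, in the order the post lists them."""
    return audit_ldap_conf(ldap_conf) + audit_krb5_conf(krb5_conf) + audit_smb_conf(smb_conf)


# Constructed samples, trimmed from the post's own config files above.
LDAP_CONF = """host 10.10.10.5
base dc=coolcompany,dc=com
uri ldap://coolw2k3r2-dc.coolcompany.com/
binddn cn=cool-ldap-user,cn=Users,dc=coolcompany,dc=com
bindpw custpassword
ssl no
"""
KRB5_CONF = """[libdefaults]
default_realm = COOLCOMPANY.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
"""
SMB_CONF = """[global]
security = ads
[admin]
path = /
valid users = COOL+Administrator
read only = No
[homes]
path = /home
read only = No
"""

if __name__ == "__main__":
    for finding in run_audit(LDAP_CONF, KRB5_CONF, SMB_CONF):
        print("-", finding)
```

To check a live machine, pass the contents of /etc/ldap.conf, /etc/krb5.conf and /etc/samba/smb.conf to run_audit instead of the samples. The fixes for what it reports are the usual ones: "ssl start_tls" in ldap.conf with the DC's CA certificate, enctype lists limited to aes and des3 (arcfour only if the DC still needs it), and a narrower path than / for the admin share.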
NOTE: If you happen to get locked out, reboot in single user
mode, then edit your nsswitch.conf, removing "ldap" for passwd,group,shadow.
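The edit in the NOTE above, as an added example that is not part of the original post: a small script that strips "ldap" from the passwd, shadow and group lines of nsswitch.conf and leaves everything else (including hosts: files dns wins) alone, so it can be run from single-user mode instead of hand-editing the file. The sample content is constructed from the post's nsswitch.conf; the backup file name is my own choice.

```python
"""Lockout recovery from the NOTE above: remove the 'ldap' source from the
passwd, shadow and group databases in nsswitch.conf so local accounts resolve
without the DC.  Added example, not from the original post; the sample below is
constructed from the post's nsswitch.conf and the .bak path is my own choice."""
import re
import shutil
import sys

LOCKOUT_DATABASES = ("passwd", "shadow", "group")
DB_LINE = re.compile(r"^(\w+):\s*(.*)$")


def drop_ldap_from_nsswitch(text, databases=LOCKOUT_DATABASES):
    """Return nsswitch.conf text with 'ldap' removed from the given databases.
    Other databases and comments are untouched, and running it twice is a no-op."""
    out = []
    for line in text.splitlines():
        m = DB_LINE.match(line)
        if m and m.group(1) in databases:
            sources = [s for s in m.group(2).split() if s != "ldap"]
            line = f"{m.group(1)}: {' '.join(sources)}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def databases_using_ldap(text, databases=LOCKOUT_DATABASES):
    """Which of the lockout-relevant databases still consult ldap."""
    found = []
    for line in text.splitlines():
        m = DB_LINE.match(line)
        if m and m.group(1) in databases and "ldap" in m.group(2).split():
            found.append(m.group(1))
    return found


# Constructed sample in the shape of the post's /etc/nsswitch.conf.
SAMPLE = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns wins\n"

if __name__ == "__main__":
    # Usage as root from single-user mode: python nsswitch_recover.py /etc/nsswitch.conf
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/nsswitch.conf"
    shutil.copy2(path, path + ".bak")  # keep the original for when the DC is back
    with open(path) as fh:
        original = fh.read()
    with open(path, "w") as fh:
        fh.write(drop_ldap_from_nsswitch(original))
    print("ldap removed from:", ", ".join(databases_using_ldap(original)) or "nothing")
```

Two settings reduce the chance of needing this at all: nss_initgroups_ignoreusers root,ldap, which the post's ldap.conf already has so root's logins do not wait on the DC, and bind_policy soft in ldap.conf, which makes nss_ldap give up on an unreachable server instead of retrying indefinitely.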
Good Luck! -Shannon VanWagner
Related Material
http://www.suseforums.net/index.php?showtopic=18932
http://forums.suselinuxsupport.de/i...t=0#entry224708
http://blog.scottlowe.org/2007/03/2...tive-directory/
http://forums.fedoraforum.org/archi...hp/t-29825.html
http://www.redmondmag.com/columns/a...ditorialsID=858
http://gentoo-wiki.com/HOWTO_LDAPv3#Startup_and_testing (for testing LDAP)
Hi, I have been following your tutorial and everything works except for the LDAP portion. I am running Ubuntu 7.04 and Win2K server non R2 with SFU installed.
I cannot seem to get past the following errors; kerberos works fine (I can get a key with kinit) but LDAP does not work. I have PAM set up to use the kerb5 module and NSSWITCH set up to use files ldap, just as you describe. I have searched all over for this error which appears to be common but so far I have been unsuccessful. Any ideas?!
Jul 8 22:19:48 localhost getent: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Jul 8 22:19:49 localhost getent: nss_ldap: failed to bind to LDAP server ldap://themis.zerogravity.local: Invalid credentials
Jul 8 22:19:49 localhost getent: nss_ldap: could not search LDAP server - Server is unavailable
EK,
Please have a look at the following website to perform some testing with your LDAP setup:
http://gentoo-wiki.com/HOWTO_LDAPv3#Startup_and_testing
Also, please be sure that you've created a simple Windows user to put in your ldap.conf file (remember the password for the user has to be included in the ldap.conf file as well).