Active Directory Authentication on Ubuntu Linux
How to configure Ubuntu Linux to use Active Directory authentication
Source: http://www.itadmintools.com/2011/04/active-directory-authentication-on.html
This article discusses AD authentication for Ubuntu Linux. The process was tested on Ubuntu x86 (32 bit) version 10.10. Active Directory is a commonly used directory service based on the LDAP directory access protocol and Kerberos authentication. Both of these protocols have their roots in UNIX and Linux, and so it makes sense that we can configure them on Linux to interoperate with Active Directory.
Note: this article provides configuration help for a version of Ubuntu that will soon be deprecated. To configure the latest version of Ubuntu, please read Ubuntu 11.10 - Logging into Active Directory
When Ubuntu is first installed, it is configured by default to use its local account database. To interoperate with Active Directory, we will configure the LDAP and Kerberos protocols, then we'll configure naming and authentication modules, NSS and PAM, to use these protocols to locate and authenticate users in AD.
A few prerequisites: your Ubuntu machine must be configured to use a DNS server that can locate your AD domain, and the date and time on the computer must remain nearly in sync with the AD domain controllers. I won't get into those here, but be advised that if your clock is off by more than 5 minutes, or if you can't resolve the IP addresses of your AD domain controllers, AD authentication will fail.
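As an added example (not part of the original article), here is a small pre-flight script for the two prerequisites just named: it resolves the KDC SRV records that Active Directory publishes in DNS and checks the clock offset against the first domain controller. It assumes dig (from dnsutils) and ntpdate are installed; mydomain.com is a placeholder, and the dig/ntpdate output formats the parsers expect are shown in the comments.

```shell
#!/bin/sh
# Added example, not part of the original article. Pre-flight checks for the
# two prerequisites: DNS must locate the domain controllers and the clock must
# be within Kerberos' default 5 minute tolerance. Assumes dig (dnsutils) and
# ntpdate are installed; "mydomain.com" is a placeholder.

MAX_SKEW=300   # seconds; the Kerberos default clockskew

# srv_hosts: read "dig +short SRV" output on stdin, one record per line in the
# form "priority weight port target.", and print the target host names without
# the trailing dot.
srv_hosts() {
    awk 'NF >= 4 { sub(/\.$/, "", $4); print $4 }'
}

# kdc_hosts DOMAIN: list the KDCs that Active Directory publishes in DNS for
# DOMAIN. Needs network access to the configured DNS server.
kdc_hosts() {
    dig +short SRV "_kerberos._tcp.$1" | srv_hosts
}

# ntpdate_offset: read "ntpdate -q HOST" output on stdin and print the clock
# offset in seconds from the first line of the form
# "server 10.0.0.1, stratum 2, offset -1.234567, delay 0.02876".
ntpdate_offset() {
    awk '/offset/ {
        for (i = 1; i <= NF; i++)
            if ($i == "offset") { sub(/,$/, "", $(i + 1)); print $(i + 1); exit }
    }'
}

# skew_ok OFFSET: succeed if |OFFSET| <= MAX_SKEW. awk handles the fractional,
# possibly negative value that ntpdate reports; an empty offset is a failure.
skew_ok() {
    [ -n "$1" ] || return 1
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

# preflight DOMAIN: resolve the KDCs and check the skew against the first one.
preflight() {
    domain=$1
    kdcs=$(kdc_hosts "$domain")
    if [ -z "$kdcs" ]; then
        echo "FAIL: no _kerberos._tcp.$domain SRV records; check /etc/resolv.conf" >&2
        return 1
    fi
    first=$(printf '%s\n' "$kdcs" | head -n 1)
    offset=$(ntpdate -q "$first" | ntpdate_offset)
    if skew_ok "$offset"; then
        echo "OK: KDCs: $(printf '%s' "$kdcs" | tr '\n' ' ') skew ${offset}s"
    else
        echo "FAIL: clock skew '${offset}' s against $first exceeds ${MAX_SKEW}s" >&2
        return 1
    fi
}

# Usage (needs network): preflight mydomain.com
```

Run it as preflight mydomain.com before touching any configuration file; a FAIL from either check will otherwise show up later as an opaque kinit or login error.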
Installing the Necessary Modules
The first thing we need to do is install the Kerberos and LDAP modules that we'll need. Open a terminal window and gain root permissions by typing sudo bash
Next, we can use apt-get to install the modules, by typing the following commands:
apt-get update
apt-get install krb5-user
apt-get install libpam-krb5
apt-get install libnss-ldap
While installing these modules, you may be prompted to enter some information about your Active Directory. Don't be too concerned about what you enter, since it will not result in a complete configuration, and we'll have to edit the configuration files later anyway.
Configuring Kerberos
After installing the modules, we can begin configuring Kerberos and LDAP. Let's start with Kerberos. With our terminal window still open with root access, edit the Kerberos configuration file by typing: vi /etc/krb5.conf and configure the file as shown below:
[libdefaults]
    default_realm = MYDOMAIN.COM
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    MYDOMAIN.COM = {
        kdc = mydomain.com:88
        admin_server = mydomain.com
        default_domain = mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

[login]
    krb4_convert = true
    krb4_get_tickets = false
Change the domain names to match your Active Directory. Be advised that case matters: Kerberos realm names are shown in upper case, DNS domain names in lower case. To test the configuration, you can attempt to get a Kerberos ticket. To do this, type kinit myuser@myrealm. You should be prompted for your password. If you are successful, you will receive a ticket-granting ticket from Active Directory. You can view this ticket by typing klist. If you are not successful, then you either made a mistake in the krb5.conf file, or your Ubuntu machine's DNS configuration or clock is incorrect. Fix the problem before you proceed any further. After the test is successful, you can type kdestroy to remove the ticket. Next, we'll configure LDAP.
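The case rules above are easy to get wrong when copying the file, and a mistake shows up only as a failed kinit. As an added example that is not part of the original article, the following check parses a krb5.conf and reports realm names that are not upper case, domain_realm keys that are not lower case, and a default_realm with no [realms] entry. The sample file it writes is constructed from the article's configuration.

```shell
#!/bin/sh
# Added example, not part of the original article: check the case rules
# described above in a krb5.conf, i.e. realm names upper case, DNS domain names
# lower case, and default_realm defined under [realms]. The sample file written
# below is constructed from the article's configuration.

# krb5_case_check FILE: print each violation and fail if there is any.
krb5_case_check() {
    awk '
        $1 ~ /^\[/ { section = $1; next }
        section == "[libdefaults]" && $1 == "default_realm" && $2 == "=" { def = $3 }
        section == "[realms]" && $2 == "=" && $3 == "{" {
            realms[$1] = 1
            if ($1 != toupper($1)) { print "realm name not upper case: " $1; bad = 1 }
        }
        section == "[domain_realm]" && $2 == "=" {
            if ($1 != tolower($1)) { print "DNS domain not lower case: " $1; bad = 1 }
            if ($3 != toupper($3)) { print "mapped realm not upper case: " $3; bad = 1 }
        }
        END {
            if (def == "") { print "no default_realm in [libdefaults]"; bad = 1 }
            else if (!(def in realms)) { print "default_realm " def " has no [realms] entry"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Demo on a constructed copy of the article's krb5.conf; on a real machine run
# krb5_case_check /etc/krb5.conf instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = MYDOMAIN.COM
[realms]
    MYDOMAIN.COM = {
        kdc = mydomain.com:88
    }
[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
EOF
if krb5_case_check "$sample"; then echo "krb5.conf case check passed"; fi
rm -f "$sample"
```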
Configuring LDAP
Edit the LDAP configuration file by typing vi /etc/ldap.conf and configure the file as shown below:
base dc=mydomain,dc=com
uri ldap://adserver1.mydomain.com ldap://adserver2.mydomain.com
ldap_version 3

binddn cn=aduser,cn=users,dc=mydomain,dc=com
bindpw adUserPassword
bind_policy soft
bind_timelimit 120
timelimit 120
idle_timelimit 3600
network_timeout 20

referrals on
scope sub

pam_login_attribute sAMAccountName
pam_filter objectCategory=User
pam_groupdn cn=adGroup,cn=Users,dc=mydomain,dc=com
pam_password ad
pam_member_attribute member

nss_base_passwd dc=mydomain,dc=com?Sub?&(objectClass=User)(uidNumber=*)
nss_base_shadow dc=mydomain,dc=com?Sub?&(objectClass=User)(uidNumber=*)
nss_base_group dc=mydomain,dc=com?Sub?&(objectClass=Group)(gidNumber=*)
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nz,myLocalUser
You will need to change the following to suit your environment:
- base: this is the distinguished name of your domain
- uri: these should be valid DNS names of your domain controllers
- binddn: this should be the distinguished name of a user account in your AD that you will use to connect to AD. The user requires no special privileges.
- bindpw: this is the password of the user used for binddn.
- pam_groupdn: this is the distinguished name of the AD group that the users must be a member of in order to log on to this Ubuntu machine. If you want all users to be able to log on, you can comment out this line by placing a # at the beginning of the line.
- nss_initgroups_ignoreusers: add any local Ubuntu accounts to this list to avoid doing LDAP lookups when these users log on.
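One thing worth checking about the file above: the bindpw line stores an Active Directory account password in clear text, and the package leaves /etc/ldap.conf readable by every local account. As an added example that is not part of the original article, this check reports a bindpw that sits in a group- or world-readable file. It uses only POSIX tools (the permission bits are read from ls -l), and the file it inspects in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Reports an ldap.conf that
# carries a bindpw while being readable by group or others. The demo file is
# constructed; on a real machine run ldap_conf_secret_check /etc/ldap.conf.

# ldap_conf_secret_check FILE: succeed if FILE has no active bindpw line or is
# readable by its owner only; fail (and say so) otherwise.
ldap_conf_secret_check() {
    f=$1
    if ! grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        echo "ok: no bindpw in $f"
        return 0
    fi
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    gro=$(ls -ld "$f" | cut -c5-10)
    case $gro in
        *r*)
            echo "WARNING: $f holds the bindpw and is readable beyond its owner (mode $(ls -ld "$f" | cut -c1-10))"
            return 1 ;;
    esac
    echo "ok: $f holds the bindpw and is owner-only"
    return 0
}

# Demo on a constructed file with the article's binddn/bindpw lines.
demo=$(mktemp)
printf 'base dc=mydomain,dc=com\nbinddn cn=aduser,cn=users,dc=mydomain,dc=com\nbindpw adUserPassword\n' > "$demo"
chmod 644 "$demo"
ldap_conf_secret_check "$demo" || true      # warns: readable by everyone
chmod 600 "$demo"
ldap_conf_secret_check "$demo"              # ok
rm -f "$demo"
```

The warning cannot simply be fixed with chmod 600: nss_ldap runs inside every process that resolves a user name, so an owner-only /etc/ldap.conf breaks getent and logins for unprivileged processes. Treat the check as the reason to give the bind account nothing beyond read access to the directory, and, where that exposure matters, to consider the nslcd daemon from the libnss-ldapd package, which keeps the credential in a root-owned file that only the daemon reads.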
To tell Ubuntu to use LDAP to find user accounts, we need to edit the configuration of NSS, the name service switch module, to use both LDAP and the local user database. Type vi /etc/nsswitch.conf and configure the file as shown:
# /etc/nsswitch.conf
#
passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files mdns4_minimal dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis ldap
As you can see, we've added ldap to the passwd, group, shadow, and netgroup entries. Now we can test our LDAP configuration, but first we need to discuss the Active Directory user accounts that we'll use to log on to Ubuntu.
Active Directory User Configuration
In order to use AD users to log on to Ubuntu, the users must have uidNumber, gidNumber, loginShell, and unixHomeDirectory attributes defined in AD. NSS will then be able to retrieve these attributes when the user logs on to Ubuntu. I'll post tools to set these attributes in AD, but in the meantime you can use ADSIEDIT to set these attributes.
Testing your LDAP and NSS Configuration
Once you have AD users with the required attributes, and you've performed the configurations above, you can test whether you can see AD users in the user list. To do this, type getent passwd. You should see both local Ubuntu users as well as any AD users that have the necessary attributes. If you don't see AD users, you've made a mistake in the files.
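Seeing AD users in getent passwd is necessary but not sufficient. The nss_base_passwd filter above only requires uidNumber, so a user missing loginShell or unixHomeDirectory still appears, with an empty field, and nothing stops a uidNumber that is 0 or equal to a local account's UID from being served to the system. As an added example that is not part of the original article, the following script compares getent output with /etc/passwd, lists the accounts that came from the directory, and flags those two problems for the accounts described in the previous section. The two input files in the demo are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original article. Compares "getent passwd"
# output against /etc/passwd to list the accounts that came from Active
# Directory and flags: a uidNumber of 0, in the system range, or already used
# by a local account; and an empty home or shell (unixHomeDirectory or
# loginShell not set in AD). Both inputs below are constructed sample data.

# ad_users_check LOCAL_PASSWD GETENT_OUTPUT: report per user, fail on problems.
ad_users_check() {
    awk -F: '
        NR == FNR { local_user[$1] = 1; local_uid[$3] = $1; next }
        ($1 in local_user) { next }                # also in /etc/passwd: local
        {
            ad++
            problem = ""
            if ($3 == 0 || ($3 in local_uid))
                problem = "uidNumber " $3 " collides with local account " local_uid[$3]
            else if ($3 < 1000)
                problem = "uidNumber " $3 " is in the system account range"
            else if ($6 == "" || $7 == "")
                problem = "unixHomeDirectory or loginShell not set in AD"
            if (problem != "") { print "PROBLEM " $1 ": " problem; bad++ }
            else print "ok " $1 " uid=" $3 " gid=" $4 " home=" $6 " shell=" $7
        }
        END {
            if (ad == 0) { print "no directory users returned; check ldap.conf and nsswitch.conf"; exit 2 }
            exit (bad > 0)
        }
    ' "$1" "$2"
}

# Constructed sample input. On a real machine save "getent passwd" to a file
# and run: ad_users_check /etc/passwd that-file
local_pw=$(mktemp); getent_out=$(mktemp)
cat > "$local_pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
myLocalUser:x:1000:1000:Local User:/home/myLocalUser:/bin/bash
EOF
cat > "$getent_out" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
myLocalUser:x:1000:1000:Local User:/home/myLocalUser:/bin/bash
alice:*:10001:10001:Alice Example:/home/alice:/bin/bash
bob:*:10002:10001:Bob Example::/bin/bash
badsvc:*:0:10001:Mis-set service account:/home/badsvc:/bin/bash
EOF
ad_users_check "$local_pw" "$getent_out" || echo "fix the flagged accounts in AD before enabling logon"
rm -f "$local_pw" "$getent_out"
```

Keep the directory's uidNumber range well above the local range (the article's Samba idmap uses 10000-20000, which is a sensible convention for the LDAP attributes too) so the collision check never fires by accident.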
Adding Kerberos and LDAP to PAM
PAM (Pluggable Authentication Modules) controls which authentication methods are used when a user attempts to log on to Ubuntu. We need to add Kerberos and LDAP to the list of methods PAM will use. In Ubuntu, this is pretty easy. Type pam-auth-update and make sure Kerberos and LDAP are selected as well as everything else in the list, then select OK.
This will mostly configure PAM correctly, however we need to add one line to the configuration. Type vi /etc/pam.d/common-session and add the following line to the configuration:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
This tells PAM to create the user's home directory automatically the first time they log on.
Logging On
Now you should be able to log on to Ubuntu using an Active Directory user, assuming that the user has the required attributes set, and is a member of the group specified in pam_groupdn in ldap.conf if one is specified. After logon, open a terminal window and type klist to verify that you automatically got a Kerberos ticket from Active Directory. This will allow you to connect to Windows file shares without being prompted for credentials.
Configuring Ubuntu as a Windows File Server
Often the point of configuring Active Directory authentication for Ubuntu is to use Ubuntu as a file server for Windows users. To do this we'll install Samba, the SMB file sharing module. To install Samba, type apt-get install samba, then edit the configuration by typing vi /etc/samba/smb.conf. Configure the file as shown below:
[global]
    security = ads
    realm = MYDOMAIN.COM
    workgroup = MYDOMAIN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes
    restrict anonymous = 2

[temp]
    path = /temp
    read only = no

[etc]
    path = /etc
    read only = yes
Now, we need to join the Ubuntu machine to Active Directory. To do this, type net ads join -U myuser@myrealm and enter your password when prompted. The user must have the right to join computers to Active Directory. A bug may cause the command to report that the join failed even though it succeeded. To verify the join, look in the Computers container in Active Directory for a computer account with the name of the Ubuntu host; if it exists, the join was successful.
Now you can create a file share. Let's create a /temp directory and share it to Windows users. Create the directory by typing mkdir /temp, then set the permissions so everyone has access by typing chmod 777 /temp. Next, edit the Samba configuration to add the directory as a file share by typing vi /etc/samba/smb.conf and add the following lines to the end of the file:
[temp]
    path = /temp
    read only = no
After editing the file, restart Samba by typing /etc/init.d/samba restart
Now, from a Windows machine, logged on with an AD user with the correct attributes and group membership, click the Start button, click Run, type \\ubuntuhostname\temp and click OK. A window should open to the share, and you should be automatically authenticated via Kerberos. Any files or folders you create in the share will be set with the correct permissions, using your UID and GID from Active Directory.
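Before restarting Samba it is worth auditing what the finished smb.conf actually exports. Two things in the steps above deserve a second look: the [temp] stanza is appended to a file that already defines [temp], and the read-only [etc] share hands every domain user a copy of the server's configuration files. As an added example that is not part of the original article, this script parses an smb.conf, reports duplicate sections and shares rooted in system directories, and lists which shares are writable. The sample file is constructed from the article's smb.conf; use testparm -s /etc/samba/smb.conf alongside it for Samba's own syntax check.

```shell
#!/bin/sh
# Added example, not part of the original article: a read-only audit of an
# smb.conf. Flags duplicate share sections and shares whose path is a system
# directory, and lists writable shares. The sample file below is constructed
# from the article's configuration.

# smb_conf_audit FILE: print one line per share, fail if anything is flagged.
smb_conf_audit() {
    awk '
        /^[ \t]*[;#]/ { next }                        # comment line
        /^[ \t]*\[/ {                                 # [section] header
            s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
            if (s in seen) { print "PROBLEM duplicate section [" s "]"; bad++ }
            seen[s] = 1; cur = s; next
        }
        cur != "" {                                   # key = value inside a section
            line = $0
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "path") path[cur] = val
            if (key == "read only") ro[cur] = tolower(val)
            if (key == "writable" || key == "writeable") ro[cur] = (tolower(val) == "yes") ? "no" : "yes"
        }
        END {
            for (s in seen) {
                if (s == "global") continue
                p = path[s]; r = (s in ro) ? ro[s] : "yes"   # Samba default: read only = yes
                if (p == "/" || p ~ /^\/(etc|boot|bin|sbin|lib|usr|root|var\/log)(\/|$)/) {
                    print "PROBLEM [" s "] exposes system directory " p; bad++
                } else if (r != "yes") {
                    print "writable [" s "] path=" p
                } else {
                    print "readonly [" s "] path=" p
                }
            }
            exit (bad > 0)
        }
    ' "$1"
}

# Demo on a constructed file that follows the article's steps: the [temp]
# stanza is appended to a file that already defines [temp] and [etc].
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    security = ads
    realm = MYDOMAIN.COM
    workgroup = MYDOMAIN
    restrict anonymous = 2
[temp]
    path = /temp
    read only = no
[etc]
    path = /etc
    read only = yes
[temp]
    path = /temp
    read only = no
EOF
smb_conf_audit "$sample" || echo "review the flagged sections before restarting Samba"
rm -f "$sample"
```

On a real server run smb_conf_audit /etc/samba/smb.conf; a clean run prints only writable/readonly lines. Note that the world-writable /temp created with chmod 777 above is exported to every domain user, so keep it for scratch data only.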
Final Word
If during this process you run into trouble, try bringing your Ubuntu machine up to date by typing apt-get upgrade, which updates the packages for your current Ubuntu kernel, and/or apt-get dist-upgrade, which also brings you up to the latest kernel. Good luck!