Integrating Unix Into Active Directory While Maintaining UNIX Style Security

Apr 05, 2018

    by jimmt (hubpages.com)

    As technology grows, IT administrators face the challenge of managing a heterogeneous environment of different operating platforms (Windows, Linux, Apple, etc.), especially in businesses where the majority of the infrastructure is Windows with a well established Active Directory. The challenge is integrating the different systems into a centralized authentication mechanism for user and device management while maintaining single sign-on, so that users can work across production and corporate applications.

    Interoperability between Active Directory and UNIX can be accomplished with different tools and technologies such as Microsoft Services for UNIX (SFU), Centrify, Likewise, and Samba, which allow client authentication. Another method is to use LDAP-based services for the UNIX clients together with an AD connector that replicates the directory or acts as an authentication proxy. This document defines the process of integrating completely free solutions, Samba and OpenLDAP, while keeping a single managed infrastructure in Active Directory and retaining the ability to use UNIX style security for services that rely on it, such as NFS mounts.

    1. Samba and LDAP

    Samba is a free interoperability suite for UNIX that allows UNIX systems to integrate with Windows networks, providing authentication and shared services such as file and print sharing. Samba provides a good and easily configurable solution out of the box for Linux; in some cases it is so integrated that joining Active Directory as an authentication mechanism is part of the installation process, and it is easily obtainable for other UNIX platforms.

    One of the challenges facing Samba is providing a consistent, unique UID and GID that follows the user from client to client; without this, securing UNIX systems with UNIX style security is difficult. While newer beta builds have resolved this issue, most administrators are apprehensive about deploying beta software in production environments, and most commercially supported UNIX distributions do not ship with beta builds.

    A solution to UID and GID roaming is to use an LDAP database to store the UID and GID maps for Active Directory users and groups, using a specified range defined in the Samba client configuration file. When a user logs in, the first available UID is allocated and that mapping is stored in the LDAP database. When a client accesses a service secured with UNIX style security, Samba resolves the UID through LDAP to the AD account, allowing the user access.

    1.1 Authentication process


    When the user logs into a workstation, or authenticates to a service hosted on UNIX, the Samba client authenticates to Active Directory, obtains a Kerberos ticket, and retrieves a UID from the OpenLDAP authentication server. Once authenticated, the user can authenticate with their Active Directory account to shared services on Windows and on UNIX Active Directory domain member servers with Samba services enabled, or to UNIX Active Directory domain member servers secured with UNIX style security, using their UID and/or GID (see diagrams Fig. A, B, and C).


    1.2 Centralized management

    Unlike other services that use LDAP to proxy Active Directory accounts, no management is necessary on the OpenLDAP servers, and access to resource allocations is granted through Active Directory. Access can be granted using PAM (Pluggable Authentication Modules) on UNIX to allow access to the console, SSH, FTP, and other services to security groups in Active Directory, providing ease of access management and a controlled, secured environment through standard account policies.

    1.3 High Availability

    Active Directory is highly available by nature, and as each domain controller is brought into the forest, replication is configured automatically. OpenLDAP supports database replication, so user lookups keep working in the case of server failures. UNIX clients can be configured to authenticate to multiple authentication servers for both OpenLDAP and Active Directory.

    1.4 Operating system

    Any UNIX style operating system that supports Kerberos authentication and has Samba ported to it can authenticate to Active Directory and OpenLDAP. This document primarily focuses on Red Hat Linux. However, the PAM, Samba, and Kerberos configuration files should be consistent on all platforms. Consult the documentation for the paths to the configuration files, as these can differ on each platform and Linux distribution.

    2 Configuring LDAP Server

    This server will be the first LDAP server in the enterprise to store UID and GID mappings to Active Directory accounts.


    2.1 Prerequisites

    OpenLDAP 2.3.x or later (stable) installed from your distribution media or downloaded from http://www.openldap.org/software/download/

    Static IP address configured

    Hostname defined in DNS

    Computer account created in Active Directory for the OpenLDAP server

    Samba 3.x or later (stable) installed from your distribution media or downloaded from http://samba.org

    2.2 Configuring Server

    2.2.1 Host file

    Add the following entries to your hosts file. Replace hostname with the actual hostname of the client and domain.com with the proper domain (example: JIMMT.COM):

    127.0.0.1 hostname.domain.com hostname
    127.0.0.1 domain.com domain

    2.2.2 Resolv.conf

    Ensure that the proper search domains are listed and the proper DNS server(s) are defined in /etc/resolv.conf (example below):

    search jimmt.com

    nameserver 192.168.0.1

    nameserver 10.0.0.2

    2.3 Samba Client

    Before we can populate the LDAP database we configure the Samba client on the OpenLDAP server. There are different ways to set up Samba to authenticate to Active Directory. Most modern Linux distributions include a script or application that automatically writes the Samba configuration, adjusts the operating system configuration such as PAM, and joins the domain. We will go over the automated process as defined in Red Hat and then the manual configuration.

    2.3.1 RedHat (Automated)

    1. Log into Red Hat Enterprise Desktop

    2. Open terminal session and execute system-config-authentication

    3. On the first tab, User Information, select Winbind and click the Configure Winbind button

    1. Enter the domain name; example JIMMT

    2. Select ADS from the Security model drop-down menu

    3. Enter the fully qualified domain name of the Active Directory realm in Winbind ADS Realm; example JIMMT.COM

    4. Select a shell from the Template Shell drop-down menu

    5. Click OK

    4. Select the Authentication tab, select Kerberos and click the Configure Kerberos button


    1. Enter the fully qualified domain name of the Active Directory in the Realm field; example JIMMT.COM

    2. Enter the fully qualified domain name of a domain controller in the KDCs and Admin Servers fields; example JIMMTADDC01.JIMMT.COM

    3. Check both Use DNS to resolve hosts to realms and Use DNS to locate KDCs for realms

    5. Select Winbind and click the Configure Winbind button

    1. Verify all information is correct. If not, follow step 3 (1-5)

    6. Select the Options tab and check Create home directories on first login

    7. Go back to the Authentication tab, select Winbind and click the Configure Winbind button

    1. Click Join Domain

    8. Click OK to exit the configuration utility

    Validate domain membership

    1. Open a terminal session and execute wbinfo -u. You should see the users of the domain listed. Note this could take a long time depending on the size of the user database.

    2. In the same terminal session execute kinit jimmt@JIMMT.COM

    3. In the same terminal session execute klist -5

    4. If you have any issues, review the manual configuration and verify that the configuration files were updated properly

    2.3.2 RedHat and other operating systems (Manual)

    NOTE: RedHat was used to document this process. Refer to the distribution manual for the path to the configuration files on other distributions.

    1. Rename /etc/samba/smb.conf to smb.conf.bak

    2. Create a new smb.conf file in /etc/samba/ and add the following, changing the domain-specific values (workgroup, realm, idmap ranges) to match your domain and configuration:

    [global]
    # The default workgroup (the NetBIOS domain name)
    workgroup = JIMMT
    # security = ads is used when connecting to Active Directory
    security = ads
    # The Kerberos realm
    realm = JIMMT.COM
    encrypt passwords = true
    # The ranges for uid and gid assigned to users/groups from Active Directory
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    # The shell used for users from Active Directory
    template shell = /bin/bash
    # Let users from the default domain appear as just the user name, without the DOMAIN\ prefix
    winbind use default domain = true

    1. Save the configuration file

    2. Rename /etc/krb5.conf to krb5.conf.bak

    3. Create a new krb5.conf file in /etc/ and add the following, changing the domain-specific values (realm, KDCs, admin servers) to match your domain and configuration:

    [logging]
    default = FILE:/var/log/krb5libs.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = JIMMT.COM
    # Note: if you have issues doing lookups, set the two dns_lookup options to false
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    JIMMT.COM = {
    # NOTE: You can have more than one kdc and admin_server
    kdc = JIMMTADDC01.JIMMT.COM:88
    kdc = JIMMTADDC02.JIMMT.COM:88
    admin_server = JIMMTADDC01.JIMMT.COM:749
    admin_server = JIMMTADDC02.JIMMT.COM:749
    default_domain = JIMMT.COM
    }

    [domain_realm]
    .jimmt.com = JIMMT.COM
    jimmt.com = JIMMT.COM

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    4. Edit the name service switch configuration file /etc/nsswitch.conf and set passwd, shadow, and group to files winbind:

    passwd: files winbind
    shadow: files winbind
    group: files winbind

    5. Change the PAM configuration to allow winbind authentication. Edit /etc/pam.d/system-auth-ac

    1. Under auth add

    auth sufficient pam_krb5.so use_first_pass
    auth sufficient pam_winbind.so cached_login use_first_pass

    2. Under account change

    account required pam_unix.so

    to

    account required pam_unix.so broken_shadow

    3. Under account add

    account sufficient pam_krb5.so
    account sufficient pam_winbind.so cached_login
    account sufficient pam_ldap.so

    4. Under password add

    password sufficient pam_krb5.so use_authtok
    password sufficient pam_winbind.so cached_login use_authtok

    5. Under session add

    session optional pam_mkhomedir.so

    6. Execute from a terminal: net ads join -U <domain administrator account>

    7. Start the winbind service; /sbin/service winbind start


    Validate domain membership

    1. Open a terminal session and execute wbinfo -u. You should see the users of the domain listed. Note this could take a long time depending on the size of the user database.

    [root]# wbinfo -u
    Administrator
    guest
    support_xxxxx
    krbtgt
    jimmt
    smitht

    2. In the same terminal session execute kinit jimmt@JIMMT.COM. When prompted, enter the password. If successful you will return to the prompt.

    3. In the same terminal session execute klist -5

    [root]# klist -5
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: jimmt@JIMMT.COM

    Valid starting     Expires            Service principal
    11/12/09 16:30:00  11/13/09 02:00:00  krbtgt/JIMMT.COM@JIMMT.COM
            renew until 11/13/09 16:30:00

    4. If you have any issues, review the manual configuration and verify that the configuration files were updated properly

    8. Set winbind to auto-start on boot: /sbin/chkconfig winbind on --level 2,3,5

    9. Turn off nscd, as it conflicts with the winbind cache feature: /sbin/chkconfig nscd off
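An added consistency check for the smb.conf and krb5.conf written in the manual steps above (example code, not from the article): it reads the settings the two files must agree on and flags the mismatches that most often break the join or the UID mapping. The sample files are constructed from the article's own realm and domain controller; the 10000 floor for the idmap range is this check's assumption, not the article's.

```bash
#!/bin/sh
# Consistency check for the smb.conf / krb5.conf pair from the manual steps above.
# Added example, not from the article: sample files are constructed here so it
# runs offline; on a joined host pass /etc/samba/smb.conf and /etc/krb5.conf instead.

# ini_get FILE KEY: value of the first "KEY = value" line (comment lines never
# match because the key has to start the line).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_smb_conf FILE: returns the number of failed checks (0 = consistent).
check_smb_conf() {
    f=$1; fails=0
    realm=$(ini_get "$f" realm)
    [ "$(ini_get "$f" security)" = ads ] ||
        { echo "smb.conf: 'security = ads' is required for an AD member" >&2; fails=$((fails+1)); }
    [ -n "$realm" ] && [ "$realm" = "$(printf %s "$realm" | tr '[:lower:]' '[:upper:]')" ] ||
        { echo "smb.conf: realm must be the AD realm in upper case" >&2; fails=$((fails+1)); }
    uid=$(ini_get "$f" "idmap uid"); gid=$(ini_get "$f" "idmap gid")
    lo=${uid%-*}; hi=${uid#*-}
    # One ascending range, identical for uid and gid, and far above the local
    # accounts in /etc/passwd: nsswitch consults files before winbind, so an
    # overlap would let an AD identity alias root or a system account.
    [ -n "$uid" ] && [ "$uid" = "$gid" ] && [ "$lo" -lt "$hi" ] && [ "$lo" -ge 10000 ] ||
        { echo "smb.conf: idmap uid/gid must be one ascending range >= 10000" >&2; fails=$((fails+1)); }
    return $fails
}

# check_krb5_conf FILE REALM: the Kerberos side must name the same realm.
check_krb5_conf() {
    f=$1; realm=$2; fails=0
    lc=$(printf %s "$realm" | tr '[:upper:]' '[:lower:]')
    [ "$(ini_get "$f" default_realm)" = "$realm" ] ||
        { echo "krb5.conf: default_realm must be $realm" >&2; fails=$((fails+1)); }
    grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$f" ||
        { echo "krb5.conf: no [realms] block for $realm (kdc entries missing)" >&2; fails=$((fails+1)); }
    grep -q "^[[:space:]]*\.$lc[[:space:]]*=[[:space:]]*$realm" "$f" ||
        { echo "krb5.conf: [domain_realm] must map .$lc to $realm" >&2; fails=$((fails+1)); }
    return $fails
}

# Constructed sample pair using the article's realm and domain controller.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
workgroup = JIMMT
security = ads
realm = JIMMT.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
default_realm = JIMMT.COM
[realms]
JIMMT.COM = {
 kdc = JIMMTADDC01.JIMMT.COM:88
}
[domain_realm]
.jimmt.com = JIMMT.COM
EOF

check_smb_conf "$SAMPLE_DIR/smb.conf" && check_krb5_conf "$SAMPLE_DIR/krb5.conf" JIMMT.COM &&
    echo "sample smb.conf and krb5.conf are consistent"
```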

    2.4 OpenLDAP

    2.4.1 Configuration files

    1. Check where the OpenLDAP slapd.conf configuration file is located. It should be in /etc/openldap or /etc/ldap. Below, this directory is written as /etc/<ldapdir>/; replace <ldapdir> with openldap or ldap as appropriate.

    2. Make a backup copy of the slapd.conf file in /etc/<ldapdir>/

    3. Check /etc/<ldapdir>/schema for samba3.schema or samba.schema

    1. If not found, copy it from /usr/share/doc/samba-3.x.x/LDAP/ to /etc/<ldapdir>/schema

    4. Create an administrator password hash using slappasswd and record the string it outputs

    5. Edit the OpenLDAP server configuration file slapd.conf found in /etc/<ldapdir>/

    6. In the top section add include /etc/<ldapdir>/schema/samba3.schema (or /etc/<ldapdir>/schema/samba.schema) at the end of the existing include statements

    7. In the top section add include /etc/<ldapdir>/schema/nis.schema (if not already defined) at the end of the existing include statements

    8. After the PID and args file settings add sizelimit unlimited

    9. Comment out the remaining settings in the file by placing a # in front of each line

    10. At the end of the file add the following statements. rootpw takes the hash string recorded from slappasswd in step 4. The last access rule grants the manager DN write access and, because no other by clause matches, denies everyone else (OpenLDAP's implicit by * none), so only the admin DN that winbind binds with can read or change the mappings:

    access to dn.base=""
            by * read
    access to dn.base="cn=Subschema"
            by * read
    access to *
            by dn="cn=manager,ou=idmap" write

    database bdb
    suffix "ou=idmap"
    checkpoint 1024 5
    cachesize 10000
    rootdn "cn=manager,ou=idmap"
    rootpw <hash string from slappasswd>
    directory /var/lib/ldap
    index objectClass eq
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq

    11. Save the configuration file

    12. Change ownership of slapd.conf to ldap:ldap (chown ldap:ldap slapd.conf)


    13. Stop the LDAP service by executing /sbin/service ldap stop

    2.4.2 Database

    We need to create a skeleton for the LDAP database and import it.

    1. Create a new file samba-idmap.ldif

    2. Edit samba-idmap.ldif and add the following (the blank line between the two entries is required in LDIF):

    dn: ou=idmap
    objectClass: organizationalUnit
    ou: idmap
    description: Posix and Samba LDAP Identity Database

    dn: cn=manager,ou=idmap
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager

    3. Save the file

    4. Copy DB_CONFIG.example to /var/lib/ldap/DB_CONFIG

    5. Change ownership of /var/lib/ldap to ldap:ldap (chown -R ldap:ldap /var/lib/ldap)

    6. Import the file by executing:

    slapadd < /path/to/samba-idmap.ldif

    7. Start the LDAP server by executing /sbin/service ldap start. If the service fails to start, do step 5 again.

    8. Verify you can connect to the LDAP server using the password previously set in slapd.conf. NOTE: this is the clear-text password that was given to slappasswd, not the hash string. Use the following command (-w takes the password on the command line, where it is visible in the process list and shell history; -W prompts for it instead):

    ldapsearch -x -b ou=idmap -h localhost -D cn=manager,ou=idmap -w <password>

    If set up properly the output should be similar to this:

    # extended LDIF
    #
    # LDAPv3
    # base <ou=idmap> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # idmap
    dn: ou=idmap
    objectClass: organizationalUnit
    objectClass: sambaUnixIdPool
    ou: idmap
    description: Posix and Samba LDAP Identity Database

    # manager, idmap
    dn: cn=manager,ou=idmap
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager

    # search result
    search: 2
    result: 0 Success

    # numResponses: 3
    # numEntries: 2

    9. Set LDAP to start on boot by executing /sbin/chkconfig ldap on --level 2,3,5

    2.5 Configuring WINBIND on Master LDAP server

    1. Stop the winbind service by executing /sbin/service winbind stop

    2. Dump the existing winbind database into a text file by executing

    net idmap dump /var/cache/samba/winbindd_idmap.tdb > /tmp/idmap.out

    3. Move the files /var/cache/samba/winbindd_idmap.tdb and winbindd_cache.tdb to /var/cache/samba/.old

    4. Change the idmap backend for winbind to use the LDAP server by adding the following to the end of /etc/samba/smb.conf (replace ldapserver.domain.com with the proper fully qualified domain name of the LDAP server):

    idmap backend = ldap:ldap://ldapserver.domain.com
    ldap admin dn = cn=manager,ou=idmap
    ldap suffix = ou=idmap

    5. Set the password for the ldap admin dn using the smbpasswd command. This is the same password that was given to the slappasswd command when setting up the LDAP server (Samba stores it in secrets.tdb, which must remain readable by root only):

    smbpasswd -w <password>

    6. Start the winbind service: /sbin/service winbind start

    7. Load the idmap dump from Samba into the LDAP database by executing the following (this could take some time):

    net idmap restore < /tmp/idmap.out

    8. Reboot the server

    2.5.1 Testing LDAP/Samba

    1. Open another terminal and log in with an Active Directory account, either as the bare user name or as DOMAIN\user:

    login: jimmt
    Password:
    Last login: Wed July 27 11:30:22 on tty3

    or

    login: jimmt\jimmt
    Password:
    Last login: Wed July 27 11:30:22 on tty3

    2. Get the UID of a user in the domain by executing getent passwd <user>. The output should show username:*:UID:GID:Display Name:home directory:shell. If the account has not logged in yet, the home directory path will show that of the user executing the command.

    [jimmt@jimmtldap01]$ getent passwd jimmt
    jimmt:*:16777216:16777216:Jim Tessier:/home/JIMMT/jimmt:/bin/bash

    Replace passwd with group to show the GID of groups. The output will show groupname:*:GID:members

    [jimmt@jimmtldap01]$ getent group "Domain Admins"
    domain admins:*:16777217:jimmt,administrator

    [jimmt@jimmtldap01]$ getent group UnixAdmins
    unixadmins:*:16777219:jimmt

    3.0 Samba Client configuration

    3.1 Samba Client

    To set up the UNIX client to authenticate with Active Directory, follow the same steps outlined in Chapter 2, Configuring LDAP Server, section 2.3

    3.2 Change the Samba client to use LDAP for UID/GID mapping

    1. Change the idmap backend for winbind to use the LDAP server by adding the following to the end of /etc/samba/smb.conf (replace ldapserver.domain.com with the proper fully qualified domain name of the LDAP server):

    idmap backend = ldap:ldap://ldapserver.domain.com
    ldap admin dn = cn=manager,ou=idmap
    ldap suffix = ou=idmap

    2. Reboot the client

    Testing Client Authentication and UID/GID roaming

    1. Open a terminal and log in with an Active Directory account, either as the bare user name or as DOMAIN\user:

    login: jimmt
    Password:
    Last login: Wed July 27 11:30:22 on tty3

    or

    login: jimmt\jimmt
    Password:
    Last login: Wed July 27 11:30:22 on tty3

    2. Get the UID of a user in the domain by executing getent passwd <user>. The output should show username:*:UID:GID:Display Name:home directory:shell. If the account has not logged in yet, the home directory path will show that of the user executing the command.

    [jimmt@client1 ~]$ getent passwd jimmt
    jimmt:*:16777216:16777216:Jim Tessier:/home/JIMMT/jimmt:/bin/bash

    Replace passwd with group to show the GID of groups. The output will show groupname:*:GID:members

    [jimmt@client1 ~]$ getent group "Domain Admins"
    domain admins:*:16777217:jimmt,administrator

    [jimmt@client1 ~]$ getent group UnixAdmins
    unixadmins:*:16777219:jimmt

    3. Compare to the results on the LDAP server to ensure the UID and GID match.
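An added script for step 3 (example code, not from the article) that does the server-versus-client comparison mechanically: it takes the saved getent output from each host, checks that every id lies inside the idmap range from smb.conf, and reports any name that resolves to a different number on the client. The sample files are constructed from the article's getent output, with one deliberate GID mismatch on the client; NFS and other UNIX-style permissions trust the number, not the name, so such a mismatch hands a user another identity's files.

```bash
#!/bin/sh
# Check that AD users and groups carry the same UID/GID on every host (step 3
# above). Added example, not from the article. Inputs are the saved output of
# "getent passwd <user>" and "getent group <group>" collected on each host; the
# samples below are constructed and include one deliberate mismatch on the client.

# ids_in_range FILE LO HI: every numeric id (field 3) must lie inside the
# idmap range from smb.conf; returns the number of offending lines.
ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" '
        $3 !~ /^[0-9]+$/ || $3 + 0 < lo || $3 + 0 > hi {
            printf "%s: id %s outside idmap range %s-%s\n", $1, $3, lo, hi; bad++
        }
        END { exit bad + 0 }' "$1"
}

# compare_ids SERVER_FILE CLIENT_FILE: each name on the LDAP server must resolve
# to the same id on the client; users (7 fields) and groups (4 fields) are keyed
# separately so a user and a group with the same name never collide.
# Returns the number of mismatches or missing entries.
compare_ids() {
    awk -F: '
        { k = (NF >= 7 ? "user " : "group ") $1 }
        NR == FNR { want[k] = $3; next }            # first file: the server
        {
            seen[k] = 1
            if (!(k in want)) { printf "%s: unknown on server\n", k; bad++ }
            else if (want[k] != $3) {
                printf "%s: server id %s, client id %s\n", k, want[k], $3; bad++
            }
        }
        END {
            for (k in want) if (!(k in seen)) { printf "%s: missing on client\n", k; bad++ }
            exit bad + 0
        }' "$1" "$2"
}

# Constructed samples built from the article's example output.
D=$(mktemp -d)
cat > "$D/server.txt" <<'EOF'
jimmt:*:16777216:16777216:Jim Tessier:/home/JIMMT/jimmt:/bin/bash
domain admins:*:16777217:jimmt,administrator
unixadmins:*:16777219:jimmt
EOF
# On the client, unixadmins was allocated from the local tdb before the idmap
# backend was switched to LDAP, so its GID differs from the server's.
cat > "$D/client.txt" <<'EOF'
jimmt:*:16777216:16777216:Jim Tessier:/home/JIMMT/jimmt:/bin/bash
domain admins:*:16777217:jimmt,administrator
unixadmins:*:16777220:jimmt
EOF

ids_in_range "$D/server.txt" 16777216 33554431 && echo "server ids inside the idmap range"
compare_ids "$D/server.txt" "$D/client.txt" ||
    echo "$? mismatch(es): fix the client's idmap backend before trusting its ids on NFS"
```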

    3.3 Optional PAM configuration

    Depending on your distribution, some additional PAM settings might need to be modified to allow log on via SSH and WDM (Window Desktop Manager). If you are unable to log on with an Active Directory account via SSH or WDM, modify the following PAM modules.

    3.3.1 SSH

    Refer to your distribution or UNIX vendor manuals for the path to the PAM modules.

    1. Edit /etc/pam.d/sshd and replace the contents with the contents below:

    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    session optional pam_keyinit.so force revoke
    session include system-auth
    session required pam_loginuid.so
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022


    3.3.2 WDM (KDE, GNOME, XFCE, etc.)

    1. Edit /etc/pam.d/gdm.conf and add the following line to the end of the configuration file:

    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

    This Hub was last updated on August 10, 2010