Linux, Active Directory, and Windows Server 2003 R2 Revisited

Scott,

Couple of questions:

1. In ldap.conf you say “binddn ldap@example.com” should I interpret that to be “binddn myusername@example.com“, where “myusername” is the single user account that I created early on in the section “Finally, you’ll also need to create an account in Active Directory that will be used to bind to Active Directory for LDAP queries. “?

Is it possible for you to post these instructions with colored text highlighting values that are specific to our environments? (I’m just a dumb windows admin trying to play in a linux world.

2. Does the “pam_mkhomedir.so” go in the system-auth file? And if so what does it look like?

3. Any chance of having you post your actual configuration files, I’m using Centos 4.3 as well.

Thank you very much, I don’t have this working yet, but your blog has been the most helpful thing I’ve found around.

Ron

I have tried:

ktpass -princ HOST/linux01.example.com@EXAMPLE.COM -mapuser EXAMPLE\LINUX01$ -crypto DES-CBC-MD5 +DesOnly -pass * -ptype KRB5_NT_SRV_HST -out c:\krb5.keytab

and got the following output:

Targeting domain controller: myAD.example.com
Successfully mapped HOST/linux01.example.com to LINUX01$.
WARNING: Account LINUX01$ is not a user account (uacflags=0×1021).
WARNING: Resetting LINUX01$’s password may cause authentication problems if LINUX$ is being used as a server.

Reset LINUX$’s password [y/n]? Y
Key created.
Output keytab to c:\krb5.keytab:
Keytab version: 0×502
keysize 59 HOST/linux01.ruckh.net@RUCKH.NET ptype 3 (KRB5_NT_SRV_HST) vno 2 etype 0×3 (DES-CBC-MD5) keylength 8 (0xc151ab730bbf917f)

Account LINUX01$ has been set for DES-only encryption.

I copy the keytab file over to linux server, but get this in /var/log/messages:

TGT failed verification using key for ‘HOST/linux01.example.com@example.com’

Something tells me the keytab file is not working correctly.

If I set validate to false in the pam section of /etc/krb5.conf user authentication works and no error in the /var/log/messages.

I can run kinit username; where user is an AD user. After successfully typing password I am returned to a shell prompt with no errors. I assume the kerberos stuff is working. After running kinit I can run klist and display the which was generated from the kinit command.

Any suggestions?

Thanks.

Great set of instructions here. Thanks for posting. I’ve found this really helpful.

1. I’m getting the same results for the post above. I am able to authenticate with ‘validate=false’. However, when I set ‘validate=true’, authentication completes but the TGT validation fails — thus rejecting the login. I’ve verified that the key version number is the same per the output of ktpass and klist -keK.

2. Is it necessary for the user to be listed in /etc/passwd in order for them to log in? I thought this was the whole purpose of this exercise…to stop making user accounts on individual boxes. If I remove a user from /etc/passwd, they are no longer able to log into the individual box. If so, how do you handle a fairly large environment?

3. The name from the gecos field does not show up. Is there a way to query this under AD to find out what attribute it stores the name under?

TIA.

I ended up using the following batch file to create keytab file:

@echo off

:: %1 is the username
:: %2 is the realm

ktpass -princ nssldap/%1@%2 -mapuser %1@%2 -pass secret -out %1.keytab

In this case my AD account is a user account and not a machine account.

Ok, I finally have an acceptable configuration that is working. It uses secure communication between Linux boxes and LDAP server, and user is able to change password from Linux or Windows. Once I get all the chicken scratches organized into some sensible documentation I will post the final configuration here.

Thanks for all the feedback.
Scott

Ryan,

With Win2k3 R2 there is a gecos field but it is unpopulated. If you want to use the gecos field in AD open up adsiedit go to the user and populate the gecos field to be whatever you want it to be. Otherwise, set the `nss_map_attribute gecos’ value (in your /etc/ldap.conf file) to whatever AD field you would like to use.

Scott,
My one problem I am having right now is that if I check the must change password at next login in and then try logging into a linux box, I can not change the password. I am prompted to change the password, but something not workie so good. If that value is unchecked the user can log in, issue the passwd command, and can successfully change password. Once I get everything working as expected, I definitely plan on posting final configs.

This wordpress blog has been the best resource for me, so hopefully I can also share my failures and successes in hopes that someone can find it useful.

I tried to use your TGT authentication steps once again, but can not get it to work.

I created a Computer account in Active Directory (VMLNX01). I enabled: Assign this computer account as a pre-Windows 2000 computer.

I ran the following command a received the following output:

ktpass -princ HOST/vmlnx01.ruckh.net@RUCKH.NET -mapuser RUCKH\VMLNX01$ -crypto DES-CBC-MD5 +DesOnly -pass secret -ptype KRB5_NT_SRV_HST -out c:\vmlnx01.keytab

Targeting domain controller: gemneyedc.ruckh.net
Successfully mapped HOST/vmlnx01.ruckh.net to VMLNX01$.
WARNING: Account VMLNX01$ is not a user account (uacflags=0×1021).
WARNING: Resetting VMLNX01$’s password may cause authentication problems if VMLNX01$ is being used as a server.

Reset VMLNX01$’s password [y/n]? y
Key created.
Output keytab to c:\vmlnx01.keytab:
Keytab version: 0×502
keysize 59 HOST/vmlnx01.ruckh.net@RUCKH.NET ptype 3 (KRB5_NT_SRV_HST) vno 2 etype 0×3 (DES-CBC-MD5) keylength 8 (0×86f176c88cfde93e)

Account VMLNX01$ has been set for DES-only encryption.

I copied that file to the Linux server and copied it to the /etc/krb5.keytab file.

Although I can run kinit with a user and get a ticket, when I try to login I get the following error in /var/log/messages:

TGT failed verification using key for ‘HOST/vmlnx01.ruckh.net@RUCKH.NET’

Am I using the correct syntax?

As I have already posted, when I create a user account and run the following batch file to create keytab file everything works.

@echo off

:: %1 is the username
:: %2 is the realm

REM change the ‘*’ character to the real password in case you want to loop this.
REM else you will be prompted for the password.

ktpass -princ nssldap/%1@%2 -mapuser %1@%2 -pass secure -out %1.keytab

I am trying to distinguish the difference between your method and others I have come across.

Also, I am trying to understand why what works for you is not working for me.

Do you run kinit for the host in the keytab file?

When I am using the other method I have a crontab entry that looks like the following:

/usr/kerberos/bin/kinit -k nssldap/krb5_vmlnx01 -c /tmp/krb5cc_0 2>&1 > /dev/null

I am just trying to understand this step so I can make some decisions on which method makes more sense.

Your input is appreciated.

Thanks.
Scott

The output below shows KVNO as 2

ktutil: l
slot KVNO Principal
—- —- ———————————————————————
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
—- —- ———————————————————————
1 2 HOST/vmlnx01.ruckh.net@RUCKH.NET

kinit -k HOST/vmlnx01.ruckh.net@RUCKH.NET

kinit(v5): Preauthentication failed while getting initial credentials

Adding -kvno 3 to the command line did not help.

This article shows yet another syntax for creating UNIX keytab file:

http://support.microsoft.com/default.aspx?scid=kb;en-us;324144

I would rather have a machine account, rather then a user account if possible.

Thanks
Scott

Scott,

Thanks for the tips. I have everything working except the TGT validation. I’m going to give you an example here of my environment in hopes that you can pin point the mistake I’m making. For security reasons I have masked the real domain.tld. It just is obviously not working

The line below is one long line. I’ve made sure that the SPN is correct, including case:

C:\Documents and Settings\Administrator\Desktop>ktpass -princ HOST/devnull.ad.mydomain.net@AD.MYDOMAIN.NET -mapuser AD\DEVNULL$ -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_SRV_HST -kvno 3 -pass secure -out devnull.keytab

I’ve also forced the version number to ‘3′ as you’ve stated that its only worked when the value equals 3.

I then copy the devnull.keytab over to the linux (CentOS 4.3) box via SCP from my DC.
The devnull.keytab file gets moved over to /etc/krb5.keytab.

klist -keK shows:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
—- ————————————————————————–
3 HOST/devnull.ad.mydomain.net@AD.MYDOMAIN.NET (DES cbc mode with RSA-MD5) (0×612683c7c85b26f8)

My /etc/ldap.conf shows:

host 192.168.0.200
base dc=ad,dc=mydomain,dc=net
uri ldap://192.168.44.200/
binddn ldap@ad.mydomain.net
bindpw abc123!@
scope sub
ssl no
pam_filter objectClass=User
nss_base_passwd dc=ad,dc=mydomain,dc=net?sub
nss_base_shadow dc=ad,dc=mydomain,dc=net?sub
nss_base_group dc=ad,dc=mydomain,dc=net?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member

My /etc/krb5.conf has:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.MYDOMAIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true

[domain_realm]
.ad.mydomain.net = AD.MYDOMAIN.NET
ad.mydomain.net = AD.MYDOMAIN.NET

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = true
}

NOTE: The proper SRV records exist in dns.

Now when I get validate=true, I get the following in my /var/log/secure file:

Aug 22 13:54:47 devnull login: pam_krb5[8573]: configured realm ‘AD.MYDOMAIN.NET’
Aug 22 13:54:47 devnull login: pam_krb5[8573]: flags: forwardable
Aug 22 13:54:47 devnull login: pam_krb5[8573]: flag: no ignore_afs
Aug 22 13:54:47 devnull login: pam_krb5[8573]: flag: user_check
Aug 22 13:54:47 devnull login: pam_krb5[8573]: flag: no krb4_convert
Aug 22 13:54:47 devnull login: pam_krb5[8573]: flag: validate
Aug 22 13:54:47 devnull login: pam_krb5[8573]: flag: warn
Aug 22 13:54:47 devnull login: pam_krb5[8573]: ticket lifetime: 36000
Aug 22 13:54:47 devnull login: pam_krb5[8573]: renewable lifetime: 36000
Aug 22 13:54:47 devnull login: pam_krb5[8573]: banner: Kerberos 5
Aug 22 13:54:48 devnull login: pam_krb5[8573]: ccache dir: /tmp
Aug 22 13:54:48 devnull login: pam_krb5[8573]: keytab: /etc/krb5.keytab
Aug 22 13:54:48 devnull login: pam_krb5[8573]: called to authenticate ‘johndoe’
Aug 22 13:54:48 devnull login: pam_krb5[8573]: authenticating ‘johndoe@AD.MYDOMAIN.NET’
Aug 22 13:54:48 devnull login: pam_krb5[8573]: trying previously-entered password for ‘johndoe’
Aug 22 13:54:48 devnull login: pam_krb5[8573]: authenticating ‘johndoe@AD.MYDOMAIN.NET’ to ‘krbtgt/AD.MYDOMAIN.NET@AD.MYDOMAIN.NET’
Aug 22 13:54:48 devnull login: pam_krb5[8573]: krb5_get_init_creds_password(krbtgt/AD.MYDOMAIN.NET@AD.MYDOMAIN.NET) returned 0 (Success)
Aug 22 13:54:48 devnull login: pam_krb5[8573]: validating credentials
Aug 22 13:54:48 devnull login: pam_krb5[8573]: TGT failed verification using key for ‘HOST/devnull.ad.mydomain.net@AD.MYDOMAIN.NET’
Aug 22 13:54:48 devnull login: pam_krb5[8573]: got result 0 (Success)
Aug 22 13:54:48 devnull login: pam_krb5[8573]: authentication fails for ‘johndoe’ (johndoe@AD.MYDOMAIN.NET): Authentication failure (Success)
Aug 22 13:54:48 devnull login: pam_krb5[8573]: pam_authenticate returning 7 (Authentication failure)
Aug 22 13:54:50 devnull login: FAILED LOGIN 1 FROM (null) FOR johndoe, Authentication failure

Now if I set validate=false, logins will work just fine. Thoughts, ideas? =)

Thanks.

Ryan

I realized I made a typo in the above command, using ktpass.

It should read:

C:\Documents and Settings\Administrator\Desktop>ktpass -princ HOST/ad.mydomain.net@AD.MYDOMAIN.NET -mapuser AD\DEVNULL$ -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_SRV_HST -kvno 3 -pass secure -out devnull.keytab

Thanks again.

Ryan

I wonder my problem is related to this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;919557&sd=rss&spid=3198 ?

It looks like the exact problem I am having.

It is still strange that this bat file works with a user account:

@echo off

:: %1 is the username
:: %2 is the realm

REM change the ‘*’ character to the real password in case you want to loop this.
REM else you will be prompted for the password.

ktpass -princ nssldap/%1@%2 -mapuser %1@%2 -pass SECRET -out %1.keytab

Yes, the Microsoft hotfix fixed the problem. Case sensitivity was not the problem (I had actually already tried your suggestion earlier). If you remember, the usage of SSL is where our environments are different. Sure enough that bug in ktpass was the difference. I had been banging my head on this one for a few days.

Now, if I can get the “User must change password at next logon” working from the Linux side I will be satisfied. That is really something that is bugging me. I can set the password using the passwd command, but not at login. I am going to have to trace some packets and see what the difference is. The same prompts are displayed, but obviously something is different.

I may be attempting the impossible, but I have not yet given up the fight.

Thanks.
Scott

The main problem with setting the, “User must change password at next login”, is that with this setting enabled the user is not able to bind to Active Directory (LDAP), and therefore is not able to change their password.

When this setting is disabled, the user can bind to LDAP and the password can be changed.

The reason this would be a great feature is because not all users actually have a means of changing their password with native Windows tools. If this is truly a single-sign-on solution where the user it logging into Windows and can change AD password it is not a big deal. Unfortunately that luxury is not true for all environments.

I think I am about to take off the gloves and declare defeat.

Scott

If I use

password sufficient /lib/security/$ISA/pam_krb5.so debug minimum_uid=499 use_authok

in /etc/pam.d/system-auth

and turn off TGT validation in /etc/krb5.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = false
}

then I am able to reset passwords from Linux machines. I can reset passwords using passwd, and can enable “User must change password at next logon” in Active Directory, and force a password a change. It all works fine.

If validate is left to be true, then a pam_krb5 error message is logged in /var/log/messages

pam_krb5[31327]: TGT failed verification using key for ”

Which is strange because that same key was successful seconds earlier when authenticating the users account for logging into the system.

Why would the keytab be successful for authorization but not successful when used with the passwd command?

kpasswd works fine from a shell prompt.

Unfortunately, when logging in through ssh, and when password is expired (or forced to change at first login), `passwd’ is automatically called during the login process.

Is there a way to change that default behavior and have kpasswd called instead for only kerberos logins?

I was wondering how significant the Service Principal Name is with this whole process. As I was able to login with at least three different variations of the SPN and keytab file, I was making the assumption that it was not that important. Although the error suggests otherwise.

Scott

I am using Openldap client to authenticate Linux servers to my AD implementation. I can authenticate, but I cannot use passwd to set the password. The error message is as follows:

-bash-3.00$ passwd
Changing password for user scott.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can’t contact LDAP server
00002077: SvcErr: DSID-03190DC8, problem 5003 (WILL_NOT_PERFORM), data 0

passwd: Permission denied
-bash-3.00$

If anyone knows what is the cause of this, please let me know. IT appeard to be coming back from my 2003 AD Domain Controller.

How do you control access?

For example, say you have 3 groups (A, B, and C). Users of Group A should have access to all servers, Group B should have access to only a few servers, and Group C will have access to a few servers.

Obviously each server’s ldap.conf file could contain configurations using different AD containers to limit access, but how would you handle access for the below situation?

Severs: Groups that have access

Server 1: Group A, Group B, and Group C
Server 2: Group A
Server 3: Group A and Group C

Thanks.
Scott

I looked at your other blog entry, but I do not think that is what I need. I knew you could already do that. I am trying to accomplish exactly what you have stated above.

Have a domain local group that is specific to a server, and a global group that is more generic that can be added to each domain local group.

As an alternative can you have multiple pam_groupdn entries or something like that?

I guess I will have to do some testing. As you have already done some work with this, I thought you already had a working solution in your bag of tricks.

Thanks.
Scott

I’ve found a couple of sites that talk about the kvno matching what is in AD. Not being a windows guy, I haven’t figured out how to find the “msDS-KeyVersionNumber” attribute in AD. I’ve loaded an LDAP browser and have searched under “CN=mymapuser,CN=Users,DC=mydomain,dc=com” and I just don’t see the attribite there… Am I looking in the wrong place?

disregard… I just found the adsiedit tool.

I am using Windows 2003 R2 and CentOS 4.3
My ldap.conf is not mapping over the password somehow! Please point me in the right direction.

— /etc/ldap.conf —–
nss_base_passwd dc=test,dc=local?sub
nss_base_shadow dc=test,dc=local?sub
nss_base_group dc=test,dc=local?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user

#getent passwd
test01:x:10006:10004:test01:/home/test01:/bin/sh
test02:x:10003:10004:test02:/home/test02:/bin/sh
test03:x:10004:10004:test03:/home/test03:/bin/sh
test04:x:10005:10004:test04:/home/test04:/bin/sh
#getent passwd
test01:x:::::::0
test02:x:::::::0
test03:x:::::::0
test04:x:::::::0

sshd[4954]: pam_ldap: error trying to bind as user “CN=test01,OU=UNIX-Users,OU=UNIX-OU,DC=test,DC=local” (Invalid credentials)

Scott,

I’m glad I found these instructions; it’s just what I was looking for. I have a few questions.

1. You need to be a Schema Admin to extended the schema (obviously). You also need to be a Schema Admin to install the Identity Management pieces because it modifies a few entries in the schema to display the UNIX tab in ADUC. Now, you say you need to install those components “in order to be able to actually set those attributes”. Could you just register the nisprop.dll and leave it at that? Registering that dll will allow those tabs to be displayed.
2. After the components get installed, I noticed the “Server for NIS” service is set to disabled. Do you need to turn that on for this to work? If not, do you really need to install the components if you can register the dll (See #1 above)?
3. What ports would have to be open on a fw to allow this communication to work? I assume the Kerberos port but what about some of the other ports (NetBIOS, LDAP, DNS, etc). Or, another way of putting this is, is this any different from a Windows box trying to log in?

Thanks.

Can you tell me if authenticating an Active Directory user on a RHEL4 client to a 2003R2 server using this method will put an entry in the Windows Security Event Log that specifically identifies the user logging in? I tried to use Identity Mgmt for UNIX for this, but it shows the user authenticating as the domain controller, not the user. I guess this happens since the NIS server is on the domain controller.
I need to have an accurate Security Event Log in this regard.

Thanks for any help.

Scott!

You don’t have to install the “Server for NIS” component to get the UNIX Attributes tab.

All you have to do is install the Identity Management Unix tools from the X:\ADMIN\IDMU.exe setup file.

This makes a simpler process and you aren’t installing a service you don’t need.

Please note that installing just the Administration Components under AD services… Identity Management for Unix in the Windows Componants Wizard does not do the same thing.

Scott, you mentioned that it is
“necessary to set those attributes using the Active Directory Users and Computers console before logins from Linux will work”

Do you know if the tab does anything special?

I was thinking about programatically updating the Attributes due the need of updating thousands of users.

Awesome info. I’m loving your interoperability writeups.

Gabriel and Scott,

I played around with this alot and yeah, you can run the IDMU.exe or register the nisprop.dll. The thing that I got hung up on was that you need to be a Schema Admin when you run the exe or register the dll. If you aren’t, the tabs won’t show up.

Andy

I’m trying to set up a RH ES 4 server so I can log into a W2K3 domain. I followed all the instructions above (including running authconfig) and I can:
1. Issue the id user1 command and get a valid uid.
2. Issue the klist -keK command and I see the Kerberos ticket
3. Issue the kinit user1 command and log in
4. From the login screen, I can log into the machine using a Windows domain account.
5. Issue the kpasswd command and change the user’s password.

So, it all seems to work. However, I don’t understand these errors; especially the middle one where it says “Authentication failure (Success)”. Is it a failure or a success?

Nov 21 13:55:50 test-vlinux1 unix_chkpwd[3628]: password check failed for user (user1)
Nov 21 13:55:50 test-vlinux1 gdm(pam_unix)[3449]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user1
Nov 21 13:55:50 test-vlinux1 gdm-binary[3449]: pam_krb5[3449]: TGT failed verification using key for ‘HOST/test-vlinux1.domainname.local@DOMAINNAME.LOCAL’
Nov 21 13:55:50 test-vlinux1 gdm-binary[3449]: pam_krb5[3449]: authentication fails for ‘user1′ (user1@DOMAINNAME.LOCAL): Authentication failure (Success)
Nov 21 13:55:51 test-vlinux1 gdm(pam_unix)[3449]: session opened for user user1 by (uid=0)
Nov 21 13:55:54 test-vlinux1 gconfd (user1-3693): starting (version 2.8.1), pid 3693 user ‘user1′

Can anyone decipher these for me? Or at least point me in the right direction. Thanks.

Andy

PS. Scott - Sorry about the flood a few weeks ago. Didn’t sound like fun.

Thanks Scott for the great article. I was able to get a couple of test servers integrated into AD without any issues. However, I did notice a couple key linux commands broke b/c of it. SU and Sudo do not work anymore and error out on something like “incorrect/invalid password”. Can you confirm this? I know there are su and sudo files in /etc/pam.d but not sure if they require editing. Any help would be greatly appreciated. Thanks!

– Dave

Hello
getent passwd working ok but very slow, I must waiting. ( Ubuntu 6,10)
In Solaris system it’s works much better.

What should I do to make it faster ?

Scott,

Should it work when using su against another AD account and not root? Same thing with sudo. Should I be able to list AD user accounts in the sudoers files? Thanks

– Dave

Nevermind, I was able to get it running now. Thanks!

Hello
It was problem with DNS, when I added hostname and ip into hosts , it works OK.

Scott,

Thanks for the tips. I got everything working - it turns out part of the problem was the ktpass issue (http://support.microsoft.com/default.aspx?scid=kb;en-us;919557). Man, that was annoying. Anyone who is doing this should get that hotfix; it’s just one less variable.

Now, have you, or anyone else, got this working over SSL? (I’m sure *someone* has; I just need them to say so). It looks like Scott (who posted above) was working on it and posted some of his config files over here: http://www.winlinanswers.com/community/viewtopic.php?t=37. I don’t know if this was his final working configuration.

It would seem you need to:
1. Generate a cert on the Windows AD DC.
2. Export/copy it to a file.
3. Copy that file to the Linux machine and convert it using the openssl command. Ensure you set the proper perms.
4. Edit the /etc/ldap.conf and maybe the /etc/openldap/ldap.conf file.
5. Maybe edit the /etc/pam.d/system-auth config file.

I did 1-3 and seem to have that working (I can issue the open_ssl s_client -connect fqdn_of_the_dc:636 -CAFile cert_path and get valid info). Am I missing any steps? What changes neede to be made in the .conf files?

Andy

Scott,

A couple of things that you may find interesting/useful - in Linux anyway:

There is a much easier way to generate a host keytab with the Samba toolset - the steps are:

1. Install the Samba server & tools - the main things you need are the Samba ‘net’ utility & the smb.conf (plus libraries, etc).
2. Setup your /etc/krb5.conf as above.
3. Edit the smb.conf file to include the following, substituting actual host names and domain names where appropriate:
workgroup = EXAMPLE
security = ads
realm = example.com
use kerberos keytab = yes
4. As a root user, get a TGT for the Domain Admin (or user with Add Computer privs in AD): kinit Administrator@EXAMPLE.COM
5. Still as root user join the host to the Windows Domain: net ads join

You should now have a nice shiny /etc/krb5.keytab with host entries for your Linux host. Furthermore, you will have a ‘real’ computer account in your AD - much nicer than a ‘mapped’ user account I think.

Gotta thank the Samba guys for this one.

Also, Vintela (a.k.a. Quest) the makers of VAS which I’m sure you are aware of, have a nice set of patches for PuTTY which make single signon from Windows to Unix/Linux a reality. This version of PuTTY uses GSSAPI to negotiate the login authentication - no ssh private keys to manage.

You can get it here: http://rc.vintela.com/topics/putty/

HTH
David

Scott,

I wanted to follow up with you about LDAP over SSL. After some trial and error, I got it working. I had to do the steps I listed above.

For step 3, I converted the cert using the command: openssl x509 -in cert-from-DC.cer -out cert-from-DC.per

For step 4, I added these lines to the ldap.conf file:
uri ldaps://fqdn-of-the-DC
ssl on
tls_checkpeer yes
tls_cacertfile path-to-cert-name
I also had to make sure the host name was a fqdn.

I also had to uncomment out the [realm] section of the krb5.conf file and fill it in with fqdn. Actually, I think I did that to get TGT working. Nonethless, using IP’s didn’t seem to work; I had to have machine names in there.

I’m trying to figure out how this would work if you had mulitple DCs. Can you have multiple names in the ldap.conf file for the ‘host’ and ‘uri’ vales? I’m going to play around with that next. If you have multiple DC’s, might as well use ‘em!

Andy

Scott,

As David G says messing about with the Windows servers to get keytab files is a total unnecessary pain. Samba is the way to go, even for a workstation you just make sure there are no shares defined. A major advantage is that Samba will get renewing the tickets automatically.

The other advantage is that you can get additional service tickets. Want to do GSSAPI Kerberos single signon authentication with Apache, then a simple net ads keytab add HTTP will get you a service principle keytab for HTTP. You can then configure Apache with mod_auth_kerberos and off you go.

What I cannot get working is Kerberos authenticted LDAP searches. Using CentOS it is completely broken on 64 bit machines (several hours of head banging before I worked that one out). However on 32 bit machines I end up with the following error.

ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)

Ideas anyone!!

Actually the su command is only half working. When I login as root and try to su to a local account I get the error message “su: incorrect password”. I’m successfull if I su to an AD account. I’m also not able to login to the console with locally created accounts other than root. I get the error message that the user account has expired. I know it must have something to do with the pam config files su and login but not sure what to change. Thanks

– Dave

Ok, I’m still having problems with using the sudo and su commands as well as others. For some reason local accounts are still trying to be authenticated via kerberos. When I try to su to an AD account it works fine but to any local account it fails with the error message “su: incorrect password”. Here’s the log entry in /var/log/messages when I try to login with the postgres user account.

Dec 12 20:06:07 tlinux01 login(pam_unix)[21909]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user= postgres
Dec 12 20:06:12 tlinux01 login[21909]: pam_krb5[21909]: authentication fails for ‘postgres’ (postgres@LINUX.LOCAL): User not know n to the underlying authentication module (Client not found in Kerberos database)
Dec 12 20:06:14 tlinux01 login[21909]: FAILED LOGIN 1 FROM (null) FOR postgres, Authentication failure

I’m also not able to login via the console with any local account (except for root). I continually get the error message that the user account has expired.

This issue also breaks applications that require being runned by a user other than root. For example this broke my PostgreSQL install since it tries to authenticate the postgres user it runs as with kerberos and therefore fails to start since it’s not in AD.

I thought if it fails the LDAP lookup that it falls back to using local authentication. Am I missing something? Thanks

– Dave

Here are my config files:

ldap.conf

host 172.20.16.72
base dc=linux,dc=local
binddn ldap@linux.local
bindpw testing123
scope sub
ssl no
nss_base_passwd dc=linux,dc=local
nss_base_shadow dc=linux,dc=local
nss_base_group dc=linux,dc=local
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn

krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LINUX.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

#[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com:88
# admin_server = kerberos.example.com:749
# default_domain = example.com
# }

[domain_realm]
.linux.local = LINUX.LOCAL
linux.local = LINUX.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = false
}

nsswitch.conf

passwd: ldap files
shadow: ldap files
group: ldap files

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so debug=true
auth required /lib/security/$ISA/pam_deny.so

account sufficient /lib/security/$ISA/pam_krb5.so debug=true
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_deny.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

/etc/pam.d/su

#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the “wheel” group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the “wheel” group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session required /lib/security/$ISA/pam_selinux.so open
session optional /lib/security/$ISA/pam_xauth.so

/etc/pam.d/sudo

#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_limits.so

/etc/pam.d/login

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open

Ok, I think I’ve figured out what the issue is. In my /etc/pam.d/system-auth file I changed this line:

account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet

to be:

account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 1000 quiet

All my AD accounts have a UID greater than 1000 so this seems to work so far. I’m still testing but this seems to have fixed my problem.

Another issue that has cropped up in my testing is that I can’t login with some of my AD accounts after I manually reset the password in AD. I keep getting the error message that the user account has expired. If I create a brand new account in AD I can login but if I manually change the password I can’t login anymore. Any ideas? Thanks

– Dave

Scott,

For some reason I am still having the issue where I can’t login with an AD account after I manually reset the password. The only way around it is to delete the account and re-add it which is not feasible in a production environment.