I’ll break the information down according by the article to which the information pertains. If the information pertains to all the articles equally, it is included in the “All Articles†portion. Links back to the original articles are included.
All Articles
User Accounts vs. Computer Accounts
One thing in common across all these articles is the need to create special accounts in Active Directory. I originally recommended the use of computer accounts, but over the course of time additional integration tasks with Kerberos have led me to believe that the user of user accounts, not computer accounts, is the best way to handle this. In a very early Linux-AD integration article, I discussed the use of computer accounts instead of user accounts, and the use of the ktpass.exe command to extract a keytab from a computer account. At that time, it seemed reasonable to recommend computer accounts—we were only discussing a single service principal (the host itself), and using a computer account made sense.
However, because of the fact that additional accounts will have to be created for additional service principals (for example, if you are interested in using Kerberos-based SSO with Apache) and because you can’t have multiple computer accounts with the same name, it’s just as well to use a user account with a naming convention that describes the purpose of each account. For example, something like “host-fqdn†for the host/fqdn@REALM service principal (used for scenarios involving pam_krb5 and “native†Kerberos/GSSAPI authentication), and “http-fqdn†for the HTTP/fqdn@REALM service principal (used by mod_auth_kerb for Apache-Kerberos integration). This provides an easy way to distinguish between these accounts, and allows for the multiple accounts that are required in these kinds of scenarios.
Finally, the use of user accounts will eliminate some spurious error messages that ktpass.exe generates when run against a computer account. Note that these error messages are not substantive; things will still work with a computer account. It’s just that ktpass.exe appears to have been intended to run against a user account.
Updated ktpass.exe Command Line
In addition, because of differences in the encryption types supported by Active Directory and many Unix/Linux implementations, I have found that using the “+DesOnly†switch with ktpass.exe seems to help.
An updated ktpass.exe, accounting for the change to a user account and the desire to use DES encryption types, would look something like this:
ktpass.exe -princ host/fqdn@REALM -mapuser DOMAIN\account -crypto des-cbc-md5 +DesOnly -pass Password123 -ptype KRB5_NT_PRINCIPAL -out c:\filename.keytab
Please note that this command, particularly the service principal name (as specified by the “-princ†parameter) is CASE SENSITIVE. For example, the host SPN (i.e., “host/fqdn@REALMâ€) that is used by pam_krb5 and “native†Kerberos/GSSAPI authentication is lowercase. However, the HTTP SPN (used by mod_auth_kerb with Apache) needs to be uppercase. In both cases, the Kerberos realm (which should be equivalent to the Active Directory DNS domain name) must be in uppercase.
Linux-AD Integration (Pre-R2)
The original article is found here.
In addition to the switch from a computer account to a user account as described above, the only real change to this article pertains to the /etc/ldap.conf file that configures the nss_ldap library. Remember that in almost all of these scenarios, we are using Kerberos for authentication and LDAP for account information, i.e., storing the information that would normally be stored in /etc/passwd.
The original article calls for /etc/ldap.conf to include this line:
nss_base_group dc=mydomain,dc=com
To help optimize LDAP traffic against Active Directory, change the /etc/ldap.conf as follows:
nss_base_group dc=mydomain,dc=com?sub? &(objectCategory=group)(gidnumber=*)
(This should all be on a single line.) This will help reduce the query load on Active Directory by limiting the types of objects for which searches will be issued; in addition, the “objectCategory†type is indexed, which also also greatly speed operations.
Speaking of indexing, if the pam_login_attribute is not modified (it defaults to uid), you’ll also need to index the uid attribute in order to avoid heavy CPU utilization and delays in responses from Active Directory. This was mentioned in the updated Linux-AD R2 instructions. Alternately, you can change the pam_login_attribute in /etc/ldap.conf to an indexed attribute, like sAMAccountName.
Last, you may find it useful to edit /etc/ldap.conf and change the gecos field mapping from name to cn (i.e., use “nss_map_attribute gecos cn†instead of “nss_map_attribute gecos nameâ€).
Linux-AD Integration (R2)
The latest version of these instructions are found posted here.
Again, other than the change to a user account instead of a computer account (as described above), the changes mentioned in the previous section also apply here:
- Changing the nss_base_group in /etc/ldap.conf
- Changing the nss_map_attribute for gecos in /etc/ldap.conf
- Changing the pam_login_attribute to an indexed attribute in Active Directory (such as sAMAccountName) or indexing the uid attribute
Otherwise, the revised instructions are reasonably accurate and seem to work pretty well.
Kerberos-Based SSO with Apache
This article is found here, and already incorporates most of the changes mentioned in this posting. No suggested changes are needed at this time.
Solaris 10 and AD Integration
This article can be found posted here.
This one is a pretty recent article (published within the last week or so), and so already incorporates most of the changes suggested here. The information that I don’t have yet, however, is exactly how to incorporate some of the other suggested changes. For example, I’m not yet sure how to use the ldapclient command to modify the LDAP client profile (Solaris 10 doesn’t use nss_ldap by default) to include the refined group query. I suspect that this command would work correctly:
ldapclient mod -a serviceSearchDescriptor=group:dc=example,dc=com?sub ?&(objectCategory=group)(gidNumber=*)
Of course, the ldapclient command syntax would change depending upon if this was an initial setup or a change to an existing setup.
Likewise, I’m not sure which login attribute the Solaris LDAP libraries are looking for—uid, sAMAccountName, or something else entirely? If anyone with more Solaris 10 experience than me has the answers to these questions, I’d love to know.
As I continue to expand my knowledge of using Kerberos to integrate these various platforms and applications, I’ll post additional information here. I know that a number of you have been posting questions in the comments for these various articles; keep the questions coming. I may not know the answer right away, but I’ll sure do my best to find out!
Tags: ActiveDirectory, Apache, Interoperability, Kerberos, Microsoft, Networking, UNIX
9 comments
Comments feed for this article
Trackback link
http://blog.scottlowe.org/2006/08/21/more-on-kerberos-authentication-against-active-directory/trackback/
Tuesday, August 29, 2006 at 10:09 am
Blake
I have been working on implementing the Kerberos/LDAP solution to authenticate RH Linux against our AD. We are currently using a straight LDAP ‘authentication’ mechanism.
I have the Kerberos working - but I seem to have lost a piece of functionaliry. In the straight LDAP auth, I have the following lines in ldap.conf:
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
This allows us to control who can log onto which host by Windows group. (we have one group for each host). This doesn’t seem to work with the Kerberos/LDAP solution. Is there any way I can control this in a similar fashion? I have spent some time looking into pam_access, which seems to mention group membership. But I haven’t been able to make it work.
Blake
Tuesday, August 29, 2006 at 9:28 pm
slowe
Blake,
You’re on the right track; you should be able to use pam_groupdn and pam_member_attribute to do exactly what you’re describing, even with Kerberos authentication. (Keep in mind when I say “Kerberos authentication,” I mean the use of pam_krb5 to provide Kerberos authentication against Active Directory, not GSSAPI authentication using Kerberos.)
I know this is a stupid question, but the pam_groupdn and pam_member_attribute lines aren’t commented out (#) in the production /etc/ldap.conf file, are they?
Wednesday, August 30, 2006 at 8:36 am
Blake
No, they aren’t commented out.
I have had some luck controlling this by editing /etc/pam.d/sshd and /etc/security/access.conf as describted at http://www.cyberciti.biz/tips/openssh-root-user-account-restriction-revisited.html. This seems to work for sshd and local logins. However I’d like to use the ldap.conf to control this exclusively is possible - one fewer thing to think about.
Blake
Wednesday, August 30, 2006 at 2:15 pm
Blake
Is there any way you can send me your ldap.conf file (and any other configs that are necessary for this functionality?) I put these 2 lines in ldap.conf:
(a copy paste from the live file)
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
pam_groupdn cn=DELPHI,ou=Groups,ou=People,dc=longwood,dc=edu
# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute member
I take myself out of the DELPHI group, yet it lets me login fine via ssh. In a LDAP-only environment, we have this working on other machines. But on my test box with Kerberos it lets anybody on.
Blake
Saturday, October 7, 2006 at 11:55 pm
Dale Sides
More Info on Solaris LDAP: According to the SUN “System Administration Guide: Naming and Directory Services”; Solaris requires the LDAP server to be configured to conform to RFC 2307. With that said I believe your question pertaining to “which login attribute the Solaris LDAP libraries are looking for—uid, sAMAccountName, or something else entirely?” is the attributeMap=passwd:uidnumber=uidNumber entry the reason I think this is that the documentation states that it MUST conform to the NIS schema of RFC 2307 and the first entry for OID 1.3.6.1.1. is as follows :
( nisSchema.1.0 NAME ’uidNumber’
DESC ’An integer uniquely identifying a user in an
administrative domain’
EQUALITY integerMatch SYNTAX ’INTEGER’ SINGLE-VALUE )
In the schema there is a supplemental entry for POSIX account information and it references the uidNumber entry
( nisSchema.2.0 NAME ’posixAccount’ SUP top AUXILIARY
DESC ’Abstraction of an account with POSIX attributes’
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $ description ) )
Since there is no mention of AD specific entries like sAMAccountName in the NIS Schema I would have to believe it is the uidNumber. And if you do any of the user related queries from with Solaris to an AD LDAP server like getent passwd username it returns the same info as the old ypcat commands did against NIS specifically the uid number.
Hope that helps,
Dale
Sunday, October 8, 2006 at 9:24 pm
slowe
Dale,
Yes, of course–that makes perfect sense that sAMAccountName wouldn’t be used, since that is a strictly Microsoft sort of thing. Now that I think about it, I would strongly imagine that they are using uid for the logon attribute, since that seems to be the default for most Unix-like operating systems.
Thanks for the updated information!
Tuesday, September 25, 2007 at 8:54 am
Erik
Hello,
I have implemented kerberos together with ldaps - loging from linux to Microsoft AD.
Question: How can i ponit for kerberos to allow login with unix account ( uid) instead of sammaccountname? We dont want to login with example “john.exmaple” (SAMACC) but with “jexample” (UID). Thanx
Tuesday, September 25, 2007 at 8:42 pm
slowe
Erik,
As best we’ve been able to tell (refer to reader Ian’s comments on the Solaris-AD integration and Linux-AD integration articles about changing the login name for Kerberos), it can’t be done. LDAP can be changed, but Kerberos cannot.
If you find a workaround, I’d love to hear about it!
Thanks for reading!
Saturday, September 13, 2008 at 7:53 am
rohan
Error ( Samba active directory in windows 2003) ads user add root : server is unwilling perform