July 2007

User Account Control (UAC) is a feature new to Windows Vista and Windows Server 2008 that is designed to help protect Windows-based systems against processes running with administrative permissions.  It’s a great idea, but the implementation is, in my humble opinion, a bit flawed.

Here’s a great example.  In working on interoperability and integration documentation for Windows Server 2008, I came across a problem that prevents you from using Samba to join Linux or UNIX systems to Active Directory for the purpose of centralizing authentication to those systems (more information available in this article).  OK, no big deal; we’ve done it before with ktpass.exe, right?  We’ll just drop back to using ktpass.exe and do it “old school”.

Here’s the output from ktpass.exe when running on a Windows Server 2008-based server with UAC enabled:

C:\>ktpass.exe -princ HOST/vsxsoltest01.vmwarelab.net@ADNG.VMWARELAB.NET
-mapuser ADNG\VSXSOLTEST01$ -crypto all -pass Password123
-ptype KRB5_NT_PRINCIPAL -out c:\vsxsoltest01.keytab
 
Targeting domain controller: vswdcng02.adng.vmwarelab.net
 
Using legacy password setting method
 
Failed to set property “servicePrincipalName” to
“HOST/vsxsoltest01.vmwarelab.net” on Dn
“CN=VSXSOLTEST01,CN=Computers,DC=adng,DC=vmwarelab,DC=net”: 0×32.
 
WARNING: Unable to set SPN mapping data.
 
If VSXSOLTEST01$ already has an SPN mapping installed for
HOST/vsxsoltest01.vmwarelab.net, this is no cause for concern.
 
WARNING: Account VSXSOLTEST01$ is not a user account (uacflags=0×1021).
 
WARNING: Resetting VSXSOLTEST01$’s password may cause
authentication problems if VSXSOLTEST01$ is being used as a server.
 
 
Reset VSXSOLTEST01$’s password [y/n]? y
 
Aborted.

This is running as an account that is not the built-in Administrator account, but is a member of Domain Admins, Schema Admins, Enterprise Admins, and the built-in Administrators group.

Take that same command and run it on the same server after disabling UAC, and it runs just fine.  No errors, no warnings, no problems.  Clearly, UAC is interfering with ktpass.exe.

If you have a need to integrate Linux and/or UNIX systems into Active Directory for authentication, keep this in mind:  you’ll need to disable UAC (and reboot the server) before you can use ktpass.exe to map service principals onto accounts.

Samba, as I’m sure you already know, is an open source implementation of SMB/CIFS for UNIX, Linux, and similar operating systems.  I’ve found Samba to be extremely helpful in providing some assistance for integration into Active Directory, as evidenced by these articles:

• Solaris 10-AD Integration, Version 3
• Linux-AD Integration, Version 4

Both of these articles utilize Samba’s Active Directory support to help automate the process of joining non-Windows systems to Active Directory for the purpose of authenticating logon requests against Active Directory.

So when it came time to start working on integrating Linux or Solaris into Active Directory on Windows Server 2008, I naturally assumed that I’d be able to use Samba in the same way as I had before.  Unfortunately, that’s not the case.  Due to changes in Windows, and due to the fact that previous versions of Windows were non-standard (i.e., didn’t follow the RFCs—surprise, surprise), using Samba to join an Active Directory domain running on Windows Server 2008 currently does not work.

This thread on the Samba mailing list provides some additional information, and this Google search turns up a few hits that also provide additional information on the problem.  Until this particular issue is resolved, we won’t be able to use the “net ads join” commands (and potentially some others as well) against Active Directory domains running on Windows Server 2008.  Looks like it’s back to ktpass.exe again!

In the event that your organization is considering a migration later this year (or next?) to Windows Server 2008 (formerly “Longhorn”), here are some instructions for integrating Linux login requests against Active Directory on Windows Server 2008.  These instructions are based on Linux-AD Integration, Version 4 and utilize Kerberos, LDAP, and Samba.

When this process is complete, AD users can be enabled for use on Linux systems on the network and login to those Linux systems using the same username and password as throughout the rest of Active Directory.

If you are looking for information on using Linux with a previous version of Windows before Windows Server 2008, please refer back to my AD integration index and select the appropriate article.  The only significant changes in the process involve the mapping of the LDAP attributes; otherwise, the procedure is very similar between the two versions of Windows.

Preparing Active Directory (One-Time)

The process of installing and configuring Windows Server 2008 is beyond the scope of this article (although I may touch on that in the near future in a separate article).  Therefore, I won’t provide detailed instructions on how to perform some of these tasks, but instead provide a high-level overview.

Enable Editing/Display of UNIX Attributes

In order to store UNIX attributes in Active Directory, the schema must be extended.  To extend the schema, first install Active Directory (add the Active Directory Domain Services role to an installed server, then use the Active Directory Installation Wizard to setup Active Directory) and then add the “Identity Management for UNIX” role service (this can be done in Server Manager).

Once that role service has been installed, then the AD schema now includes a partially RFC 2307-compliant set of UNIX attributes, such as UID, UID number, GID number, login shell, etc.  (Note that it may be that these attributes are already included in the schema for Windows Server 2008; I did not check the schema before installing the Identity Management for UNIX role service.  With Windows Server 2003 R2, the schema was present at the time of installation, but the attributes were not visible until installing the UNIX identity services.)

At this point a new tab, labeled “UNIX Attributes,” will appear in the properties dialog box for users and groups in Active Directory.  You’ll use this tab to edit the UNIX-specific attributes that are required for logins to Linux-based systems.

Create an LDAP Bind Account

You’ll also need to create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  This helps minimize any potential security risks as a result of this account.  Just be sure that you know the account’s user principal name (UPN) and password.

Prepare Active Directory (Each User)

Each Active Directory account that will authenticate via Linux must be configured with a UID and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account.

After all the user accounts have been configured, then we are ready to configure Active Directory objects for each of the Linux server(s) that we’ll be integrating with AD.

Prepare Active Directory (Each Server)

Prior to using Samba to join Linux computers to Active Directory and generate a keytab automatically, we had to use the ktpass.exe utility on Windows to generate a keytab.  Due to some current Samba-Windows Server 2008 interoperability issues, we can’t use Samba.  That means we’ll be back to using ktpass.exe to map service principals onto accounts in Active Directory.  Unfortunately, you’ll need to first disable User Account Control (UAC) on your server, since UAC interferes with ktpass.exe.  (Nice, huh?)

Once you’ve disabled UAC (and rebooted your server), then you can map the service principal names (SPNs) using the following steps:

1. Create a computer account (or a user account; either will work) with the name of the Linux server.
2. Use the following command to map the needed SPN onto this account (backslashes indicate line continuation):
   ktpass.exe -princ HOST/server.fqdn@REALM.COM \
-mapuser DOMAIN\AccountName$ -crypto all \
-pass Password123 -ptype KRB5_NT_PRINCIPAL \
-out filename.keytab
3. Copy this file to the Linux server (using SCP or SFTP is a good option) and merge it with the existing keytab (if it exists) using ktutil.  If there is no existing keytab, simply copy the file to /etc/krb5.keytab and you should be good to go.

Now that Active Directory has computer objects (and, more importantly, SPNs) for the Linux servers and the AD users have been enabled for UNIX (by populating the UNIX attributes), we’re ready to start configuring the Linux server(s) directly.

Prepare Each Linux Server

Follow the steps below to configure the Linux server for authentication against Active Directory.  (Note that this configuration was tested on a system running CentOS—a variation of Red Hat Enterprise Linux—version 4.3.)

1. Edit the /etc/hosts file and ensure that the server’s fully-qualified domain name is listed first after its IP address.
2. Make sure that the appropriate Kerberos libraries, OpenLDAP, pam_krb5, and nss_ldap are installed.  If they are not installed, install them.
3. Be sure that time is being properly synchronized between Active Directory and the Linux server in question.  Kerberos requires time synchronization.  Configure the NTP daemon if necessary.
4. Edit the /etc/krb5.conf file to look something like this, substituting your actual host names and domain names where appropriate:
   [logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
 
[realms]
EXAMPLE.COM = {
kdc = host.example.com:88
admin_server = host.example.com:749
default_domain = example.com
}
 
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
 
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
5. Edit the /etc/ldap.conf file to look something like this, substituting the appropriate host names, domain names, account names, and distinguished names (DNs) where appropriate.  (Please note that the nss_base_group line should not be broken across two lines when you edit it; it has been wrapped here for readability.)
   host 10.10.10.10
base dc=example,dc=com
uri ldap://server.example.com/
binddn ldap@example.com
bindpw adldapbindpw
scope sub
ssl no
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group dc=mydomain,dc=com?sub?
&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
6. Configure PAM (this varies according to Linux distributions) to use pam_krb5 for authentication.  Many modern distributions use a stacking mechanism whereby one file can be modified and those changes will applied to all the various PAM-aware services.  For example, in Red Hat-based distributions, the system-auth file is referenced by most other PAM-aware services.  Here’s a properly edited /etc/pam.d/system-auth file taken from CentOS 4.4 (some lines have been wrapped for readability; do not wrap them when editing the file):
   #%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time
# authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so
   likeauth nullok
auth sufficient /lib/security/pam_krb5.so
auth required /lib/security/pam_deny.so
 
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_krb5.so
account sufficient /lib/security/pam_succeed_if.so
   uid < 100 quiet
account required /lib/security/pam_deny.so
 
password requisite /lib/security/pam_cracklib.so
   retry=3
password sufficient /lib/security/pam_unix.so
   nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
 
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
7. Edit the /etc/nsswitch.conf file to include “ldap” as a lookup source for passwd, shadow, and groups.

At this point we are now ready to test our configuration and, if successful, to perform the final step:  to join the Linux server to Active Directory for authentication.

Test the Configuration

To test the Kerberos authentication, use the “kinit” command, as in “kinit <AD username>@<AD domain DNS name>”; this should return no errors.  A “klist” at that point should then show that you have retrieved a TGT (ticket granting ticket) from the AD domain controller.  If this fails, go back and troubleshoot the Kerberos configuration.  In particular, if you are seeing references to failed TGT validation, check to make sure that both your Linux servers and AD domain controllers have reverse lookup (PTR) records in DNS and that the Linux server’s /etc/hosts file listed the FQDN of the server first instead of just the nodename.

<aside>Some readers and some other articles have suggested the use of the AD domain DNS name in the /etc/krb5.conf file instead of an AD domain controller specifically; I recommend against this.  First, I believe it may contribute to TGT validation errors; second, it is possible to list multiple KDCs (AD DCs) in the configuration.  Since the only major reason to use the AD domain DNS name instead of the DNS name of one or more DCs would be fault tolerance, then it doesn’t really gain anything.</aside>

To test the LDAP lookups, use the “getent” command, as in “getent passwd <AD username>”; this should return a listing of the account information from Active Directory.  If this does not work, users will not be able to login, even if Kerberos is working fine.  If you run into errors or failures here, go back and double-check the LDAP configuration.  One common source of errors is the name of the LDAP bind account, so be sure that is correct.

At this point, SSH logins to the Linux system using an account present in Active Directory (one which has had its UNIX attributes specified properly) should be successful.  This will be true as long as you used the ktpass.exe command earlier to map the SPN onto the computer object in Active Directory.  Even if you didn’t copy the keytab over to the Linux server, logins will work.  Why?  Because the PAM Kerberos configuration, by default, does not require a client keytab, and does not attempt to validate the tickets granted by the TGT.  This means that as long as the SPN(s) are mapped to the accounts in AD, the keytab is not necessarily required.

(Note, however, that not using a keytab and/or not requiring a keytab does leave the Linux server open to potentially spoofed Kerberos tickets from a fake KDC.  In addition, “native” Kerberos authentication—i.e., using a Kerberos ticket to authenticate instead of typing in a password—won’t work without a keytab.)

Deal with Home Directories

Unlike Windows systems, home directories are required on Linux-based systems.  As a result, we must provide home directories for each AD user that will log in to a Linux-based system.  We basically have three options here:

• Manually create home directories and set ownership/permissions properly before users will be able to log in.
• Use the pam_mkhomedir.so PAM module to automatically create local home directories “on the fly” as users log in.  To do this, you would add an entry for pam_mkhomedir.so in the session portion of the PAM configuration file.
• Use the automounter to automatically mount home directories from a network server.  This process is fairly complicated (too involved to include the information here), so I’ll refer you to this article on using NFS and automounts for home directories.  This has the added benefit of providing a foundation for unified home directories across both Windows and Linux systems.

Once you’ve settled on and implemented a system for dealing with home directories, you are finished!  UNIX-enabled users in Active Directory can now login to Linux-based systems with their Active Directory username and password.

What’s not addressed in this article?  Password management.  In this configuration, users will most likely not be able to change their password from the Linux servers and have that change properly reflected in Active Directory.  In addition, “native” Kerberos authentication using Kerberos tickets won’t work unless the keytab is present.  In my testing, I ran into a number of issues with the keytab and TGT validation, but I’m not sure if those are errors in my process or the result of the beta status of Windows Server 2008.

I welcome your corrections, additions, or suggestions in the comments below.

Even though NIS is installed as part of the “Identity Management for UNIX” role service (part of the Active Directory Domain Services role) in Windows Server 2008, it appears that some additional steps are required in order to make it work as expected.  If anyone has any additional information they’d like to share on this particular issue, please speak up in the comments.

After installing NIS through Server Manager (first installing the Active Directory Domain Services role, then installing Active Directory, then adding the Identity Management for UNIX role service in Server Manager), an error popped up when trying to launch the MMC for Identity Management for UNIX.  The error basically stated that no configuration was found and that I needed to run niscnfg.exe.

The first time I ran this program (found in %Systemroot%\IDMU\Setup), it did nothing.  Upon launching the Identity Management for UNIX MMC, I received the same error.  Trying to start the Server for NIS service resulted in an error message informing me that the service was currently set to Disabled and therefore could not be started.  So I set the service to Manual, started it (it started successfully and without reporting any error messages), and ran niscnfg.exe again.  It still didn’t do anything.  I restarted the Identity Management for UNIX MMC and now it seemed to work fine.

It’s great that it now works, but the whole situation just creates more questions:

• So, did niscnfg.exe actually do anything?
• Was the error message misleading, and really what I needed to do was start the NIS server service?
• Why was the Server for NIS service set to Disabled, anyway, even after I’d installed the Identity Management for UNIX role service?

I’m willing to accept that this issue may be due to the fact that the software is still in beta stage.  Any experienced Windows Server 2008 beta testers care to weigh in on this matter?

I’m a multi-protocol kind of guy.  What does that mean?  Basically, it means that I use more than just a web browser.  Typically, I have multiple Internet clients running at any given time—a browser (typically Camino, but sometimes Safari), an RSS reader (NetNewsWire), an IM client (Adium), Cocoalicious (for managing del.icio.us bookmarks), an IRC client (Colloquy), and an e-mail client.  In each of these areas, there are high-quality applications available to choose from.  For example, if I didn’t like Camino or Safari, I could always switch to Opera or Firefox; if I didn’t like NetNewsWire, I could switch to NewsFire, Shrook, or Vienna.  I have options.

I also like to try to follow a small number of Usenet newsgroups.  Unfortunately, this is one area where Mac OS X doesn’t have a good set of high-quality applications.  And that really stinks.

There’s only one commercial Usenet client of which I am aware, and that’s Unison by Panic.  It’s a decent application, but lacks offline support and the ability to connect to multiple servers simultaneously.  In addition, the UI is a bit awkward to me, and I could really use some better searching functionality.  I’ve been using Unison for a while and I’d love to see a major upgrade to the application…so Panic guys, what do you say?

I thought that Nemo was going to be a real contender, but it crashes on a regular basis, and has a number of bugs that make it pretty much unusable.  It’s a tremendous start, though, and I hope that the developer continues to refine the application.  Once some of these bugs have been squashed, I will definitely consider purchasing the application, but as it is I’m not going to pay for beta software that is truly beta quality.  There are a few unfinished open source efforts, like Xnntp, but those also are incomplete beta-quality products.

So are there any other good, high-quality NNTP/Usenet clients out there that I’m just missing?  Or is this all there is?

The following configuration will enable you to authenticate login requests to Cisco equipment running IOS against Active Directory.  This would, for example, allow you to centralize the authentication of your Cisco-based network infrastructure against Active Directory.

Configuring the Cisco Equipment

The equipment I used in this configuration was a Cisco Catalyst 3560G switch running IOS 12.2(25); please note that the commands listed here may be different in different versions of IOS.  The commands should be roughly equivalent, however, across hardware platforms.

First, we must enable the external authentication mechanisms, then we’ll specify the external authentication servers we’re going to use.  This is listed below:

1. First, to enable external authentication on the switch, use the following commands in global configuration mode:
   s1(config)#aaa new-model
s1(config)#aaa authentication login default group radius local
   This enables the authentication of login requests by RADIUS first, then by a local database (just in case network connectivity is down).  We specify “local” as well because this configuration applies to both telnet requests as well as physical console requests.
2. Next, we specify the external authentication servers that the switch should use:
   s1(config)#radius-server host 10.1.1.254 auth-port 1645
acct-port 1646 key Password
   (This should all be on one line.)  Best practices dictate that you should have at least two RADIUS servers for redundancy.  Note that the “auth-port” and “acct-port” parameters are only necessary if you are using nonstandard ports.  Since Microsoft’s IAS (Internet Authentication Service, which provides the RADIUS interface to Active Directory) uses both sets of standard ports (1645/1812 and 1646/1813) you won’t need to specify these parameters.  The “key” parameter is a shared secret key between the RADIUS client (the switch) and the RADIUS server.  Obviously, you’ll want to use something other than “Password”.

Now we’re ready to move to configuring the Windows servers that we’ll use for RADIUS authentication.

Configuring Internet Authentication Service (IAS)

Configuring IAS is rather simple.  I’ve discussed the use of IAS before (here in discussing Cisco PIX-AD integration and here regarding WatchGuard Firebox-AD integration), and I’ll refer you back to those articles for some of the basics on setting up and configuring IAS.

Note that these instructions are based on the version of IAS included with Windows Server 2003 R2; different versions may behave slightly differently.

To configure IAS in this instance (once it has been installed and registered with Active Directory), we’ll do the following:

• Add the Cisco Catalyst switch as a RADIUS client.  We’ll need to be sure to specify the same shared secret as used in the switch configuration above.  You can specify the Cisco switch either by DNS name (if it is registered in DNS) or by IP address.
• Create a new remote access policy that grants remote access permission.  The conditions on the policy should be “NAS-IP-Address” (set to the IP address of the Cisco equipment) and “Windows-Groups” (set to whatever group should be allowed to authenticate to the switch; I created a group called “Cisco Admins” and used it).
• Configure the profile to use only PAP authentication and no encryption.

Repeat this process on the second Windows server running IAS (you did configure two for redundancy, didn’t you?).

That’s it!  At this point, you should be able to telnet to the Cisco switch (or whatever IOS-based equipment you’ve configured) and log in with your Active Directory username and password.  Once logged in, you can use your enable or enable secret password to enter privileged exec mode.

Now, before you go any farther, add a local account to use in case the network connectivity to the RADIUS server is lost:

s1(config)#username localaccount password password123

(Obviously, you’ll want to use a secure password!)  This will ensure that if you lose network connectivity to the equipment, you can still get in through the serial console connection.  Be warned: without this local account, you can be locked out of the equipment completely if the RADIUS server(s) are inaccessible!

This Cisco document offers some additional information on AAA configurations, so I’ll refer you there for more detailed descriptions of the commands involved.  Enjoy!