Kerberos

In the event that your organization is considering a migration later this year (or next?) to Windows Server 2008 (formerly “Longhorn”), here are some instructions for integrating Linux login requests against Active Directory on Windows Server 2008.  These instructions are based on Linux-AD Integration, Version 4 and utilize Kerberos, LDAP, and Samba.

When this process is complete, AD users can be enabled for use on Linux systems on the network and login to those Linux systems using the same username and password as throughout the rest of Active Directory.

If you are looking for information on using Linux with a previous version of Windows before Windows Server 2008, please refer back to my AD integration index and select the appropriate article.  The only significant changes in the process involve the mapping of the LDAP attributes; otherwise, the procedure is very similar between the two versions of Windows.

Preparing Active Directory (One-Time)

The process of installing and configuring Windows Server 2008 is beyond the scope of this article (although I may touch on that in the near future in a separate article).  Therefore, I won’t provide detailed instructions on how to perform some of these tasks, but instead provide a high-level overview.

Enable Editing/Display of UNIX Attributes

In order to store UNIX attributes in Active Directory, the schema must be extended.  To extend the schema, first install Active Directory (add the Active Directory Domain Services role to an installed server, then use the Active Directory Installation Wizard to setup Active Directory) and then add the “Identity Management for UNIX” role service (this can be done in Server Manager).

Once that role service has been installed, then the AD schema now includes a partially RFC 2307-compliant set of UNIX attributes, such as UID, UID number, GID number, login shell, etc.  (Note that it may be that these attributes are already included in the schema for Windows Server 2008; I did not check the schema before installing the Identity Management for UNIX role service.  With Windows Server 2003 R2, the schema was present at the time of installation, but the attributes were not visible until installing the UNIX identity services.)

At this point a new tab, labeled “UNIX Attributes,” will appear in the properties dialog box for users and groups in Active Directory.  You’ll use this tab to edit the UNIX-specific attributes that are required for logins to Linux-based systems.

Create an LDAP Bind Account

You’ll also need to create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  This helps minimize any potential security risks as a result of this account.  Just be sure that you know the account’s user principal name (UPN) and password.

Prepare Active Directory (Each User)

Each Active Directory account that will authenticate via Linux must be configured with a UID and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account.

After all the user accounts have been configured, then we are ready to configure Active Directory objects for each of the Linux server(s) that we’ll be integrating with AD.

Prepare Active Directory (Each Server)

Prior to using Samba to join Linux computers to Active Directory and generate a keytab automatically, we had to use the ktpass.exe utility on Windows to generate a keytab.  Due to some current Samba-Windows Server 2008 interoperability issues, we can’t use Samba.  That means we’ll be back to using ktpass.exe to map service principals onto accounts in Active Directory.  Unfortunately, you’ll need to first disable User Account Control (UAC) on your server, since UAC interferes with ktpass.exe.  (Nice, huh?)

Once you’ve disabled UAC (and rebooted your server), then you can map the service principal names (SPNs) using the following steps:

1. Create a computer account (or a user account; either will work) with the name of the Linux server.
2. Use the following command to map the needed SPN onto this account (backslashes indicate line continuation):
   ktpass.exe -princ HOST/server.fqdn@REALM.COM \
-mapuser DOMAIN\AccountName$ -crypto all \
-pass Password123 -ptype KRB5_NT_PRINCIPAL \
-out filename.keytab
3. Copy this file to the Linux server (using SCP or SFTP is a good option) and merge it with the existing keytab (if it exists) using ktutil.  If there is no existing keytab, simply copy the file to /etc/krb5.keytab and you should be good to go.

Now that Active Directory has computer objects (and, more importantly, SPNs) for the Linux servers and the AD users have been enabled for UNIX (by populating the UNIX attributes), we’re ready to start configuring the Linux server(s) directly.

Prepare Each Linux Server

Follow the steps below to configure the Linux server for authentication against Active Directory.  (Note that this configuration was tested on a system running CentOS—a variation of Red Hat Enterprise Linux—version 4.3.)

1. Edit the /etc/hosts file and ensure that the server’s fully-qualified domain name is listed first after its IP address.
2. Make sure that the appropriate Kerberos libraries, OpenLDAP, pam_krb5, and nss_ldap are installed.  If they are not installed, install them.
3. Be sure that time is being properly synchronized between Active Directory and the Linux server in question.  Kerberos requires time synchronization.  Configure the NTP daemon if necessary.
4. Edit the /etc/krb5.conf file to look something like this, substituting your actual host names and domain names where appropriate:
   [logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
 
[realms]
EXAMPLE.COM = {
kdc = host.example.com:88
admin_server = host.example.com:749
default_domain = example.com
}
 
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
 
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
5. Edit the /etc/ldap.conf file to look something like this, substituting the appropriate host names, domain names, account names, and distinguished names (DNs) where appropriate.  (Please note that the nss_base_group line should not be broken across two lines when you edit it; it has been wrapped here for readability.)
   host 10.10.10.10
base dc=example,dc=com
uri ldap://server.example.com/
binddn ldap@example.com
bindpw adldapbindpw
scope sub
ssl no
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group dc=mydomain,dc=com?sub?
&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
6. Configure PAM (this varies according to Linux distributions) to use pam_krb5 for authentication.  Many modern distributions use a stacking mechanism whereby one file can be modified and those changes will applied to all the various PAM-aware services.  For example, in Red Hat-based distributions, the system-auth file is referenced by most other PAM-aware services.  Here’s a properly edited /etc/pam.d/system-auth file taken from CentOS 4.4 (some lines have been wrapped for readability; do not wrap them when editing the file):
   #%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time
# authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so
   likeauth nullok
auth sufficient /lib/security/pam_krb5.so
auth required /lib/security/pam_deny.so
 
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_krb5.so
account sufficient /lib/security/pam_succeed_if.so
   uid < 100 quiet
account required /lib/security/pam_deny.so
 
password requisite /lib/security/pam_cracklib.so
   retry=3
password sufficient /lib/security/pam_unix.so
   nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
 
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
7. Edit the /etc/nsswitch.conf file to include “ldap” as a lookup source for passwd, shadow, and groups.

At this point we are now ready to test our configuration and, if successful, to perform the final step:  to join the Linux server to Active Directory for authentication.

Test the Configuration

To test the Kerberos authentication, use the “kinit” command, as in “kinit <AD username>@<AD domain DNS name>”; this should return no errors.  A “klist” at that point should then show that you have retrieved a TGT (ticket granting ticket) from the AD domain controller.  If this fails, go back and troubleshoot the Kerberos configuration.  In particular, if you are seeing references to failed TGT validation, check to make sure that both your Linux servers and AD domain controllers have reverse lookup (PTR) records in DNS and that the Linux server’s /etc/hosts file listed the FQDN of the server first instead of just the nodename.

<aside>Some readers and some other articles have suggested the use of the AD domain DNS name in the /etc/krb5.conf file instead of an AD domain controller specifically; I recommend against this.  First, I believe it may contribute to TGT validation errors; second, it is possible to list multiple KDCs (AD DCs) in the configuration.  Since the only major reason to use the AD domain DNS name instead of the DNS name of one or more DCs would be fault tolerance, then it doesn’t really gain anything.</aside>

To test the LDAP lookups, use the “getent” command, as in “getent passwd <AD username>”; this should return a listing of the account information from Active Directory.  If this does not work, users will not be able to login, even if Kerberos is working fine.  If you run into errors or failures here, go back and double-check the LDAP configuration.  One common source of errors is the name of the LDAP bind account, so be sure that is correct.

At this point, SSH logins to the Linux system using an account present in Active Directory (one which has had its UNIX attributes specified properly) should be successful.  This will be true as long as you used the ktpass.exe command earlier to map the SPN onto the computer object in Active Directory.  Even if you didn’t copy the keytab over to the Linux server, logins will work.  Why?  Because the PAM Kerberos configuration, by default, does not require a client keytab, and does not attempt to validate the tickets granted by the TGT.  This means that as long as the SPN(s) are mapped to the accounts in AD, the keytab is not necessarily required.

(Note, however, that not using a keytab and/or not requiring a keytab does leave the Linux server open to potentially spoofed Kerberos tickets from a fake KDC.  In addition, “native” Kerberos authentication—i.e., using a Kerberos ticket to authenticate instead of typing in a password—won’t work without a keytab.)

Deal with Home Directories

Unlike Windows systems, home directories are required on Linux-based systems.  As a result, we must provide home directories for each AD user that will log in to a Linux-based system.  We basically have three options here:

• Manually create home directories and set ownership/permissions properly before users will be able to log in.
• Use the pam_mkhomedir.so PAM module to automatically create local home directories “on the fly” as users log in.  To do this, you would add an entry for pam_mkhomedir.so in the session portion of the PAM configuration file.
• Use the automounter to automatically mount home directories from a network server.  This process is fairly complicated (too involved to include the information here), so I’ll refer you to this article on using NFS and automounts for home directories.  This has the added benefit of providing a foundation for unified home directories across both Windows and Linux systems.

Once you’ve settled on and implemented a system for dealing with home directories, you are finished!  UNIX-enabled users in Active Directory can now login to Linux-based systems with their Active Directory username and password.

What’s not addressed in this article?  Password management.  In this configuration, users will most likely not be able to change their password from the Linux servers and have that change properly reflected in Active Directory.  In addition, “native” Kerberos authentication using Kerberos tickets won’t work unless the keytab is present.  In my testing, I ran into a number of issues with the keytab and TGT validation, but I’m not sure if those are errors in my process or the result of the beta status of Windows Server 2008.

I welcome your corrections, additions, or suggestions in the comments below.

Thanks to some very helpful individuals in the #solaris channel on irc.freenode.net, I’ve been able to get ADS support working in Samba on Solaris 10, and thus have been able to incorporate the use of Samba in the Solaris 10-AD integration instructions.

To refer to earlier versions of the Solaris 10-AD integration instructions, see this article or this article. I would expect that you won’t need to refer to those posts, though, and will be able to get most of what you need directly from this post.

Assumptions

This procedure assumes that you are using Windows Server 2003 R2; if you are using a previous version, the LDAP attribute mapping will need to be modified to match the schema extensions found in Microsoft’s Services for Unix (SfU) add-on product. This will require changes to the “ldapclient manual” command shown below, which handles the schema/attribute mapping. (I only have a single article written that includes pre-R2 attribute mapping, and that’s this Linux-AD article. The schema mapping should be very, very similar between that article and Solaris 10.)

Preparing Active Directory (One-Time)

These steps only need to be performed once. Note that if you have performed any of these steps as part of authenticating Linux or Solaris to Active Directory, they do not need to be performed again. Simply make note of the information used earlier and re-use that information again this time.

1. Install the “Server for NIS” component on at least one Active Directory domain controller (DC), so that the Active Directory schema can be extended to become partially RFC 2307-compliant. Installing this component will also add a “UNIX Attributes” tab to objects inside the Active Directory Users and Computers MMC console. You may also need to install the Server for NIS administrative tools on your workstation to see the “UNIX Attributes” tab.
2. Use the Schema Management MMC snap-in to index the uid attribute, which is not indexed by default. This will speed up the login process and reduce the overall load on your DCs. (For more information, refer to the Linux-Windows Server 2003 R2 integration instructions.) It may be possible to change the attribute that Solaris is looking for, but I haven’t found a way to do that yet.
3. Create an account in Active Directory that will be used to bind to Active Directory for LDAP queries. This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine. I recommend giving this account a simple, short name; this will make specifying the DN of the account later easier to do.
4. Create a global security group in Active Directory Users & Computers and set the UNIX attributes for this group.

Once these one-time steps have been completed, we can proceed to configuring the individual users that will be authenticating to Active Directory from your Solaris server(s).

Preparing Active Directory (Each User)

Each Active Directory account that will authenticate via Solaris must be configured with a uid and other UNIX attributes. This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account (this tab was made visible by the installation of the Server for NIS component). The attributes that must be populated are:

• NIS domain: It’s required on this tab in order to populate the other fields, but we won’t be using it.
• UID: This is actually the UID number. Each user must have a unique UID; I believe that the Server for NIS defaults at a starting UID of 10000, which is pretty safe for most systems.
• GID: In addition, each member must have a GID (group ID); simply specify the group that was created earlier.
• Login Shell: Specify a login shell (such as “usr/bin/csh” or “/sbin/sh”) for each user.
• Home Directory: Specify the home directory (such as “/export/home/slowe”) that will be used for this user. Keep in mind that these values may apply across multiple systems and platforms, and the path must be valid on all systems and platforms.

Based on my experience so far, the values for Solaris will often be very different than what might be specified for Linux-based logins. The only workarounds I’ve found to address these issues is the clever use of symlinks and the use of NFS automounts for home directories.

After all the user accounts have been configured, then we are ready to perform the additional tasks within Active Directory and on the Solaris server(s) that will enable the authentication.

Configuring Reverse DNS

On the DNS server handling the reverse lookup zones for the subnet on which the Solaris server is located, add a PTR record for the Solaris server and it’s IP address. This will ensure that reverse DNS lookups work as expected. Make sure that each Solaris server that will be authenticating against Active Directory has a reverse lookup record in DNS, and ensure that both forward and reverse lookups work from each of the Solaris server(s).

Configuring Solaris (Each Server)

The following steps need to be performed on each Solaris server that will authenticate against Active Directory.

Configuring the hosts file

To enable reliable TGT validation (this ensures that the Kerberos ticket returned by a KDC actually came from the KDC and not a spoofed server), you’ll need to edit the hosts file. On Solaris 10, this is found in /etc/inet/hosts and is read-only, even for root. Edit this file (changing permissions as necessary) so that the line with the server’s IP address looks something like this:

10.1.1.1      hostname.example.com hostname loghost

What we’re doing here is making sure that the server’s fully qualified domain name (not just the short hostname) is the first name entry on the line for the server’s IP address.

There may or may not be other entries in the file; leave those entries untouched (unless you know you need to modify them).

Installing Blastwave Packages

This is the key to getting ADS support into Samba on Solaris 10. I won’t go into excruciating detail on this since this process is amply covered elsewhere, but here’s the basic idea of the process:

• Use the standard wget (found in /usr/sfw/bin) to download the pkg-get file used by Blastwave.
• Use pkgadd to install pkg-get.
• Configure pkg-get to use the unstable packages (makes sure you get the latest builds).
• Use pkg-get to install the CSWsamba package and all requisite packages (there were quite a few dependency packages during my testing).

Once the CSWsamba package and related packages are installed, we’ll need to configure Samba by creating /opt/csw/etc/samba/smb.conf with the following contents:

workgroup = <NetBIOS name of AD domain>
security = ads
realm = <DNS name of AD domain in UPPERCASE>
use kerberos keytab = true
password server = <Space-delimited list of AD DCs>

At this point, we are ready to configure Kerberos and then proceed with testing the configuration and join the Active Directory domain.

Configuring Kerberos

Solaris keeps its Kerberos configuration in the /etc/krb5 directory as krb5.conf. Edit this file using your editor of choice to look something like the one below. Depending upon how you configured Solaris during the installation, some of this configuration may already be present.

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
 
[realms]
EXAMPLE.COM = {
kdc = dc01.example.com
kdc = dc02.example.com
admin_server = dc01.example.com
}
 
[domain_realm]
.example.com = EXAMPLE.COM
.subdomain.example.com = EXAMPLE.COM
 
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}
 
[appdefaults]
kinit = {
renewable = true
forwardable= true
}

There will also be a file named cswkrb5.conf in the /etc directory; you can configure this file with the contents of the [libdefaults], [reamls], and [domain_realms] sections as listed above. You don’t need to include the [logging] or [appdefaults] sections in this file.

Note that you can’t simply copy and paste from here to the Solaris configuration files, as you’ll need to customize your version for your particular network, hostnames, domain names, etc. If you must copy and paste from here, put it into a text editor first to customize it for your implementation.

Configuring LDAP

We’ll use the native Solaris “ldapclient” utility to configure the LDAP support in Solaris. The command you’ll type in looks something like this (please don’t copy and paste this, as it contains generic/incorrect information that won’t work!):

ldapclient manual \\
-a credentialLevel=proxy \\
-a authenticationMethod=simple \\
-a proxyDN=cn=proxyuser,cn=Users,dc=example,dc=com \\
-a proxyPassword=Password1 \\
-a defaultSearchBase=dc=example,dc=com \\
-a domainName=example.com \\
-a "defaultServerList=172.16.1.10" \\
-a attributeMap=group:userpassword=userPassword \\
-a attributeMap=group:memberuid=memberUid \\
-a attributeMap=group:gidnumber=gidNumber \\
-a attributeMap=passwd:gecos=cn \\
-a attributeMap=passwd:gidnumber=gidNumber \\
-a attributeMap=passwd:uidnumber=uidNumber \\
-a attributeMap=passwd:homedirectory=unixHomeDirectory \\
-a attributeMap=passwd:loginshell=loginShell \\
-a attributeMap=shadow:shadowflag=shadowFlag \\
-a attributeMap=shadow:userpassword=userPassword \\
-a objectClassMap=group:posixGroup=group \\
-a objectClassMap=passwd:posixAccount=user \\
-a objectClassMap=shadow:shadowAccount=user \\
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \\
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

The easiest way to handle this would probably be to copy it into a blank text file, edit it to include the specific details for your network, and then paste it into a terminal session on the Solaris server.

After this command has been run, Solaris will create the LDAP configuration in /var/ldap and will update /etc/nsswitch.conf to use LDAP. However, because we only want to use LDAP for specific purposes, we’ll need to go back and edit /etc/nsswitch.conf again. Just remove “ldap” from all entries in /etc/nsswitch.conf except for passwd and group.

While you’re editing /etc/nsswitch.conf, be sure to add a “dns” entry at the end of the line for hosts:

hosts      files dns

This will help ensure that Solaris is properly configured to use DNS for host name resolution.

I think it’s necessary at this point to restart the LDAP client service:

svcadm restart svc:/network/ldap/client:default

Use the “svcs -a | grep ldap” command to verify the exact name of the LDAP client service on your Solaris server.

Configuring the DNS Client

You’ll also need to make sure that the DNS client is enabled and running. Using “svcs -a | grep dns” will help you identify the correct service, which you can then enable with svcadm:

svcadm enable svc:/network/dns/client:default

Test DNS resolution using the “nslookup” command. As mentioned previously, be sure to test both forward and reverse lookups.

Configuring PAM

The /etc/pam.conf file controls the PAM (Pluggable Authentication Mechanism) configuration on Solaris. You’ll need to edit the /etc/pam.conf file to look something like what’s shown below. I’ve edited away all the non-essential sections, so only change the sections listed below.

# Default definition for Authentication management
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# Default definition for Account management
#
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1
#

With this configuration in place, Solaris will use Kerberos authentication and will retrieve account information via LDAP.

Reboot the Solaris Server

I know this sounds stupid, but even after restarting LDAP and enabling/starting/restarting the DNS client, things still didn’t work for me in the lab. However, after rebooting the Solaris server, it worked like a champ. So, just in case, reboot the Solaris server after completing the configuration.

Testing the Configuration

Once all of the configuration steps have been completed, you can test the configuration with the following commands:

• You can use “getent passwd <Name of AD user>” from the Solaris server; this command should return UID number, GID number, UNIX home directory, and login shell.
• You can use “kinit <Name of AD user>” to test Kerberos authentication. A succesful Kerberos test will not return any feedback, and the “klist” command will show a ticket granting ticket (TGT) from the Active Directory DC/KDC.

If either of these tests are unsuccessful, review the log files on the Solaris server and resolve the problems before continuing. Both of these tests will need to be successful in order for authentication to work correctly.

If the tests are successful, then you should now be able to join the Solaris server to Active Directory using Samba.

Joining the Solaris Server to Active Directory

This is the final step. Don’t try this step until you’ve successfully tested the configuration. After this step is completed, you are finished and AD users will be able to login to the Solaris server (assuming the AD users have been properly configured).

To join the Solaris server to Active Directory, follow these steps:

1. Verify the Samba configuration as outlined earlier. Key to the configuration are the “security = ads” and “use kerberos keytab = true” directives.
2. Use “kdestroy” to destroy any existing Kerberos credentials you may have; then run “kinit <Domain administrative account>@AD.DOMAIN.NAME” to get a Kerberos ticket for an account that is a domain administrator account.
3. Run “net ads join” to join the Solaris server to Active Directory. This command will automatically create a computer object in Active Directory and add the appropriate SPNs (service principal names) to the computer object. In addition, it will populate the local Kerberos key table (/etc/krb5.keytab, by default) with the correct entries for authentication against Active Directory. You may see an error about a missing userPrincipalName, but this does not appear to affect any functionality.

At this point, all properly configured AD users (those users who have UNIX attributes) should be able to login to the Solaris server using their Active Directory username and password. Of course, this assumes that you’ve already dealt with home directories (or are automounting home directories).

As with previous instructions, these instructions don’t address password management (the ability to change an AD password from Solaris) and don’t address how to handle home directories. Hey, I’ve got to leave a few challenges for others to tackle, right?

How I Tested

This testing was done using Solaris 10 11/06 (Update 3) running on VMware ESX Server 3.0.1. Active Directory was running on a pair of servers with Windows Server 2003 R2, also virtual machines on ESX Server. Authentication testing was performed using SSH from a client system running Mac OS X.

The last update to the Solaris 10-Active Directory integration instructions was in October of last year, over six months ago.  Since that time, Sun has released another update to Solaris (Solaris 10 11/06, or Update 3) and I have been able to gather some additional information on using an Active Directory-aware version of Samba to help with the process (much like described in the latest version of the Linux-AD instructions).

The new version will use Kerberos for authentication, LDAP for account information, and Samba to do the “heavy lifting” of joining Active Directory, creating the necessary objects, and creating the keytab and keytab entries on Solaris.

I hope to post the updated integration instructions within the next few days, before I have to leave for a business trip to Canada.

The information below comes from site reader Shannon VanWagner, who had the time to research this and come back with the information necessary to integrate SuSE Linux Enterprise Desktop (SLED) 10 into Active Directory (on Windows Server 2003 R2) using Kerberos, LDAP, and Samba.  I haven’t tested these instructions (no copy of SLED with which to test), but I imagine that they should be fine.  It’s really just the SLED-specific tweaks to the existing AD integration instructions, anyway.

Preparing Active Directory (One-Time)

Enabling Editing/Display of UNIX Attributes

On your Windows Server 2003 R2 Domain Controller, enable “Identity Management for UNIX” via Add/Remove Programs > Add Windows Components > Active Directory Services > Identity Management for UNIX.  Note that this will require a reboot and does require Schema Admin privileges.  This will add a UNIX Properties tab to each user account in AD Users and Computers that will allow you to control the user UID, primary group GID, NIS Server setting, and user shell setting (e.g. /bin/bash).

(As an aside, I’ll refer readers back to my earlier article on various ways of making the “UNIX Attributes” tab appear.)

Create an LDAP Bind Account

You’ll also need to create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  This helps minimize any potential security risks as a result of this account.

Prepare Active Directory (Each User)

Each Active Directory account that will authenticate via Linux must be configured with a UID and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account.  (Installing the “Server for NIS” component enables this, as mentioned previously.)  Be sure to set login shell, home directory, UID, and primary UNIX group ID.

After all the user accounts have been configured, then we are ready to configure the Linux server(s) for authentication against Active Directory.

Configure the SLED Workstation

On the SLED 10 client setup your config files as illustrated in the following configuration files.  See the file comment headers for the file names and locations (replace items such as “domain.com” with settings specific to your environment).

We’ll start first with the /etc/hosts file:

###############
# /etc/hosts
###############
# This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# “named” name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 localhost
10.10.10.1 WINDOWS-DC-HOSTNAME.DOMAIN.COM WINDOWS-DC-HOSTNAME
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
127.0.0.2 client-hostname.DOMAIN.COM client-hostname

Next, we configure the krb5.conf file:

###############
# krb5.conf for connecting with Windows Server 2003#
###############
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
[realms]
DOMAIN.COM = {
kdc = windows-dc-hostname.domain.com
admin_server = windows-dc-hostname.domain.com
default_domain = DOMAIN.COM
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

Once Kerberos is configured, we configure LDAP:

###############
# custom ldap.conf for connecting with Server 2003 R2
###############
host 10.10.10.1
base dc=domain,dc=com
uri ldap://windows-dc-hostname.domain.com/
binddn cn=linux-ldap-user,cn=Users,dc=domain,dc=com
bindpw ldap-user-passwd
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=domain,dc=com?sub
nss_base_shadow dc=domain,dc=com?sub
nss_base_group dc=domain,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap

And then configure the Name Switch Service to use LDAP:

###############
# /etc/nsswitch.conf
###############
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry ‘[NOTFOUND=return]’ means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group: files nis

passwd: files ldap
shadow: files ldap
group: files ldap

hosts: files dns wins
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files

Almost there—next we need to make sure that time synchronization is working, since this is a prerequisite for Kerberos authentication.  To make sure time synchronization is working, we’ll configure NTP:

###############
# /etc/ntp.conf file
#
# Sample NTP configuration file.
# See package ‘ntp-doc’ for documentation, Mini-HOWTO and FAQ.
# Copyright © 1998 S.u.S.E. GmbH Fuerth, Germany.
#
# Author: Michael Andres,
#
###############
#
# Radio and modem clocks by convention have addresses in the
# form 127.127.t.u, where t is the clock type and u is a unit
# number in the range 0-3.
#
# Most of these clocks require support in the form of a
# serial port or special bus peripheral. The particular
# device is normally specified by adding a soft link
# /dev/device-u to the particular hardware device involved,
# where u correspond to the unit number above.
#
# Generic DCF77 clock on serial port (Conrad DCF77)
# Address: 127.127.8.u
# Serial Port: /dev/refclock-u
#
# (create soft link /dev/refclock-0 to the particular ttyS?)
#
# server 127.127.8.0 mode 5 prefer
#
# Undisciplined Local Clock. This is a fake driver intended
# for backup and when no outside source of synchronized time
# is available.
#
server 127.127.1.0 # local clock (LCL)
fudge 127.127.1.0 stratum 10 # LCL is unsynchronized

#
# Outside source of synchronized time
#
# server xx.xx.xx.xx # IP address of server
server 10.10.10.1

#
# Miscellaneous stuff
#
driftfile /var/lib/ntp/drift/ntp.drift # path for drift file

logfile /var/log/ntp # alternate log file
# logconfig =syncstatus + sysevents
# logconfig =all

# statsdir /tmp/ # directory for statistics files
# filegen peerstats file peerstats type day enable
# filegen loopstats file loopstats type day enable
# filegen clockstats file clockstats type day enable

#
# Authentication stuff
#
# keys /etc/ntp.keys # path for keys file
# trustedkey 1 2 3 4 5 6 14 15 # define trusted keys
# requestkey 15 # key (7) for accessing server variables
# controlkey 15 # key (6) for accessing server variables

At this point we have Kerberos authentication configured, LDAP configured, NSS configured to use LDAP, and time synchronization configured and running.  Now we need to get Samba configured to help automate the process of integrating into Active Directory.

###############
# /etc/samba/smb.conf file
###############
# smb.conf is the main Samba configuration file. You find a full
# commented version at /usr/share/doc/packages/samba/examples/
# smb.conf.SUSE if the samba-doc package is installed.
# Date: 2007-02-07
[global]
workgroup = DOMAIN-SHORTNAME
realm = DOMAIN.COM
security = ads
encrypt passwords = yes
use kerberos keytab = true
password server = windows-dc-hostname.domain.com
netbios name = client-hostname
winbind use default domain = yes
winbind separator = +
idmap uid = 1000-59999
idmap gid = 1000-59999
winbind enum users = yes
winbind enum groups = yes
deadtime = 10
winbind cache time = 10
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap backend = ad
ldap idmap suffix = dc=domain,dc=com
ldap admin dn = cn=Administrator,cn=Users,dc=domain,dc=com
ldap suffix = dc=domain,dc=com
dns proxy = no
domain master = no
preferred master = no
max log size = 100
log file = /var/log/samba/%m.log
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \%L\profiles\.msprofile
logon home = \%L\%U\.9xprofile
logon drive = P:
usershare allow guests = no
[admin]
comment = Windows Admin Access
path = /
valid users = “@Domain_Admins”
admin users = “@Domain_Admins”
read only = No
create mask = 0664
browseable = No
inherit permissions = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

SLED uses PAM (Pluggable Authentication Mechanism) to control authentication and authorization, so we next need to configure PAM to use Kerberos and LDAP, where necessary.  There are a number of files that need to be configured to make this happen:

###############
# /etc/pam.d/common-account - authorization settings common to all services
###############
# This file is included from other service-specific PAM config
# files, and should contain a list of the authorization modules
# that define the central access policy for use on the system.
# The default is to only deny service to users whose accounts
# are expired.
#
account sufficient pam_krb5.so
account required pam_unix2.so

###############
# /etc/pam.d/common-auth - authentication settings common to all services
###############
# This file is included from other service-specific PAM config
# files, and should contain a list of the authentication modules
# that define the central authentication scheme for use on the
# system (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default
# is to use the traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth sufficient pam_krb5.so
auth required pam_unix2.so

###############
# /etc/pam.d/common-password - password-related modules common to all services
###############
# This file is included from other service-specific PAM config
# files, and should contain a list of modules that define the
# services to be used to change user passwords. The default is
# pam_unix2 in combination with pam_pwcheck.
# The “nullok” option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# To enable Blowfish or MD5 passwords, you should edit
# /etc/default/passwd.
#
# Alternate strength checking for passwords should be configured
# in /etc/security/pam_pwcheck.conf.
#
# pam_make can be used to rebuild NIS maps after password change.
#
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
#password required pam_make.so /var/yp

###############
# /etc/pam.d/common-session - session-related modules common to all services
###############
# This file is included from other service-specific PAM config
# files, and should contain a list of modules that define tasks
# to be performed at the start and end of sessions of *any*
# kind (both interactive and non-interactive). The default is
# pam_unix2.
#
session required pam_limits.so
session required pam_unix2.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel

All these files are in turn referenced by a “master” PAM configuration file, like this:

#%PAM-1.0
###########line above is part of this file#################
#/etc/pam.d/su config file
###########################################################
#auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so

Once all these configuration files are in place, we can proceed with the following steps:

1. Run “getent passwd” (you should only see SLED 10 local users in this listing).
2. Run “kdestroy” to destroy any cached Kerberos tickets you may currently have.
3. Run “kinit domain-admin-user@DOMAIN.COM” to create a new Kerberos ticket for the machine with Domain Admin credentials; you can then run “klist” to verify the Kerberos ticket.
4. Run “net ads join -U domain-admin-user@DOMAIN.COM” to join the machine to the domain using the Kerberos ticket of the domain administrative user
5. Restart the applicable services and daemons:
   /etc/init.d/smb stop
   /etc/init.d/winbind stop
   /etc/init.d/smb start
   /etc/init.d/winbind start
6. Run “getent passwd”; the output should now list domain users and their associated UIDs. Likewise, “getent group” should output domain groups and GIDs.
7. The “wbinfo -u” and “wbinfo -g” commands should list domain users and domain groups, respectively.
8. Finally, run “su <domain-username>”.  It should prompt you for the user’s password, create a home dir for that user if necessary, and then switch you to the user.

We’re not really sure if it’s necessary, but you can add the LDAP bind account (used to bind to LDAP for queries) to the list of SMB users with the “smbpasswd -w” command.  It may prove over time that this command isn’t necessary.  (Anyone want to double-check this for us?)

Finally, using YaST (System > RunLevel Editor), enable the NTP, SMB, and Winbind daemons (I’m fairly sure that Winbind isn’t necessary).  Also, disable the nscd daemon to avoid caching problems and unwanted interaction with Winbind.

At this point, if you were successful in using su to switch to a Windows user, you should be able to reboot the machine and login to the machine as a Windows user (be sure to use a Windows server that has UNIX attributes assigned in Active Directory).

NOTE: If you happen to get yourself locked out of the system, it will be likely an /etc/nsswitch.conf file problem.  Simply boot to the SLED 10 installation disc using the “Recover System” option, then issue these commands to change the /etc/nsswitch.conf file:

mount -w /dev/hda1 /mnt (where “/dev/hda1” is your system partition)
vi /mnt/etc/nsswitch.conf (remove the “ldap” from
passwd, group, and shadow - should only say “files” or “compat”)

You can now reboot and login as root so you can troubleshoot the problem.

Some additional resources and information:
http://forums.suselinuxsupport.de/index.php?showtopic=53004
http://forums.fedoraforum.org/archive/index.php/t-29825.html

Thanks again to Shannon VanWagner for sharing this information with me so that I could post it here.  As always, feel free to post any questions, clarifications, or corrections in the comments below.

Unable to cope with the slow performance of Cyberduck any longer (even though I love everything else about the application), I started looking at other Mac FTP/SFTP clients.  Since performance was the key driving factor causing me to seek a new client, I thought it would probably be important to perform some informal performance comparisons between the major candidates—Interarchy, Transmit, and Fetch (and, for reference, Cyberduck as well).

First, the parameters of the test:

• The source system was, of course, a Mac.  Specifically, a MacBook Pro running Mac OS X 10.4.8 with all available and applicable updates installed.
• The destination system was a server running ESX Server 3.0.1.  It looks like ESX Server 3.0.1 uses OpenSSH 3.6.1p2.
• I transferred an ISO of Windows Server 2003 R2 x64; the file was about 592MB in size.  I deleted the file from the destination server after each transfer.

The results of the test were as follows:

Transmit 3.5.5: 39 seconds
Fetch 5.2: 39 seconds
Interarchy 8.2.2: 29 seconds
Cyberduck 2.7.2: 9 minutes 53 seconds

I hadn’t truly realized just how much slower Cyberduck was until I ran this test.  The difference is quite dramatic.  As you can see, the test results between Transmit, Fetch, and Interarchy were pretty close; Interarchy edged the others out but only by a small margin.

Given that the performance is pretty much the same between the three replacement candidates comes down to aesthetics and features.  I love the Kerberos support in Fetch (I’m a Kerberos fan—in case you hadn’t noticed by all the articles I write about leveraging the Kerberos support in Active Directory for cross-platform integration), but really don’t like the interface.  Likewise, Transmit is nice, has a Quicksilver plug-in and a Dashboard widget, Keychain support, Spotlight integration, etc., but something about the interface doesn’t seem to fit.  I’m not sure what it is.  This is not a knock against Transmit or Panic; I paid for and use Unison, Panic’s Usenet/NNTP client.

Interarchy’s interface has its quirks, but I suppose I’m getting used to them now because I don’t notice them as much.  I just found and installed the Interarchy Quicksilver plug-in yesterday, which solves one complaint, but I still wish Interarchy would expand its Growl support.

Each of the apps has its advantages and disadvantages, as you can see.

What would be the ideal solution?  The ideal solution would be a way to tune Cyberduck’s performance so that it was in the same ballpark as the other applications (not necessarily faster, just in the same general area).  I don’t suppose anyone has any performance tuning tips for Cyberduck?

This procedure allows Linux-based systems to authenticate against Active Directory.  We use Kerberos for authentication, LDAP for account information, and Samba to help automate the process along the way.  When this process is complete, AD users can be enabled for use on Linux systems on the network and login to those Linux systems using the same username and password as throughout the rest of Active Directory.

These instructions are designed for use with Windows Server 2003 R2.  If you are looking for information on using Linux with a previous version of Windows, please refer back to this article.  The only significant changes in the process involve the mapping of the LDAP attributes; otherwise, the procedure is very similar between the two versions of Windows.

Preparing Active Directory (One-Time)

Enable Editing/Display of UNIX Attributes

Based on my research, it appears that the partially RFC 2307-compliant schema is installed with Windows Server 2003 R2; this means that the schema does not need to be extended to include UNIX-specific attributes such as uid, gid, login shell, etc.  However, while the attributes are there in the schema, there is no way to edit those attributes, and these attributes must be populated correctly in order for this process to work.

The easiest way to enable the editing of these attributes is to install the “Server for NIS” component on at least one domain controller.  This will cause a new tab, labeled “UNIX Attributes,” to appear in the properties dialog box for users and groups.  You’ll use this tab to edit the UNIX-specific attributes that are required for logins to Linux-based systems.  Please note that due to the way this tab is displayed, you’ll need Schema Admin privileges in order to install the “Server for NIS” component on your domain controller.  (More information on this issue is available here.)

You could just as well use LDP, LDIF files, ADSI Edit, or any number of other methods to display and edit these attributes.  To make this process as seamless as possible, however, you’ll want to integrate the management of these attributes into Active Directory Users and Computers using the method described above.

Create an LDAP Bind Account

You’ll also need to create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  This helps minimize any potential security risks as a result of this account.

Prepare Active Directory (Each User)

Each Active Directory account that will authenticate via Linux must be configured with a UID and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account.  (Installing the “Server for NIS” component enables this, as mentioned previously.)

After all the user accounts have been configured, then we are ready to configure the Linux server(s) for authentication against Active Directory.

Prepare Each Linux Server

Follow the steps below to configure the Linux server for authentication against Active Directory.

1. Edit the /etc/hosts file and ensure that the server’s fully-qualified domain name is listed first after its IP address.
2. Make sure that the appropriate Kerberos libraries, OpenLDAP, pam_krb5, and nss_ldap are installed.  If they are not installed, install them.
3. Be sure that time is being properly synchronized between Active Directory and the Linux server in question.  Kerberos requires time synchronization.  Configure the NTP daemon if necessary.
4. Edit the /etc/krb5.conf file to look something like this, substituting your actual host names and domain names where appropriate:

   [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
   
   [libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
   
   [realms]
    EXAMPLE.COM = {
     kdc = host.example.com:88
     admin_server = host.example.com:749
     default_domain = example.com
    }
   
   [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
   
   [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
   
   [appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }

5. Edit the /etc/ldap.conf file to look something like this, substituting the appropriate host names, domain names, account names, and distinguished names (DNs) where appropriate.  (Please note that the nss_base_group line should not be broken across two lines when you edit it; it has been wrapped here for readability.)  (Note:  These schema mappings assume that you are using the newer schema extensions provided by Windows Server 2003 R2.  If you are using SFU 3.5 instead, you will need to use the schema mappings described here.)

   host 10.10.10.10
   base dc=example,dc=com
   uri ldap://server.example.com/
   binddn ldap@example.com
   bindpw adldapbindpw
   scope sub
   ssl no
   nss_base_passwd dc=example,dc=com?sub
   nss_base_shadow dc=example,dc=com?sub
   nss_base_group dc=mydomain,dc=com?sub?
       &(objectCategory=group)(gidnumber=*)
   nss_map_objectclass posixAccount user
   nss_map_objectclass shadowAccount user
   nss_map_objectclass posixGroup group
   nss_map_attribute gecos cn
   nss_map_attribute homeDirectory unixHomeDirectory
   nss_map_attribute uniqueMember member

6. Configure PAM (this varies according to Linux distributions) to use pam_krb5 for authentication.  Many modern distributions use a stacking mechanism whereby one file can be modified and those changes will applied to all the various PAM-aware services.  For example, in Red Hat-based distributions, the system-auth file is referenced by most other PAM-aware services.  Here’s a properly edited /etc/pam.d/system-auth file taken from CentOS 4.4 (some lines have been wrapped for readability; do not wrap them when editing the file):

   #%PAM-1.0
   # This file is auto-generated.
   # User changes will be destroyed the next time authconfig is run.
   auth     required   /lib/security/$ISA/pam_env.so
   auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
   auth     sufficient /lib/security/$ISA/pam_krb5.so
   auth     required   /lib/security/$ISA/pam_deny.so
   
   account  sufficient /lib/security/$ISA/pam_unix.so
   account  sufficient /lib/security/$ISA/pam_krb5.so
   account  sufficient /lib/security/$ISA/pam_succeed_if.so
       uid < 100 quiet
   account  required   /lib/security/$ISA/pam_deny.so
   
   password requisite  /lib/security/$ISA/pam_cracklib.so retry=3
   password sufficient /lib/security/$ISA/pam_unix.so nullok
       use_authtok md5 shadow
   password  required  /lib/security/$ISA/pam_deny.so
   
   session  required   /lib/security/$ISA/pam_limits.so
   session  required   /lib/security/$ISA/pam_unix.so

7. Edit the /etc/nsswitch.conf file to include “ldap” as a lookup source for passwd, shadow, and groups.

At this point we are now ready to test our configuration and, if successful, to perform the final step:  to join the Linux server to Active Directory for authentication.

Test the Configuration

To test the Kerberos authentication, use the “kinit” command, as in “kinit <AD username>@<AD domain DNS name>”; this should return no errors.  A “klist” at that point should then show that you have retrieved a TGT (ticket granting ticket) from the AD domain controller.  If this fails, go back and troubleshoot the Kerberos configuration.  In particular, if you are seeing references to failed TGT validation, check to make sure that both your Linux servers and AD domain controllers have reverse lookup (PTR) records in DNS and that the Linux server’s /etc/hosts file listed the FQDN of the server first instead of just the nodename.

<aside>Some readers and some other articles have suggested the use of the AD domain DNS name in the /etc/krb5.conf file instead of an AD domain controller specifically; I recommend against this.  First, I believe it may contribute to TGT validation errors; second, it is possible to list multiple KDCs (AD DCs) in the configuration.  Since the only major reason to use the AD domain DNS name instead of the DNS name of one or more DCs would be fault tolerance, then it doesn’t really gain anything.</aside>

To test the LDAP lookups, use the “getent” command, as in “getent passwd <AD username>”; this should return a listing of the account information from Active Directory.  If this does not work, users will not be able to login, even if Kerberos is working fine.  If you run into errors or failures here, go back and double-check the LDAP configuration.  One common source of errors is the name of the LDAP bind account, so be sure that is correct.

Join the Linux Server to Active Directory

This is the final step.  Don’t try this step until you’ve successfully tested the configuration.  After this step is completed, you are finished and AD users will be able to login to Linux-based systems (assuming the AD users have been properly configured for Linux logins).

To join the Linux server to Active Directory, follow these steps:

1. Verify the Samba configuration.  Be sure the following settings are specified in /etc/samba/smb.conf:

   workgroup = <NetBIOS name of AD domain>
   security = ads
   realm = <DNS name of AD domain>
   use kerberos keytab = true
   password server = <Space-delimited list of AD DCs>

2. Use “kdestroy” to destroy any existing Kerberos credentials you may have; then run “kinit <Domain administrative account>@AD.DOMAIN.NAME” to get a Kerberos ticket for an account that is a domain administrator account.
3. Run “net ads join” to join the Linux server to Active Directory.  This command will automatically create a computer object in Active Directory and add the appropriate SPNs (service principal names) to the computer object.  In addition, it will populate the local Kerberos key table (/etc/krb5.keytab, by default) with the correct entries for authentication against Active Directory.

Only one small detail remains:  how to deal with home directories for users logging into Linux systems.

Deal with Home Directories

Unlike Windows systems, home directories are required on Linux-based systems.  As a result, we must provide home directories for each AD user that will log in to a Linux-based system.  We basically have two options here:

• Use the pam_mkhomedir.so PAM module to automatically create local home directories “on the fly” as users log in.  To do this, you would add an entry for pam_mkhomedir.so in the session portion of the PAM configuration file.
• Use the automounter to automatically mount home directories from a network server.  This process is fairly complicated (too involved to include the information here), so I’ll refer you to this article on using NFS and automounts for home directories.  This has the added benefit of providing a foundation for unified home directories across both Windows and Linux systems.

(There is a third option as well:  manually create home directories before users can log in.)

Once you’ve settled on and implemented a system for dealing with home directories, you are finished!  UNIX-enabled users in Active Directory can now login to Linux-based systems with their Active Directory username and password.

What’s not addressed in this article?  Password management.  In this configuration, users will most likely not be able to change their password from the Linux servers and have that change properly reflected in Active Directory.  I’ll try to work on that for version 5 of the instructions.

I hope you find this information helpful.  As always, feel free to post corrections, additions, or suggestions in the comments below.

To help make it easier to find the various Active Directory integration articles I’ve written, I’m including links below to the latest version of each article.  As new versions of an article are published, I can simply update this link to point to the new version.

I’ve grouped the integration articles according to product below.

Linux

Latest version for Windows Server 2008 (“Longhorn”)

Latest version for Windows Server 2003 R2

Latest version for Windows 2000 Server and Windows Server 2003 (pre-R2)

SuSE Linux Enterprise Desktop (SLED)-specific version

Solaris 10

Latest version for Solaris 10 x86

Firewalls

Latest version for Cisco PIX VPN

Latest version for WatchGuard Firebox VPN

VMware ESX Server

Latest version for ESX Server 2.5.x

Latest version for ESX Server 3.0.x

OpenBSD

Latest version for OpenBSD 3.9

Networking Equipment and Protocols

Latest version for 802.1x

Latest version for Cisco IOS

As new articles are published or existing articles are revised with new versions, I’ll update this post accordingly.

Suggestions to use Samba in Linux-AD integration scenarios appeared in the comments for the following articles:

Linux, Active Directory, and Windows Server 2003 R2 Revisited
Kerberos-Based SSO with Apache

The idea was that Samba could be used to help automate the process of creating the appropriate service principals in Active Directory.  Previously, I had recommended the use of ktpass.exe and separate user accounts for each service principal (i.e., HOST/ or host/, HTTP/, etc.) because of the limitations of ktpass.exe and adding service principals in Active Directory.  However, a number of readers pointed out that Samba’s “net ads join” and “net ads keytab” commands could help automate and streamline this process.

Since one of my Linux servers had crashed anyway, I decided to try out the Samba toolset while integrating this new Linux server into my existing Active Directory infrastructure.  Here’s what I found and the process that I used to successfully integrate the new Linux server into AD with the Samba tools.

1. First, the Kerberos client had to be configured properly.  I’ll refer you back to any one of the various Linux-AD integration articles I’ve written for more information on how to setup the /etc/krb5.conf file.  You should be able to do a successful “kinit username@AD.DOMAIN.NAME” when /etc/krb5.conf is configured correctly.
2. Next, Samba must be properly configured.  I used the following settings in /etc/samba/smb.conf:

   workgroup = <NetBIOS name of AD domain>
   security = ads
   realm = <DNS name of AD domain>
   use kerberos keytab = true
   password server = <Space-delimited list of AD DCs>

3. For full Linux-AD integration, you must configure the nss_ldap client.  Again, I’ll refer you to any one of the various AD integration articles I’ve written for more details on a suggested nss_ldap configuration.  When nss_ldap is correctly configured, you should be able to do a “getent password <username>” and get back a list of properties (including UID, home directory, login shell, etc.) for that username.
4. Use “kdestroy” to kill any Kerberos credentials you may have established during testing, and then run “kinit <administrative account>@AD.DOMAIN.NAME” to get a Kerberos ticket for an administrative user in the AD domain.
5. If the DNS domain of your Linux server will be different than the DNS domain of the AD domain (for example, perhaps your Linux server will be web1.linux.corp.com whereas Active Directory uses ad.corp.com), then create a computer account in Active Directory.  If the Linux server’s DNS domain will be the same as the DNS domain for AD, then we can have Samba create it for us.  (I ran into problems here since the Linux server does use a different DNS domain than Active Directory, and pre-creating the computer account was the only way to make it work.)
6. Run “net ads join” to join the Linux server to Active Directory.  As part of this process, it will add various SPNs to the computer account in Active Directory automatically and create the appropriate entries in the local Kerberos keytab (/etc/krb5.keytab, by default).  No more ktpass.exe!

At this point, you can configure PAM appropriately (again, refer to one of the previous integration articles for full details on PAM configuration) and login to the Linux server with an Active Directory account.

I used this process to integrate a new CentOS 4.4 server into Active Directory without any problems whatsoever.  I used the Kerberos, LDAP, nsswitch.conf, and PAM configurations from this Linux-AD integration article within the framework of the steps listed above and ran into only one problem (that was the issue with the differing DNS domains).  Otherwise, it worked just fine.

Thanks to those readers who suggested the use of Samba!

This solution builds upon the integration of Solaris 10 and Linux (again, CentOS specifically, but I’ll use Linux here instead of mentioning the specific distribution) into Active Directory for authentication and authorization as outlined in these related articles:

Refined Solaris 10-AD Integration Instructions
Linux, Active Directory, and Windows Server 2003 R2 Revisited

In these articles, we describe a configuration whereby we can use Kerberos against Active Directory for authentication, and LDAP against Active Directory for user and group lookups.  This allows us to centralize the user account information (username, UID number, home directory, login shell, etc.) into Active Directory so that when an account is provisioned in AD it is also available to associated UNIX and Linux systems (as applicable).  Using the information in this article, we can extend that integration to auto-mounted shared home directories between Solaris and Linux.

We’ll accomplish this by using the UNIX interoperability tools included in Windows Server 2003 R2; namely, the Server for NFS, Server for NIS, and the User Name Mapping Server.  On the Solaris and Linux side, we’ll use autofs.

OK, let’s dive right in.

Configuring Solaris

Configuring Solaris is pretty straightforward; it’s pretty much designed out of the box to use auto-mounted home directories.  This is one area where Solaris shows its enterprise pedigree (that’s not a knock against Linux, just an observation about Solaris).

The only real change that needs to be made is to the /etc/auto_home file, which specifies the auto-mounted home directory mappings.  The easiest thing to do is use a wildcard mapping, like this:

*   nfssrvr.example.com:/home/&

Here, the asterisk (*) and the ampersand (&) will be replaced with the appropriate information.  So, if a user name “bjones” logs on, then the the /home/bjones NFS share on the server nfssrvr.example.com would be mounted on /home/bjones on the Solaris server.  Useful, eh?

Note that autofs may be disabled in your installation of Solaris; it wasn’t in mine, but I’ve seen references elsewhere that this is not typical.  Use these commands to check the status and enable autofs, if necessary:

svcs -a | grep autofs
svcadm -v enable svc:/system/filesystem/autofs

At this point, Solaris should be ready to go.  Let’s look at the Linux configuration.

Configuring Linux

The Linux configuration is only slightly more complicated than the Solaris configuration.  Whereas Solaris uses /etc/auto_master to define the automounted filesystems, autofs on Linux uses /etc/auto.master, and it does not (by default, as far as I can tell) define a map for automounted home directories.

So we must first edit /etc/auto.master and add the following line:

/home   /etc/auto.home

This tells autofs to look in the file /etc/auto.home to find the automounted directories under /home.  Then we create the /etc/auto.home file with the following line:

*   nfssrvr.example.com:/home/&

(Just like the Solaris box in this case.)  Finally, we can check for the autofs startup status, fix it, and start autofs with the following commands, respectively:

chkconfig --list autofs
chkconfig autofs on
service autofs start

In fact, you will need to restart the autofs daemon (with “service autofs restart”) in order for the changes to /etc/auto.master and /etc/auto.home to be recognized.  (The same goes for Solaris, too, only using the “svcadm -v restart svc:/system/filesystem/autofs” command instead.)

To further streamline any differences between Solaris and Linux, I also created a /export/home on the Linux server, in the event I wanted/needed local home directories as well.  Please note that I would need to modify the /etc/auto.home (on Linux) or /etc/auto_home (on Solaris) as well if this were the case.

Now that Linux and Solaris are both done, let’s have a look at configuring the UNIX interoperability components on Windows.

Configuring Windows (NFS, NIS, and User Name Mapping)

Surprisingly enough, this part was the hardest part for me.  I don’t know if it was the documentation (if it can be called that) or something else, but I had a hard time with this.  Hopefully the information I share here can help someone else avoid this headache.

Configuring the Domain Controllers

On the domain controllers in your Active Directory domain, install the following components:

• Server for NIS and Administration Components (under Active Directory Services > Identity Management for UNIX)
• Microsoft Services for NFS Administration, RPC External Data Representation, RPC Port Mapper, Server for NFS Authentication, and User Name Mapping (under Other Network File and Print Services > Microsoft Services for NFS)

It may be possible to get by with less than that installed, but I couldn’t get it working until all of those are installed.  If you’ve followed my instructions for AD integration, the Server for NIS and Administration Components are probably already installed, as those expose the “UNIX Attributes” tab in Active Directory Users & Computers.

Once these are installed, use these steps to configure them appropriately:

1. Using the Services MMC, make sure that Server for NIS is running.
2. In the Microsoft Services for NFS MMC, right-click on “Microsoft Services for NFS” and select Properties.  Specify the name of the DC as the “User Name Mapping Server”, check the box labeled “Active Directory Lookup”, and specify the name of the Active Directory domain.  Click OK to save those changes and close the dialog box.
3. Still in Microsoft Services for NFS MMC console, right-click User Name Mapping and select Properties.  Go to the “Simple Mapping” tab, check the box marked “Use simple maps”, and then add one of the DCs from the domain that’s running Server for NIS at the bottom of the dialog box.
4. Right-click on both User Maps and Group Maps and select “Show simple maps,” then click Refresh.  You should see a list of the users in Active Directory that have been UNIX-enabled, i.e., have UNIX attributes specified for their account.  At this point, you can close the Microsoft Services for NFS MMC.

The DC should now be ready to go.  It’s time to move to the file server.

Configuring the File Server

We need to install the Server for NFS component on the file server that will host our automounted home directories.  The Server for NFS is found under “Other Network File and Print Services” in Add Windows Components.

Once that has been installed, repeat step #2 above (configuring the User Name Mapping Server and Active Directory lookup) on the file server.

We’re now ready to create some NFS shares.  Right-click the folder you’d like to share via NFS (I created a folder named “home”—I know, not very creative) and shared that via NFS (there’s an NFS Sharing tab when you open the properties for the folder).  When specifying the share name, be wary of the case since UNIX/Linux are cAsE sEnSiTiVe.  (It’s probably best to stick to all lowercase.)  If you want to allow anonymous access and/or root access, configure it appropriately at this point.

Word of warning:  be sure to include UNIX-enabled groups and/or users in the NTFS access control list for the folder and containing files!  This one threw me for a loop.  At first, I didn’t have any UNIX-enabled groups in the ACL and I kept getting “insufficient permissions” errors when trying to mount the share via NFS.  It wasn’t until I ensured that at least one UNIX-enabled group had read permission to the folder that things started working as expected.

To test your NFS share, use this command from Solaris or Linux, respectively:

mount -F nfs nfssrvr.example.com:/home/nfs /mnt/nfs (for Solaris)
mount -t nfs nfssrvr.example.com:/home/nfs /mnt/nfs (for Linux)

If this mounts the NFS share without any problems, then you should be ready to roll.

(Note:  In case you hadn’t already picked this up, one advantage of using a Windows NFS server is that we can also share the same folder via CIFS/SMB and create unified home directories for Solaris, Linux, and Windows.)

Now, upon logging in to either Solaris or Linux (I tested this via SSH), you should get dropped into “/home/username” (assuming that’s where you configured the automounter to mount the NFS share) automatically.

How I Tested

I tested this procedure using Solaris 10 6/06 and CentOS 4.3.  These systems were configured for Active Directory integration and native Kerberos logons via SSH.  I used Windows Server 2003 R2 Standard Edition for the NFS server, and Windows Server 2003 R2 Standard Edition for the Active Directory domain controllers.  All of these systems were created as virtual machines hosted on a VMware Virtual Infrastructure 3 server farm with servers running ESX Server 3.0.1.

To test what kind of logging occurs, I simply used my existing installation of Windows Server 2003 R2 and Active Directory, for which the logging options had not been modified from their “out of the box” settings.  From there, I cleared the security event logs and then attempted an SSH login to a CentOS 4.3 server that has been configured for AD authentication via Kerberos (through PAM, not directly inside SSH).

After the login, I reviewed the event logs and found a large number of entries for the LDAP bind account (the account that is used to bind to Active Directory to retrieve account information, such as UID number, GID number, login shell, home directory, etc.).  These are useless for identifying unique logons to Linux/Unix-based systems.  However, there is one event that is useful—an event ID 672 with the following text:

Authentication Ticket Request:
 	User Name:		bjones
 	Supplied Realm Name:	EXAMPLE.NET
 	User ID:			EXAMPLE\bjones
 	Service Name:		krbtgt
 	Service ID:		EXAMPLE\krbtgt
 	Ticket Options:		0x40800000
 	Result Code:		-
 	Ticket Encryption Type:	0x17
 	Pre-Authentication Type:	2
 	Client Address:		172.16.28.111
 	Certificate Issuer Name:
 	Certificate Serial Number:
 	Certificate Thumbprint:	

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

As you can see, this entry clearly identifies the user that was authenticated as well as the IP address of the host to which the user logged in.  Note that the IP address of the workstation from which the user logon originated is not captured here.

OK, that takes care of the typical Linux system.  Now, what about Solaris 10?  I cleared the security event logs (saving them) and attempted an SSH logon to a Solaris server.  As it turns out, Solaris 10 logs two event entries—event ID 672, as above, as well as event ID 673.  The text for event ID 673 is as follows:

Service Ticket Request:
 	User Name:		bjones@EXAMPLE.NET
 	User Domain:		EXAMPLE.NET
 	Service Name:		host-solarishost01
 	Service ID:		EXAMPLE\host-solarishost01
 	Ticket Options:		0x40800000
 	Ticket Encryption Type:	0x3
 	Client Address:		172.16.28.112
 	Failure Code:		-
 	Logon GUID:		{3a653f45-928c-1f72-2c59-ca951986ac42}
 	Transited Services:	-

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

This provides the same sort of information as well as the name of the service ticket that was requested by the host.  (Keep in mind, too, that Solaris 10 logged both the event ID 672 and event ID 673, whereas CentOS logged only the event ID 672.)

But what about “native” Kerberos authentication, when a Kerberos ticket is used to authenticate the user?  In this case, I tested three different operating systems:  CentOS 4.3, Solaris 10, and OpenBSD 3.9.  In all three cases an event ID 673, similar to above, was logged.  However, this time it was the IP address of my actual workstation—not the IP address of the server—that was included in the event log text.

In all of the tested scenarios, there was information that identified the specific account that was being authenticated.  However, depending upon whether PAM was involved, the Windows event logs may or may not capture the actual IP address of the originating workstation.  In almost all cases, though, the logs on the Linux, Solaris, or OpenBSD server would capture the IP address of the originating workstation, even if the Windows event logs did not.