Active Directory (LDAP) + Linux = passwords?
May 26, 2006 11:11 AM   Subscribe

Where do I find doccos that tell me how to authenticate my PAM-capable unix boxen against Microsoft's Active Directory?

Microsoft says "well, just upgrade your 2003 Server Enterprise to 2003 Server Enterprise R2 !" which sounds like paying >$10,000 just so I can get a couple-hundred byte snap-in for AD.

I've seen very little documentation on this, although I'd think it would be very popular in a heterogeneous office network. You've already got a Domain Controller, running Active Directory, that everyone's workstation authorizes against. You've got a farm of Linux machines that can do the pam_ldap thing, and Active Directory speaks LDAP. However, just pointing pam_ldap at AD doesn't work because AD is missing stuff.
posted by Mozai to Computers & Internet (8 answers total) 2 users marked this as a favorite
 
I'm not sure if you searched at all, but here's a sample result.
posted by kcm at 11:28 AM on May 26, 2006


Response by poster: My google-fu was not strong enough: search results delivered "use Mortice-Kern Systems MKS AD4Unix", with dead links to the software at every article (even those claiming to have local copies), and articles telling me I should buy Server 2003 R2.

Your sample result wasn't directly useful, but the links from it were useful, esp. for someone using un-R2 Server 2003. I've no idea why Microsoft wouldn't let me see that 58-page docco before.
posted by Mozai at 11:55 AM on May 26, 2006


You'll notice I Yahoo'd That Bitch rather than JFGingI
posted by kcm at 12:20 PM on May 26, 2006


This result of a Google search for "active directory linux" looks pretty complete. PADL, who maintain pam_ldap and nss_ldap, have this to say.
posted by mendel at 12:31 PM on May 26, 2006


Best answer: Strangely enough, I just set up a Linux box running Kubuntu to authenticate against the Active Directory at work today, and was considering posting a question almost exactly like this one...

Until I stumbled across the howto on the Ubuntu wiki. I followed the steps and it works flawlessly as far as I can tell. There are probably other things that could be done, like rigging it up such that passwd will change the user's password in the AD, but aside from that, it works great for me. It uses Winbind and Samba rather than LDAP, though. (Of course, it may be that Winbind uses LDAP as well. I'm not sure, and I don't really want to know. I'm just a simple unfrozen caveman, and Windows networking frightens and confuses me. It authenticates against our Windows Server 2003 AD, and that's all I really need to know.)

Even if you don't use Debian or Ubuntu, the configuration information in the howto should still be useful as long as you can figure out what packages in your distro of choice correspond to the ones mentioned in the howto.

And if your DC is also the DHCP and DNS server, you may also be interested to find out how to make your Linux boxen update their names in DNS like the Windows ones do.
posted by zztzed at 4:17 PM on May 26, 2006


Response by poster:
In case anyone else finds this: winbind can be harmful. I started on this project at work, installed the samba w/ winbind method on a few machines, got taken away for a week, and returned to find out that UIDs are not consistent! Indeed, the UIDs depend on the sequence that usernames are requested in. If the winbind cache is lost, users next logging in will find that they can't access their home directories (but they can access someone else's...).

There's supposed to be a config switch to prevent this, but it's not present in RedHat's samba packages... so, it's back to LDAP and hacking ActiveDirectory's LDAP schema.

zztzed keeps the "best answer," but for anyone reading this thread: don't use RedHat's packages. Compile your own (version 3.0.14 or later) and read up on "idmap backend = idmap_rid".
posted by Mozai at 10:25 AM on July 6, 2006


Response by poster:
How I did it:

- yum install ntp pam_krb5 krb5-workstation authconfig nscd
- set the ntp daemon to sync to your domain controller(s)
- make sure "UsePAM yes" is in your /etc/ssh/sshd_config
- get the samba package v3.0.22 or better from Fedora Core 5. If necessary, get the source rpm and compile it on your Fedora Core 4 or Fedora Core 3 machine. Compiling from source needs devel libraries; you can figure it out.
- run 'authconfig' (or 'authconfig-tib' in Fedora Core 5). Turn on "use Winbind" and "local authorization is sufficient"
- It'll ask you for your domain information. Click the "join domain" button after you fill in the blanks. Click "okay" once you've successfully logged in.
- Ta-da. Changes I made to /etc/samba/smb.conf that made my life easier:
    winbind use default domain = yes
    winbind nested groups = yes
    template homedir = /home/%U
- "wbinfo -t" to make sure you can talk to the domain controller
- sometimes, winbind says "no such user/group" even though wbinfo and getent say they're there. Edit /etc/sysconfig/samba, add WINBINDOPTIONS="-n", and restart winbind.
- learn how to use 'pam_succeed_if.so' in your /etc/pam.d/* files.
posted by Mozai at 1:18 PM on August 18, 2006
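As an added example that is not from the thread, here is a small shell audit covering the two points Mozai's follow-ups hinge on: why "idmap backend = idmap_rid" gives UIDs that do not depend on login order (the formula documented in idmap_rid(8)), and a check that an smb.conf actually uses it alongside the settings from the recipe above. The sample configs are constructed; the "idmap_rid:DOMAIN=low-high" form is the Samba 3.0.1x syntax, and verify_live_uid assumes a joined host with winbindd running, so it is not exercised here.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows why "idmap backend = idmap_rid"
# gives stable UIDs and audits an smb.conf for it. Sample configs are constructed;
# "idmap_rid:DOMAIN=low-high" is the Samba 3.0.1x syntax for the backend line.

# idmap_rid maps deterministically: ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid(8)).
# The same SID always gets the same UID regardless of who logs in first, unlike the
# default tdb allocator, whose numbering depends on the order names are looked up.
rid_to_uid() {  # args: rid low_range_id [base_rid]
    echo $(( $1 - ${3:-0} + $2 ))
}

# Print the value of one "key = value" line from the [global] section of an smb.conf.
smb_global_get() {  # args: file key
    sed -n '/^\[global\]/,/^\[/p' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Exit 0 if the config maps by RID, 1 if it still uses an allocating backend
# (the thread's "UIDs depend on the sequence that usernames are requested in").
idmap_is_stable() {  # arg: file
    case "$(smb_global_get "$1" 'idmap backend')" in
        idmap_rid*|rid*) return 0 ;;
        *)               return 1 ;;
    esac
}

# On a joined host, compare the live mapping for a user against the formula.
# Needs a running winbindd, so it is not called below. Takes the RID as the last SID field.
verify_live_uid() {  # args: user low_range_id
    sid=$(wbinfo -n "$1" | cut -d' ' -f1) || return 2
    rid=${sid##*-}
    [ "$(id -u "$1")" = "$(rid_to_uid "$rid" "$2")" ]
}

# Constructed samples: the thread's settings with and without the rid backend.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   idmap backend = idmap_rid:EXAMPLE=10000-20000000
   idmap uid = 10000-20000000
   winbind use default domain = yes
   winbind nested groups = yes
   template homedir = /home/%U
EOF
sed '/idmap backend/d' "$GOOD_CONF" > "$BAD_CONF"   # same file, allocating backend
for f in "$GOOD_CONF" "$BAD_CONF"; do
    idmap_is_stable "$f" && echo "$f: stable RID mapping" || echo "$f: UIDs depend on lookup order"
done
```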


Response by poster: authconfig-tui, not authconfig-tib.
posted by Mozai at 1:19 PM on August 18, 2006

