Often I find myself working in a department where the skill sets of individuals vary significantly, and my current position is no different. While there is nothing wrong with this, there have been several occasions (like when I am on vacation) where help desk personnel or other less savvy users are called upon to perform basic functions. When you start dealing with a group of servers, it can be troublesome to maintain a local user base without some form of directory authentication. Since most corporate offices still revolve around Windows at the desktop, Active Directory becomes a very logical option.
This will basically document the steps I performed in setting up our Linux machines (Fedora 9, RHEL 5, CentOS 5) to authenticate against our Active Directory domain for SSH, while restricting access to a specific security group so that we can give only specific users access as needed. While I have only used this with Red Hat distros, it may be helpful to others.
Phase 1: Preparing Active Directory
While Windows Services for UNIX is still available, Microsoft was nice enough to include a similar feature with Windows 2003 R2 out of the box. In Add/Remove Windows Components, under Active Directory Services, you will find Identity Management for UNIX. This installs the LDAP attributes we need to get this all working, and gives you a new tab, “UNIX Attributes”, for your users.
Phase 2: Preparing Groups
Now create your first security group; note that it is beneficial not to include special characters or spaces in the group name. Once the group has been created, edit the UNIX Attributes under Properties and set the NIS Domain to the default one that was created; you may leave the Group ID or change it as needed.
Phase 3: Preparing Users
Once your security group has been set up (I named mine LinuxUsers), you can add your users. Under user properties you will see a tab, “UNIX Attributes”, that contains our specific LDAP attributes. Even though we won’t be using NIS, you have to set the NIS Domain to get access to the other options. As for the rest of the attributes, I personally prefer to use bash (/bin/bash) and ensure that home directories are all lower case.
Phase 4: Configuring Linux
The hardest part of this setup was getting the correct DN where needed. Due to our number of organizational units, I ended up using JXplorer a few times, which made finding a specific DN much easier.
Packages: openldap, openldap-devel, nss_ldap (provides pam_ldap.so, the LDAP NSS module and /etc/ldap.conf), pam, pam_krb5, ntp
# yum install openldap openldap-devel nss_ldap pam pam_krb5 ntp
In order to log in, you must make sure your time is synchronized with your domain controller. Since we use an external NTP server on our domain controller, we are going to sync with the same server before continuing. An optional step would be to set up a cron job to synchronize the date and time consistently. Also note that ntpd must be stopped before updating, so if you had it installed before, make sure the service is stopped.
# /etc/rc.d/init.d/ntpd stop
# ntpdate -u pool.ntp.org
# /etc/rc.d/init.d/ntpd start
Now there are several configuration files we must update. I will list the file paths I used with examples, though yours may differ. In these examples, MYDOMAIN.COM is our Active Directory domain and pdc.mydomain.com is our domain controller.
/etc/krb.conf
(Example)
MYDOMAIN.COM
MYDOMAIN.COM pdc.mydomain.com
/etc/krb5.conf
(Example)
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.COM = {
  kdc = pdc.mydomain.com
  kdc = bdc.mydomain.com
 }

[domain_realm]
 .MYDOMAIN.COM = MYDOMAIN.COM
 MYDOMAIN.COM = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
 .mydomain.com = MYDOMAIN.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
/etc/ldap.conf (NOTE: You must create a normal user in AD for your Linux servers to bind with, and you will need to change these DNs to match your setup.)
(Example)
# Must be RESOLVABLE
host pdc.mydomain.com bdc.mydomain.com

# The distinguished name of the search base.
base dc=mydomain,dc=com

# Bind user you created in AD
# The credentials to bind with.
# nss_ldap needs this file to be world-readable, so every local user can read
# this password: give the bind account read-only directory access and nothing more.
binddn CN=ldapuser,OU=Users,DC=mydomain,DC=com
bindpw Password123

# The search scope.
scope sub

# Search timelimit
timelimit 30

# Bind/connect timelimit
bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
idle_timelimit 3600

# Group to enforce membership of
# The group you set up in AD that contains your Linux users
pam_groupdn CN=LinuxUsers,OU=Groups,DC=mydomain,DC=com

# Group member attribute
pam_member_attribute member

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
pam_password ad

# Search bases for NSS lookups. Note that nss_base_group only searches ou=Users,
# so the LinuxUsers group in OU=Groups above is not resolvable by name
# (getent group) unless this base is widened; pam_groupdn itself is unaffected.
nss_base_passwd ou=Users,dc=mydomain,dc=com?sub
nss_base_shadow ou=Users,dc=mydomain,dc=com?sub
nss_base_group ou=Users,dc=mydomain,dc=com?sub

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
krb5_ccname FILE:/etc/.ldapcache

# Plain ldap:// with a simple bind: the bind password above crosses the wire in
# cleartext, and AD only accepts unicodePwd changes (pam_password ad) over SSL/TLS.
ssl no
/etc/nsswitch.conf
Append ldap to the end of the following lines:
- passwd:
- shadow:
- group:
- netgroup:
(Example)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
/etc/pam.d/sshd – Add the following ldap and krb5 PAM modules, and also create the user's home directory if it does not exist.
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
session optional pam_krb5.so
session optional pam_ldap.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
(Example)
#%PAM-1.0
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth include system-auth
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_nologin.so
account include system-auth
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password include system-auth
session optional pam_krb5.so
session optional pam_ldap.so
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
Verify that LDAP authentication is working by logging in with a domain account that has the correct permissions. You can watch the security log for information on failures.
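To make that verification repeatable, here is a small check script, added as an example (it is not part of the original post). It re-implements the two decisions the stack above makes at login, in shell: that nss_ldap can build a passwd entry for the user (all four RFC 2307 attributes from the UNIX Attributes tab are present) and that the user's DN is listed as a member of the pam_groupdn group, and it also checks nsswitch.conf and /etc/pam.d/sshd for the lines added in Phase 4. The DNs, host names and bind account are the ones from the examples above; the LDIF entries for jdoe and LinuxUsers are constructed sample data, and verify_host is the only part that talks to the domain controller.

```sh
#!/bin/sh
# verify_ad_auth.sh: post-configuration checks for the nss_ldap/pam_ldap/pam_krb5
# setup described above. Added example, not code from the original post.
# The DNs, host names and bind account are the ones used in the post's examples;
# change them to match your directory.
LDAP_URI="ldap://pdc.mydomain.com"
BASE_DN="dc=mydomain,dc=com"
BIND_DN="CN=ldapuser,OU=Users,DC=mydomain,DC=com"
GROUP_DN="CN=LinuxUsers,OU=Groups,DC=mydomain,DC=com"
# RFC 2307 attributes the "UNIX Attributes" tab fills in; nss_ldap needs all four
# (plus sAMAccountName, which nss_map_attribute maps to uid) to build a passwd entry.
REQUIRED_ATTRS="uidNumber gidNumber unixHomeDirectory loginShell"

# Constructed sample entries in the LDIF form that ldapsearch -LLL prints.
SAMPLE_USER_LDIF='dn: CN=jdoe,OU=Users,DC=mydomain,DC=com
sAMAccountName: jdoe
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/jdoe
loginShell: /bin/bash'
SAMPLE_GROUP_LDIF='dn: CN=LinuxUsers,OU=Groups,DC=mydomain,DC=com
member: CN=jdoe,OU=Users,DC=mydomain,DC=com
member: CN=asmith,OU=Users,DC=mydomain,DC=com'

# nsswitch_has_ldap FILE DB: succeed if the DB line (passwd, shadow, group ...)
# in FILE lists the ldap source.
nsswitch_has_ldap() {
    grep -E "^[[:space:]]*$2:.*[[:space:]]ldap([[:space:]]|\$)" "$1" >/dev/null 2>&1
}

# pam_has_module FILE TYPE MODULE: succeed if an uncommented TYPE line in FILE
# loads MODULE, e.g. pam_has_module /etc/pam.d/sshd account pam_ldap.so
pam_has_module() {
    grep -E "^[[:space:]]*$2[[:space:]].*[[:space:]]$3([[:space:]]|\$)" "$1" >/dev/null 2>&1
}

# user_ldif_ok < LDIF: read one user entry from stdin; fail, naming the attribute,
# if any UNIX attribute is absent (then getent passwd returns nothing for the user).
user_ldif_ok() {
    entry=$(cat)
    for a in $REQUIRED_ATTRS; do
        printf '%s\n' "$entry" | grep -iq "^$a: " || { echo "missing $a"; return 1; }
    done
    return 0
}

# group_has_member USER_DN < LDIF: the test pam_groupdn/pam_member_attribute makes
# at login: USER_DN must appear as a member value of the group entry on stdin.
group_has_member() {
    grep -iq "^member: $1\$"
}

# verify_host USER: run all checks against the live system. Needs the bind
# password at each ldapsearch prompt and network access to the domain controller.
verify_host() {
    rc=0
    for db in passwd shadow group; do
        nsswitch_has_ldap /etc/nsswitch.conf "$db" || { echo "nsswitch.conf: $db line lacks ldap"; rc=1; }
    done
    for m in pam_krb5.so pam_ldap.so; do
        for t in auth account; do
            pam_has_module /etc/pam.d/sshd "$t" "$m" || { echo "pam.d/sshd: no $t line for $m"; rc=1; }
        done
    done
    pam_has_module /etc/pam.d/sshd session pam_mkhomedir.so || { echo "pam.d/sshd: pam_mkhomedir.so missing"; rc=1; }
    # Kerberos rejects clock skew over five minutes; -q only queries, it never sets the clock.
    ntpdate -q pdc.mydomain.com >/dev/null || { echo "cannot query time from the domain controller"; rc=1; }
    # The account must resolve through nss_ldap before PAM ever sees it.
    getent passwd "$1" >/dev/null || { echo "getent: $1 not resolvable via ldap"; rc=1; }
    user_ldif=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE_DN" \
        "(sAMAccountName=$1)" $REQUIRED_ATTRS)
    printf '%s\n' "$user_ldif" | user_ldif_ok || rc=1
    user_dn=$(printf '%s\n' "$user_ldif" | sed -n 's/^dn: //p')
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W -b "$GROUP_DN" -s base member |
        group_has_member "$user_dn" || { echo "$1 is not a member of $GROUP_DN"; rc=1; }
    return $rc
}

# Usage: sh verify_ad_auth.sh run jdoe
# (without "run" the script only defines the functions, so it can be sourced)
if [ "${1:-}" = run ]; then
    verify_host "$2"
fi
```

Run it as root on the freshly configured server with the name of a user you expect to be allowed in; every failure prints one line saying which of the pieces above (nsswitch, PAM stack, clock, NSS lookup, UNIX attributes, group membership) is the cause, which is usually quicker than reading pam_ldap debug output in the security log.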
Phase 5: Giving SUDO permissions (Optional)
Add the group to your sudoers file using %groupname.
(Example)
# Give our Windows Group linuxusers (system admins), ALL commands.
%linuxusers ALL=(ALL) ALL
Does your above pam config provide fall-through auth? AD to local?
How can I permit or deny access for my AD users to my Linux servers?
In AD I define some hosts to permit access to them in the user account (button “login on …” – attribute “userWorkstations”) – but it does not work.
Can you help me?
I think it doesn’t work because I must map the AD attribute “userWorkstation” to the POSIX (LDAP) attribute “host” in /etc/ldap.conf…. but I can’t find something like this:
nss_map_attribute host userWorkstations # I tried using this line, but it doesn’t work either…