Introduction
This post describes all the millions of configuration files you need to set up on a CLIENT LINUX server / machine in order to ssh to it with your domain credentials. I have this working in a LAB environment with the following caveats:
- SELinux disabled (making this work with SELinux enforcing still requires work)
- Firewall Disabled (not hard to fix this if required)
- DNS setup is not fully working: Samba4's DNS server does not reliably forward queries it cannot answer to an external nameserver. I don't know why yet (more investigation required).
- You will need a user called binduser which has permissions in AD to look up other users. Because its password ends up in plaintext in the config files below, make it a dedicated account with no rights beyond directory lookups. I am sure there is documentation on creating this around somewhere :)
Install packages
yum -y install samba-winbind pam_ldap pam_krb5 nss-pam-ldapd oddjob-mkhomedir bind-utils
Configure openldap (/etc/openldap/ldap.conf)
[root@linuxclient ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://pdc.vbox.local/
BASE dc=vbox,dc=local
Configure PAM_LDAP (/etc/pam_ldap.conf). Note that `bindpw` is stored in plaintext here and again in /etc/nslcd.conf, so keep both files readable only by root; and because `ssl no` is set, the bind credentials and lookups travel to the DC unencrypted, which is acceptable only in a lab.
[root@linuxclient ~]# cat /etc/pam_ldap.conf
uri ldap://pdc.vbox.local/
base dc=vbox,dc=local
binddn cn=binduser,cn=Users,dc=vbox,dc=local
bindpw SECRET
scope sub
nss_base_passwd cn=Users,dc=vbox,dc=local
nss_base_shadow cn=Users,dc=vbox,dc=local
nss_base_group cn=Users,dc=vbox,dc=local
nss_map_objectclass posixAccount user
nss_map objectclass shadowAccount user
nss_map objectclass posixGroup group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute uid
pam_filter objectClass=user
pam_password md5
pam_member_attribute member
ssl no
tls_cacertdir /etc/openldap/cacerts
am_sasl_mech DIGEST-MD5
Configure KRB5 (/etc/krb5.conf)
[root@linuxclient ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/admind.log
[libdefaults]
default_realm = VBOX.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
[domain_realm]
.vbox.local = VBOX.LOCAL
vbox.local = VBOX.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = false
}
[realms]
VBOX.LOCAL = {
}
VBOX.LOCAL = {
}
Configure the NSLC Daemon (/etc/nslcd.conf)
[root@linuxclient ~]# cat /etc/nslcd.conf
binddn cn=binduser,cn=Users,dc=vbox,dc=local
bindpw SECRET
scope sub
base dc=vbox,dc=local
scope group sub
scope hosts sub
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow shadowLastChange pwdLastSet
map shadow uid sAMAccountName
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
uid nslcd
gid ldap
uri ldap://pdc.vbox.local/
ssl no
tls_cacertdir /etc/openldap/cacerts
Configure Authconfig for SSH (/etc/sysconfig/authconfig)
set: USEKERBEROS=yes
[root@linuxclient ~]# cat /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
USEDB=no
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=no
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=yes
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=yes
USESYSNETAUTH=no
PASSWDALGORITHM=sha512
USEPASSWDQC=no
Update authconfig
authconfig --updateall
Check the PAM configuration generated by authconfig. Note that `nullok` on the pam_unix.so lines permits local accounts with an empty password; remove it if that is not wanted.
[root@linuxclient ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
Configure DNS Settings
Various AD names must resolve from the client, especially for Kerberos.
Note: there is a known problem here. The domain controller must FORWARD DNS queries it cannot answer itself to an upstream nameserver (see the caveat in the introduction).
[root@linuxclient ~]# cat /etc/resolv.conf
#nameserver must be the IP address of the domain controller.
domain vbox.local
nameserver 192.168.56.101
Reboot
A reboot is required to make sure everything works.