Monday September 11, 2006 | Notes from a Carbon Based Life Form: thoughts, opinions, and drivel. 100% free, guaranteed.
Integrating Linux with Active Directory Authentication, with Winbind and PAM

This is a repost of a document that used to be located at http://www.timkennedy.net/docs/Linux+Active_Directory.html. I just figured I'd make it a blog post, so people can comment inline, rather than just in email.

Linux integration with Active Directory Authentication with Winbind and PAM (Pluggable Authentication Modules)

Q. What separates this effort from all the other Samba + Active Directory + User Authentication documents that are already available?

A. We don't use shares; we use ADS only as the authoritative repository for authentication data, and we needed a way to restrict the ability to log in to hosts to specific users or groups, or combinations thereof.

This document assumes you have a basic familiarity with PAM and Fedora Core Linux, and the ability to install RPM-based packages using YUM. Other than the installation of the packages, and possibly the location of some files, most of the information contained within should be portable to other flavors of Linux (or provide the basis for other flavors of Unix). A large portion of the data presented here is taken directly from Chapter 21 of the Samba Documentation, "Winbind: Use of Domain Accounts", under Part 3, Advanced Configuration.

The winbindd daemon is part of the Samba installation. It listens on a UNIX domain socket for AAA requests generated by NSS or PAM. Winbindd allows a *nix system to use PAM requests, translated into MSRPC calls, to directly query a Windows PDC for user and group information. Winbind then maps the NT accounts and groups onto UNIX uids/gids.

To install Winbind on Fedora Core Linux, if you have YUM working:

    linuxserver# yum install winbind

If you don't have YUM working, you'll need to locate the RPMs for Samba and Winbind and install them. Try http://rpmseek.com.

Change in /etc/nsswitch.conf:

    passwd: files
    shadow: files
    group:  files

to:

    passwd: files winbind
    shadow: files winbind
    group:  files winbind

Edit the file /etc/samba/smb.conf, and replace the [global] section with:

    [global]
    winbind separator = +
    winbind cache time = 10
    workgroup = DOMAIN
    password server = CONTROLLER1 CONTROLLER1
    winbind use default domain = yes
    realm = DOMAIN.TLD
    security = ads
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U

Join the Linux server to the domain:

    root# net ads join -U <username>
    Joined 'LINUXSERVER1' to realm 'DOMAIN.TLD'

NOTE: The username you use must have administrative privileges on the domain.

Now, start winbindd:

    root# /etc/init.d/winbind start

Winbind by default runs as two processes. One answers client queries, and the other updates the winbind cache with the most current answer for the query the first process just answered.

Make sure you have a backup of the /etc/pam.d directory:

    root# cp -a /etc/pam.d /etc/pam.d.bak

These are the relevant lines for the various PAM-controlled methods: account, auth, password, and session.

    auth     sufficient pam_winbind.so
    account  sufficient pam_winbind.so
    password sufficient pam_winbind.so use_authtok

And this goes into /etc/pam.d/system-auth:

    session  required   pam_mkhomedir.so skel=/etc/skel umask=0022

Now. All of that sets up your Linux box to allow Active Directory domain users to log in, with a bash shell, into a home directory in /home/DOMAIN/user. It will even create the home directories for any user that doesn't already have one, provided the session portion of the file contains the call to system-auth.

Now, let's say you want to be able to limit access to the server to only users from certain groups. Well, it actually turned out to be kind of simple to do. As we know, all users and groups from Active Directory are mapped to Unix uids and gids. We can make that work for us. First, let's see what groups I'm in (tkennedy):

    linuxserver# getent group | grep tkennedy
    Domain Users:x:10000:tkennedy,mmouse,ckent,gbush,bclinton,cpowell
    Domain Admins:x:10001:tkennedy,cpowell,ckent
    Enterprise Admins:x:10002:tkennedy,ckent
    Unix Admins:x:10003:tkennedy,pschmidt,eroberts

Now replace the account entries in /etc/pam.d/sshd with:

    account  sufficient pam_succeed_if.so gid = 10003

With that entry you can limit ssh access to the server to only members of the Unix Admins group. By using lines like that in other per-service pam.d files, you can set up quite complex authentication rules to control logins on a per-service, per-group basis.

Any questions?

Posted by tkblog (Sep 11 2006, 10:39:33 PM EDT) Permalink
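Before swapping the account stack of a service like sshd for a pam_succeed_if rule, it helps to simulate who the new rule would actually admit, so you don't lock yourself out. The following Python script is an added example, not part of the original post: it evaluates pam_succeed_if conditions against constructed "getent passwd" and "getent group" output, where the group lines follow the post above and the passwd entries (including tkennedy's primary gid of 10000) are assumptions. It shows the difference between "gid = N", which pam_succeed_if tests against the user's primary gid only, and "user ingroup NAME", which also counts supplementary membership.

```python
import re

# Constructed sample `getent passwd` / `getent group` output for a host with
# winbind in nsswitch.conf. Group lines follow the post; the passwd lines
# (including tkennedy's primary gid of 10000, Domain Users) are assumptions.
PASSWD = """\
tkennedy:x:10005:10000::/home/DOMAIN/tkennedy:/bin/bash
pschmidt:x:10006:10003::/home/DOMAIN/pschmidt:/bin/bash
mmouse:x:10007:10000::/home/DOMAIN/mmouse:/bin/bash
"""
GROUP = """\
Domain Users:x:10000:tkennedy,mmouse,ckent,gbush,bclinton,cpowell
Domain Admins:x:10001:tkennedy,cpowell,ckent
Unix Admins:x:10003:tkennedy,pschmidt,eroberts
"""

def parse_passwd(text):
    """user -> primary gid, as getpwnam() reports it."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: int(f[3]) for f in rows if len(f) >= 4}

def parse_group(text):
    """group name -> (gid, supplementary members listed by getent)."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: (int(f[2]), set(filter(None, f[3].split(",")))) for f in rows if len(f) >= 4}

def succeed_if(user, cond, passwd, groups):
    """Evaluate one pam_succeed_if condition as the module does: 'gid = N'
    checks only the primary gid from the passwd entry; 'user ingroup NAME'
    and 'user notingroup NAME' also count supplementary membership."""
    m = re.fullmatch(r"gid\s*=\s*(\d+)", cond)
    if m:
        return passwd[user] == int(m.group(1))
    m = re.fullmatch(r"user\s+(ingroup|notingroup)\s+(.+)", cond)
    if m:
        gid, members = groups[m.group(2)]
        member = user in members or passwd[user] == gid
        return member if m.group(1) == "ingroup" else not member
    raise ValueError("unsupported condition: " + cond)

def users_passing(cond, passwd_text=PASSWD, group_text=GROUP):
    """Users from getent passwd who would satisfy one account-stack rule."""
    passwd, groups = parse_passwd(passwd_text), parse_group(group_text)
    return sorted(u for u in passwd if succeed_if(u, cond, passwd, groups))

if __name__ == "__main__":
    for cond in ("gid = 10003", "user ingroup Unix Admins"):
        print(f"{cond!r:30} -> {users_passing(cond)}")
```

In a real pam.d line a group name containing a space must be passed as a single module argument, which Linux-PAM does with square brackets, e.g. [Unix Admins].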