Thursday, November 29, 2012

Authenticate RHEL 5 Linux users by Windows 2008 R2 AD

My previous post was tested on Windows 2003 AD, which use non-RFC compliant scheme, Windows 2003 R2 or later is RFC2307bis compliant, the following is tested on Windows 2008 R2, but it should be working for Windows 2003 R2 and Windows 2008 as well.
The following use nss_ldap to do AD authentication by Kerberos, if you use RHEl 5.6 or later, you may consider  System Security Services Daemon (SSSD), which offer many great features.
 Setup Windows AD
Windows 2008 R2 AD has built-in component to perform the same function of “Windows services for Unix” in Windows 2003, it is named “identity management for Unix”
Install “identity management for Unix” by clicking “Add Role Services” under role of “Active Directory Domain services”. Choose all three sub-components in identity management for Unix.(note: QLOGIC SANsurfer software conflicts with RPC services, remove it before install identity management for Unix)
Setup ldapbind user, create test user, test group and set Unix attributes as the previous post
Setup configuration files
1.    Configure /etc/ldap.conf
nss_map_attribute in Windows 2008 R2 is different to Windows 2003, the following is a sample file
#cat /etc/ldap.conf
base OU=_USERS,DC=AD,DC=example,DC=com
BINDDN CN=svc_ldap_client,OU=MGT,OU=_USERS,DC=AD,DC=example,DC=com
BINDPW Pass123

timelimit 60
bind_timelimit 10
#by default, if ldap server is not reachable, it will retry long time before giving up,
# nss_reconnect_tries 1 limit it to be less than a minute. 
nss_reconnect_tries 1
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup  group
nss_map_attribute uid sAMAccountName
#nss_map_attribute uidNumber uidNumber
#nss_map_attribute gidNumber gidNumber
nss_map_attribute gecos         name
nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute loginShell loginShell
nss_map_attribute shadowLastChange pwdLastSet
nss_base_password OU=_USERS,DC=AD,DC=example,DC=com
nss_base_shadow OU=_USERS,DC=AD,DC=example,DC=com
nss_base_group OU=_GROUPS, DC=AD,DC=example,DC=com
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm is alias DNS name load balanced to DCs
uri ldap://
ssl no
tls_cacertdir /etc/openldap/cacerts

2.Configure /etc/krb5.conf, no difference to Windows 2003 AD

#cat /etc/krb5.conf 
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 default_realm =   AD.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
  kdc =
[domain_realm] = AD.EXAMPLE.COM = AD.EXAMPLE.COM
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

3.You also need to modify files in /etc/pam.d/ /etc/nsswitch.conf, once you have copied the ldap.conf and krb5.conf files, run the following command to automate the tasks.

$authconfig --enablecache  --enableldap --usemd5 --useshadow  --enablelocauthorize --enablekrb5  --enablemkhomedir  --update

1 comment: