May 2, 2008...5:54 pm

Linux Winbind to Active Directory


This article shows how to connect a Linux workstation or server to the DOMAIN Active Directory for authentication using the Winbind method.

NOTE: It is also possible to set up authentication using pure LDAP+Kerberos, but that requires additional configuration on the DOMAIN AD side (Services for Unix).

What you will need

  • Account in domain.local domain
  • Samba
  • Winbind
  • krb5-user
  • libpam-krb5

Used terms

  • AD – Active Directory
  • DC – Domain Controller
  • domain.local – AD domain
  • ad1.domain.local – DC FQDN
  • 192.168.1.16 – DC IP
  • domain.local – Kerberos Realm
  • linux-srv – computer name of my Linux workstation
  • linux.domain.local – FQDN of my Linux workstation

Installation

Installation of the required packages is not the subject of this article; you need to handle it yourself. This article was tested successfully on Debian GNU/Linux, but it should generally work on any other Linux distribution.

Testing connectivity

The first step to configuring your Linux client for participation in an Active Directory (AD) network is to confirm network connectivity and name resolution for the Active Directory domain controller. An easy way to verify both of these is to ping the fully-qualified domain name (FQDN) of the AD DC on your network.

linux-srv:~# ping -c 3 ad1.domain.local
PING ad1.domain.local (192.168.1.16) 56(84) bytes of data.
64 bytes from ad1.domain.local (192.168.1.16): icmp_seq=1 ttl=127 time=0.197 ms
64 bytes from ad1.domain.local (192.168.1.16): icmp_seq=2 ttl=127 time=0.240 ms
64 bytes from ad1.domain.local (192.168.1.16): icmp_seq=3 ttl=127 time=0.321 ms

--- ad1.domain.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2008ms
rtt min/avg/max/mdev = 0.197/0.252/0.321/0.054 ms
linux-srv:~#

Time settings

Correct time is essential for Kerberos, which is used for authentication in Active Directory networks. The easiest way to ensure correct time synchronization is to use an NTP server. Every Active Directory Domain Controller is also an NTP server, so for best results use the FQDN of an AD DC with ntpdate, which syncs the time at startup or on demand; alternatively, use any other NTP server of your choice.

linux-srv:~# ntpdate ad1.domain.local
21 Jan 09:56:52 ntpdate[2193]: adjust time server 192.168.1.16 offset -0.033589 sec

FQDN

A valid FQDN is essential for Kerberos and Active Directory, which is heavily dependent on DNS. Here we edit the local hosts file on your Linux workstation to make sure that its FQDN is resolvable.

File /etc/hosts

127.0.0.1    linux-srv.domain.local

Set up Kerberos

Now edit your Kerberos configuration file and add the following options. Pay close attention to capitalization; it is very important, or things will not work.

File /etc/krb5.conf

[libdefaults]
        default_realm = domain.local
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
[realms]
        domain.local = {
                kdc = ad1.domain.local
                kdc = ad2.domain.local
                admin_server = ad1.domain.local
        }
[domain_realm]
        .domain.local = domain.local
        domain.local = domain.local

Request a Ticket-Granting Ticket (TGT) by issuing the kinit command.

linux-srv:~# kinit Administrator
Password for Administrator@domain.local:

Check that the ticket request was valid using the klist command.

linux-srv:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@domain.local

Valid starting     Expires            Service principal
01/21/08 09:20:57  01/21/08 19:20:37  krbtgt/domain.local@domain.local
        renew until 01/22/08 09:20:57

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

At this point your Kerberos installation and configuration are working correctly. You can release the test ticket by issuing the kdestroy command.

Join AD domain

First of all, edit your Samba configuration to be an AD member.

File /etc/samba/smb.conf

[global]
    workgroup = DOMAIN
    server string = Linux testing server
    netbios name = linux-srv
    load printers = no
    log file = /var/log/samba/log.%m
    max log size = 50
    interfaces = lo eth0
    bind interfaces only = yes
    ;hosts allow = 192.168.64. 127.
    ;hosts deny = 0.0.0.0/0
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
    smb ports = 139
    security = ADS
    realm = domain.local
    password server = 192.168.1.16
    winbind separator = /
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    template homedir = /home/%U
    template shell = /bin/sh
    client use spnego = yes
    client ntlmv2 auth = yes
    winbind use default domain = yes
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    disable netbios = no
    dos charset = ASCII
    unix charset = UTF8
    display charset = UTF8

Notes:

  • The “winbind use default domain” parameter is useful in single-domain enterprises and makes winbind assume that all user authentications should be performed in the domain to which winbind is joined. Omit this parameter if your environment includes multiple domains or if your account domain differs from the resource domain.
  • The “winbind separator” directive is optional; the default value is the usual backslash “\” domain and user separator. You can use “+” if you know of a specific reason “\” will not work in your environment.
  • The “winbind refresh tickets” option automatically refreshes the Kerberos ticket when pam_winbind is used.

It is good practice to use the testparm command to check your Samba configuration.

linux-srv:~# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

Now, be sure to restart the Samba and Winbind services after changing the /etc/samba/smb.conf file.

linux-srv:~# /etc/init.d/winbind stop
linux-srv:~# /etc/init.d/samba restart
linux-srv:~# /etc/init.d/winbind start

Create a valid ticket using kinit. If the Kerberos auth was valid, you should not be asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command sudo net ads join -U username and supply your password when prompted. Otherwise you will be asked to authenticate as root@domain.local instead of a valid account name.

Create a valid ticket

linux-srv:~# kinit Administrator

Join the domain before starting samba and winbind:

linux-srv:~# net ads join -U Administrator
Administrator's password:
Using short domain name -- DOMAIN
Joined 'LINUX-SRV' to realm 'domain.local'

Note: In the DOMAIN network, users have the right to add and remove computers from the AD domain. Usually only the Administrator can do this.

Final testing

If everything has been configured successfully, you should be able to get a list of the domain's users.

linux-srv:~# wbinfo -u

And a list of the groups. Be patient; these queries can take time.

linux-srv:~# wbinfo -g

Setup authentication

Now edit /etc/nsswitch.conf and make the following changes:

passwd:         compat winbind
group:          compat winbind

Check the Winbind nsswitch module with getent. You should see users from AD as well as the local users of your Linux workstation.

linux-srv:~# getent passwd
...
...
domainuser70:*:10070:10002:Domain User 70:/home/domainuser70:/bin/sh
...

You can do the same thing for groups.

linux-srv:~# getent group
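The checks in the Time settings, Set up Kerberos and Final testing/Setup authentication steps above can be scripted. The following is an added example, not part of the original article: it parses the ntpdate offset, compares the krb5.conf default_realm with the realm of the kinit principal, and classifies getent passwd lines by the smb.conf idmap uid range (10000-20000). The 300-second skew limit is the usual Kerberos default and is an assumption here; the sample lines are constructed from the outputs shown on this page.

```shell
#!/bin/sh
# Post-join sanity checks for a Winbind AD member (added example, not the
# article's own code). Functions take text as arguments so they can be run on
# captured output; the sample values below are constructed from the page.

# Extract the clock offset (seconds) from an ntpdate "adjust time server" line.
ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\) sec.*/\1/p'
}

# Succeed when |offset| is within the tolerance (default 300 s, assumed to be
# the Kerberos clock-skew limit); a larger skew makes AD ticket requests fail.
skew_ok() {
    awk -v o="$1" -v t="${2:-300}" 'BEGIN { if (o < 0) o = -o; exit !(o <= t) }'
}

# Pull default_realm out of krb5.conf text so it can be compared with the realm
# in the principal that kinit/klist report (capitalization must match exactly).
krb5_default_realm() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p'
}

# Realm part of a principal such as Administrator@domain.local.
principal_realm() {
    printf '%s\n' "$1" | sed 's/.*@//'
}

# Classify a getent passwd line as a winbind-mapped (domain) or local account,
# using the smb.conf idmap uid range from the article (10000-20000).
account_kind() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    if [ "$uid" -ge 10000 ] && [ "$uid" -le 20000 ]; then
        echo domain
    else
        echo local
    fi
}

# Constructed sample input, taken from the outputs shown on the page.
NTP_LINE='21 Jan 09:56:52 ntpdate[2193]: adjust time server 192.168.1.16 offset -0.033589 sec'
KRB5_CONF='[libdefaults]
        default_realm = domain.local'
GETENT_LINE='domainuser70:*:10070:10002:Domain User 70:/home/domainuser70:/bin/sh'

# Run the checks over the samples.
off=$(ntpdate_offset "$NTP_LINE")
skew_ok "$off" && echo "clock offset ${off}s within tolerance" || echo "clock skew too large: $off"
[ "$(krb5_default_realm "$KRB5_CONF")" = "$(principal_realm Administrator@domain.local)" ] && echo "realm matches krb5.conf"
echo "domainuser70 is a $(account_kind "$GETENT_LINE") account"
```

Replace the sample strings with the real output of ntpdate, the contents of /etc/krb5.conf and getent passwd to run the checks on your own host.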

PAM

With this config you can access the workstation with local accounts or with domain accounts. On the first login of a domain user a home directory will be created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of pam_winbind.so and pam_unix.so should be reversed. When used with local accounts, the configuration shown here will result in a failed authentication to the Windows/Samba DC for each login and su/sudo use. This can litter the DC’s event log. Likewise, if local accounts are checked first, the /var/log/auth.log will be littered with failed logon attempts each time a domain account is accessed.

This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use kinit after logging in, and consider using kdestroy in a logout script.

File /etc/pam.d/common-account

account sufficient       pam_winbind.so
account required         pam_unix.so

File /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass

File /etc/pam.d/common-session

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Automatic Kerberos Ticket Refresh

If you enabled automatic Kerberos ticket refreshing in your smb.conf file, do not forget to modify /etc/pam.d/common-auth.

File /etc/pam.d/common-auth

auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE

End

Try to log in to your Linux workstation/server. I wish you good luck.
