Thursday, May 16, 2013

Samba4 Windows AND Linux authentication

Introduction

This post describes all the millions of configuration files you need to set up on a CLIENT LINUX server / machine in order to ssh to it with your domain credentials. I have this working in a LAB environment with the following caveats:

  1. SELINUX disabled (work on this required)
  2. Firewall Disabled (not hard to fix this if required)
  3. DNS Setup not working completely for Forwarding to external Nameserver by Samba4.  Don't know why. (more investigation required)
  4. You will need to have a user called binduser which has permissions in AD to look up other users.  I am sure there is documentation on this around somewhere :)

Install packages

yum -y install samba-winbind pam_ldap pam_krb5 nss-pam-ldapd oddjob-mkhomedir bind-utils

Configure openldap (/etc/openldap/ldap.conf)

[root@linuxclient ~]# cat /etc/openldap/ldap.conf 
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://pdc.vbox.local/
BASE dc=vbox,dc=local

Configure PAM_LDAP (/etc/pam_ldap.conf)

[root@linuxclient ~]# cat /etc/pam_ldap.conf 
uri ldap://pdc.vbox.local/
base dc=vbox,dc=local
binddn cn=binduser,cn=Users,dc=vbox,dc=local
bindpw SECRET
scope sub
nss_base_passwd cn=Users,dc=vbox,dc=local
nss_base_shadow cn=Users,dc=vbox,dc=local
nss_base_group cn=Users,dc=vbox,dc=local
nss_map_objectclass posixAccount user
nss_map objectclass shadowAccount user
nss_map objectclass posixGroup group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute uid
pam_filter objectClass=user
pam_password md5
pam_member_attribute member
ssl no
tls_cacertdir /etc/openldap/cacerts
am_sasl_mech DIGEST-MD5

Configure KRB5 (/etc/krb5.conf)

[root@linuxclient ~]# cat /etc/krb5.conf 
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/admind.log

[libdefaults]
 default_realm = VBOX.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true

[domain_realm]
.vbox.local = VBOX.LOCAL
vbox.local = VBOX.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = false
}

[realms]
VBOX.LOCAL = {
}

VBOX.LOCAL = {
}

Configure the NSLC Daemon (/etc/nslcd.conf)

[root@linuxclient ~]# cat /etc/nslcd.conf                                                                                                                                                       
binddn cn=binduser,cn=Users,dc=vbox,dc=local                                                                                                                                                  
bindpw SECRET                                                                                                                                                                                
scope sub                                                                                                                                                                                       
base dc=vbox,dc=local                                                                                                                                                                           
scope  group  sub                                                                                                                                                                               
scope  hosts  sub                                                                                                                                                                               
pagesize 1000                                                                                                                                                                                   
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName

filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow shadowLastChange pwdLastSet
map    shadow uid              sAMAccountName

filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member

uid nslcd
gid ldap
uri ldap://pdc.vbox.local/
ssl no
tls_cacertdir /etc/openldap/cacerts

Configure Authconfig for SSH (/etc/sysconfig/authconfig)

set: USEKERBEROS=yes
[root@linuxclient ~]# cat /etc/sysconfig/authconfig 
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
USEDB=no
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=no
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=yes
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=yes
USESYSNETAUTH=no
PASSWDALGORITHM=sha512
USEPASSWDQC=no

Update authconfig

authconfig --updateall

Check PAM Configuration

[root@linuxclient ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Configure DNS Settings

You need various AD names to resolve. Especially for kerberos... Note: There is a problem here. The Domain controller must FORWARD dns traffic it knows nothing about.
[root@linuxclient ~]# cat /etc/resolv.conf 
#nameserver must be the IP address of the domain controller.
domain vbox.local
nameserver 192.168.56.101

Reboot

A reboot is required to make sure everything works.
Post a Comment