AD Integration
Setting up Linux to use AD
Configuring AD Itself
AD Schema
At least one of your DCs must be Windows Server 2003 R2 or higher, so that the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell and friends) exist in the schema.
If none is, add a new DC that is 2003 R2 or higher and run adprep /forestprep once against the schema master, following Microsoft's instructions for doing so (link needed?); that extends the existing AD schema with the new attributes.
Identity Management for UNIX
In Server Manager, expand Roles, choose Active Directory Domain Services and look at the Role Services. If Identity Management for UNIX isn't installed (all three parts), add it (Add Role Services); this requires a restart (surprise, surprise). Once you've rebooted, you should have a 'UNIX Attributes' tab on users' property pages. I did not. I had to follow this post to make it work.
Users
At this point you should be able to add UNIX attributes to your users. Open a user, go to the UNIX Attributes tab and choose the one and only available NIS domain from the dropdown. You can now set the UID, login shell, home directory and primary GID. The Account tab also has a 'Use Kerberos DES encryption types for this account' checkbox; only tick it if kinit from the Linux box actually fails with an unsupported encryption type, because any reasonably current MIT Kerberos negotiates AES or RC4 with AD, newer DCs (2008 R2 onward) disable DES by default, and enabling it reduces that account's Kerberos keys to a cipher that is cheap to brute-force.
Groups
Do the same as for users: choose the NIS domain and add a UNIX GID. You do not need to add NIS members; it'll use the Windows-style members. Nested groups seem to work. I'm kind of surprised, though, since an LDAP search shows the nested group as the member rather than expanding it, so I'm not sure whether LDAP is working this out or whether I have something cached.
Configuring the Linux Box
LDAP
Create a user in AD for the Linux box to bind with. (The alternative is to turn on anonymous bind, which is a bad idea: it lets anyone on the network enumerate the directory.) Put the user in the Domain Guests group and remove it from Domain Users, so it can do nothing but read. Give it a long, random password that never expires. Bear in mind that this password sits in clear text in ldap.conf, which nss_ldap needs every local process to be able to read (the rootbinddn/ldap.secret mechanism only covers lookups done as root), and that with ssl turned off (see below) the simple bind sends it across the network in the clear; that is exactly why the account must have no rights beyond directory reads.
Now set up your Linux box. For brevity, here is my ldap.conf (the nss_ldap/pam_ldap one, not the OpenLDAP client file shown next):
host <domain controller>
base dc=example,dc=com
scope sub
binddn <full DN of the bind user in Domain Guests - create one>
bindpw <the password for that user>
# Only put in these next two lines if you want to join your computer to the domain for Samba stuff
# Personally, I don't.
#nss_base_passwd OU=Users,OU=...
#nss_base_shadow OU=Users,OU=...
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_minimum_uid 500
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
tls_checkpeer no
tls_cacertdir /etc/openldap/cacerts
ssl no
referrals no
And here's my /etc/openldap/ldap.conf
HOST <domain controller>
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
I've turned off SSL because it was causing a couple of weird issues. It doesn't need to be on if you're using Kerberos anyway. If you do turn it on, TLS_REQCERT never is probably a huge security hole, but our AD servers don't appear to be running certificate managers, and now that SSL's off I'm not going to bother looking into it.
NSSwitch
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup: files ldap
automount: files ldap
aliases: files
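As an added illustration (this is not code from the original page), the following Python models what the nss_map_objectclass and nss_map_attribute lines in the ldap.conf above make nss_ldap do when it turns AD entries into the passwd(5) and group(5) records that getent shows, including what happens to a nested group, which AD returns as a plain member DN. The directory entries, DNs, names and numbers in it are constructed for the example and are not from a real domain.

```python
# Added example, not code from the original page: a model of the nss_map_*
# mappings in the ldap.conf above, applied to constructed AD entries.

# The same mappings as the "RFC 2307 (AD) mappings" block of ldap.conf.
OBJECTCLASS_MAP = {"posixAccount": "user", "shadowAccount": "user", "posixGroup": "group"}
ATTRIBUTE_MAP = {
    "uid": "sAMAccountName",
    "homeDirectory": "unixHomeDirectory",
    "shadowLastChange": "pwdLastSet",
    "uniqueMember": "member",
}

# Constructed sample directory keyed by DN (attribute names are AD's; values invented).
DIRECTORY = {
    "CN=Alice Example,OU=Users,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"],
        "uidNumber": ["10001"], "gidNumber": ["10000"], "gecos": ["Alice Example"],
        "unixHomeDirectory": ["/home/alice"], "loginShell": ["/bin/bash"],
    },
    "CN=Bob Example,OU=Users,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"],
        "uidNumber": ["10002"], "gidNumber": ["10000"], "gecos": ["Bob Example"],
        "unixHomeDirectory": ["/home/bob"], "loginShell": ["/bin/bash"],
    },
    # The LDAP bind account: a user with no UNIX attributes at all.
    "CN=svc-ldapbind,OU=Service,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["svc-ldapbind"],
    },
    "CN=linux-users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"], "cn": ["linux-users"], "gidNumber": ["10000"],
        "member": [
            "CN=Alice Example,OU=Users,DC=example,DC=com",
            "CN=devs,OU=Groups,DC=example,DC=com",  # nested group, listed like any member
        ],
    },
    "CN=devs,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"], "cn": ["devs"], "gidNumber": ["10010"],
        "member": ["CN=Bob Example,OU=Users,DC=example,DC=com"],
    },
}


def attr(entry, rfc2307_name):
    """Read an RFC 2307 attribute through the nss_map_attribute table."""
    values = entry.get(ATTRIBUTE_MAP.get(rfc2307_name, rfc2307_name), [])
    return values[0] if values else None


def has_class(entry, rfc2307_class):
    """Check an RFC 2307 object class through the nss_map_objectclass table."""
    return OBJECTCLASS_MAP[rfc2307_class] in entry["objectClass"]


def passwd_lines(directory):
    """passwd(5) records. Only 'user' entries carrying a uidNumber appear, so a
    user without UNIX attributes (the bind account) is invisible to getent."""
    lines = []
    for entry in directory.values():
        if not has_class(entry, "posixAccount") or attr(entry, "uidNumber") is None:
            continue
        lines.append(":".join([
            attr(entry, "uid"), "x", attr(entry, "uidNumber"), attr(entry, "gidNumber"),
            attr(entry, "gecos") or "", attr(entry, "homeDirectory") or "",
            attr(entry, "loginShell") or "",
        ]))
    return sorted(lines)


def members(directory, group_dn, expand_nested, seen=None):
    """Resolve a group's member DNs to login names. AD returns a nested group as an
    ordinary member DN; with expand_nested=False it is dropped (it is not a user),
    with expand_nested=True it is followed recursively, guarding against cycles."""
    seen = set() if seen is None else seen
    seen.add(group_dn)
    names = set()
    for dn in directory[group_dn].get(ATTRIBUTE_MAP["uniqueMember"], []):
        entry = directory.get(dn)
        if entry is None:
            continue
        if has_class(entry, "posixAccount") and attr(entry, "uidNumber") is not None:
            names.add(attr(entry, "uid"))
        elif has_class(entry, "posixGroup") and expand_nested and dn not in seen:
            names |= members(directory, dn, True, seen)
    return names


def group_lines(directory, expand_nested=False):
    """group(5) records built through the same tables; cn is the group name."""
    lines = []
    for dn, entry in directory.items():
        if not has_class(entry, "posixGroup") or attr(entry, "gidNumber") is None:
            continue
        who = ",".join(sorted(members(directory, dn, expand_nested)))
        lines.append(f"{attr(entry, 'cn')}:x:{attr(entry, 'gidNumber')}:{who}")
    return sorted(lines)


if __name__ == "__main__":
    print("\n".join(passwd_lines(DIRECTORY)))
    print("\n".join(group_lines(DIRECTORY)))                      # flat, as LDAP returns it
    print("\n".join(group_lines(DIRECTORY, expand_nested=True)))  # nested group followed
```

Run it and compare with `getent passwd alice` and `getent group linux-users` on the real box: whether bob shows up in linux-users tells you whether your NSS module is following nested member DNs or, as the Groups section above wonders, something else is answering from a cache.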
Kerberos
Your /etc/krb5.conf file should look something like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
PAM
system-auth should look something like this:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
I also had to link gdm-password and gdm? to system-auth (not sure why).
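To make the control flags in the auth section of that stack concrete, here is an added example (not code from the original page): a toy evaluator that walks the auth lines the way libpam does and reports which module decided each login. The accounts, uids and passwords are constructed, and the module behaviours are simplified stand-ins for the real pam_unix, pam_succeed_if, pam_krb5 and pam_deny.

```python
# Added example, not code from the original page: a toy evaluator for the
# Linux-PAM control flags in the auth section of the system-auth stack above.
# Accounts, uids and passwords are constructed; module behaviours are simplified.

# Keyword controls written in the [value=action] form Linux-PAM uses internally
# (see pam.conf(5)); 'default' covers every return value not listed.
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The auth section from system-auth, as (control, module, arguments).
AUTH_STACK = [
    ("required",   "pam_env.so",        ""),
    ("sufficient", "pam_unix.so",       "nullok try_first_pass"),
    ("requisite",  "pam_succeed_if.so", "uid >= 500 quiet"),
    ("sufficient", "pam_krb5.so",       "use_first_pass"),
    ("required",   "pam_deny.so",       ""),
]

# Constructed accounts: 'local' is a /etc/shadow password (None = no entry),
# 'kerberos' the password of the matching AD principal (None = no principal).
USERS = {
    "root":   {"uid": 0,     "local": "r00tpw", "kerberos": None},
    "apache": {"uid": 48,    "local": None,     "kerberos": None},        # system account
    "alice":  {"uid": 10001, "local": None,     "kerberos": "Pa55w0rd"},  # AD user seen via nss_ldap
}


def run_module(module, args, user, password):
    """Stand-in behaviours returning a PAM result name; not the real modules."""
    acct = USERS[user]
    if module == "pam_env.so":
        return "success"
    if module == "pam_unix.so":            # checks a local shadow password only
        return "success" if acct["local"] is not None and password == acct["local"] else "auth_err"
    if module == "pam_succeed_if.so":      # understands just 'uid >= N'
        field, op, value = args.split()[:3]
        if (field, op) != ("uid", ">="):
            raise ValueError(f"unsupported test: {args}")
        return "success" if acct["uid"] >= int(value) else "auth_err"
    if module == "pam_krb5.so":            # password checked against the KDC
        return "success" if acct["kerberos"] is not None and password == acct["kerberos"] else "auth_err"
    if module == "pam_deny.so":
        return "perm_denied"
    raise ValueError(f"unknown module {module}")


def evaluate(stack, user, password):
    """Walk the stack as libpam does; return (stack result, module that decided it)."""
    failure = None                          # the first 'bad'/'die' result sticks
    for control, module, args in stack:
        result = run_module(module, args, user, password)
        actions = CONTROLS[control]
        action = actions.get(result, actions["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            failure = failure or (result, module)
            if action == "die":             # requisite: stop right here
                return failure
        elif action == "done":              # sufficient: stop unless something already failed
            return failure or ("success", module)
        # 'ok' on success just carries on to the next line
    return failure or ("success", stack[-1][1])


if __name__ == "__main__":
    for user, pw in [("root", "r00tpw"), ("alice", "Pa55w0rd"), ("alice", "wrong"), ("apache", "x")]:
        print(user, evaluate(AUTH_STACK, user, pw))
```

Two things this makes visible: the requisite pam_succeed_if line is what stops root and system accounts (uid below 500) from ever being sent to the KDC, even with a wrong local password, and pam_deny at the bottom is what fails an AD user with a wrong password instead of letting the stack fall through. Also note that nullok on pam_unix accepts an empty local password field; remove it on any host where that matters.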
SSHD Config
Make sure your /etc/ssh/sshd_config has the following settings:
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Apache Kerberos SSO
I might fill this in more, but for now: http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
Last Notes
I mashed cracklib using the instructions at the end of this so that it wasn't so whiny about dictionary words being in people's passwords.
