Linux-Windows Single Sign-On

Here I’m going to post very useful Linux-Windows Single Sign-On configuration, for who wants to authenticate their linux Machines over the Active Directory.

####Setup and Configure Winbind

  • Name Service Switch (NSS):

    This is a set of capabilities built into the Linux C libraries that allow an application to select a source to validate authentication credentials.

  • Pluggable Authentication Modules (PAM):

    This extends the standard Unix password authentication mechanism to include central authentication databases such as LDAP, Kerberos, AD and so on.

  • Winbind with Samba:

    The winbind service uses Samba for configuration information. For AD interoperability, make sure your system is running a current version of Samba (3.05 or newer).

  • Kerberos:

    Winbind uses Kerberos to get tickets for accessing AD. A Windows domain controller acts as the Key Distribution Center (KDC).

To configure winbind in Centos, launch the Authentication Configuration (as superuser (root). System-config-authentication but it doesn’t make all the required configuration settings.

Check the Use Winbind option In the Winbind Settings window, set the Security Model to ads and fill in the Winbind Domain, Winbind ADS Realm and Winbind Domain Controllers. See sample settings below.

    Domain: flat (NetBIOS) name for the domain (COMPANY)
    Security Model: ADS
    ADS Realm: FQDN for the domain (company.com)
    Domain Controllers: Fully Qualified Domain Name (FQDN) for a domain controller (dc1.company.com)
    Template Shell: /bin/bash

There’s a Join Domain option, but don’t select it. It might not work, and you won’t get sufficient feedback to help resolve problems. For now, just click OK to save the changes you just entered.

####NOTE:

To ensure the success of the Active Directory integration, make sure that your Active Directory DNS is working, you are using the Active Directory DNS, you can ping the domain controllers and that the difference between the domain controllers’ clock is not more than five minutes.

When the authconfig window closes, the console window should show that winbind starts. If this fails, try starting the service manually with the following command:

    /etc/init.d/winbind start

If winbind starts, it will appear on a ps process list like this:

    # ps -A | grep winbind<br/>3132 ? 00:00:00 winbindd<br/>3133 ? 00:00:00 winbindd

####Configuration Files

Authconfig makes changes to three configuration files.

  • Name Service Switch (NSS):

    This is a set of capabilities built into the Linux C libraries that allow an application to select a source to validate authentication credentials.

  • nsswitch (/etc/nsswitch.conf)

    The critical entries are passwd and group. Other Linux flavors don’t bother assigning winbind to other services. comments and irrelevant information removed

    passwd: files winbind
    shadow: files winbind
    group: files winbind
    hosts: files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files
    netgroup: files
    publickey: nisplus
    automount: files
    aliases: files nisplus
  • system-auth (/etc/pam.d/system-auth):

    PAM uses a stackable authentication scheme, and each element in the stack must be separately configured.

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
    auth required /lib/security/$ISA/pam_deny.so
    account sufficient /lib/security/$ISA/pam_succeed_if.so uid <>
    account required /lib/security/$ISA/pam_unix.so
    account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
    password requisite /lib/security/$ISA/pam_cracklib.so retry=3
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
    password required /lib/security/$ISA/pam_deny.so
    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so
  • smb.conf (/etc/samba/smb.conf):

    The idmap entries are important because winbind uses them to maintain a correspondence between AD account names and the User IDs and Group IDs used by Linux. Fedora assigns a large range of potential IDs. Typically, other Linux flavors assign a range of 10000-20000.

    [global]
    workgroup = COMPANY
    server string = Samba Server
    printcap name = /etc/printcap
    load printers = yes
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ads
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = yes
    password server = dc1.company.com
    realm = COMPANY.COM

Also, in smb.conf, note the home directory path inserted by authconfig, /home/%D/%U. A user, call him winuser1, from an AD domain, call it company.com, would get a home directory path of /home/COMPANY/ winuser. Authconfig does not create the domain folder under /home. You must create it manually.

  • krb5 (/etc/krb5.conf):

    Krb5 issue tickets for authenticat again AD

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = COMPANY.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    DC1.COMPANY.COM = {
    kdc = kerberos.DC1.COMPANY.COM :88
    kdc = kerberos.DC1.COMPANY.COM
    admin_server = kerberos.DC1.COMPANY.COM:749
    default_domain = DC1.COMPANY.COM
    }

    COMPANY.COM = {
    kdc = DC1.COMPANY.COM
    }

    [domain_realm]
    .dc1.Company.com = DC1.COMPANY.COM
    dc1.Company.com = DC1.COMPANY.COM

    dc1.company.com = DC1.COMPANY.COM
    .dc1.company.com = DC1.COMPANY.COM
    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

####Joining an AD Domain

You can now join the Linux workstation to the AD domain using the Linux net command. Here’s the syntax, with everything after the first line generated by net:

    # net ads join -U administrator
    administrator's password:
    Using short domain name -- COMPANY
    Joined `Your Machine Name` to realm `COMPANY.COM`

####Configure PAM At this point, a Windows user trying to authenticate at the Linux desktop would get a series of errors because a local home directory isn’t present. as PAM module—mkhomedir automatically creates the home directory Let’s include that. To include this module as part of the login process, change two configuration files under /etc/pam.d :

  • login (/etc/pam.d):

    This file controls authentication from a console prompt.

    #%PAM-1.0
    auth required pam_securetty.so
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_selinux.so multiple
    session required pam_stack.so service=system-auth
    session optional pam_console.so
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
  • gdm (/etc/pam.d/gdm):

    This file controls login from a graphical screen.

    #%PAM-1.0
    auth required pam_env.so
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session optional pam_console.so
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

After changing the PAM files, restart the desktop. This is a quick way to ensure that authconfig made the correct boot settings for the required services. Thats all, now you can login in to your machine with AD login information.

###Comments

Anonymous

this post is very usefull thx!


Welcome to my Blog

Finally I got chance to get on with blogging. This is what I really wanted to do for long time ago. So here I like to share my knowledge, thoughts and views . Please feel free to comments on them .

###Comments

Anonymous

Nice work Pitta. Keep up the good work…All the best

Dhanushka