[an error occurred while processing this directive] [an error occurred while processing this directive]

Configuring a Linux system to be a full AD member

These instructions assume a good understanding of unix system administration. Read through them first and make sure that you understand the implications of all the parts before you begin, particularly from a system security point of view.

These instructions are old and haven't been updated for over a year. Use the new instructions if you can.

The examples given here apply specifically to Fedora systems, but should be relevant to other distributions and variants of unix.

Please send feedback on any successes or failures on this topic, or to suggest any other improvements.

Aims

The aim of this work is to produce a set of procedures to join non-Windows systems to an Active Directory domain.

Joining the domain should require a similar amount of resource to that required for a Windows machine.
The machine should allow AD users to authenticate against local services.
The machine should be able to use AD groups to authorize access to resources.
There should be no user-accessible passwords that could assist any attack on local or domain resources.

Nearly all of the procedure has been successfully automated. The manual procedure currently consists of configuration of a number of components:

Kerberos;
Samba;
nsswitch;
nss_ldap;
nscd;
PAM;

Extra packages

On a reasonably default Fedora installation I found that I needed to add the following packages:

samba-common,
samba,
samba-client,
nss_ldap,
openldap-clients,
cyrus-sasl-gssapi,

The following command should be sufficient:

yum install samba-common samba samba-client nss_ldap\
openldap-clients cyrus-sasl-gssapi

System Time

Kerberos requires that all machines involved have clocks that are reasonably accurate. You may need to run 'ntpd' or 'ntpdate'.
[TODO - examples of how to configure ntpdate]

Kerberos Configuration

Kerberos is a network authentication protocol that was developed at MIT in 1988. It has widespread support across unix platforms, so if it's not already installed on your system it should be readily available.

On Fedora, the relevant packages are krb5-libs, krb5-workstation, pam_krb5, but they should be installed already.

The main configuration file for Kerberos is /etc/krb5.conf:

[logging]
    default = FILE:/var/log/krb5libs.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = LANCS.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[domain_realm]
    .lancs.local = LANCS.LOCAL
    lancs.local = LANCS.LOCAL

[appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }

You can test that Kerberos is correctly configured with the following command:

kinit <username>

(replace <username> with a valid AD username). You should be prompted for the password for the username, and you should see no error if the password is correct. You can list your current Kerberos tickets with 'klist' and you can destroy your current Kerberos tickets with 'kdestroy'.

Samba

We don't actually need the samba service, but the tools provided with samba make it very straightforward to join the domain.

We need a minimal samba configuration in /etc/samba/smb.conf:

[global]
    workgroup = LANCS
    hosts allow = 127.0.0.0/8 10.0.0.0/8 148.88.0.0/16 194.80.32.0/21

    log file = /var/log/samba.log
    max log size = 50

    security = ads
    realm = LANCS.LOCAL
    password server = *
    use kerberos keytab = true

    wins server = 148.88.5.82

If you are already using samba, you will need to merge these settings with what you are already using.

Join the domain

Get your creds right first:

kdestroy
kinit <adminusername>

Where <adminusername> is a username with rights to create a computer account. Then:

net ads join createcomputer="<OU>" createupn

Where <OU> should be replaced by an OU that you have rights to create computer accounts in. The OU is relative to the Directory root, with components separated by slashes, e.g. "University/Servers/ISS".

You will be prompted to enter a password. It appears to be safe and correct to just press 'Return'.

Noted on 2008/07/10: Behaviour in Samba 3.2 (Fedora 9) appears to be different, in order for the join to succeed, authentication details need to be suppplied when doing the join itself, i.e.:

net ads join createcomputer="<OU>" createupn -U <user>

Where <user> is your (admin?) username. You will be prompted to enter your password.

You can check that a machine is correctly joined with:

net ads testjoin

Configure Kerberos authentication for LDAP

/usr/local/sbin/kinit_nssldap_ccache:

#!/bin/bash
HOSTNAME=`hostname | sed 's/\.lancs.ac.uk//' | tr '[a-z]' '[A-Z]'`
/usr/kerberos/bin/kinit -k host/${HOSTNAME} -c /tmp/.ldapcache && \
chown nscd /tmp/.ldapcache

Ensure that this works:

chmod +x /usr/local/sbin/kinit_nssldap_ccache
/usr/local/sbin/kinit_nssldap_ccache

This should run without errors, and should leave a file in '/tmp/.ldapcache'.

Now configure kinit_nssldap_ccache to run periodically - add the following to root's crontab:

@reboot /usr/local/sbin/kinit_nssldap_ccache
@hourly /usr/local/sbin/kinit_nssldap_ccache

Configure nss_ldap

/etc/ldap.conf:

host lancs-dc0.lancs.local lancs-dc1.lancs.local lancs-dc2.lancs.local lancs-dc3.lancs.local
base ou=University,dc=LANCS,dc=LOCAL
timelimit 120
bind_policy soft
use_sasl on
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/.ldapcache
nss_paged_results yes
nss_base_passwd ou=Users,ou=University,dc=LANCS,dc=LOCAL
nss_base_group ou=Groups,ou=University,dc=LANCS,dc=LOCAL
nss_map_attribute   uid           msSFU30Name
nss_map_attribute   uidNumber     msSFU30UidNumber
nss_map_attribute   gidNumber     msSFU30GidNumber
nss_map_attribute   loginShell    msSFU30LoginShell
nss_map_attribute   homeDirectory msSFU30HomeDirectory
nss_map_attribute   uniqueMember  member
nss_map_attribute   gecos         displayName
nss_map_objectclass posixAccount  User
nss_map_objectclass posixGroup    Group
#nss_default_attribute
#nss_override_attribute
nss_schema rfc2307bis
nss_initgroups backlink
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
# PAM settings
pam_login_attribute msSFU30Name
pam_filter objectclass=User
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
#pam_member_attribute uniqueMember
pam_min_uid 500
pam_max_uid 0

nscd

Turn nscd on:

/sbin/chkconfig nscd on
/etc/init.d/nscd start

TODO: check if tuning the limits in nscd has any worthwhile effect on performance

Configuration of PAM and NSS

Enable Kerberos for authentication, and LDAP for name lookups:

/usr/sbin/authconfig --enablekrb5 --enableldap --update

On non-Fedora systems you will need to edit your PAM configuration and /etc/nsswitch.conf with other relevant tools, or edit them manually.
TODO: more clues about what to do on non-Fedora systems

You should now be able to login using an AD username and password. Also, 'groups should show the AD groups that you are a member of, as well as any local memberships.

Further Notes

Much of this information applies to all platforms and should be on a separate page.

`'homedir'` and '`shell`' attributes

The unix attributes in AD are static, so each user will receive the values on all SFU-enabled clients. There are two particular attributes for which this may be an issue: 'homedir' and 'shell'.

The 'homedir' attribute has a value in the form '/home/unix/nn/username'.

If you want users to see their networked home directories when they log in, you should arrange for automount (or something similar) to do an appropriate mount via NFS. (TODO: kerberised NFS).

If you want users to have local home directories you can mount your own 'home' disk at /home, or arrange for the 'home' filesystem to be accessible on this path by appropriate symbolic links.

The 'shell' attribute has a value of '/usr/bin/local-sh' for all users. If you want all users to have a real shell, you can create a symlink, eg:

ln -s bash /usr/bin/local-sh

If you want to give different behaviour in different contexts (e.g. to allow different shells for different classes of users), local-sh can itself be a script that determines the appropriate shell and then uses exec to launch it.

Forwarding Kerberos Tickets with SSH

So, you have your workstation set up to authenticate via AD. What can you do with it?

Samba Client access

The 'smbclient' command gives command-line access to samba shares. If you use the '-k' flag, it will authenticate via kerberos. DFS redirections appear to work correctly, although there seems to be a name resolution issue with domain-based DFS (for example, //LANCS\DEPTS/... doesn't work, but //LANCS.LOCAL/DEPTS/... does).

The GNOME file browser uses Kerberos automatically, so paths like smb://homes1/18/bloggsf should just work.

SSH

In Fedora, SSH has Kerberos support built in, so to a large extent it will just work.

However, 'ticket forwarding' is disabled by default, and if you turn it on you should only do so for hosts that you trust. Ticket forwarding allows the ticket that you use to access a service to be used to access further services, so if this is turned on you can connect from server A to server B, and then from server B to server C. This can be very convenient, but it must be understood that a connecting to an untrusted host could be a security risk.

You can enable ticket forwarding by enabling the option 'GSSAPIDelegateCredentials'. One way to do this is by editing (or creating) an ssh configuration file '~/.ssh/config':

Host server1
    GSSAPIDelegateCredentials yes

For more details see the manual page for 'ssh_config'

Steve Bennett
last updated: 30/03/2010