# AD / Samba / PAM for single-sign-on?

## househead

The organisation I work for has a Windows 2003 domain, using AD. I have a Linux workstation with a Samba server, and I have configured smb.conf for AD integration using winbind. Winbind and Samba are working correctly in that wbinfo -u, wbinfo -g, getent passwd and getent group all show the desired results. The machine has been joined to the domain (net ads join), and I can browse and offer shares to and from my colleagues. All the config files (smb.conf / krb5.conf / nsswitch.conf) are set up correctly AFAICS.

I want to take this a step further and permit console and gdm logins for any member of the domain. I have spent the majority of the day trying to get my head around PAM and Kerberos etc. and I don't seem to be any closer to understanding it enough. There seem to be lots of different (often distro-specific) howtos around, detailing different settings for the /etc/pam.d/* and nsswitch.conf files, and I am getting mixed results. I have conceded that it may be best to learn each of the concepts from the ground up; after all, this is a killer app in the corporate world. I've recently started a new job as an OS lab technician for a public sector OS project, so it would be an excellent learning experience.

Just a few q's to start me off...

In /etc/pam.d/login, should I be using pam_winbind.so or pam_krb5.so to authenticate to AD?

Can this be properly achieved without using ad4unix? If so, what does ad4unix achieve that a non-ad4unix setup wouldn't?

I can post config files used tomorrow if there are peeps on here who can help.

TIA

MB

----------

## nobspangle

I have managed to get this to work once but never reliably, I was using pam_winbind.so, I managed logins to the console and to gdm but never via ssh.

----------

## househead

*nobspangle wrote:*

> I have managed to get this to work once but never reliably, I was using pam_winbind.so, I managed logins to the console and to gdm but never via ssh.

Did you need to change the schema at all on the AD server? I've seen write-ups describing the ad4unix or M$ services for unix, but there is no way whatsoever I can go down this route, at least not on the company infrastructure. If I can pull this off, I will write a guide with gentoo as the platform. It would be invaluable IMO.

BTW, do you have any remaining config files?

----------

## BlueScreeN

I have exactly this setup.

Win-2003 AD domain running native mode, NO schema changes and 2 Gentoo servers integrated in AD through Samba and Winbind.

Both file sharing through Samba and interactive logins are possible, I have tested with KDM, SSH and console login.

The only catch is, the users need to have an entry in /etc/passwd. I tried to get OpenLDAP to work for this, but gave up and wrote a dirty little shell script instead.

/etc/pam.d/system-auth

```
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so forwardable
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok shadow
auth       required     /lib/security/pam_deny.so
account    sufficient   /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_krb5.so
account    required     /lib/security/pam_deny.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_krb5.so
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_krb5.so
#session    required    /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022 silent
```

If you remove the # on the last line, PAM will automatically create home directories for your users.

/etc/nsswitch.conf

```
passwd:      compat winbind
shadow:      compat
group:       compat winbind
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

/etc/krb5.conf

```
[libdefaults]
        default_realm = NAME.OF.AD.DOMAIN
[realms]
        NAME.OF.AD.DOMAIN = {
        kdc = dc1.dnsdomain.org:88
        kdc = dc2.dnsdomain.org:88
        }
```

Hack to get all users from AD over to /etc/passwd

```
#!/bin/sh
# Dump the AD user list (one account name per line) using the stored
# machine account credentials (-P), then create a local account for each.
/usr/bin/net ads user -P > /usr/local/sbin/ad.txt
FILENAME=/usr/local/sbin/ad.txt
# cut keeps only the first colon-separated field, so each line is reduced
# to the bare username before it is handed to adduser
for user in $(cut -d: -f1 "$FILENAME")
do
        /usr/sbin/adduser "$user" -s /bin/bash
done
```

I run this script from cron every 30 minutes; the downside is that it will not clean up users in /etc/passwd if I delete them from AD.

I've had this setup running in a production environment with ~250 users for a couple of weeks without problems. I however set the login shell to /bin/false in the script because I don't need console logins; I only use this for a web based application where I need user authentication.
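The cron job above only ever adds accounts: once a user is deleted from AD, the mirrored /etc/passwd entry keeps a working shell and password-less local identity until someone notices. The script below is an added example, not BlueScreeN's or Samba's code. It assumes the sync job records every username it created in a tracking file (hypothetical, one name per line) and that the current AD list is the saved output of `net ads user -P`; it prints the tracked names that no longer exist in AD and hands them to a lock command, which defaults to a dry-run `echo` (set `LOCK_CMD="usermod -L"` on a real host). It also refuses to act on an empty AD list, because an empty list nearly always means the `net` call failed, not that every user was deleted.

```shell
#!/bin/sh
# Added example: reconcile mirrored local accounts against the current AD
# user list so that accounts removed from AD are locked instead of lingering.
#
# Assumptions (hypothetical, not from the thread):
#   - the mirroring job appends every username it creates to a tracking
#     file, one per line, so only accounts it created are ever touched;
#   - AD_LIST is the saved output of `net ads user -P`, one username per line;
#   - LOCK_CMD disables an account; it defaults to a dry-run echo.
LOCK_CMD=${LOCK_CMD:-echo "would lock:"}

# stale_accounts AD_LIST TRACKED
# Print the tracked usernames that no longer appear in AD_LIST.
# Refuses (status 2, prints nothing) when AD_LIST is empty: an empty list
# almost always means `net ads user` failed, and treating that as
# "everyone was deleted" would lock every mirrored account at once.
stale_accounts() {
    ad_list=$1
    tracked=$2
    if [ ! -s "$ad_list" ]; then
        echo "stale_accounts: $ad_list is empty, refusing to reconcile" >&2
        return 2
    fi
    # -x whole-line match, -F fixed strings, -v invert: lines of $tracked
    # that match no line of $ad_list. grep exits 1 when nothing is selected,
    # which is the normal "no stale accounts" case, not an error.
    grep -v -x -F -f "$ad_list" "$tracked" || true
}

# lock_stale AD_LIST TRACKED
# Run $LOCK_CMD on every stale account and print how many were locked.
# Propagates the refusal status of stale_accounts so cron sees the failure.
lock_stale() {
    stale=$(stale_accounts "$1" "$2") || return $?
    count=0
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        $LOCK_CMD "$user"
        count=$((count + 1))
    done <<EOF
$stale
EOF
    echo "$count"
}

# demo: constructed sample data standing in for real `net ads user` output
demo() {
    dir=$(mktemp -d)
    printf 'alice\nbob\ncarol\n' > "$dir/ad.txt"       # AD today: dave is gone
    printf 'alice\nbob\ndave\n' > "$dir/tracked.txt"   # accounts the mirror job created
    echo "stale: $(stale_accounts "$dir/ad.txt" "$dir/tracked.txt")"
    lock_stale "$dir/ad.txt" "$dir/tracked.txt"
    rm -rf "$dir"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Running the script with `--demo` reports `dave` as stale and, with the default dry-run `LOCK_CMD`, prints what would be locked rather than touching any account.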

----------

## ausmusj1

If you are still looking for this, I just got this working last Friday. It uses winbind and winbind's UID/GID mapping capabilities, so no entry in /etc/passwd is needed. Here are my config files:

/etc/pam.d/system-auth

```
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so
account    sufficient   pam_succeed_if.so uid < 100
account    sufficient   pam_winbind.so
account    required     pam_unix.so
account    [default=bad success=ok user_unknown=ignore] pam_winbind.so
password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_winbind.so use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
```

/etc/nsswitch.conf

```
passwd:      db files nis winbind
shadow:      db files nis winbind
group:       db files nis winbind
hosts:       files dns
networks:    files dns
services:    db files winbind
protocols:   db files winbind
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files winbind
bootparams:  nisplus [NOTFOUND=return] files
automount:   files
aliases:     files nisplus
```

/etc/krb5.conf

```
[libdefaults]
        ticket_lifetime = 600
        default_realm = DOMAIN.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
#       EXAMPLE.COM = {
#       kdc = kerberos.example.com:88
#       kdc = kerberos2.example.com:88
#       admin_server = kerberos.example.com:749
#       }
        NAME.OF.DOMAIN = {
        kdc = FQDN.OF.AD.SERVER1:88
        kdc = FQDN.OF.AD.SERVER2:88
        admin_server = FQDN.OF.AD.SERVER1:749
        }
[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
[kdc]
        profile = /etc/kdc.conf
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
```

/etc/kdc.conf

```
[kdcdefaults]
        kdc_ports = 88,750
[realms]
        #EXAMPLE.COM = {
        #database_name = /etc/krb5kdc/principal
        #admin_keytab = /etc/krb5kdc/kadm5.keytab
        #acl_file = /etc/krb5kdc/kadm5.acl
        #dict_file = /etc/krb5kdc/kadm5.dict
        #key_stash_file = /etc/krb5kdc/.k5.EXAMPLE.COM
        #kadmind_port = 749
        #max_life = 10h 0m 0s
        #max_renewable_life = 7d 0h 0m 0s
        #master_key_type = des3-hmac-sha1
        #supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
        #}
        DOMAIN.COM = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        dict_file = /etc/krb5kdc/kadm5.dict
        key_stash_file = /etc/krb5kdc/.k5.EXAMPLE.COM
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
        }
```

/etc/samba/smb.conf (Relevant pieces only)

```
[global]
  realm = DOMAIN.COM
  workgroup = DOMAIN_SHORT_NAME
  security = ads
  password server = FQDN.OF.AD.CONTROLLER
  encrypt passwords = yes
  unix password sync = Yes
  pam password change = yes
  winbind use default domain = yes
  template homedir = /home/%D/%U
  obey pam restrictions = yes
  template shell = /bin/bash
  winbind enable local accounts = yes
  idmap uid = 16777216-33554431
  idmap gid = 16777216-33554431
```

/etc/conf.d/samba (Relevant pieces only)

```
daemon_list="smbd nmbd winbind"
```

This is all working great for me. My next problem is, since this is on a laptop, how to make it so that once you have logged into the machine while it is connected to the corporate network, you can do so again when it isn't, with the same domain account and the same files/ownerships...

Hope That Helps

-James
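To see what an order like `passwd: db files nis winbind` in the nsswitch.conf above actually does per lookup, here is an added example, not ausmusj1's or glibc's code: it parses an nsswitch.conf line and walks the listed services with the default actions from nsswitch.conf(5), where only SUCCESS stops the walk and NOTFOUND, UNAVAIL and TRYAGAIN continue to the next source. It goes one step beyond this post's file by also handling the `[STATUS=action]` override glibc accepts after a service (including `[NOTFOUND=return]`, which makes a definite "no such user" final while still letting a later source answer when the earlier one is unavailable, and the `!STATUS` negated form). The status each service would return is supplied by the caller as a constructed dict; nothing is queried on the system, and the `merge` action is treated like `continue`.

```python
"""Added example: walk an nsswitch.conf line the way glibc does.
Service results are constructed by the caller; no real NSS lookup happens."""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
# glibc defaults from nsswitch.conf(5): only SUCCESS ends the walk.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_line(line):
    """'passwd: files winbind [NOTFOUND=return] db'
    -> ('passwd', [(service, {status: action}), ...]).
    A [..] block modifies the service immediately before it."""
    database, _, rest = line.partition(":")
    services = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            services.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("action block with no preceding service: " + line)
        actions = services[-1][1]
        for item in tok[1:-1].split():
            status, action = item.lower().split("=", 1)
            if status.startswith("!"):
                # [!STATUS=action]: every status except STATUS gets the action
                for other in STATUSES:
                    if other != status[1:]:
                        actions[other] = action
            elif status in STATUSES:
                actions[status] = action
            else:
                raise ValueError("unknown status in " + tok)
    return database.strip(), services


def lookup(line, results):
    """Consult the services in order. results maps service -> status it would
    return for the queried name (constructed, e.g. {'winbind': 'unavail'});
    unlisted services return 'notfound'. Returns (final_status, consulted).
    The final status is that of the last service consulted."""
    _, services = parse_line(line)
    consulted = []
    status = "notfound"
    for service, actions in services:
        status = results.get(service, "notfound")
        consulted.append(service)
        if actions[status] == "return":
            break
    return status, consulted


if __name__ == "__main__":
    # Constructed scenarios for a domain user that exists only in AD.
    plain = "passwd: db files nis winbind"
    cached = "passwd: files winbind [NOTFOUND=return] db"
    print(lookup(plain, {"nis": "unavail", "winbind": "success"}))
    # winbind answers "no such user": the local db cache is never asked
    print(lookup(cached, {"winbind": "notfound", "db": "success"}))
    # winbind is down (laptop off the network): the db cache answers
    print(lookup(cached, {"winbind": "unavail", "db": "success"}))
```

The second and third calls are the point of `[NOTFOUND=return]`: a user removed from AD stops resolving as soon as winbind can be reached, while the cached copy still answers when winbind itself is unavailable.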

----------

## BlueScreeN

Great m8  :Cool: 

I'll look in to this again after my vacation, so I can skip my scripting for /etc/passwd.

As for the offline login credentials, I think you might be able to use this pam module.

http://www.padl.com/OSS/pam_ccreds.html

I haven't tried it though; if you do, let me know how it works out.

//Bluescreen.

----------

## ausmusj1

Got it!!!

Here's a mini-how-to:

1.  Configure your samba/pam system so that local login via an AD account works correctly (for help, see my above post w/ config files)

2.  emerge nss-db and a cron daemon

3.  download, compile, install pam_ccreds and nss_updatedb from http://www.padl.com

4.  set up a cron job to run `nss_updatedb winbind` every 2 (or X) hours - this pulls user and group info from your AD server and caches it locally - for this to work I had to link in the nss_winbind.so files from /usr/lib/security to /lib/security - probably just a configure switch that needs to be fixed on nss_updatedb - feedback?

5.  set up your /etc/nsswitch.conf and /etc/pam.d/system-auth files as listed below

6.  I also had to increase the login timeout in /etc/login.defs to 120, as I haven't yet figured out a way to tell winbindd to timeout quickly

7.  You're done!

/etc/nsswitch.conf:

```
passwd:      files winbind [NOTFOUND=return] db
shadow:      files winbind [NOTFOUND=return] db
group:       files winbind [NOTFOUND=return] db
hosts:       files dns
networks:    files dns
services:    files winbind [NOTFOUND=return] db
protocols:   files winbind [NOTFOUND=return] db
rpc:         files [NOTFOUND=return] db
ethers:      files [NOTFOUND=return] db
netmasks:    files
netgroup:    files winbind [NOTFOUND=return] db
bootparams:  nisplus [NOTFOUND=return] files
automount:   files
aliases:     files nisplus
```

/etc/pam.d/system-auth:

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       [authinfo_unavail=ignore system_err=ignore open_err=ignore user_unknown=ignore success=1]    pam_winbind.so use_first_pass
auth       [user_unknown=2 authinfo_unavail=2 success=ok]     pam_ccreds.so action=validate use_first_pass
auth       [default=done]     pam_ccreds.so action=store use_first_pass
auth       [default=done]     pam_ccreds.so action=update use_first_pass
auth       required     pam_deny.so
account    sufficient   pam_succeed_if.so uid < 100
account    [authinfo_unavail=ignore default=done]   pam_winbind.so
account    [user_unknown=ignore default=done]   pam_unix.so
account    [default=done]   pam_permit.so
password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_winbind.so use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
```

Disclaimer: I have not verified that this works in the situation that a user has cached credentials, then changes their password on the AD server (such as through a Windows box), then tries to login to Linux again while the system is able to speak with the AD server. Theoretically, it should update the cached credentials, but, since this is my first foray into PAM-land, if any PAM experts can tell me if that will happen (should be the pam_ccreds.so action=update line above), that would be great!

HTH, and if you have any feedback or improvements, let me know!

Thanks-

James
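The bracketed control fields in the auth section above decide which pam_ccreds action runs in each situation, which is exactly what the disclaimer asks about. What follows is an added example, not James's config or Linux-PAM code: a small simulator that parses the posted auth lines and applies the control semantics from pam.conf(5) (`ok`, `done`, `bad`, `die`, `ignore`, `reset`, the integer jump, and the `required`/`requisite`/`sufficient`/`optional` shorthands). Module return codes are assumptions supplied per scenario: pam_unix reports `user_unknown` for a domain account, pam_winbind reports `success`, `auth_err` or `authinfo_unavail`, and pam_ccreds `action=validate` reports `success`, `auth_err` or `user_unknown` (the codes the stack's own control fields handle). Under those assumptions the walk shows that a successful online login (including the first login with a new password after an AD password change) skips `validate` and ends at `store`, so the cache is refreshed there; an offline login with a cached entry passes `validate` and ends at `store`; offline with no cache entry jumps straight to pam_deny; and any online failure falls through to `action=update`, because `done` only ends the stack while no failure has been recorded. Whether `update` then replaces or deletes the cache entry is pam_ccreds' own behaviour and is not modelled.

```python
"""Added example: simulate a Linux-PAM auth stack under pam.conf(5) control
semantics. Module return values come from a scenario dict; nothing here
touches real PAM, winbind or pam_ccreds."""
import re
from collections import namedtuple

# Keyword shorthands, expanded as pam.conf(5) defines them.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Outcome for modules a scenario does not mention; pam_deny always fails.
DEFAULT_OUTCOMES = {"pam_deny.so": "auth_err"}

Entry = namedtuple("Entry", "label actions")
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text):
    """Parse pam.d lines into (label, {return_code: action}) entries. The label
    is the module file name plus ':<action>' when an action=... argument is
    present, so the three pam_ccreds lines get distinct outcomes."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse: " + line)
        _type, control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(item.split("=", 1) for item in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        act = re.search(r"\baction=(\w+)", args)
        label = module.rsplit("/", 1)[-1] + (":" + act.group(1) if act else "")
        entries.append(Entry(label, actions))
    return entries


def run_stack(text, scenario):
    """Return (final_status, [labels actually executed]).
    impression: None = nothing decided yet, True = positive so far, False = a
    failure was recorded. 'done' ends the stack early only while the
    impression is positive, which is what makes 'sufficient' respect an
    earlier 'required' failure; a jump 'N' counts like 'ok' and skips N lines."""
    impression, status, skip, executed = None, "perm_denied", 0, []
    for entry in parse_stack(text):
        if skip:
            skip -= 1
            continue
        retval = scenario.get(entry.label, DEFAULT_OUTCOMES.get(entry.label, "success"))
        executed.append(entry.label)
        action = entry.actions.get(retval, entry.actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, "perm_denied"
        elif action in ("ok", "done") or action.isdigit():
            if impression is None or (impression and status == "success"):
                impression, status = (retval == "success"), retval
            if action == "done" and impression:
                break
            if action.isdigit():
                skip = int(action)
        else:  # bad, die, and any unknown action is treated as bad
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
    return (status if impression is not None else "perm_denied"), executed


# The auth section posted above.
AUTH_STACK = """
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       [authinfo_unavail=ignore system_err=ignore open_err=ignore user_unknown=ignore success=1]    pam_winbind.so use_first_pass
auth       [user_unknown=2 authinfo_unavail=2 success=ok]     pam_ccreds.so action=validate use_first_pass
auth       [default=done]     pam_ccreds.so action=store use_first_pass
auth       [default=done]     pam_ccreds.so action=update use_first_pass
auth       required     pam_deny.so
"""

# Assumed module outcomes for a domain user unknown to pam_unix. Unlisted
# modules return success. pam_ccreds codes: user_unknown = no cached entry,
# auth_err = password does not match the cache.
SCENARIOS = {
    "online_ok":          {"pam_unix.so": "user_unknown", "pam_winbind.so": "success"},
    "offline_cached":     {"pam_unix.so": "user_unknown", "pam_winbind.so": "authinfo_unavail",
                           "pam_ccreds.so:validate": "success"},
    "offline_uncached":   {"pam_unix.so": "user_unknown", "pam_winbind.so": "authinfo_unavail",
                           "pam_ccreds.so:validate": "user_unknown"},
    "online_bad_pw":      {"pam_unix.so": "user_unknown", "pam_winbind.so": "auth_err",
                           "pam_ccreds.so:validate": "auth_err"},
    # old password after an AD change: AD rejects it even though the cache matches
    "online_stale_cache": {"pam_unix.so": "user_unknown", "pam_winbind.so": "auth_err",
                           "pam_ccreds.so:validate": "success"},
}


def evaluate(name):
    return run_stack(AUTH_STACK, SCENARIOS[name])


if __name__ == "__main__":
    for name in SCENARIOS:
        status, ran = evaluate(name)
        print(f"{name:19} -> {status:17} via {' > '.join(ran)}")
```

The `online_stale_cache` scenario is the one worth keeping in mind from a security angle: a cached credential that still matches never overrides a live rejection from AD, because pam_winbind's `bad` result is recorded first and `ok` cannot turn a negative impression back into a success.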

----------

## househead

Excellent, thanks for the replies, I shall try this ASAP and report back on success.

Ta

----------

## majunbu

I am so close to getting this whole thing working to authenticate to a M$ AD server but I keep running into a road block. Now just for background, Samba is working great, joined the domain, can browse the user list and group list, and Kerberos is working fine and all. But the issue is when it comes time to login with an AD account I get 

```
Creating directory '/home/DOMAIN/useraccount'.
Permission denied
```

message and I am dropped back to the login prompt at the console. Now I must be missing something simple here since PAM is trying to create the user account's home directory as /home/domain name/ then account name but it is failing, which tells me at least that the authentication process is working to a certain extent but just can't complete due to the fact it can't create the home directory, which causes a failure. Do I have to do something to give pam_mkhomedir.so the proper permissions to create that home directory?

As to any logs showing me more info on the failure I am coming up dry. I am a little frustrated since the logs I can get to don't really explain anything going on with this error message or shed any more light on it, which is kind of weird.

Any help would be greatly appreciated since my head already hurts from beating it against the keyboard.  :Confused: 

----------

## majunbu

Well never mind about my previous post. I got it to work. I thought it was failing because of the process attempting to create a DOMAIN folder and then a sub folder named with the user account. I went ahead and created the DOMAIN folder with full RWX access across the board and attempted to log in and it worked.  :Very Happy: 

----------

## BlueScreeN

I'm back from vacation and started digging in this again.

Almost there now.

Filesharing AD <-> Linux is working, however I can't do local logins since I skipped my script for batching over accounts to /etc/passwd.

I get this in my logs.

```
Aug 15 15:36:52 linus pam_winbind[8396]: user 'testuser' granted access
Aug 15 15:36:52 linus sshd[8396]: pam_succeed_if: requirement "uid < 100" not met by user "testuser"
Aug 15 15:36:52 linus pam_winbind[8396]: user 'testuser' granted access
Aug 15 15:36:52 linus sshd[8391]: Accepted keyboard-interactive/pam for testuser from 192.168.1.1 port 2226 ssh2
Aug 15 15:36:52 linus sshd(pam_unix)[8397]: session opened for user testuser by (uid=0)
Aug 15 15:36:52 linus sshd[8391]: fatal: login_get_lastlog: Cannot find account for uid 10003
Aug 15 15:36:52 linus sshd[8391]: syslogin_perform_logout: logout() returned an error
Aug 15 15:36:52 linus sshd(pam_unix)[8397]: session closed for user testuser
```

Any ideas ?

//BlueScreeN.

----------

## BlueScreeN

Ok, so I had my brain switched off for a moment.

I changed

```
  idmap uid = 16777216-33554431
  idmap gid = 16777216-33554431
```

to

```
  idmap uid = 10000-33554431
  idmap gid = 10000-33554431
```

in smb.conf, and now all is well.

//Bluescreen.

----------

## elekaj34

Hi,

I've done the instructions in this post, but when I try to login, I get this:

*Quote:*

> pam_winbind[3736]: request failed: Name pipe not available, PAM error was 4, NT error was NT_PIPE_NOT_AVAILABLE
> 
> pam_winbind[3736]: internal module error (retval=4, user='elekaj')
> 
> Password: (I enter my password again)
> ...

My computer is joined to the domain. The domain is a server with Samba (on RedHat 9). My computer runs Gentoo Linux, with Samba 3.0.14a-r2.

Where is my error?

Thanks

Elekaj

----------

## BlueScreeN

Try this command to see if your Kerberos is OK.

```
getent passwd
```

That should return all your accounts from your KDC.

If it doesn't, make sure your KDC is running and reachable; check name resolution.

I assume you are running your Kerberos KDC on the RedHat machine?

I have only tried this with a Windows KDC (W2003-AD) but I don't see why it wouldn't work with a *Nix KDC, running MIT or Heimdal.

//BlueScreeN.

----------

## M.A.

Worked for me, thanks for the info!

I have only one little issue when logging through ssh: if the user comes from AD, it asks for the password TWICE, and both times you should type the correct one to enter...

Anyone with this? Any clues? Thanks.

----------

## BlueScreeN

Check your /etc/pam.d/system-auth

Make sure you have "use_first_pass" in the correct places.

I don't know if the order of lines in that file matters as well.

//Bluescreen.

----------

## M.A.

Thanks, you gave me the clue. That was that parameter "use_first_pass" but in /etc/pam.d/sshd as it happened only with ssh. In fact, I cannot enter through ssh if I put "use_first_pass" in system-auth. Anyway, thank you!

----------

## humbletech99

Question. *Quote:*

> /etc/conf.d/samba (Relevant pieces only)
> 
> Code:
> 
> daemon_list="smbd nmbd winbind"

Is it supposed to be "... winbind", or "... winbindd", which is the executable name?

OK, tested it out: it's supposed to be just "... winbind" and then you can set the winbind options below. -B seems to be recommended so I've added this. If anyone thinks differently, please let me know...

----------

