# PAM and ActiveDirectory best practices

## VinzC

Hi.

I'd like to link some GNU/Linux servers with Active Directory so as to be able to login locally with a domain user account, kind of. The long story is I'd like to use PAM and Active Directory for authentication and session handling. I'd like to rely upon Kerberos for PAM passwd and auth services but I wonder what direction for session/profile management.

A concrete case is vsftp. I'd like to use domain accounts as well as local accounts with vsftp. Since vsftp uses PAM for authentication and PAM supports Kerberos, the passwd and auth service are one part of the solution. The second part is I'd like to chown uploaded files with the user account who uploaded these files. While it's possible with local accounts, I wonder how with Active Directory.

Should I use winbind or should I add Unix-specific schema information to the domain controller to provide all of my AD user accounts with a UID/GID? As I'd like not to settle the heavy weaponry for just a few user accounts (hence I'm already drifting off samba, I think...) I expect UNIX schemas are the smart way, right?

Thanks for any hint/suggestion.

EDIT: I've just noticed AD supports (but doesn't fill) UNIX attributes uidNumber and gidNumber. It looks like Windows Services for UNIX comprises the required tools. I'll check that.

----------

## msalerno

I have just finished implementing this at my workplace.  Your questions are not too clear though.

Great article you should read: http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx

Authentication:

Winbind -vs- Kerberos & Ldap - I chose winbind due to the fact that I do not have to bind any service to a single AD server.

IDMAP (UID/GID/Shell/GCOS/Homedir) - RID & template -vs- RFC 2307 - I chose the RID method, but I would have preferred to go with the RFC 2307 method.

If you have any specific questions, lay them out and I'll do my best to answer them.

You might want to look into the ~arch version of samba.

```text
net-fs/samba-libs-3.4.3  USE="addns ads aio cups ldap netapi pam smbclient smbsharemodes syslog tools winbind -caps -cluster -debug -examples -samba4" 0 kB
net-fs/samba-client-3.4.3  USE="ads aio avahi cups ldap syslog winbind zeroconf -caps -cluster -debug -minimal -samba4" 0 kB
net-fs/samba-server-3.4.3  USE="acl ads aio avahi cups fam ldap syslog winbind zeroconf -caps -cluster -debug -doc -examples -quota -samba4 -swat" 0 kB
net-fs/samba-3.4.3  USE="client server" 0 kB
```

----------

## VinzC

Thanks a lot msalerno.

I'll try the RFC2307 as, if I've understood, Active Directory (on Windows 2003 domain controllers) already supports uidNumber and gidNumber, which I just need to map appropriately with NSS.

The article you pointed to provides valuable information indeed. I'll dig into it more deeply but I think I've made up my mind with the final solution as compiling Samba on every UNIX machine that needs authentication against Active Directory is a little bit overkill to me. It's more flexible, okay, but in this case I don't mind binding against one particular DC -- there is only one in the site I'm planning to install the FTP server. Password expiry is not a problem as clients are Windows only hence handle that appropriately. So I'll probably take the Kerberos/LDAP path in the end.

Looking at what IDMAP is, I came across this article. The article mentions SFU (Services For UNIX), which I've installed. It also states there are plugins to provide access to UNIX properties but I've seen none so far -- I might have not installed the appropriate components.

----------

## msalerno

SFU is pretty much deprecated.  If you are going the route of RFC2307, there is no need to install SFU.  Windows 2003 R2 already includes the RFC2307 extensions in AD, even if you are running an older version, I would recommend expanding the AD schema to use RFC2307 rather than SFU.

----------

## VinzC

*msalerno wrote:*

> SFU is pretty much deprecated.  If you are going the route of RFC2307, there is no need to install SFU.  Windows 2003 R2 already includes the RFC2307 extensions in AD, even if you are running an older version, I would recommend expanding the AD schema to use RFC2307 rather than SFU.

As a matter of fact, I could figure it out by myself...  :Laughing:  Right now I've set up Kerberos and it works with LDAP queries and GSSAPI. Next I'm trying to configure LDAP NSS for PAM.

I've also found out that there are actually numeric values for primary groups in Active Directory, which could spare me from “inventing” gids in spite of uids. That's the primaryGroupID (attribute of class user) and primaryGroupToken (attribute of class group). The primaryGroupID attribute designates a user's primary group (of course!), which refers to the group's primaryGroupToken attribute. I'm only interested in a user's primary group, so that comes in handy.

Thanks to adsiedit.msc...

----------

## msalerno

If you don't want to have to configure uids/gids for each user, then you might want to consider the RID method, rather than the RFC.  Your call.

----------
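As an added example that is not part of the thread (none of this code is VinzC's or msalerno's), the following toy resolver contrasts the two mapping strategies discussed in the two posts above: RFC 2307 attributes, where a missing gidNumber is resolved through primaryGroupID and the group's primaryGroupToken as VinzC described, versus RID-based mapping in the style of winbind's idmap_rid (ID = RID + LOW_RANGE_ID, with base_rid left at its default of 0). All directory objects, SIDs, local passwd lines, the id range and the names AD_USERS, AD_GROUPS, MIN_DOMAIN_ID, rfc2307_ids, rid_ids, passwd_entry and local_uid_collisions are assumptions constructed for the example. It also carries the check a practitioner wants whichever method is chosen: uidNumber is just a writable directory attribute, so a value in the local or system id range, or one that collides with an existing local account, must be refused rather than handed to NSS.

```python
# Added example, not code from the thread: a toy resolver contrasting the two
# id-mapping strategies discussed above. Every entry below is constructed.

MIN_DOMAIN_ID = 10000              # assumption: ids below this belong to local/system accounts
RID_LOW, RID_HIGH = 10000, 20000   # assumed idmap range for the RID strategy

# Constructed AD objects, keyed by objectSid (string form). The RFC 2307
# attributes are deliberately incomplete, as they are when nobody fills them.
AD_USERS = {
    "S-1-5-21-1111-2222-3333-1105": {
        "sAMAccountName": "alice", "uidNumber": 10001,          # no gidNumber set
        "primaryGroupID": 513, "unixHomeDirectory": "/home/alice",
        "loginShell": "/bin/bash",
    },
    "S-1-5-21-1111-2222-3333-1106": {
        "sAMAccountName": "bob", "primaryGroupID": 513,         # no uidNumber at all
    },
    "S-1-5-21-1111-2222-3333-1107": {
        "sAMAccountName": "carol", "uidNumber": 0, "gidNumber": 0,  # wrong or hostile value
        "primaryGroupID": 513,
    },
}
AD_GROUPS = {
    "S-1-5-21-1111-2222-3333-513": {
        "sAMAccountName": "Domain Users", "primaryGroupToken": 513, "gidNumber": 10000,
    },
}
# Constructed local /etc/passwd; the local 'backup' account already owns uid 10001.
LOCAL_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "ftp:x:21:21::/var/ftp:/sbin/nologin",
    "backup:x:10001:10001::/var/backups:/sbin/nologin",
]


def rid_of(sid):
    """The relative identifier is the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def rfc2307_ids(user):
    """uid/gid from RFC 2307 attributes. A missing gidNumber is resolved through
    primaryGroupID -> the group's primaryGroupToken -> that group's gidNumber.
    Returns None when the attributes simply are not populated."""
    uid = user.get("uidNumber")
    if uid is None:
        return None
    gid = user.get("gidNumber")
    if gid is None:
        token = user.get("primaryGroupID")
        for group in AD_GROUPS.values():
            if group.get("primaryGroupToken") == token:
                gid = group.get("gidNumber")
                break
    return None if gid is None else (uid, gid)


def rid_ids(sid, user, low=RID_LOW, high=RID_HIGH):
    """idmap_rid style: ID = RID + LOW_RANGE_ID for users and groups alike
    (primaryGroupID is the primary group's RID). Outside the range -> None."""
    uid = rid_of(sid) + low
    gid = user["primaryGroupID"] + low
    if not (low <= uid <= high and low <= gid <= high):
        return None
    return uid, gid


def passwd_entry(sid, strategy):
    """Build a passwd(5) line, or None if the account cannot be mapped safely.
    Ids below MIN_DOMAIN_ID are refused: uidNumber is just a writable attribute,
    so a value of 0 must never turn a domain user into root on the Linux box."""
    user = AD_USERS[sid]
    ids = rfc2307_ids(user) if strategy == "rfc2307" else rid_ids(sid, user)
    if ids is None:
        return None
    uid, gid = ids
    if uid < MIN_DOMAIN_ID or gid < MIN_DOMAIN_ID:
        return None
    name = user["sAMAccountName"]
    home = user.get("unixHomeDirectory", f"/home/{name}")
    shell = user.get("loginShell", "/sbin/nologin")
    return f"{name}:x:{uid}:{gid}:{name}:{home}:{shell}"


def local_uid_collisions(entries):
    """Names of mapped domain accounts whose uid already exists in the local passwd."""
    local_uids = {int(line.split(":")[2]) for line in LOCAL_PASSWD}
    return [e.split(":")[0] for e in entries if int(e.split(":")[2]) in local_uids]


if __name__ == "__main__":
    for strategy in ("rfc2307", "rid"):
        entries = [passwd_entry(sid, strategy) for sid in AD_USERS]
        print(f"--- {strategy} ---")
        for sid, entry in zip(AD_USERS, entries):
            print(entry or f"{AD_USERS[sid]['sAMAccountName']}: not mappable")
        print("collisions with local accounts:",
              local_uid_collisions([e for e in entries if e]))
```

Run as a script it prints both mappings side by side: under RFC 2307, bob is unmappable because nobody filled his uidNumber, carol is refused because her attributes point at id 0, and alice collides with the local backup account; under the RID method all three map without collisions, but the resulting ids are only stable across machines if every host uses the same range.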

## VinzC

*msalerno wrote:*

> If you don't want to have to configure uids/gids for each user, then you might want to consider the RID method, rather than the RFC.  Your call.

But I need Samba for that, right?

----------

## msalerno

You need winbind for that.  There is no need to run SMB or NMB.

----------

## VinzC

I think I'm going the Winbind way. After all, if I want Active Directory users to also put files on the server, I'll use Samba instead. It'll probably be faster to set up...

----------

## VinzC

I've used Winbind as suggested and now the server is fully set up. It works fine both ways: LAN access with Samba for Active Directory users, FTP for the rest of the world.

Thanks for your help.

----------

