# Authenticating Linux to Active Directory

## nash11

Hey, anyone here ever been able to get Linux to authenticate to Windows Active Directory? Here at work we have a large domain running Windows Active Directory and I would like to see if I can authenticate users to it. What I want is to log in to the Linux server via the authentication of the Windows AD. I know this can be done in Mac OS X, and a Google search yielded some results for Linux. The setup is pretty complicated though and there are multiple programs I think I need to run, but I'm not really sure what does what.

Anyone have any experience with this? Thx in advance.

----------

## gerdesj

*nash11 wrote:*

> Hey, anyone here ever been able to get Linux to authenticate to Windows Active Directory? Here at work we have a large domain running Windows Active Directory and I would like to see if I can authenticate users to it. What I want is to log in to the Linux server via the authentication of the Windows AD. I know this can be done in Mac OS X, and a Google search yielded some results for Linux. The setup is pretty complicated though and there are multiple programs I think I need to run, but I'm not really sure what does what.
> 
> Anyone have any experience with this? Thx in advance.

A casual Google on this will be a little confusing.

What you probably need is Samba.

Note that modern Sambas do not need to have krb5.conf set up. It is quite easy to do; quick run-down (this is off the top of my head so double-check things):

emerge samba and winbind (USE=kerberos will be needed as well)

I suggest getting SWAT up and running because it has links to the docs and a nice neat configuration interface (emerge xinetd if it isn't on your system, edit /etc/xinetd.d/swat and allow from wherever and disable=false, restart xinetd and browse to http://<host>:901, log in as root):

/etc/samba/smb.conf (you will have other options as well and share definitions):

```
[global]
        workgroup = <NetBIOS name of the domain>
        realm = <DOMAIN.NAME>
        security = ADS
        update encrypted = Yes
        obey pam restrictions = Yes
        unix password sync = Yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = users
        template shell = /bin/bash
        winbind use default domain = Yes
```

/etc/conf.d/samba:

```
daemon_list="smbd nmbd winbind"
```

/etc/nsswitch.conf (add in winbind):

```
passwd:      compat winbind
shadow:      compat
group:       compat winbind
```

```
#/etc/init.d/samba start
#net ads join -U <username>
```

(prompts for password; the username is a valid AD user that can add a machine account to the domain)

```
#net ads info
```

should give some useful output.

Now do:

```
#getent passwd
#getent group
```

and you should see that the AD users and groups are now listed.

Next change /etc/pam.d/samba:

```
#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
# * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility
#    (Diego "Flameeyes" Petteno'): enable with pam>=0.78 only
#auth       required     pam_smbpass.so nodelay
##account    include      system-auth
##session    include      system-auth
#account    required     pam_stack.so service=system-auth
#session    required     pam_stack.so service=system-auth
#password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

# Use Winbind instead
auth            sufficient      pam_winbind.so
auth            required        pam_unix.so nullok
account         sufficient      pam_winbind.so
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0066
```

Now you should be able to browse from a Windows box to \\<linuxbox> and it will automagically log you in and create a home directory in /home/DOMAIN/username.

You can do a similar thing with PAM for login as well eg using ssh, telnet and the console.  Warning though, before you mess with /etc/pam.d/system-auth, make sure you have at least one terminal or console logged in as root so that you can undo any unfortunate mistakes!  You can lock yourself out of the system and have to use single user mode to get back in.  Also backup the /etc/pam.d directory somewhere safe before messing with it.

Put a .maildir in /etc/skel and you have the basis for a neat mail system for Windows machines.  Just add an imapd (eg Courier) and an mta (eg Exim) and off you go.

Look into ntlm_auth if you want to do some interesting things with Squid.

Cheers

Jon

----------

## think4urs11

*gerdesj wrote:*

> *nash11 wrote:* Hey, anyone here ever been able to get Linux to authenticate to Windows Active Directory? Here at work we have a large domain running Windows Active Directory and I would like to see if I can authenticate users to it. What I want is to log in to the Linux server via the authentication of the Windows AD. I know this can be done in Mac OS X, and a Google search yielded some results for Linux. The setup is pretty complicated though and there are multiple programs I think I need to run, but I'm not really sure what does what.
> 
> Anyone have any experience with this? Thx in advance.
> 
> A casual Google on this will be a little confusing.
> ...

No you don't; actually it is *much* cleaner to use only Kerberos & co. There's simply no need at all to install Samba just because of authentication against AD.

As a first start see e.g. (3rd hit on Google, btw)

http://www.windowsnetworking.com/articles_tutorials/Authenticating-Linux-Active-Directory.html

----------

## nash11

Thx for the suggestions,

I have searched through the web; there are some methods that could do the authentication of Linux with Windows Active Directory, including LDAP, pam.d, Winbind, Samba, NIS etc. It is very confusing; all these methods seem to have a relationship but not exactly the same architecture. Can anyone advise what the difference between these methods is? Which one of them is better? Thx

----------

## Rikai

Many of those things you listed go together.

The Samba package can be configured with winbind support, which is one way to authenticate against an Active Directory server. It's a bit more complicated than Kerberos, it seems, but I use it so that I can get group information from Active Directory as well. I don't know if that can be done with Kerberos.

Whether you choose Kerberos or winbind to do the authentication, you will need to set up PAM so that when a user logs in, they are required to be authenticated against the AD. The Samba and Kerberos packages should add the PAM modules you'll need when they are emerged. The file you'll need to look at is /etc/pam.d/login. You'll need to add a line that says something like "auth required <module>", where <module> depends on whether you use winbind or Kerberos.

I'm pretty sure that's how everything goes. I use samba/winbind on my network here at work to authenticate users for our Squid proxy, so that the users don't need to sign on a second time after logging into Windows to use the internet, and so that users in different groups can have different levels of access. So what I need in my network is probably a bit different from what you need for yours. I remember reading about a lot of this stuff when setting up my proxy, so hopefully this is correct (and helpful).

----------

## nash11

Thx for the reply,

I am trying to set up Samba on the Linux side; can you advise what I need to do on the Windows (AD server) side? Do I need to export some directory and release any permission for the Linux client to log in? Thx.

----------

## Rikai

Nope, you should not need to do anything on the windows side of things.

----------

## dlambeth

I've been struggling for nearly a month trying to get this working. Anybody successful at getting active directory authentication to work?

Thanks ahead,

----------

## gerdesj

*dlambeth wrote:*

> I've been struggling for nearly a month trying to get this working. Anybody successful at getting active directory authentication to work?
> 
> Thanks ahead,

Please see my post at the top.  I've just run through it and about the only thing I can see missing is adding winbind to /etc/conf.d/samba.  Oh and ensuring that the clock is synchronized between the Samba box and AD DC (4 seconds is the allowed dispersion).

I've got several systems running this. Could you be a bit more specific about what the problems are that you are getting? For example, can you do a "net ads join -U administrator" OK?

Cheers

Jon

----------

## dlambeth

Yeah, I've gone through the directions on how to set it up, and checked everything twice. I manage to get it working okay, then something happens after a while. It just decides to stop; the clock is okay. I would try to rejoin the domain and I would get errors like the following.

```
Cannot resolve network address for KDC in realm darwinsdomain.com while getting initial credentials
```

and

```
Failed to join domain: Operations error
ADS join did not work, falling back to RPC...
Joined domain DARWINSDOMAIN.
```

It seems this fork of the project is just plain broken, it's very inconsistent. I really wish the developers would have left the authentication scheme alone, I had no problems using NTLM auth in the previous versions.

Uggg, what a headache.

----------

## dlambeth

Bumping this up.

----------

## P0w3r3d

Hi there..

Here at my university we developed software to add/remove a GNU/Linux machine from an AD domain, only entering the domain and a user and password which can add the PC.

It is called capoeira, but we don't have it on the internet. I'll contact one of the developers and bring him here.

----------

## dlambeth

Yes, that would be great. I am working on a prototype hardware appliance and I need this functionality. 

Thanks ahead,


----------

## gerdesj

*dlambeth wrote:*

> Bumping this up.

I have several Gentoo boxes (>10) happily joined to various ADs reliably for the last 3+ years using winbind for authentication to the system itself and Squid proxy.  I think it is a stable solution to the 'AD isn't exactly standard' problem ...

The errors seem to indicate that your DNS is broken in some way. There should be a load of SRV records for the AD, pointing to the DCs. What type of DNS are you using? (MS, Novell, BIND etc?)

Have a look at this: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_nndb.mspx?mfr=true  "Verifying Your Basic DNS Configuration" from MS.

Adding a Samba system is only:

```
#net ads join -U administrator
```

and off you go but the DNS must be correct.

Cheers

Jon

----------

## dlambeth

DNS is set up correctly, I have verified all of that. It seems everything is correctly set up, yet I am still unable to get "ads" to work. I can join the domain via RPC with no problems, but ADS just will not work. I did have it working twice before, but it did not last long and it lost connection to the directory.

My server(s) run pretty pristine directory services; I don't have any NS or AD-related problems. If I were to take an educated guess I would think it's a Kerberos issue. Someone stated that the machines' clocks needed to be within 4 seconds of each other, but frankly I don't see how that could ever be achieved without some sync program which I'm not aware of.

I included my configuration files below for you to glance at, they seem okay to me but perhaps I'm missing something.

Thanks for your help,

ERRORS:

----------

## gerdesj

*dlambeth wrote:*

> If I were to take an educated guess I would think it's a Kerberos issue. Someone stated that the machines' clocks needed to be within 4 seconds of each other, but frankly I don't see how that could ever be achieved without some sync program which I'm not aware of.

I'll pick over your config when I have some time.  

(s)ntp will sync time.  To both of those, 4s is a lifetime!  They just have to all point at the same source.  If you are unable to get to the public pool.ntp.org, set up a box or two internally with ntpd (or openntpd) and then point all of your systems at those to get a consistent time across the lot.

On Windows, either play with "net time /SETSNTP:<list of servers>" or install ntpd or use something like Automachron. See: http://www.meinberg.de/english/sw/ntp.htm for a good ntpd implementation with a nice monitor. On Gentoo, emerge -va openntpd or emerge -va ntpd.

Also, I have heard that >Win 2003 SP2 supports proper ntp (ie not the naff MS simple version) out of the box. Personally I run ntpd on Windows systems and a mix of ntpd and openntpd on Linux.

You should be able to get time sync to within <50 milliseconds on all devices unless they have a really crap clock.

Cheers

Jon

Example ntp.conf:

```
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
server 127.127.1.0
fudge  127.127.1.0 stratum 5
driftfile       /var/lib/ntp/ntp.drift
restrict default nomodify nopeer
restrict 127.0.0.1
restrict 192.168.100.0 mask 255.255.255.0 nomodify nopeer notrap
```

----------

## dlambeth

I have all of that done already as well; my clock seems to be within 4 seconds of the server, that's the best it will do. I'm using kernel linux-2.6.23-hardened-r12, maybe there is an issue with this version. I still think the old NTLM/Squid auth worked much better, and was much easier to configure.

I'm going to try to get another workstation to work with ADS to see if it's my distro or not.

Cheers!

----------

## dlambeth

************RESOLVED********************

https://bugzilla.novell.com/show_bug.cgi?id=331036#c3

After doing some research, I found out that it's an mDNS issue. You cannot join a Linux box up to a domain with a .local domain. My domain is osdevices.local, and for this reason it will not work. What a bunch of crap, now I would have to rebuild my domain all over again to achieve this goal.

Oh well, let the formatting begin.

Cheers!

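The failures discussed in this thread (missing DC SRV records in DNS, clock skew against the KDC, a wrong smb.conf, and the .local/mDNS clash found in the post above) can all be checked before running "net ads join". The script below is an added example written for this page, not code from the thread; corp.example.com and dc1.corp.example.com are hypothetical, and the live section at the end assumes dig, Samba's "net time" and GNU date -d are available.

```shell
#!/bin/sh
# Pre-join sanity checks for a Samba/winbind AD member (added example, not from the thread).
# Check functions take input as arguments so they run offline; the live section at the
# end only runs when AD_REALM is set, e.g.:
#   AD_REALM=corp.example.com AD_DC=dc1.corp.example.com sh check_ad_prereqs.sh
# (hypothetical names; the live part assumes dig, Samba's "net time" and GNU date -d)

# 1. DNS: AD publishes SRV records for its DCs. $1 is the output of
#    `dig +short SRV _ldap._tcp.dc._msdcs.<realm>` ("prio weight port target." per line).
srv_has_target() {
    printf '%s\n' "$1" | awk 'NF == 4 && $3 ~ /^[0-9]+$/ && $4 ~ /\.$/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}
# 2. Realm naming: a .local realm collides with mDNS (the thread's final diagnosis).
realm_name_ok() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.local) return 1 ;;
        *)       return 0 ;;
    esac
}
# 3. Clock skew: Kerberos rejects requests whose timestamp is further from the KDC
#    than the allowed skew. $1 local epoch, $2 DC epoch, $3 allowed seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "$3" ]
}
# 4. smb.conf: [global] must contain "security = ADS" and "realm = $2".
#    $1 is the file contents; keys are case-insensitive and whitespace is ignored.
smbconf_ads_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { line = tolower($0); gsub(/[ \t]/, "", line) }
        line == "security=ads"     { sec = 1 }
        index(line, "realm=") == 1 { realm = substr(line, 7) }
        END { exit (sec && realm == tolower(want)) ? 0 : 1 }'
}

if [ -n "${AD_REALM:-}" ]; then
    realm_name_ok "$AD_REALM" || echo "WARN: $AD_REALM ends in .local; mDNS may intercept lookups"
    srv_has_target "$(dig +short SRV "_ldap._tcp.dc._msdcs.$AD_REALM")" \
        || echo "FAIL: no DC SRV records for $AD_REALM; fix DNS before net ads join"
    smbconf_ads_ok "$(cat /etc/samba/smb.conf)" "$AD_REALM" \
        || echo "FAIL: smb.conf needs security = ADS and realm = $AD_REALM"
    if [ -n "${AD_DC:-}" ]; then
        dc_epoch=$(date -d "$(net time -S "$AD_DC")" +%s)   # DC clock, read over SMB
        skew_ok "$(date +%s)" "$dc_epoch" 4 || echo "FAIL: clock more than 4s off $AD_DC"
    fi
fi
```

The 4-second threshold is the figure quoted in this thread; pass whatever skew your KDC actually tolerates.
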
----------

## gerdesj

*dlambeth wrote:*

> ************RESOLVED********************
> 
> https://bugzilla.novell.com/show_bug.cgi?id=331036#c3
> 
> After doing some research, I found out that it's an mDNS issue. You cannot join a Linux box up to a domain with a .local domain. My domain is osdevices.local, and for this reason it will not work. What a bunch of crap, now I would have to rebuild my domain all over again to achieve this goal.
> ...

Well spotted!  It is a shame and up until a few years ago .local was MS's recommendation for internal domains.  Then all of a sudden it was quietly removed from their docs presumably when it was noticed that the autoconf thing uses it (Apple et al).  Sadly this still doesn't seem to have permeated through to some MCSEs who still insist on using it citing "best practice".  I believe it is still in the MCSE training which shows how often that is reviewed ...

Make your internal and external DNS and your AD have the same name and many problems will just go away.

Cheers

Jon

----------

## dlambeth

I hear ya...

It's also a shame because there are many domains out there that use .local, and my prototype firewall appliance is supposed to work with AD, but now I'm not sure what I'm going to do.

D'oh!

----------

## gerdesj

*dlambeth wrote:*

> I hear ya...
> 
> It's also a shame because there are many domains out there that use .local, and my prototype firewall appliance is supposed to work with AD, but now I'm not sure what I'm going to do.
> 
> D'oh!

Thinking about it, I have wired up a Samba to a .local domain (about two weeks ago).  Can you not bin mDNS on the Linux box?

Cheers

Jon

----------

## dlambeth

It's broken according to that article. I hope they fix it; I'm really screwed if I can't use .local domains.

----------

## gerdesj

*dlambeth wrote:*

> It's broken according to that article. I hope they fix it; I'm really screwed if I can't use .local domains.

The article mentioned is for Novell's distro.  You are using Gentoo (aren't you?) which does not need mDNS.  Trust me, I've done it!

----------

## dlambeth

Hmm...I'll have to look into it again.

Thanks,

----------

## dlambeth

Ugggh, still no luck getting ADS to work. Looks like I'm stuck falling back to the older version of Squid and ntlm_auth, which works great! At least until the bugs have been ironed out in ADS.

Cheers!

----------

