{"id":802,"date":"2007-05-30T18:02:18","date_gmt":"2007-05-30T17:02:18","guid":{"rendered":"http:\/\/www.markwilson.co.uk\/blog\/2007\/05\/using-active-directory-to-authenticate-users-on-a-linux-computer.htm"},"modified":"2008-03-12T20:28:27","modified_gmt":"2008-03-12T20:28:27","slug":"using-active-directory-to-authenticate-users-on-a-linux-computer","status":"publish","type":"post","link":"https:\/\/www.markwilson.co.uk\/blog\/2007\/05\/using-active-directory-to-authenticate-users-on-a-linux-computer.htm","title":{"rendered":"Using Active Directory to authenticate users on a Linux computer"},"content":{"rendered":"

I’m not sure if it’s the gradual improvement in my Linux knowledge, better information on the ‘net, or just that integrating Windows and Unix systems is getting easier but I finally got one of my non-Windows systems to authenticate against Active Directory (AD) today. It may not sound like much of an achievement but I’m pretty pleased with myself.<\/p>\n

Active Directory<\/a> is Microsoft’s LDAP-compliant directory service, included with Windows server products since Windows 2000. The AD domain controller that I used for this experiment was running Windows Server 2003 with service pack 2 (although the domain is still in Windows 2000 mixed mode and the forest is at Windows 2000 functional level) and the client PC was running Red Hat Enterprise Linux (RHEL) 5.<\/p>\n

The first step is to configure the Linux box to use Active Directory. I ran this as part of the RHEL installation but it can also be configured manually, or using system-config-authentication<\/code>. The best way to do this is using LDAP and Kerberos (as described by Scott Lowe)<\/a> but Scott’s advice indicates that would require some AD schema changes to incorporate Unix user information; the method I used is based on Winbind and doesn’t seem to require any changes on the server as Winbind allows a Unix\/Linux box to become a full member of a Windows NT\/AD domain<\/a>.<\/p>\n

\"WinbindThe settings I used can be seen in the screen grab, specifying the Winbind domain (NetBIOS domain name), security model (ADS), Winbind ADS realm (DNS domain name), Winbind domain controller(s) and the template shell (for users with shell access), following which \"Winbind I selected the Join Domain button and supplied appropriate credentials and the machine was successfully joined the domain (an error was displayed in the terminal window indicating that Kerberos authentication failed – not surprising as it hadn’t been configured – but the message continued by reporting that it had fallen back to RPC communications and resulted in a successful join).<\/p>\n

For reference, the equivalent manual process would have been something like:<\/p>\n

    \n
  1. Edit the name service switch file (\/etc\/nsswitch.conf) to include the following:<\/li>\n

    passwd: files winbind
    \nshadow: files winbind
    \ngroup: files winbind
    \nnetgroup: files
    \nautomount: files<\/code><\/p>\n

  2. Edit the Samba configuration file (\/etc\/samba\/smb.conf) to include the following configuration lines in the [global]<\/code> section:<\/li>\n

    workgroup = DOMAINNAME<\/em>
    \nsecurity = ads
    \npassword server = domaincontroller<\/em>.domainname<\/em>.tld<\/em>
    \nrealm = DOMAINNAME<\/em>.TLD<\/em>
    \nidmap uid = 16777216-33554431
    \nidmap uid = 16777216-33554431
    \ntemplate shell = \/bin\/bash
    \nwinbind use default domain = false<\/code><\/p>\n

  3. Edit the PAM authentication configuration (\/etc\/pam.d\/system-auth) to append broken_shadow<\/code> to account required pam_unix.so<\/code> and to insert:<\/li>\n

    auth sufficient pam_winbind.so use_first_pass
    \naccount [default=bad success=ok user_unknown=ignore] pam_winbind.so
    \npassword sufficient pam_winbind.so use_authtok<\/code><\/p>\n

  4. Join the domain:<\/li>\n

    \/usr\/bin\/net join -w DOMAINNAME<\/em> -S domaincontroller<\/em>.domainname<\/em>.tld<\/em> -U username<\/em><\/code><\/p>\n

  5. Restart the winbind and nscd services:<\/li>\n

    service winbind restart
    \nservice nscd restart<\/code><\/ol>\n

    It’s also possible to achieve the same results using authconfig<\/code> (as described by Bill Boswell)<\/a>.<\/p>\n

    Once these configuration changes have been made, AD users should be able to authenticate, but they will not have home directories on the Linux box, resulting in a warning:<\/p>\n

    Your home directory is listed as:<\/em><\/p>\n

    ‘\/home\/<\/em>DOMAINNAME\/<\/em>username‘ <\/em><\/p>\n

    but it does not appear to exist. Do you want to log in with the \/ (root) directory as your home directory? It is unlikely anything will work unless you use a failsafe session.<\/em><\/p>\n

    or just a simple:<\/p>\n

    No directory \/home\/<\/em>DOMAINNAME\/<\/em>username!
    \n<\/em><\/p>\n

    Logging in with home = “\/”.<\/em><\/p>\n

    This is easy to fix, as described in Red Hat knowledgebase article 5367<\/a>, adding session required pam_mkhomedir.so skel=\/etc\/skel umask=0077<\/code> to \/etc\/pam.d\/system-auth. After restarting the winbind service, the first subsequent login should be met with:<\/p>\n

    Creating directory ‘\/home\/<\/em>DOMAINNAME\/<\/em>username‘<\/em><\/p>\n

    The parent directory must already exist; however some control can be exercised over the naming of the directory – I added template homedir = \/home\/%D\/%U<\/code> to the [global]<\/code> section in \/etc\/samba\/smb.conf (more details can be found in Red Hat knowledgebase article 4760<\/a>).<\/p>\n

    At this point, AD users can log on (using DOMAINNAME<\/em>\\username<\/em> at the login prompt) and have home directories dynamically created but (despite selecting the cache user information and local authorization is sufficient for local users options in system-config-authentication<\/code>) if the computer is offline (e.g. a notebook computer away from the network), then login attempts will fail and the user is presented with the following warning:<\/p>\n

    Incorrect username or password. Letters must be typed in the correct case.<\/em><\/p>\n

    or:<\/p>\n

    Login incorrect<\/em><\/p>\n

    In order to allow offline working, I followed some advice relating to another Linux distribution (Mandriva disconnected authentication and authorisation<\/a>) but it still worked for me on RHEL. All that was required was the addition of winbind offline logon = yes<\/code> to the [global]<\/code> section of \/etc\/samba\/smb.conf along with some edits to the \/etc\/pam.d\/system-auth file:<\/p>\n