
SLES 9 Authentication to Active Directory

Novell Cool Solutions: Tip
By Cameron Seader


Posted: 27 Jul 2006
 

This document is intended for those who would like to set up authentication of a SLES 9 server against a Windows Active Directory server. Follow the instructions below and you will have this working in no time. Note: the exact software versions used in this document are probably not significant to getting this working.

We created a Windows 2003 Server, installed ADS on it and named it server.example.com. We then installed Windows Services for Unix, which can be downloaded from http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx.

After loading Windows Services for Unix we can adjust an existing user, or create a new one, so that it can be used from Linux. Follow the steps and screen shots below to adjust the user properly.

  1. Open Active Directory Users and Computers.

  2. Open the Properties of the user account you would like to activate for Linux authentication. In this example we use geeko as the user.

  3. Once the properties dialog is open, click on the new UNIX Attributes tab.

  4. Notice the NIS Domain: field. Select the domain from that field (in this example we chose example.com) and modify the remaining fields according to the screen shot.

  5. You may also adjust the other options according to your own environment. I would suggest setting the Primary group name/GID field to 100 so as to stay with the standard users group in SLES and SLED, unless your standard is set to something else.

Now that the user has been modified in Active Directory for authentication from Linux, we can move on to the next step.

We then created a SLES 9 SP3 server.

After the installation was done we installed the Samba Suite (Complete) and Kerberos Client selections.

First we configured Samba 3 to authenticate with ADS. smb.conf is the main Samba configuration file. We initially used YaST to set up our Samba client and then went back to smb.conf to make adjustments. You can find a fully commented version at /usr/share/doc/packages/samba/examples/smb.conf.SuSE. Our configuration file is as follows:

#smb.conf
[global]
workgroup = EXAMPLE
os level = 2
time server = yes
unix extensions = yes
encrypt passwords = yes
log level = 1
syslog = 0
printing = CUPS
printcap name = CUPS
password server = server.example.com
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
wins support = no
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
security = ads
realm = EXAMPLE.COM
netbios name = hostname_of_linux_server
winbind separator = +
# adjust the two ID ranges below to your environment; smb.conf only knows
# whole-line comments, so keep notes like this one on their own line
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# you can drop the %D (domain) component below if you prefer /home/%U
template homedir = /home/%D/%U
template shell = /bin/bash
logon path = \\server\%U
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *password:*all*authentication*tokens*updated*successfully
pam password change = yes

[homes]
comment = Home Directories
valid users = %S
browseable = no
writeable = yes
create mask = 0640
directory mask = 0750

[netlogon]
comment = logon share
valid users = %S
# path must be a local directory on the Linux server; the SUSE default is used here
path = /var/lib/samba/netlogon
browseable = yes

[printers]
comment = All Printers
path = /var/tmp
printable = yes
create mask = 0600
browseable = no

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

After the smb.conf file was in place we configured the Kerberos client. You can set up the Kerberos client in YaST, which writes the necessary settings for you; we used YaST for this piece. Here is what the resulting /etc/krb5.conf file looks like:

#/etc/krb5.conf

[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        kdc = server.example.com
        admin_server = server.example.com
        kpasswd_server = server.example.com
    }
    # placeholder realm; not used in this setup
    OTHER.REALM = {
        kdc = OTHER.COMPUTER
    }

[domain_realm]
    .example.com = EXAMPLE.COM

[logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }

NOTE: Before starting any daemons, make sure that the client and the server can ping each other by short hostname as well as by FQDN. Kerberos is also sensitive to time: the clockskew = 300 setting above means the two clocks must agree to within five minutes, or ticket requests will be rejected.

After this was done, edit the /etc/nsswitch.conf file. Here is what our nsswitch.conf file looks like:

/etc/nsswitch.conf

#
# An example Name Service Switch config file. This file should be sorted
# with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an entry should
# stop if the search in the previous entry turned up nothing. Note that if
# the search failed due to some other reason (like no NIS server responding)
# then the search continues with the next entry.
#
# compat            Use compatibility setup
# nisplus           Use NIS+ (NIS version 3)
# nis               Use NIS (NIS version 2), also called YP
# dns               Use DNS (Domain Name Service)
# files             Use the local files
# db                Use the /var/db databases
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group: files nis
passwd: compat winbind
group: compat winbind
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
Now we can start the daemons:

  • rcsmb start
  • rcwinbind start

NOTE: Disable the nscd caching daemon in all runlevels, and stop it if it is running, with the following commands (winbind does its own caching, and nscd sitting in front of it leads to stale lookups):

  • rcnscd stop
  • chkconfig nscd off

After the daemons have started, check that you can retrieve the domain's users and groups with the following commands:

  • wbinfo -u
  • wbinfo -g

In order for a user to log in we need to edit the /etc/pam.d/login file as follows:

#%PAM-1.0
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix2.so nullok use_first_pass
auth required pam_deny.so
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
#session sufficient pam_unix2.so none # debug or trace
session sufficient pam_limits.so

Notice the pam_mkhomedir.so session line. It creates the user's home directory on the Linux side if one does not already exist, with umask 077 so that only the user has access to it.

Now you should be able to log in with a Windows username.
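As an added example (not part of the original tip), the following POSIX shell script checks the three files edited above for the mistakes that most often break this setup: a trailing comment on an smb.conf parameter line (smb.conf only supports whole-line comments, so "10000-20000 #adjust" is an invalid range), whitespace inside a section header such as "[ homes]", a group or passwd database in nsswitch.conf that does not consult winbind, and a pam_mkhomedir line without a restrictive umask. It then runs the same kind of live check as the wbinfo commands above, but only when the Samba tools are installed. The sample file contents it writes to a temporary directory are constructed for illustration, and the function names and the geeko lookup are assumptions of this example, not anything from SUSE or Samba.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# smb.conf, nsswitch.conf and PAM settings described in this tip.
# All file contents written below are constructed samples for illustration.

# smb.conf knows only whole-line comments ("#" or ";" in the first column).
# A trailing "#..." after a value becomes part of the value, so
# "winbind uid = 10000-20000 #adjust" is a broken range. Prints offenders,
# returns 1 if any were found.
smbconf_trailing_comments() {
    awk '/^[ \t]*[#;]/ { next }
         /=.*#/        { print FILENAME ":" FNR ": " $0; bad = 1 }
         END           { exit (bad ? 1 : 0) }' "$1"
}

# Section headers must read "[name]" exactly. "[ homes]" defines a share
# literally named " homes" and Samba's special [homes] handling is lost.
smbconf_bad_sections() {
    grep -nE '^\[([[:space:]]|.*[[:space:]][]])' "$1" && return 1
    return 0
}

# nsswitch.conf: the given database (passwd or group) must list winbind,
# otherwise getent and the login path never see domain accounts.
nsswitch_uses_winbind() {
    awk -v db="$2" '$1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
                    END            { exit (found ? 0 : 1) }' "$1"
}

# PAM: print the umask given to pam_mkhomedir on the session stack;
# returns 1 if the module (or its umask option) is missing.
pam_mkhomedir_umask() {
    awk '$1 == "session" && $3 ~ /pam_mkhomedir\.so/ {
             for (i = 4; i <= NF; i++) if (sub(/^umask=/, "", $i)) { print $i; found = 1 }
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Expand "template homedir" the way winbind does (%D = short domain name,
# %U = user name) so the parent directory can be created ahead of time.
expand_template_homedir() {
    printf '%s\n' "$1" | sed -e "s|%D|$2|g" -e "s|%U|$3|g"
}

# Live checks, run only where the Samba tools exist (skipped otherwise).
online_checks() {
    if command -v net >/dev/null 2>&1; then
        net ads testjoin || echo "machine account join is not valid"
    fi
    if command -v wbinfo >/dev/null 2>&1; then
        wbinfo -t || echo "winbind cannot verify the trust secret"
        wbinfo -u | head -n 5
    fi
    # With "winbind use default domain = yes" the domain user resolves unprefixed.
    getent passwd geeko || echo "geeko is not resolvable through NSS"
}

# Stand-alone demonstration on constructed samples that reproduce the pitfalls.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[global]' 'winbind uid = 10000-20000 #adjust to your environment' '[ homes]' > "$d/smb.conf"
    printf '%s\n' 'passwd: compat winbind' 'group: compat' > "$d/nsswitch.conf"
    printf '%s\n' 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0077' > "$d/login"

    smbconf_trailing_comments "$d/smb.conf" || echo "fix: move each comment onto its own line"
    smbconf_bad_sections "$d/smb.conf"      || echo "fix: remove whitespace inside the brackets"
    nsswitch_uses_winbind "$d/nsswitch.conf" group || echo "fix: append winbind to the group: line"
    echo "pam_mkhomedir umask: $(pam_mkhomedir_umask "$d/login")"
    expand_template_homedir '/home/%D/%U' EXAMPLE geeko
    rm -rf "$d"
}

demo
```

Run it on the real files (for example `smbconf_trailing_comments /etc/samba/smb.conf` and `nsswitch_uses_winbind /etc/nsswitch.conf passwd`) before starting rcsmb and rcwinbind; once the daemons are up, `online_checks` complements `wbinfo -u` and `wbinfo -g` by confirming the machine account join and that a domain user resolves through NSS.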

If you would like to log in to this same server via other methods such as ssh, you will need to make the same kind of changes to the file /etc/pam.d/sshd.

Enjoy!!

