Create an LDAP Bind Account

You will also need an account in Active Directory that the Linux clients bind with for their LDAP queries. It needs no special privileges; in fact, making it a member of Domain Guests and not of Domain Users is perfectly fine, and it keeps the damage small if the credentials leak. Plan for them to leak: the bind password is written into /etc/ldap.conf, which has to be readable by every process that resolves users, and, as configured below (ssl no), it also crosses the network in clear text on every simple bind.

Prepare Active Directory (Each User)

Each Active Directory account that will log in through Linux must carry a UID and the other UNIX attributes. These are set on the “UNIX Attributes” tab of the user’s properties dialog (installing the “Server for NIS” component adds this tab, as mentioned previously). Be sure to set the login shell, home directory, UID, and primary UNIX group ID: an account without a UID and group ID has no POSIX identity, so it will not resolve through getent passwd and cannot log in.

Once all the user accounts have been configured, we are ready to configure the Linux server(s) for authentication against Active Directory.

Configure the SLED Workstation

On the SLED 10 client, set up your configuration files as illustrated below. The comment header of each file gives its name and location; replace items such as “domain.com” with settings specific to your environment.

We’ll start first with the /etc/hosts file:

###############
# /etc/hosts
###############
# This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 localhost
10.10.10.1 WINDOWS-DC-HOSTNAME.DOMAIN.COM WINDOWS-DC-HOSTNAME

# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
127.0.0.2 client-hostname.DOMAIN.COM client-hostname

Next, we configure the krb5.conf file. A note on the enctype lists: they come from a Server 2003 setup, so they still include single DES (des-cbc-crc, des-cbc-md5), which is broken and is disabled by default on Windows 7 / Server 2008 R2 and later domain controllers, and RC4 (arcfour-hmac-md5). Against a newer domain, drop the DES types and list the AES types first; AES is what a 2008-level domain will negotiate:

###############
# /etc/krb5.conf for connecting with Windows Server 2003
###############
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5

[realms]
DOMAIN.COM = {
kdc = windows-dc-hostname.domain.com
admin_server = windows-dc-hostname.domain.com
default_domain = DOMAIN.COM
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

Once Kerberos is configured, we configure LDAP. Two things to be aware of: host and uri both name the DC and only one is needed (uri is the form to keep), and ssl no means the simple bind with binddn/bindpw goes to port 389 in clear text. If the DC has a certificate (for example from Active Directory Certificate Services), ssl start_tls with tls_cacertfile pointing at the domain CA removes that exposure:

###############
# /etc/ldap.conf
# custom ldap.conf for connecting with Server 2003 R2
###############
host 10.10.10.1
base dc=domain,dc=com
uri ldap://windows-dc-hostname.domain.com/
binddn cn=linux-ldap-user,cn=Users,dc=domain,dc=com
bindpw ldap-user-passwd
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=domain,dc=com?sub
nss_base_shadow dc=domain,dc=com?sub
nss_base_group dc=domain,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap

Then configure the Name Service Switch to use LDAP. Keep files ahead of ldap on the passwd, shadow, and group lines: that is what lets root and the other local accounts resolve from /etc/passwd even when the domain controller is unreachable, and this is the file most likely to lock you out if mistyped (see the NOTE at the end):

###############
# /etc/nsswitch.conf
###############
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group: files nis

passwd: files ldap
shadow: files ldap
group: files ldap

hosts: files dns wins
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files

Almost there: next we need to make sure that time synchronization is working, since it is a prerequisite for Kerberos. By default the KDC rejects requests whose timestamp is more than five minutes off, and the symptom is a “Clock skew too great” error from kinit. The DC serves NTP itself, so we point ntpd at it:

###############
# /etc/ntp.conf file
#
# Sample NTP configuration file.
# See package 'ntp-doc' for documentation, Mini-HOWTO and FAQ.
# Copyright © 1998 S.u.S.E. GmbH Fuerth, Germany.
#
# Author: Michael Andres,
#
###############
#
# Radio and modem clocks by convention have addresses in the
# form 127.127.t.u, where t is the clock type and u is a unit
# number in the range 0-3.
#
# Most of these clocks require support in the form of a
# serial port or special bus peripheral. The particular
# device is normally specified by adding a soft link
# /dev/device-u to the particular hardware device involved,
# where u correspond to the unit number above.
#
# Generic DCF77 clock on serial port (Conrad DCF77)
# Address: 127.127.8.u
# Serial Port: /dev/refclock-u
#
# (create soft link /dev/refclock-0 to the particular ttyS?)
#
# server 127.127.8.0 mode 5 prefer
#
# Undisciplined Local Clock. This is a fake driver intended
# for backup and when no outside source of synchronized time
# is available.
#
server 127.127.1.0 # local clock (LCL)
fudge 127.127.1.0 stratum 10 # LCL is unsynchronized
#
# Outside source of synchronized time
#
# server xx.xx.xx.xx # IP address of server
server 10.10.10.1
#
# Miscellaneous stuff
#
driftfile /var/lib/ntp/drift/ntp.drift # path for drift file
logfile /var/log/ntp # alternate log file
# logconfig =syncstatus + sysevents
# logconfig =all
# statsdir /tmp/ # directory for statistics files
# filegen peerstats file peerstats type day enable
# filegen loopstats file loopstats type day enable
# filegen clockstats file clockstats type day enable
#
# Authentication stuff
#
# keys /etc/ntp.keys # path for keys file
# trustedkey 1 2 3 4 5 6 14 15 # define trusted keys
# requestkey 15 # key (7) for accessing server variables
# controlkey 15 # key (6) for accessing server variables

At this point we have Kerberos, LDAP, NSS over LDAP, and time synchronization configured and running. Now we configure Samba, which is what joins the machine to the domain (net ads join) and maintains its machine account. Two points to check in the file below: idmap backend = ad means the UIDs and GIDs come from the UNIX attributes set in Active Directory earlier, so the idmap uid and idmap gid ranges must cover the numbers you assigned there; and the [admin] share exports the entire filesystem (path = /) writable to Domain Admins with admin users, which makes every file operation on it run as root. Leave that share out unless you really want root-level access to the client over SMB.

###############
# /etc/samba/smb.conf file
###############
# smb.conf is the main Samba configuration file. You find a full
# commented version at /usr/share/doc/packages/samba/examples/
# smb.conf.SUSE if the samba-doc package is installed.
# Date: 2007-02-07
[global]
workgroup = DOMAIN-SHORTNAME
realm = DOMAIN.COM
security = ads
encrypt passwords = yes
use kerberos keytab = true
password server = windows-dc-hostname.domain.com
netbios name = client-hostname
winbind use default domain = yes
winbind separator = +
idmap uid = 1000-59999
idmap gid = 1000-59999
winbind enum users = yes
winbind enum groups = yes
deadtime = 10
winbind cache time = 10
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap backend = ad
ldap idmap suffix = dc=domain,dc=com
ldap admin dn = cn=Administrator,cn=Users,dc=domain,dc=com
ldap suffix = dc=domain,dc=com
dns proxy = no
domain master = no
preferred master = no
max log size = 100
log file = /var/log/samba/%m.log
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = no

[admin]
comment = Windows Admin Access
path = /
valid users = "@Domain_Admins"
admin users = "@Domain_Admins"
read only = No
create mask = 0664
browseable = No
inherit permissions = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

SLED uses PAM (Pluggable Authentication Modules) to control authentication and authorization, so next we configure PAM to use Kerberos where necessary. Four common files are involved. In common-auth and common-account, pam_krb5 is tried first and is sufficient, so a domain user never reaches pam_unix2; a local user fails pam_krb5 and falls through to pam_unix2 (which asks for the password a second time unless you give it use_first_pass). common-password is left at the SLED default, so passwd changes local accounts only; domain users change their password on Windows. common-session adds pam_mkhomedir, so a first login creates the home directory named in the user’s UNIX attributes:

###############
# /etc/pam.d/common-account - authorization settings common to all services
###############
# This file is included from other service-specific PAM config
# files, and should contain a list of the authorization modules
# that define the central access policy for use on the system.
# The default is to only deny service to users whose accounts
# are expired.
#
account sufficient pam_krb5.so
account required pam_unix2.so

###############
# /etc/pam.d/common-auth - authentication settings common to all services
###############
# This file is included from other service-specific PAM config
# files, and should contain a list of the authentication modules
# that define the central authentication scheme for use on the
# system (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default
# is to use the traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth sufficient pam_krb5.so
auth required pam_unix2.so

###############
# /etc/pam.d/common-password - password-related modules common to all services
###############
# This file is included from other service-specific PAM config
# files, and should contain a list of modules that define the
# services to be used to change user passwords. The default is
# pam_unix2 in combination with pam_pwcheck.
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# To enable Blowfish or MD5 passwords, you should edit
# /etc/default/passwd.
#
# Alternate strength checking for passwords should be configured
# in /etc/security/pam_pwcheck.conf.
#
# pam_make can be used to rebuild NIS maps after password change.
#
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
#password required pam_make.so /var/yp

###############
# /etc/pam.d/common-session - session-related modules common to all services
###############
# This file is included from other service-specific PAM config
# files, and should contain a list of modules that define tasks
# to be performed at the start and end of sessions of *any*
# kind (both interactive and non-interactive). The default is
# pam_unix2.
#
session required pam_limits.so
session required pam_unix2.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel

Each service’s own PAM file in /etc/pam.d includes these four common files. The one for su, which step 8 below exercises, looks like this. Note that pam_rootok is commented out, so even root is asked for the target user’s password; that is what makes the su test go through Kerberos rather than succeed silently:

#%PAM-1.0
###############
# /etc/pam.d/su config file (the #%PAM-1.0 line above is part of this file)
###############
#auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so

Once all these configuration files are in place, we can proceed with the following steps:

  1. Run “getent passwd” (you should only see SLED 10 local users in this listing).
  2. Run “kdestroy” to discard any cached Kerberos tickets you may currently have.
  3. Run “kinit domain-admin-user@DOMAIN.COM” to obtain a ticket-granting ticket for a user allowed to join machines to the domain (the ticket belongs to that user, not to the machine); run “klist” to verify it. If kinit reports “Clock skew too great”, fix NTP first.
  4. Run “net ads join -U domain-admin-user@DOMAIN.COM” to join the machine to the domain. With -U, net prompts for the password and authenticates with it; to join with the ticket from step 3 instead, use “net ads join -k”. Either way, “net ads testjoin” should then report that the join is OK.
  5. Restart the applicable services and daemons:
    /etc/init.d/smb stop
    /etc/init.d/winbind stop
    /etc/init.d/smb start
    /etc/init.d/winbind start
  6. Run “getent passwd”; the output should now list domain users and their associated UIDs. Likewise, “getent group” should output domain groups and GIDs.
  7. The “wbinfo -u” and “wbinfo -g” commands should list domain users and domain groups, respectively.
  8. Finally, run “su domain-user” for a domain account that has UNIX attributes. It should prompt you for the user’s password, create a home directory for that user if necessary, and then switch you to the user.

You can also store a password for the ldap admin dn in Samba’s secrets.tdb with “smbpasswd -w” (that is what the command does; it does not add an SMB user). Samba consults that password only for its LDAP passdb backend and idmap_ldap, neither of which this configuration uses (the passdb is the default tdbsam, and idmap backend = ad connects with the machine account’s Kerberos credentials), so the step should not be needed here.

Finally, using YaST (System > RunLevel Editor), enable the NTP, SMB, and Winbind daemons. Winbind is not on the name-service path in this setup (nsswitch.conf resolves passwd and group through ldap, not winbind), so only the wbinfo checks in step 7 depend on it. Also disable the nscd daemon to avoid caching problems and unwanted interaction with Winbind.

At this point, if you were able to su to a Windows user, you should be able to reboot the machine and log in as a Windows user (be sure to use a Windows user that has UNIX attributes assigned in Active Directory).

NOTE: If you get locked out of the system, the cause is most likely /etc/nsswitch.conf: a typo there, or a network source listed before files, can make every user lookup hang or fail, root included. Boot from the SLED 10 installation disc using the “Recover System” option, then:

mount -w /dev/hda1 /mnt
vi /mnt/etc/nsswitch.conf

where “/dev/hda1” is your system partition. Remove “ldap” from the passwd, group, and shadow lines so that each lists only “files” or “compat”. You can now reboot and log in as root to troubleshoot the problem.
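The recovery edit described in the NOTE, as an added example that is not part of the original post: a Python script that performs the nsswitch.conf rewrite and also checks the source ordering that causes the lockout in the first place. Reading and writing /mnt/etc/nsswitch.conf on the mounted system partition is assumed and not shown; the sample text is constructed from the page’s file.

```python
"""Recover and sanity-check /etc/nsswitch.conf, as in the NOTE above.

Added example, not code from the original post. recover() drops every
network source from the passwd, shadow and group lines so the system boots
on local accounts alone; ordering_problems() reports the mistake behind the
lockout: a network source consulted before 'files', or no local source at
all, so that even a lookup of root waits on an unreachable DC.
"""
NETWORK_SOURCES = {"ldap", "winbind", "nis", "nisplus"}
LOCAL_SOURCES = {"files", "compat"}
CRITICAL_DBS = ("passwd", "shadow", "group")


def parse_nsswitch(text):
    """{database: [sources]}; [ACTION=...] tokens are kept in place."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, _, rest = line.partition(":")
            dbs[db.strip()] = rest.split()
    return dbs


def ordering_problems(text):
    """One message per critical database whose source order can lock out root."""
    problems = []
    for db, sources in parse_nsswitch(text).items():
        if db not in CRITICAL_DBS:
            continue
        names = [s for s in sources if not s.startswith("[")]
        local = [i for i, s in enumerate(names) if s in LOCAL_SOURCES]
        net = [i for i, s in enumerate(names) if s in NETWORK_SOURCES]
        if net and not local:
            problems.append("%s: no local source, root is unresolvable when the DC is down" % db)
        elif net and net[0] < local[0]:
            problems.append("%s: %s is consulted before the local files" % (db, names[net[0]]))
    return problems


def recover(text):
    """Rewrite passwd/shadow/group to local sources only; every other line is kept verbatim."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        db, sep, rest = line.partition(":")
        if sep and db.strip() in CRITICAL_DBS:
            kept = [s for s in rest.split() if s in LOCAL_SOURCES]
            out.append("%s: %s" % (db.strip(), " ".join(kept or ["files"])))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed from the page's file: local files first, then LDAP.
NSSWITCH_PAGE = """# /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
networks: files dns
netgroup: files nis
automount: files nis
"""
```

Run ordering_problems() on the working file before you reboot into it; an empty list means local accounts stay resolvable with the DC down. recover() is the emergency path: it leaves hosts, netgroup and the comments alone and only touches the three databases that gate logins.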

Some additional resources and information:
http://forums.suselinuxsupport.de/index.php?showtopic=53004
http://forums.fedoraforum.org/archive/index.php/t-29825.html
