Ubuntu single sign on integration with a Windows 2008 domain

Introduction

A common goal in any organization is to integrate the Unix and Windows hosts. There are a few ways to do this, and some have been written about before. The use of Samba's winbind is popular and is documented here - [ActiveDirectoryWinbindHowto]. There is also a legacy document for configuring older Ubuntu installations against legacy win2k3 servers here - [ActiveDirectoryHowto].

This document has been tested on Windows Server 2008 and Ubuntu 10.04. Successful integration needs three components. We need a Kerberos ticket for the host so that all user password authentications are encrypted. We need LDAP for user token lookups, so that a user's entry in passwd and group can be verified. Finally we need to install the pluggable authentication module (PAM) to allow for krb5/ldap authentication over a network.

Basic unix prep work

Configure static IP on your unix host

The full networking documentation can be found here https://help.ubuntu.com/8.04/serverguide/C/networking.html.

For those that just need a hint edit /etc/network/interfaces as appropriate to set a static IP address.

Verify the /etc/resolv.conf settings on your host. You need to be able to contact and look up your domain controllers, and search your domain name and any subdomains you use.

Set up NTP to keep time synchronized

For correct Kerberos authentication, you need the time on your DC and unix host to agree. Setting up an NTP server/client environment is beyond the scope of this document, but you want your DC and unix client to be getting time updates from the same source on a regular basis.

Overview

  • Install the ntp daemon - sudo apt-get install ntp
  • Shut down the ntp daemon - /etc/init.d/ntp stop
  • Edit the /etc/ntp.conf configuration to read time from a suitable time source
  • Run ntpdate against your preferred time source as a one-time fix
  • Start the ntp daemon - /etc/init.d/ntp start

Active Directory Unix Attributes (Windows work)

At this point, you will need administrative access to your Windows environment.

The first step is to add the ability to manage unix specific attributes in ADUC.

  • Under the Server Roles for Active Directory in Windows 2008, there is now an option to enable identity services for Unix. Enable the administrative tools. This will give you the Unix Attributes tab in ADUC. You need to create a NIS domain on the Windows side to edit the attributes in ADUC. You can still use other methods if you do not want to run NIS on your DC (or you can turn it off once it has updated AD's database with the information).

Ongoing user manipulation

We now have additional schema attributes under the AD objects. To be able to see LDAP users under unix you need to make some changes:

  • In Active Directory Users and Computers, open the properties of an example Unix user, then go to the Unix Attributes tab
  • Select the NIS domain and choose an appropriate UID. Choose a suitable group.

Setup Kerberos under Ubuntu (Unix Work)

Install the following Kerberos package. During the configuration it will ask you for a default realm; this should be the AD domain the machine is in (all CAPS).

sudo apt-get install libpam-krb5

Verify the configuration with kinit (beware of capitalization in the example) -

examplehost# kinit testuser@DOMAIN.COM        ## PASSWORD ENTERED CORRECTLY
examplehost#

examplehost# kinit testuser@DOMAIN.COM        ## PASSWORD ENTERED INCORRECTLY
Password for testuser@DOMAIN.COM:
kinit(v5): Preauthentication failed while getting initial credentials

examplehost# kinit testuser@domain.com        ## INCORRECT CAPITALIZATION
Password for testuser@domain.com:
kinit(v5): KDC reply did not match expectations while getting initial credentials

If this does not work you can try explicitly configuring Kerberos; however, if you are able to resolve domain resources (SRV records for Domain Controllers) this step should not be necessary. An example is shown below for DOMAIN.COM pointing at DC1 and DC2 for its config. If you don't care which Domain Controllers you authenticate to in your domain (they are all local or you have a fast network) you can simply use the domain DNS name and Kerberos will use DNS round-robin to reach them.

/etc/krb5.conf -

[libdefaults]
        default_realm = DOMAIN.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false

[realms]
        DOMAIN.COM = {
                kdc = dc1.domain.com
                kdc = dc2.domain.com
                admin_server = dc1.domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM

[logging]
        default = FILE:/var/log/kerberos
        kdc = FILE:/var/log/kerberos
        kdc_rotate = {
                period = 1d
                version = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }

Setting up LDAP/Kerberos Queries for passwd

Install the needed packages

sudo apt-get install libpam-ldapd libnss-ldapd

You will be prompted for configuration, but this is irrelevant as we will be overwriting all of it. You can also skip the /etc/nsswitch.conf changes; it is better to do this manually so you know what is going on. The heavy lifting of our LDAP client is performed by nslcd, which is installed as a dependency of libnss-ldapd.

Clean up the spurious config files installed by this apt command -

sudo mv /etc/ldap/ldap.conf /etc/ldap/ldap.conf.old
sudo mv /etc/ldap.conf /etc/ldap.conf.old

Also note, when you go searching around the net, that this setup does not use any of the following files -

/etc/ldap.conf
/etc/ldap/ldap.conf
/etc/ldap/slapd*
/etc/pam_ldap.conf
/etc/libnss_ldap.conf

Edit and fix /etc/nslcd.conf, which is the one and only place this setup relies on. Note that the LDAP query user's password is in this file in plain text, so the file should be locked down (readable only by root and the nslcd user) and the query account should not be permitted interactive logins. If you have multiple domains you can use your Global Catalogs as your LDAP servers; change the uri line to ldap://gc.example.com:3268.

uid nslcd
gid nslcd

uri ldap://dc1.example.com ldap://dc2.example.com

base dc=example,dc=com
scope sub

binddn CN=ldapquery,OU=Users,DC=example,DC=com
bindpw ldaplookuppassword

filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd uidnumber uidNumber
map passwd homedirectory unixHomeDirectory
map passwd loginshell loginShell
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
filter group (objectClass=group)
map group uniqueMember member

sudo /etc/init.d/nslcd restart

sudo /etc/init.d/nscd restart

Edit nsswitch.conf to use ldap:

passwd: compat ldap
group: compat ldap
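Because /etc/nslcd.conf carries the bind password in clear text, it is worth checking it before the host goes into service. The following is an added example (not part of the original page or of nslcd) that parses the page's nslcd.conf layout and reports three things: a bindpw that would travel over a plain ldap:// connection without 'ssl start_tls', a file mode that lets group or other read it, and a passwd filter that does not require uidNumber. The sample configuration is a constructed copy of the one above.

```python
import stat

# Constructed sample in the layout shown on this page (not a real file).
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd

uri ldap://dc1.example.com ldap://dc2.example.com

base dc=example,dc=com
scope sub

binddn CN=ldapquery,OU=Users,DC=example,DC=com
bindpw ldaplookuppassword

filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
filter group (objectClass=group)
"""


def parse_nslcd_conf(text):
    """Return nslcd.conf as {keyword: [value, ...]}; keywords such as uri may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf


def audit_nslcd_conf(text, file_mode):
    """Return a list of findings for the given file text and its st_mode bits;
    an empty list means nothing was flagged."""
    conf = parse_nslcd_conf(text)
    findings = []
    uris = " ".join(conf.get("uri", [])).split()
    plain = [u for u in uris if u.startswith("ldap://")]
    # nslcd's 'ssl' keyword takes on, off or start_tls
    uses_tls = conf.get("ssl", [""])[0] in ("on", "start_tls")
    if "bindpw" in conf and plain and not uses_tls:
        findings.append("bindpw would be sent over plain ldap:// without 'ssl start_tls'")
    if file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("nslcd.conf is readable by group/other but holds bindpw in clear text")
    for flt in conf.get("filter", []):
        if flt.startswith("passwd ") and "(uidNumber=*)" not in flt:
            findings.append("passwd filter does not require uidNumber")
    return findings
```

Run it against the live file with `audit_nslcd_conf(open("/etc/nslcd.conf").read(), os.stat("/etc/nslcd.conf").st_mode)`.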

Conclusion

At this point, you can test LDAP using getent passwd. You should see details from your AD in the output.

If you got this far, your Kerberos testing was also successful.

The missing piece of the puzzle is PAM. The heavy lifting of this has already been done thanks to the APT system. As such, the files under /etc/pam.d/common-* have already been updated with stanzas for ldap and krb5 (you can grep for them and look a little deeper if you like).

At this point, you should be able to log in to your Ubuntu host using AD credentials, as long as your login has the Unix attributes set for UID and home directory.

Security

This setup will end up sending plain text passwords if pam_ldap is used before pam_krb5. You may want to consider removing pam_ldap from /etc/pam.d/common-auth: Kerberos should handle the authentication, LDAP is for authorization. Alternatively, once the initial configuration is working, you can add TLS support in your /etc/nslcd.conf.
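To check the ordering the paragraph above warns about, here is an added example (not part of the original page or of any PAM tool) that reads the auth stack of a common-auth file in the layout pam-auth-update writes, reports pam_ldap running ahead of pam_krb5, and removes a module while shrinking the [success=N default=ignore] jumps that skipped over it, since those jump counts silently break when a line is deleted by hand. The sample file is constructed with pam_ldap deliberately placed first.

```python
import re

# Constructed sample in pam-auth-update's layout, with pam_ldap ahead of pam_krb5.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth    [success=3 default=ignore]      pam_ldap.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

AUTH_LINE = re.compile(r"^auth\s+(\[.*?\]|\S+)\s+(\S+)(.*)$")
JUMP = re.compile(r"success=(\d+)")


def auth_modules(text):
    """Module names of the auth stack, in evaluation order."""
    return [m.group(2) for m in map(AUTH_LINE.match, text.splitlines()) if m]


def check_auth_order(text):
    """Findings about pam_ldap running before pam_krb5 (see the Security note)."""
    mods = auth_modules(text)
    if "pam_ldap.so" in mods and "pam_krb5.so" in mods:
        if mods.index("pam_ldap.so") < mods.index("pam_krb5.so"):
            return ["pam_ldap.so runs before pam_krb5.so: password goes to LDAP first"]
    elif "pam_ldap.so" in mods:
        return ["pam_ldap.so authenticates but pam_krb5.so is absent"]
    return []


def drop_auth_module(text, module):
    """Remove one auth module. success=N skips the next N modules of the stack,
    so every earlier jump that skipped over the removed module loses one."""
    lines = text.splitlines()
    auth_idx = [i for i, l in enumerate(lines) if AUTH_LINE.match(l)]
    names = [AUTH_LINE.match(lines[i]).group(2) for i in auth_idx]
    if module not in names:
        return text
    pos = names.index(module)
    for n in range(pos):
        m = JUMP.search(lines[auth_idx[n]])
        if m and n + int(m.group(1)) >= pos:  # jump lands beyond the removed module
            new = "success=%d" % (int(m.group(1)) - 1)
            lines[auth_idx[n]] = lines[auth_idx[n]].replace(m.group(0), new)
    del lines[auth_idx[pos]]
    return "\n".join(lines) + "\n"
```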

Debugging

There is some debugging info in /var/log/syslog that should show you whether you are successfully binding to LDAP.

In addition, be very aware of /etc/init.d/nscd. The caching daemon can mean that the changes you make are not immediately apparent. My advice would be to shut it down until your config is tested, then allow it to start when you reboot for testing.

External Links

A description of how one admin got Precise Pangolin to work with AD (config for PAM, nscd and/or sssd, and Heimdal Kerberos) can be found at http://jurjenbokma.com/ApprenticesNotes/Linux-AD-auth.html


ADWin2k8KerberosLDAP (last edited 2013-10-07 16:14:43 by pix01-o)