## Ubuntu LDAP/Kerberos Windows 2008 AD authentication

----

This wiki page describes how to add your Ubuntu server or workstation to a Microsoft Windows 2008 Active Directory (AD) domain, using Kerberos for authentication and LDAP (nslcd) for user and group lookups.

### Prerequisites

If your server or workstation has Centrify DirectControl (centrifydc) or Likewise installed, remove those packages first. Most of the steps below write to files under /etc and restart system services, so make sure you can work as root (for example from `sudo -i`) rather than relying on `sudo` in front of each command.

### Setup NTP for time synchronization

Kerberos authentication only works if the Linux clock is synchronized with the domain controllers: the KDC rejects requests whose timestamp is off by more than the permitted clock skew (300 seconds by default).

Have your Linux machine and your domain controllers synchronize from the same source. The time server at the LUMC is time.lumc.nl.

```
sudo apt-get install -y ntp
sudo ntpdate -u time.lumc.nl
```

`ntpdate -u` sends from an unprivileged port, so it works even while the ntp daemon is already bound to port 123. Point ntpd at the same server (`server time.lumc.nl` in /etc/ntp.conf) so the clock stays synchronized after this one-off correction.

### Setup Kerberos

Install the Kerberos packages. During configuration, krb5-config asks for a default realm.

* LUMC REALM = LUMCNET.PROD.INTERN (realm names are written in capitals)

```
sudo apt-get install krb5-config krb5-user libpam-krb5
```

Check that you can request a Kerberos ticket with your domain account:

* `kinit <domain username>` and type your password

```
kinit mpvillerius
Password for mpvillerius@LUMCNET.PROD.INTERN:
```

To check that you have received a ticket, type:

```
klist
```

Your ticket should look like this:

```
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mpvillerius@LUMCNET.PROD.INTERN

Valid starting     Expires            Service principal
26/07/2012 09:46   26/07/2012 19:46   krbtgt/LUMCNET.PROD.INTERN@LUMCNET.PROD.INTERN
        renew until 27/07/2012 09:46
```

If `kinit` fails with "Clock skew too great" or "Cannot contact any KDC for realm", go back to the time synchronization step and check that the realm name is spelled in capitals.

### Setup LDAP

Install the packages:

```
sudo apt-get install -y libpam-ldapd libnss-ldapd
```

The debconf dialogue asks for the following. Change the LDAP server URI to:

* ldap://lumcnet.prod.intern (the domain's DNS name, which resolves to the domain controllers)

Accept the LDAP server search base, which should be:

* dc=lumcnet,dc=prod,dc=intern

Choose the name services to configure:

```
[*] group
[*] passwd
[*] shadow
```

Shut down the Name Service Cache Daemon:

```
service nscd stop
```

Replace the /etc/nslcd.conf file with the **attached nslcd.conf** file. The file holds the credentials nslcd binds with, so keep the permissions the package ships it with (owner root, group nslcd, mode 0640) and restart the nslcd service:

```
service nslcd restart
```

If on Debian wheezy you get an error like this:

```
[....] Restarting LDAP connection daemon: nslcdnslcd: /etc/nslcd.conf:43: unknown attribute to map: 'uniqueMember' failed!
```

comment out the following line in your /etc/nslcd.conf file (newer nslcd versions use `member` as the group membership attribute and no longer accept a `uniqueMember` mapping, so the line is not needed):

```
#map group uniqueMember member
```

Test your LDAP lookups with:

```
getent passwd
```

This should return all users, local and from LDAP.

```
getent group
```

This should return all groups, local and from LDAP. Enumerating every account of a large AD domain can take a while, so also test a single account directly: `getent passwd <domain username>` and `id <domain username>` should show the user's uid, home directory, shell and group memberships.
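The attached nslcd.conf is not reproduced on this page. As an added example (not the page's attachment and not part of the nss-pam-ldapd project), the script below writes an nslcd.conf for the LUMCNET.PROD.INTERN domain with the URI and search base used above, plus the settings a practitioner wants when nslcd talks to AD: LDAP over TLS with certificate verification (a plain `ldap://` URI would send the bind password in the clear), a dedicated low-privilege bind account, `referrals off` and `pagesize 1000` for AD's referral and result-size behaviour, the usual AD attribute maps, and a default login shell via an nslcd attribute expression (an alternative to switching /bin/sh to bash further down). The bind DN, the CA file path, the service-account name and the exact attribute map are assumptions; check them against nslcd.conf(5) for your release (attribute expressions need nss-pam-ldapd 0.8 or later). The second function checks the one thing that is easy to get wrong and hard to notice: that the file is not readable by ordinary users.

```sh
#!/bin/sh
# Added example, not the attached nslcd.conf from the original page.  Writes an
# nslcd.conf for AD with the page's URI/search base plus TLS, a bind account,
# AD filters/maps and a default shell, then verifies the file permissions.
# Bind DN, CA path and attribute map are assumptions; adjust for your domain.

write_nslcd_conf() {
    dest="$1"     # target file; /etc/nslcd.conf on the real host
    binddn="$2"   # DN of a read-only AD account used only for lookups
    bindpw="$3"   # its password; read it from a root-only file, not a command line

    # Write in a subshell with a restrictive umask so the file never exists
    # world-readable, not even for the instant before chmod runs.
    (
        umask 027
        cat > "$dest" <<EOF
# nslcd.conf for LUMCNET.PROD.INTERN (example, adjust before use)
uid nslcd
gid nslcd

# LDAP over TLS; tls_reqcert demand makes nslcd refuse an impostor DC.
uri ldaps://lumcnet.prod.intern
base dc=lumcnet,dc=prod,dc=intern
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/lumc-ad-ca.pem

# AD does not allow anonymous lookups; this account needs read access only.
binddn $binddn
bindpw $bindpw

# AD hands out referrals nslcd should not chase, and caps a result set at
# 1000 entries unless paged results are requested.
referrals off
pagesize 1000

# Only user objects with POSIX attributes (not computer accounts) become
# Unix users; groups need a gidNumber.  loginShell falls back to bash.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName
map    passwd loginShell    "\${loginShell:-/bin/bash}"
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map    shadow uid           sAMAccountName
filter group  (&(objectClass=group)(gidNumber=*))
EOF
    )
    # The package ships the file as root:nslcd 0640; keep it that way so only
    # root and the nslcd daemon can read the bind password.
    chown root:nslcd "$dest" 2>/dev/null || true   # nslcd group absent off-host
    chmod 640 "$dest"
}

# nslcd_conf_secure FILE: succeed only if "other" has no permission bits,
# which is what keeps the bind password away from ordinary local users.
nslcd_conf_secure() {
    case "$(ls -ld "$1")" in
        ???????---*) return 0 ;;
        *) echo "$1 is readable by other users; run: chmod 640 $1" >&2; return 1 ;;
    esac
}

# Usage on the host (assumed service account; password from a root-only file):
#   write_nslcd_conf /etc/nslcd.conf \
#       "CN=svc-nslcd,OU=Service Accounts,DC=lumcnet,DC=prod,DC=intern" \
#       "$(cat /root/.nslcd-bindpw)"
#   nslcd_conf_secure /etc/nslcd.conf && service nslcd restart
```

After restarting nslcd, `getent passwd <domain username>` should return the AD account with /bin/bash as shell even when the AD object has no loginShell attribute; if it returns nothing, check `tls_cacertfile` first, because with `tls_reqcert demand` a certificate the client does not trust fails silently from the user's point of view and only shows up in the nslcd log.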

### Fine-tune your configuration

By now you should be able to log in with your AD account. Two things are still missing: the home directory is not created automatically, and accounts get the default shell /bin/sh (dash on Ubuntu).

Change the default system shell from dash to bash. Note that in `sudo echo ... | debconf-set-selections` the `sudo` only applies to `echo`, so the second command of the pipeline and the redirection below must get root themselves:

```
echo "dash dash/sh boolean false" | sudo debconf-set-selections
sudo dpkg-reconfigure --frontend=noninteractive dash
```

Set the default SHELL for all logins:

```
echo 'SHELL="/bin/bash"' | sudo tee -a /etc/environment
```

Switching /bin/sh to bash affects every script on the system that starts with `#!/bin/sh`, not only the login shell of AD users.

To have PAM create the home directory automatically on first login, create **/usr/share/pam-configs/my_mkhomedir** (`vi /usr/share/pam-configs/my_mkhomedir`) with the following contents (the line under `Session:` is indented with a tab):

```
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0022 skel=/etc/skel
```

`umask=0022` makes new home directories world-readable; use `umask=0077` if other users on the machine should not be able to read them.

To restrict who may log in, create **/usr/share/pam-configs/my_restrictssh** (`vi /usr/share/pam-configs/my_restrictssh`) and paste:

```
Name: activate SSH restriction
Default: yes
Priority: 900
Account-Type: Primary
Account:
	required pam_access.so
```

Despite its name, this profile adds pam_access to common-account, so the rules in /etc/security/access.conf apply to every PAM login (console as well as ssh), not only to SSH.

To restrict access, edit **/etc/security/access.conf** (`vi /etc/security/access.conf`) and add:

```
-:ALL EXCEPT root vill (domain group name):ALL
```

The format is `permission:users:origins`. This line denies login to all users, from all origins, except the local users root and vill and the members of the named domain group. Write the group name in parentheses so pam_access does not take it for a user name. Rules are evaluated in order and the first match wins, so keep this deny rule after any more specific rules. Check the group name with `getent group <domain group name>` before you log out: a typo here locks out everybody except root and vill.

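Because a mistake in access.conf either locks everyone out or, if no rule matches at all, lets everyone in, it pays to evaluate the rule for a few accounts before activating it. The script below is an added example, not code from the original page or from Linux-PAM: a small simulator of how pam_access reads access.conf, covering the subset used on this page (+/- permission, login names, ALL, EXCEPT and (group) tokens, origins that are ALL or an exact string). Like pam_access with the nodefgroup option, it treats only parenthesised tokens as groups; group names are space-separated, so AD group names containing spaces are not handled. The group lumc-linux-users and the users jdoe and mpvillerius are assumed names for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the original page or from Linux-PAM: simulates
# pam_access's evaluation of /etc/security/access.conf for the subset of the
# syntax used on this page, so a rule can be checked before it is activated.
# Only (group) tokens are treated as groups (pam_access with nodefgroup).

# _in_list LIST ITEM GROUPS: succeed if ITEM, or one of ITEM's GROUPS, is
# named in LIST; the keyword ALL matches anything.
_in_list() {
    for tok in $1; do
        case "$tok" in
            ALL) return 0 ;;
            \(*\)) g=${tok#\(}; g=${g%\)}
                   for have in $3; do [ "$have" = "$g" ] && return 0; done ;;
            *) [ "$tok" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# _list_match LIST ITEM GROUPS: like _in_list but honours "list1 EXCEPT list2",
# which matches when ITEM is in list1 and not in list2.
_list_match() {
    case "$1" in
        *" EXCEPT "*) _in_list "${1%% EXCEPT *}" "$2" "$3" && ! _in_list "${1#* EXCEPT }" "$2" "$3" ;;
        *) _in_list "$1" "$2" "$3" ;;
    esac
}

# access_decision USER GROUPS ORIGIN: read access.conf rules on stdin and print
# "allow" or "deny" the way pam_access decides: rules are scanned in order, the
# first rule whose users AND origins both match wins, and when no rule matches
# access is granted.
access_decision() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac          # blank or comment
        perm=${line%%:*}; rest=${line#*:}
        ufield=${rest%%:*}; ofield=${rest#*:}
        if _list_match "$ufield" "$1" "$2" && _list_match "$ofield" "$3" ""; then
            case "$perm" in +) echo allow ;; *) echo deny ;; esac
            return 0
        fi
    done
    echo allow      # no matching rule: pam_access permits
}

# Constructed access.conf: the rule from this page with an assumed group name.
RULES='# local admins and the Linux users group may log in, nobody else
-:ALL EXCEPT root vill (lumc-linux-users):ALL'

# Typo in the group name: the group never matches, every domain user is denied.
RULES_TYPO='-:ALL EXCEPT root vill (lumc-linux-user):ALL'

# A catch-all permit placed before the deny rule: first match wins, so the
# deny rule is dead and everybody gets in.
RULES_DEAD='+:ALL:ALL
-:ALL EXCEPT root vill (lumc-linux-users):ALL'

decide() { printf '%s\n' "$1" | access_decision "$2" "$3" "$4"; }

# Demo: sh access_sim.sh --demo.  On a real host feed the actual file, e.g.
#   access_decision mpvillerius "$(id -Gn mpvillerius)" 10.0.0.5 < /etc/security/access.conf
if [ "${1:-}" = --demo ]; then
    echo "root                 -> $(decide "$RULES" root root console)"
    echo "vill                 -> $(decide "$RULES" vill vill 10.0.0.5)"
    echo "mpvillerius (member) -> $(decide "$RULES" mpvillerius 'domain-users lumc-linux-users' 10.0.0.5)"
    echo "jdoe (not a member)  -> $(decide "$RULES" jdoe domain-users 10.0.0.5)"
    echo "mpvillerius, typo    -> $(decide "$RULES_TYPO" mpvillerius 'domain-users lumc-linux-users' 10.0.0.5)"
    echo "jdoe, dead deny rule -> $(decide "$RULES_DEAD" jdoe domain-users 10.0.0.5)"
fi
```

The two failure modes are the ones to remember when editing the real file: a misspelled group silently denies the whole group (RULES_TYPO), and a permissive rule placed above the deny line silently disables it (RULES_DEAD).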
Activate your changes by running **pam-auth-update** and make sure the following profiles are selected:

```
pam-auth-update
```

```
[*] activate SSH restriction
[*] activate mkhomedir
[*] Kerberos authentication
[*] Unix authentication
[*] LDAP Authentication
[*] ConsoleKit Session Management
```

Now test your authentication: log in on the console with your domain account, log in with ssh using your domain account, and log in with your local account. Keep an existing root session open while you test, so you can still correct /etc/security/access.conf or the PAM configuration if a login fails.

If it works fine you can start the