WORK IN PROGRESS

Setting up Active Directory based authentication on Linux servers

Authenticate users coming in over SSH against Active Directory as well as local accounts. su and sudo are limited to members of the local wheel group or the linuxadmins group in AD. linuxadmins also needs a rule in sudoers (a %linuxadmins line next to the usual %wheel one, added with visudo), otherwise its members pass the PAM checks and are still refused by sudo itself.

Considerations on the Windows Active Directory side

From the Linux side you must get a valid answer to the Kerberos SRV query for the domain, or the join fails and no user or group information can be pulled. Query the full name; the short form _kerberos._tcp.ad only answered because the resolver appended the home search domain:

# host -t srv _kerberos._tcp.ad.home
_kerberos._tcp.ad.home has SRV record 0 0 88 adserver.home.
_kerberos._tcp.ad.home has SRV record 0 100 88 adserver.ad.home.

The targets (adserver.home and adserver.ad.home) must resolve as well, and Samba's DC locator also queries _ldap._tcp.dc._msdcs.ad.home, so check that record the same way. These client-side SRV lookups are why the Linux box should use the AD DNS server, or a resolver that forwards the ad.home zone to it.
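
The following script is an added example, not part of the original page, that automates the DNS check above. It parses host -t srv output, and in live mode also queries the DC locator record and confirms every SRV target resolves. The domain ad.home, the file name in the usage comment and the embedded SAMPLE output are constructed to match the records shown; nothing else is assumed beyond host(1) being installed.

```shell
#!/bin/sh
# Added example, not from the original page: automate the SRV check above.
# The domain (ad.home) and SAMPLE output below are constructed for the example.
set -u

# parse_srv_targets OUTPUT PORT
# Print target hosts from "host -t srv" output whose SRV port equals PORT,
# lowest priority number first, trailing dot removed. Expects lines like
#   _kerberos._tcp.ad.home has SRV record 0 0 88 adserver.home.
parse_srv_targets() {
    printf '%s\n' "$1" | awk -v port="$2" \
        '/has SRV record/ && $7 == port { print $5, $8 }' \
        | sort -n | awk '{ sub(/\.$/, "", $2); print $2 }'
}

# srv_ok OUTPUT PORT -> 0 if at least one SRV target for PORT was returned
srv_ok() {
    [ -n "$(parse_srv_targets "$1" "$2")" ]
}

# check_realm_dns DOMAIN: live check against the resolver this box will use.
# _kerberos._tcp.<domain> is what the page says must answer; the
# _ldap._tcp.dc._msdcs.<domain> record is the DC locator entry Samba queries
# when it looks for a domain controller. Every target must resolve too.
check_realm_dns() {
    domain=$1
    rc=0
    for rec in "_kerberos._tcp.$domain:88" "_ldap._tcp.dc._msdcs.$domain:389"; do
        name=${rec%:*}
        port=${rec#*:}
        out=$(host -t srv "$name" 2>&1)
        if ! srv_ok "$out" "$port"; then
            echo "MISSING: $name (expected port $port)"
            echo "$out"
            rc=1
            continue
        fi
        for target in $(parse_srv_targets "$out" "$port"); do
            host -t a "$target" >/dev/null 2>&1 \
                || { echo "UNRESOLVABLE: $target (from $name)"; rc=1; }
        done
    done
    [ $rc -eq 0 ] && echo "DNS OK for $domain"
    return $rc
}

# Constructed sample in the same layout as the page's output
SAMPLE='_kerberos._tcp.ad.home has SRV record 0 100 88 adserver.ad.home.
_kerberos._tcp.ad.home has SRV record 0 0 88 adserver.home.'

# Usage (file name illustrative): sh check_ad_dns.sh --live [domain]
if [ "${1:-}" = "--live" ]; then
    check_realm_dns "${2:-ad.home}"
fi
```

Run it with --live on the box before attempting the join; a MISSING or UNRESOLVABLE line means the resolver in /etc/resolv.conf cannot see the AD zone, and net ads join will fail for the same reason.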

Required packages

WIP - Will be refined

samba samba-winbind samba-winbind-clients samba-winbind-krb5-locator samba-common samba-client samba4-dc-libs krb5-workstation krb5-libs pam pam_krb5 pam_ldap

Not actually part of this setup: krb5-server and krb5-server-ldap are the MIT KDC and are not needed on a client that only joins AD, and the -devel packages (samba-winbind-devel, pam-devel, krb5-devel) are only needed to build software against these libraries. pam_ldap is not used by the winbind-based configuration on this page either.


krb5.conf

AD.HOME is the Kerberos realm, i.e. the AD DNS domain ad.home in upper case, of my test Active Directory server; the domain controller itself is adserver.home / adserver.ad.home. I have internal DNS set up so that ad.home and adserver.home resolve to the DC's IP, which is why ad.home can double as the kdc hostname below.

# cat /etc/krb5.conf
[libdefaults]
    default_realm = AD.HOME
    # seconds when no unit is given; AD caps this at its own maximum user
    # ticket lifetime (10h by default) anyway
    ticket_lifetime = 24000
    dns_lookup_realm = true
    dns_lookup_kdc = true
    # AD (2008 and later) issues AES tickets. The DES and RC4 types the
    # original list carried only add downgrade surface, and single DES was
    # removed from MIT krb5 in 1.18 altogether.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    # kdc/admin_server are hostnames, not the realm: ad.home resolves to the
    # DC. With dns_lookup_kdc = true the SRV records would find it anyway.
    AD.HOME = {
        kdc = ad.home
        admin_server = ad.home
        default_domain = ad.home
    }

[logging]
    # the kdc/admin_server entries only matter on a KDC; harmless on a client
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .ad.home = AD.HOME
    ad.home = AD.HOME

smb.conf

[global]
   workgroup = AD
   realm = AD.HOME
   security = ads
   winbind refresh tickets = yes
   # default (*) idmap domain. tdb is the default backend, stated here so the
   # range is unambiguous; AD users land at uid/gid >= 16777216, which is how
   # the PAM stanzas below tell AD accounts from local ones. tdb hands out ids
   # on demand per host, so use the rid backend for the AD domain if the ids
   # must agree across several servers.
   idmap config * : backend = tdb
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   # unqualified names (linuxadmins rather than AD\linuxadmins) in NSS and PAM
   winbind use default domain = true
   # cache credentials so logons keep working when the DC is unreachable
   winbind offline logon = yes

/etc/pam.d/sshd conf

#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
# Only local wheel members and AD linuxusers members may log in over SSH.
# Two "sufficient" lines on their own deny nobody (a non-member is simply
# ignored and the stack still succeeds), so the jumps below send members past
# pam_deny and everyone else into it. Note that linuxadmins members also need
# linuxusers (or wheel) to get in this way. "AllowGroups wheel linuxusers" in
# sshd_config is the simpler equivalent.
account    [success=2 default=ignore] pam_succeed_if.so quiet user ingroup wheel
account    [success=1 default=ignore] pam_succeed_if.so quiet user ingroup linuxusers
account    required     pam_deny.so
# keep password-auth so the pam_unix/pam_winbind account checks (expiry,
# disabled account) still run for the users who are allowed in
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
# nothing here creates /home/%U on first login; add pam_mkhomedir (or oddjob)
# to the session stack if AD users should get a home directory automatically
session    include      password-auth

/etc/pam.d/su conf

#%PAM-1.0
auth      sufficient   pam_rootok.so
# Only local wheel members and AD linuxadmins members may su. For su, PAM_USER
# is the *target* account (normally root), so every pam_succeed_if here needs
# use_uid to test the calling user instead. Without it the original
# "uid < 16777216" test was always true for root and the group checks were
# skipped on every su to root.
auth      [success=2 default=ignore] pam_succeed_if.so quiet use_uid user ingroup wheel
auth      [success=1 default=ignore] pam_succeed_if.so quiet use_uid user ingroup linuxadmins
auth      requisite    pam_deny.so
auth      include      system-auth
account   sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account   include      system-auth
password  include      system-auth
session   include      system-auth
session   optional     pam_xauth.so
# append "debug" to a pam_succeed_if line while testing; it logs the evaluated
# condition and which user it was evaluated for to syslog

/etc/pam.d/sudo conf

#%PAM-1.0
auth       include      system-auth
# sudoers is the real authority on who may run what; this account stanza is
# belt and braces and refuses anyone outside local wheel or AD linuxadmins.
# sudo authenticates the invoking user, so PAM_USER is already the caller and
# no use_uid is needed here.
account    [success=1 default=ignore] pam_succeed_if.so quiet user ingroup linuxadmins
account    [success=ignore default=bad] pam_succeed_if.so quiet user ingroup wheel
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
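
The script below is an added example, not part of the original page. It is a pre-flight check for the policy stated at the top of the page (SSH for wheel or linuxusers; su and sudo for wheel or linuxadmins): given a username it looks the account up through NSS, classifies it as local or AD by the idmap range boundary the su stanza relies on, and reports which of the three paths the PAM files would grant. The group names and the boundary 16777216 come from the page; the file name in the usage comment and the usernames you pass in are yours. It makes visible one consequence of the configuration as written: an AD user who is only in linuxadmins gets su and sudo but cannot SSH in.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight check of the access
# policy described at the top of the page (ssh for wheel or linuxusers, su and
# sudo for wheel or linuxadmins). Group names and the idmap range start
# 16777216 come from the page; usernames passed on the command line are yours.
set -u

IDMAP_LOW=16777216   # first uid of "idmap config * : range" in smb.conf

# in_list NEEDLE "WORD WORD ..." -> 0 if NEEDLE is one of the words
in_list() {
    needle=$1
    for w in $2; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# policy_for_groups "GROUP ..." -> "ssh=yes|no su=yes|no sudo=yes|no"
# A pure function of the caller's group list, so it can be checked without AD.
# Multi-word AD group names ("domain users") split into separate words here,
# which does not matter for the single-word groups the policy keys on.
policy_for_groups() {
    ssh=no; su=no; sudo=no
    if in_list wheel "$1" || in_list linuxusers "$1"; then ssh=yes; fi
    if in_list wheel "$1" || in_list linuxadmins "$1"; then su=yes; sudo=yes; fi
    echo "ssh=$ssh su=$su sudo=$sudo"
}

# account_source UID -> "local" or "ad": the same uid < 16777216 test the
# su stanza uses to tell /etc/passwd accounts from winbind-mapped ones.
account_source() {
    if [ "$1" -lt "$IDMAP_LOW" ]; then echo local; else echo ad; fi
}

# check_user NAME: live lookup through NSS (files + winbind), i.e. what PAM
# will see on this box. Needs the join to be working.
check_user() {
    uid=$(id -u "$1" 2>/dev/null) \
        || { echo "$1: unknown to NSS (not joined, or winbindd down?)"; return 1; }
    echo "$1 uid=$uid source=$(account_source "$uid") $(policy_for_groups "$(id -nG "$1")")"
}

# Usage (file name illustrative): sh check_access.sh user [user ...]
if [ $# -gt 0 ]; then
    for u in "$@"; do
        check_user "$u"
    done
fi
```

Run it for a local wheel user, an AD user in linuxusers and an AD user in linuxadmins after the join; the source= field also confirms that AD accounts really do land inside the idmap range, which the su stanza depends on.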

/etc/nsswitch.conf

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

Joining the AD Domain

Joining needs AD credentials that are allowed to create a computer object in the domain. Administrator works, but a dedicated join account delegated only that right (or an ordinary domain user, within the default ms-DS-MachineAccountQuota of 10 joins) is the safer choice; there is no reason for a Domain Admin password to be typed on every Linux box. kinit is not strictly required because net ads join -U prompts for the password itself, but a successful kinit proves krb5.conf and the SRV records are right before the join is attempted:

# kinit Administrator
Password for Administrator@AD.HOME:
# net ads join -U Administrator
Enter Administrator's password:

Successful join

# wbinfo -p
Ping to winbindd succeeded

# wbinfo -m
BUILTIN
LEARN
AD
# wbinfo -t
checking the trust secret for domain AD via RPC calls succeeded

# wbinfo -u
administrator
guest
krbtgt
testuser
test2

# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
linuxusers
linuxadmins
# wbinfo --online-status
BUILTIN : online
LEARN : online
AD : online

Things to consider

If you do not allow local user login and your cached-login configuration is not working, nobody can ssh to the server once connectivity to the domain controller is lost. Cached logons need "winbind offline logon = yes" in smb.conf (set above) plus the cached_login option on the pam_winbind line in password-auth/system-auth, and the cache for a user is only populated after that user has logged on at least once while the DC was reachable. Keep at least one local account in wheel whose password or SSH key does not depend on AD, and test the offline path deliberately rather than discovering it during an outage.
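
The script below is an added example, not part of the original page. It turns the "Successful join" checklist above into one command and adds a deliberate test of the offline logon path this section warns about, by asking winbindd to go offline with smbcontrol, attempting a logon, and bringing it back online. The domain name AD and the group names are the page's; the SAMPLE_* outputs are constructed for the self-test, the file name in the usage comment is illustrative, and the user you pass in is yours.

```shell
#!/bin/sh
# Added example, not from the original page: script the post-join checks from
# "Successful join" and exercise the offline logon path that "Things to
# consider" warns about. Domain AD and the group names are the page's; the
# SAMPLE_* outputs are constructed for the self-test, the user is yours.
set -u

# groups_missing "WBINFO_G_OUTPUT" GROUP...
# Print each GROUP absent from the output; return 1 if any are missing.
# Case-insensitive because winbind reports AD names in lower case.
groups_missing() {
    out=$1
    shift
    rc=0
    for g in "$@"; do
        printf '%s\n' "$out" | grep -qixF -- "$g" || { echo "$g"; rc=1; }
    done
    return $rc
}

# domain_online "WBINFO_ONLINE_STATUS_OUTPUT" DOMAIN -> 0 if "<DOMAIN> : online"
domain_online() {
    printf '%s\n' "$1" | grep -qxF -- "$2 : online"
}

# verify_join DOMAIN: the live checklist, stopping at the first failure.
verify_join() {
    d=$1
    wbinfo -p >/dev/null        || { echo "winbindd not answering"; return 1; }
    wbinfo -t >/dev/null        || { echo "machine account trust check failed"; return 1; }
    net ads testjoin >/dev/null || { echo "net ads testjoin failed"; return 1; }
    domain_online "$(wbinfo --online-status)" "$d" \
        || { echo "$d is not online"; return 1; }
    missing=$(groups_missing "$(wbinfo -g)" linuxusers linuxadmins) \
        || { echo "AD groups not visible through winbind: $missing"; return 1; }
    echo "join OK"
}

# offline_logon_test USER: force winbindd offline, attempt a logon for USER
# (wbinfo -a prompts for the password and goes through the same winbindd
# PAM_AUTH request pam_winbind uses), then bring winbindd back online.
# Only meaningful after USER has logged on once while the DC was reachable;
# needs "winbind offline logon = yes" in smb.conf, otherwise winbindd ignores
# the offline request, and cached_login on pam_winbind for real logins.
offline_logon_test() {
    smbcontrol winbindd offline || return 1
    wbinfo --online-status
    wbinfo -a "$1"
    rc=$?
    smbcontrol winbindd online
    return $rc
}

# Constructed sample output for the self-test
SAMPLE_G='domain users
domain admins
linuxusers'
SAMPLE_STATUS='BUILTIN : online
AD : online'

# Usage (file name illustrative):
#   sh verify_join.sh verify [DOMAIN]     sh verify_join.sh offline USER
case "${1:-}" in
    verify)  verify_join "${2:-AD}" ;;
    offline) offline_logon_test "${2:?user required}" ;;
esac
```

The offline test is worth running once from a second session while you stay logged in on the first, so that a misconfigured cache (the common case: the user never logged on while online, or cached_login is missing) does not lock you out of the box you are testing on.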