Howto: Sled 10 Auth To Windows Server 2003 R2 Ad

<span style="font-family:Lucida Sans Unicode">
SUSE Linux Enterprise Desktop ( SLED ) 10 Single Sign-On
LDAP / Kerberos Authentication to Active Directory on Windows
Server 2003 R2
Tested by Shannon VanWagner

Problem
You want to connect your SuSE Linux Enterprise Desktop
(SLED) 10 machines to a Windows Server 2003 R2 Domain
Controller for Single-Sign-On authentication and uid/gid
mapping with Active Directory.


Solution
Configure your SuSE Linux Enterprise Desktop (SLED) 10
workstations to use LDAP, Samba, and Kerberos to authenticate
with your Windows Server 2003 R2 Domain Controller with
Identity Management for UNIX enabled.


Environment Factors
For SuSE Linux Enterprise Desktop (SLED) 10 connecting to at
least one Windows Server 2003 R2 Domain Controller with
Active Directory and Identity Management for UNIX.


Here's How to do it

1.) On your Windows Server 2003 R2 Domain Controller -
enable "Identity Management for UNIX" via Add/Remove Programs
> Add Windows Components > Active Directory Services > Identity
Management for UNIX (reboot required)--- this will add a UNIX
Properties tab to each user account in AD Users and Computers that
will allow you to control the user UID, primary group GID, NIS
Server setting, and user shell setting (e.g. /bin/bash).

2.) Create a user in active directory to use for authenticating
via LDAP from the SLED 10 client.. make this user a member of
Domain Guests to avoid any security problems imposed by having
the password in the ldap.conf file. Example: In the ldap.conf example
below, the the LDAP query user is called <linux-ldap-user> and the
password for the user is included as the bindpw.

3.) For any user that will be logging into the SLED 10 client
machine, modify the "UNIX Attributes" tab for their specific user
account in Active Directory. Do this via the Users and Computers
snap-in - add a unique UID for the user, set their primary linux
group, set the home folder, and set the default shell.

4a.) On the SLED 10 client ensure that you have installed
the following packages

• nss_ldap
• pam_ldap
• pam_mount (not sure this is needed)
• yast2-samba-client (not sure this is needed)
• samba-krb-printing (not sure this is needed)
• samba-winbind


4b.) On the SLED 10 client setup your config files as follows
- see the file comment headers for the file names and locations
(replace items such as "domain.com" with settings specific to your
environment):


########################################
# /etc/hosts
########################################
# This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#

127.0.0.1 localhost
10.10.10.1 WIN-DC-HOSTNAME.DOMAIN.COM WIN-DC-HOSTNAME
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
127.0.0.2 client-hostname.DOMAIN.COM client-hostname


#########################################
#krb5.conf for connecting with Windows Server 2003#
#########################################
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICEAEMON

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
#Lines wrapped for the forum, put statements below each on one-line
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
aes256-cts arcfour-hmac-md5
[realms]
DOMAIN.COM = {
kdc = windows-dc-hostname.domain.com
admin_server = windows-dc-hostname.domain.com
default_domain = DOMAIN.COM
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM



################################################## #############
##custom ldap.conf for connecting with Server 2003 R2
################################################## #############
host 10.10.10.1
base dc=domain,dc=com
uri ldap://windows-dc-hostname.domain.com/
binddn cn=linux-ldap-user,cn=Users,dc=domain,dc=com
bindpw ldap-user-passwd
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=domain,dc=com?sub
nss_base_shadow dc=domain,dc=com?sub
#Lines wrapped for the forum, put statement below on one-line
nss_base_group dc=domain,dc=com?
sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap



#########################################
# /etc/nsswitch.conf
#########################################
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group: files nis

passwd: files ldap
shadow: files ldap
group: files ldap

hosts: files dns wins
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files



#############################################
## /etc/ntp.conf file
##
## Sample NTP configuration file.
## See package 'ntp-doc' for documentation, Mini-HOWTO and FAQ.
## Copyright © 1998 S.u.S.E. GmbH Fuerth, Germany.
##
## Author: Michael Andres, <ma@suse.de>
##
#############################################

##
## Radio and modem clocks by convention have addresses in the
## form 127.127.t.u, where t is the clock type and u is a unit
## number in the range 0-3.
##
## Most of these clocks require support in the form of a
## serial port or special bus peripheral. The particular
## device is normally specified by adding a soft link
## /dev/device-u to the particular hardware device involved,
## where u correspond to the unit number above.
##
## Generic DCF77 clock on serial port (Conrad DCF77)
## Address: 127.127.8.u
## Serial Port: /dev/refclock-u
##
## (create soft link /dev/refclock-0 to the particular ttyS?)
##
# server 127.127.8.0 mode 5 prefer

##
## Undisciplined Local Clock. This is a fake driver intended for backup
## and when no outside source of synchronized time is available.
##
server 127.127.1.0 # local clock (LCL)
fudge 127.127.1.0 stratum 10 # LCL is unsynchronized

##
## Outside source of synchronized time
##
## server xx.xx.xx.xx # IP address of server
server 10.10.10.1
##
## Miscellaneous stuff
##

driftfile /var/lib/ntp/drift/ntp.drift # path for drift file

logfile /var/log/ntp # alternate log file
# logconfig =syncstatus + sysevents
# logconfig =all

# statsdir /tmp/ # directory for statistics files
# filegen peerstats file peerstats type day enable
# filegen loopstats file loopstats type day enable
# filegen clockstats file clockstats type day enable

#
# Authentication stuff
#
# keys /etc/ntp.keys # path for keys file
# trustedkey 1 2 3 4 5 6 14 15 # define trusted keys
# requestkey 15 # key (7) for accessing server variables
# controlkey 15 # key (6) for accessing server variables




########################################
# /etc/sudoers file.
#######################################
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
#Defaults targetpw # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL
%Domain_Admins All=(ALL)ALL
%windows_group_of_your_choice ALL=(ALL)ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now


################################################
#/etc/samba/smb.conf file
################################################
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-02-07
[global]
workgroup = DOMAIN-SHORTNAME
realm = DOMAIN.COM
security = ads
encrypt passwords = yes
use kerberos keytab = true
password server = windows-dc-hostname.domain.com
netbios name = client-hostname
winbind use default domain = yes
winbind separator = +
idmap uid = 1000-59999
idmap gid = 1000-59999
winbind enum users = yes
winbind enum groups = yes
deadtime = 10
winbind cache time = 10
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap backend = ad
ldap idmap suffix = dc=domain,dc=com
ldap admin dn = cn=Administrator,cn=Users,dc=domain,dc=com
ldap suffix = dc=domain,dc=com
dns proxy = no
domain master = no
preferred master = no
max log size = 100
log file = /var/log/samba/%m.log
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = no
[admin]
comment = Windows Admin Access
path = /
valid users = "@Domain_Admins"
admin users = "@Domain_Admins"
read only = No
create mask = 0664
browseable = No
inherit permissions = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775


#####################################
#/etc/samba/smbusers file
#####################################
# This file allows you to map usernames from the clients to the server.
# Unix_name = SMB_name1 SMB_name2 ...
#
# See section 'username map' in the manual page of smb.conf for more
# information.
#
# This file is _not_ included in the default configuration as it makes the
# usage of an user named administrator impossible.

;root = administrator
;nobody = guest pcguest smbguest


#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account sufficient pam_krb5.so
account required pam_unix2.so


#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth sufficient pam_krb5.so
auth required pam_unix2.so


#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix2 in combination
# with pam_pwcheck.

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# To enable Blowfish or MD5 passwords, you should edit
# /etc/default/passwd.
#
# Alternate strength checking for passwords should be configured
# in /etc/security/pam_pwcheck.conf.
#
# pam_make can be used to rebuild NIS maps after password change.
#
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
#password required pam_make.so /var/yp


#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix2.
#
session required pam_limits.so
session required pam_unix2.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel



#%PAM-1.0
###########line above is part of this file#################
#/etc/pam.d/su config file
##############################################
#auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so



5.) After making the above configuration file changes run the following
commands:
getent passwd (You should only see SLED 10 local users in this listing)
kdestroy (This will destroy any cached Kerberos ticket you have)
kinit domain-admin-user@DOMAIN.COM (This will create a new kerberos ticket
for the machine)
klist (Use this to make sure you have a Kerberos Ticket)
net ads join -U domain-admin-user@DOMAIN.COM (This will join the machine to the domain)
kdestroy (Destroy the kerberos ticket to prevent browsing of net shares as domain admin)
/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start
getent passwd (The output should now list domain users and their associated UIDs)
getent group (Should output domain groups and GIDs as well as local)
wbinfo -u (Should list domain users)
wbinfo -g (Should list domain groups)
su <windows-domain-user> (should prompt you for the user's password, create a home
dir for them if necessary, and then switch you to the user)

6.) Add the windows ldap query user to the smbpasswd -w command
(not sure this is really needed):
smbpasswd -w <password-for-ldap-query-user-as-in-ldap.conf>

7.) "Enable" the ntp, smb, and winbind daemons via YaST>System>RunLevel Editor..
these daemons will need to be enabled on startup for everything to work. Also, disable the
nscd daemon from startup as it causes problems with winbind.
Can use:
chkconfig smb on
chkconfig winbind on
chkconfig nscd off

8.) After you are able to su to a windows user, reboot the machine and then login to
the system as a windows user (with UNIX attribs enabled) to test.

NOTE: If you happen to get yourself locked out of the system, change your
nsswitch.conf file to get back in. Simply boot to the SLED 10 installation disc
using the "Recover System" option, then issue these commands to change the
/etc/nsswitch.conf file back to its original state:
mount -w /dev/hda1 /mnt (where /dev/hda1 is your system partition)
vi /mnt/etc/nsswitch.conf (use vi to remove the "ldap" from passwd, group, and
shadow - should only say "files" or "compat" - this makes the machine look only at the local
files for authentication)
Reboot and then login as root so you can troubleshoot the problem... a good troubleshooting
step is to perform a cat /var/log/messages to see what types of errors your machine is
encountering.

NOTE: If you have some information that can make this article better please post it as a
comment or contact me!!
Good Luck! -Shannon VanWagner

Related Reference Material
http://www.suseforums.net/index.php?showtopic=18932
http://forums.suselinuxsupport.de/index.ph...t=0#entry224708
http://blog.scottlowe.org/2007/01/15/linux...tion-version-4/
http://blog.scottlowe.org/2007/03/22/sled-...tive-directory/
http://forums.fedoraforum.org/archiv...p/t-29825.html
http://www.redmondmag.com/columns/article....ditorialsID=858</span>

Great article.

My question, since i am out of ressource and hairs (!!!!), i am trying to connect my Suse Enterprise Server 10 (SLES) server to the Win2K3 AD to get single sign-on so i can make it a stable file server.
So is this solution will work with SLES?

Read so many books and websites and no one has a 100% working solution or some sort of a good support.

I am sure i'm not the only one trying to do this.
Even read Samba-3 By Example 2nd edition.... and not working.

help.....plz.

ghys,
Please see the newly added step 4a. Also, where are you showing failure? Do you get output from getent passwd that shows domain users? What about wbinfo -u? Are there any winbind/ldap/kerberos errors showing in /var/log/messages? Please provide more detail concerning the problem you are having.

Regards,

Shannon

Hello and thanks for the great post. VERY complete and detailed.

getent passwd = i only get local users

wbinfo -u = gives me a list of users that do reflect the same users as in my AD server.

Message file =
got time offset of 16 seconds so that is not a problem.
got some root user unknown to the underlying authentication module (client not found in Kerberos database)
idmap_init: could not load remote backend 'server.....

no major errors.
I could attach a text file with the content of the messages file

Also is the method posted here valid for a Suse 10 (SLES 10) server?

in your ldap.conf file, do you use clear text username and passwor for this?

sorry i am not used to dig deep into Linux configs.

Many places in the configs you use: <linux-ldap-user>, Users, ldap-user-passwd

do you have to replace these with actual user/pass?

thanks

ghys,

Yes, in ldap.conf you put the username and password in cleartext for the
Windows Active Directory user that you create specifically to make queries
to the directory via LDAP.

For security purposes, when you create the windows ldap user, make it a
member only to the "Domain Guests" group (this means you will have to
set "Domain Guests" as the Primary Group and then remove the ldap user
from the "Domain Users" group).

So if I create a special windows user (in the "Users" container in AD) with
the username LDAPQUERY / password mYpaSsword, and my windows
domain is called MYPLACE.COM, and my Windows Server 2003 R2 DC
with AD and Identity Mgmt for Unix enabled server is at IP 10.10.10.1
and has the hostname of DC01, my ldap.conf file would look like this:

################################################## #############
##custom ldap.conf for connecting with Server 2003 R2
################################################## #############
host 10.10.10.1
base dc=myplace,dc=com
uri ldap://dc01.myplace.com/
#cn=Users refers to the "Users" container in AD
binddn cn=LDAPQUERY,cn=Users,dc=myplace,dc=com
bindpw mYpaSsword
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=myplace,dc=com?sub
nss_base_shadow dc=myplace,dc=com?sub
nss_base_group dc=myplace,dc=com?sub?&(objectCategory=group)(gidn umber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap


As for your error msgs, here's my non-expert presumptions:
<got some root user unknown to the underlying authentication module
(client not found in Kerberos database)>
(shannon) This shows that the machine attempted to authenticate "root"
to Active Directory and failed, presumably because "root" doesn't exist
on your AD.. Good sign that krb auth is working for you

<idmap_init: could not load remote backend 'server>
(shannon) this may be related to LDAP not being able to connect to AD
-- presumably because your ldap.conf file has an error.. hopefully an
easy fix. Be sure to stop both /etc/init.d/smb and /etc/init.d/winbind
then start them in same order after making changes to the ldap.conf
file for changes to take effect.


As for using SLES, I've not yet tested this configuration but I'd imagine
it would work the same way. I'm working on getting Red Hat Server 4
working with this so stay tuned if you think that will help.

Hope this helps....
Shannon

not working .... but still looking at it.
many many thanks for the help and replies.

Question: is this config only working for Windows server 2003 R2 ?
I have a Win2K3 up to date , not a R2.
Checked MS site for changes in R2 and they put a great deal to the interoperability with *nix based systems.
I installed the Unix tools for 2003 server.

I will get a demo download of R2 for a test station, to see if it's going to work.

If i get it to work with my SLES 10, believe me i'll post all relevant info here.
Keep up the GREAT work and hope we cant get a working server soon.

cheers Ghys

Ghys,

Yes there are differences between plain Server 2003 and Server 2003 R2, specifically that 2003 R2 has *.nix support natively and 2003 requires Services For Unix "SFU" to be installed to extend the Active Directory Schema.

At least one major difference is that SFU uses a different Active Directory Schema mapping scenario in your ldap.conf file.

Try this example ldap.conf configuration for 2003 with SFU installed:

######################################
# ldap.conf file example for use with Server 2003 (non-R2)
######################################
host 10.10.10.1
base dc=myplace,dc=com
uri ldap://dc01.myplace.com/
#cn=Users refers to the "Users" container in AD
binddn cn=LDAPQUERYUSER,cn=Users,dc=myplace,dc=com
bindpw LDAPQUERYUSERpaSsword
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=myplace,dc=com
nss_base_shadow dc=myplace,dc=com
nss_base_group dc=myplace,dc=com
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute cn cn
nss_initgroups_ignoreusers root,ldap



Also, see the references links above for more information
Shannon

It's kind of funny to see other Linux distros working without any problem with AD authentication ( Ubuntu, RH ) and Suse has no support and many problems... why?

After your post i did modify the file and re-checked all the config in your how-to. Rebooted the server and waited a long time for user/pass window.

Still no computer liste in the AD computer list. Tht is weird.

Ghys,

Have you tried this setup in your /etc/samba/smb.conf file:

Instead of:
idmap backend = ad

Try:
#Where ldapserver would be the hostname for your Windows 2003 DC with SFU
idmap backend = ldap:ldap://ldapserver.domain.com

Are there any new/different messages in /var/log/messages?

Shannon