Bind Linux to Active Directory with kerberos

We are trying to bind a Linux machine (debian 4.0) to a W2k3 AD. We have configured Kerberos correctly so that we can get a TGT, and users authenticate properly. However, PAM seems to be the stumbling block. For example, when we try to SSH into the Linux machine as one of the AD users, authentication succeeds (according to auth.log), but I never get a shell. By default the environment is configured correctly, and PAM even creates the home directory correctly. As a reference, we loosely followed:

https://help.ubuntu.com/community/ActiveDirectoryHowto

4 answers

If you are sure that everything except PAM is working correctly, I suggest passing the debug parameter to pam_krb5.so to see whether it tells you what is happening.

I also suggest verifying that nss-ldap is configured correctly using:

getent passwd avalidusername 

I used Likewise to do something similar on our servers. Here is the process we use to configure it:

Install Likewise:

 $ sudo apt-get update
 $ sudo apt-get install likewise-open

Join the domain (assuming the domain is "domain.local"):

 $ sudo domainjoin-cli join domain.local Administrator
 $ sudo update-rc.d likewise-open defaults
 $ sudo /etc/init.d/likewise-open start

Assuming you are using sudo and you want AD users to have sudoer privileges, you need to edit the sudoers file. This can be done with the following command:

 $ sudo visudo 

then add the following to the end of the file (this assumes the domain is DOMAIN and that all users who should have sudo are in an Active Directory group called "linux_admin"):

 %DOMAIN\\linux_admin ALL=(ALL) ALL 

POSIX accounts require a valid shell in the user account. When using LDAP, the loginShell attribute provides this. You need to map the corresponding loginShell attribute in your PAM/NSS configuration, or enable MS Services for UNIX on the DC, which extends the AD schema to include the necessary POSIX attributes.

See http://www.ietf.org/rfc/rfc2307.txt for RFC 2307, which defines these attributes for LDAP.
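The "authenticates but never gets a shell" symptom described in the question is usually caught by combining the getent check from the first answer with the loginShell requirement from this one. The following POSIX sh script is an added example (not from the original thread or any of the tools it mentions): it validates a passwd-format entry as getent would return it, checking the field count, a non-empty shell field, and that the shell is listed in an /etc/shells-style file; the sample entries and shells file are constructed here, and check_user is the helper you would run on the real host.

```shell
#!/bin/sh
# Validate that an account resolved through NSS (getent passwd) has a login
# shell that sshd/login can actually start. Assumes POSIX sh and a shells
# file in /etc/shells format (one absolute path per line).

# check_passwd_line "<passwd line>" <shells-file>
# Prints a diagnosis; returns 0 if the entry is usable, 1 otherwise.
check_passwd_line() {
    line=$1
    shells_file=$2
    name=${line%%:*}
    # passwd(5) format: name:passwd:uid:gid:gecos:home:shell (7 fields)
    nfields=$(printf '%s\n' "$line" | awk -F: '{print NF}')
    if [ "$nfields" -ne 7 ]; then
        echo "malformed entry ($nfields fields, expected 7): $line"
        return 1
    fi
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    if [ -z "$shell" ]; then
        echo "$name: empty shell field (loginShell attribute not mapped/set)"
        return 1
    fi
    if ! grep -qxF "$shell" "$shells_file"; then
        echo "$name: shell $shell is not listed in $shells_file"
        return 1
    fi
    echo "ok: $name home=$home shell=$shell"
    return 0
}

# check_user NAME [SHELLS_FILE]: resolve NAME through NSS on this host and
# validate the returned entry (defaults to /etc/shells).
check_user() {
    entry=$(getent passwd "$1") || {
        echo "NSS cannot resolve $1 (check nss-ldap / the Likewise provider)"
        return 1
    }
    check_passwd_line "$entry" "${2:-/etc/shells}"
}

# Constructed sample data (hypothetical users, not from a real directory).
SAMPLE_SHELLS=$(mktemp)
trap 'rm -f "$SAMPLE_SHELLS"' EXIT
printf '/bin/sh\n/bin/bash\n' > "$SAMPLE_SHELLS"
GOOD_ENTRY='jdoe:x:10001:10001:John Doe:/home/DOMAIN/jdoe:/bin/bash'
NO_SHELL_ENTRY='asmith:x:10002:10002:Ann Smith:/home/DOMAIN/asmith:'
BAD_SHELL_ENTRY='bjones:x:10003:10003:Bob Jones:/home/DOMAIN/bjones:/bin/zsh'
check_passwd_line "$GOOD_ENTRY" "$SAMPLE_SHELLS"
check_passwd_line "$NO_SHELL_ENTRY" "$SAMPLE_SHELLS" || true
check_passwd_line "$BAD_SHELL_ENTRY" "$SAMPLE_SHELLS" || true
```

On the affected host, `check_user someaduser` reports whether NSS resolves the account at all and, if so, whether the shell it returns is one sshd can start.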


Simple solution: pam_krb5 + LDAP

The PAM module is pam_krb5, which provides a very convenient configuration for authenticating a Linux client against an existing Active Directory domain and/or OpenLDAP server.


Source: https://habr.com/ru/post/1277526/
