CentOS 5.6 + Windows 2003 R1 Active Directory authentication with LDAP

I wanted to share another small recipe on how to setup CentOS 5.6 to authenticate Linux users against Windows 2003 Server (Not R2). However this time with LDAP instead of Samba.

The main reasons why you would like to use LDAP instead of Samba/Winbind:
- You do not need Microsoft Client Access Licences (CALs). At least it is not checked :)
- No need to use Samba (if you do not like for a reason or another).

Active Directory server preparation

AD server needs some preparation before it can be used in this setup. You need to have Windows 2008 R2 CD/DVD around for some steps.
  1. Run adprep /forestprep from the Windows 2008 R2 disc.
  2. Run adprep /domainprep from the Windows 2008 R2 disc.
  3. Install Remote Server Administration Tools for Windows 7 with Service Pack 1 aka RSAT. You need to install ADUC (Active Directory Users And Computers) ie. AD DS + AD LDS Tools and GPMC (Group Policy Management Console) parts of it. RSAT can be found here.
  4. Edit with the tools you just installed each AD user that you need available in unix and make sure they have following parameters set:
    • uidNumber (some id number which is free in unix, e.g. 1000)
    • uid (userid: e.g. hkroger)
    • gidNumber (the id of the user's main group, e.g. 1000)
    • loginShell (e.g. /bin/bash)
    • unixHomeDirectory (e.g. /home/hkroger)
    • sAMAccountName (userid: e.g. hkroger)
  5. Every group should have:
    • gidNumber (the numeric id of the group, e.g. 1000)
  6. Create a new user called unixauth with some password. This will be used for LDAP connection itself.

Setup LDAP

Let's install necessary packages and setup basic auth config setup:
# yum install nss_ldap openldap-clients pam_ccreds -y
# authconfig --enableldap --enableldapauth --ldapserver=
--ldapbasedn="DC=mycompany,DC=local" --disablesmbauth --disablewinbind --disablewinbindauth
--disablewins --enablepreferdns --enablecache --enablemkhomedir --kickstart --update

Then let's create a new /etc/ldap.conf file
cat <<EOF > /etc/ldap.conf
uri ldap://
ldap_version 3
binddn unixauth@MYCOMPANY.LOCAL
bindpw myunixauthuserpassword
ssl off
scope sub

nss_base_passwd DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)
nss_base_shadow DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)
nss_base_group DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=group)(gidnumber=*)

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

nss_map_attribute gecos sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowExpire accountExpires
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member

timelimit 5
bind_timelimit 5
idle_timelimit 5
bind_policy hard
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
tls_cacertdir /etc/openldap/cacerts
pam_password ad
debug 0

If you want to make a special group of users also sudoes you can enable a group in sudoers file like this. In our example the group is called unix_admin:
grep -q unix_admin /etc/sudoers || echo %unix_admin ALL=\(ALL\) ALL >> /etc/sudoers

Next we need to tweak system authentication files so that LDAP is actually used:
cat <<EOF > /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done default=die] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
#account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

sed -i -e 's/^passwd:.*/passwd: files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf
sed -i -e 's/^shadow:.*/shadow: files ldap/g' /etc/nsswitch.conf
sed -i -e 's/^group:.*/group: files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf

And finally we configure the caching daemon to keep data for 7 days and then restart it. The great idea here is that if there is no connection between your server and the AD server, you can still login onto your server:
sed -i /etc/nscd.conf -e 's/^.*positive-time-to-live.*passwd.*/ positive-time-to-live passwd 604800/g'
sed -i /etc/nscd.conf -e 's/^.*positive-time-to-live.*group.*/ positive-time-to-live group 604800/g'
sed -i /etc/nscd.conf -e 's/.*reload-count.*/ reload-count unlimited/g'

/etc/init.d/nscd restart

And that's it! You should be now able to login onto your CentOS server with your Windows AD account.

Check for more info:



No comments:

Post a Comment