Project #2
Multi Platform centralized authentication
Team Orange
Greg McCarthy, Tony Vu, Bilal Babwani, Boris Plotkin
Created for Harvey Rudoler
Table of Contents
Table of Contents ... 2
Introduction ... 3
Kerberos ... 8
Configuration ... 8
Testing ... 9
Joining AD domain ... 10
Prerequisites ... 10
Configuring Samba ... 10
Join ... 11
Testing ... 11
PAM ... 12
Glossary ... 14
Introduction
In this manual we explain how to set up a Windows Active Directory domain with DNS, and then walk you through joining a machine running a Linux-based OS. In our environment we used Ubuntu 8.04. We used Samba and winbind to join the domain and used Kerberos to keep the authentication encrypted. PAM was configured to make winbind authentication the first line of authentication. We then configured pam_access.so and /etc/access to disallow a specific Active Directory group from logging into the Linux machine.
Follow the manual very carefully and make sure to include everything. If any steps are left out it is possible that the configuration will not work and the authentication will fail.
Domain Controller and Active Directory Installation
Now we will begin the process of creating a new domain. When a domain is created in Windows Server 2003, Active Directory is installed. Active Directory can be thought of as a centralized database of all objects on the domain. For example, Users, Computers and Groups are all types of objects.
1) Click on Start, Run, type dcpromo and hit Enter. The screenshots below will instruct you how to properly configure Windows Server 2003 as a Domain Controller.
2) Enter the name of the domain you wish to create. In this example we will be creating one called ORANGE.COM
5) Enter the NetBIOS name. This cannot be more than 15 characters. In this case it was ORANGE
6) Accept the default location for the Active Directory Log and Database.
7) Click Next, and Finish. The process will take some time but when it completes you have successfully created a new domain with Active Directory.
User and Group Creation
We are now going to create the Users and Groups required to fulfil the obligations of the outline. We will only create two Users and one Group in this example. One User will be a Member of the users Group, which will allow him to log into the Linux workstations. This other user will not be a member of disallow and therefore will be
Click Start, then Administrative Tools, followed by Active Directory Users and Computers. This will bring up the management console for all objects in the domain.
8) Find the User that you wish to restrict from accessing Linux workstations and double click it. This will bring up the User Properties Dialog.
9) Click the Member Of tab, click Add and enter disallow as the group name. This will make the user a member of the group disallow.
Kerberos
Kerberos provides the tools of authentication and strong cryptography over the network to help secure information. As previously mentioned, our project consisted of joining the Linux distribution Ubuntu with a Windows Active Directory Domain.
Installing utilities: There are 4 packages we've installed for our project; please refer to the appendix for brief info.
Configuration
Please remember the instructions are based on our test environment; if your network differs, additional research will be required for configuration. Our Active Directory Domain was orange.com and our Domain Controller was ORANGE.COM; please change these two according to your network environment.
1. Before we start we must ensure connectivity and recognition between the Active Directory domain controller and the Ubuntu/Linux client which will be joined.
In the terminal type ping ORANGE.COM
[this is using the FQDN, refer to appendix]
The output result should appear similar to:
ping ORANGE.COM (10.0.0.1) 36(72) bytes of data.
64 bytes from ORANGE.COM (10.0.0.1): icmp_seq=1 ttl=128 time=0.176ms
That shows a successful resolution of the FQDN to an IP address and confirms connectivity.
Note: if you receive a message Request Timed out, most likely the issue is a DNS server or client configuration error. Ensure that /etc/resolv.conf contains a pointer to the DNS server. Also ensure that the Windows domain controller has an A record for the Ubuntu machine pointing to the correct IP address.
2. Kerberos must ensure its time is synchronized with the Active Directory Domain Controller.
a) Type sudo vi /etc/default/ntpdate [file contains the ntpdate application configuration, for time sync]
b) Type i [means insert mode]
c) Then enter the following lines the way displayed:
# servers to check
NTPSERVERS=TONY-PC.ORANGE.COM
# additional options for ntpdate
NTPOPTIONS=-u
d) Press the [Esc] key [takes you out of insert mode]
e) Type :x, then <Enter> [:x = saves the changes then exits the current file]
f) Enter the command sudo /etc/init.d/ntpdate restart to restart the NTP client
g) This will be displayed in the terminal afterwards:
Synchronizing clock to orange.com... [ ok ]
This means the time configuration was successful
3. We must ensure the FQDN is functioning accurately; this is done by editing the local hosts file on the Ubuntu Linux client.
a) Type sudo vi /etc/hosts
b) Type i [means insert mode]
c) Then enter the following line the way displayed:
127.0.0.1 ubuntu.orange.com localhost ubuntu
d) Press the [Esc] key [takes you out of insert mode]
e) Type :x, then <Enter> [:x = saves the changes then exits the current file]
f) Test the config by pinging your own FQDN.
ex. We typed ping orange.com. The result should be similar to that of step 1 but with your FQDN.
4. i) We chose to use the krb5-config package; during installation the following prompts were presented:
What are the Kerberos servers for your realm?
Tony-pc.orange.com
What is the administrative server for your Kerberos realm?
Tony-pc.orange.com
Note: replace tony-pc.orange.com with the Active Directory Domain Controller in charge of the Domain
ii) In case you missed the step above and/or accidentally entered the wrong information, you can always manually inspect and alter the configuration file /etc/krb5.conf.
a) Type sudo vi /etc/krb5.conf
b) Type i [means insert mode]
c) Then enter the following lines the way displayed:
[logging]
    default = FILE:/var/log/krb5.log
[libdefaults]
    default_realm = ORANGE.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
[realms]
    ORANGE.COM = {
        kdc = tonypc.orange.com
        admin_server = tonypc.orange.com
        default_domain = ORANGE.COM
    }
[domain_realm]
    .orange.com = ORANGE.COM
    orange.com = ORANGE.COM
d) Press the [Esc] key [takes you out of insert mode]
e) Type :x, then <Enter> [:x = saves the changes then exits the current file]
Testing
a) Use the kinit tool from the krb5-user package to get a ticket [proof of valid authentication]. In the command prompt, type:
kinit Administrator@ORANGE.COM
Password for Administrator@ORANGE.COM: *******
Note: Domain names must be in UPPERCASE letters
b) To check if the ticket request was valid, use the klist command. In the command prompt, type klist
An output result example:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@ORANGE.COM
Valid starting     Expires            Service principal
11/30/08 10:27:51  11/30/08 08:32:43  krbtgt/ORANGE.COM@ORANGE.COM
        renew until 12/21/08 20:28:51
c) If you see the above, congratulations, Kerberos is operating correctly. If not, you may want to review some of the installation and configuration.
The ticket that was created can now be deleted by typing kdestroy in the terminal.
Configuring Samba:
1. Configuring Samba is essential for communication between the Linux and Windows systems
a) Type sudo vi /etc/samba/smb.conf
b) Type i [means insert mode]
c) Add the following lines in the file as displayed:
[global]
security = ads
realm = ORANGE.COM
password server = 142.204.145.54
#
# note that workgroup is the 'short' domain name
workgroup = ORANGE
#
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
d) Press the [Esc] key [takes you out of insert mode]
e) Type :x, then <Enter> [:x = saves the changes then exits the current file]
Note: If you are in a multi-domain environment then winbind use default domain should be set to no. The domain name is then required when logging in, because currently authentication only requires a valid username and password. The default delimiter between the domain name and username is \; to change this, add the line "winbind separator = x" where x is the delimiter you want.
f) Every time we alter the Samba configuration file, it is best practice to restart the service. Since Samba affects winbind, we must also restart winbind for the new changes to take effect.
Use the following commands
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start
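The krb5.conf from step 4 and the smb.conf above must agree with each other: the realm must be uppercase in both, and [domain_realm] must map your own domain (not a leftover example domain) to that realm, or the join and later logins fail in confusing ways. The following checker is an added example, not part of the original manual; it assumes keys are written in lowercase as shown here and builds its own sample files from the manual's ORANGE.COM values and its DC name tonypc.orange.com.

```shell
# Consistency check for the krb5.conf / smb.conf pair described above (added example).
# Assumptions: plain ini-style files with lowercase keys; the nested realm
# stanza is scanned flat (its braces are ignored).

# Print the value of key $3 inside section [$2] of file $1 (empty if absent).
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    { l = $0; sub(/^[ \t]+/, "", l); sub(/[ \t]+$/, "", l) }
    l ~ /^[#;]/ || l == "" { next }
    l ~ /^\[/ { insec = (l == sec); next }
    insec && index(l, "=") {
      k = l; sub(/[ \t]*=.*/, "", k)
      if (k == key) { v = l; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
    }' "$1"
}

# Check krb5.conf ($1) against smb.conf ($2); print each problem, return 1 if any.
check_ad_config() {
  rc=0; realm=$(ini_get "$1" libdefaults default_realm)
  [ -n "$realm" ] || { echo "krb5.conf: default_realm missing"; rc=1; }
  case $realm in *[a-z]*) echo "krb5.conf: realm '$realm' must be UPPERCASE"; rc=1 ;; esac
  dom=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  [ -n "$(ini_get "$1" realms kdc)" ] || { echo "krb5.conf: [realms] lacks a kdc entry"; rc=1; }
  for d in ".$dom" "$dom"; do   # hosts in the domain and the bare domain must both map to the realm
    [ "$(ini_get "$1" domain_realm "$d")" = "$realm" ] ||
      { echo "krb5.conf: [domain_realm] lacks '$d = $realm'"; rc=1; }
  done
  [ "$(ini_get "$2" global security)" = "ads" ] || { echo "smb.conf: security must be ads"; rc=1; }
  [ "$(ini_get "$2" global realm)" = "$realm" ] || { echo "smb.conf: realm must equal $realm"; rc=1; }
  wg=$(ini_get "$2" global workgroup)
  # NetBIOS name limit, the same 15-character rule as in the dcpromo step
  { [ -n "$wg" ] && [ ${#wg} -le 15 ]; } ||
    { echo "smb.conf: workgroup missing or longer than 15 characters"; rc=1; }
  return $rc
}

# Constructed sample files in directory $1, mirroring this manual's settings.
write_samples() {
  printf '%s\n' '[libdefaults]' 'default_realm = ORANGE.COM' '[realms]' 'ORANGE.COM = {' \
    'kdc = tonypc.orange.com' 'admin_server = tonypc.orange.com' '}' '[domain_realm]' \
    '.orange.com = ORANGE.COM' 'orange.com = ORANGE.COM' > "$1/krb5.conf"
  printf '%s\n' '[global]' 'security = ads' 'realm = ORANGE.COM' \
    '# note that workgroup is the short domain name' 'workgroup = ORANGE' > "$1/smb.conf"
}

d=$(mktemp -d); write_samples "$d"
check_ad_config "$d/krb5.conf" "$d/smb.conf" && echo "krb5.conf and smb.conf are consistent"
```

Run it against the real files with check_ad_config /etc/krb5.conf /etc/samba/smb.conf before attempting net ads join.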
Joining:
1. a) Use the kinit tool to request a valid ticket. In the command prompt, type:
sudo kinit Administrator@ORANGE.COM
sudo net ads join
Output:
Note: Domain names must be in UPPERCASE letters. If the Kerberos authentication ticket was valid, then you should not be asked for a password; if prompted, leave it blank and just press <enter>.
Testing:
Setup Authentication:
nsswitch
1. a) Type sudo vi /etc/nsswitch.conf
b) Type i [means insert mode]
c) Navigate to the following lines and alter as displayed below:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
d) Press the [Esc] key [takes you out of insert mode]
e) Type :x, then <Enter> [:x = saves the changes then exits the current file]
2. The domain should be successfully joined at this point. To check, execute the commands
wbinfo -u
You should get a list of the users of the domain
wbinfo -g
You should get a list of the groups of the domain
Note: if nothing is displayed this may be because there are no users or groups that are part of the domain; check Active Directory Users and Computers on the Windows machine. Otherwise, you may have to review some of the previous steps to ensure they were followed accurately.
3. Another test we can perform is for the winbind nsswitch module, using a tool called getent. It displays the database you have chosen, such as /etc/passwd.
a) Type in terminal sudo getent passwd
b) Type in terminal sudo getent group
Sample output for a):
root:x:0:0:root:/root:/bin/bash
...
ORANGE\bguser:x:10000:10000:bguser:/home/ORANGE/bguser:/bin/bash
ORANGE\apluser:x:10001:10001:apluser:/home/ORANGE/apluser:/bin/bash
Note: The users from AD have to exist in /etc/passwd on the Ubuntu workstation. You can also use libnss-ldap to get the account info from AD. However, we used wbinfo.
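The getent output is worth checking mechanically rather than by eye: every winbind-mapped account should have a uid and gid inside the idmap range from smb.conf (10000-20000), a home directory that matches template homedir = /home/%D/%U, and the template shell /bin/bash. The script below is an added example, not part of the original manual; it assumes account names arrive as DOMAIN\user as in the sample above, and its input is a constructed copy of that sample.

```shell
# Validate getent passwd output against this manual's smb.conf settings (added example):
# idmap uid/gid = 10000-20000, template homedir = /home/%D/%U, template shell = /bin/bash.
# Assumption: names arrive as DOMAIN\user, as in the sample output above.
IDMAP_LO=10000; IDMAP_HI=20000; DOMAIN=ORANGE

# Numeric range test; non-numeric input counts as out of range.
in_idmap() { [ "$1" -ge "$IDMAP_LO" ] 2>/dev/null && [ "$1" -le "$IDMAP_HI" ]; }

# Read passwd lines on stdin. Local accounts (uid outside the idmap range) are skipped;
# every winbind-mapped entry is printed as OK or BAD, and the return code is 1 if any is BAD.
check_ad_passwd() {
  rc=0
  while IFS=: read -r name _ uid gid _ home shell; do
    in_idmap "$uid" || continue
    user=${name##*\\}                     # strip the "DOMAIN\" prefix
    want="/home/$DOMAIN/$user"            # what template homedir = /home/%D/%U expands to
    if in_idmap "$gid" && [ "$home" = "$want" ] && [ "$shell" = /bin/bash ]; then
      echo "OK  $name uid=$uid gid=$gid"
    else
      echo "BAD $name uid=$uid gid=$gid home=$home shell=$shell (expected $want, /bin/bash)"; rc=1
    fi
  done
  return $rc
}

# Constructed sample, copied from the getent output shown above plus the local root account.
SAMPLE='root:x:0:0:root:/root:/bin/bash
ORANGE\bguser:x:10000:10000:bguser:/home/ORANGE/bguser:/bin/bash
ORANGE\apluser:x:10001:10001:apluser:/home/ORANGE/apluser:/bin/bash'

printf '%s\n' "$SAMPLE" | check_ad_passwd
```

On a joined workstation, run getent passwd | check_ad_passwd; a BAD line usually means the idmap or template settings were changed after the first winbind lookup, so the cached mappings no longer match smb.conf.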
Glossary of Terms
Active Directory: A technology created by Microsoft that provides a variety of network services, including
LDAP, DNS and Kerberos
Domain: A logical group of computers running under the same domain name
Domain name: A symbolic representation of a computer through a name.
dpkg: The software at the base of the Debian package management system. Allows for installation, removal and
checking of .deb packages
FQDN: Fully Qualified Domain Name, the combination of the computer name and domain name. The DNS server
uses this to point to the computer.
GDM: Stands for Gnome display manager, it is used by the Gnome x window system for graphical logins. If you
are using a KDE system it is the KDM
Kerberos: A computer network authentication protocol, which allows individuals communicating over a nonsecure network to prove their identity to one another in a secure manner.
Local Login: Any type of login that happens at the host computer where the OS is installed, this includes the
graphical login screen and the console
LDAP: Lightweight directory access protocol, an application protocol for querying and modifying directory services
running over TCP/IP
pam_krb5.so: Allows smooth integration of Kerberos 5 password-checking with applications built using PAM.
Samba: A free software re-implementation of SMB/CIFS networking protocol. Allows for communications
between Windows and Linux machines.
Winbind: A network account sharing/authentication daemon. It is used to make NT accounts visible to the UNIX system.