
APL701

Project #2
Multi Platform centralized authentication

Team Orange
Greg McCarthy, Tony Vu, Bilal Babwani, Boris Plotkin
Created for Harvey Rudoler

Table of Contents

Table of Contents ........................................... 2
Introduction ................................................ 3
Domain Controller and Active Directory Installation ......... 3
User and Group Creation ..................................... 5
Kerberos .................................................... 8
  Configuration ............................................. 8
  Testing ................................................... 9
Joining AD domain .......................................... 10
  Prerequisites ............................................ 10
  Configuring Samba ........................................ 10
  Join ..................................................... 11
  Testing .................................................. 11
PAM ........................................................ 12
Automatic Kerberos Ticket Refresh .......................... 12
How to Restrict selected Linux logins ...................... 13
Glossary ................................................... 14

Introduction

In this manual we explain how to set up a Windows Active Directory domain with DNS, and then walk you through
joining a machine running a Linux-based OS to that domain. In our environment we used Ubuntu 8.04. We used Samba
and winbind to join the domain, and Kerberos to keep the authentication encrypted. PAM was configured to make
winbind authentication the first line of authentication. We then configured pam_access.so and
/etc/security/access.conf to disallow a specific Active Directory group from logging into the Linux machine.
Follow the manual very carefully and make sure to include everything. If any steps are left out it is possible that
the configuration will not work and authentication will fail.

Domain Controller and Active Directory Installation

Now we will begin the process of creating a new domain. When a domain is created in Windows Server 2003, Active
Directory is installed. Active Directory can be thought of as a centralized database of all objects on the domain.
For example, Users, Computers and Groups are all types of objects.

1) Click on Start, Run, type dcpromo and hit Enter. The screenshots below will instruct you how to
   properly configure Windows Server 2003 as a Domain Controller.
2) Select the option to create a domain controller for a new domain.
3) Select the option to create a domain in a new forest.
4) Enter the name of the domain you wish to create. In this example we will be creating one called
   ORANGE.COM.
5) Enter the NetBIOS name. This cannot be more than 15 characters. In this case it was ORANGE.
6) Accept the default location for the Active Directory log and database.
7) Accept the default location for the SYSVOL folder.
8) We will be creating a domain with Windows 2000 clients and newer.
9) Enter your restore mode password.
10) Click Next, and Finish. The process will take some time, but when it completes you have
    successfully created a new domain with Active Directory.

User and Group Creation

We are now going to create the Users and Groups required to fulfil the obligations of the outline. We will only
create two Users and one Group in this example. One User will be a member of the users group only, which will
allow him to log into the Linux workstations. The other User will be a member of the group disallow and will
therefore be unable to log into the Linux workstations.

1) Click Start, then Administrative Tools, followed by Active Directory Users and Computers. This will
   bring up the management console for all objects in the domain.
2) Right click Users, and select New, then User.
3) Enter the credentials for this new user.
4) Enter a password and select the options you deem appropriate for this user.
5) Click Finish and you have just created a User. You can repeat these steps for all the users that you
   wish to create.
6) Right click Users, then select New, followed by Group.
7) We will create a Group called disallow. Users in this group will be restricted from logging into Linux
   workstations.
8) Find the User that you wish to restrict from the Linux workstations and double click it. This will bring
   up the User Properties dialog.
9) Click the Member Of tab, click Add and enter disallow as the group name. This will make the user a
   member of the group disallow.

Kerberos

Kerberos provides authentication and strong cryptography over the network to help secure information. As
previously mentioned, our project consisted of joining the Linux distribution Ubuntu with a Windows Active
Directory Domain.

Installing utilities: There are 4 packages we've installed for our project; please refer to the appendix for brief info.
  krb5-user: Basic programs to authenticate using MIT Kerberos.
  libpam-krb5: PAM module for MIT Kerberos.
  krb5-config: Configuration files for Kerberos Version 5.
  libkadm55: MIT Kerberos administration runtime libraries.

Type: sudo apt-get install krb5-user libpam-krb5 krb5-config libkadm55

Note: this may take some time.

Configuration

Please remember that the instructions are based on our test environment; if your network differs, additional
research will be required for configuration. Our Active Directory domain was orange.com and the Domain Controller
was ORANGE.COM; please change these two according to your network environment.

1. Before we start we must ensure connectivity and name resolution between the Active Directory domain
   controller and the Ubuntu/Linux client that will be joined.
   In the terminal type: ping ORANGE.COM
   [this is using the FQDN, refer to appendix]
   The output should appear similar to:
     ping ORANGE.COM (10.0.0.1) 36(72) bytes of data.
     64 bytes from ORANGE.COM (10.0.0.1): icmp_seq=1 ttl=128 time=0.176ms
   That shows a successful resolution of the FQDN to an IP address and confirms connectivity.
   Note: if you receive the message "Request timed out", the issue is most likely a DNS server or client
   configuration error. Ensure that /etc/resolv.conf points to the DNS server, and that the Windows domain
   controller has an A record for the Ubuntu machine pointing to the correct IP address.
   a) Type sudo vi /etc/resolv.conf
   b) Type i [means insert mode]
   c) Then enter the following lines the way displayed (the nameserver entry must be the DNS server's IP
      address, not its host name; 10.0.0.1 is the domain controller's address shown in the ping output above):
        search orange.com
        nameserver 10.0.0.1
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]

2. Kerberos requires the client's time to be synchronized with the Active Directory Domain Controller.
   a) Type sudo vi /etc/default/ntpdate [this file holds the ntpdate configuration used for time sync]
   b) Type i [means insert mode]
   c) Then enter the following lines the way displayed:
        # servers to check
        NTPSERVERS=TONY-PC.ORANGE.COM
        # additional options for ntpdate
        NTPOPTIONS=-u
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]
   f) Enter the command sudo /etc/init.d/ntpdate restart to restart the NTP client.
   g) This will be displayed in the terminal afterwards:
        Synchronizing clock to orange.com... [ ok ]
      This means the time configuration was successful.

3. We must ensure the FQDN resolves correctly; this is done by editing the local hosts file on the Ubuntu Linux
   client.
   a) Type sudo vi /etc/hosts
   b) Type i [means insert mode]
   c) Then enter the following line the way displayed:
        127.0.0.1 ubuntu.orange.com localhost ubuntu
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]
   f) Test the configuration by pinging your own FQDN.
      ex. We typed ping orange.com. The result should be similar to that of step 1 but with your FQDN.
4. i) We chose to use the krb5-config package; during installation the following prompts were presented:
        What are the Kerberos servers for your realm?
        tony-pc.orange.com
        What is the administrative server for your Kerberos realm?
        tony-pc.orange.com
      Note: replace tony-pc.orange.com with the Active Directory Domain Controller in charge of the domain.
   ii) In case you missed the step above and/or accidentally entered the wrong information, you can always
       manually inspect and alter the configuration file /etc/krb5.conf.
   a) Type sudo vi /etc/krb5.conf
   b) Type i [means insert mode]
   c) Then enter the following lines the way displayed. The [domain_realm] section maps the DNS domain
      (lower case) to the Kerberos realm (upper case); it must name your own domain, otherwise the client
      cannot work out which realm a host belongs to:
        [logging]
        default = FILE:/var/log/krb5.log
        [libdefaults]
        default_realm = ORANGE.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        [realms]
        ORANGE.COM = {
          kdc = tony-pc.orange.com
          admin_server = tony-pc.orange.com
          default_domain = ORANGE.COM
        }
        [domain_realm]
        .orange.com = ORANGE.COM
        orange.com = ORANGE.COM
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]
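The krb5.conf above has to agree with itself in three places (default_realm, the [realms] block and the [domain_realm] mapping), and the realm must be upper case while the DNS names are lower case. The following script is an added example, not part of the original manual or of MIT Kerberos: gen_krb5_conf derives all three from one domain name and one domain controller name so they cannot disagree, and check_krb5_conf validates an existing file for the same properties. The domain orange.com and host tony-pc.orange.com in the usage line are the manual's example values; the script file name is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of the original manual): generate the krb5.conf layout
# used above from the DNS domain and domain controller, and validate a krb5.conf
# for the properties the manual relies on. Names in the usage line are constructed.

# gen_krb5_conf DOMAIN DC -> prints a krb5.conf on stdout
gen_krb5_conf() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names: lower case
    realm=$(printf '%s' "$1" | tr 'a-z' 'A-Z')    # Kerberos realm: upper case
    dc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cat <<EOF
[logging]
  default = FILE:/var/log/krb5.log

[libdefaults]
  default_realm = $realm
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true

[realms]
  $realm = {
    kdc = $dc
    admin_server = $dc
    default_domain = $domain
  }

[domain_realm]
  .$domain = $realm
  $domain = $realm
EOF
}

# check_krb5_conf FILE DOMAIN -> returns 0 if FILE has an upper-case default_realm,
# maps DOMAIN to that realm in [domain_realm], and lists a kdc under [realms];
# otherwise prints the first problem found and returns 1.
check_krb5_conf() {
    file=$1
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    realm=$(awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
                         gsub(/[[:space:]]/, "", $2); print $2; exit }' "$file")
    [ -n "$realm" ] || { echo "check: no default_realm in $file"; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] \
        || { echo "check: realm $realm is not upper case"; return 1; }
    # [domain_realm] must map the client's own domain, not a placeholder like example.com
    grep -Eq "^[[:space:]]*\.?$domain[[:space:]]*=[[:space:]]*$realm"'[[:space:]]*$' "$file" \
        || { echo "check: no [domain_realm] mapping from $domain to $realm"; return 1; }
    # a kdc line that sits inside the [realms] section
    awk '/^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/) }
         in_realms && /^[[:space:]]*kdc[[:space:]]*=[[:space:]]*[^[:space:]]/ { found = 1 }
         END { if (found) exit 0; exit 1 }' "$file" \
        || { echo "check: no kdc defined under [realms] for $realm"; return 1; }
    return 0
}

# Usage (constructed script name): sh krb5gen.sh orange.com tony-pc.orange.com > krb5.conf
if [ $# -eq 2 ]; then
    gen_krb5_conf "$1" "$2"
fi
```

Run check_krb5_conf against the file you actually installed before trying kinit: a lower-case realm or a [domain_realm] entry left at example.com produces a "Cannot find KDC for requested realm" style failure that is easy to mistake for a network problem.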

Testing

a) Use the kinit tool from the krb5-user package to get a ticket [proof of valid authentication].
   In the command prompt, type:
     kinit Administrator@ORANGE.COM
     Password for Administrator@ORANGE.COM: *******
   Note: Domain names must be in UPPERCASE letters.

b) To check that the ticket request was valid, use the klist command. In the command prompt, type klist.
   Example output:
     Ticket cache: FILE:/tmp/krb5cc_0
     Default principal: Administrator@ORANGE.COM

     Valid starting     Expires            Service principal
     11/30/08 10:27:51  11/30/08 08:32:43  krbtgt/ORANGE.COM@ORANGE.COM
             renew until 12/21/08 20:28:51

c) If you see the above, congratulations, Kerberos is operating correctly. If not, you may want to review
   some of the installation and configuration steps.
   The ticket that was created can now be deleted by typing kdestroy in the terminal.

Joining AD domain

Joining the Ubuntu client to the Windows AD.

Prerequisites:
1. In order to join the domain we need the winbind and samba packages. Usually they are preloaded
   with the Linux system; however, we will check for them just in case.
   a) Execute this command: dpkg -l | grep winbind
   b) The result of the command should show the package name and version like so:
        ii  winbind  2:3.2.3-1ubuntu3
      i. If you see something like the above, then the package is installed; continue to step c)
      ii. If you see anything else or nothing, then you must install the package; type
          sudo apt-get install winbind
   c) Repeat steps a) & b) replacing winbind with samba

Configuring Samba:
1. Configuring Samba is essential for communication between the Linux and Windows systems.
   a) Type sudo vi /etc/samba/smb.conf
   b) Type i [means insert mode]
   c) Add the following lines in the file as displayed:
        [global]
        security = ads
        realm = ORANGE.COM
        password server = 142.204.145.54
        # note that workgroup is the 'short' domain name
        workgroup = ORANGE
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]
   Note: If you are in a multi-domain environment then winbind use default domain should be set to no.
   The domain name is then required when logging in, because currently authentication only requires a
   valid username and password. The default delimiter between the domain name and username is \; to
   change it, add the line "winbind separator = x", where x is the delimiter you want.
   f) Every time we alter the Samba configuration file, it is best practice to restart the service. Since Samba
      affects winbind, we must also restart winbind for the new changes to take effect.
      Use the following commands:
        sudo /etc/init.d/winbind stop
        sudo /etc/init.d/samba restart
        sudo /etc/init.d/winbind start
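Several of the settings above are silently wrong if mistyped: security must be ads for an AD join, realm must be the upper-case DNS domain, workgroup is a NetBIOS name of at most 15 characters (the dcpromo step enforces the same limit), and the idmap ranges must be LOW-HIGH with LOW below HIGH or winbind has nowhere to allocate uids and gids, so getent and wbinfo show no domain accounts. The script below is an added example, not part of the original manual or of Samba. smb_get reads a parameter from the [global] section the way Samba matches parameter names (case-insensitively, ignoring embedded spaces); check_smb_conf applies the checks just listed. The path in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of the original manual): read [global] parameters from
# an smb.conf and check the ones the Active Directory join depends on. The file
# path in the usage line is constructed.

# smb_get FILE PARAM -> prints the value of PARAM from [global], or nothing if unset.
# Samba ignores case and embedded spaces in parameter names, so both are normalised.
smb_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')" '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        in_global && !/^[[:space:]]*[#;]/ && index($0, "=") {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[[:space:]]/, "", k); k = tolower(k)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == want) { print v; exit }
        }' "$1"
}

# check_smb_conf FILE DOMAIN -> returns 0 if [global] is consistent with an AD join
# for DOMAIN; every problem found is printed and the return status is then 1.
check_smb_conf() {
    f=$1
    expected_realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    bad=0
    [ "$(smb_get "$f" security)" = ads ] \
        || { echo "security must be 'ads' for an Active Directory join"; bad=1; }
    realm=$(smb_get "$f" realm)
    [ "$realm" = "$expected_realm" ] \
        || { echo "realm must be the upper-case DNS domain ($expected_realm), got '$realm'"; bad=1; }
    wg=$(smb_get "$f" workgroup)
    [ -n "$wg" ] && [ ${#wg} -le 15 ] \
        || { echo "workgroup must be the NetBIOS name (1-15 characters), got '$wg'"; bad=1; }
    # idmap ranges: LOW-HIGH with LOW < HIGH, otherwise winbind cannot allocate ids
    for p in "idmap uid" "idmap gid"; do
        r=$(smb_get "$f" "$p")
        lo=${r%-*}; hi=${r#*-}
        case "$lo$hi" in
            ""|*[!0-9]*) echo "$p must be LOW-HIGH, got '$r'"; bad=1; continue ;;
        esac
        [ "$lo" -lt "$hi" ] || { echo "$p: low end $lo is not below high end $hi"; bad=1; }
    done
    return $bad
}

# Usage (constructed script name and path): sh smbcheck.sh /etc/samba/smb.conf orange.com
if [ $# -eq 2 ]; then
    check_smb_conf "$1" "$2"
fi
```

Run it after every edit of smb.conf and before the winbind/samba restart in step f); the checks are deliberately limited to what this manual configures, so a clean result means the join can be attempted, not that every Samba option is sensible.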

Joining:
1. a) Use the kinit tool to request a valid ticket, then join. In the command prompt, type:
        sudo kinit Administrator@ORANGE.COM
        sudo net ads join
      Output:
        Using short domain name ORANGE
        Joined 'ubuntu' to realm 'ORANGE.COM'
   Note: Domain names must be in UPPERCASE letters. If the Kerberos authentication ticket was valid,
   then you should not be asked for a password; if prompted, leave it blank and just press <enter>.

Testing:
Setup Authentication: nsswitch
1. a) Type sudo vi /etc/nsswitch.conf
   b) Type i [means insert mode]
   c) Navigate to the following lines and alter them as displayed below:
        passwd: compat winbind
        group:  compat winbind
        shadow: compat winbind
        hosts:  files dns
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]
2. The domain should be successfully joined at this point. To check, execute the commands:
     wbinfo -u
   You should get a list of the users of the domain.
     wbinfo -g
   You should get a list of the groups of the domain.
   Note: if nothing is displayed this may be because there are no users or groups in the domain; check
   Active Directory Users and Computers on the Windows machine. Otherwise, you may have to review some of
   the previous steps to ensure they were followed accurately.
3. Another test we can perform is of the winbind nsswitch module, using a tool called getent. It displays the
   database you have chosen, such as passwd (the contents of /etc/passwd plus the accounts winbind supplies).
   a) Type in terminal sudo getent passwd
   b) Type in terminal sudo getent group
   Sample output for a):
     root:x:0:0:root:/root:/bin/bash
     ...
     ORANGE\bguser:x:10000:10000:bguser:/home/ORANGE/bguser:/bin/bash
     ORANGE\apluser:x:10001:10001:apluser:/home/ORANGE/apluser:/bin/bash
   Sample output for b):
     root:x:0:
     daemon:x:1:
     bin:x:2:
     ...
     ORANGE\apluser:x:10005:users
     ORANGE\bguser:x:10006:users
     ORANGE\linux:x:10000:

PAM (Pluggable Authentication Modules)

PAM allows authentication modules to be independent from programs, allowing compatibility among different
authentication schemes. Configuration may vary according to the local system setup and the discretion of the
administrator.
The configuration directory for PAM is /etc/pam.d. The command cd /etc/pam.d will take you there; you will
notice a few configuration files.
1. We started with the common-auth file
   a) Type sudo vi common-auth
   b) Type i [means insert mode]
   c) Then enter the following lines the way displayed:
        auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u
        auth sufficient pam_unix.so likeauth nullok use_first_pass
        auth required   pam_deny.so
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]
2. Next was the common-session file
   a) Type sudo vi common-session
   b) Type i [means insert mode]
   c) Then enter the following lines the way displayed:
        session required pam_unix.so
        session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]

Note: The users from AD have to be resolvable as accounts on the Ubuntu workstation, just as if they were in
/etc/passwd; the winbind entries in /etc/nsswitch.conf provide this. You can also use libnss-ldap to get the
account info from AD. However, we used wbinfo.

Automatic Kerberos Ticket Refresh

1. To ensure the Kerberos ticket is refreshed automatically, we will add this task in Samba's configuration.
   The smb.conf parameter for this is winbind refresh tickets; it makes winbind renew the Kerberos tickets
   it obtained for a user at login (the idmap uid range was already set in the [global] section earlier and
   has no effect on ticket refresh):
   a) Type sudo vi /etc/samba/smb.conf
   b) Type i [means insert mode]
   c) Add the following line to the end of the [global] section:
        winbind refresh tickets = yes
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]

2. We must also add to /etc/pam.d/common-auth
   a) Type sudo vi /etc/pam.d/common-auth
   b) Type i [means insert mode]
   c) Navigate to where the lines below are and alter them accordingly
      (notice the 2nd and 3rd lines are not changed, but are shown to indicate the location of the altered line):
        auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
        auth sufficient pam_unix.so nullok_secure use_first_pass
        auth required   pam_deny.so
   d) Press the [Esc] key [takes you out of insert mode]
   e) Type :x, then <Enter> [:x saves the changes and exits the current file]

How to Restrict selected Linux logins

In order to restrict login access for the users you have decided upon, you must edit two files. The files are
located at /etc/pam.d/gdm and /etc/pam.d/login. You must add the line account required pam_access.so,
making sure that the line is written above @include common-account, which should be in the file already; if it
is not already there then add both lines. It should look like the figure below:
  account required pam_access.so
  @include common-account
Next you must edit the /etc/security/access.conf file and add which users/groups you would like to
restrict. In this situation we decided that restricting a group called disallow would be simplest. All users
that need to be restricted must be moved into that group in the Windows Active Directory; this can be
done before or after, but the restrictions will not work until it is done.
The /etc/security/access.conf file is very long and looks intimidating, but all the lines are commented
out by default. You can create a brand new blank file if you prefer, but I suggest adding the lines in the
figure below to the end of the file.
  - : disallow : ALL
  + : ALL : ALL
The first line restricts all users in the disallow group from accessing any local login resource. The
second line allows all other users; this is the default behaviour and is only there for redundancy. Rules are
evaluated in order and the first match wins, so the deny line must come before the allow-all line.
Restart the system; if you attempt to log in as anyone from the disallow group you will not be
allowed and will be given an authentication failed error.
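Both halves of this restriction can be checked without rebooting and trying logins: the PAM service file must load pam_access.so before the common-account include, and the access.conf rules must deny the group before the allow-all line, since pam_access stops at the first matching rule. The script below is an added example, not part of the original manual or of Linux-PAM. pam_access_ordered checks the line order in a PAM service file; access_decision applies access.conf rules to a user and that user's group list with first-match semantics, so the effect of reordering the two lines can be seen directly. Simplifications, stated as such: the origin field is only honoured for ALL and LOCAL (the local logins this manual restricts), the EXCEPT keyword is not modelled, and the group names passed in must be the names as getent group shows them on the workstation. The user and group names in the usage line are the manual's examples; the script name is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of the original manual): check the pam_access setup
# described above. Simplified model of access.conf: origin must be ALL or LOCAL,
# EXCEPT is not handled. Names in the usage line are constructed.

# pam_access_ordered FILE -> returns 0 if "account required pam_access.so" appears
# before "@include common-account"; 1 if either line is missing or misordered
pam_access_ordered() {
    awk '/^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so/ && !a { a = NR }
         /^[[:space:]]*@include[[:space:]]+common-account/ && !b { b = NR }
         END { if (a && b && a < b) exit 0; exit 1 }' "$1"
}

# access_decision FILE USER [GROUP...] -> prints "allow" or "deny" for a local login.
# A rule is "perm : users : origins". A user token matches if it is ALL, the user
# name, or one of the user's groups (optionally written as (group)). The first
# matching rule decides; when no rule matches, pam_access permits the login.
access_decision() {
    file=$1; user=$2; shift 2
    awk -v user="$user" -v groups="$*" '
        BEGIN { n = split(groups, g, " ") }
        /^[[:space:]]*#/ { next }                  # comment line
        /^[[:space:]]*$/ { next }                  # blank line
        {
            if (split($0, f, ":") < 3) next        # malformed rule: ignore it
            perm = f[1]; gsub(/[[:space:]]/, "", perm)
            origin = f[3]; gsub(/[[:space:]]/, "", origin)
            if (origin != "ALL" && origin != "LOCAL") next   # not a local-login rule
            m = split(f[2], who, " ")
            for (i = 1; i <= m; i++) {
                tok = who[i]
                sub(/^\(/, "", tok); sub(/\)$/, "", tok)
                hit = (tok == "ALL" || tok == user)
                for (j = 1; j <= n && !hit; j++)
                    if (tok == g[j]) hit = 1
                if (hit) {
                    decided = 1
                    verdict = (perm == "+") ? "allow" : "deny"
                    print verdict
                    exit
                }
            }
        }
        END { if (!decided) print "allow" }' "$file"
}

# Usage (constructed script name): sh accesscheck.sh /etc/security/access.conf bguser users disallow
if [ $# -ge 2 ]; then
    access_decision "$@"
fi
```

To test the real workstation, run `id <user>` after the join to see the group names winbind reports, pass those to access_decision against /etc/security/access.conf, and run pam_access_ordered on both /etc/pam.d/gdm and /etc/pam.d/login; a "deny" for a disallow member and an "allow" for everyone else, plus two passing order checks, is what the reboot test above should confirm.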


Glossary of Terms

Active Directory: A technology created by Microsoft that provides a variety of network services, including
LDAP, DNS and Kerberos.
Domain: A logical group of computers running under the same domain name.
Domain name: A symbolic representation of a computer through a name.
dpkg: The software at the base of the Debian package management system. Allows for installation, removal and
checking of .deb packages.
FQDN: Fully Qualified Domain Name, the combination of the computer name and domain name. The DNS server
uses this to point to the computer.
GDM: Stands for GNOME Display Manager; it is used by the GNOME desktop on the X Window System for graphical
logins. If you are using a KDE system it is KDM.
Kerberos: A computer network authentication protocol, which allows individuals communicating over a non-secure
network to prove their identity to one another in a secure manner.
Local Login: Any type of login that happens at the host computer where the OS is installed; this includes the
graphical login screen and the console.
LDAP: Lightweight Directory Access Protocol, an application protocol for querying and modifying directory services
running over TCP/IP.
pam_krb5.so: Allows smooth integration of Kerberos 5 password checking with applications built using PAM.
Samba: A free software re-implementation of the SMB/CIFS networking protocol. Allows for communication
between Windows and Linux machines.
Winbind: A network account sharing/authentication daemon. It is used to make NT accounts visible to the UNIX
system.

