Linux/Windows Integration
John Dickerson – ECSS
April 10, 2009

● Domain Authentication
● Samba and Active Directory
● Directory Services
● CIFS on Linux
● Applications
9/28/
Domain Authentication
● Two methods for authentication:
  – Kerberos
    – Uses the IASTATE.EDU realm via the IASTATE Windows domain.
    – Tickets will not work with the Vincent IASTATE.EDU realm.
    – Used primarily on university-owned systems.
  – NTLMv2
    – An alternative authentication method for systems where Kerberos will not work (e.g. systems not in the domain).
    – Often used by “visitor” systems (e.g. personal laptops) to authenticate to the domain.
Kerberos Prerequisites
● First things first: set up DNS and NTP (time).
● In /etc/resolv.conf (may be done by DHCP):
    domain iastate.edu
    nameserver
    nameserver
    nameserver
● In /etc/ntp.conf:
    server time.iastate.edu
    restrict time.iastate.edu mask nomodify notrap noquery
Setting up Kerberos
● One method: use the 'authconfig' utility.
● Can be run during kickstart (Red Hat's automated installation system):
    # authconfig --enablekrb5 --krb5realm IASTATE.EDU --krb5kdc windc4.iastate.edu,windc3.iastate.edu,windc2.iastate.edu,windc1.iastate.edu
PAM stuff
● authconfig updates the default PAM stack. In /etc/pam.d/system-auth:
    auth    required    pam_env.so
    auth    sufficient  pam_unix.so nullok try_first_pass
    auth    sufficient  pam_krb5.so use_first_pass
    auth    required    pam_deny.so
● [Note: just the 'auth' group of the PAM stack is shown above, though all PAM management groups (account, auth, password, session) are modified]
Setting up Kerberos
● Brute force method: edit /etc/krb5.conf:
    [realms]
    IASTATE.EDU = {
        kdc = windc1.iastate.edu
        kdc = windc2.iastate.edu
        kdc = windc3.iastate.edu
        kdc = windc4.iastate.edu
    }
    [domain_realm]
    iastate.edu = IASTATE.EDU
    .iastate.edu = IASTATE.EDU
    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime =
        renew_lifetime =
        forwardable = true
        krb4_convert = false
    }
● ticket_lifetime and renew_lifetime are in seconds. Adjust as necessary.
NTLMv2
● A fallback when Kerberos isn't available.
● Particularly for non-domain machines.
● It's important to enable support for this on both clients and servers.
● Modify /etc/samba/smb.conf:
    [global]
    security = ads
    client ntlmv2 auth = yes
    ...
Samba
● The Swiss Army knife of Windows integration:
● CIFS file sharing
● CIFS print sharing
● Look up users and groups from the domain
● Create member servers in the Windows domain
● Create Kerberos host principals in the Windows domain
Samba and AD Integration
● First, configure /etc/samba/smb.conf:
    [global]
    workgroup = IASTATE
    wins server = ,
    security = ads
    client ntlmv2 auth = yes
    realm = IASTATE.EDU
    use kerberos keytab = yes
    password server = windc4.iastate.edu, windc3.iastate.edu, windc2.iastate.edu, windc1.iastate.edu
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    idmap config IASTATE:backend = ad
    idmap domains = IASTATE
● 'use kerberos keytab = yes' creates /etc/krb5.keytab.
Samba and AD Integration
● Then, join the host to the domain:
    # hostname myhost.engineering.iastate.edu
    # net ads join -U jedicker createcomputer=ENGR/Servers
    password: ************
● In order to join the domain, the user whose credentials are being used (jedicker) must have authority to create a computer account in the specified organizational unit (ENGR). In this case, all servers are stored under the ENGR/Servers sub-OU.
Did the join work?
● Check 'wbinfo':
    # wbinfo -t
    checking the trust secret via RPC calls succeeded
    # wbinfo -g
    (should list all the groups in the domain)
    # wbinfo -n jedicker
    S User (1)
● Check the /etc/krb5.keytab file:
    # ktutil
    ktutil: read_kt /etc/krb5.keytab
    ktutil: list
    slot KVNO Principal
       1    2
       2    2
       3    2
       4    2
       5    2
       6    2
Winbind
● Configured via /etc/samba/smb.conf.
● Its main function is to map user and group SIDs to Unix uids and gids.
● Each client must be joined to the domain.
Samba and Share ACLs
● To limit access to a share using a domain group [preferably a “Windows Sync” group], in /etc/samba/smb.conf:
    [private]
    comment = Private Data
    path = /export/data/private
    browseable = yes
    writable = yes
    hosts allow = *.engineering.iastate.edu
    valid users
Directory Services, Hesiod
● Works fine for mapping users. Not so well for groups.
● Configured in /etc/hesiod.conf.
● Works well, fast. No need to authenticate :-)
● Tricky to map AD groups (needs ASW Windows Sync groups, and NFS group).
● Can't enumerate group members.
● Not really “integrated” with Windows.
Directory Services, LDAP
● Use LDAP in NSS (nss_ldap).
● First: configure nss_ldap for querying the domain controllers.
● Then: modify NSS (/etc/nsswitch.conf) to use LDAP for users and groups.
● Requires authentication from (anonymous LDAPS binds are not supported on our domain controllers).
● Requires PKI (CA cert bundle for domain controller SSL certs).
● A very helpful blog: integration-version-4/
Set up nss_ldap
● Modify /etc/ldap.conf (not to be confused with /etc/openldap/ldap.conf):
    base dc=IASTATE,dc=EDU
    uri ldaps://windc4.iastate.edu ldaps://windc1.iastate.edu ldaps://windc2.iastate.edu ldaps://windc3.iastate.edu
    binddn cn=MY LDAP USER,ou=Users,ou=ENGR,dc=IASTATE,dc=EDU
    bindpw {thepassword}
    scope sub
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
● bindpw is a plaintext password!
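An added check for the plaintext bindpw caveat above and for the /etc/krb5.keytab the Samba join creates (example code written for this page, not from the slides): it verifies that credential files are not readable by group or other, and flags any nss_ldap config that still carries a bindpw line. It assumes GNU stat on Linux; the sample paths in the final comment are the slide's, and the function works on any path passed to it.

```shell
# Added example (not from the original slides): audit the files that hold
# domain credentials on an integrated host. /etc/ldap.conf carries the
# nss_ldap bindpw in plaintext and /etc/krb5.keytab holds the host's
# Kerberos keys, so neither should be readable by group or other.
# Assumes GNU stat (Linux); 'stat -c %a' prints the mode in octal.

# Return 0 when the file exists and has no group/other permission bits set.
secret_mode_ok() {
    path=$1
    [ -f "$path" ] || return 1
    mode=$(stat -c '%a' "$path") || return 1
    # Octal mode must end in "00" (e.g. 600, 400, 1600); "0" is mode 000.
    case $mode in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Return 0 when an nss_ldap config contains an active (uncommented) bindpw
# line, i.e. the plaintext password the slide warns about is present.
has_plaintext_bindpw() {
    grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$1"
}

# Check every path given as an argument; print one line per file and
# return 1 if any file is missing or too open.
audit_credential_files() {
    rc=0
    for f in "$@"; do
        if secret_mode_ok "$f"; then
            printf 'OK    %s (mode %s)\n' "$f" "$(stat -c '%a' "$f")"
        else
            printf 'FAIL  %s is missing or readable by group/other\n' "$f"
            rc=1
        fi
        if [ -f "$f" ] && has_plaintext_bindpw "$f"; then
            printf 'NOTE  %s stores a plaintext bindpw; keep it mode 0600\n' "$f"
        fi
    done
    return $rc
}

# Typical invocation on a joined host (paths from the slides):
#   audit_credential_files /etc/ldap.conf /etc/krb5.keytab
```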
Set up NSS
● Modify /etc/nsswitch.conf:
    passwd: files ldap
    group:  files ldap
    hosts:  files dns
● Now check to see if it's working:
    # getent passwd jedicker
    # getent group engr_coll_profsci
● [Note: looking up groups via 'getent' will only work if the group has been created as a “Windows Sync” group in ASW, and that group has the “NFS group” parameter on]
Winbind for users/groups
● Partly depends on NSS. In /etc/nsswitch.conf:
    passwd: files winbind
    group:  files winbind
    hosts:  files dns
● In /etc/samba/smb.conf:
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    idmap config IASTATE:backend = ad
    idmap domains = IASTATE
● Alternatively, with the rid backend:
    idmap config IASTATE:backend = rid
    idmap config IASTATE:base_rid = 1000
    idmap config IASTATE:range =
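Added example, not from the slides: the arithmetic the idmap_rid backend applies to a domain SID such as the one 'wbinfo -n jedicker' prints, so an admin can predict or sanity-check the uid winbind will assign. base_rid = 1000 comes from the slide; the range 10000-20000 and the domain SID are constructed values, since the slide leaves 'range =' blank.

```shell
# Added example (not from the original slides): reproduce the mapping used
# by the idmap_rid backend so a uid seen on an NFS export or in 'ls -n'
# can be tied back to a domain RID, and vice versa. idmap_rid computes
#     ID = RID - base_rid + RANGE_LOW
# and refuses to map anything that lands outside [RANGE_LOW, RANGE_HIGH].
# base_rid = 1000 is from the slide; the range is a constructed value.

BASE_RID=1000
RANGE_LOW=10000
RANGE_HIGH=20000

# Extract the RID (last hyphen-separated component) from a SID string.
# Returns 1 if the string does not look like an S-1-5-21-... domain SID
# (e.g. the built-in S-1-5-32-544 Administrators group is rejected).
sid_to_rid() {
    case $1 in
        S-1-5-21-*-*-*-*) printf '%s\n' "${1##*-}" ;;
        *) return 1 ;;
    esac
}

# Map a SID to a Unix id; prints the id, or returns 1 when the RID falls
# outside the configured range (winbind would leave the SID unmapped).
sid_to_unix_id() {
    rid=$(sid_to_rid "$1") || return 1
    id=$(( rid - BASE_RID + RANGE_LOW ))
    [ "$id" -ge "$RANGE_LOW" ] && [ "$id" -le "$RANGE_HIGH" ] || return 1
    printf '%s\n' "$id"
}

# Reverse mapping: given the domain SID prefix and a Unix id in the range,
# rebuild the full SID so the owner can be looked up with 'wbinfo -s'.
unix_id_to_sid() {
    domain_sid=$1
    id=$2
    [ "$id" -ge "$RANGE_LOW" ] && [ "$id" -le "$RANGE_HIGH" ] || return 1
    printf '%s-%s\n' "$domain_sid" $(( id - RANGE_LOW + BASE_RID ))
}

# Constructed domain SID for demonstration, not the real IASTATE domain SID.
DEMO_DOMAIN="S-1-5-21-111111111-222222222-333333333"
```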
CIFS on Linux Clients
● smbclient (also Nautilus connect-to-server)
  – Supports Kerberos auth
● mount.cifs
  – sec=krb5 (supposedly works in RHEL 5.3, unverified)
  – Uses cifs.upcall to pass krb5 tickets to the kernel(?). keyutils(?)
● pam_cifs
  – A PAM module that can mount a CIFS share.
● pam_script
  – Can do just about anything (esp. for access control)
Applications
● OpenOffice 3 supports Office 2007 file formats.
● Firefox authentication to IIS using domain auth is broken (e.g. SharePoint).
Applications
● WINE – Anyone doing this?