Active Directory Authentication on Ubuntu Linux

How to configure Ubuntu Linux to use Active Directory authentication - This article discusses AD authentication for Ubuntu Linux.  The process was tested on Ubuntu x86 (32 bit) version 10.10.  Active Directory is a commonly used directory service based on the LDAP directory access protocol and Kerberos authentication.  Both of these protocols have their roots in UNIX and Linux, and so it makes sense that we can configure these protocols on Linux to interoperate with Active Directory.


Note: this article provides configuration help for a version of Ubuntu that will soon be deprecated.  To configure the latest version of Ubuntu, please read Ubuntu 11.10 - Logging into Active Directory

When Ubuntu is first installed, it is configured by default to use its local account database.  To interoperate with Active Directory, we will configure the LDAP and Kerberos protocols, then we'll configure naming and authentication modules, NSS and PAM, to use these protocols to locate and authenticate users in AD.

A few prerequisites: your Ubuntu machine must be configured to use a DNS server that can locate your AD domain, and the date and time on the computer must stay nearly in sync with the AD domain controllers.  I won't get into those here, but be advised that if your clock is off by more than 5 minutes, or if you can't resolve the IP addresses of your AD domain controllers, AD authentication will fail.

Installing the Necessary Modules
The first thing we need to do is install the Kerberos and LDAP modules that we'll need.  To do this, open a terminal window and gain root permissions by typing sudo bash

Next, we can use apt-get to install the modules, by typing the following commands:

apt-get update
apt-get install krb5-user
apt-get install libpam-krb5
apt-get install libnss-ldap

While installing these modules, you may be prompted to enter some information about your Active Directory.  Don't be too concerned about what you enter, since it will not result in a complete configuration, and we'll have to edit the configuration files later anyway.

Configuring Kerberos
After installing the modules, we can begin configuring Kerberos and LDAP.  Let's start with Kerberos.  With our terminal window still open with root access, edit the Kerberos configuration file by typing: vi /etc/krb5.conf and configure the file as shown below:

[libdefaults]
 default_realm = MYDOMAIN.COM
 krb4_config = /etc/krb.conf
 krb4_realms = /etc/krb.realms
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
[realms]
 MYDOMAIN.COM = {
  kdc = mydomain.com:88
  admin_server = mydomain.com
  default_domain = mydomain.com
 }
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
[login]
 krb4_convert = true
 krb4_get_tickets = false

Change the domain names to match your Active Directory.  Be advised that case matters: Kerberos realm names are shown in upper case, and DNS domain names are shown in lower case.  To test the configuration, you can attempt to get a Kerberos ticket.  To do this, type kinit myuser@myrealm (with the realm in upper case, exactly as in krb5.conf).  You should be prompted for your password.  If you are successful, you will receive a ticket-granting ticket from Active Directory, which you can view by typing klist .  If you are not successful, then you either made a mistake in the krb5.conf file, or your Ubuntu machine's DNS configuration or clock is incorrect.  Fix the problem before you proceed any further.  After the test is successful, you can type kdestroy to remove the ticket.  Next, we'll configure LDAP.
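The checks above (realm and domain case in krb5.conf, DNS, the kinit round trip) gathered into one small POSIX shell script.  This is an added example, not part of the article or of any Kerberos package; the function names are its own.  It assumes krb5.conf lives at the path the article uses and that the host and kinit commands are installed (bind9-host and krb5-user).  It goes a little beyond the text by also checking that every realm named in [domain_realm], and default_realm, is actually defined in [realms], which is the other common typo.

```sh
#!/bin/sh
# Added example, not from the article: sanity-check the Kerberos side before
# running the kinit test. It checks the case rules the article describes
# (realm names upper-case, DNS names lower-case, every mapped realm defined
# in [realms]) and looks up the KDC SRV record the DNS prerequisite depends on.
# Function names are this example's own.

KRB5_CONF=${KRB5_CONF:-/etc/krb5.conf}

# krb5_case_check FILE: print one line per problem, exit status 1 if any.
krb5_case_check() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|;)/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                   # [section] header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/].*$/, "", section)
            next
        }
        {                                               # key = value
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        }
        section == "libdefaults" && key == "default_realm" {
            default_realm = val
            if (val != toupper(val)) { print "default_realm not upper-case: " val; bad = 1 }
        }
        section == "realms" && val == "{" {             # MYDOMAIN.COM = {
            realms[key] = 1
            if (key != toupper(key)) { print "[realms] name not upper-case: " key; bad = 1 }
        }
        section == "domain_realm" {                     # .mydomain.com = MYDOMAIN.COM
            mapped[val] = 1
            if (key != tolower(key)) { print "[domain_realm] DNS name not lower-case: " key; bad = 1 }
            if (val != toupper(val)) { print "[domain_realm] realm not upper-case: " val; bad = 1 }
        }
        END {
            for (r in mapped)
                if (!(r in realms)) { print "[domain_realm] maps to a realm missing from [realms]: " r; bad = 1 }
            if (default_realm != "" && !(default_realm in realms))
                { print "default_realm missing from [realms]: " default_realm; bad = 1 }
            exit bad
        }
    ' "$1"
}

# kdc_srv_lookup DOMAIN: show the KDCs that DNS advertises for the domain.
# No answer means the DNS prerequisite is not met and kinit will fail.
kdc_srv_lookup() {
    host -t SRV "_kerberos._tcp.$1"
}

# kinit_roundtrip USER REALM: the article's kinit / klist / kdestroy test.
kinit_roundtrip() {
    kinit "$1@$2" && klist && kdestroy
}

# Only runs when invoked as:
#   AD_PRECHECK=1 sh ad_precheck.sh mydomain.com myuser MYDOMAIN.COM
if [ -n "${AD_PRECHECK:-}" ]; then
    krb5_case_check "$KRB5_CONF" || exit 1
    kdc_srv_lookup "$1" || exit 1
    kinit_roundtrip "$2" "$3"
fi
```

The awk parser only understands the flat `key = value` layout the article's krb5.conf uses; it deliberately runs before kinit so that a case slip is reported by name instead of as a generic "Cannot find KDC" error.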

Configuring LDAP
Edit the LDAP configuration file by typing vi /etc/ldap.conf and configure the file as shown below:

base dc=mydomain,dc=com
uri ldap://adserver1.mydomain.com ldap://adserver2.mydomain.com
ldap_version 3
binddn cn=aduser,cn=users,dc=mydomain,dc=com
bindpw adUserPassword
bind_policy soft
bind_timelimit 120
timelimit 120
idle_timelimit 3600
network_timeout 20
referrals on
scope sub
pam_login_attribute sAMAccountName
pam_filter objectCategory=User
pam_groupdn cn=adGroup,cn=Users,dc=mydomain,dc=com
pam_password ad
pam_member_attribute member
nss_base_passwd dc=mydomain,dc=com?Sub?&(objectClass=User)(uidNumber=*)
nss_base_shadow dc=mydomain,dc=com?Sub?&(objectClass=User)(uidNumber=*)
nss_base_group  dc=mydomain,dc=com?Sub?&(objectClass=Group)(gidNumber=*)
nss_map_objectclass     posixAccount    User
nss_map_objectclass     shadowAccount   User
nss_map_attribute       uid             sAMAccountName
nss_map_attribute       cn              sAMAccountName
nss_map_attribute       uniqueMember    member
nss_map_attribute       homeDirectory   unixHomeDirectory
nss_map_attribute       gecos           name
nss_map_objectclass     posixGroup      Group
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nz,myLocalUser

You will need to change the following to suit your environment:
  • base: this is the distinguished name of your domain
  • uri: these should be valid DNS names of your domain controllers
  • binddn: this should be the distinguished name of a user account in your AD that you will use to connect to AD.  The user requires no special privileges.
  • bindpw: this is the password of the user used for binddn.  It is stored in clear text in this file, so use a dedicated account created for this purpose rather than a real person's account.
  • pam_groupdn: this is the distinguished name of the AD group that the users must be a member of in order to log onto this Ubuntu machine.  If you want all users to be able to logon, you can comment out this line by placing a # at the beginning of the line.
  • nss_initgroups_ignoreusers: add any local Ubuntu accounts to this list to avoid doing LDAP lookups when these users logon.

Using LDAP as a Source of User Accounts
To tell Ubuntu to use LDAP to find user accounts, we need to edit the configuration of NSS, the name service switch module, to use both LDAP and the local user database.  Type vi /etc/nsswitch.conf and configure the file as shown:

# /etc/nsswitch.conf
#
passwd:         files ldap 
group:          files ldap
shadow:         files ldap
hosts:          files mdns4_minimal dns mdns4
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis ldap

As you can see, we've added ldap to the passwd, group, shadow, and netgroup entries.  Now we can test our LDAP configuration, but first, we need to discuss the Active Directory user accounts that we'll use to logon to Ubuntu.

Active Directory User Configuration
In order to use AD users to logon to Ubuntu, the users must have uidNumber, gidNumber, loginShell, and unixHomeDirectory attributes defined in AD.  NSS will then be able to retrieve these attributes when the user logs onto Ubuntu.  I'll post tools to set these attributes in AD, but in the meantime you can use ADSIEDIT to set these attributes.

Testing your LDAP and NSS Configuration
Once you have AD users with the required attributes, and you've performed the configurations above, you can test if you can see AD users in the user list.  To do this, type getent passwd . You should see both local Ubuntu users as well as any AD users that have the necessary attributes.  If you don't see AD users, you've made a mistake in the files.
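When an AD user shows up in getent passwd with empty fields, or not at all, it helps to know which of the four required attributes is to blame.  Here is an added shell example, not from the article, that takes one line of getent passwd output and maps each empty or malformed field back to the AD attribute NSS reads it from (following the nss_map_attribute lines in the ldap.conf above).  Function names are the example's own; ad_user_check and ldap_only_users assume getent and /etc/passwd, which every Ubuntu host has.

```sh
#!/bin/sh
# Added example, not from the article: check what NSS hands back for an AD
# user and name the missing attribute (uidNumber, gidNumber,
# unixHomeDirectory, loginShell). Function names are this example's own.

# passwd_entry_check "name:x:uid:gid:gecos:home:shell"
# One getent passwd line in, one diagnostic per missing attribute out;
# exit status 1 if anything is wrong.
passwd_entry_check() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    bad=0
    [ -n "$name" ] || { echo "sAMAccountName (login name) missing"; bad=1; }
    case $uid in ''|*[!0-9]*) echo "uidNumber missing or not numeric"; bad=1;; esac
    case $gid in ''|*[!0-9]*) echo "gidNumber missing or not numeric"; bad=1;; esac
    [ -n "$home" ] || { echo "unixHomeDirectory missing"; bad=1; }
    if [ -z "$shell" ]; then
        echo "loginShell missing"; bad=1
    elif [ ! -x "$shell" ]; then
        # the attribute is set in AD but points at a shell this host lacks
        echo "loginShell $shell is not an executable on this host"; bad=1
    fi
    return $bad
}

# ad_user_check USER: look the user up through NSS (files, then ldap, as
# nsswitch.conf orders it) and validate the entry. A user with no uidNumber
# never matches the nss_base_passwd filter, so getent finds nothing at all.
ad_user_check() {
    entry=$(getent passwd "$1") || {
        echo "$1 not found by NSS: no uidNumber, filter mismatch, or an ldap.conf error"
        return 1
    }
    passwd_entry_check "$entry"
}

# ldap_only_users: names that getent returns but /etc/passwd does not,
# i.e. the accounts that came from Active Directory.
ldap_only_users() {
    local_names=$(mktemp)
    cut -d: -f1 /etc/passwd | sort -u > "$local_names"
    getent passwd | cut -d: -f1 | sort -u | grep -vxF -f "$local_names"
    rm -f "$local_names"
}

# Usage: sh nss_check.sh jdoe
if [ -n "${1:-}" ]; then
    ad_user_check "$1"
fi
```

Run it as root or as any local user; NSS lookups need no special rights.  If ldap_only_users prints nothing while getent passwd works for local accounts, the ldap line in nsswitch.conf or the nss_base_passwd filter is the place to look.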

Adding Kerberos and LDAP to PAM
PAM (Pluggable Authentication Modules) controls what authentication methods are used when a user attempts to logon to Ubuntu.  We need to add Kerberos and LDAP to the list of methods PAM will use.  In Ubuntu, this is pretty easy.  Type pam-auth-update and make sure Kerberos and LDAP are selected as well as everything else in the list, then select OK.

This will mostly configure PAM correctly, however we need to add one line to the configuration.  Type vi /etc/pam.d/common-session and add the following line to the configuration:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

This will tell PAM to automatically create the user's home directory when they first logon.

Logging On
Now you should be able to log onto Ubuntu using an Active Directory user, assuming that the user has the required attributes set, and is a member of the group specified in pam_groupdn in ldap.conf if one is specified.  After logon, open a terminal window and type klist to verify that you automatically got a Kerberos ticket from Active Directory.  This will allow you to connect to Windows file shares without being prompted for credentials.

Configuring Ubuntu as a Windows File Server
Often the point of configuring Active Directory authentication for Ubuntu is to use Ubuntu as a file server for Windows users.  To do this we'll install Samba, the SMB file sharing module.  To install Samba, type apt-get install samba then edit the configuration by typing vi /etc/samba/smb.conf . Configure the file as shown below:

[global]
        security = ads
        realm = MYDOMAIN.COM
        workgroup = MYDOMAIN
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
[temp]
        path = /temp
        read only = no
[etc]
 path = /etc
 read only = yes

One note on the sample above: the [etc] share exports the whole /etc directory read-only to every domain user, including /etc/ldap.conf and the bindpw it holds, so leave that share out unless you really want that.  Now we need to join the Ubuntu machine to Active Directory.  To do this, type net ads join -U myuser@myrealm and enter your password when prompted.  The user must have the right to join computers to Active Directory.  A known bug may report that the join failed even though it succeeded, so verify the join by looking in the Computers container in Active Directory for a computer account with the name of the Ubuntu host.  If it exists, then the join was successful.

Now you can create a file share.  Let's create a /temp directory and share it to Windows users.  Create the directory by typing mkdir /temp and then set the permissions so everyone has access by typing chmod 777 /temp .  Next, edit the Samba configuration to add the directory as a file share by typing vi /etc/samba/smb.conf and add the following lines to the end of the file (the sample smb.conf above already defines this [temp] share; if you kept it there, skip this step rather than defining the share twice):

[temp]
path = /temp
read only = no

After editing the file, restart Samba by typing /etc/init.d/samba restart
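Before restarting Samba it is worth catching the two slips these steps invite: a share section that ends up in smb.conf twice (the [temp] share appears both in the sample file and in the "add to the end" step) and a share whose directory has not been created yet.  The following is an added shell example, not from the article or from the Samba project; the function names are its own.  It assumes the smb.conf path the article uses and that testparm (from samba-common-bin, installed with samba) is available for the final parse.

```sh
#!/bin/sh
# Added example, not from the article: lint smb.conf for duplicate share
# sections and missing share directories, then let Samba's own testparm
# parse the file. Function names are this example's own.

SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}
TAB=$(printf '\t')

# smb_duplicate_sections FILE: report each [section] defined more than once;
# exit status 1 if any.
smb_duplicate_sections() {
    awk '
        BEGIN { dup = 0 }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
            if (++count[s] == 2) { print "duplicate section: [" s "]"; dup = 1 }
        }
        END { exit dup }
    ' "$1"
}

# smb_share_paths FILE: print "share<TAB>path" for every share that sets a path.
smb_share_paths() {
    awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); next }
        /^[ \t]*path[ \t]*=/ {
            p = $0; sub(/^[ \t]*path[ \t]*=[ \t]*/, "", p); sub(/[ \t]+$/, "", p)
            print s "\t" p
        }
    ' "$1"
}

# smb_missing_share_dirs FILE: report shares whose path is not a directory
# (the article creates /temp with mkdir before sharing it); exit 1 if any.
smb_missing_share_dirs() {
    missing=$(smb_share_paths "$1" | while IFS="$TAB" read -r share path; do
        [ -d "$path" ] || printf '[%s] path %s does not exist\n' "$share" "$path"
    done)
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# smb_check FILE: run both checks, then let Samba itself parse the file.
smb_check() {
    status=0
    smb_duplicate_sections "$1" || status=1
    smb_missing_share_dirs "$1" || status=1
    testparm -s "$1" >/dev/null || status=1
    return $status
}

# Only runs when invoked as: SMB_CHECK=1 sh smb_lint.sh
if [ -n "${SMB_CHECK:-}" ]; then
    smb_check "$SMB_CONF" && echo "smb.conf looks consistent; restart Samba"
fi
```

The two awk helpers only look at section headers and path lines, which is all the article's smb.conf uses; everything else is left to testparm, which is the authoritative parser.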

Now, from a Windows machine, logged on with an AD user with the correct attributes and group membership, click on the start button, click run, type \\ubuntuhostname\temp and click OK.  A window should open to the share, and you should be automatically authenticated via Kerberos.  Any files or folders you create in the share will be set with the correct permissions, using your UID and GID from Active Directory.

Final Word
If you run into trouble during this process, try getting your Ubuntu machine up to date by typing apt-get upgrade, which updates the packages for your current Ubuntu kernel, and/or apt-get dist-upgrade, which will also get you up to the latest kernel.  Good luck!

2 comments:

World_emp said...

Excellent GUIDE! Just tested it successfully on Ubuntu 12.04.02

Only thing I noticed is that it's very slow to login/off and to shut down, when I'm accessing AD users...

Brian said...

Yeah, you can speed things up by setting your LDAP base to an OU - large domains are slower to search through, or by tweaking your search strings. Anyway, this method of AD integration is deprecated. The newer way, using SSSD, is shown here: http://www.itadmintools.com/2012/02/ubuntu-1110-logging-into-active.html
