
Linux in an Active Directory Domain
- Tutorial
Administrators sometimes face the task of integrating Linux servers and workstations into an Active Directory domain environment. Usually the requirements are:
1. Provide access to services on the Linux server to domain users.
2. Let administrators log in to Linux servers with their domain credentials.
3. Set up login to Linux workstations for domain users, preferably so that they also get all the benefits of SSO (I, for one, do not enjoy typing my long password often).
Typically, to make users and groups from an Active Directory domain available to a Linux system, one uses winbind or configures the NSS libraries to work with an Active Directory domain controller over LDAP. But today we will go the other way: we will use PowerBroker Identity Services (the product is also known as Likewise).
Installation
There are two versions of the product: Enterprise and Open. The Open version was enough for my tasks, so everything below refers to it.
You can get the Open version on the manufacturer’s website, but the link will be provided only in exchange for your name, company name and e-mail.
There are 32-bit and 64-bit packages in rpm and deb formats (as well as packages for OS X, AIX, FreeBSD, Solaris and HP-UX).
The source code is available in a git repository: git://source.pbis.beyondtrust.com/pbis.git
I installed PBIS on Debian Wheezy amd64:
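# Download the installer script, make it executable and run it (as root)
wget http://download.beyondtrust.com/PBISO/7.1.0/1203/pbis-open-7.1.0.1203.linux.x86_64.deb.sh
chmod +x ./pbis-open-7.1.0.1203.linux.x86_64.deb.sh
./pbis-open-7.1.0.1203.linux.x86_64.deb.sh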
The contents of the package are installed in /opt/pbis. A new init script, lwsmd, also appears on the system; it is what actually launches the PBIS agent.
The PAM module pam_lsass.so is added to the system.
The utilities (mostly command-line) needed for PBIS to function, and those that make the administrator's life easier, are located in /opt/pbis/bin.
Joining the domain
Before joining the domain, make sure that the domain controllers are reachable and that domain names resolve correctly to IP addresses. (Otherwise, you must configure resolv.conf.)
Two commands are provided for joining the domain: /opt/pbis/bin/domainjoin-cli and /opt/pbis/bin/domainjoin-gui. The first works on the command line; the second uses libgtk to display a graphical interface.
To join the domain you will need to specify the domain name, the username and password of a domain user with the right to join computers to the domain, and the container in which to place the computer object, all the same as when joining a Windows PC to the domain.

After joining the domain, a reboot is required.
Please note: PBIS can work with Active Directory sites. The PBIS client will work with the controllers of the site in which it is located!
After the reboot
After the reboot, both id and getent will show you the users and groups of the domain (national characters are handled correctly; spaces are replaced with the character "^").
An entry with the name of your PC will appear in the domain DNS zone.
Do not rush to log in as a domain user. First it makes sense (though it is not required) to configure PBIS.
/opt/pbis/bin/config --list
will list the available options:
[Eventlog]
    AllowDeleteTo
    AllowReadTo
    AllowWriteTo
    MaxDiskUsage
    MaxEventLifespan
    MaxNumEvents
[Lsass]
    DomainSeparator
    SpaceReplacement
    EnableEventlog
    LogInvalidPasswords
    Providers
[Lsass - PAM]
    DisplayMotd
    PAMLogLevel
    UserNotAllowedError
[Lsass - Active Directory provider]
    AssumeDefaultDomain
    CreateHomeDir
    CreateK5Login
    SyncSystemTime
    TrimUserMembership
    LdapSignAndSeal
    LogADNetworkConnectionEvents
    NssEnumerationEnabled
    NssGroupMembersQueryCacheOnly
    NssUserMembershipQueryCacheOnly
    RefreshUserCredentials
    CacheEntryExpiry
    DomainManagerCheckDomainOnlineInterval
    DomainManagerUnknownDomainCacheTimeout
    MachinePasswordLifespan
    MemoryCacheSizeCap
    HomeDirPrefix
    HomeDirTemplate
    RemoteHomeDirTemplate
    HomeDirUmask
    LoginShellTemplate
    SkeletonDirs
    UserDomainPrefix
    DomainManagerIgnoreAllTrusts
    DomainManagerIncludeTrustsList
    DomainManagerExcludeTrustsList
    RequireMembershipOf
    SmartcardEnabled
    SmartcardRequiredForLogin
[Lsass - Local provider]
    Local_AcceptNTLMv1
    Local_HomeDirTemplate
    Local_HomeDirUmask
    Local_LoginShellTemplate
    Local_SkeletonDirs
[User Monitor]
    UserMonitorCheckInterval
[System Initialization]
    LsassAutostart
    EventlogAutostart
    GpagentAutostart
One of the differences of the Enterprise version is the ability to manage these settings through GPO.
It is worth paying attention to HomeDirPrefix and HomeDirTemplate.
I also set RequireMembershipOf right away: only the users, members of the groups, or SIDs on this list can log in to the computer.
A description of each parameter can be obtained, for example, like this:
/opt/pbis/bin/config --detail RequireMembershipOf
A parameter value is set, for example, like this:
/opt/pbis/bin/config RequireMembershipOf "Администраторы^Linux"
Please note: PBIS does not use SFU attributes or any other Active Directory attributes to obtain a user's loginShell, uid or gid.
The loginShell for domain users is set in the PBIS settings; setting a different loginShell for different users is possible only in the Enterprise version.
The uid is formed as a hash of the user's SID.
The gid is formed as a hash of the SID of the user's primaryGroup.
Thus a user will always get the same uid and gid on any two PCs.
Now you can log in as a domain user. After logging in as a domain user, look at the output of klist: PBIS will have obtained the necessary Kerberos tickets for the user. After that, you can seamlessly access resources on Windows PCs (the main thing is that the software used supports GSSAPI). For example, I can now open any domain SMB resources in Dolphin without additional password prompts (and my password is not saved anywhere!). Firefox (once network.negotiate-auth.trusted-uris is set) also lets you use SSO when accessing web portals with domain authorization (naturally, if SSO is configured on the server).
But what about SSO when accessing resources on a Linux PC?
That works too! PBIS populates /etc/krb5.keytab and keeps it up to date. Therefore, server software that supports GSSAPI can be configured for SSO.
For example, to access the server via ssh, add to the configuration file /etc/ssh/sshd_config (the path on your system may differ):
GSSAPIAuthentication yes
UsePAM yes
(PBIS provides a module for PAM as well)
When connecting, specify the domain name of the computer (the one present in its SPN; otherwise the Kerberos ticket cannot be issued).
It also makes sense to add the AllowGroups directive and list, separated by spaces, the domain groups whose users you intend to give access to the ssh server.
On a Linux client PC, it is sufficient to include in the ssh client configuration:
GSSAPIAuthentication yes
Naturally, Kerberos must be configured on the Linux client computer. The simplest way to meet this condition is to join the client computer to the domain as well and work as a domain user.
When using PuTTY on a Windows client PC (a domain member), set the flag “Attempt GSSAPI authentication (SSH-2 only)” in the SSH properties of the connection (this item is named differently in different versions).

Also, in the Connection -> Data section, you can set the switch to "Use system username".
If you intend to organize ssh access for administrators to Linux servers in this way, it is a good idea to prohibit root login via ssh on them and to add the Linux administrators (or, even better, their domain group) to the sudoers file.
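A check of the server-side settings recommended above, as an added example (not from the original article or from PBIS): it reads an sshd_config and reports where GSSAPIAuthentication, UsePAM, PermitRootLogin and AllowGroups differ from that advice, honouring sshd's rule that the first value of a keyword wins. The sample config and the group name are constructed; Include files and Match blocks are not followed.

```shell
#!/bin/sh
# Constructed sample: GSSAPI and PAM are enabled as in the article, but a
# "PermitRootLogin no" was appended below an earlier "PermitRootLogin yes".
SAMPLE_SSHD='# constructed example, not a real server config
GSSAPIAuthentication yes
UsePAM yes
PermitRootLogin yes
AllowGroups linux^admins
permitrootlogin no'

# effective_value KEYWORD: read an sshd_config on stdin and print the value
# sshd would use for KEYWORD in the global section. Keywords are
# case-insensitive and the first value obtained wins; parsing stops at the
# first Match block. Prints nothing if the keyword is not set.
effective_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            key = line; sub(/[ \t=].*$/, "", key)
            val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (tolower(key) == "match") exit
            if (tolower(key) == want) { print val; exit }
        }'
}

# audit_sshd: read an sshd_config on stdin, print one finding per line.
# An unset keyword is reported too, rather than guessing the built-in default.
audit_sshd() {
    cfg=$(cat)
    for pair in GSSAPIAuthentication=yes UsePAM=yes PermitRootLogin=no; do
        key=${pair%%=*}
        expected=${pair#*=}
        actual=$(printf '%s\n' "$cfg" | effective_value "$key")
        [ "$actual" = "$expected" ] ||
            echo "$key: expected '$expected', found '${actual:-unset}'"
    done
    [ -n "$(printf '%s\n' "$cfg" | effective_value AllowGroups)" ] ||
        echo "AllowGroups: not set, logins are not limited to chosen groups"
}

printf '%s\n' "$SAMPLE_SSHD" | audit_sshd
```

On a live server, `sshd -T` prints the effective configuration as the daemon itself computes it, which is the authoritative cross-check.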
These are not the only scenarios for using PBIS. If this article seems interesting to you, in the next one I will write about how to set up a Samba file server in a domain for domain users without winbind.
For more information on the topic, visit the PowerBroker Identity Services community forum: forum.beyondtrust.com
UPD. The benefits of PowerBroker Identity Services include:
- Good repeatability (compare the sequence of steps in this article with the winbind setup instructions)
- Caching of data from the directory (a domain user can log on to a PC when the domain is not available, if their credentials are in the cache)
- PBIS does not require additional user attributes to be created in the AD directory
- PBIS understands AD sites and works with the controllers of its own site.
- Greater security (samba creates a computer account with a non-expiring password)
- In the paid version (if such a need arises), the PBIS agent is managed through GPO (although this item can be struck off the list if you do not intend to buy it)
UPD 2: Feedback came from user sdemon72. It may be useful to someone.
Hello! I tried your recipe on fresh linuxmint-18-mate-64bit, everything worked out with a few caveats:
1. I had difficulties getting the program through the site (I didn’t want to write a real phone number, but I didn’t send a fake one - I received a letter with doubts about it), but found a repository with the latest versions: repo.pbis.beyondtrust.com/apt.html
2. The program produces errors on launch; to avoid them, you need to do the following before starting:
2.1. Install ssh:
sudo apt-get install ssh
2.2. Correct /etc/nsswitch.conf:
hosts: files dns mdns4_minimal [NOTFOUND=return]
(i.e. move dns from the end of the line to the second position)
2.3. Fix /etc/NetworkManager/NetworkManager.conf:
#dns=dnsmasq
(i.e. comment out this line)
2.4. Restart network-manager:
sudo service network-manager restart
After that, everything worked out with a bang! I would be very grateful if you made these additions to the article, because it comes up in the first lines when searching on the subject. I can’t leave comments (the site prohibits it), so I am writing to you personally.
If you are interested, the story of my research is here: linuxforum.ru/topic/40209
Sincerely, Dmitry
UPD 3: Why can’t the free version of PBIS be used in a large company?
In the free version, there is only one algorithm for generating UNIX IDs (uid and gid) from the domain user's SID, so it does not ensure the uniqueness of these identifiers. When you have a very old domain or simply a lot of users, the risk is very high that two or more users will get the same identifiers on a system with OpenPBIS. The paid version offers a choice between ID generation algorithms, but it costs significantly more than a similar product from Quest Software ;(.
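The collision described in UPD 3 can be looked for directly, since two accounts that share a uid are indistinguishable to file permissions and process ownership. The following is an added example (not from the original article or from PBIS) that finds ids held by more than one name in passwd- or group-format input; the domain name, accounts and numbers in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample in `getent passwd` format; the domain name, accounts
# and numbers are made up. alice and carol were given the same uid.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
EXAMPLE\alice:*:1234567:1234000:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\bob:*:1234568:1234000:Bob:/home/EXAMPLE/bob:/bin/bash
EXAMPLE\carol:*:1234567:1234000:Carol:/home/EXAMPLE/carol:/bin/bash'

# find_duplicate_ids: read passwd- or group-format lines on stdin (the
# numeric id is field 3 in both) and print "<id> <name>,<name>,..." for
# every id held by more than one distinct name, sorted by id.
find_duplicate_ids() {
    awk -F: '
        NF < 3 || $3 !~ /^[0-9]+$/ { next }   # skip malformed lines
        seen[$3 SUBSEP $1]++ { next }          # same name listed twice
        {
            if ($3 in names) names[$3] = names[$3] "," $1
            else             names[$3] = $1
            count[$3]++
        }
        END {
            for (id in count)
                if (count[id] > 1) print id, names[id]
        }' | sort -n
}

printf '%s\n' "$SAMPLE_PASSWD" | find_duplicate_ids
```

On a joined host, pipe `getent passwd` or `getent group` into the function; whether domain accounts are enumerated there is governed by the NssEnumerationEnabled setting from the option list.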