Firstly a note of warning. I’ve done this mostly using CentOS but there’s no reason it shouldn’t work just as well on other distributions. I’ve gleaned a lot of this information by scouring a lot of other resources around the internet, FAQs, newsgroups etc. but as far as I can remember I wasn’t able to find a coherent article which described all of the required pieces of the puzzle.<\/p>\n
Secondly the objective of this article is to have unified accounting across Windows & Linux, or at least as close as possible. We’re going to use Microsoft Active Directory, Kerberos, Samba, Winbind, pam and nsswitch. We’re also going to end up with consistent uids and gids across multiple linux clients.<\/p>\n
\/etc\/samba\/smb.conf<\/strong><\/p>\n \/etc\/krb5.conf<\/strong><\/p>\n Next we join the machine to the AD domain – it’s necessary to specify a user with the right privileges. It also prompts for a password.<\/p>\n We can check things are working so far by trying to create a kerberos ticket using an existing username. Again it prompts us for a password.<\/p>\n Then Cool, so we have a machine joined to the domain and able to use kerberos tickets. Now we can tell our system to use winbind for fetching account information:<\/p>\n \/etc\/pam.d\/system-auth-ac<\/strong><\/p>\n If we’re on a 64-bit distribution we’ll find that references to \/lib need to be switched for \/lib64, e.g. \/lib64\/security\/pam_mkhomedir.so . This file will also create new home directories for users if they’re not present during first log-in.<\/p>\n \/etc\/nsswitch.conf<\/strong><\/p>\n Now we need to tell a few services to start on boot<\/p>\n and start a few services now<\/p>\n The Winbind+pam configuration can sometimes take a few minutes to settle down – I occasionally find it’s necessary to wait 5 or 10 minutes before accounts are available. YMMV.<\/p>\n Should now list local accounts (which take precedence) followed by domain accounts. Using ssh to the box as a domain user should make new home directories in \/home\/PSYPHI\/username. If you decide to migrate home directories from \/home make sure you change uid and gid to the new domain values for that user, then remove the old local account.<\/p>\n There are a handful of limitations of this approach –<\/p>\n For debugging Firstly a note of warning. I’ve done this mostly using CentOS but there’s no reason it shouldn’t work just as well on other distributions. I’ve gleaned a lot of this information by scouring a lot of other resources around the internet, FAQs, newsgroups etc. but as far as I can remember I wasn’t able to … Continue reading “Active Directory + Linux account integration”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[17],"tags":[340,338,337,336,317,335,199,339,334,341,200],"class_list":["post-216","post","type-post","status-publish","format-standard","hentry","category-sysadmin","tag-accounts","tag-activedirectory","tag-ad","tag-authentication","tag-integration","tag-kerberos","tag-linux","tag-nsswitch","tag-samba","tag-winbind","tag-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/posts\/216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/comments?post=216"}],"version-history":[{"count":6,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/posts\/216\/revisions"}],"predecessor-version":[{"id":222,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/posts\/216\/revisions\/222"}],"wp:attachment":[{"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/media?parent=216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/categories?post=216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/tags?post=216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}[global]\r\n\tworkgroup = PSYPHI\r\n\trealm = PSYPHI.LOCAL\r\n\tsecurity = ADS\r\n\tallow trusted domains = No\r\n\tuse kerberos keytab = Yes\r\n\tlog level = 3\r\n\tlog file = \/var\/log\/samba\/%m\r\n\tmax log size = 50\r\n\tprintcap name = cups\r\n\tidmap backend = idmap_rid:PSYPHI=600-20000\r\n\tidmap uid = 600-20000\r\n\tidmap gid = 600-20000\r\n\ttemplate shell = \/bin\/bash\r\n\twinbind enum users = Yes\r\n\twinbind enum groups = Yes\r\n\twinbind use default domain = Yes<\/code><\/pre>\n[logging]\r\n default = FILE:\/var\/log\/krb5libs.log\r\n kdc = FILE:\/var\/log\/krb5kdc.log\r\n admin_server = FILE:\/var\/log\/kadmind.log\r\n\r\n[libdefaults]\r\n default_realm = PSYPHI.LOCAL\r\n dns_lookup_realm = true\r\n dns_lookup_kdc = true\r\n ticket_lifetime = 24h\r\n forwardable = yes\r\n\r\n[realms]\r\n EXAMPLE.COM = {\r\n kdc = kerberos.example.com:88\r\n admin_server = kerberos.example.com:749\r\n default_domain = example.com\r\n }\r\n\r\n PSYPHI.LOCAL = {\r\n }\r\n\r\n[domain_realm]\r\n .example.com = EXAMPLE.COM\r\n example.com = EXAMPLE.COM\r\n\r\n psyphi.local = PSYPHI.LOCAL\r\n .psyphi.local = PSYPHI.LOCAL\r\n[appdefaults]\r\n pam = {\r\n debug = false\r\n ticket_lifetime = 36000\r\n renew_lifetime = 36000\r\n forwardable = true\r\n krb4_convert = false\r\n }<\/code><\/pre>\nnet ads join -U administrator<\/code><\/pre>\nkinit (username)<\/code><\/pre>\nklist<\/code> gives us output something like this:<\/p>\nTicket cache: FILE:\/tmp\/krb5cc_0\r\nDefault principal: username@PSYPHI.LOCAL\r\n\r\nValid starting Expires Service principal\r\n04\/28\/10 10:57:32 04\/28\/10 20:57:34 krbtgt\/PSYPHI.LOCAL@PSYPHI.LOCAL\r\n\trenew until 04\/29\/10 10:57:32\r\n\r\n\r\nKerberos 4 ticket cache: \/tmp\/tkt0\r\nklist: You have no tickets cached<\/code><\/pre>\nauth required pam_env.so\r\nauth sufficient pam_unix.so nullok try_first_pass\r\nauth requisite pam_succeed_if.so uid >= 500 quiet\r\nauth sufficient pam_krb5.so use_first_pass\r\nauth required pam_deny.so\r\n\r\naccount required pam_unix.so broken_shadow\r\naccount sufficient pam_localuser.so\r\naccount sufficient pam_succeed_if.so uid < 500 quiet\r\naccount [default=bad success=ok user_unknown=ignore] pam_krb5.so\r\naccount required pam_permit.so\r\n\r\npassword requisite pam_cracklib.so try_first_pass retry=3\r\npassword sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok\r\npassword sufficient pam_krb5.so use_authtok\r\npassword required pam_deny.so\r\n\r\nsession optional pam_keyinit.so revoke\r\nsession required pam_limits.so\r\nsession [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid\r\nsession required \/lib\/security\/pam_mkhomedir.so \r\nsession required pam_unix.so\r\nsession optional pam_krb5.so<\/code><\/code><\/pre>\npasswd: files winbind\r\nshadow: files winbind\r\ngroup: files winbind\r\n\r\nhosts: files dns\r\n\r\nbootparams: nisplus [NOTFOUND=return] files\r\n\r\nethers: files\r\nnetmasks: files\r\nnetworks: files\r\nprotocols: files\r\nrpc: files\r\nservices: files\r\n\r\nnetgroup: nisplus\r\n\r\npublickey: nisplus\r\n\r\nautomount: files nisplus\r\naliases: files nisplus<\/code><\/pre>\nchkconfig smb on\r\nchkconfig winbind on<\/code><\/pre>\nservice smb start\r\nservice winbind start<\/code><\/pre>\ngetent passwd<\/code><\/pre>\n\n
service winbind restart<\/code> every 15 minutes, which seriously sucks<\/li>\n\/var\/log\/secure<\/code> is very useful, as are the samba logs in \/var\/log\/samba\/<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"