Security Basics mailing list archives
Re: Unix/Linux accounts integrated within AD?
From: "Nikhil Wagholikar" <visitnikhil () gmail com>
Date: Thu, 30 Aug 2007 09:34:58 +0530
Hello Dummy Cerberus,

This is one of the most common issues for organizations running two or more OSes, so there are solutions or work-arounds for such situations. One of the secure ways of integrating a UNIX OS to authenticate against Microsoft Active Directory is as follows:

Note: Kindly note that the information provided below should strictly be tested in a test environment before bringing it into a production or operational environment. The solution provided is just a work-around and is not exact; it might vary according to your flavor of Linux and your practical hands-on experience with Linux- or UNIX-based machines. Kindly follow the instructions provided below at your own risk, since I am not responsible for any damage or mis-configuration.

Download and install the following software as per the given steps.

Step 1: Install MIT Kerberos V5. (Download: http://web.mit.edu/kerberos/)

Step 2: Install OpenLDAP with options to enable null, disable bdb, and no TLS. (Download: http://www.openldap.org/)

Step 3: Install SAMBA (Download: http://www.samba.org/). From here on the steps are a little tedious.
  3.1: Unpack and set the CFLAGS environment variable to "-O2"
  3.2: Set the CPPFLAGS environment variable to "-I/opt/local/include"
  3.3: Set the LDFLAGS environment variable to "-L/opt/local/lib -Wl,-R/opt/local/lib"
  3.4: Now from the source directory run something similar to, or appropriate for, your custom installation, like this:
       ./configure --prefix=/opt/local --exec-prefix=/opt/local/samba --with-sslinc=/opt/local/ssl/include --with-ssllib=/opt/local/lib --with-included-popt --with-smbwrapper --with-pam --with-ldap --with-ads --with-winbind --with-krb5=/opt/local --with-logfilebase=/var/log --with-automount --with-syslog
  3.5: Then as usual 'make' followed by 'make install'.

Step 4: Now configure your server to add the Active Directory DNS suffix to the search statement in /etc/resolv.conf on the Linux/UNIX machine.

Step 5: Then add the domain settings to your Kerberos config file (default location: /opt/local/etc/krb5.conf). Ex:
       [libdefaults]
       default_realm = MY.DOMAIN.CO.IN
       [realms]
       MY.DOMAIN.CO.IN = { kdc = dc1.my.domain.co.in }
       [domain_realms]
       .kerberos.server = MY.DOMAIN.CO.IN

Step 6: Now configure your SAMBA server as password server by including the following points in your samba config file (default location: /opt/local/samba/lib/smb.conf):
       WORKGROUP = DOMAIN
       REALM = my.domain.co.in
       SECURITY = ADS
       PASSWORD SERVER = dc1.my.domain.co.in
       ENCRYPT PASSWORD = yes
       ALLOW TRUSTED DOMAINS = yes
       USERNAME MAP = /opt/local/samba/lib/user.map

Step 7: Now map your Active Directory usernames to the respective UNIX usernames in the file named by 'username map' in smb.conf in the step just above. Ex:
       unix_user_name = ms-ad-user@DOMAIN
       OR
       unix_user_name = DOMAIN\ms-ad-user

Step 8: Start and stop smbd, nmbd and winbindd.

Step 9: Now, if everything has gone correctly till now, join the SAMBA server to Active Directory.
  9.1: /opt/local/bin/kinit Domain_Admin@MY.DOMAIN.CO.IN
  9.2: Now, if the SAMBA server is able to talk to and understand the AD communication, it'll prompt for the password for the username supplied (which is the Domain Administrator credentials).
  9.3: /opt/local/samba/bin/net ads join DomainAdmin

Step 10: Now restart all the SAMBA-related daemons/services.

Step 11: Test and verify the configuration for all users in Active Directory.

As you can all see, it's very complicated to set up and establish a perfect configuration for enabling UNIX/Linux-based machines to integrate with Microsoft Active Directory. To avoid all this, there are products on the market which make this integration happen within minutes, without many hiccups and errors. I am mentioning some of them below; however, I haven't yet used them:
1. Quest Software's Vintela Authentication Services - http://www.quest.com/Vintela-Authentication-Services/
2. Centrify DirectControl - http://www.centrify.com/directcontrol/overview.asp
3. Centeris Likewise - http://www.centeris.com/products/
4. Also you can explore Microsoft Services for UNIX, which is free and built into Microsoft Server OSes.
5. Another alternative option is to use 'Fedora Directory Service (FDS)' - http://directory.fedoraproject.org/

All the stuff mentioned I had written down long back in my notes while searching on Google for UNIX and Microsoft AD integration. So there might be an updated or more robust, easy and secure method available somewhere than the one I mentioned above.

----
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com

On 8/29/07, Dummy cerberus <dummycerberus () gmail com> wrote:

Hello,
First of all, thank you very much for your help with my question about GPOs and so on... your answers helped me a lot...
Now I have the following question: I have found that my organization has several kinds of OS installed on computers... most of them are W2K/W2K3 integrated within a W2K domain... Since admins have to remember lots of accounts/passwords for the W2K* servers, and the others with Linux, HP-UX, Solaris, etc... I have found that most of the passwords are too simple, and repeated all over the non-W2K* systems... I have tried with a password manager, but sometimes we lost valuable time searching for the strong password for one system in the password manager software... Is there any way to integrate the OS accounts of UNIX-like systems with an AD?
Best regards
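The krb5.conf from Step 5 and the smb.conf from Step 6 have to agree with each other, and the easiest mismatch to miss is the realm spelling, since Kerberos realm names are case-sensitive. The script below is an added example, not code from the original post: the two sample configs are constructed from the values in the steps above, the function names are my own, and it parses both files and reports inconsistencies between them before anyone runs `net ads join`.

```python
"""Check that the krb5.conf / smb.conf pair from Steps 5 and 6 agree.
Added example (not from the original post); sample configs constructed from it."""
import configparser
import re

# Constructed sample krb5.conf (Step 5), realm block on one line as in the post.
KRB5_CONF = """[libdefaults]
default_realm = MY.DOMAIN.CO.IN
[realms]
MY.DOMAIN.CO.IN = { kdc = dc1.my.domain.co.in }
"""

# Constructed sample smb.conf (Step 6); the real parameter is 'encrypt passwords'.
SMB_CONF = """[global]
workgroup = DOMAIN
realm = my.domain.co.in
security = ADS
password server = dc1.my.domain.co.in
encrypt passwords = yes
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf text."""
    m = re.search(r"default_realm\s*=\s*(\S+)", text)
    realms = {r: re.findall(r"kdc\s*=\s*(\S+)", body)
              for r, body in re.findall(r"(\S+)\s*=\s*\{([^}]*)\}", text)}
    return (m.group(1) if m else None), realms

def parse_smb(text):
    """Return [global] as a dict; smb.conf keys are case-insensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {k.lower(): v.strip() for k, v in cp["global"].items()}

def check_ad_integration(krb5_text, smb_text):
    """Return a list of findings; an empty list means the files agree."""
    default_realm, realms = parse_krb5(krb5_text)
    smb = parse_smb(smb_text)
    findings = []
    # Kerberos realm names are case-sensitive, so require an exact match.
    if smb.get("realm") != default_realm:
        findings.append(f"realm mismatch: smb.conf '{smb.get('realm')}' vs krb5 '{default_realm}'")
    if smb.get("security", "").lower() != "ads":
        findings.append("security must be ADS for Kerberos domain membership")
    if smb.get("encrypt passwords", "").lower() != "yes":
        findings.append("encrypt passwords should be yes")
    # The password server should be one of the KDCs for the default realm.
    if smb.get("password server") not in realms.get(default_realm, []):
        findings.append(f"password server '{smb.get('password server')}' is not a listed KDC")
    return findings
```

Run against the values as written in the post, it flags the lowercase `realm` in smb.conf against the uppercase `default_realm` in krb5.conf; after uppercasing the Samba realm it reports nothing.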