Arch server to Windows domain
From ArchWiki
HowTo Arch Linux as Active Directory Member
This guide explains how to include Arch Linux into an existing Windows Active Directory.
WARNING
Although I have tested this HowTo many times, there may still be bugs. This procedure worked this week; who knows whether it will tomorrow. Any update to glibc, samba or heimdal could break this HowTo to pieces.
Having backups of all modified files is recommended, as well as testing login before rebooting. In the worst case, login will be broken for all users, including root, so be warned: don't reboot or log out as root until you have checked everything.
DO NOT RELY UPON ANY INFORMATION FOUND IN THIS HOWTO WITHOUT INDEPENDENT VERIFICATION. USE AT OWN RISK.
General
- What you get:
- Windows AD users and local Arch Linux users can both log in to the Arch Linux box, at the console or via GDM.
- Windows AD users can use Samba shares like Windows shares.
- What you won't get:
- Windows users are simply users on your machine. It may be possible to make Windows AD admins Linux admins too, but this HowTo does not work that out.
- Several other applications, sudo for example, also authenticate users. As long as they use PAM, it should be possible to let them check AD accounts too, but this HowTo does not work that out.
Requirements
- Have a Windows Active Directory (AD)
- Be a Windows Admin.
- Be root.
- Be able to work with Linux without X.
- Be able to edit files.
- Note: There is NO need to taint the AD with Linux schema extensions.
Preparation of the Windows AD Policy
It is necessary to disable "Digital Sign Communication (Always)" in the AD group policies. Note that this relaxes the SMB signing requirement for every server the policy applies to, so scope the policy as narrowly as you can. Dive into
- 'Local policies'
- 'Security policies'
- 'Microsoft Network Server'
- 'Digital sign communication (Always)'
and
- activate "define this policy" and
- use the "disable" radio button
Installation
These packages are needed on the Arch Linux machine:
- Samba
- Heimdal
- NTP
- pam_krb5.so
Most of the packages can be installed with pacman:
pacman -Sy samba ntp heimdal
To install pam_krb5.so, you have to download pam_krb5-1.60.1-css1_linux.tar.Z for RedHat / Linux from http://www.css-security.com/. Untar it, move into the extracted folder and run:
./install.sh
Now pam_krb5.so is installed into /lib/security/cssi/, with a symlink in /lib/security.
Note: There is now a pam_krb5 package in the AUR.
Configuration
Check your /etc/hosts file carefully; it must be correct. If Windows and Linux dual-boot on the same machine, use a different hostname and NetBIOS name for the Linux installation, otherwise both installations would claim the same computer account and the secure channel between Windows and the domain controller will be broken.
In our example:
127.0.0.1 MACHINE-NAME.PARADISE.COM MACHINE-NAME
192.168.0.1 ADAM.PARADISE.COM ADAM
192.168.0.2 EVE.PARADISE.COM EVE
Samba / Winbindd Startup
Arch Linux starts samba and winbind from a single script, /etc/rc.d/samba.
The daemons started by /etc/rc.d/samba are configured in the file /etc/conf.d/samba:
##### /etc/conf.d/samba #####
SAMBA_DAEMONS=(smbd nmbd winbindd)
Heimdal / Kerberos - /etc/krb5.conf
Let's assume that your AD is named paradise.com. Let's further assume your AD is ruled by two domain controllers, the primary and secondary one, which are named adam and eve, adam.paradise.com and eve.paradise.com respectively. Their IP addresses will be 192.168.0.1 and 192.168.0.2 in this example.
##### /etc/krb5.conf #####
[libdefaults]
    default_realm = PARADISE.COM
    # Maximum tolerated clock difference to the KDC, in seconds
    clockskew = 300
    ticket_lifetime = 1d

[realms]
    PARADISE.COM = {
        kdc = 192.168.0.1
        kdc = 192.168.0.2
        default_domain = PARADISE.COM
    }

[domain_realm]
    .paradise.com = PARADISE.COM
    paradise.com = PARADISE.COM
    paradise = PARADISE.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }

[logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/kdc.log
Inside an AD, it is important that all machines run the same system time. To synchronize the time run:
/usr/bin/ntpdate adam.paradise.com
Now you can query the AD domain controllers for a ticket with the following command (uppercase is necessary):
# kinit ADMINISTRATOR@PARADISE.COM
You'll now be asked for the password. If it matches, you'll be returned to the console.
PAM Configuration for Login
Now we have to change /etc/pam.d/login so that it sends its requests to the AD controllers. For logins, PAM should first ask for AD accounts and fall back to local accounts if no matching AD account is found. Therefore we add entries that include pam_winbind.so in the authentication process. Furthermore, we include pam_mkhomedir.so, so that /home/paradise/user is created automatically when an AD user logs in.
#### /etc/pam.d/login ####
#%PAM-1.0
auth       sufficient   pam_unix2.so
auth       required     pam_winbind.so use_first_pass use_authtok
auth       required     pam_securetty.so
auth       required     pam_nologin.so
auth       required     pam_mail.so
account    sufficient   pam_unix2.so
account    sufficient   pam_winbind.so use_first_pass use_authtok
password   required     pam_pwcheck.so
password   sufficient   pam_unix2.so
password   sufficient   pam_winbind.so use_first_pass use_authtok
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    sufficient   pam_unix2.so
session    sufficient   pam_winbind.so use_first_pass use_authtok
session    required     pam_limits.so
If you want to allow AD users to log in via GDM, do the same for /etc/pam.d/gdm. You may try to change the /etc/pam.d/ rules of other applications so that they authenticate AD users as well.
Samba Configuration for Shares
Samba is highly configurable. Take this example only as a rough idea; it is hardly polished. Here is what my /etc/samba/smb.conf looks like:
#### /etc/samba/smb.conf ####
[Global]
    netbios name = archlinux
    workgroup = PARADISE
    realm = PARADISE.COM
    server string = archlinux
    map to guest = Bad User
    # UID/GID range that winbind maps AD accounts into; keep it clear of local accounts
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind gid = 10000-20000
    # Lets users log in as "kain" instead of "PARADISE+kain"; "+" separates domain and name
    winbind use default domain = Yes
    winbind separator = +
    os level = 20
    # There's no shell defined for users in AD, so I define a default shell to use.
    # Not sure if it's even possible to define a shell in AD.
    template shell = /bin/bash
    encrypt passwords = yes
    security = ads
    password server = adam.paradise.com
    preferred master = no
    dns proxy = no
    wins server = eve.paradise.com
    wins proxy = no
    # The domain prefix in these names must match "workgroup" (PARADISE in this example)
    admin users = @"PARADISE+domain admins"
    # Set in [Global], so it applies to every share below
    force group = "PARADISE+domain admins"
    inherit acls = Yes
    map acl inherit = Yes
    acl group control = yes
    load printers = no
    debug level = 3
    use sendfile = no

[homes]
    comment = User's homedirs
    path = /home/%U
    valid users = %S PARADISE+%S
    browseable = no
    read only = no

[data]
    comment = Data
    valid users = %S PARADISE+%S
    path = /data
    read only = no
    browseable = yes

[Back-up]
    comment = Backup filer
    path = /backup
    read only = no
    browseable = yes
    valid users = @"PARADISE+Domain Admins"
Now we tell Samba to use the PDC's database for authentication queries. Again we use winbindd, which is part of the samba package. Winbind maps AD users and groups to UIDs and GIDs on our Linux machine; it uses a Unix implementation of the RPC calls, Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS) to let Windows AD users access the Linux machine and to grant them permissions. The best part of winbindd is that you don't have to define the mapping yourself; you only define a UID and GID range, which is what the idmap settings in smb.conf do. To include winbind in NSS lookups, edit /etc/nsswitch.conf and add winbind to the lines shown here:
#### /etc/nsswitch.conf ####
passwd: files winbind
shadow: files winbind
group:  files winbind
Starting and testing services
Starting Samba
Hopefully, you have not rebooted yet! Fine. If you are in an X-session, quit it, so you can test login into another console, while you are still logged in.
Start Samba (including smbd, nmbd and winbindd):
/etc/rc.d/samba restart
Testing Winbind
Let's check if winbind is able to query the AD. The following command should return a list of AD users:
wbinfo -u
We can do the same for AD groups:
wbinfo -g
Testing Login
Now start a new console session and try to log in with an AD account. As we set "winbind use default domain", it should not be necessary to prefix the AD name. Let's assume there is an AD user named kain. Try to log in as
kain
PARADISE+kain
Both should work. You should notice that /home/paradise/kain has been created. Log into another session using a local Linux account. Check that you are still able to log in as root, but keep in mind to stay logged in as root in at least one session!
Testing Samba Commands
Try out some net commands to see if samba can address the AD:
net ads info
net ads lookup
net ads status
The commands return various AD-related information.
Arch Linux becomes an AD member
You need an AD Administrator account to do this. Let's assume it is named Administrator. The command is 'net ads join':
# net ads join -U Administrator
Administrator's password: xxx
Using short domain name -- PARADISE
Joined 'MACHINE-NAME' to realm 'PARADISE.COM'
When to Reboot?
Everything checked? OK. Pray and reboot.
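The checks from the sections above (the /etc/hosts entry, the clock skew against the KDC, the winbind entries in /etc/nsswitch.conf and /etc/pam.d/login, and the winbind trust) can be scripted so they are repeated before every reboot. The following POSIX shell script is an added example and not part of the original article. It assumes the file paths and the domain controller name adam.paradise.com from the example configuration, that `hostname -f` returns the FQDN, that `ntpdate -q` prints lines containing "offset <seconds>," and that `wbinfo -t` verifies the machine trust secret; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): pre-reboot sanity checks for
# an Arch box that was just configured as an AD member via winbind.
# Every check is a function taking file paths or text, so they can be run
# against copies of the config files; `sh preflight.sh check` runs them
# against the live system. The file paths and the DC name adam.paradise.com
# are assumptions taken from the example configuration above.

# /etc/nsswitch.conf: passwd, shadow and group must all list winbind.
nss_has_winbind() {
    awk '
        $1 ~ /^(passwd|shadow|group):$/ {
            db = substr($1, 1, length($1) - 1)
            for (i = 2; i <= NF; i++) if ($i == "winbind") seen[db] = 1
        }
        END { exit !(seen["passwd"] && seen["shadow"] && seen["group"]) }
    ' "$1"
}

# /etc/pam.d/login: pam_winbind.so must appear in the auth, account and
# session stacks, and pam_mkhomedir.so in the session stack, otherwise AD
# users either cannot authenticate or log in without a home directory.
pam_has_winbind() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        $3 ~ /pam_winbind\.so/ { wb[$1] = 1 }
        $1 == "session" && $3 ~ /pam_mkhomedir\.so/ { mk = 1 }
        END { exit !(wb["auth"] && wb["account"] && wb["session"] && mk) }
    ' "$1"
}

# /etc/hosts: a line "<ip> <fqdn> <short>" must exist for this machine
# (compared case-insensitively), so Kerberos and the domain secure channel
# see one consistent identity.
hosts_has_fqdn() {
    awk -v f="$2" -v s="$3" '
        /^[ \t]*#/ || NF < 3 { next }
        tolower($2) == tolower(f) && tolower($3) == tolower(s) { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Kerberos refuses tickets when the local clock differs from the KDC by more
# than clockskew (300 s in the krb5.conf above). $1 is the output of
# `ntpdate -q <dc>`, whose lines contain "offset <seconds>,"; $2 is the
# allowed skew in seconds. Fails if no offset is found or any exceeds it.
offset_within_skew() {
    printf '%s\n' "$1" | awk -v max="$2" '
        {
            for (i = 1; i < NF; i++) if ($i == "offset") {
                v = $(i + 1); sub(/,$/, "", v); v += 0
                if (v < 0) v = -v
                if (v > max) bad = 1
                found = 1
            }
        }
        END { exit !(found && !bad) }
    '
}

# Run everything against the live system. The ntpdate and winbind probes
# are skipped when the tools are not installed.
run_all_checks() {
    rc=0
    nss_has_winbind /etc/nsswitch.conf ||
        { echo "nsswitch.conf: winbind missing from passwd/shadow/group" >&2; rc=1; }
    pam_has_winbind /etc/pam.d/login ||
        { echo "pam.d/login: pam_winbind.so or pam_mkhomedir.so missing" >&2; rc=1; }
    short=$(hostname)
    fqdn=$(hostname -f 2>/dev/null || echo "$short")
    hosts_has_fqdn /etc/hosts "$fqdn" "$short" ||
        { echo "hosts: no '<ip> $fqdn $short' line" >&2; rc=1; }
    if command -v ntpdate >/dev/null 2>&1; then
        offset_within_skew "$(ntpdate -q adam.paradise.com 2>&1)" 300 ||
            { echo "clock offset to adam.paradise.com exceeds 300 s" >&2; rc=1; }
    fi
    if command -v wbinfo >/dev/null 2>&1; then
        # wbinfo -t verifies the machine trust account secret against the DC.
        wbinfo -t >/dev/null 2>&1 ||
            { echo "wbinfo -t: trust secret check failed" >&2; rc=1; }
    fi
    return $rc
}

if [ "${1:-}" = "check" ]; then
    run_all_checks && echo "all checks passed"
fi
```

Run it as `sh preflight.sh check` from a console you are already logged in to as root; a non-zero exit status names the file or probe that failed, so you can fix it before rebooting rather than after.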
More Info
Everything there is to know about Samba
Please feel free to comment this article - but if your edit this - PLEASE LET ME KNOW