BrainScraps Wiki

Linux Auth with Active Directory


Mbm329 23:23, March 9, 2012 (UTC)

Setup Prerequisites


Place entries in /etc/hosts for the domain controllers (domaincontroller1, domaincontroller2).


Make sure NTP is set up on the host and synchronized with the domain controller's time (important for Kerberos, which requires client and KDC clocks to agree closely).

# don't panic should the hardware clock act erratically
tinker panic 0

#lock it down
restrict default kod nomodify notrap nopeer noquery

server prefer

# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift


Configure ntpdate so that the clock is set from a time server once at boot, before ntpd takes over.

Setup Kerberos Authentication Configuration

Configure /etc/krb5.conf:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  EXAMPLE.COM = {
    kdc =
    kdc =
    admin_server =
    admin_server =
    default_domain =
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }


Add the appropriate PAM modules to the auth, account, and session entries.[1]

auth sufficient #place after
account sufficient #place after
session required skel=/etc/skel umask=0077 #place after

Setup NSS LDAP Library Configuration


Set up the nss_ldap client library config to bind to your domain controller.[2]

host domaincontroller1 domaincontroller2
base dc=example,dc=com
uri ldap:// ldap://
bindpw binduser_password
scope sub
ssl no

#Timeout helpers if ldap is unavailable - Ref:
bind_policy soft
bind_timelimit 1
timelimit 5
idle_timelimit 3600
nss_initgroups_ignoreusers root,mbm

#Filter passwd and shadow to improve speed of lookups and return far less than max allowed from AD - Ref:
nss_base_passwd dc=example,dc=com?sub?&(objectCategory=user)(uidNumber=*)
nss_base_shadow dc=example,dc=com?sub?&(objectCategory=user)(uidNumber=*)
nss_base_group dc=example,dc=com?sub?&(objectCategory=group)(gidNumber=*)

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member


In /etc/nsswitch.conf, have passwd, shadow, and group resolve from files first, then from ldap.

passwd: files ldap
shadow: files ldap
group: files ldap

Test LDAP Configuration

Test querying of passwd data from ldap:

getent passwd
getent passwd <username>

Test querying of group data from ldap:

getent group
getent group <group>

Test querying of shadow data from ldap:

getent shadow
getent shadow <username>

Test listing of users with id command:

id <username>

Setup Automatic CIFS Home Directory Mounting


This enables the mounts to authenticate with Kerberos tickets. The "keyutils" package must be installed on the system. Add the following to /etc/request-key.conf:

create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k


Add the indirect map to /etc/auto.master:

/winhomes /etc/auto.winhomes


Here, "*" matches any key (a subdirectory accessed under /winhomes), and "&" expands to the key that was referenced. The two example maps below show how specific users can be sent to one server while everybody else goes to a different one.

user1 -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
*     -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&

The file server hosting the shares may not support SMB packet signing. In that case, use sec=krb5 instead of sec=krb5i (krb5i adds per-packet integrity checking on top of Kerberos authentication).

user1 -fstype=cifs,rw,soft,sec=krb5,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
*     -fstype=cifs,rw,soft,sec=krb5,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&
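To see what autofs will do for a given key before relying on the map, here is an added shell example (not from the wiki page) that resolves a key against an indirect map the way described above: an exact key wins, otherwise the "*" wildcard entry applies, and every "&" becomes the key. The map text is a constructed copy of the entries above; resolve_winhome and AUTO_WINHOMES are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: resolve a key against an autofs
# indirect map the way described above for /winhomes. An exact key wins,
# otherwise the "*" wildcard entry applies, and every "&" becomes the key.
# resolve_winhome and AUTO_WINHOMES are names chosen for this example.

# Constructed copy of the /etc/auto.winhomes map shown above (sec=krb5i form).
AUTO_WINHOMES='user1 -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER1/home_share/&
*     -fstype=cifs,rw,soft,sec=krb5i,uid=&,file_mode=0700,dir_mode=0700 ://HOME_SHARE_SERVER2/home_share/&'

# resolve_winhome KEY [MAP]
# Prints "OPTIONS LOCATION" for the entry autofs would use, or returns 1.
resolve_winhome() {
    key=$1
    map=${2:-$AUTO_WINHOMES}
    # Only plain directory names are acceptable keys: no path separators,
    # option separators, whitespace, "&" (special to sed below), "." or "..".
    case $key in
        ''|*/*|*,*|*[[:space:]]*|*'&'*|.|..|'*') return 1 ;;
    esac
    entry=$(printf '%s\n' "$map" | awk -v key="$key" '
        $1 == key { print; found = 1; exit }
        $1 == "*" && wild == "" { wild = $0 }
        END { if (!found && wild != "") print wild }')
    [ -n "$entry" ] || return 1
    # Drop the key column, then substitute "&" (in uid=& and the share path).
    printf '%s\n' "$entry" | awk '{ $1 = ""; sub(/^ /, ""); print }' | sed "s/&/$key/g"
}

# Example run: an explicit entry, then a key that falls through to the wildcard.
resolve_winhome user1
resolve_winhome alice
```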


Add this code to the default .bash_profile to create a symlink to the autofs mountpoint for easy access to the home share.

# create ~/h -> /winhomes/<user> once, if it does not exist yet
if ! [ -h ~/h ]; then
  ln -s /winhomes/$(whoami) ~/h
fi

Test CIFS Auto-Mounting

Test auto-mounting of homedir when accessed by user:

ls -l ~/h/

Configure SAMBA to Join System to Domain[3]

In smb.conf, under the [global] section:

workgroup = workgroup
security = ads
realm =
use kerberos keytab = true
password server =

Run the following commands to join the system to the domain:

sudo kdestroy
sudo kinit domain_admin_username@EXAMPLE.COM
sudo net ads join -U domain_admin_username

Test SSO Access for File Shares

Log in as a standard user account and use smbclient to access the user's home share without being prompted for a password.

std_user$ smbclient -k '\\domaincontroller1\home_share\' -c 'ls std_user\*'
OS=[Windows Server 2008 R2 Enterprise 7600] Server=[Windows Server 2008 R2 Enterprise 6.1]
  .                                   D        0  Thu Oct  6 17:55:41 2011
  ..                                  D        0  Thu Oct  6 17:55:41 2011
  std_user_file.txt                      A       26  Thu Oct  6 17:55:50 2011

                61235 blocks of size 524288. 38719 blocks available

User-mounted CIFS Filesystems

Since the system is now in a Windows domain, users can be allowed to mount CIFS shares they have access to themselves, to increase their productivity. This is done by making /sbin/mount.cifs setuid root.

$ sudo chmod 4755 /sbin/mount.cifs

Users can then run mount.cifs directly to mount their own filesystems like so:

$ /sbin/mount.cifs '//SERVER1/SHARE/DIRECTORY TO BE MOUNTED' /home/USERNAME/MOUNTPOINT -o rw,soft,sec=krb5,uid=USERNAME,file_mode=0700,dir_mode=0700

The command's arguments must be given in the order shown above. You could also create a wrapper script that users call and that handles the options for them.
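Once mount.cifs is setuid root, every argument a user passes reaches a privileged program, so a wrapper should constrain them rather than just save typing. Here is an added shell example (not from the wiki page) of such a wrapper: it keeps the option set and argument order from the page, pins uid= to the calling user, and only accepts mountpoints strictly inside that user's home directory; the function names and the MOUNT_CIFS variable are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: a wrapper for the setuid-root
# /sbin/mount.cifs described above. It fixes the option set and argument
# order from the page, pins uid= to the calling user, and only accepts
# mountpoints strictly below that user's home, so the setuid helper is
# never handed an arbitrary target. Function and variable names are mine.

MOUNT_CIFS=${MOUNT_CIFS:-/sbin/mount.cifs}

# cifs_mount_opts USER: the fixed option string, with uid= pinned to USER.
cifs_mount_opts() {
    printf 'rw,soft,sec=krb5,uid=%s,file_mode=0700,dir_mode=0700\n' "$1"
}

# validate_cifs_args SERVER SHARE MOUNTPOINT HOME: 0 if safe to pass on, else 1.
validate_cifs_args() {
    server=$1 share=$2 mountpoint=$3 home=$4
    case $server in
        ''|*/*|*\\*|*[[:space:]]*) echo "bad server name: $server" >&2; return 1 ;;
    esac
    # The share path may contain spaces (as in the page's example) but no
    # backslashes, doubled slashes or ".." components.
    case $share in
        ''|*\\*|*//*|..|../*|*/..|*/../*) echo "bad share path: $share" >&2; return 1 ;;
    esac
    # The mountpoint must be an absolute path strictly below the user's home.
    case $mountpoint in
        "$home"/?*) ;;
        *) echo "mountpoint must be under $home" >&2; return 1 ;;
    esac
    case $mountpoint in
        *'/../'*|*'/..'|*'/./'*|*'/.') echo "no . or .. in mountpoint" >&2; return 1 ;;
    esac
    return 0
}

# mount_my_share SERVER SHARE MOUNTPOINT: the entry point a user would call.
mount_my_share() {
    user=$(id -un)
    validate_cifs_args "$1" "$2" "$3" "$HOME" || return 1
    mkdir -p -m 0700 "$3" || return 1
    # Same argument order as the page: UNC path, mountpoint, then -o options.
    "$MOUNT_CIFS" "//$1/$2" "$3" -o "$(cifs_mount_opts "$user")"
}
```

Install the script somewhere users can execute it and call it as `mount_my_share SERVER1 'SHARE/DIRECTORY TO BE MOUNTED' ~/MOUNTPOINT`; the share path is passed as one argument, as in the page's example.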


