Security Basics mailing list archives

Re: Unix/Linux accounts integrated within AD?


From: "Nikhil Wagholikar" <visitnikhil () gmail com>
Date: Thu, 30 Aug 2007 09:34:58 +0530

Hello Dummy Cerberus,

This is one of the most common issues with organizations having two or more
OSes, so there are solutions or work-arounds for such situations. One
of the secure ways of integrating a UNIX OS to authenticate with
Microsoft Active Directory is as follows:

Note:

Kindly note that the information provided below should be tested
strictly in a test environment before bringing it to a production or
operational environment. The solution provided is just a work-around
and is not exact; it might vary according to your flavor of Linux and
your practical hands-on experience with Linux or UNIX based machines.

Kindly follow the instructions provided below at your own risk, since
I am not responsible for any damage or mis-configuration.

Download and install the following software as per the given steps.

Step 1: Install MIT Kerberos V5. (Download: http://web.mit.edu/kerberos/)

Step 2: Install OpenLDAP with options to enable null, disable bdb, and
no TLS (Download: http://www.openldap.org/)

Step 3: Install SAMBA (Download: http://www.samba.org/). From now on
the steps are a little tedious.

3.1: Unpack and set the CFLAGS environment variable to "-O2"
3.2: Set the CPPFLAGS environment variable to "-I/opt/local/include"
3.3: Set the LDFLAGS environment variable to "-L/opt/local/lib
-Wl,-R/opt/local/lib"
3.4: Now, from the source directory, run something similar to this,
adjusted to your custom installation:

./configure --prefix=/opt/local --exec-prefix=/opt/local/samba \
    --with-sslinc=/opt/local/ssl/include --with-ssllib=/opt/local/lib \
    --with-included-popt --with-smbwrapper --with-pam --with-ldap \
    --with-ads --with-winbind --with-krb5=/opt/local \
    --with-logfilebase=/var/log --with-automount --with-syslog

3.5: Then as usual 'make' followed by 'make install'.

Step 4: Now configure your server to add the Active Directory DNS suffix
to the search statement in /etc/resolv.conf on the Linux/UNIX machine.

Step 5: Then add domain settings into your Kerberos config file
(default location: /opt/local/etc/krb5.conf)

Ex:

[libdefaults]
    default_realm = MY.DOMAIN.CO.IN

[realms]
    MY.DOMAIN.CO.IN = {
        kdc = dc1.my.domain.co.in
    }

# section name is [domain_realm] (singular); maps the AD DNS suffix to the realm
[domain_realm]
    .my.domain.co.in = MY.DOMAIN.CO.IN
    my.domain.co.in = MY.DOMAIN.CO.IN

Step 6: Now configure your SAMBA server as a password server by
including the following points in your samba config file
(default location: /opt/local/samba/lib/smb.conf)

[global]
    workgroup = DOMAIN
    realm = MY.DOMAIN.CO.IN
    security = ads
    password server = dc1.my.domain.co.in
    encrypt passwords = yes
    allow trusted domains = yes
    username map = /opt/local/samba/lib/user.map

Step 7: Now map your Active Directory usernames to the respective UNIX
usernames in the file named by 'username map' in the smb.conf file
in the step just above.

Ex: unix_user_name = ms-ad-user@DOMAIN

OR unix_user_name = DOMAIN\ms-ad-user

Step 8: Start and Stop smbd, nmbd and winbindd

Step 9: Now, if everything has gone correctly so far, join the
SAMBA server to Active Directory.

9.1: /opt/local/bin/kinit Domain_Admin@MY.DOMAIN.CO.IN
9.2: Now, if the SAMBA server is able to talk to and understand the AD
communication, it will prompt for the password for the username supplied
(which is the Domain Administrator's credentials).
9.3: /opt/local/samba/bin/net ads join -U DomainAdmin

Step 10: Now restart all the SAMBA related daemons/services.

Step 11: Test and verify the configuration for all users in Active Directory.

As you all can see, it is very complicated to set up and establish a
perfect configuration for enabling UNIX/Linux based machines to
integrate with Microsoft Active Directory.

To avoid all this, there are products on the market which enable
this integration to happen within minutes, that too without many hiccups
and errors.

Some of them I am mentioning below; however, I haven't used them yet:

1. Quest Software's Vintela Authentication Services -
http://www.quest.com/Vintela-Authentication-Services/

2. Centrify DirectControl - http://www.centrify.com/directcontrol/overview.asp

3. Centeris Likewise - http://www.centeris.com/products/

4. Also you can explore Microsoft Services for UNIX, which is free and
built into Microsoft server OSes.

5. Another alternative option is to use 'Fedora Directory Service (FDS)'
- http://directory.fedoraproject.org/

All the things mentioned I had written down long back in my notes
while searching on Google for UNIX and Microsoft AD integration. So
there might be an updated or more robust, easy and secure method
available somewhere than the one I mentioned above.

----
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com


On 8/29/07, Dummy cerberus <dummycerberus () gmail com> wrote:
Hello,

First of all, thank you very much for your help with my question about
GPOs and so on... your answers helped me a lot...

Now I have the following question: I have found that my organization
has several kinds of OS installed on computers... most of them are
W2K/W2K3 integrated within a W2K domain...

Since admins have to remember lots of accounts/passwords for the W2K*
servers, and the others with Linux, HP-UX, Solaris, etc... I have
found that most of the passwords are too simple, and repeated all over
the non-W2K* systems...

I have tried with a password manager, but sometimes we lose
valuable time searching for the strong password for one system in the
password manager software...

Is there any way to integrate the OS accounts of UNIX-like systems with an AD?

Best regards
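An added example, not code from either message in this thread: a POSIX shell script that lints the files written in Steps 4 to 7 of the procedure above (resolv.conf search suffix, krb5.conf section names and realm, smb.conf parameter names, the username map) and, with --live, runs the Step 11 checks (kinit, net ads testjoin, wbinfo) against a real domain. The /opt/local layout, the MY.DOMAIN.CO.IN realm and the Administrator account name are the post's placeholders and are assumptions here; all of them can be overridden through the environment. The lint deliberately rejects two easy mistakes in hand-written configs, a [domain_realms] header (the Kerberos library ignores sections it does not know) and an "encrypt password" parameter (Samba logs it as unknown and ignores it).

```shell
#!/bin/sh
# Added example, not code from either message in this thread. Lints the
# files written in Steps 4-7 of the procedure above and, with --live, runs
# the Step 11 checks against a real domain. The /opt/local paths and the
# realm are the post's placeholders (assumptions); override via environment.

PREFIX="${PREFIX:-/opt/local}"
KRB5_CONF="${KRB5_CONF:-$PREFIX/etc/krb5.conf}"
SMB_CONF="${SMB_CONF:-$PREFIX/samba/lib/smb.conf}"
USER_MAP="${USER_MAP:-$PREFIX/samba/lib/user.map}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
REALM="${REALM:-MY.DOMAIN.CO.IN}"

# lower-case a string (Kerberos realm -> AD DNS suffix)
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_resolv_search FILE DNS_SUFFIX (Step 4): the AD DNS suffix must be
# listed on the search/domain line, or short names like dc1 will not resolve.
check_resolv_search() {
  awk -v want="$2" '
    $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# check_krb5_conf FILE REALM (Step 5): the realm must be the default and have
# a kdc; a misspelled [domain_realms] header is rejected because the Kerberos
# library silently ignores sections it does not recognise.
check_krb5_conf() {
  awk -v realm="$2" '
    { gsub(/=/, " = ") }                      # accept "k=v" as well as "k = v"
    /^[ \t]*\[domain_realms\]/ { print "krb5: [domain_realms] must be [domain_realm]"; bad = 1 }
    $1 == "default_realm" && $3 == realm { def = 1 }
    $1 == "kdc" && $2 == "="              { kdc = 1 }
    END { if (!def) print "krb5: default_realm is not " realm
          if (!kdc) print "krb5: no kdc entry"
          exit (def && kdc && !bad) ? 0 : 1 }' "$1"
}

# check_smb_conf FILE REALM (Step 6): Samba parameter names are case-insensitive,
# so everything is lower-cased first; "security = ads" and a realm equal to the
# Kerberos realm are required, and the unknown parameter "encrypt password"
# (Samba would log it and ignore it) is rejected.
check_smb_conf() {
  awk -v realm="$(lc "$2")" '
    { line = tolower($0); sub(/[;#].*/, "", line)
      n = index(line, "="); if (n == 0) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
      sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      if (k == "security" && v == "ads") sec = 1
      if (k == "realm" && v == realm) rl = 1
      if (k == "encrypt password") { print "smb: unknown parameter \"encrypt password\" (use \"encrypt passwords\")"; bad = 1 } }
    END { if (!sec) print "smb: security = ads is missing"
          if (!rl) print "smb: realm does not match " realm
          exit (sec && rl && !bad) ? 0 : 1 }' "$1"
}

# check_username_map FILE (Step 7): every entry must look like
# "unixname = DOMAIN\user" or "unixname = user@DOMAIN"; comments/blanks skipped.
check_username_map() {
  awk '
    /^[ \t]*$/ || /^[ \t]*[;#]/ { next }
    !/^[ \t]*!?[A-Za-z0-9._-]+[ \t]*=[ \t]*[^ \t]/ { print "user.map: malformed line " NR ": " $0; bad = 1 }
    END { exit bad ? 1 : 0 }' "$1"
}

# live_checks REALM (Step 11): needs the Steps 9-10 join and a running winbindd.
live_checks() {
  sam="$PREFIX/samba/bin"
  for t in "$PREFIX/bin/kinit" "$sam/net" "$sam/wbinfo"; do
    [ -x "$t" ] || { echo "missing $t" >&2; return 1; }
  done
  "$PREFIX/bin/kinit" "${ADMIN_USER:-Administrator}@$1" || return 1  # KDC reachable, clock in sync
  "$sam/net" ads testjoin || return 1                                # machine account still valid
  "$sam/wbinfo" -t || return 1                                       # winbind can use the machine secret
  "$sam/wbinfo" -u | head -n 5                                       # AD users enumerate through winbind
}

case "${1-}" in
  --check)
    rc=0
    check_resolv_search "$RESOLV_CONF" "$(lc "$REALM")" \
      || { echo "resolv.conf: search does not include $(lc "$REALM")"; rc=1; }
    check_krb5_conf "$KRB5_CONF" "$REALM" || rc=1
    check_smb_conf "$SMB_CONF" "$REALM" || rc=1
    check_username_map "$USER_MAP" || rc=1
    exit $rc ;;
  --live) live_checks "$REALM" ;;
esac
```

Run it as `sh adcheck.sh --check` after Step 7 and fix everything it prints before joining; run `sh adcheck.sh --live` after Step 10. The lint functions only read files, so they are safe to run on a production box; the live checks obtain a TGT and talk to the domain controller, so run them from a shell where a Domain Administrator password may be typed.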


