Linux SSH + PAM + LDAP + 2003 R2 AD Deployment

Often I find myself working in a department where the skill sets of individuals vary significantly, and my current position is no different.  While there is nothing wrong with this, there have been several occasions (like being on vacation) where help desk personnel or other less savvy users were called upon to perform basic functions.  When you start dealing with a group of servers, it can be troublesome to maintain a local user base without some form of directory authentication.  Since most corporate offices still revolve around Windows at the desktop, Active Directory becomes a very logical option.

This will basically document the steps I performed in setting up our Linux machines (Fedora 9, RHEL 5, CentOS 5) to authenticate against our Active Directory domain for SSH, while restricting access to a specific security group so that we can give only specific users access as needed.  While I have only used this with Red Hat distros, it may be helpful to others.

Phase 1: Preparing Active Directory

While Windows Services for UNIX is still available, Microsoft was nice enough to include a similar feature with Windows 2003 R2 out of the box.  In add/remove Windows components under Active Directory Services, you will find Identity Management for UNIX.  This will install the necessary LDAP attributes we need for getting this all to work, and will give you a new tab “UNIX Attributes” for your users.

Phase 2: Preparing Groups

Now create your first security group; note that it is beneficial not to include special characters or spaces in the group name.  Once the group has been created, edit the UNIX Attributes under Properties and set the NIS Domain to the default one that was created; you may leave the Group ID or change it as needed.

Phase 3: Preparing Users

Once your security group has been set up (I named mine LinuxUsers), you can add your users.  Under user properties you will see a tab “UNIX Attributes” that contains our specific LDAP attributes.  Even though we won’t be using NIS, you have to set the NIS Domain to get access to the other options.  As for the rest of the attributes, I personally prefer to use bash (/bin/bash) and ensure that home directories are all lower case.

Phase 4: Configuring Linux

The hardest part of this setup was getting the correct DN where needed.  Due to our number of organizational units, I ended up using JXplorer a few times, which made finding a specific DN much easier.

Packages: openldap, openldap-devel, pam, pam_krb5, ntp

# yum install openldap openldap-devel pam pam_krb5 ntp

In order to log in, your clock must be synchronized with your domain controller, since Kerberos rejects authentication when the clocks differ by more than a few minutes.  Since we use an external ntp server on our domain controller, we are going to sync with the same server before continuing.  An optional step would be to set up a cron job to synchronize the date and time consistently.  Also note that ntpd must be stopped before updating, so in case you had it installed prior, make sure the service is stopped.

# /etc/rc.d/init.d/ntpd stop
# ntpdate -u pool.ntp.org
# /etc/rc.d/init.d/ntpd start

There are several configuration files we must update; I will list the file paths I used along with examples, though they may differ on your system.  In these examples, MYDOMAIN.COM is our Active Directory domain and pdc.mydomain.com is our domain controller.

/etc/krb.conf

(Example)

MYDOMAIN.COM
MYDOMAIN.COM pdc.mydomain.com

/etc/krb5.conf

(Example)

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 
[realms]
 MYDOMAIN.COM = {
  kdc = pdc.mydomain.com
  kdc = bdc.mydomain.com
 }
 
[domain_realm]
 .MYDOMAIN.COM = MYDOMAIN.COM
 MYDOMAIN.COM = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
 .mydomain.com = MYDOMAIN.COM
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/ldap.conf (NOTE: You must create a normal user for your Linux servers to bind to AD with, and you will need to change these DNs to match your setup.  Because NSS reads this file in every process it must stay world-readable, so the bind password is visible to every local user: give the bind account no rights in AD beyond reading the directory.)

(Example)

# Must be RESOLVABLE
host pdc.mydomain.com bdc.mydomain.com
 
# The distinguished name of the search base.
base dc=mydomain,dc=com
 
# Bind user you created in AD
# The credentials to bind with.
binddn CN=ldapuser,OU=Users,DC=mydomain,DC=com
bindpw Password123
 
# The search scope.
scope sub
 
# Search timelimit
timelimit 30
 
# Bind/connect timelimit
bind_timelimit 30
 
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
idle_timelimit 3600
 
# Group to enforce membership of
# The group you setup in AD that contains your linux users
pam_groupdn CN=LinuxUsers,OU=Groups,DC=mydomain,DC=com
 
# Group member attribute
pam_member_attribute member
 
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
pam_password ad
 
nss_base_passwd    ou=Users,dc=mydomain,dc=com?sub
nss_base_shadow    ou=Users,dc=mydomain,dc=com?sub
nss_base_group     ou=Users,dc=mydomain,dc=com?sub
 
# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
 
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
 
# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0
 
# Override the default Kerberos ticket cache location.
krb5_ccname FILE:/etc/.ldapcache
ssl no
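
The DNs above are the part that most often goes wrong, and the bind password sits in a world-readable file.  The following pre-flight script is an added example written for this page, not part of nss_ldap or Red Hat's tooling; ldapconf_get, ldapconf_check and ldapconf_sample are hypothetical helper names.  It confirms that every setting the setup relies on is present, that the base, binddn and pam_groupdn values at least look like DNs, and that a bindpw is combined with ssl no only knowingly; passing dns as the second argument also resolves each host on the host line.

```shell
#!/bin/sh
# ldapconf_check.sh: pre-flight checks for an nss_ldap/pam_ldap /etc/ldap.conf.
# Added example for this page; the helper names are hypothetical.
# Usage: sh ldapconf_check.sh /etc/ldap.conf
#        (no argument: runs against a constructed sample so it can be tried offline)

# Print the value of KEY ($2) from FILE ($1): first non-comment line whose
# first word is KEY, with the key stripped so multi-word values survive.
ldapconf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# ldapconf_check FILE [dns]: return 0 when FILE carries every setting this
# setup relies on, 1 otherwise. Findings go to stdout; "dns" also checks
# that the hosts on the host line resolve (the page marks it "Must be RESOLVABLE").
ldapconf_check() {
    ldc_file="$1"; ldc_rc=0
    for ldc_key in host base binddn pam_groupdn pam_member_attribute \
                   nss_base_passwd nss_base_group; do
        if [ -z "$(ldapconf_get "$ldc_file" "$ldc_key")" ]; then
            echo "MISSING: $ldc_key"; ldc_rc=1
        fi
    done
    # A DN has at least two attr=value components separated by commas.
    for ldc_key in base binddn pam_groupdn; do
        ldc_val="$(ldapconf_get "$ldc_file" "$ldc_key")"
        case "$ldc_val" in
            *=*,*=*) ;;
            "") ;;                                   # already reported as MISSING
            *) echo "BAD DN: $ldc_key $ldc_val"; ldc_rc=1 ;;
        esac
    done
    # NSS reads this file in every process, so it stays world-readable and any
    # bindpw in it is visible to every local user; simple bind without TLS
    # additionally sends that password in clear text on the wire.
    if [ -n "$(ldapconf_get "$ldc_file" bindpw)" ]; then
        echo "WARN: bindpw is readable by all local users; keep the bind account unprivileged"
        if [ "$(ldapconf_get "$ldc_file" ssl)" = "no" ]; then
            echo "WARN: ssl no with bindpw: simple bind sends the password unencrypted"
        fi
    fi
    if [ "$2" = "dns" ]; then
        for ldc_h in $(ldapconf_get "$ldc_file" host); do
            getent hosts "$ldc_h" >/dev/null 2>&1 || echo "WARN: $ldc_h does not resolve here"
        done
    fi
    return $ldc_rc
}

# Constructed sample mirroring the page's example (names and DNs are placeholders).
ldapconf_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
host pdc.mydomain.com bdc.mydomain.com
base dc=mydomain,dc=com
binddn CN=ldapuser,OU=Users,DC=mydomain,DC=com
bindpw Password123
pam_groupdn CN=LinuxUsers,OU=Groups,DC=mydomain,DC=com
pam_member_attribute member
nss_base_passwd ou=Users,dc=mydomain,dc=com?sub
nss_base_group  ou=Users,dc=mydomain,dc=com?sub
ssl no
EOF
}

if [ "$#" -gt 0 ]; then
    ldapconf_check "$1" dns
else
    ldc_tmp="$(mktemp)"; ldapconf_sample "$ldc_tmp"; ldapconf_check "$ldc_tmp"; rm -f "$ldc_tmp"
fi
```

Run it before the first login attempt and again after every DN change; a MISSING or BAD DN line is something pam_ldap will only report as a generic authentication failure.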

/etc/nsswitch.conf

Append ldap to the end of the following lines:

  • passwd:
  • shadow:
  • group:
  • netgroup:

(Example)

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
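
Editing nsswitch.conf by hand is easy to get wrong when repeated across several servers (a second run appends ldap twice, or touches the hosts line).  The script below is an added example for this page, not a distribution tool; nsswitch_add_ldap and nsswitch_sample are hypothetical helper names.  It appends ldap only to the four databases listed above, leaves a line that already ends in ldap untouched so it can be re-run safely, keeps trailing comments, and writes to stdout so the result can be reviewed before replacing the file.

```shell
#!/bin/sh
# nsswitch_add_ldap.sh: add "ldap" to the passwd, shadow, group and netgroup
# databases of an nsswitch.conf, leaving every other line untouched.
# Added example for this page; helper names are hypothetical.
# Usage: sh nsswitch_add_ldap.sh /etc/nsswitch.conf > /tmp/nsswitch.new
#        (no argument: runs against a constructed sample)

nsswitch_add_ldap() {
    awk '
        BEGIN { want["passwd"] = 1; want["shadow"] = 1; want["group"] = 1; want["netgroup"] = 1 }
        # Comments and blank lines pass through unchanged.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        {
            # Split off a trailing comment so "ldap" lands before it.
            tail = ""
            c = index($0, "#")
            if (c > 0) {
                tail = " " substr($0, c)
                $0 = substr($0, 1, c - 1)
                sub(/[[:space:]]+$/, "")
            }
            db = $1; sub(/:$/, "", db)          # "passwd:" -> "passwd"
            if (db in want) {
                has = 0
                for (i = 2; i <= NF; i++) if ($i == "ldap") has = 1
                if (!has) $0 = $0 " ldap"       # append, keeping the original spacing
            }
            print $0 tail
        }
    ' "$1"
}

# Constructed sample in the layout of a Red Hat nsswitch.conf.
nsswitch_sample() {
    cat > "$1" <<'EOF'
# constructed sample
passwd:     files
shadow:     files
group:      files ldap
hosts:      files dns
netgroup:   files # keep this comment
EOF
}

if [ "$#" -gt 0 ]; then
    nsswitch_add_ldap "$1"
else
    ns_tmp="$(mktemp)"; nsswitch_sample "$ns_tmp"; nsswitch_add_ldap "$ns_tmp"; rm -f "$ns_tmp"
fi
```

Compare the output with `diff /etc/nsswitch.conf /tmp/nsswitch.new` before copying it into place; only the four database lines should differ.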

/etc/pam.d/sshd – Add the following ldap and krb5 PAM modules, and have pam_mkhomedir create the user's home directory if it does not exist.

auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
 
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
 
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
 
session     optional      pam_krb5.so
session     optional      pam_ldap.so
 
session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel silent

(Example)

#%PAM-1.0
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth       include      system-auth
 
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account    required     pam_nologin.so
account    include      system-auth
 
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password   include      system-auth
 
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel silent

Verify LDAP authentication is working by logging in with a domain account that is a member of the group.  Failures are recorded in the security log (/var/log/secure on Red Hat systems), so watch it while testing.
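
When watching the security log, the distinction that matters after this setup is between a wrong password and a user sshd calls "invalid": the latter means NSS never found the account, which points at ldap.conf (nss_base_passwd, the DN, the bind user) rather than at the password.  The following script is an added example for this page, not a Red Hat or OpenSSH tool; sshd_auth_summary and sshd_auth_sample are hypothetical helper names, and the log lines in the sample are constructed in the format sshd writes to /var/log/secure.  It tallies accepted, failed and unknown-user password attempts per user and source address and flags any source at or above a failure threshold.

```shell
#!/bin/sh
# sshd_auth_summary.sh: summarise sshd password-authentication outcomes from a
# /var/log/secure style log. Added example for this page; helper names are
# hypothetical and the sample lines are constructed.
# Usage: sh sshd_auth_summary.sh /var/log/secure [threshold]
#        (no argument: runs against the constructed sample)

# Print one line per user@source: "accepted|failed|unknown_user USER@IP N",
# followed by "ALERT USER@IP N failed attempts" for every source at or above
# THRESHOLD (default 3). "unknown_user" is sshd's "invalid user": the name did
# not resolve through NSS, so with this setup it usually means an AD account
# that nss_ldap cannot see rather than a bad password.
sshd_auth_summary() {
    awk -v thr="${2:-3}" '
        / sshd\[[0-9]+\]: (Accepted|Failed) password for / {
            rest = $0
            sub(/.* password for /, "", rest)      # "[invalid user ]USER from IP port N ssh2"
            invalid = sub(/^invalid user /, "", rest)
            split(rest, w, " ")                    # w[1]=USER  w[2]="from"  w[3]=IP
            key = w[1] "@" w[3]
            if ($0 ~ / Accepted password for /) ok[key]++
            else if (invalid) unknown[key]++
            else bad[key]++
        }
        END {
            for (k in ok)      printf "accepted %s %d\n", k, ok[k]
            for (k in bad)     printf "failed %s %d\n", k, bad[k]
            for (k in unknown) printf "unknown_user %s %d\n", k, unknown[k]
            for (k in bad) if (bad[k] >= thr) printf "ALERT %s %d failed attempts\n", k, bad[k]
        }
    ' "$1" | sort
}

# Constructed sample log: one good login, one wrong password, one account NSS
# could not find, and a burst of failures against root from one address.
sshd_auth_sample() {
    cat > "$1" <<'EOF'
Jan 10 10:00:01 web1 sshd[2001]: Accepted password for jdoe from 10.0.0.5 port 50000 ssh2
Jan 10 10:00:09 web1 sshd[2002]: Failed password for jdoe from 10.0.0.5 port 50001 ssh2
Jan 10 10:01:10 web1 sshd[2003]: Failed password for invalid user asmith from 10.0.0.7 port 50010 ssh2
Jan 10 10:01:11 web1 sshd[2004]: Failed password for root from 198.51.100.9 port 40000 ssh2
Jan 10 10:01:12 web1 sshd[2005]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jan 10 10:01:13 web1 sshd[2006]: Failed password for root from 198.51.100.9 port 40002 ssh2
Jan 10 10:01:14 web1 sshd[2001]: pam_unix(sshd:session): session opened for user jdoe by (uid=0)
EOF
}

if [ "$#" -gt 0 ]; then
    sshd_auth_summary "$@"
else
    sas_tmp="$(mktemp)"; sshd_auth_sample "$sas_tmp"; sshd_auth_summary "$sas_tmp"; rm -f "$sas_tmp"
fi
```

On the sample the asmith line is the one to chase first: an unknown user during a rollout is almost always a directory lookup problem, and `getent passwd asmith` on the server will confirm whether nss_ldap can see the account at all.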

Phase 5: Giving SUDO permissions (Optional)

Add the group to your sudoers file using %groupname.

(Example)

# Give our Windows Group linuxusers (system admins), ALL commands.
%linuxusers     ALL=(ALL)       ALL

3 thoughts on “Linux SSH + PAM + LDAP + 2003 R2 AD Deployment”

  1. Pingback: Linux SSH + PAM + LDAP + SSSD+ 2008 R2 AD Deployment at Ohjeah!

  2. rad_e

    How can I permit or deny access for my AD users to my Linux servers?
    In AD I defined some hosts to permit access to in the user account (button “login on …”, attribute “userWorkstations”), but it does not work.
    Can you help me?
    I think it doesn’t work because I must map the AD attribute “userWorkstation” to the POSIX (LDAP) attribute “host” in /etc/ldap.conf…. but I can’t find something like this:
    nss_map_attribute host userWorkstations # I tried using this line, but it doesn’t work either…
