
Re: Unix/Linux accounts integrated within AD?

Subject: Re: Unix/Linux accounts integrated within AD?
Date: Thu, 30 Aug 2007 09:34:58 +0530
Hello Dummy Cerberus,

This is one of the most common issues with organizations having two or more
OSes, so there are solutions or work-arounds for such situations. One
of the secure ways of integrating a UNIX OS to authenticate with
Microsoft Active Directory is as follows:

Note:

Kindly note that the information provided below should be tested in
a test environment strictly before bringing it to a production or
operational environment. The solution provided is just a work-around
and is not exact; it might vary according to your flavor of Linux and
your practical hands-on experience on Linux or UNIX based machines.

Kindly follow the instructions provided below at your own risk, since
I am not responsible for any damage or mis-configuration.

Download and install the following software as per the given steps.

Step 1: Install MIT Kerberos V5. (Download: http://web.mit.edu/kerberos/)

Step 2: Install OpenLDAP with options to enable null, disable bdb, and
no TLS (Download: http://www.openldap.org/)

Step 3: Install SAMBA (Download: http://www.samba.org/). From now on the
steps are a little tedious.

3.1: Unpack and set the CFLAGS environment variable to "-O2"
3.2: Set the CPPFLAGS environment variable to "-I/opt/local/include"
3.3: Set the LDFLAGS environment variable to "-L/opt/local/lib -Wl,-R/opt/local/lib"
3.4: Now from the source directory run something similar to this, or
whatever is appropriate to your custom installation:

    ./configure --prefix=/opt/local --exec-prefix=/opt/local/samba \
        --with-sslinc=/opt/local/ssl/include --with-ssllib=/opt/local/lib \
        --with-included-popt --with-smbwrapper --with-pam --with-ldap \
        --with-ads --with-winbind --with-krb5=/opt/local \
        --with-logfilebase=/var/log --with-automount --with-syslog

3.5: Then as usual 'make' followed by 'make install'.

Step 4: Now configure your server to add the Active Directory DNS suffix
to the search statement in /etc/resolv.conf on the Linux/UNIX machine.

Step 5: Then add the domain settings to your Kerberos config file
(default location: /opt/local/etc/krb5.conf)

Ex:
    [libdefaults]
        default_realm = MY.DOMAIN.CO.IN

    [realms]
        MY.DOMAIN.CO.IN = {
            kdc = dc1.my.domain.co.in
        }

    [domain_realm]
        .kerberos.server = MY.DOMAIN.CO.IN

Step 6: Now configure your SAMBA server as password server by
including the following points in your samba config file
(default location: /opt/local/samba/lib/smb.conf)

    [global]
        workgroup = DOMAIN
        realm = MY.DOMAIN.CO.IN
        security = ads
        password server = dc1.my.domain.co.in
        encrypt passwords = yes
        allow trusted domains = yes
        username map = /opt/local/samba/lib/user.map

Step 7: Now map your Active Directory usernames to the respective UNIX
usernames in the file named by 'username map' in the smb.conf file
in the step just above.

Ex: unix_user_name = ms-ad-user@DOMAIN

OR unix_user_name = DOMAIN\ms-ad-user
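The username map from Step 7 is where AD names become UNIX accounts, and the two lines above only show its spelling. The following is an added example of mine, not code from the post or from Samba, that resolves names the way smb.conf(5) describes the file: one 'unix_name = win_name ...' line each, '#'/';' comments, case-insensitive matching, '*' for any name, '@group' for UNIX group members, and a leading '!' to stop once that line has mapped the name. Without '!', later lines are applied to the already-mapped name, so a trailing 'guest = *' quietly turns every earlier mapping into guest; the map contents and account names are constructed.

```python
"""Resolve AD account names through a Samba-style 'username map' (Step 7).

Semantics followed here are those of smb.conf(5); the map and names below
are constructed for the example and are not real accounts.
"""

# Constructed sample map using both spellings the post shows.
SAMPLE_MAP = """\
# unix_user_name = AD user(s); names match case-insensitively
!alice = alice.smith@MY.DOMAIN.CO.IN
bob = MY\\bob.jones MY\\robert.jones
; catch-all for everyone else: because the 'bob' line has no '!',
; this line also rewrites names that line already mapped
guest = *
"""


def parse_username_map(text):
    """Return [(unix_name, [win_names], stop_after_match), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, _, win_names = line.partition("=")
        unix_name = unix_name.strip()
        stop = unix_name.startswith("!")        # '!' = stop after a match
        if stop:
            unix_name = unix_name[1:].strip()
        entries.append((unix_name.strip('"'), win_names.split(), stop))
    return entries


def _matches(pattern, name, group_members):
    """One right-hand-side token against the (current) user name."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):                 # UNIX group membership
        members = group_members.get(pattern[1:], ())
        return name.lower() in {m.lower() for m in members}
    return pattern.lower() == name.lower()


def map_username(entries, win_name, group_members=None):
    """Return the UNIX account win_name ends up as (unchanged if nothing matches)."""
    group_members = group_members or {}
    name = win_name
    for unix_name, patterns, stop in entries:
        if any(_matches(p, name, group_members) for p in patterns):
            name = unix_name            # later lines now see the mapped name
            if stop:
                break
    return name


def shadowed_by_wildcard(entries):
    """UNIX names from non-'!' lines that a later '*' line silently overrides."""
    shadowed = []
    for i, (unix_name, patterns, stop) in enumerate(entries):
        if stop or "*" in patterns:
            continue
        if any("*" in later[1] for later in entries[i + 1:]):
            shadowed.append(unix_name)
    return shadowed


if __name__ == "__main__":
    entries = parse_username_map(SAMPLE_MAP)
    for who in ("Alice.Smith@my.domain.co.in", "MY\\bob.jones", "MY\\carol"):
        print(f"{who:32} -> {map_username(entries, who)}")
    print("shadowed by trailing wildcard:", shadowed_by_wildcard(entries))
```

Running it shows MY\bob.jones ending up as 'guest', and shadowed_by_wildcard() names 'bob' as the line to prefix with '!'; re-running after that change maps him to 'bob' as intended. Lines that map a domain account onto a privileged UNIX account deserve the same scrutiny before the map goes live.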

Step 8: Start and stop smbd, nmbd and winbindd.

Step 9: Now, if everything has gone correctly till now, join the
SAMBA server to Active Directory.

9.1: /opt/local/bin/kinit Domain_Admin@MY.DOMAIN.CO.IN
9.2: Now if the SAMBA server is able to talk to and understand the AD
communication, it'll prompt for the password for the username supplied
(which is the Domain Administrator credentials).
9.3: /opt/local/samba/bin/net ads join -U DomainAdmin

Step 10: Now restart all the SAMBA related daemons/services.

Step 11: Test and verify the configuration for all users in Active Directory.
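Most failed joins trace back to Steps 5 and 6 disagreeing with each other, so the checks below are worth running before Step 9. This is an added example of mine, not code from the post or from Samba or MIT Kerberos: it parses the two config fragments (constructed here from the post's own placeholder names) and reports the mismatches a practitioner would otherwise hunt for by hand, such as a realm spelled differently in the two files, a password server that is not a KDC in krb5.conf, or a misspelled parameter that Samba would silently ignore.

```python
"""Cross-check krb5.conf and smb.conf before 'net ads join' (Steps 5, 6, 9).

Added example; the sample configs are constructed from the post's
placeholder names and the checks are ordinary consistency rules.
"""
import re

# Constructed from the post's Step 5 example.
KRB5_CONF = """\
[libdefaults]
    default_realm = MY.DOMAIN.CO.IN

[realms]
    MY.DOMAIN.CO.IN = {
        kdc = dc1.my.domain.co.in
    }

[domain_realm]
    .my.domain.co.in = MY.DOMAIN.CO.IN
"""

# Constructed from the post's Step 6 list, with the realm in lower case
# exactly as the post first gave it, to show the check firing.
SMB_CONF = """\
[global]
    workgroup = DOMAIN
    realm = my.domain.co.in
    security = ads
    password server = dc1.my.domain.co.in
    encrypt passwords = yes
    allow trusted domains = yes
    username map = /opt/local/samba/lib/user.map
"""


def parse_smb_global(text):
    """{parameter: value} for [global]; names lower-cased with single
    spaces, which is how smb.conf treats parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def krb5_default_realm(text):
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def krb5_kdcs(text, realm):
    """KDC host names listed for realm inside its [realms] block."""
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", text, re.DOTALL)
    return re.findall(r"kdc\s*=\s*(\S+)", block.group(1)) if block else []


def check_ad_config(krb5_text, smb_text):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    smb = parse_smb_global(smb_text)
    realm = krb5_default_realm(krb5_text)
    smb_realm = smb.get("realm", "")
    if smb.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for a Kerberos/AD join")
    if not realm:
        findings.append("krb5.conf has no default_realm")
    elif smb_realm != realm:
        findings.append(f"smb.conf realm '{smb_realm}' should match the Kerberos "
                        f"realm '{realm}' exactly (realm names are case-sensitive)")
    kdcs = [k.lower() for k in krb5_kdcs(krb5_text, realm)] if realm else []
    ps = smb.get("password server", "").lower()
    if ps and ps != "*" and ps not in kdcs:
        findings.append(f"password server '{ps}' is not a kdc for {realm} in krb5.conf")
    if "encrypt password" in smb:        # singular form is not a Samba parameter
        findings.append("'encrypt password' is not a Samba parameter; use 'encrypt passwords'")
    if smb.get("encrypt passwords", "yes").lower() not in ("yes", "true", "1"):
        findings.append("encrypt passwords must not be disabled for an AD join")
    if "username map" not in smb:
        findings.append("no username map; AD names will not be mapped to UNIX accounts")
    wg = smb.get("workgroup", "")
    if len(wg) > 15 or "." in wg:
        findings.append("workgroup must be the NetBIOS short name, not the DNS domain")
    return findings


if __name__ == "__main__":
    for finding in check_ad_config(KRB5_CONF, SMB_CONF) or ["configs agree"]:
        print("-", finding)
```

As given, it reports only the realm case mismatch; after changing the smb.conf realm to MY.DOMAIN.CO.IN the list is empty, and a misspelled 'encrypt password' or 'security = user' each add a finding of their own.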

As you all can see, it's very complicated to set up and establish a
perfect configuration for enabling UNIX/Linux based machines to
integrate with Microsoft Active Directory.

To avoid all this, there are products out in the market which enable
this integration to happen within minutes, and without many hiccups
and errors.

Some of them I am mentioning below; however, I haven't yet used them:

1. Quest Software's Vintela Authentication Services -
http://www.quest.com/Vintela-Authentication-Services/

2. Centrify DirectControl - http://www.centrify.com/directcontrol/overview.asp

3. Centeris Likewise - http://www.centeris.com/products/

4. Also you can explore Microsoft Services for UNIX, which is free and
built into Microsoft Server OSes.

5. Another alternative option is to use 'Fedora Directory Service (FDS)'
- http://directory.fedoraproject.org/

All the mentioned stuff I had written down long back in my notes
while searching on Google for UNIX and Microsoft AD integration. So
there might be an updated or more robust, easy and secure method
available somewhere than the one I mentioned above.

----
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com


On 8/29/07, Dummy cerberus <dummycerberus@gmail.com> wrote:
Hello,

First of all, thank you very much for your help with my question about
GPOs and so on... your answers helped me a lot...

Now I have the following question: I have found that my organization
has several kind of OS installed on computers... most of them are
W2K/W2K3 integrated within a W2K domain...

Since admins have to remember lots of accounts/passwords for the W2K*
servers, and the others with Linux, HP-UX, Solaris, etc... I have
found that most of the passwords are too simple, and repeated all over
the non-W2K* systems...

I have tried with a password manager, but sometimes we lost
valuable time searching for the strong password for one system in the
password manager software...

Is there any way to integrate the OS accounts of UNIX-like systems with an AD?

Best regards
