Sign Up! FREE Redmond Report Newsletter  
Redmond: the independent voice of the microsoft IT communityFREE Print Subscription | Newsletters | Contact Us  
Redmond: the independent voice of the microsoft IT community
 FindIT Code What is This?
Enter Here:
December 5, 2008 2008 Redmond Readers' Surveyredmondmag.com via get an RSS feed
-- advertisement --
moreNews
moreCurrent Issue
moreProduct Reviews
moreColumns
Barney's Rubble
Beta Man
Foley on Microsoft
Integration Station
Mr. Roboto
Mr. Script
Never Again
Redmond Negotiator
Security Advisor
Windows Insider
Columns Archive
moreFeatures
moreTech Library
moreTech Portals
moreForums
moreYour Turn
moreNewsletters
moreSubscribe/Renew
moreAbout Us
moreRedmond Radio
moreSalary Surveys
RSS Feeds
Site Map
searchSearch
 
Click here and let us know what you think!
JUMP TO BOTTOM OF PAGE
... Home ... Columns You are reading ... Windows Insider ... Article

Windows Insider

Bill Boswell
Linux-Windows Single Sign-On
Follow these steps and have your users logging on at their Linux/Unix desktops with their Windows accounts.

January 2005 by Bill Boswell

I am an advocate of centralized identity management and I think Active Directory makes a great repository for user account information. Interoperability can be a challenge, though. For example, you may work in a mixed environment of Linux/Unix and Windows and want users to take advantage of their Windows accounts when logging on at a Linux/Unix machine. This provides single sign-on for users who otherwise would need to maintain two different sets of passwords.

A Modest Proposal
With this in mind, I set out to accomplish what I considered to be a fairly straightforward goal: Configure the Linux desktops and servers in my office to accept logins using accounts stored in AD. My metrics for success were relatively modest. I wanted to sit down at a Linux desktop, enter a set of Windows credentials, and get a KDE or Gnome desktop with a home directory that has appropriate access permissions.

-- advertisement --

Achieving this goal turned out to be a bit more challenging than anticipated. After spending lots of time reading through docs and chasing down hints and configuration snippets, I finally found the right combination of settings for all the different Linux flavors in my lab. The results were gratifying, though. I had seamless authentication with AD that could be used for initial login, file sharing, secure shell (ssh) and other network services.

To save you a little time in case you decide to give this interoperability experiment a try, I put together notes and screen shots that show how to configure AD authentication for Fedora Core 2 (and the Core 3 beta). To see examples and instructions for these other Linux flavors: SuSE Linux 9.1 Professional, Mandrake 10.1 and Xandros Desktop 2.5, visit my Web site at www.billboswellconsulting.com/linux-ad.html.

If you're a bottom-line kind of person, here's a quick summary. Xandros 2.5 has the slickest AD configuration of the bunch. Mandrakelinux and Fedora are fairly simple once you know where to add a few settings. SuSE required the most work, but Novell should have this corrected in Novell Linux Desktop.

In the examples here, I used a Windows Server 2003 domain called Company.com, flat name COMPANY. I retained the default Windows 2003 security settings, including SMB signing, LDAP signing and anonymous logon restrictions. I set the domain and forest functional level to Windows Server 2003 and left the Authentication Users group in Pre-Windows 2000 Compatible Access, the default Windows 2003 setting.

I installed Fedora Core 2 with the Workstation package options. During setup, I assigned a unique computer name of Fedora.company.com. Following the installation, I updated all packages using Yum, the Yellowdog Updater, Modified. (Other Linux flavors use different package managers.)

Initial Configuration
Regardless of Linux flavor, you'll work with the same elements when configuring AD authentication:

  • Name Service Switch (NSS): This is a set of capabilities built into the Linux C libraries that allow an application to select a source to validate authentication credentials.
  • Pluggable Authentication Modules (PAM): This extends the standard Unix password authentication mechanism to include central authentication databases such as LDAP, Kerberos, AD and so on.
  • Winbind with Samba: The winbind service uses Samba for configuration information. For AD interoperability, make sure your system is running a current version of Samba (3.05 or newer).
  • Kerberos: Winbind uses Kerberos to get tickets for accessing AD. A Windows domain controller acts as the Key Distribution Center (KDC).

To configure winbind in Fedora, launch the authconfig utility (see Figure 1) as superuser (root). Fedora has a GUI utility—system-config-authentication—but it doesn't make all the required configuration settings.

Figure 1. A Fedora authconfig utility showing the User Information screen.
Figure 1. A Fedora authconfig utility showing the User Information screen. (Click image to view larger version.)

Check the Use Winbind option, then click Next. The Winbind Settings screen opens (Figure 2.) Fill in the following settings (the entries you make in this screen aren't case sensitive):

  • Security Model: ADS
  • Domain: flat (NetBIOS) name for the domain (COMPANY)
  • Domain Controllers: Fully Qualified Domain Name (FQDN) for a domain controller (dc1.company.com)
  • ADS Realm: FQDN for the domain (company.com)
  • Template Shell: /bin/bash
Figure 2. If you use Samba, this is the Winbind Settings screen in authconfig.
Figure 2. If you use Samba, this is the Winbind Settings screen in authconfig. (Click image to view larger version.)

There's a Join Domain option, but don't select it. It might not work, and you won't get sufficient feedback to help resolve problems. For now, just click OK to save the changes you just entered.

When the authconfig window closes, the console window should show that winbind starts. If this fails, try starting the service manually with the following command:

/etc/init.d/winbind start

If winbind starts, it will appear on a ps process list like this:

# ps -A | grep winbind
3132 ? 00:00:00 winbindd
3133 ? 00:00:00 winbindd

If you get an error, search the Internet with the error message. It may take a while, but nearly always someone with a similar error will have posted a solution.

Configuration Files
Authconfig makes changes to three configuration files. Listings 1-3 show their contents, with comments and irrelevant information removed.

  • nsswitch (/etc/nsswitch.conf): The critical entries are passwd and group. Other Linux flavors don't bother assigning winbind to other services.
  • system-auth (/etc/pam.d/system-auth): PAM uses a stackable authentication scheme, and each element in the stack must be separately configured. Thankfully, authconfig does a good job of setting up system-auth. Otherwise, you have to do quite a bit of experimenting.
  • smb.conf (/etc/samba/smb.conf): The idmap entries are important because winbind uses them to maintain a correspondence between AD account names and the User IDs and Group IDs used by Linux. Fedora assigns a large range of potential IDs. Typically, other Linux flavors assign a range of 10000-20000.

Also, in smb.conf, note the home directory path inserted by authconfig, /home/%D/%U. A user, call him winuser1, from an AD domain, call it company.com, would get a home directory path of /home/COMPANY/ winuser1. Authconfig does not create the domain folder under /home. You must create it manually.

Joining an AD Domain
You can now join the Linux workstation to the AD domain using the Linux net command. Here's the syntax, with everything after the first line generated by net:

# net ads join -U administrator
administrator's password:
Using short domain name -- COMPANY
Joined 'FEDORA' to realm 'COMPANY.COM'

You'll see many different syntax examples for net ads if you browse the Internet. My example shows the bare minimum, which is all you really need.

Configure PAM
At this point, a Windows user trying to authenticate at the Linux desktop would get a series of errors because a local home directory isn't present. A PAM module—mkhomedir.so—automatically creates a home directory. To include this module as part of the login process, change two configuration files under /etc/pam.d (see Listings 4 and 5):

  • login: This file controls authentication from a console prompt.
  • gdm: This file controls login from a graphical screen.

Always make copies of the original files before changing PAM files. You can lock yourself out of a system if you aren't careful.

After changing the PAM files, restart the desktop. This is a quick way to ensure that authconfig made the correct boot settings for the required services.

At the login window following restart, Fedora prompts for a name. Enter the Windows account name in domain\user format, such as company\winuser1, then enter the password when prompted. (Other Linux flavors present a selection list of Windows accounts. The option to display a selection list is available in Fedora, but it is not the default setting.)

You can configure smb.conf so that you don't need to enter a domain name, which is fine if you have one AD domain but a little cumbersome if you have several.

At this point, when the login succeeds, you'll get an announcement about creating a home directory for the user. The permissions assigned to the home directory use the AD account of the user.

Rock On
If you can't get the steps to work, e-mail me with the particulars. This can be a finicky configuration, and you want to make sure you're in the right state of mind. During the testing I did for this column, I played Jeff Beck's album, You Had It Coming. I found track six, "Loose Cannon," especially good when setting PAM files. Give it a try. Redmond

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences. You can contact Bill about "Linux-Windows Single Sign-On" at boswell@101com.com.
More Information

Listing 1: nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files
aliases: files nisplus

Listing 2: smb.con

[global]
workgroup = COMPANY
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
security = ads
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
password server = w2k3-dc1.company.com w2k3-dc1.company.com
realm = COMPANY.COM

Listing 3: system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

Listing 4: gdm (PAM configuration file)

#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Listing 5: login (PAM configuration file)

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so multiple
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

More Columns

Lessons in Logic December 2008

Internet Impeded by ISA Server Firewall December 2008

Clustering and Rolling Upgrades (Exam 70-642) December 2008

A Fix for Database Orphans December 2008

The Great Recession? December 2008

Bionic Scheduled Task Reporting December 2008

Backup (Almost) Made Easy December 2008

2009: The Year of Windows 7? December 2008

Prof. Powershell: Get Smart and Get -Out November 2008

QuickTip: Next, Next, Repeat November 2008


...read COLUMNS ARCHIVE

Redmondmag.com reader comments for: Linux-Windows Single Sign-On

There are 67 reader comments.
PAGE 1 of 4
12/30/04 – Anonymous says: Hi, Something like a year ago I faced similair project. The outcome is quite different, though. 1. it was not AD but NT-domain authentication system. 2. among over 200 users there, only a fractions ever needed UNIX access (apart from server diskspace). 2-3 really required shell. A single-sing-on was do-able as you described above - with the only difference, that logins would be goverend by domain master brawser, not the AD - but I've chosen agains it. The reasons were: 1. I haven't found a consise info on safety of NT-domain cryptography... and if it's at least as secure as /etcshadow-SHA1. (I understand, that AD uses kerberos, so this securiti concern is not an issue there). 2. my domain users mainly needed e-mail access, so their careing for strong password selection is ... none. So, for me an article on MSW-UNIX single-sing-on would be of some help if: 1. it covered comparition of NT-domain (SAMBA-LDAP or cource) v.s. /etc/shadow password repository security. 2. it showed a way to allow users to 'upgrade' their access to cover full UNIX shell access, too - once they peeked a stronger password.
12/30/04 – gh3ng1s says: I have a much simpler solution - ditch AD and install Novell's eDirectory. It will install natively on both Windows and Linux and gives you a much simpler and far more robust method of managing all your accounts.
12/31/04 – Windows Admin from AZ says: Great article, but I don’t think a lot of everyday users are going to run out and try this on there desktop. I had been noticing a trend to use Linux (red hat) in large corporation in different roles where cost saving can be made. Most corporations have two I.T. divisions: Windows and UNIX team. The UNIX groups usually deploy and maintain Linux servers that are used to saving money over utilizing larger UNIX servers. My question is can the same principles be used on Linux servers? Applying Windows AD users/groups to Linux (red hat) servers for something like file server? Most IT security groups frown on Samba stating it’s not security for corporate use. Thx Windows Admin
12/31/04 – LadyNred from Canada says: I agree with gh3ng1s. If you really want interoperability with Windows, Linux, NetWare, Mac etc. Install eDirectory instead of AD. eDirectory plays nice with everyone.
12/31/04 – David Magda says: On the flip side, if you have a Unix-y back-end (e.g., NIS) and would like the minority Windows clients to log in you could try pGINA: http://pgina.xpasystems.com/
1/1/05 – Pete says: Thanks for the great article. I have been looking for an easy how-to like this for a while. I set it up on my FC3 box. When trying to login via ssh I can authenticate, but the home directory does not get created on the fly. I have modified the login and gdm files to include mkhomedir.so, do I need to edit something else for ssh logins?
1/1/05 – Pete says: Found the answer here: http://fedora.musc.edu Edit /etc/pam.d/system-auth and add the line: session optional /lib/security/$ISA/pam_mkhomedir.so Edit /etc/ssh/sshd_config and add the line: UsePrivilegeSeparation no
1/1/05 – Tim says: Or we could use something like this: http://www.vintela.com/products/vas Of course it costs money, but for a large corporation, it should work fine.
1/1/05 – Better Idea says: Ditch Linux and simply use Windows. No complicated configuration. No hassles.
1/2/05 – Even better idea says: Ditch Windows n Linux and simply use Mac OS X. No complicated configuration, No adware/malware/viruses, *Really* no hassles. :P
1/2/05 – sunburntkamel from chicago says: this article is a complete waste of everyone's time. "google for your error message"? that's so sloppy it's unbelievable you even got this thing posted. at least point people in the direction of the relevant config files. there are several very important config files that need to be modified, which you provide some examples of at the end, but don't explain when to modify them, where they are, or what they do. i've done this very thing with a SUSE workstation, and this article glosses over everything that was difficult about it. even from an FC3 perspective, you jump from topic to topic, without any clear outline or set of steps. it's this sort of weak writing that gives linux a bad name to the windows users an article like this would be helpful to.
1/2/05 – Greg says: Lighten up people. I don't see you providing links to your own meticulously written HOWTOs. This article was not intended for the Linux greenhorn. It takes a lot of time to put documentation together, especially when people require everything to be explicitly written out. I found the article very helpful. It will be an awesome jumping point for doing this myself. Not everyone has control over the directory services that are used by their employer, and Windows and OS X may not be an option for a number of reasons (price, software availability, system requirements, etc). And if you want to talk about over your head poor documentation please take a look at http://msdn.microsoft.com/library/ , it has all the information you could ever need for Microsoft products but it is by no means well organized and most topics have no examples. So quit wining and be a bit more thankful.
1/3/05 – Brainee says: Does this work for a laptop configuration as well? One of the main things about the early versions for Xandros were that "cached credentials" weren't working (you had to be connected to that network only) so it was useless for laptops because you'd always have one profile for outside and one for inside the building. Does this setup work when you aren't connected to the AD network, like Win2k or XP does?
1/3/05 – NixerX from Maine says: To Greg. Well said. Thank You, It would be nice if people would be more appreciative of this type of work. many people dont seem to realize that Linux is not windows so it will take some time to get used to ! Damn brats ( lol ) :P -Nx
1/3/05 – Tim from Herndon, VA says: One thing left out is that if you do this, then ANY windows account will be able to log into your Linux server. Adding lines like: account lib/security/$ISA/pam_succeed_if.so login = bgates to the pam.d/system_auth file would allow you to restrict users based on login. valid parameters to pam_succeed_if.so include 'login', 'gid', 'uid', 'shell', etc, allowing quite a range of flixibility with regards to limiting access to the unix servers from the windows users. -Tim
1/4/05 – Brett from Corvallis says: We've done this in a bit different way - we didn't use samba or winbind. Of course we're also running RedHat 9 or less. To help overcome the problem with every windoes user being able log into the Linux servers, we give the windows users almost no access what-so-ever. Then we assign windows groups to SUDOERS and give groups of people rights to do more advanced and specific tasks. -Brett
1/4/05 – Stephen from Corvallis says: Hi Brett. Perhaps you could post a short article on the MWVLUG website or talk about it in tonight's meeting?
1/4/05 – Anonymous says: How about SFU (free) from Microsoft, making the AD DC's act as NIS servers as well for *nix hosts? Or is that way too old and insecure?
FIRST PAGE   NEXT PAGE   LAST PAGE

Add your comment here:
Name: (optional)Location: (optional)E-mail Address: (optional)
If you would like your comments to be considered for print in the Redmond magazine Letters page, please check here and be sure to include your name, location and e-mail address.
 
Microsoft Unified Communications Virtual Conference and Trade Show: Wednesday, May 21
Watch Free Webcast: Optimize Your VMware Infrastructure with the New Releases from the Symantec Backup Exec Family


TOP
Home | Subscribe/Renew | About Us | Contact Us | Contributors | 2008 Media Kit | Tech Library | RSS Feeds  RSS Feeds from redmondmag.com
Issue Archive | Columns | Current Issue | Features | Forums | News | Tech Library | Tech Portals | Tech Library Webcasts
Press Releases | Product Reviews | Redmond Radio | Salary Surveys | Search | Site Map
For reprint information, click here.
Application Development Trends | Campus Technology | CertCities.com | The Data Warehousing Institute
E-Gov | EduHound | ENTmag.com | Enterprise Systems | Federal Computer Week | Government Health IT |IT Compliance Institute
MCPmag.com | Recharger | Redmond Channel Partner | Redmond Developer News | Redmond Report | Redmond Events
TCPmag.com | T.H.E. Journal | TechMentor Conferences | Virtualization Review | Visual Studio Magazine | VSLive!
Redmond magazine. Get a free subscription.
Copyright 1996-2008 1105 Media, Inc. See our Privacy Policy.
1105 Redmond Media Group
.