Single-Sign-On with Active Directory HOWTO
I have seen several single sign on guides on the internet, but not one seems to do the job.
This HOWTO article outlines the necessary steps for you to configure Active Directory and your Linux clients so that single sign on works successfully.’, ‘
Single Sign-On Solution
### UPDATE 26/10/2006: This is now confirmed to work on FC6. It is not necessary to roll-back to a previous version of nss_ldap. The supplied version, 253-1, works flawlessly.
This article covers the necessary steps needed in order to provide authentication against Microsoft Active Directory to Linux workstations running Fedora Core 4 & 5.
Microsofts Active Directory uses two forms of authentication, LDAP and kerberos. Thus,this guide explains how to confgiure both.Automatic mapping of network drives (or in Linux terms, auto-mounting) is also explained in this howto, so if users have roaming folders, they can follow them even to a Linux workstation, seemlessly.Remote administration is catered for (and discussed in this howto) in the form of \’x11vnc\’ which runs silently in the background and allows acces via a VNC viewer and password.By no means does this guide attempt to be a complete administartion guide to Linux systems, a nor does it address security other than SSL encryption of LDAP data.Gconf-editor, a systems policy editor, is also discussed in this article. Windows administrators will instantly feel familiar with is ‘regedit’ like approach to system settings. Settings such as background images, screensaver and font rendering sizes can be locked down to prevent your users from tampering with your workstations.Finally, you will need an active internet connection on your workstations in order to complete the configuration, unless files are downloaded and installed via ‘rpm’ instaed of ‘yum.’
Windows Preparation
First, if you are using Microsoft Windows Server 2000 / 2003 Release 1 you need to install Microsoft Services For Unix (SFU) on your domain controllers, and set the remote name mapping server as your primary domain controller. If you are running Windows Server 2003 Release 2 (R2) this is unnecessary.SFU needs to be installed on all Domain Controllers’s (pre- Server 2003 R2) in domains that have UNIX users to-be in them.
Next in the Default Domain Policy and Default Domain Controller Policy set these options:
Under Computer Settings > Windows > Security >
Microsoft Network Server: Digitally Sign Communications (Always) – Disabled
Microsoft Network Server: Digitally Sign Communications (If Client Agrees) – Disabled
Microsoft Network Client: Digitally Sign Communications (Always) – Disabled
Microsoft Network Client: Digitally Sign Communications (If Server Agrees) – Disabled
Run gpupdate /force on 2003 machines and secedit /refreshpolicy machhine_policy /enforce on Server 2000 machines.
Next, authenticated and anonymous searches need to be allowed on the AD;Run AD users and computers, rt-click top-level of Directory>
Delegate Control > Next > Add > Select Anonymous Logon, Authenticated Users and Everyone.> Next > “Create Custom Task to Delegate” > NextSelect “Read” and “Read All Properties” > Next > Finish
Now one thing you must take note of at this point is that I have setup an Certificate Authority (CA) on our domain, thus I will ensure that all LDAP data is encrypted using SSL. I strongly reccomend you do the same as otherwise passwords are sent in clear text. This guide reflects the presence of SSL certficates on the Domain Controllers and the certificate installation to the Linux box is covered in this guide.We now need to make a UNIX / POSIX compliant user in AD
Firstly ensure that the user login account has no capital letters in the user name, and that the ‘cn’ of the user has no capital letters either. If this is not done the user will be unable to access floppy disks, cdrom’s and usb drives.
You’ll notice that under the properties of a user account or group there is now “UNIX Attributes”.First, select the properties of a Windows AD group and Assign it UNIX attributes. This will include a Group ID (GID) and an NIS domain.Next select an AD User account and amend its UNIX Attributes, ensure that its GID is the same as the GID you created on the above group.Make the UNIX home drive something like /home/YOURDOMAININCAPS/username (make sure there are NO spaces in the home directory If this is not done gnome will not function correctly.)Then go back to the UNIX group you modified and add the above user as a member of this group.Next we create a user account in AD to use as the LDAP bind account. This account will be used by your LDAP client to search your Active Directory for user information, such as group memberships.
It is worth noting that Active Directory group membership has no influence under Linux. Thus if you are a member of the Domain Administrators group in Active Directory, as far as Linux is concerned you are merely a normal, restricted, user.For my LDAP bind accoutn I created a user called ‘dirsearch’ and a password of my choice.If network printers are to be used which are installed on servers running Windows Server operating systems, ensure you install Print Services for Unix on your print server, this is a free addition to Windows Server and can be installed via Add/Remove Programs > Windows Components. The process is simple, and will allow all configured printers to be utilised by your UNIX / LINUX users.If you want to provide Microsoft Exchange functionality to your users you can use Evolution which is included with Fedora Core 4 & 5. An additional component must be installed, the evolution connector. Also, it is necessary to enable Outlook Web Access for the users that will utilise EvolutionNow we are now ready to move on to Linux Configuration…
Linux Configuration
With FC4, FC5 and FC6 Ensure SELinux is disabled
We have to configure kerberos and LDAP on each Linux client in order for single-sign authentication on to function properly.First, log in as root and bring up a terminal.
Type: yum install openssl-devel
Wait for this to run through, it will take around 5 minutes on a broadband connection to find, download and install these packages.
A quick LDAP authentication fix for Fedora Core 5
The version of nss_ldap shipped with FC5 is faulty. Therefore we need to downgrade it to the version shipped with FC4. This process is very simple and takes a few seconds to complete.First download the following files:compat-openldap-2.3.19_2.2.29-4.i386.rpmnss_ldap-234-4.i386.rpmThen run the following commands as ‘root’
yum remove -y nss_ldap-249-1
rpm -ivh compat-openldap-2.3.19_2.2.29-4.i386.rpmrpm -ivh nss_ldap-234-4.i386.rpm
We are now ready to proceed on to configuring the authentication methods needed for Active Directory.
Kerberos Authentication
/etc/krb5.conf
Your finished krb5.conf file should look similar to this:
[libdefaults]
default_realm = YOURDOMAIN.COM
ticket_lifetime = 24h
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
YOURDOMAIN.COM = { kdc = dc1.yourdomain.com:88 kdc = dc2.yourdomain.com:88 admin_server = dc1.yourdomain.com:749 }
[domain_realm]
.yourdomain.com = YOURDOMAIN.COM yourdomain.com = YOURDOMAIN.COM
With this saved the command kinit retail should display:Password for [email protected] the password for the user and hit enter. Then enter the command klist. There should now be a kerberos ticket for [email protected] If there is not check your config file before we move on.
LDAP Authentication
First we need to edit the LDAP authentication files:
/etc/ldap.conf:
#Stay away from spaces, LDAP does not like them.
# Your LDAP server. Must be resolvable without using LDAP.
# Another way to specify your LDAP server is to provide an# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server
# debug use this to determine errors
debug 1
host dc1.yourdomain.com dc2.yourdomain.combase dc=yourdomain,dc=com
# bindn is the name of the user you created at the beginning of this article to search your AD.
# bindpw is the password for that user
binddn cn=dirsearch,cn=Users,dc=yourdomain,dc=com
bindpw dirsearch
port 389
timelimit 30
## next two lines for SSL setups only
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/adcert.pemscope sub
#Active Directory Mappings as stated by Microsoft
pam_password ad
nss_base_passwd dc=yourdomain,dc=com
subnss_base_shadow dc=yourdomain,dc=com
subnss_base_group dc=yourdomain,dc=com
subpam_login_attribute sAMAccountName
pam_member_attribute msSFU30PosixMember
pam_filter objectclass=User
# pam_groupdn enables you to limit access to this machine to a certain AD group, in this case
# the group is called LinuxUsers
pam_groupdn cn=LinuxUsers,ou=LinuxUsers,dc=yourdomain,dc=com
# Update Active Directory password, by creating Unicode password
# and updating unicodePwd
attribute.nss_map_objectclass posixAccount
Usernss_map_objectclass shadowAccount
Usernss_map_objectclass posixGroup
Groupnss_map_attribute uid
sAMAccountNamenss_map_attribute uidNumber
msSFU30UidNumbernss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountNamenss_map_attribute uniqueMember
membernss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
#SSL setup only
tls_cacertdir /etc/openldap/cacerts
/etc/openldap/ldap.conf:
# LDAP Defaults
#debug 1
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
BASE dc=yourdomain,dc=news
#HOST dc1.yourdomain.com dc2.yourdomain.com
# use LDAPS only in an SSL enviroment
URI ldap://dc1.yourdomain.com ldaps://dc1.yourdomain.com ldap://dc2.yourdomain.com ldaps://dc2.yourdomain.com
# Next two lines for SSL setups only
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
HOST dc1.yourdomain.com dc2.yourdomain.com
Now copy your active directory domain controller certificate, which is obtainable from your CA server (i.e http://10.0.0.22/certsrv) across to /etc/openldap/cacerts. If your certificate is self-signed (i.e from your own windows certificate server) you will need to convert it to \’.pem\’ format using the following command:
openssl x509 -in certnew.cer -inform DER -out adcert.pem -outform PEM
Now we are ready to enable the authentication methods described above, run the command:
authconfig –enablekrb5 –enableldap –enableldapauth –updateall
Automatic Home Directory Creation
Now in order for our login system to function correctly we must edit /etc/pam.d/gdm and /etc/pam.d/login to call pam_mkhomedir, a library that is installed by default with your FC5 setup.
/etc/pam.d/gdm:
#%PAM-1.0
auth required pam_env.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auths
ession include system-auth
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session required pam_loginuid.so
session optional pam_console.so
/etc/pam.d/login:
#%PAM-1.0
auth required pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rulesession required pam_selinux.so closesession include system-authsession required pam_loginuid.sosession optional pam_console.sosession required pam_mkhomedir.so skel=/etc/skel umask=0077
#pam_selinux.so open should be the last session rule
session required pam_selinux.so open
With pam_mkhomedir.so configured all POSIX configured Active Directory user should now be able to login to your linux box.
Auto-mount network share on user logon
With this done we now need to install pam_mount, in order to mount user network shares / home drives on our domain. This is useful if your users have re-directed My Documents folders etc.
yum –enablerepo=extras-development install pam_mount
Next we need to configure pam_mount using the file /etc/security/pam_mount.conf.
Some examples of shares that will be mounted are below:
volume * cifs shed.yourdomain.com & /home/YOURDOMAIN.COM/&/MyDocs user=&,uid=&,dir_mode=0700,workgroup=YOURDOMAIN.COM – -volume * cifs filesrv1.yourdomain.com & /home/YOURDOMAIN.COM/&/MyDocs user=&,uid=&,dir_mode=0700,workgroup=YOURDOMAIN.COM – -We must call pam_mount during the login process, thus we need to edit /etc/pam.d/system-auth.
Add the lines in bold to
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth requisite pam_mount.so
auth required pam_env.so
auth sufficient pam_unix.so nulloktry_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_mount.so shadow md5 use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.sosession optional pam_ldap.so
session optional pam_mount.so
Now try and login to a tty session using a Windows Domain User name and password, you\’ll it works a treat!
Configuration of evolution
Evolution is the Gnome Email Client, there is a connector which allows it to connect to an Exchange Server via WebDAV.First we need to install the evolution connector:yum install evolution-connectorThen run “Email” from the menu bar at the top of the screen or from >Applications>Internet>Email.Configuration is simple from this point. Select Server type as Microsoft Exchange.Enter the OWA url as:https://yourexchangeserver/exchangeEnter username as:username – (ie no domain prefix)
Configuration of x11vnc
x11vnc is a vncserver for Linux which allows the remote user to view the active X session (session \’:0\’) and therefore provide remote support to users interactively. Fisrt download the x11vnc rpm file from herex11vnc is a VNC server that allows access to display :0.To install use the command:rpm -ivh x11vnc-0.7.2-1.2.el4.rf.i386.rpmThis then needs to be configure for startup.
First edit /etc/gdm/Init/Default. All we need to do is add a single line at the top of this file:
#!/bin/sh
# Stolen from the debian kdm setup, aren\’t I sneaky
#Plus a lot of fun stuff added
# -George
/usr/bin/x11vnc -rfbauth /home/.vncpasswd -forever -bg
Now we have to edit
/etc/gdm/custom.conf.
This file will have very little in it other than a few headers.
Under “ [daemon] “ we need to add the following line:
KillInitClients=false
Lastly, save the file, and from the command line run the command:
gdmflexiserver -command=”UPDATE_CONFIG daemon/KillInitClients”
Reboot the client and see if you can connect and login remotely using VNC. If you can log in but then the VNC window closes run the gdmflexiserver -command=”UPDATE_CONFIG daemon/KillInitClients” command again.
Next run the command:vncpasswd
Enter your chosen vnc password that will be used by x11vnc.Now copy the encrypted password file:cp ~/.vnc/passwd /home/.vncpasswd
x11vnc will now load at startup requiring the password you set.
Adobe Acrobat Reader
First we must install the necessary dependencies:yum install compat-libstdc++-33.i386 openldap-develNow you need to obtain the latest adobe reader, available here
Then use the command:
rpm -ivh AdobeReader_enu-7.0.5-1.i386.rpm
Next we must install the adobe plugin so that web broswer can view pdf files.
cd /usr/lib/mozilla/plugins
ln -s /usr/local/Adobe/Acrobat7/Browser/intellinux/nppdf.so
Macromedia Flash Installer
First we must install the flash plugin available from http://macromedia.mplug.org/index.html\
rpm -ivh flash-plugin-7.0.63-1.i386.rpm
Then run the following commands:mkdir -p /usr/X11R6/lib/X11/fs/ln -s /etc/X11/fs/config /usr/X11R6/lib/X11/fs/config
Sophos Anti-Virus Configuration
This is only applicable if your site has a sophos enterprise license.First we need to make a folder on the linuxclient to mount the sophos network share for automatic hourly updates.mkdir /mnt/sophosavas we need to have the updates available for the installation process we need to use this command:mount -t cifs //camb-sophos/InterChk/ /mnt/sophosav -o user=sophosav,workgroup=YOURDOMAIN.COMcopy the savlinux folder from //camb-sophos/InterChk/ to your desktop on the linuxclient.Enter that directory and run the command:./mkinstpkg.shAccept the licence agreement and leave the installation directory as the default (/opt/sophos-av).For the username and password use sophosav / sophos123Set the update path as /mnt/sophosav/savlinuxSelect no for on-access scanning.This will create a new package for installation named savinstpkg.tgzCopy this file to the desktop and unzip it:cp savinstpkg.tgz ..tar -zxvf savinstpkg.tgzEnter the new directory sophos-av and run the command ./install.shNext we will create a daily scan.Creat a new file called sav_scan the contents of which should be:/opt/sophos-av/bin/savupdate/opt/sophos-av/bin/savscan / -p=/opt/sophos-av/scan.logThis file should be copied to /opt/sophos-av/ and have the following permissions set:chmod 700 /opt/sophos-av/sav_scanNext we will edit /etc/crontab by adding the following line to the bottom:01 0 * * * root /opt/sophos-av/sav_scanThis will make a scan happen at 00:01 everyday.Finally we must creat an fstab entry to ensure the sophos update folder is available after a reboot. Add the following line to the bootom of /etc/fstab//camb-sophos/InterChk /mnt/sophosav cifs ro,auto,user=unixldap,pass=unixldap,workgroup=YOURDOMAIN.COM 0 0
Citrix ICA Client
First download the CitrixICA client from here (direct file link >here<)rpm -ivh –nodeps ICAClient-9.0-1.i386.rmpThen copy libXm.so.3.0.2 to /usr/lib (file libXm.so.3.0.2 available >here<)Finally use the command:ln -s /usr/lib/libXm.so.3.0.2 /usr/lib/linXm.so.3You will now be able to access the ICS client under Applications>Internet>CitrixICA Client
Printer Configuration
First ensure the latest print drivers are installed on the print server.Then go to System>Administration>PrintingClick newQueue type should be selected as Unix (LPD)Select SpecifyServer : servernameQueue: printer share nameSet A4 paper size.Click next, then select the correct printer type and model.Click finish.
Install terminal services client:
TSClient is a fully functioning Terminal Services client that will allow your users to access Microsoft Terminal Server applications and desktops.yum install tsclientA shortcut will appear under Applications > InternetFor this to work the user must be a member of the remote desktop users group on the server they are to connect to.
Extras (FC5 only)
We need to update the kernel, compilers, openoffice and firefox:
yum update kernel kernel-devel gcc gcc-c++ firefox openoffice* xorg-x11* nautilus pam vnc
Then reboot.Next remove the old kernel version:
yum remove kernel-2.6.15-1.2054_FC5
********note for smp kernels (multi core):************
to update kernel use:yum update kernel-smpto remove old kernel use:
yum remove kernel-smp-2.6.15-1.2054_FC5
******** end note ***********
If a newer kernel is installed and you are uncertain of the version number use the command:
rpm -qa | grep kernel*
Install the gconf-editor to lockdown system settings
yum install gconf-editor
As root user run gconf-editor. This needs to be run as root in order to lockdown the settings for normal users.For example, in order to lock down the background:Go to Desktop > Gnome > BackgroundSelect picture_filename and enter /home/wallpaper.jpg click OK.Then right-click this value, select \’Set As Default\’ right click again, select \’Set As Mandatory\’Right-click picture_options, select \’Set As Default\’ right click again, select \’Set As Mandatory\’ ensure this value is set as stretched.Finally we shall configure gnome to use the file browser as the default viewer over a single folder window solution. Go to Apps > Nautilus > Preferences, tick \’Always User Browser\’ Right-click always_use_browser select \’Set As Default\’ right click again, select \’Set As Mandatory\’ We can also select the default theme under preferences, select the value \’Blue Curve\’. Right-click theme select \’Set As Default\’ right click again, select \’Set As Mandatory\’ Screen saver options can also be set under Apps > gnome_Screensaver.
Disable services:As root user run these commands:/sbin/chkconfig –level 2345 bluetooth off/sbin/chkconfig –level 2345 isdn off/sbin/chkconfig –level 2345 mdmonitor off/sbin/chkconfig –level 2345 sav_web offJob done, you\’ll find that any user who has POSX attributes defined in AD and who is a member of the linuxusers group is able to log into these machines.