linux & active directory authentication

Recently I have had the pleasure to work with Microsoft active directory. The goal is to get CentOS 4.4 to authenticate from active directory for ssh/mail/telnet etc. Below is a quick “howto” of sorts that deals with setting up the Linux side to authenticate from active directory.

Much to my surprise I found this process really simple and pretty effective. I’ve collected some thoughts as to the advantages and disadvantages of using Kerberos on the Linux side to connect to Active Directory.

Advantages:
1. Streamlined authentication process
2. Easy maintenance (two config files)
3. Fall back to /etc/passwd
4. Apache has a krb5/ldap module to do authentication that works against AD
5. No need for LDAP or two/one way syncing
6. Simple maintenance and setup

Disadvantages:
1. Requires user to be in /etc/passwd (no password needed)
2. User shell/uid/gid are maintained from the Unix side
3. If a user is removed from AD the user will need to be removed from the Linux side as well

Implementation is rather simple and below are the changes I made to the Linux side so I could authenticate linux users from active directory, change passwords from the Linux side and update them in active directory.

Installed software (CentOS 4.4); if you are using another distro, package names may vary.

krb5-libs-1.3.4-46
krb5-auth-dialog-0.2-1
krbafs-1.2.2-6
krb5-workstation-1.3.4-46
pam_krb5-2.1.8-1

Next you will want to edit the /etc/krb5.conf file; please note YOURDOMAIN.COM is the realm you are using in your Active Directory setup.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = YOURDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
YOURDOMAIN.COM = {
kdc = YOURACTIVEDIRECTORYSERVER.COM:88
default_domain = YOURDOMAIN.COM
kpasswd_server = YOURACTIVEDIRECTORYSERVER.COM
}

[domain_realm]
YOURDOMAIN.COM = YOURDOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
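A small checker for the file above, added here as an example and not part of the original post. It reads a krb5.conf in the `key = value` layout shown above and flags the mistakes that most often make an AD realm unusable: a lower-case realm name (Kerberos realms are case-sensitive and AD realms are upper-case), `dns_lookup_kdc = false` with no explicit `kdc =` entry, a missing `kpasswd_server` (which is what lets password changes made on Linux reach AD), and template placeholders left unedited. The sample files, and the names EXAMPLE.COM and dc1.example.com, are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a krb5.conf written
# for an Active Directory realm. Realm and host names below are constructed.

# cfg_get FILE SECTION KEY: print the first "KEY = value" found inside [SECTION].
# Lines inside a realm's { } block still count as part of [realms].
cfg_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/\[|\]|[[:space:]]/, "", s); cur = s; next }
        cur == sec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# krb5_check FILE: print each problem found and return the number of problems.
krb5_check() {
    f="$1"; problems=0
    realm=$(cfg_get "$f" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "no default_realm in [libdefaults]"; problems=$((problems + 1))
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        # Realm names are case-sensitive; a lower-case realm does not match AD.
        echo "default_realm '$realm' is not upper-case"; problems=$((problems + 1))
    fi
    # With dns_lookup_kdc = false the library cannot discover the KDC by itself,
    # so the realm needs an explicit kdc = entry (the [logging] kdc line does not count).
    if [ "$(cfg_get "$f" libdefaults dns_lookup_kdc)" = "false" ] \
        && [ -z "$(cfg_get "$f" realms kdc)" ]; then
        echo "dns_lookup_kdc is false but [realms] has no kdc = entry"; problems=$((problems + 1))
    fi
    # kpasswd_server is what lets passwd(1) via pam_krb5 push password changes to AD.
    if [ -z "$(cfg_get "$f" realms kpasswd_server)" ]; then
        echo "no kpasswd_server: password changes made on Linux will not reach AD"; problems=$((problems + 1))
    fi
    # A template placeholder left in place means the file was never actually edited.
    if grep -Eq 'YOURDOMAIN|YOURACTIVEDIRECTORYSERVER' "$f"; then
        echo "template placeholder still present"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files (EXAMPLE.COM and dc1.example.com are made-up names).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
GOOD_CONF="$tmp/good.conf"; BAD_CONF="$tmp/bad.conf"
cat > "$GOOD_CONF" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
EXAMPLE.COM = {
kdc = dc1.example.com:88
default_domain = example.com
kpasswd_server = dc1.example.com
}
EOF
# Broken variant: lower-case realm, no kdc under [realms], no kpasswd_server.
cat > "$BAD_CONF" <<'EOF'
[logging]
kdc = FILE:/var/log/krb5kdc.log

[libdefaults]
default_realm = example.com
dns_lookup_kdc = false

[realms]
example.com = {
default_domain = example.com
}
EOF

krb5_check "$GOOD_CONF" && echo "good.conf: no problems"
krb5_check "$BAD_CONF" || echo "bad.conf: $? problem(s)"
```

Run it against the real /etc/krb5.conf by passing that path to `krb5_check`; a non-zero return is the count of problems printed.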

Next you will want to edit /etc/pam.d/system-auth to include the Kerberos PAM modules; the easiest way to achieve this is by running “authconfig” from the command prompt. If you are using an OS other than CentOS 4.4, the lines to add are shown below.

auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
session optional /lib/security/$ISA/pam_krb5.so
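The placement of those four lines matters as much as their content, so here is an added check (example code, not from the original post) for a system-auth file. `use_first_pass` means pam_krb5 never prompts, so its auth line must come after a module that already collected the password (pam_unix in the authconfig layout); `user_unknown=ignore` on the account line is what keeps root and other local-only accounts usable; and pam_unix staying in the auth stack is the /etc/passwd fallback listed under the advantages. The sample files are constructed, modelled on what authconfig writes on CentOS 4.

```shell
#!/bin/sh
# Added example (not from the original post): check that the pam_krb5 lines in a
# system-auth file are placed so that AD users and local users both keep working.
# Sample files are constructed, modelled on authconfig output on CentOS 4.

# pam_check FILE: print each problem and return the number of problems.
pam_check() {
    f="$1"; problems=0
    # use_first_pass never prompts; pam_krb5 must follow a module that did (pam_unix).
    # Placed first, pam_krb5 receives no password and fails for every AD user.
    awk '$1 == "auth" && /pam_unix\.so/ { unix_seen = 1 }
         $1 == "auth" && /pam_krb5\.so/ && /use_first_pass/ && !unix_seen { exit 1 }' "$f" \
        || { echo "auth: pam_krb5 use_first_pass precedes pam_unix, so it never receives a password"; problems=$((problems + 1)); }
    # Without pam_krb5 in the auth stack nothing ever talks to AD.
    awk '$1 == "auth" && /pam_krb5\.so/ { found = 1 } END { exit !found }' "$f" \
        || { echo "auth: no pam_krb5 line, AD authentication is not wired in"; problems=$((problems + 1)); }
    # pam_unix in the auth stack is the /etc/passwd fallback (root, service users).
    awk '$1 == "auth" && /pam_unix\.so/ { found = 1 } END { exit !found }' "$f" \
        || { echo "auth: no pam_unix line, local fallback is gone"; problems=$((problems + 1)); }
    # user_unknown=ignore stops AD from rejecting accounts that exist only locally.
    grep -E '^[[:space:]]*account.*pam_krb5\.so' "$f" | grep -q 'user_unknown=ignore' \
        || { echo "account: pam_krb5 lacks user_unknown=ignore, local-only users will be rejected"; problems=$((problems + 1)); }
    return "$problems"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
GOOD_PAM="$tmp/system-auth.good"; BAD_PAM="$tmp/system-auth.bad"
cat > "$GOOD_PAM" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
EOF
# Broken variant: pam_krb5 placed before pam_unix, and user_unknown=ignore dropped.
cat > "$BAD_PAM" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok] /lib/security/$ISA/pam_krb5.so
EOF

pam_check "$GOOD_PAM" && echo "good: no problems"
pam_check "$BAD_PAM" || echo "bad: $? problem(s)"
```

Because pam_unix is `sufficient` and runs first, a user whose local shadow entry holds a real hash is accepted there and pam_krb5 is never consulted; that is the bypass the post describes under “Additional information”, and it is why freshly added accounts should keep the locked password useradd gives them.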

Additional information:
Users must be present in the /etc/passwd file in order to authenticate via Active Directory. A simple “useradd username” will do just fine. There is no need to set a password, as it will be retrieved from Active Directory. If you do wish to set a password for the Linux user you may; the user can then bypass Active Directory and authenticate with that local password, so the two passwords must be different.
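Two consequences follow from the paragraphs above and the disadvantages listed earlier: a local account that has been given a real password authenticates against pam_unix and never reaches AD, and a user removed from AD keeps a working local account until someone removes it by hand. The following audit is an added example, not part of the original post; it runs against constructed /etc/passwd and /etc/shadow samples and assumes the list of AD accounts is available as a one-name-per-line file (how that list is obtained is left to the AD side).

```shell
#!/bin/sh
# Added example (not from the original post): audit the local accounts that back
# AD users. Checks two things the text warns about, using constructed passwd,
# shadow and AD-export samples: local users holding a usable password hash (they
# authenticate via pam_unix and never reach AD) and local users no longer in AD.

# local_password_users PASSWD SHADOW MIN_UID: users with uid >= MIN_UID whose shadow
# entry holds a usable hash rather than the "!!", "!" or "*" a fresh useradd leaves.
local_password_users() {
    awk -F: -v min="$3" '
        NR == FNR { if ($3 + 0 >= min) want[$1] = 1; next }     # pass 1: passwd
        ($1 in want) && $2 != "" && $2 !~ /^[!*]/ { print $1 }  # pass 2: shadow
    ' "$1" "$2"
}

# stale_local_users PASSWD AD_LIST MIN_UID: users with uid >= MIN_UID that have no
# matching name in the AD export, i.e. leftovers after someone was removed from AD.
stale_local_users() {
    awk -F: -v min="$3" '
        NR == FNR { ad[$1] = 1; next }                # pass 1: AD export, one name per line
        $3 + 0 >= min && !($1 in ad) { print $1 }     # pass 2: passwd
    ' "$2" "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
PASSWD="$tmp/passwd"; SHADOW="$tmp/shadow"; AD_LIST="$tmp/ad-users"
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
EOF
# alice: created with "useradd alice" and never given a local password ("!!"), AD only.
# bob:   a local password was set with passwd, so pam_unix accepts it before pam_krb5 runs.
# carol: locked with "passwd -l", leading "!". All hash values below are made up.
cat > "$SHADOW" <<'EOF'
root:$1$madeup01$aaaaaaaaaaaaaaaaaaaaaa:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
alice:!!:13000:0:99999:7:::
bob:$1$madeup02$bbbbbbbbbbbbbbbbbbbbbb:13000:0:99999:7:::
carol:!$1$madeup03$cccccccccccccccccccccc:13000:0:99999:7:::
EOF
printf 'alice\nbob\n' > "$AD_LIST"   # carol has since been removed from AD

echo "local password set, AD bypassed: $(local_password_users "$PASSWD" "$SHADOW" 500)"
echo "no longer present in AD:         $(stale_local_users "$PASSWD" "$AD_LIST" 500)"
```

On a real host, pass /etc/passwd, /etc/shadow (readable by root only) and the exported AD list; MIN_UID 500 is the first regular-user uid on CentOS 4, and lowering it to 0 also reports root, which is expected to keep a local password.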

I hope this helps, your mileage may vary. :)

Comments

  1. alex says:

    Like it or lump it, Microsoft’s Active Directory is a very popular network directory, and thus, management system. It’s been possible to use AD for Linux, but it was never easy. Now, Likewise Software, formerly Centeris, a leader in mixing and matching Windows and Linux network solutions, has announced the first open-source release, version 4.0, of its cross-platform authentication software: Likewise Open.

  2. Chad says:

    What is up, good web-site. I adore your style. I recently finished cosmetic school and would like to launch my website. Thanks for the wonderful post!
