How to integrate SUSE Linux Enterprise 11 with Windows Active Directory

February 1, 2012 — 22 Comments

Getting SUSE Linux Enterprise integrated with Microsoft Active Directory is much easier than it sounds.

There are a few prerequisites to meet before starting:

  • Samba client must be installed.
  • Packages samba-winbind and krb5-client must be installed.
  • The primary DNS server must be the Domain Controller.

For this task we will use YaST2, the SUSE configuration tool.

YaST2 can be run either in graphical…

[Screenshot: YaST2 Control Center]

…or in text mode.

[Screenshot: YaST2 in text mode]

I decided to use the text mode since it will be by far the most common use case; in any case, the procedure is exactly the same in both.

Go to the Network Services section and then select Windows Domain Membership. The Windows Domain Membership configuration screen will appear.

In the Membership area enter the domain name and configure the options that best suit your environment, including the other sections of the screen.

[Screenshot: Windows Domain Membership configuration]

I configured it to allow SSH single sign-on (more on this later) and to create a home directory for each user on first login.

You should also take the NTP configuration into account, since time synchronisation is a critical component of Active Directory authentication: Kerberos rejects requests whose timestamp differs from the Domain Controller's clock by more than the allowed skew (300 seconds, as set by clockskew in the krb5.conf shown below).

Select OK to acknowledge your selection and a small pop-up will inform you that the host is not part of the domain and ask whether you want to join it.

[Screenshot: domain join confirmation]

Next you must enter the password of the domain Administrator.

[Screenshot: domain Administrator password prompt]

And YaST will finally confirm the success of the operation.

[Screenshot: domain joined successfully]

At this point the basic configuration is done and the server should be integrated into the Windows Domain.

Under the hood this process has modified several configuration files in order to get the system ready to authenticate against Active Directory:

  • smb.conf
  • krb5.conf
  • nsswitch.conf

smb.conf

The first is the configuration file for the Samba service. As you should know, Samba is an open source implementation of the Windows SMB/CIFS protocol; it allows Unix systems to integrate almost transparently into a Windows Domain infrastructure and also provides file and print services for Windows clients.

The file resides in /etc/samba. Take a look at the contents of the file; the relevant part is the global section.

[global]
        workgroup = VJLAB
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = VJLAB.LOCAL
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind refresh tickets = yes

krb5.conf

krb5.conf is the Kerberos configuration file; it contains the information the Kerberos library needs (default realm, KDC, allowed clock skew and ticket options).

jreypo@sles11-01:/etc> cat krb5.conf
[libdefaults]
        default_realm = VJLAB.LOCAL
        clockskew = 300
[realms]
        VJLAB.LOCAL = {
                kdc = dc.vjlab.local
                default_domain = vjlab.local
                admin_server = dc.vjlab.local
        }
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .vjlab.local = VJLAB.LOCAL
[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                minimum_uid = 1
        }
jreypo@sles11-01:/etc>

nsswitch.conf

The nsswitch.conf file, as stated by its man page, is the System Databases and Name Service Switch configuration file. Basically it lists the databases the system consults for user and group information when a user tries to log into the server.

Have a quick look at the file and you will notice the two fields that changed: passwd and group. In both, the winbind option has been added to tell the system to use Winbind, the daemon that resolves user and group information from the Windows domain.

passwd: compat winbind
group:  compat winbind

SSH single sign-on

Finally we need to test the SSH connection to the host using a user account of the domain. When asked for the login credentials, use the DOMAIN\USER form for the user name.

[Screenshot: SSH authentication with a domain account]

This kind of integration is very useful, especially for bigger shops, because you don't have to maintain the user list of your SLES servers individually, only the root account, since the other accounts can be centrally managed from the Windows Domain.

However, there is one issue to take into account: SSH single sign-on means that anyone with a domain account can log into your Linux servers, and we don't want that.

To prevent this potentially dangerous situation we are going to limit access to only those groups of users that really need it. I'm going to use the Domain Admins group to show you how.

First we need to look up the Domain Admins group ID on our Linux box. Log in as DOMAIN\Administrator and use the id command to get the user info.

VJLAB\administrator@sles11-01:~> id
uid=10000(VJLAB\administrator) gid=10000(VJLAB\domain users) groups=10000(VJLAB\domain users),10001(VJLAB\schema admins),10002(VJLAB\domain admins),10003(VJLAB\enterprise admins),10004(VJLAB\group policy creator owners)
VJLAB\administrator@sles11-01:~>

There are several group IDs; for our purposes we need the one for VJLAB\domain admins, which is 10002.

You may be asking yourself: but the GID is 10000, not 10002? Yes, you are right, and because of that we need to make some changes at the Domain Controller level.

Fire up Server Manager and go to Roles –> Active Directory Domain Services –> Active Directory Users and Computers –> DOMAIN –> Users.

[Screenshot: Server Manager]

On the right pane edit the properties of the account you want to be able to access the Linux server via SSH. In my case I used my own account, juanma. In the Member Of tab select the Domain Admins group and click Set Primary Group.

[Screenshot: Member Of tab]

Now we need to modify how PAM handles the authentication. Go back to SLES and edit /etc/pam.d/sshd.

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session

Delete the account line and add the following two lines.

account  sufficient     pam_localuser.so
account  sufficient     pam_succeed_if.so gid = 10002

The sshd file should look like this:

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
account  sufficient     pam_localuser.so
account  sufficient     pam_succeed_if.so gid = 10002
password include        common-password
session  required       pam_loginuid.so
session  include        common-session

What did we do? First we removed the ability to log in via SSH for every user, and then we allowed the server's local users and the Domain Admins to log into the server. Note that the gid = test in pam_succeed_if looks only at the user's primary group, which is why the primary group had to be changed on the Domain Controller.
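To make the difference concrete, here is an added example (not part of the original post) that models in POSIX sh how the pam_succeed_if.so "gid = 10002" rule decides for the id output shown above, compared with the "user ingroup" form suggested in the comments. The id strings are constructed from the post's output, the second one assuming the primary group was already switched to Domain Admins, and the function names are my own.

```shell
#!/bin/sh
# Added example: models the two pam_succeed_if tests against `id` output.
# Sample input is constructed from the id output shown in the post; the
# second string assumes the primary group was switched to Domain Admins.
ID_BEFORE='uid=10000(VJLAB\administrator) gid=10000(VJLAB\domain users) groups=10000(VJLAB\domain users),10001(VJLAB\schema admins),10002(VJLAB\domain admins),10003(VJLAB\enterprise admins),10004(VJLAB\group policy creator owners)'
ID_AFTER='uid=10000(VJLAB\administrator) gid=10002(VJLAB\domain admins) groups=10000(VJLAB\domain users),10001(VJLAB\schema admins),10002(VJLAB\domain admins)'

# primary_gid ID_OUTPUT: the numeric primary GID, which is all that
# "pam_succeed_if.so gid = N" looks at.
primary_gid() {
    printf '%s\n' "$1" | sed -n 's/.* gid=\([0-9]*\)(.*/\1/p'
}

# group_gid ID_OUTPUT 'DOMAIN\group name': GID of that group from the
# groups= list (primary or supplementary); empty if the user is not in it.
group_gid() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | grep -F "($2)" | sed 's/(.*//'
}

# pam_gid_test ID_OUTPUT GID: "allow"/"deny" as "gid = GID" would decide.
pam_gid_test() {
    if [ "$(primary_gid "$1")" = "$2" ]; then echo allow; else echo deny; fi
}

# pam_ingroup_test ID_OUTPUT 'DOMAIN\group': "allow"/"deny" as the
# "user ingroup" form from the comments would decide (any group membership).
pam_ingroup_test() {
    if [ -n "$(group_gid "$1" "$2")" ]; then echo allow; else echo deny; fi
}

printf 'Domain Admins GID: %s\n' "$(group_gid "$ID_BEFORE" 'VJLAB\domain admins')"
printf 'gid = 10002, primary group still Domain Users: %s\n' "$(pam_gid_test "$ID_BEFORE" 10002)"
printf 'gid = 10002, after Set Primary Group in AD:    %s\n' "$(pam_gid_test "$ID_AFTER" 10002)"
printf 'user ingroup, no AD change needed:             %s\n' "$(pam_ingroup_test "$ID_BEFORE" 'VJLAB\domain admins')"
```

The ingroup form avoids touching the primary group in AD, at the price of the directory-cache delay the commenter describes.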

And we are done. Any comment would be welcome as always :-)

Juanma.

22 responses to How to integrate SUSE Linux Enterprise 11 with Windows Active Directory

  1. 

    It's very good, although I personally prefer the method with "Identity Manager for UNIX" because I don't need winbind or samba, although that package has to be installed on the domain server and it has to be at least version 2008. ;-)

  2. 

    Rather than changing the primary gid of each user, is it not possible to configure pam to check if the user is a member of a certain group?

    • 

      Try this in your /etc/pam.d/sshd file:

      account sufficient pam_succeed_if.so user ingroup \

      It works for me.

      My only issue has been that it seems to take a really long time for the SLES system to recognize changes in AD; it seems to take quite a while (i.e. over an hour, possibly longer) for changes to be recognized. So adding or removing users from the AD group doesn’t work right away.

      I’m assuming this information is getting cached, but I’m not sure how or where.

  3. 

    Nice post guy! I did something like this in my past work (but without screens, only text files ;)) Deal with Samba is always “funny” ;)

  4. 

    Now only need to add to this share access configuration as per:
    http://wiki.samba.org/index.php/Samba_&_Active_Directory

  5. 

    Thanks a lot, it's a really good description and works probably if I use one network like 192.168.0.X.
    What must be done when I use two or more network segments? I can ping each server, but I can't log in on the Suse server.
    The idea was to make an SSO for employees even if they are in the headquarters or in a branch office.
    Do you have an idea for a solution?

    By
    Alois

  6. 

    Excellent one..
    Is there a way to map a Windows user to a UNIX user and then authenticate with SSO with the UNIX ID and AD password?

    Any suggestions ?

  7. 

    These screenshots suggest that you join the Linux box to the domain. I don't want to do that, just authenticate through AD from the Linux box; it does not seem to be working too well…

  8. 

    Someone essentially help to make critically articles I might state.
    That is the very first time I frequented
    your website page and to this point? I surprised with the research you made to make this actual post extraordinary.
    Fantastic process!

  9. 

    Hi, would you mind letting me know which web host you're using?
    I've loaded your blog in 3 different browsers and I must say this blog loads a lot quicker
    than most. Can you suggest a good hosting provider at an honest
    price? Many thanks, I appreciate it!

  10. 

    I was more than happy to discover this page. I want to to thank
    you for your time just for this wonderful read!! I definitely really liked every bit
    of it and I have you book-marked to look at new information in
    your blog.

  11. 

    What’s up, just wanted to mention, I liked this blog post.
    It was helpful. Keep on posting!

  12. 

    I truly love your site.. Great colors & theme.
    Did you build this site yourself? Please reply back as I’m hoping to create my own blog and would like to know where you got this from or what the theme is named.
    Kudos!

  13. 

    Thank you for another magnificent article. Where else could anybody get that type of info in such
    an ideal way of writing? I’ve a presentation subsequent week, and I am on the search for such information.

  14. 

    I’ve been surfing online more than 3 hours nowadays, yet
    I never discovered any fascinating article like yours.

    It’s lovely value enough for me. In my view, if all web owners and bloggers
    made just right content material as you probably did, the web will be a lot more useful than ever before.

  15. 

    This post gives clear idea in support of the new users of blogging,
    that truly how to do blogging.

  16. 

    I write a leave a response whenever I appreciate a post on a site or I have
    something to add to the conversation. It is a result
    of the sincerness communicated in the post I looked at.
    And on this article How to integrate SUSE Linux Enterprise 11 with Windows Active Directory Juanma’s Blog.

    I was excited enough to leave a thought :-) I actually do have
    a couple of questions for you if it’s okay. Is it just me or
    does it look as if like a few of these remarks appear like coming
    from brain dead folks? :-P And, if you are
    writing on additional sites, I’d like to follow everything
    new you have to post. Could you make a list every one of your shared pages
    like your twitter feed, Facebook page or linkedin profile?

  17. 

    Hi! I’m at work surfing around your blog from my new iphone!
    Just wanted to say I love reading your blog and look forward to all your
    posts! Keep up the great work!

  18. 

    The SLES 11 AD integration worked fine for me. I had to change the passdb backend from tdbsam to rid for the users to get listed in wbinfo -u. All looked OK. But after a reboot, when I execute wbinfo -u, I get the error "Error looking up domain users". Any clues??

  19. 

    Hi, can anybody tell me how to install the samba client? I am really confused…

Trackbacks and Pingbacks:

  1. Samba e i problemi comuni | Blog di trucchisuse - October 3, 2013

    […] Here if you have Suse version 11 (but it also works for ver. 12) (Eng.) […]
