Authenticating Linux against Windows 2003 Active Directory
CURRENT STATUS
The authentication part of the problem has been solved using LDAP, Kerberos and PAM. A user is now able to log on to a Linux server with no local account existing. getent passwd shows all users, including users on the AD server, and getent group shows all groups, including groups on the AD server.
CURRENT PROBLEM
For the rest of this, I will use an AD user named waynep that is part of two groups on the AD server named waynep_unixgroup and testgroup respectively.
My current problem is viewing which members belong to which groups on the AD server. Using LDAP, all I see is the group name and the group ID that I assigned in the Unix attributes tab in the group management section on Windows. I do not see any of the group members.
So for example, getent group (with LDAP as the lookup tool) will produce the following
waynep_unixgroup:x:10002:
testgroup:x:10011:
If I bring winbind into the setup, things progress slightly, but still have one major limitation - group numbers are not static.
If I change my nsswitch.conf group entry to read
group: files winbind ldap
getent group will show groups with users as follows
This is the desired result, BUT the problem here is that the group IDs being shown are not the group IDs that have been configured in the UNIX attributes tab when creating a group. In addition, when I create a new group, there is no way to predict what will happen to the existing groups or how things will change.
Using LDAP the group IDs are correct, but I cannot see group members.
This leads me to believe that this information can be retrieved in a useful way somehow, but I'm failing to make the leap as to how. Also, if anyone could point me towards any mailing lists that may be of assistance, or Windows forums where this information would be available, I would greatly appreciate it.
Originally posted by Builder: (the post quoted in full above)
How exactly are you looking to leverage this information? Are you looking to strictly view it? My opinion is that I would probably leverage an ldapsearch against the msSFU30posixMember (I think that's the attribute) by doing something like
The above syntax is probably wrong, but you get the general idea. If your only problem is accessing the information from the LDAP source, that should take care of it, while not giving you the problem with the winbind inconsistency of uid/gid.
Originally posted by LanRx: (the reply quoted in full above)
I'm looking to use the group membership information as I normally would on Unix. So for file permissions, giving groups of people sudo access, etc.
So have you tried assigning more than one group to the user, and then trying the filesystem access?
I guess, where I'm going with this, is to try to discover if it's a problem within nss_ldap, or if it's a problem in getent, or if it's a problem elsewhere.
Originally posted by LanRx: (the reply quoted in full above)
I have a user in multiple groups, with Unix GID's.
I have a file which one of these groups can write to.
When using LDAP, when getent doesn't show the user as a group member, logging in as this user and attempting to touch the file fails with a permission denied (ERR 13).
When using winbind, and changing the group that owns the file to match the GID that the group currently has, then logging in as this user and touching the file succeeds.
So the problem is that the system does not believe that this user is part of the group when using LDAP. This is shown in getent and by running id as the user.
When using winbind, the user does belong to the group, but the ID always changes.
I think I'm _very_ close to solving my groups issue with using LDAP to authenticate against AD. I have added the following line to my ldap.conf:
nss_map_attribute memberUid msSFU30PosixMember
Once I've done this, getent group shows users with groups, but the groups are in the dn format, not their sAMAccountName that I need. Is there any way to map these?
For example, getent testgroup now gives me
testgroup:x:10011:CN=Wayne P,CN=Users,DC=my,DC=domain,DC=com,CN=Test User,CN=Users,DC=my,DC=domain,DC=com
What I actually want to see here is
testgroup:x:10011:waynep,testuser
In my Unix attributes tab in Active Directory Users and Computers, I add users to the groups by clicking Add, selecting NIS users and clicking the add button.
I see the members that I've added as msSFU30PosixMember attributes in their CN=blah format. I also see this information in the member attribute, in exactly the same format. I don't see their sAMAccountName anywhere here.
Knowing their CN=blah data, is there any way to replace this in my ldap config using an nss_map_attribute so that I can set memberUid to be the UID of the user?
At the moment, if I login as a user and do id, I still only see their primary group, not any additional groups that they belong to.
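Builder's post above is the point where the DN-valued member attribute meets group(5), which only holds bare user names. The block below is an added example, not code from the thread: it does what a resolver has to do with msSFU30PosixMember values, namely normalise each DN (AD DNs are case-insensitive, and a comma inside an RDN is backslash-escaped) and look up the account behind it to obtain its sAMAccountName, then emit the getent-style group line and the gid list that id would show. It also renders the line the memberUid mapping gives and shows why that line cannot be split back into members. The directory entries are constructed: the waynep, testuser, waynep_unixgroup and testgroup names come from the thread; the jsmith account, the payroll group, the uidNumber values and the dangling member DN are invented for the example.

```python
"""Resolve DN-valued AD group membership (msSFU30PosixMember / member) into
the user names that group(5) and initgroups(3) expect.  Added example with a
constructed in-memory directory standing in for ldapsearch results."""

# Constructed user entries keyed by DN.  jsmith has an escaped comma in its
# RDN to show why a DN must not be split on every comma.  uidNumbers invented.
USERS = {
    "CN=Wayne P,CN=Users,DC=my,DC=domain,DC=com":
        {"sAMAccountName": "waynep", "uidNumber": 10001, "gidNumber": 10002},
    "CN=Test User,CN=Users,DC=my,DC=domain,DC=com":
        {"sAMAccountName": "testuser", "uidNumber": 10003, "gidNumber": 10011},
    "CN=Smith\\, John,CN=Users,DC=my,DC=domain,DC=com":
        {"sAMAccountName": "jsmith", "uidNumber": 10004, "gidNumber": 10020},
}

# Constructed group entries.  testgroup carries one DN written with different
# case and spacing and one dangling DN (an account that no longer exists).
GROUPS = [
    {"cn": "waynep_unixgroup", "gidNumber": 10002,
     "msSFU30PosixMember": ["CN=Wayne P,CN=Users,DC=my,DC=domain,DC=com"]},
    {"cn": "testgroup", "gidNumber": 10011,
     "msSFU30PosixMember": ["cn=Wayne P, cn=Users, dc=MY, dc=domain, dc=com",
                            "CN=Test User,CN=Users,DC=my,DC=domain,DC=com",
                            "CN=Gone User,CN=Users,DC=my,DC=domain,DC=com"]},
    {"cn": "payroll", "gidNumber": 10020,          # invented group
     "msSFU30PosixMember": ["CN=Smith\\, John,CN=Users,DC=my,DC=domain,DC=com",
                            "CN=Wayne P,CN=Users,DC=my,DC=domain,DC=com"]},
]


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas only (RFC 4514)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return rdns


def normalize_dn(dn):
    """Comparison form: lower-case, no whitespace around '=' or ','."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(out)


def index_users(users):
    """Normalised DN -> account attributes, the lookup a resolver needs."""
    return {normalize_dn(dn): attrs for dn, attrs in users.items()}


def resolve_members(group, user_index):
    """DN list -> account names; DNs that no longer resolve are dropped
    rather than emitted as garbage into the member field."""
    names = []
    for dn in group.get("msSFU30PosixMember", []):
        entry = user_index.get(normalize_dn(dn))
        if entry is not None:
            names.append(entry["sAMAccountName"])
    return names


def group_line(group, user_index):
    """group(5) line as getent group prints it, with resolved names."""
    return "%s:x:%d:%s" % (group["cn"], group["gidNumber"],
                           ",".join(resolve_members(group, user_index)))


def user_gids(username, users, groups, user_index):
    """Primary gid plus every group whose DN list resolves to this account:
    the set initgroups(3) must build for id(1) and file permission checks."""
    primary = next(a["gidNumber"] for a in users.values()
                   if a["sAMAccountName"] == username)
    gids = {primary}
    for g in groups:
        if username in resolve_members(g, user_index):
            gids.add(g["gidNumber"])
    return sorted(gids)


def memberuid_mapped_line(group):
    """What 'nss_map_attribute memberUid msSFU30PosixMember' yields: the raw
    DNs joined with commas, the same separator the DNs themselves use."""
    return "%s:x:%d:%s" % (group["cn"], group["gidNumber"],
                           ",".join(group["msSFU30PosixMember"]))


def naive_members(line):
    """How any group(5) consumer splits the member field."""
    return line.split(":")[3].split(",")


if __name__ == "__main__":
    idx = index_users(USERS)
    for g in GROUPS:
        print(group_line(g, idx))
    print("waynep gids:", user_gids("waynep", USERS, GROUPS, idx))
    print("memberUid mapping gives:", memberuid_mapped_line(GROUPS[1]))
```

Running it prints testgroup:x:10011:waynep,testuser, which is the line Builder wants, and shows that the memberUid-mapped line splits into fifteen "members", none of which is an account name. The dangling DN is the case to watch in practice: AD keeps deleted accounts' DNs out of member lists eventually, but a mapping that emits unresolved DNs verbatim would print them until then.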
Not sure if you got this working, but you can do it with Samba and winbindd. Linux Magazine had an article on it last month. I am in the process of writing a how-to for it. If you would like me to email it to you, let me know.
Originally posted by tangle: (the reply quoted in full above)
The problem with the Winbindd solution is that you can't guarantee UIDs and GIDs will stay the same long term. This can be a HUGE problem. We've already seen one incident where a change to Samba added machine accounts, which threw out UIDs and GIDs in a big way!
Originally posted by mast_tech: I did everything as per LanRx's document to get AD users to authenticate on the Linux server.
I am getting the user list by getent passwd but am not able to log in.
It says login incorrect.
In ssh login it says Access Denied.
Please help.
I finally got all of this working. I'll try and document it tonight / tomorrow and I'll post here when it's done. I've not used the LanRx stuff for this, but a combination of stuff I found on Experts Exchange and SecurityFocus and a conversation with someone from Red Hat Global Professional Services.
The final solution I've arrived at uses the following:
Kerberos for authentication
LDAP for directory information (UID, GID, etc.)
pam for gluing stuff together and
pam_limit to control which users can login to a machine.
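The closing post lists the pieces but not the files. The fragment below is an added example of the nss_ldap side only, not the poster's configuration. It follows the Services for UNIX 3.0 mapping section that ships commented out in nss_ldap's sample ldap.conf, and it assumes a domain my.domain.com, a domain controller dc1 and a read-only bind account named nss_lookup, all of which are placeholders. Two points matter for the group problem discussed earlier in the thread and for security. First, msSFU30PosixMember holds DNs, so it is mapped to uniqueMember, the DN-valued member attribute that nss_ldap resolves to account names when built with RFC 2307bis support (Red Hat's packages are), and not to memberUid, which expects bare user names. Second, AD refuses anonymous reads, so the bind password has to sit in ldap.conf, which every process that resolves names can read; that account should be able to do nothing but read, and root's own lookups can use the separate /etc/ldap.secret file via rootbinddn.

```conf
# /etc/ldap.conf for nss_ldap (added example; host, base and bind account
# are placeholders, not the poster's values)
uri ldaps://dc1.my.domain.com/
base dc=my,dc=domain,dc=com
ldap_version 3
scope sub
# Fail lookups quickly when the DC is unreachable instead of hanging logins
bind_policy soft
timelimit 30
bind_timelimit 30

# AD does not allow anonymous reads, so NSS lookups need a bind account.
# This file must be readable by every process that resolves names, so the
# password is effectively public to local users: use a dedicated account
# with read-only rights and nothing else.
binddn cn=nss_lookup,cn=Users,dc=my,dc=domain,dc=com
bindpw CHANGE_ME
# Lookups made by root (PAM) bind with the password from /etc/ldap.secret,
# which should be owned by root and mode 0600.
rootbinddn cn=nss_lookup,cn=Users,dc=my,dc=domain,dc=com

# Verify the DC certificate instead of accepting any issuer
tls_cacertfile /etc/openldap/cacerts/my-domain-ca.pem
tls_checkpeer yes

nss_base_passwd cn=Users,dc=my,dc=domain,dc=com?sub
nss_base_group  cn=Users,dc=my,dc=domain,dc=com?sub
nss_initgroups_ignoreusers root

# Services for UNIX 3.0 schema mapping
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute gecos displayName
nss_map_objectclass posixGroup group
# msSFU30PosixMember holds DNs: map it to the DN-valued uniqueMember
# attribute (resolved to account names), not to memberUid (bare names).
nss_map_attribute uniqueMember msSFU30PosixMember

pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad

# /etc/nsswitch.conf: local files first, then ldap; no winbind, so GIDs
# are the ones set in the UNIX attributes tab
passwd: files ldap
shadow: files ldap
group:  files ldap
```

To check the mapping without nss_ldap in the way, run the same query by hand: ldapsearch -x -H ldaps://dc1.my.domain.com/ -D cn=nss_lookup,cn=Users,dc=my,dc=domain,dc=com -W -b cn=Users,dc=my,dc=domain,dc=com '(cn=testgroup)' msSFU30GidNumber msSFU30PosixMember should return the gid and the member DNs; after that, getent group testgroup should print account names in the member field and id waynep should list the supplementary GIDs, which is the result the thread was after.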