[PLUG] Re: Authenticating Linux systems to MS AD using Kerberos

Wil Cooley wcooley at nakedape.cc
Mon Dec 20 21:59:15 UTC 2004


On Fri, 17 Dec 2004 17:16:59 -0700, Matt Alexander wrote:

> If you have a Microsoft AD controller and you'd like to authenticate your
> Linux systems to it, here's a simple way:
> 
> These instructions are taken from a RedHat box so some things might be
> different for other distros:
> 
> Edit /etc/krb5.conf and change all the domain/realm info to your company's
> values.  Make sure these are in capital letters because the connection
> will fail for some stupid Microsoft reason if not.  The "kdc" line is your
> AD controller.
> 
> Next, edit /etc/pam.d/system-auth to include this line after the auth line
> with pam_env.so:
> auth sufficient /lib/security/pam_krb5.so
> 
> And change the auth line for pam_unix.so to this:
> auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
> 
> You need to make sure the Linux box and the AD controller have
> approximately the same time or else the Kerberos authentication will fail.
> Use ntp or rdate or whatever to keep them in sync.
> 
> Now all that you need on the Linux box is the account name.  The password
> you supply will be the password stored in AD. ~M

Frightfully enough, Microsoft has published a doc on doing it:

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

And on a RH box, you should/could just run 'authconfig' to do that setup. 
Actually, though, the pam.d/system-auth file works better if you tweak it
a bit:  You really want pam_krb5 before pam_unix (and/or pam_ldap) and to
move 'use_first_pass' to the latter modules.

Also, you can use the 'net' command to create the host key in Active
Directory and copy it to the local keytab; otherwise you end up using a
less defined process to get the host's key from a w2k workstation into the
key tab.

There's also fun stuff you can do with winbind to automatically map W2K
SIDs to UID/GIDs and with OpenLDAP (or apparently now MySQL) site-wide.

Wil
-- 
Wil Cooley                                 wcooley at nakedape.cc
Naked Ape Consulting                        http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *

"Sufficiently advanced cluelessness is indistinguishable from malice." 
 -- Alex Martelli
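An added example, not code from either post in this thread: a POSIX shell script that turns the three things the thread warns about into checks you can run on a box before trying a login. It verifies that every realm in krb5.conf is upper case (the AD failure Matt mentions), that the system-auth stack has pam_krb5 ahead of pam_unix with use_first_pass on pam_unix rather than on pam_krb5 (Wil's tweak to the authconfig output), and that clock skew between two timestamps stays inside the 5-minute Kerberos default. The sample krb5.conf and system-auth files are constructed here to exercise the checks; the /lib/security module paths and the 300-second skew limit are taken from the thread and from the Kerberos default, and the Samba `net ads` commands named in the comments are assumed to be what Wil means by "the 'net' command" (they are not run by the script).

```shell
#!/bin/sh
# Added example (not from the original posts). Checks the krb5.conf /
# system-auth setup described in the thread without touching the real
# system files: every function takes a file path, so it runs offline.
LC_ALL=C; export LC_ALL

# Return 0 if every realm named in a krb5.conf is upper case.
# Looks at default_realm and at the "REALM = {" entries under [realms].
check_realm_case() {
    conf="$1"
    realms=$(sed -n \
        -e 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        -e '/^\[realms\]/,/^\[/{' \
        -e 's/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*{.*/\1/p' \
        -e '}' "$conf")
    [ -n "$realms" ] || return 1          # no realm at all is also a failure
    for r in $realms; do
        case "$r" in
            *[a-z]*) return 1 ;;          # AD will reject a lower-case realm
        esac
    done
    return 0
}

# Return 0 if the auth stack lists pam_krb5 before pam_unix, and
# use_first_pass is on pam_unix (the later module), not on pam_krb5.
check_pam_order() {
    pamfile="$1"
    krb_line=$(grep -n '^auth.*pam_krb5\.so' "$pamfile" | head -1 | cut -d: -f1)
    unix_line=$(grep -n '^auth.*pam_unix\.so' "$pamfile" | head -1 | cut -d: -f1)
    if [ -z "$krb_line" ] || [ -z "$unix_line" ]; then return 1; fi
    if [ "$krb_line" -ge "$unix_line" ]; then return 1; fi
    grep -q '^auth.*pam_unix\.so.*use_first_pass' "$pamfile" || return 1
    if grep -q '^auth.*pam_krb5\.so.*use_first_pass' "$pamfile"; then return 1; fi
    return 0
}

# Return 0 if two epoch timestamps (e.g. local `date +%s` and the DC's)
# differ by at most the limit; the Kerberos default clockskew is 300 s.
skew_within_limit() {
    d=$(( $1 - $2 )); max=${3:-300}
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    [ "$d" -le "$max" ]
}

# Constructed sample files for the demo and the checks above.
write_samples() {
    dir="$1"
    cat > "$dir/krb5-good.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
EOF
    sed 's/EXAMPLE\.COM/example.com/g' "$dir/krb5-good.conf" > "$dir/krb5-bad.conf"
    # Wil's ordering: pam_krb5 first, use_first_pass moved to pam_unix.
    cat > "$dir/system-auth-good" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_krb5.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
EOF
    # authconfig-style ordering that the thread says to tweak.
    cat > "$dir/system-auth-bad" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5.so use_first_pass
auth        required      /lib/security/pam_deny.so
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for f in krb5-good.conf krb5-bad.conf; do
    if check_realm_case "$SAMPLES/$f"; then echo "$f: realms OK"; else echo "$f: lower-case realm"; fi
done
for f in system-auth-good system-auth-bad; do
    if check_pam_order "$SAMPLES/$f"; then echo "$f: stack OK"; else echo "$f: reorder pam_krb5/pam_unix"; fi
done
# Host keytab (assumed to be Wil's "net" step; needs a joined host, not run here):
#   net ads join -U Administrator && net ads keytab create
```

Point the functions at the real /etc/krb5.conf and /etc/pam.d/system-auth once you have edited them; the skew check is meant to take `date +%s` on the Linux box and the DC's time fetched however you already sync it (ntp, rdate).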