Managing Linux Through Windows Active Directory
A nice article about connecting Linux Authentication to Windows Authentication.
Check this how-to posted here a while back on Linux/AD Integration
http://thelazyadmin.com/index.php?/archives/381-LinuxUnix-Active-Directory-Authentication-Integration-Part-1.html
http://thelazyadmin.com/index.php?/archives/383-LinuxUnix-Active-Directory-Authentication
Not a complete authentication solution. Kerberos against a Windows ADS does work, but as laid out in the article, this does not present an SSO solution nor does it work for all authentication operations. It does get you about "80%" there, but there are holes. For one, if you manage all your users in ADS, you'll still need to create the users on each of the linux machines that the user(s) are allowed to use. You can work around this using samba and some user/group mappings, but it is something that anyone trying to manage users in one place should be aware of. Also, not all the linux modules use krb5. You may need to recompile or install the appropriate module with krb5 support, and that still may not be enough. I can't recall if it's KDE or GNOME, but one of them lets you authenticate at login using kerberos against ADS, but if you then attempt to use the manager's "network explorer", the authentication fails (one of them fails silently and just denies you access; the other at least prompts you for your domain, username, and password even though you just entered the information at login). It is a starting point, but these are probably better resources (even if not fully complete themselves):
http://redmondmag.com/columns/article.asp?EditorialsID=858
http://redmondmag.com/features/article.asp?EditorialsID=422
This should work at least 95% of the time when the service/program/etc. uses PAM for authentication. Some can even use winbind directly, and some (like GDM, etc.) support kerberos directly, but I have never had any real luck with them; it tends to make more of a mess than anything.
As far as having to set up samba, you have to do that already for pam->winbind->AD to work. And you don't need to create the users/groups locally (winbind takes care of that; try getent passwd/group or wbinfo -u/-g after samba/winbind is configured), but you do need to script the creation of the home directory on the first login (from skeleton, or maybe even grab it from a roaming profile possibly? How to keep it in sync though...).
The whole process isn't trivial, but it isn't that hard either. Good tutorials/howtos are hard to come by (at least were 4 years ago when I first did this) but are getting better.
I set up our Linux boxes to authenticate to our Active Directory domain using Samba's winbindd, pam_winbind and pam_mkhomedir. Works well and has reduced my management headache a fair bit. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html has all the related information.
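The two comments above describe the same pam -> winbind -> AD setup (winbind in nsswitch so getent/wbinfo see domain users, pam_winbind for auth, pam_mkhomedir to create the home directory on first login, and Samba joined with security = ads). As an added example (my own, not code from any of the posters or from the Samba project), here is a small POSIX shell audit script that checks those four pieces are actually in place before you start debugging logins. The file paths are assumptions: Debian-style hosts split PAM into /etc/pam.d/common-auth and /etc/pam.d/common-session, RHEL-style hosts use /etc/pam.d/system-auth for both, so the paths are passed as arguments rather than hard-coded.

```shell
#!/bin/sh
# Audit the pieces of a Linux -> Active Directory (winbind) integration.
# Added example; file layouts below are assumptions, pass your own paths.

nsswitch_uses_winbind() {
    # $1 = nsswitch.conf; both passwd and group lookups must list winbind
    # (otherwise getent passwd / group will never show domain accounts).
    grep -Eq '^[[:space:]]*passwd:([^#]*[[:space:]])?winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:([^#]*[[:space:]])?winbind([[:space:]]|$)' "$1"
}

pam_has_module() {
    # $1 = PAM config file, $2 = management group (auth|session), $3 = module.
    # Comment lines are ignored; '@include' lines are not followed, so pass the
    # file that really contains the stack (e.g. common-auth, not login).
    grep -Eq "^[[:space:]]*$2[[:space:]]+[^#]*$3" "$1"
}

smbconf_is_ads() {
    # $1 = smb.conf; winbind against AD needs 'security = ads' (any case/spacing)
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1"
}

FAILS=0
report() {
    # $1 = description; remaining args = check command. Counts failures in FAILS.
    desc=$1; shift
    if "$@"; then
        echo "PASS: $desc"
    else
        echo "FAIL: $desc"
        FAILS=$((FAILS + 1))
    fi
}

audit_ad_integration() {
    # $1 nsswitch.conf  $2 PAM auth file  $3 PAM session file  $4 smb.conf
    # Prints one line per check; return status is the number of failed checks.
    FAILS=0
    report "nsswitch.conf resolves passwd and group via winbind" nsswitch_uses_winbind "$1"
    report "PAM auth stack uses pam_winbind.so" pam_has_module "$2" auth pam_winbind.so
    report "PAM session stack uses pam_mkhomedir.so" pam_has_module "$3" session pam_mkhomedir.so
    report "smb.conf sets security = ads" smbconf_is_ads "$4"
    return "$FAILS"
}

# Usage:
#   sh ad_audit.sh /etc/nsswitch.conf /etc/pam.d/common-auth \
#                  /etc/pam.d/common-session /etc/samba/smb.conf
# On RHEL-style systems pass /etc/pam.d/system-auth for both PAM files.
if [ $# -eq 4 ]; then
    audit_ad_integration "$@"
    # Live checks, only meaningful on a host that has already joined the domain:
    # wbinfo -t verifies the machine trust secret, wbinfo -u lists domain users.
    if command -v wbinfo >/dev/null 2>&1; then
        wbinfo -t && wbinfo -u | head -n 5
    fi
fi
```

The static checks are deliberately strict about comment handling: a commented-out `#session optional pam_mkhomedir.so` line counts as absent, which is exactly the mistake that produces a successful password check followed by "no home directory" on first login.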
Why stop there? Integrate all of it: samba, ldap, mail, etc.
http://www.fatofthelan.com/articles/articles.php?pid=24
While the forum linked to in the post here seems valuable, here's the actual article link:
http://www.linux-watch.com/news/NS4820656867.html
Web app authentication is much better handled with a simple LDAP bind. If you're in PHP, for instance:
// Given $username and $passwd, try domain auth...
// DC = domain controller, yourdomain.local = domain name
// Note: AD treats a simple bind with an empty password as an anonymous bind
// and reports success, so an empty $passwd must be rejected before ldap_bind().
$ad = ldap_connect("DC"); // prefer "ldaps://DC" so the password is not sent in clear text
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0); // AD returns referrals that can stall the bind
$bd = ($username !== '' && $passwd !== '')
    && @ldap_bind($ad, "$username@yourdomain.local", $passwd);
if (!$bd) {
    // bad username or password
} else {
    // logged in
}
ldap_unbind($ad);