Difference between revisions of "PAM configuration for Windows Active Directory"

From OS4X
Revision as of 08:20, 22 February 2013

Task

If you want to configure OS4X to authenticate users with the configured username via a centralized Windows Active Directory service, you have to configure the PAM security system of the underlying Unix environment.


This documentation is based on the OS4Xvirtual VMware image, which is based on the latest Debian Linux distribution. If you use another distribution, you can reuse this information to configure your environment accordingly.


Configuring the connectivity consists of several steps, which are described here:

Declarations

In this documentation, several values will be used for hostnames, domain name, usernames and password. These are only examples and must be changed according to your environment.

AD server:

Hostname: win2k8 (192.168.1.65, name resolution works via another DNS server; FQDN: win2k8.sbs.c-works.net)
Domain name: w2k8.c-works.net

User for connecting to domain (with administrative rights, but without permission to login interactively on AD server):

Username: pamauth
Password: Test4321

User to be authenticated (as an example) and configured in OS4X:

Username: os4xuser
Password: Test1234

All commands on the Linux side are executed in the context of the user "root".

Network availability

The AD server must be reachable via network on the Linux side:

os4xvirtual:~# ping -c 3  win2k8
PING win2k8.sbs.c-works.net (192.168.1.65) 56(84) bytes of data.
64 bytes from 192.168.1.65: icmp_req=1 ttl=128 time=0.762 ms
64 bytes from 192.168.1.65: icmp_req=2 ttl=128 time=0.737 ms
64 bytes from 192.168.1.65: icmp_req=3 ttl=128 time=0.659 ms

--- win2k8.sbs.c-works.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2013ms
rtt min/avg/max/mdev = 0.659/0.719/0.762/0.049 ms

Synchronize time

The underlying security model relies on synchronized time between the (Active Directory) server and the (Linux OS4X) client. Windows Active Directory servers offer an NTP server which can be used for time synchronization.

ntpdate win2k8
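As an added pre-flight script (not part of the OS4X documentation), the following POSIX shell code combines the two checks above: it pings the AD host and runs `ntpdate -q`, which queries the offset without adjusting the clock, then compares that offset with the 300-second clock skew that Kerberos tolerates by default. The hostname `win2k8` is the page's example value; the `server ..., offset ..., delay ...` output line of `ntpdate -q` is assumed to be the standard one.

```shell
#!/bin/sh
# Added pre-flight check for the AD/PAM setup (example code, not OS4X's own).
# Verifies network reachability of the AD server and that the local clock is
# within the skew window Kerberos accepts before the domain join is attempted.

AD_HOST="${AD_HOST:-win2k8}"   # example hostname from the documentation
MAX_SKEW_SEC=300               # Kerberos default clockskew (AD: 5 minutes)

# Extract the signed clock offset in seconds from `ntpdate -q` output.
# Assumed line shape: "server 192.168.1.65, stratum 2, offset -0.001234, delay 0.02567"
parse_ntp_offset() {
    printf '%s\n' "$1" | awk '
        /^server / {
            for (i = 1; i <= NF; i++)
                if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit }
        }'
}

# Return 0 when |offset| <= MAX_SKEW_SEC, 1 otherwise (also 1 when no offset parsed).
offset_within_skew() {
    off="$1"
    [ -n "$off" ] || return 1
    awk -v o="$off" -v m="$MAX_SKEW_SEC" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

check_reachable() {
    ping -c 3 -q "$1" >/dev/null 2>&1
}

check_time_sync() {
    out=$(ntpdate -q "$1" 2>/dev/null) || return 1
    off=$(parse_ntp_offset "$out")
    if offset_within_skew "$off"; then
        echo "clock offset to $1 is ${off}s (within ${MAX_SKEW_SEC}s)"
    else
        echo "clock offset to $1 is '${off}'s: outside ${MAX_SKEW_SEC}s, Kerberos will reject tickets" >&2
        return 1
    fi
}

main() {
    check_reachable "$AD_HOST" || { echo "$AD_HOST is not reachable" >&2; return 1; }
    check_time_sync "$AD_HOST"
}

# Usage: sh adcheck.sh run   (the checks only execute when "run" is passed)
if [ "${1:-}" = "run" ]; then main; fi
```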