Difference between revisions of "PAM configuration for Windows Active Directory"
Line 62: | Line 62: | ||
winbind use default domain = yes | winbind use default domain = yes | ||
restrict anonymous = 2 | restrict anonymous = 2 | ||
+ | |||
+ | == Restart services == | ||
+ | In order to activate the changes, restart the needed services: | ||
+ | os4xvirtual:/etc/samba# /etc/init.d/winbind stop | ||
+ | Stopping the Winbind daemon: winbind. | ||
+ | os4xvirtual:/etc/samba# /etc/init.d/samba restart | ||
+ | Stopping Samba daemons: nmbd smbd. | ||
+ | Starting Samba daemons: nmbd smbd. | ||
+ | os4xvirtual:/etc/samba# /etc/init.d/winbind start | ||
+ | Starting the Winbind daemon: winbind. |
Revision as of 08:40, 22 February 2013
If you want to configure OS4X to authentificate users with the configured username via a centralized Windows Active Directory service, you have to configure the PAM security system of the underlying Unix environment.
This documentation is based on the OS4Xvirtual VMware image, which is based on the latest Debian Linux distribution. If you have any other distribution, you may re-use these information in order to configure your environment accordingly.
Configuring the connectivity consists of several steps, which are described here:
Declarations
In this documentation, several values will be used for hostnames, domain name, usernames and password. These are only examples and must be changed according to your environment.
AD server:
Hostname: win2k8 (192.168.1.65, name resolving works via an another DNS server; FQDN: win2k8.sbs.c-works.net) Domain name: w2k8.c-works.net Kerberos realm: W2K8.C-WORKS.NET
(The kerberos realm is the domain name in upper case characters!)
User for connecting to domain (with administrative rights, but without permission to login interactively on AD server):
Username: pamauth Password: Test4321
User to be authentificated (as an example) and configured in OS4X:
Username: os4xuser Password: Test1234
All commands on the Linux side are executed in the context of the user "root
".
Network availability
The AD server must be reachable via network on the Linux side:
os4xvirtual:~# ping -c 3 win2k8 PING win2k8.sbs.c-works.net (192.168.1.65) 56(84) bytes of data. 64 bytes from 192.168.1.65: icmp_req=1 ttl=128 time=0.762 ms 64 bytes from 192.168.1.65: icmp_req=2 ttl=128 time=0.737 ms 64 bytes from 192.168.1.65: icmp_req=3 ttl=128 time=0.659 ms --- win2k8.sbs.c-works.net ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2013ms rtt min/avg/max/mdev = 0.659/0.719/0.762/0.049 ms
Synchronize time
The underlying security model relies on synchronized time between (Active Directory) server and (Linux OS4X) client). Windows Active Directory servers offer a NTP server which can be used for time synchronization.
ntpdate win2k8
If the domain controller server doesn't run as time server, be sure to use the same time source for local and remote time synchronization.
Install required software
The PAM user authentification relies on two packages:
- Winbind
- Samba
If not installed already, install these packages through the local Linux packaging system:
apt-get install winbind samba
Configure Samba
You have to configure the Samba component. Edit the file "/etc/samba/smb.conf
" with your favorite text editor and make the following changes in the configuration section 'global
':
[global] security = ads realm = W2K8.C-WORKS.NET password server = 192.168.1.65 workgroup = W2K8 client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes restrict anonymous = 2
Restart services
In order to activate the changes, restart the needed services:
os4xvirtual:/etc/samba# /etc/init.d/winbind stop Stopping the Winbind daemon: winbind. os4xvirtual:/etc/samba# /etc/init.d/samba restart Stopping Samba daemons: nmbd smbd. Starting Samba daemons: nmbd smbd. os4xvirtual:/etc/samba# /etc/init.d/winbind start Starting the Winbind daemon: winbind.