Windows-Linux Single Signon

Developers have often asked me whether Linux servers could authenticate against Active Directory, so that users do not have to change their passwords on every server. A good suggestion, I thought! It would also free me from doing user management on the Linux servers and let me focus on application and service monitoring and on the performance of my servers. So here is a brief howto explaining what I did to achieve this.

AD & Linux Integration – The Problem

For many years Linux users have used Samba to make Linux servers act as Windows NT member servers or Primary Domain Controllers. As Microsoft moved to Active Directory (AD) as its directory service, Samba evolved to let Linux systems integrate with it. AD was introduced with Windows 2000 and, for the sake of backward compatibility, still supports the older NT domain controller protocols.

There are several problems to solve when authenticating Linux servers against AD; two of them are:

  • Windows stores password hashes in its own formats (LM and NT hashes), which the native Linux password mechanisms cannot verify.
  • Windows domain controllers do not maintain information that Linux systems need, such as the home directory and login shell.

Winbind to the rescue

Winbind is a service that lets Linux servers authenticate against NT domain controllers or AD servers by linking the Windows account database to the native Linux authentication system. Winbind does this through PAM (Pluggable Authentication Modules) and NSS (Name Service Switch).

PAM is a suite of shared libraries that determine how a user is authenticated to the Linux system. PAM lets a program be written independently of the authentication scheme in use; the program only needs to be compiled against the PAM libraries, and the "authentication modules" are attached to it at run time.

winbindd also acts as an NSS backend for resolving names from Windows servers. NSS allows user and system information to be obtained from different databases such as local files, NIS or DNS. The winbind service provides the 'hosts', 'passwd' and 'group' databases for NSS.

How is this done?

Here is the brief sequence of steps I took to achieve single signon:

  1. Configure winbind options in the /etc/samba/smb.conf
  2. Configure the Kerberos libraries
  3. Join the Linux server to the windows AD using the net join command
  4. Start the Samba and Winbind services
  5. Test that the Winbind is able to authenticate against AD
  6. Configure the /etc/nsswitch file to query winbind
  7. Configure the PAM system to use winbind

Configure winbind options in the /etc/samba/smb.conf

Here is the global section of my /etc/samba/smb.conf file. I have put in additional comments so a further explanation of various options is not necessary.

[root@rhel3 root]# vi /etc/samba/smb.conf
[global]
# Parameters required for Active Directory Authentication 
workgroup = MYLINUXRULES 
realm = MYLINUXRULES.COM 
server string = %h 
security = ADS 
encrypt passwords = Yes 
password server = dc1.mylinuxrules.com

# Winbind options
# Because we have just one domain we don't want the domain name to be a
# part of the username. Alternatively, if you have multiple domains and you are
# sure that user accounts are unique across the domains, you can use this too.
winbind use default domain = yes

# This option is useful in case the user logs on via ssh etc. Windows servers
# don't maintain this information and hence winbind does it. This value can't be
# customized on a per user basis, so all accounts maintained by winbind must
# use the same shell.
template shell = /bin/bash

# This specifies the home directory for a user. Windows servers do not
# maintain this information and hence winbind does it. The variables which can
# be used here are %D (for domain name) and %U (for user name). Samba 3.0.6 onwards
# support the %D, %N, %U and %u variables only. Since we have just one domain we are
# using just the usernames within /home for the individual home directories.
template homedir = /home/%U

# This is the time (in seconds) for which the authentication information will be
# cached by winbind. After this time winbind will query the authentication
# server again.
winbind cache time = 300

# This is the Linux UID range which will be assigned by winbind to users. Local
# Linux accounts must not be created in this range. On Red Hat systems UIDs 0-499 are
# reserved for system users (0 being root), and 500 and above are for
# ordinary accounts. We have reserved UIDs 1001-4000 for use by winbind.
# If the Samba version being used is < 3.0.6 then this value has to be defined,
# as the default value is undefined. From Samba version 3.0.6 onwards, if this
# value is not set then winbind will try to map NT domain usernames to locally
# defined accounts. This feature can be useful when you want to rely on the domain
# controller for password authentication only. The catch is that on different
# Linux systems users might get different UIDs, which causes problems with
# software such as NFS that identifies accounts by UID/GID and not by
# username.
idmap uid = 1001-4000

# This serves the same purpose for groups as the above does for users. The default
# value is undefined.
idmap gid = 1001-4000

#------------------------- Other options --------------------------------- 
printcap name = /etc/printcap 
load printers = yes 
cups options = raw 
log file = /var/log/samba/%m.log 
max log size = 50 
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 
.......[[snipped...]]...... 
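The comments above insist that no local account may live inside the idmap range, and that the range must stay clear of the system UIDs. Below is a small checker for exactly that rule; it is an added example written for this post, not code from the post or from Samba. The smb.conf excerpt and the /etc/passwd and /etc/group lines are constructed samples (the local account "appsvc" is deliberately placed inside the range to show the report); on a real box you would read the real files, and the 0-499 system range is the Red Hat convention assumed here.

```python
"""Sanity-check the winbind idmap ranges against local accounts.

Added example for this post, not part of the original: the smb.conf
excerpt and the /etc/passwd and /etc/group lines below are constructed
samples; on a real box read the files instead."""
import re

SMB_CONF = """\
[global]
workgroup = MYLINUXRULES
realm = MYLINUXRULES.COM
security = ADS
winbind use default domain = yes
idmap uid = 1001-4000
idmap gid = 1001-4000
"""

# Constructed local databases. 'appsvc' was created inside the idmap range
# to show what the collision report looks like.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
bob:x:500:500:Bob:/home/bob:/bin/bash
appsvc:x:1200:1200:App service:/opt/app:/sbin/nologin
"""
GROUP = """\
root:x:0:
bob:x:500:
appsvc:x:1200:
"""

SYSTEM_ID_MAX = 499   # Red Hat convention of the time (assumed): 0-499 are system ids

IDMAP_RE = re.compile(r'^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$')


def idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from the smb.conf text."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        kind, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if lo > hi:
            raise ValueError("idmap %s range is reversed: %s" % (kind, line.strip()))
        ranges[kind] = (lo, hi)
    return ranges


def local_ids(db_text):
    """Map numeric id -> name for passwd- or group-style lines."""
    ids = {}
    for line in db_text.splitlines():
        fields = line.split(':')
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids


def check_idmap(conf, passwd, group):
    """Return a list of problems; an empty list means the ranges are safe."""
    problems = []
    ranges = idmap_ranges(conf)
    for kind, db in (('uid', passwd), ('gid', group)):
        if kind not in ranges:
            problems.append("idmap %s is not set" % kind)
            continue
        lo, hi = ranges[kind]
        if lo <= SYSTEM_ID_MAX:
            problems.append("idmap %s range %d-%d overlaps system ids 0-%d"
                            % (kind, lo, hi, SYSTEM_ID_MAX))
        for num, name in sorted(local_ids(db).items()):
            if lo <= num <= hi:
                problems.append("local %s %s (%d) falls inside idmap %s range %d-%d"
                                % (kind, name, num, kind, lo, hi))
    return problems


if __name__ == '__main__':
    for problem in check_idmap(SMB_CONF, PASSWD, GROUP):
        print(problem)
```

Run it after every change to the idmap lines or to local accounts; a collision means a domain user can end up owning a local account's files.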

Configure the Kerberos libraries

Next edit the /etc/krb5.conf file and place following entries:

[root@rhel3 root]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = MYLINUXRULES.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYLINUXRULES.COM = {
kdc = dc1.mylinuxrules.com:88
admin_server = dc1.mylinuxrules.com:749
default_domain = mylinuxrules.com
}
[domain_realm]
.mylinuxrules.com = MYLINUXRULES.COM
mylinuxrules.com = MYLINUXRULES.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Start the Samba and Winbind services as follows:

[root@rhel3 root]# service smb restart
Shutting down SMB services:                                [  OK  ]
Shutting down NMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]

[root@rhel3 root]# service winbind restart
Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

Test that the winbind is able to authenticate against AD

To test whether the Kerberos libraries can authenticate against AD, run the 'kinit' program as a domain user:

[root@rhel3 root]# kinit myaduser01@MYLINUXRULES.COM
Password for myaduser01@MYLINUXRULES.COM:

If you just get the command prompt back then everything is alright; 'klist' will show the ticket-granting ticket that was issued.
Now you can join the Linux box to AD (in my case under dn:ou=Linux,ou=Servers,dc=MYLINUXRULES,dc=COM). The OU path is given to 'net ads join' top-down with '/' separators, and the account named with -U must be allowed to create computer objects in that OU:

[root@rhel3 root]# net ads join Servers\/Unix -U ad_admin_user01
ad_admin_user01's password:
Using short domain name -- MYLINUXRULES
Joined 'RHEL3' to realm 'MYLINUXRULES.COM'

To test whether the winbind service is able to query AD we can use the wbinfo program. The -t option tests the trust account we have created and the basic winbind functionality. The reason I have explicitly specified the domain with the "--domain" option is that we have multiple Windows domains running on old Windows servers (which will all die soon), and without this option I cannot be sure that the Active Directory domain I wanted to check was the one queried. The -u option lists all the usernames from the specified domain. In the listing the usernames appear as "DOMAIN\user" if "winbind use default domain" is set to "no" in /etc/samba/smb.conf. If this parameter is set to "yes" (which is what I have done) then you will see just the usernames in the output.

[root@rhel3 root]# wbinfo --domain=MYLINUXRULES.COM -t
checking the trust secret via RPC calls succeeded
[root@rhel3 root]# wbinfo --domain=MYLINUXRULES.COM -u
Guest
SUPPORT_388945a0
msadc_user_01
msadc_user_02
.....[[snipped...]]....

Once these tests succeed you can further test authentication against Active Directory with the "-a" switch of "wbinfo". Note that the password is passed on the command line, so it is visible to other users in the process list and ends up in your shell history; use a throwaway test account and clear the history afterwards.

[root@rhel3 root]# wbinfo --domain=MYLINUXRULES.COM -a msadc_user01%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Configure /etc/nsswitch to query winbind

To configure PAM and NSS to use winbind for authenticating users and returning additional account information to the programs that need it, we need pam_winbind.so and libnss_winbind.so. The default location of PAM modules on Linux is /lib/security, so pam_winbind.so must be present there for the PAM libraries to find it automatically. libnss_winbind.so is an ordinary shared library and must be in /lib, with a symbolic link in /usr/lib. On my machines these files are at the following locations:

  • On RHEL AS and Fedora:
    [root@rhel3 root]# ls -l /lib/security/pam_winbind.so
    -rwxr-xr-x    1 root     root        16032 Jul 21 16:22 /lib/security/pam_winbind.so
    [root@rhel3 root]# ls -l /usr/lib/libnss_winbind.so
    lrwxrwxrwx    1 root     root           24 Dec  9 16:12 /usr/lib/libnss_winbind.so -> /lib/libnss_winbind.so.2
    [root@rhel3 root]# ls -l /lib/libnss_winbind.so.2
    -rwxr-xr-x    1 root     root        17928 Jul 21 16:22 /lib/libnss_winbind.so.2
    [root@rhel3 root]# ls -l /lib/libnss_winbind.so
    lrwxr-xr-x    1 root     root           19 Dec  9 14:15 /lib/libnss_winbind.so -> libnss_winbind.so.2
    
  • On Debian:
    [root@debian root]# ls -l /lib/security/pam_winbind.so
    -rw-r--r--  1 root root 16544 2005-05-27 08:19 /lib/security/pam_winbind.so
    [root@debian root]# ls -l /lib/libnss_winbind.so.2
    -rw-r--r--  1 root root 17840 2005-05-27 08:19 /lib/libnss_winbind.so.2
    

To configure NSS, edit /etc/nsswitch.conf so that the "passwd" and "group" databases list winbind as a source of account and group information. Do not touch any other lines (including the "shadow" line) unless you know what you are doing.

  • On RHEL AS and Fedora:
    [root@rhel3 root]# vi /etc/nsswitch.conf
    .....[[snipped..]].....
    passwd:     files winbind
    shadow:     files
    group:      files winbind
    .....[[snipped..]].....
    
  • On Debian:
    [root@debian root]# vi /etc/nsswitch.conf
    .....[[snipped..]].....
    passwd:     compat winbind
    shadow:     compat
    group:      compat winbind
    .....[[snipped..]].....
    

Configure the PAM System to Use winbind

The power of PAM lies in the fact that it lets us customize authentication on a per-service basis. For example, the system can be configured to use local accounts for console logins and NT domain authentication for remote SSH or FTP logins. The changes are made either in /etc/pam.conf or in the per-service configuration files in /etc/pam.d/.

Different distributions configure PAM differently. RHEL and Fedora use the pam_stack.so module, which pushes the common part of the PAM configuration into /etc/pam.d/system-auth. Debian Sarge maintains a set of four files: /etc/pam.d/common-account (authorization settings common to all services), /etc/pam.d/common-auth (authentication settings common to all services), /etc/pam.d/common-password (password-related settings common to all services) and /etc/pam.d/common-session (session-related modules common to all services).

So if all services should use Windows authentication, modify /etc/pam.d/system-auth on RHEL and Fedora, or the /etc/pam.d/common-account, common-auth, common-password and common-session files on Debian. Otherwise the individual service files can be modified.

Please note that the sequence of the lines is very important. For more information on PAM configuration see the Linux-PAM documentation.

I had to use winbind for all services, so I changed /etc/pam.d/system-auth. Here is how my file looks:

[root@rhel3 root]# vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run. 
auth required /lib/security/$ISA/pam_env.so 
auth sufficient pam_winbind.so 
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok try_first_pass 
auth required /lib/security/$ISA/pam_deny.so

account sufficient pam_winbind.so 
account required /lib/security/$ISA/pam_unix.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type= 
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow min=6 max=255
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so 
session required /lib/security/$ISA/pam_unix.so 
session required pam_mkhomedir.so skel=/etc/skel umask=0027 

Please note that if you run Red Hat's "authconfig" tool this file will be overwritten, so keep a backup copy. Note also that pam_winbind.so is not in the password stack above, so domain users cannot change their AD password with 'passwd' on this box; they have to change it on the Windows side.

Important points to keep in mind

I use mod_auth_pam with Apache for secure areas on our intranet. This works fine with winbind and Samba. But if in the PAM files you reverse the order of pam_winbind.so and pam_unix.so in the auth and account lines, then although local Unix authentication will still work, Apache does not let you through to the secure area. It is probably because if pam_unix.so comes first and you try to use the AD account, PAM first tries to authenticate against the local Unix database, fails, and that is what Apache gets. I don't know the details of all this, but this is what I have found, and when I reverse the order it all works very well. If someone comes to know the details then please let me know.
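The ordering rule above is easy to get wrong when a stack is edited by hand or regenerated by authconfig. Here is a lint for a system-auth style file that encodes the rules this post relies on: pam_winbind.so before pam_unix.so in the auth and account stacks, pam_deny.so closing the auth stack, and pam_mkhomedir.so in the session stack. This is an added example written for this post, not the post's own or Linux-PAM's code; GOOD_STACK mirrors the system-auth shown above and BAD_STACK is a constructed stack with the order reversed.

```python
"""Lint a system-auth style PAM stack for the winbind rules this post
relies on: pam_winbind.so before pam_unix.so in the auth and account
stacks, pam_deny.so closing the auth stack, and pam_mkhomedir.so in the
session stack so domain users get a home directory on first login.

Added example, not part of the original post; the two stacks below are
constructed (GOOD_STACK mirrors the post's system-auth)."""

GOOD_STACK = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok try_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient pam_winbind.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0027
"""

# The ordering the post warns about: pam_unix.so first, no pam_deny.so
# closing auth, and no pam_mkhomedir.so in session.
BAD_STACK = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient pam_winbind.so
account required /lib/security/$ISA/pam_unix.so
account sufficient pam_winbind.so
session required /lib/security/$ISA/pam_unix.so
"""


def parse_stack(text):
    """Return [(type, control, module, args)], ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        module = parts[2].rsplit('/', 1)[-1]   # drop the /lib/security/$ISA/ prefix
        entries.append((parts[0], parts[1], module, parts[3:]))
    return entries


def modules(entries, mtype):
    """Module names of one management group, in stack order."""
    return [mod for typ, _ctl, mod, _args in entries if typ == mtype]


def lint_stack(text):
    """Return a list of problems; an empty list means the stack follows the post."""
    problems = []
    entries = parse_stack(text)
    for mtype in ('auth', 'account'):
        mods = modules(entries, mtype)
        if 'pam_winbind.so' not in mods:
            problems.append("%s: pam_winbind.so missing" % mtype)
        elif 'pam_unix.so' in mods and \
                mods.index('pam_unix.so') < mods.index('pam_winbind.so'):
            problems.append("%s: pam_unix.so runs before pam_winbind.so" % mtype)
    auth = modules(entries, 'auth')
    if not auth or auth[-1] != 'pam_deny.so':
        problems.append("auth: stack does not end with pam_deny.so")
    if 'pam_mkhomedir.so' not in modules(entries, 'session'):
        problems.append("session: pam_mkhomedir.so missing, domain users get no home directory")
    return problems


if __name__ == '__main__':
    for name, stack in (('good', GOOD_STACK), ('bad', BAD_STACK)):
        print(name, lint_stack(stack) or ['ok'])
```

Feeding it the real /etc/pam.d/system-auth after an authconfig run is a quick way to notice that the file was regenerated without the winbind entries.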

Posted in FLOSS

Solaris, OpenSolaris and GNU/Solaris – What’s in the name

I had always wanted to try my hand at OpenSolaris since the day Sun announced that it was making its Solaris operating system open source. I had worked with Solaris 2.6 (read Solaris 6) and Solaris 2.8 (read Solaris 8) as server operating systems and found them to be quite stable and rock solid.

Trying out Solaris 10

I downloaded Solaris 10 from Sun's website to try installing it on my Dell OptiPlex PC (PIII, 256MB), but backed off after finding that it was too slow and took a very long time to go from one step to the next. Thinking about it, I realized that the Solaris kernel has been designed to work on a server (typically with multiple processors) and hence does lots of things that are not required on a PC. So I dropped the idea of trying out Solaris 10 for now. I have an old Compaq (now HP) ML370 lying in my server room and might give it a try on that box someday.

OpenSolaris

Next in my quest for learning I downloaded the four CDs of Solaris Express Community Edition 27, and as I was installing it I realised that this is exactly Solaris 10 (with minor differences, of course), and at some point during the installation I found that it is actually being treated internally as Solaris 11 (SunOS 5.11) by Sun. Overall I found that, although still under development, OpenSolaris is quite impressive and has a bright future.

GNU/Solaris

GNU fans (like me) will be glad to know that there is a product called Nexenta GNU/Solaris which is based on OpenSolaris. I downloaded the CD last night, burnt it and installed it. Debian users will feel at home: it is a Debian GNU system with a Solaris kernel. It is not an official Debian project yet.

Bottomline

Solaris is a very powerful kernel, and combining GNU tools with Solaris will definitely give GNU/Linux tough competition.

Posted in Views

Another month passes by…

I am having a very busy life these days. Another month has passed at BDS and I didn't realise it till now. There is a lot of work pressure here and so time flies...

I am not even finding time to check my personal emails before the weekend. My day starts at 05:00 when I get up and ends at around 23:00 when I go to sleep. I normally come back from work at around 20:00.

Highlights of the last month

Since the parent company of BDS, BBC Broadcast, is no longer a part of the BBC group, it had to change its name to remove the words BBC from it. The new name was decided to be RedBee Media Ltd.

  • Changes in network and a bit of history

Looking at the ongoing problems with our network, which is flat and depends on badly configured and dying HP ProCurve switches, it was decided to move to a properly designed network built around Foundry switches and Cisco Pix firewalls. All this happened and the design was finalized before I joined BDS. The new network is supposed to have two fast Foundry switches acting as the CORE, which will house all the servers connected through CAT6 cables, and four Foundry EdgeIron switches acting as EDGE switches, connected through Gigabit links to the core and meant to house the desktops. Almost all end-user desktops, except for the IT team, use Wyse terminals (dumb terminals based on Linux and Windows) with Citrix MetaFrame and Windows Terminal Servers, so the emphasis is on a fast network. All the cables are either CAT 5e or CAT6.

The equipment was delivered quite recently and a consultant was hired to configure the Cisco Pix firewalls. He configured the firewalls, but as per the plan the firewalls cannot be replaced till the entire network is moved to the new switches and cables. And guess what... there was no one who had configured switches before. So I volunteered to do this massive task. I took the four Foundries (EdgeIron 4802CF), connected to them one by one and configured them with one VLAN for desktops, as these were the lighter switches meant to be the EDGE, and connected them to the two Foundry FastIron switches meant to be the CORE. Next I took the two CORE switches and configured the various VLANs. I had done all this for the first time and it was so simple, just by reading the documentation. I can configure the Foundries now.

What happened today?

Today we laid out cables and migrated the Cisco 2600 router (which will eventually be removed, as the CORE Foundries are layer 3 switches supporting VRRP), the old Pix firewalls, the edge switches and the Citrix servers. So most of the office is now running on the new network. Only the Linux servers and some Windows servers are left for tomorrow.

Quite a lot in one day.

Posted in Personal

NIC Bonding

NIC Bonding is a technique in which multiple Network Interface Cards (NICs) are logically bonded together and presented as a single interface to the outside world.

Before activating bonding it is recommended to check that the NICs are working. mii-tool can be used for this:

$ sudo /sbin/mii-tool
eth0: negotiated 100baseTx-FD, link ok
eth1: negotiated 100baseTx-FD, link ok

Bonding Driver in the Kernel

The first thing is to check whether the bonding driver module is already loaded or not.

$ sudo lsmod|grep bonding

If you do not see anything in the output then the bonding driver is not loaded. Most distributions' default kernels compile and install the bonding driver as a module. To find out whether your distribution has the bonding driver module available, use the following command:

$ sudo /sbin/modprobe --list | grep -i bonding
/lib/modules/2.6.8-2-386/kernel/drivers/net/bonding/bonding.ko

The output of the command shows that the bonding driver is available as a module. To load the bonding driver you can do the following:

$ sudo modprobe bonding
$ sudo lsmod|grep bonding
bonding                59112  0

If your distribution does not have the bonding driver module available then you need to recompile your kernel with the support. Select "Bonding Driver Support" in the "Network Device Support" section. Remember to build the driver as a module, as that is currently the only way to pass parameters to it.

Configuring the bonding driver to load automatically at boot time

To load the bonding driver automatically at boot time:

  • On RHEL 3 modify the /etc/modules.conf file to contain the following:
    $ cat /etc/modules.conf
    alias bond0 bonding
    options bond0 miimon=100 mode=1 downdelay=2000 updelay=5000
  • On RHEL 4 modify the /etc/modprobe.conf file to contain the following:
    $ cat /etc/modprobe.conf
    alias bond0 bonding
    options bond0 miimon=100 mode=1 downdelay=2000 updelay=5000
  • On the Debian Sarge system with the 2.6.8 kernel, I had to create the /etc/modprobe.conf file and add the following lines to it.
    $ cat /etc/modprobe.conf
    alias bond0 bonding
    options bond0 miimon=100 mode=1 downdelay=2000 updelay=5000

    On Debian, if you install the modconf package, there is another way to do this.

    $ sudo apt-get install modconf
    $ sudo /usr/sbin/modconf

modconf is ncurses based. Select the bonding driver module from the list and install it. Enter the parameters for the driver when prompted and exit the utility. The bonding driver is now loaded with those parameters and is also set to load automatically the next time the server reboots.

This modconf method modifies /etc/modules (which lists the modules to be loaded at boot time) to include the bonding driver name, and creates a file named after the driver in /etc/modprobe.d/ containing its parameters. Here are the two files on my system:

$ cat /etc/modules
bonding
$ cat /etc/modprobe.d/bonding
options bonding mode=1 miimon=100 updelay=2000 downdelay=3000

Userspace Tools

You also need the ifenslave utility in addition to the bonding driver in the kernel. On Debian Sarge you can install the metapackage ifenslave, which currently points to the ifenslave-2.4 package. Since Sarge ships a 2.4 kernel by default, installing the ifenslave metapackage gives you ifenslave-2.4. If you have installed a 2.6 kernel instead of the default 2.4 kernel, install the ifenslave-2.6 package.

$ uname -a
Linux noddy 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux
$ sudo apt-get install ifenslave-2.6

Configuring the system

Once the bonding driver has been loaded with the required parameters, the system needs to be configured to use the bonding interface.

  • Red Hat Enterprise Linux (all versions) and Fedora: create a file /etc/sysconfig/network-scripts/ifcfg-bond0 with the following contents:
    DEVICE=bond0
    IPADDR=172.16.100.3
    NETMASK=255.255.0.0
    NETWORK=172.16.0.0
    BROADCAST=172.16.255.255
    ONBOOT=yes
    BOOTPROTO=none
    USERCTL=no
    PEERDNS=no
    TYPE=Ethernet
    GATEWAY=172.16.200.254

    Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0 to contain the following:

    DEVICE=eth0
    USERCTL=no
    ONBOOT=yes
    MASTER=bond0
    SLAVE=yes
    BOOTPROTO=none
    TYPE=Ethernet

    For the other NICs in the system that you want to bond together with eth0, do the same, replacing eth0 with the respective NIC (eth1, eth2 and so on).

    Restart the networking:

    $ sudo /sbin/service network restart
  • Debian and derivatives: on Debian systems edit the /etc/network/interfaces file, remove the entries for all the NICs leaving just the loopback adapter, and add the following interface definition:
    # The bonding interface
    auto bond0
    iface bond0 inet static
    address 172.16.202.2
    netmask 255.255.0.0
    gateway 172.16.200.254
    
    up ifenslave bond0 eth0 eth1
    down ifenslave -d bond0 eth0 eth1

    After that a simple restart of networking services will bring the bonding interface up.

    $ sudo invoke-rc.d networking restart
  • ifconfig will list all the interfaces along with bond0. They will all show the same MAC address and the same IP address.
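Seeing the interfaces in ifconfig tells you the bond came up, not that failover will work. The bonding driver reports its state in /proc/net/bonding/<name> (active slave, per-slave MII status, failure counts), and its documentation states that updelay and downdelay must be multiples of miimon or they are rounded down. The script below checks both; it is an added example written for this post, not the post's own or the kernel's code. OPTIONS_LINE is the modprobe.conf line from above, and BOND_STATUS is a constructed snapshot shaped like /proc/net/bonding/bond0 with eth1 deliberately shown with its link down; on a real host read the file instead.

```python
"""Check a bond after configuration: validate the driver options from
modprobe.conf and read the state the bonding driver publishes in
/proc/net/bonding/<name>.

Added example, not part of the original post.  OPTIONS_LINE is the post's
modprobe.conf line; BOND_STATUS is a constructed snapshot shaped like
/proc/net/bonding/bond0, with eth1 deliberately shown with link down."""
import re

OPTIONS_LINE = "options bond0 miimon=100 mode=1 downdelay=2000 updelay=5000"

BOND_STATUS = """\
Ethernet Channel Bonding Driver: v2.6.x (constructed sample)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 5000
Down Delay (ms): 2000

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:aa:bb:01

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:0c:29:aa:bb:02
"""


def parse_options(line):
    """Turn 'options bond0 k=v ...' into a dict; numeric values become ints."""
    opts = {}
    for key, val in re.findall(r'(\w+)=(\S+)', line):
        opts[key] = int(val) if val.isdigit() else val
    return opts


def check_options(opts):
    """Problems with the driver parameters (an empty list means fine)."""
    problems = []
    miimon = opts.get('miimon', 0)
    if miimon <= 0:
        problems.append("miimon is not set: link failures will not be noticed")
        return problems
    # updelay/downdelay are rounded down to a multiple of miimon by the driver
    for delay in ('updelay', 'downdelay'):
        val = opts.get(delay, 0)
        if val % miimon:
            problems.append("%s=%d is not a multiple of miimon=%d; the driver rounds it down to %d"
                            % (delay, val, miimon, val - val % miimon))
    return problems


def _kv(line):
    key, val = line.split(': ', 1)
    return key.strip(), val.strip()


def parse_bond_status(text):
    """Split /proc/net/bonding output into (bond header dict, [slave dicts])."""
    sections = text.strip().split('\nSlave Interface: ')
    header = dict(_kv(ln) for ln in sections[0].splitlines() if ': ' in ln)
    slaves = []
    for sec in sections[1:]:
        lines = sec.splitlines()
        slave = {'name': lines[0].strip()}
        slave.update(_kv(ln) for ln in lines[1:] if ': ' in ln)
        slaves.append(slave)
    return header, slaves


def bond_report(text):
    """Return (active slave, [names of down slaves], [messages]) for a bond."""
    header, slaves = parse_bond_status(text)
    messages = []
    if header.get('MII Status') != 'up':
        messages.append("bond has no usable link")
    down = [s for s in slaves if s.get('MII Status') != 'up']
    for s in down:
        messages.append("slave %s is down (link failures: %s)"
                        % (s['name'], s.get('Link Failure Count', '?')))
    if len(slaves) - len(down) < 2:
        messages.append("no redundancy left: fewer than two slaves are up")
    return header.get('Currently Active Slave'), [s['name'] for s in down], messages


if __name__ == '__main__':
    for problem in check_options(parse_options(OPTIONS_LINE)):
        print(problem)
    active, down, msgs = bond_report(BOND_STATUS)
    print("active slave:", active, "down:", down)
    for msg in msgs:
        print(msg)
```

Pull the cable from the active slave and run the report again: the active slave should change and the failure count of the old one should increase; if it does not, the miimon/updelay/downdelay values or the switch port are the first things to look at.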

Posted in FLOSS

First Month At New Job

The first month at the new job was hectic, and I was so busy during the weekdays that I could not find time for my family, let alone create a blog entry. Annanya, my 4-year-old daughter, missed me a lot, as by the time I came back home she was already asleep, and the next morning it was the same routine again. The situation has eased a bit as I have started to understand my servers and the organisational systems.

On the very first day, 26th Sep 2005, I was asked to move an LVM filesystem to a separate physical disk. Not a difficult task, but since it was to be done on production servers it had to be done outside core business hours, after 18:00 BST. I reached home at around 22:00 BST, and since then I have never reached home before 19:30 BST. Some people might think this is normal in a sysadmin's life, but I had got used to the luxurious life at British Airways, where I used to leave on the dot at 17:00 BST.

It was quite surprising that no proper monitoring system was in place except HP Insight Manager and RRDtool. One of the first tasks I initiated was to establish an HA monitoring station using the Linux-HA project, Nagios, RRDtool, Cacti and Cheops. To start with I have been configuring and building Nagios on my development box, which runs Slackware 10.1.

I also found that the only method of remote access to the office network from home was the Cisco VPN client, as we have Cisco Pix firewalls. I was finding it difficult to compile the Cisco VPN client for my Linux box at home because I use the latest kernel and the client demands 2.4. To give myself remote access I made use of OpenVPN without opening any additional port on the Pix firewall; you can read more about that in my techlog. Since my role was Linux Systems Administrator I decided to use a Linux desktop for myself. I quickly installed Fedora Core 4 on one desktop and Slackware 10.1 on another, and decided to use the Slackware box as a test/dev machine to try out various new things.

Overall things have eased a bit, I am really enjoying my new job and I see lots of opportunity.

Posted in Personal