
Authenticating Linux with Active Directory for CVS

This document records the findings of the pilot project to have a Linux box authenticate against
Active Directory for CVS access.
The reason for pursuing this pilot was to satisfy the following requirements:
• Developers need to use their Windows login/password to access CVS
• UNIX clients must have access to the repository, which means that pserver access
must be supported

Recommendation
The pilot Linux box was successfully configured to bind to the Windows domain using
Active Directory. CVS was then able to authenticate users against Active Directory using
their Windows user name and password. The authenticated user was then able to access
the CVS repository.

Required Packages
This project used Redhat Enterprise Linux 3 update 4 as the base operating system. The
packages that make it possible to authenticate CVS against Active Directory are:
• Kerberos – provides strong encryption for authentication.
• Name Service – specifies that Linux name services other than the default password
and group files are to be consulted for system authorization information
(winbind).
• Samba – this package is typically used to provide access to services (printers and
shared disks) residing on a Linux server to Windows clients. As of version 3.0,
the package also provides winbind, which allows the server to authenticate against
a Windows domain.
• Pluggable Authentication Modules (PAM) – provides an API so that applications
such as CVS can seamlessly delegate authentication to a variety of modules.
Modules exist to support the traditional password file as well as LDAP. This pilot
made use of the winbind PAM module provided by Samba.
• pam_require.so – a PAM module that matches an AD group against the user
attempting to use a service. It allows a fine-grained approach to authorizing AD
users for Unix services.
• xinetd – this internet services daemon provides network access to many Linux
applications, including CVS.

Also, version 1.12.12 of CVS is required. This is the first release of CVS to support
PAM. The version used for this pilot was version 1.12.11. This version is only available
from source at this time. When compiling from source, the following command is
required to enable the application to use PAM:
See “Version Management with CVS” by Per Cederqvist for more information on
compiling and configuring CVS.

Network Configuration
In order for Active Directory servers to allow transitive trust, the machine must resolve to
the same domain as the Active Directory server on a reverse DNS lookup. Therefore, the
DNS search path must include entries for each domain containing an Active Directory
server. Below is the /etc/resolv.conf in use.

[listing of /etc/resolv.conf not legible in this copy]

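The reverse-DNS condition stated above is easy to get wrong and hard to diagnose later, because the symptom is only a failed domain join. The following script is an added example, not the pilot's resolv.conf or a command from the document: it renders a resolv.conf with a search list covering every domain that holds an AD server, and checks that the PTR name of the box falls inside one of those domains. corp.example.com, ad.example.com and the 10.0.0.x resolver addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the pilot document. corp.example.com, ad.example.com
# and the 10.0.0.x resolver addresses are placeholders for the real domains.

# Print a resolv.conf whose search list names every DNS domain that holds an
# Active Directory server. Arguments: "<space separated domains>" <ns ip>...
render_resolv_conf() {
    search_list=$1
    shift
    printf 'search %s\n' "$search_list"
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Return 0 when the host name ends in one of the given domains. This is the
# condition the document states for transitive trust: the reverse lookup of
# this box must land in the same DNS domain as the Active Directory server.
fqdn_in_domains() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        case "$fqdn" in
            *".$d") return 0 ;;
        esac
    done
    return 1
}

# Live check for a box about to be joined: reverse-resolve its own address and
# compare the PTR name with the search list in /etc/resolv.conf. Needs the
# host(1) utility and a working resolver.
check_reverse_dns() {
    addr=$1
    ptr=$(host "$addr" 2>/dev/null |
          awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }')
    [ -n "$ptr" ] || { echo "no PTR record for $addr"; return 2; }
    # $domains is expanded unquoted on purpose: one argument per search domain.
    domains=$(awk '$1 == "search" { $1 = ""; print }' /etc/resolv.conf)
    if fqdn_in_domains "$ptr" $domains; then
        echo "$addr -> $ptr lies inside the search domains"
    else
        echo "$addr -> $ptr is outside the search domains; expect the domain join to fail"
        return 1
    fi
}

case "${1:-}" in
    render) render_resolv_conf "corp.example.com ad.example.com" 10.0.0.10 10.0.0.11 ;;
    check)  check_reverse_dns "${2:?usage: $0 check <ip-address>}" ;;
esac
```

Run it as `sh dnscheck.sh check <address of the Linux box>` before attempting the join; `sh dnscheck.sh render > /etc/resolv.conf` writes the placeholder configuration.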
Authentication Configuration
Bring up the Redhat authentication configuration tool by executing the following
command:
redhat-config-authentication
On the “User Information” tab, enable the option to cache user information. Below is how
the “User Information” tab should appear.
Also, enable winbind support and configure it as follows. You must use a system
administrator account on the Active Directory server in order to join the domain and establish
trust.
On the “Authentication” tab, enable Kerberos, SMB and Winbind support. Also enable the
use of shadow passwords and MD5 passwords. Below is how the configuration should
appear.

The Kerberos configuration should appear as below:


Below is the SMB configuration:

The winbind configuration appears the same as it did earlier.

Kerberos Configuration
Kerberos must be configured to access the Windows Active Directory server. This is
because the Active Directory server uses the Kerberos protocol for authentication. There
are three files for configuring Kerberos.
The /etc/krb5.conf file binds the Kerberos agent to one or more servers that use the
Kerberos protocol. Below are the contents of this file from the pilot box:

[listing of /etc/krb5.conf not legible in this copy]

The configuration file /etc/krb.conf contains information about the default realm that
serves as host for this client. Below are the entries added for the pilot:
[entries added to /etc/krb.conf not legible in this copy]

Finally, the /etc/krb.realms file contains domain/host to realm mappings. Below is the
entry added for the pilot project:
[entry added to /etc/krb.realms not legible in this copy]

Once kerberos is configured, the following command can be used to test the
configuration:
[kinit invocation not legible in this copy]

The program will prompt for a password and then attempt to authenticate the user against
the Windows Domain server using Kerberos.
The Ticket Granting Ticket (TGT) obtained by kinit expires after a period of
time. That period is controlled by the Active Directory server. Therefore, it is necessary
after the initial configuration to install a keytab file so that the machine remains authorized
with the Active Directory server.
The Network Engineering group must supply a keytab file for the server. Below is the
command to generate the keytab for the server. It is based on the Ktpass.exe article from
Microsoft listed in the references.
[ktpass command line not legible in this copy]
Once the keytab is on the Linux server it must be installed using the Kerberos keytab file
utility. Execute the following commands to load the keytab file.
[keytab utility command sequence not legible in this copy]

The list command above should list the keytab that was loaded.
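The Kerberos steps in this section (realm configuration, keytab installation, and the kinit test) are shown together below as an added example; it is not the pilot's krb5.conf or its command transcript. The realm AD.EXAMPLE.COM, DNS domain ad.example.com, domain controller dc1.ad.example.com and the host principal are placeholders, and the script assumes the MIT Kerberos tools kinit, klist and ktutil (ktutil is taken to be the keytab utility the document refers to).

```shell
#!/bin/sh
# Added example, not the pilot's krb5.conf or its command transcript. Placeholder
# values: realm AD.EXAMPLE.COM, DNS domain ad.example.com, domain controller
# dc1.ad.example.com, host principal host/cvs01.ad.example.com@AD.EXAMPLE.COM.
# Assumes MIT Kerberos tools (kinit, klist, ktutil) are installed.

# Print a minimal /etc/krb5.conf for an Active Directory realm. The domain
# controller acts as KDC; [domain_realm] maps the DNS domain onto the realm,
# which is what lets a host name resolve to the right realm.
render_krb5_conf() {
    realm=$1
    domain=$2
    kdc=$3
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Read 'klist -k' output from stdin and return 0 when the given principal is
# listed. klist -k prints header lines first, then one entry per line, so only
# lines whose first field is a key version number are examined.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit (found ? 0 : 1) }'
}

# Merge a keytab supplied by the domain administrators into the system
# keytab, confirm the host principal is in it, then prove it works with a
# password-less kinit. Must run as root on the Linux box.
install_keytab() {
    src=$1
    princ=$2
    ktutil <<EOF
rkt $src
wkt /etc/krb5.keytab
quit
EOF
    # The keytab is a long-lived credential: nobody but root may read it.
    chmod 600 /etc/krb5.keytab
    klist -k /etc/krb5.keytab | keytab_has_principal "$princ" ||
        { echo "$princ is not in /etc/krb5.keytab" >&2; return 1; }
    # -k -t: obtain a TGT with the keytab instead of prompting for a password.
    kinit -k -t /etc/krb5.keytab "$princ" && klist
}

case "${1:-}" in
    render)  render_krb5_conf AD.EXAMPLE.COM ad.example.com dc1.ad.example.com ;;
    install) install_keytab "${2:?keytab file}" "${3:?principal}" ;;
esac
```

`sh krb.sh render > /etc/krb5.conf` writes the realm configuration; `sh krb.sh install /tmp/cvs01.keytab host/cvs01.ad.example.com@AD.EXAMPLE.COM` loads the delivered keytab and ends with a klist showing the TGT, which is the same check the document performs by hand.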

Name Service Configuration


Name service configuration is contained in the /etc/nsswitch.conf file. It must be updated
so that services will consult winbind for authorization information. Below are the
contents of the file used for the project pilot:
[listing of /etc/nsswitch.conf not legible in this copy]

Samba Configuration
The configuration of Samba is contained in a single configuration file, but there are
several parameters that must be specified. Below are the parameters that were overridden
in the pilot project:

[smb.conf parameters not legible in this copy]

We will want to do further experimentation with the parameters that specify the user, group,
home and shell. This is because the parameters specified above are probably too open for
a production environment. For example, we probably want Windows users to have login
access to the box.
Now the Linux server must be joined to the Windows domain to establish a trust
relationship. Execute the following command to establish this trust:
[domain join command not legible in this copy]
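The concern raised above, that the user/group/home/shell parameters are too open, comes down mostly to the `template shell` setting: with an interactive shell every mapped domain user can log in to the box, while with /sbin/nologin they can still authenticate to CVS through PAM but cannot log in. The script below is an added example, not the pilot's smb.conf, and renders both variants side by side, followed by the join and its verification. Workgroup CORP, realm AD.EXAMPLE.COM, the domain controller dc1.ad.example.com and the id range 10000-20000 are placeholders.

```shell
#!/bin/sh
# Added example, not the pilot's smb.conf. Placeholder values: workgroup CORP,
# realm AD.EXAMPLE.COM, domain controller dc1.ad.example.com and the uid/gid
# range 10000-20000 reserved for mapped domain accounts.

# Print the [global] section that puts Samba into ADS security mode and turns
# on winbind. The "template shell" line decides what a mapped domain user can
# do on the box beyond CVS:
#   open     - every domain user gets an interactive shell (what the document
#              calls too open for production)
#   nologin  - users still authenticate to CVS through PAM, but cannot log in
render_smb_global() {
    mode=${1:-nologin}
    case "$mode" in
        open)    shell=/bin/bash ;;
        nologin) shell=/sbin/nologin ;;
        *) echo "mode must be 'open' or 'nologin'" >&2; return 2 ;;
    esac
    cat <<EOF
[global]
    workgroup = CORP
    realm = AD.EXAMPLE.COM
    security = ads
    password server = dc1.ad.example.com
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind use default domain = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 300
    template homedir = /home/%D/%U
    template shell = $shell
EOF
}

# Join the domain and verify the machine account. The account named must be
# allowed to create computer objects in AD; 'net ads' relies on the Kerberos
# and DNS setup from the earlier sections being correct.
join_domain() {
    admin=$1
    net ads join -U "$admin" || { echo "join failed" >&2; return 1; }
    net ads testjoin || return 1      # prints "Join is OK" when the trust works
    service winbind restart
}

case "${1:-}" in
    render) render_smb_global "${2:-nologin}" ;;
    join)   join_domain "${2:?domain administrator account}" ;;
esac
```

`sh smb.sh render nologin` prints the hardened variant and `sh smb.sh render open` the permissive one, so the two can be diffed; `sh smb.sh join Administrator` performs the join the document describes and checks it with `net ads testjoin`.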

After configuring Samba the service winbindd must be running in order to authenticate
against the Windows domain server.
Execute the following command to test that winbind can get a list of users from the
Windows domain:
[command not legible in this copy]

Execute the following command to test that the machine has trust established to each domain.
Each domain where trust is established will list a sequence identifier. Domains without
trust will either read as DISCONNECTED or have a sequence identifier of -1. If some of
the domains are not connected, make sure resolv.conf has an entry for the domain of the
Active Directory server that is not connected.
[command not legible in this copy]

Execute the following command to test the ability of winbind to authenticate an
individual user within the domain:
[command not legible in this copy]

Finally, the following command should be executed to test that the mapping of Windows
domain users to Linux users is working. It will list the contents of the Linux password
file along with mappings of each user in the Windows domain.
[command not legible in this copy]
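The name service file from the previous section and the four winbind checks above are combined in the following added example; it is not the pilot's own file or command transcript. It renders an nsswitch.conf that consults winbind, and turns the trust and mapping tests into functions that read `wbinfo --sequence` and `getent passwd` output from stdin, so they can be exercised on constructed samples as well as on a live box. The domain names and the user CORP+jdoe in the samples are placeholders, and `wbinfo --sequence` is assumed to be the command whose DISCONNECTED / -1 output the document describes.

```shell
#!/bin/sh
# Added example serving both the name-service and the winbind checks above;
# not the pilot's own files. The wbinfo and getent output used in the checks
# is read from stdin, so it can be fed with constructed samples.

# Print an /etc/nsswitch.conf in which account lookups consult the local files
# first and winbind second, so getent and PAM see domain users and groups.
render_nsswitch_conf() {
    cat <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
EOF
}

# Read 'wbinfo --sequence' output ("DOMAIN : <seq>") from stdin. Print every
# domain that is not connected, which the document says shows up as
# DISCONNECTED or a sequence of -1; exit 0 only when all domains are connected.
disconnected_domains() {
    awk -F' : ' '
        NF == 2 {
            gsub(/ /, "", $1); gsub(/ /, "", $2)
            if ($2 == "DISCONNECTED" || $2 == "-1") { print $1; bad++ }
        }
        END { exit (bad ? 1 : 0) }'
}

# Read 'getent passwd' output from stdin and return 0 when the domain user is
# present, which shows the nsswitch + winbind mapping works end to end.
getent_has_user() {
    awk -F: -v u="$1" '$1 == u { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Live checks on a joined box: needs wbinfo, getent and a running winbindd.
run_checks() {
    user=$1
    wbinfo -u >/dev/null || { echo "winbind cannot enumerate domain users" >&2; return 1; }
    if bad=$(wbinfo --sequence | disconnected_domains); then
        echo "all trusted domains are connected"
    else
        echo "domains without trust (check the search list in /etc/resolv.conf):"
        echo "$bad"
    fi
    getent passwd | getent_has_user "$user" && echo "$user is mapped to a Linux account"
    # Password check through winbind, in the user%password form the document
    # uses. Read the password without echo so it stays out of shell history;
    # it is still visible in the process list while wbinfo runs.
    printf 'Password for %s: ' "$user"
    stty -echo; read -r pass; stty echo; echo
    wbinfo -a "$user%$pass"
    unset pass
}

case "${1:-}" in
    render) render_nsswitch_conf ;;
    check)  run_checks "${2:?domain user, e.g. CORP+jdoe}" ;;
esac
```

`sh winbind-check.sh check CORP+jdoe` runs the four tests in the order the document lists them; a domain printed under "domains without trust" is the cue to add its DNS domain to resolv.conf, as the text advises.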

PAM Configuration
Configuring CVS to use PAM requires that a configuration file be added to /etc/pam.d
specifically for CVS access. The file specifies what level of authentication is required by
the application as well as which modules are consulted to authenticate users. Below are
the contents of /etc/pam.d/cvs from the pilot box:
Fedora Core 3 Example:
[Fedora Core 3 /etc/pam.d/cvs listing not legible in this copy]

This file was created by copying the contents of the login configuration file which
delegates the modules consulted to the system-auth configuration. This delegation allows
a system administrator to control the authentication chain for many applications with a
single file.
Redhat Enterprise Linux 3 Example:
[Redhat Enterprise Linux 3 /etc/pam.d/cvs listing not legible in this copy]
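As an added example of the PAM service file this section describes (not the pilot's own /etc/pam.d/cvs), the script below renders a cvs service that authenticates through pam_winbind and then restricts access to one AD group with pam_require.so, the module listed under Required Packages. It also performs a syntax check before installing, since a malformed rule otherwise surfaces only as an unexplained login failure. Assumptions: modules live in /lib/security as on RHEL 3, the winbind separator is "+", CORP+cvs-dev is a placeholder group, and the `@group` argument form is taken from pam_require's own usage rather than from the document.

```shell
#!/bin/sh
# Added example, not the pilot's /etc/pam.d/cvs. Assumptions: modules live in
# /lib/security as on RHEL 3, the winbind separator is "+", and CORP+cvs-dev
# is a placeholder for the AD group whose members may use CVS. The "@group"
# argument form of pam_require.so is assumed from that module's usage.

# Print a PAM service file for cvs pserver. Order matters: pam_winbind checks
# the password against AD; the account stage then rejects any user outside the
# named group (requisite: stop at once) before winbind's own account checks.
# Local /etc/passwd users are deliberately not accepted by this service.
render_pam_cvs() {
    group=$1
    cat <<EOF
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       required     /lib/security/pam_winbind.so
account    requisite    /lib/security/pam_require.so @$group
account    required     /lib/security/pam_winbind.so
EOF
}

# Sanity-check a PAM service file read from stdin: every rule needs a type,
# a control flag and a module, and the type must be one PAM knows. A typo
# here otherwise shows up only as an unexplained "permission denied" at
# cvs login time.
pam_file_ok() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF < 3 { bad++; next }
        $1 !~ /^(auth|account|password|session)$/ { bad++ }
        END { exit (bad ? 1 : 0) }'
}

# Write the file only if it passes the check; root-owned and not group or
# world writable, since whoever can edit it decides who may commit.
install_pam_cvs() {
    render_pam_cvs "$1" | pam_file_ok ||
        { echo "generated PAM file is malformed" >&2; return 1; }
    render_pam_cvs "$1" > /etc/pam.d/cvs && chmod 644 /etc/pam.d/cvs
}

case "${1:-}" in
    render)  render_pam_cvs "${2:-CORP+cvs-dev}" ;;
    install) install_pam_cvs "${2:?AD group allowed to use CVS}" ;;
esac
```

Unlike the pilot's file, this service does not delegate to system-auth, so a change to the system-wide chain cannot silently widen who may use CVS; the trade-off is that the file must be maintained on its own.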

xinetd Configuration
This package provides internet access to many applications within Linux, including CVS.
Configuration for the services is stored in the /etc/xinetd.d directory. Below is the
configuration file /etc/xinetd.d/cvspserver used for the pilot project to allow CVS access
using pserver.
[listing of /etc/xinetd.d/cvspserver not legible in this copy]

Once this service is configured, remote clients can access the CVS server using pserver.
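The xinetd entry, as an added example rather than the pilot's own file: it renders a cvspserver service, refuses to install one that lacks the two settings a pserver deployment should not go live without (`--allow-root`, which pins the repositories cvs will serve, and `only_from`), and confirms the listener afterwards. The repository root /var/cvs, the cvs path /usr/local/bin/cvs (a source build, as the document requires) and the network 10.0.0.0/8 are placeholders.

```shell
#!/bin/sh
# Added example, not the pilot's xinetd entry. Placeholder values: repository
# root /var/cvs, a source-built cvs at /usr/local/bin/cvs, and 10.0.0.0/8 as
# the only network allowed to reach pserver.

# Print the /etc/xinetd.d/cvspserver entry. The lines that matter for safety:
#   server_args --allow-root pins the repositories cvs will serve; without it
#               a client may name any directory on the box as its CVSROOT
#   user = root is needed so cvs can call PAM and then switch to the
#               authenticated user's uid
#   only_from   limits which networks may even attempt a pserver login
render_cvspserver() {
    repo=$1
    cvsbin=$2
    net=$3
    cat <<EOF
service cvspserver
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = $cvsbin
    server_args     = -f --allow-root=$repo pserver
    port            = 2401
    only_from       = $net
    log_on_failure  += USERID
}
EOF
}

# Review an entry read from stdin for the two settings a pserver deployment
# should not go live without: --allow-root and only_from.
cvspserver_entry_ok() {
    awk '
        $1 == "server_args" && /--allow-root=/ { root = 1 }
        $1 == "only_from"                      { from = 1 }
        END { exit (root && from ? 0 : 1) }'
}

# Install and verify on the box: write the entry, reload xinetd, confirm a
# listener on 2401 (the cvspserver port from /etc/services).
install_cvspserver() {
    render_cvspserver "$@" | cvspserver_entry_ok ||
        { echo "refusing to install an entry without --allow-root or only_from" >&2; return 1; }
    render_cvspserver "$@" > /etc/xinetd.d/cvspserver
    service xinetd reload
    netstat -tln | grep -q ':2401 ' && echo "pserver is listening on tcp/2401"
}

case "${1:-}" in
    render)  render_cvspserver /var/cvs /usr/local/bin/cvs 10.0.0.0/8 ;;
    install) install_cvspserver "${2:?repo root}" "${3:?cvs binary}" "${4:?allowed network}" ;;
esac
```

pserver transmits the password with only a trivial scrambling, not encryption, so `only_from` and the placement of the server on a trusted network are the controls that actually protect the Windows credentials being reused here; the document accepts pserver because the UNIX clients need it.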

CVS Usage
Once the configuration is complete, users can access the CVS repository on the Linux
box with their Windows user name and password. Below is a command line example
showing how to login using the Windows user for authentication:
! ) )-(. D + " )

Also, UNIX users can export CVS root in the following manner to access the repository:
[CVSROOT export examples not legible in this copy]

Security
SAMBA/winbind creates a database mapping Active Directory users and groups to
users and groups on the Linux system. Using normal file and group permissions, updates
to any portion of the CVS repository can be limited to those users and groups that
have been mapped to the Linux system. Groups within sub-domains must be global in
order for mappings on the Linux system to be created.
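The following script is an added example of the permission scheme described above; it is not part of the document. It hands one module directory inside the repository to a mapped AD group: group ownership, setgid directories so new RCS files inherit the group, and no access for other users, which limits both commit and checkout of that module to the group's members. It assumes the winbind separator is "+", so that the AD group cvs-dev of domain CORP appears on Linux as CORP+cvs-dev; /var/cvs/payroll is a placeholder module path.

```shell
#!/bin/sh
# Added example, not part of the document. Assumption: the winbind separator
# is "+", so the AD group cvs-dev of domain CORP appears on Linux as
# CORP+cvs-dev; /var/cvs/payroll stands in for a module directory.

# Hand one module (a directory tree inside the repository) to a mapped AD
# group: group-owned, group-writable, setgid on directories so new RCS files
# inherit the group, and no access at all for other users, which limits both
# commit and checkout of that module to the group's members.
restrict_module_to_group() {
    moddir=$1
    grp=$2
    [ -d "$moddir" ] || { echo "no such directory: $moddir" >&2; return 2; }
    # A group that winbind has not mapped yet would make chgrp fail half-way.
    getent group "$grp" >/dev/null ||
        { echo "group $grp is not known to the system (check winbind)" >&2; return 3; }
    chgrp -R "$grp" "$moddir" || return 1
    find "$moddir" -type d -exec chmod 2770 {} \;
    find "$moddir" -type f -exec chmod 660 {} \;
}

# Mode string of a path as ls prints it; "drwxrws---" for a restricted module.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

case "${1:-}" in
    restrict) restrict_module_to_group "${2:?module directory}" "${3:?group, e.g. CORP+cvs-dev}" ;;
    show)     mode_of "${2:?path}" ;;
esac
```

`sh cvsperm.sh restrict /var/cvs/payroll CORP+cvs-dev` applies the scheme and `sh cvsperm.sh show /var/cvs/payroll` confirms it. Note that the CVSROOT administrative directory and the repository root itself still need to stay readable by every CVS user; only module directories should be restricted this way.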

Appendix A
Below is a list of the packages installed on the system used to pilot this project, along with
their versions. Not all of the packages may be required, but there are dependencies
between several of them.
Fedora Core 3 Example:
Package Version
kernel 2.6.10-1.766_FC3
kernel-utils 2.4-13.1.49_FC3
krb5-libs 1.3.6-2
samba 3.0.10-1.fc3
samba-common 3.0.10-1.fc3
openssl 0.9.7a-40
nss_ldap 220-3
nss_db 2.2-29
pam_passwdqc 0.7.5-2
pam 0.77-66.2
pam_smb 1.1.7-5
pam_krb5 2.1.2-1
pam_ccreds 1-3
openldap-clients 2.2.13-2
openldap 2.2.13-2
xinetd 2.3.13-4.25-2

RHEL 3 Example:
Package Version (RPM)
kernel kernel-smp-2.4.21-4.EL
kernel-utils kernel-utils-2.4-8.37
krb5-libs krb5-libs-1.2.7-47
samba samba-3.0.20-1 ( built by hand )
openssl openssl-0.9.7a-33.15
nss_ldap nss_ldap-207-2
pam pam-0.75-51
pam_smb pam_smb-1.1.7-1
pam_krb5 pam_krb5-1.70-1
pam_devel pam-devel-0.75-51
openldap-clients openldap-clients-2.0.27-11
openldap openldap-2.0.27-11
xinetd xinetd-2.3.12-2.3E
cvs 1.12.12 (config option --enable-pam )

References
CVS. https://www.cvshome.org/
Cederqvist, Per. Version Management with CVS.
https://ccvs.cvshome.org/files/documents/19/607/cederqvist-1.12.11.pdf
Smith, Roderick W. Linux in a Windows World.
http://www.oreilly.com/catalog/linuxwinworld/
Vernooij, Jelmer R., et al. SAMBA HowTo Collection.
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/
Terpstra, John H., et al. Samba-3 by Example.
http://www.samba.org/samba/docs/man/Samba3-ByExample/
HOW TO: Use Ktpass.exe in Windows 2000.
http://support.microsoft.com/default.aspx?scid=kb;en-us;324144
