
Linux authenticating on AD and running with LTS... http://translate.googleusercontent.com/translate_c...

Linux authenticating on AD and running LTSP with DHCP (Windows 2003)

Author: David Roberts at <davirodrigues gmail.com>

Date: 08/01/2009

Introduction

Let's talk here about a setup that someone may one day have to build out of
necessity, as happened with a client we serve.

What we use:

Linux Ubuntu 8.04 LTS Server
LTSP 5
Samba
Winbind
Kerberos

This will be the machine that we join to the Windows 2003 AD domain.

Let's get to the subject.

Installing LTSP 5

Let's install LTSP 5:

# apt-get update
# apt-get install ltsp-server-standalone openssh-server

Once done, we check whether SSH is configured as needed.

The directive "X11Forwarding yes" must be set in the following file:

# vim /etc/ssh/sshd_config

1 of 10 05/03/2010 08:26 PM

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

Setting up the environment for the terminals

Installing the environment for the terminals:

# ltsp-build-client

If the environment is not installed successfully, you must remove the directory
/opt/ltsp/ and run the command again:

# rm -rf /opt/ltsp
# ltsp-build-client

Configuring Windows 2003 DHCP for LTSP

To make it happen, just set the following options in the Windows DHCP scope:

17 Root Path - 192.168.1.5:/opt/ltsp/i386
66 Boot Server Host Name - 192.168.1.5
67 Bootfile Name - /ltsp/i386/pxelinux.0

After making these settings you can boot the machines over the network, and
that's it: LTSP is now working.

That completes the first part of the tutorial. Our next step is to have the
users of the LTSP authenticate against Active Directory, so let's go.

Configuring Linux to authenticate to AD

We will install the dependencies as the article proceeds.

First edit /etc/hosts, adding the name and IP of your Domain Controller:

# vim /etc/hosts

10.100.0.165 dominio.com.br realm
10.100.0.165 maquina.dominio.com.br machine_name
127.0.0.1 localhost localhost.localdomain prx

Then we install ntpdate to synchronize the time between the Linux server and
an NTP server:

# apt-get install ntpdate

Installing Kerberos

Kerberos on Linux (Debian Etch):

# apt-get install krb5-kdc krb5-config krb5-clients libpam-krb5 krb5-user

After installation edit the krb5.conf file:

# vim /etc/krb5.conf

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMINIO.COM.BR
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DOMINIO.COM.BR = {
kdc = 10.100.0.165
admin_server = 10.100.0.165:749
default_domain = 10.100.0.165
}

[domain_realm]
.nelinha-sp.com.br = DOMINIO.COM.BR
nelinha-sp.com.br = DOMINIO.COM.BR

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

Save and close.


We will now edit some configuration files so that the proxy and the Domain
Controller communicate via Kerberos.

First, the time on the Linux server and on the Windows server must be
synchronized. For this we use an NTP server, with the following steps:

Linux server:

# ntpdate ntp.cais.rnp.br

Windows server:

C:\WINNT> net time /setsntp:ntp.cais.rnp.br
C:\WINNT> net stop w32time & net start w32time

Note: for the time update to work, NTP traffic has to be allowed through the
gateway firewall.

Then we start the communication between Linux and the Domain Controller using
Kerberos (remembering that the domain used in this article is DOMINIO.COM.BR).

You will be prompted for the password of the user "administrator". If all went
well, run the command "klist" and the output will be similar to what we
obtained, as follows:

# kinit administrator
Password for administrador@DOMINIO.COM.BR:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrador@DOMINIO.COM.BR
Valid starting     Expires            Service principal
02/22/07 14:25:47  02/23/07 00:25:47  krbtgt/MACHINE@DOMINIO.COM.BR
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

If the command output differs from the one above, check:

whether there is an error in the krb5.conf file;
whether the time is synchronized between the machines;
whether the administrator password was changed.


Installing and configuring Samba and winbind

Let's install winbind:

# apt-get install winbind

Then we edit the nsswitch.conf file:

# vim /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

PS: DO NOT START winbind yet.

Let's install Samba on Debian Etch:

# apt-get install samba

Edit the smb.conf file:

# vim /etc/samba/smb.conf

[global]
workgroup = your-domain
server string = ltsp server
log level = 2
log file = /var/log/samba/%m.log
max log size = 50
security = ads
password server = 10.100.0.165
encrypt passwords = true
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /dev/null
template shell = /dev/null
winbind use default domain = yes
interfaces = 10.100.0.0/16
bind interfaces only = yes
realm = dominio.com.br

#======= Share Definitions =========

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775

[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
guest ok = yes
writable = no
printable = yes
Note: before starting Samba you must join the domain. Before joining, check
the following:

Check whether the file /etc/samba/secrets.tdb exists; if so, delete it. This
file must be deleted because it stores the settings of a previous domain join;
Check on the Windows side whether the Samba machine account already exists in
the domain; if so, delete it.

If the machine joins successfully, a success message appears, a new
secrets.tdb file is created and the machine will appear in AD.
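A pre-join check script covering the kinit/klist troubleshooting list and the secrets.tdb checklist above, added here as an example (not the article's own code). It assumes the article's file paths, the DC address 10.100.0.165, the realm DOMINIO.COM.BR and the Kerberos default clock-skew limit of 300 seconds:

```shell
#!/bin/sh
# Pre-join checks for the Kerberos/Samba setup in this article (added example,
# not the article's own script). File paths and the 10.100.0.165 DC address
# are assumed from the article; MAX_SKEW is the Kerberos default of 300 s.
MAX_SKEW=300

# Value of "key = value" in an INI-style file (krb5.conf, smb.conf):
# skips comment lines, trims spaces, matches the key case-insensitively.
ini_value() {  # ini_value FILE KEY
    awk -v key="$2" -F= '
        /^[[:space:]]*[#;]/ { next }
        NF >= 2 { k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
                  if (tolower(k) == tolower(key)) {
                      v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                      print v; exit } }' "$1"
}

# 1. default_realm in krb5.conf and realm in smb.conf must name the same
#    realm (Samba upper-cases its value; Kerberos wants it upper case as is).
realms_consistent() {  # realms_consistent KRB5_CONF SMB_CONF
    krb=$(ini_value "$1" default_realm)
    smb=$(ini_value "$2" realm | tr 'a-z' 'A-Z')
    [ -n "$krb" ] && [ "$krb" = "$smb" ]
}

# 2. The clock offset to the DC in seconds (as "ntpdate -q" prints it) must
#    stay below MAX_SKEW, or kinit fails with "Clock skew too great".
clock_skew_ok() {  # clock_skew_ok OFFSET_SECONDS
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o < m) }'
}

# 3. klist output must show a krbtgt ticket for the realm, proving the
#    kinit step against the DC worked.
klist_has_tgt() {  # klist_has_tgt REALM   (klist output on stdin)
    grep -q "krbtgt/[^@ ]*@$1"
}

# 4. A secrets.tdb left by an earlier join must be removed before joining.
stale_secrets() {  # stale_secrets PATH -> true when the file exists
    [ -e "$1" ]
}
# Live run as root with network access: sh precheck.sh live
if [ "${1:-}" = "live" ]; then
    realms_consistent /etc/krb5.conf /etc/samba/smb.conf || echo "realm mismatch"
    off=$(ntpdate -q 10.100.0.165 | awk -F'offset ' 'NR == 1 { split($2, a, ","); print a[1] }')
    clock_skew_ok "$off" || echo "clock skew of $off s is too large"
    klist 2>/dev/null | klist_has_tgt DOMINIO.COM.BR || echo "no TGT, run kinit first"
    stale_secrets /etc/samba/secrets.tdb && echo "delete /etc/samba/secrets.tdb first"
fi
```

Run it with the `live` argument on the LTSP server right before `net ads join`; without an argument it only defines the check functions.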

Start Samba and winbind:

# /etc/init.d/samba start
# /etc/init.d/winbind start


Configuring PAM and the common-* files

We will now configure PAM. Enter the directory /etc/pam.d/:

# cd /etc/pam.d

Let's edit the first file, common-account:

# vim common-account

account sufficient pam_winbind.so
account required pam_unix.so

# vim common-auth

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

# vim common-password

password required pam_unix.so nullok obscure min=4 max=50 md5

# vim common-session

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Create the file /etc/pam.d/common-winbind with this content:

account required pam_winbind.so use_first_pass
auth required pam_winbind.so use_first_pass
session required pam_winbind.so use_first_pass

In /etc/pam.d/gdm add:

@include common-pammount
@include common-winbind

Once these files are configured, everything is ready to authenticate against
the Windows Server 2003 domain. Join the domain with:

# net ads join -U administrator%password@DOMINIO.COM.BR


In my case the users also had to log in in graphical mode, so I had to edit
the file mentioned above, /etc/pam.d/gdm.

Well, I hope you enjoyed it and that it can help many others...

"Freedom for all"

http://www.vivaolinux.com.br/artigo/Linux-autenticando-no-AD-e-rodando-LTSP-com-DHCP-(Windows-2003)
