0

Authenticating Linux users against Microsoft Active Directory

If you work in a company with Microsoft Windows focused IT this is a great way to delegate your Linux users authentication. No more “I forgot my password”. With this configuration you are free of that. However you still can create local users without this centralized authentication.

This was tested with Ubuntu 8.04, 10.04 and 12.04

Active Directory credentials

The first step is to ask the Active Directory guys permission to use their authentication service. They will give you:

  1. The network address of the Active Directory (one or more, usually by IP address)
  2. A base DN
  3. A bind DN user
  4. A bind DN password

This bind designated name will permit your systems to use the Active Directory. The base DN is the top level of the Active Directory (LDAP) directory tree.

The LDAP client configuration

You should install these modules. Usually it will ask for LDAP parameters during the installation. You can just ignore them at this time.

sudo apt-get install libpam-ldap
sudo apt-get install libpam-modules

Now just edit your /etc/ldap.conf with the information you got in the previous section

host 10.11.12.13
base ou=ACME,dc=example,dc=com
ldap version 3
binddn cn=Linux Auth System,ou=ACMEServiceAccounts,dc=example,dc=com
bindpw uwegyjus
pam_login_attribute sAMAccountName

Adapting the pam modules

Now make sure all the /etc/pam.d/common-* files are like these

/etc/pam.d/common-account

account    [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account    [success=1 default=ignore] pam_ldap.so
account    requisite pam_deny.so
account    required pam_permit.so

/etc/pam.d/common-auth

auth    [success=2 default=ignore]    pam_unix.so nullok_secure
auth    [success=1 default=ignore]    pam_ldap.so use_first_pass
auth    requisite                     pam_deny.so
auth    required                      pam_permit.so

/etc/pam.d/common-password

password    [success=2 default=ignore]    pam_unix.so obscure sha512
password    [success=1 user_unknown=ignore default=die]    pam_ldap.so use_authtok try_first_pass
password    requisite                     pam_deny.so
password    required                      pam_permit.so

/etc/pam.d/common-session

session    [default=1]    pam_permit.so
session    requisite      pam_deny.so
session    required       pam_permit.so
session    required       pam_unix.so
session    optional       pam_ldap.so
session    required       pam_mkhomedir.so umask=0022

But every authentication will fail. Your system doesn’t know anything about these new users. You have to add each user first :-)

Adding Linux users

You may have a framework to deploy users among several machines, but we will just add one:

sudo addgroup acme

By default all these foreign accounts will belong to the acme group.

sudo addusers --no-create-home --ingroup acme pkdick

and you just add to one of your systems user pkdick belonging to group acme. The /home/pkdick creation will be performed automatically by the pam system (pam_mkhomedir.so) and not by the addusers command.

So…

  • Get the authorization to deal with Active Directory
  • Install libpam-ldap + libpam-modules
  • Update /etc/ldap.conf and check /etc/pam-d/common-*
  • Create the Linux users with the same user name from the Windows Domain.

Leave a Reply