SUSE Manager 1.2.x ADS Authentication
How to use MS-ADS authentication
(Version 0.7 / March 2nd 2012)

Preface
This paper should help to integrate SUSE Manager into an existing Microsoft Active Directory Service (ADS) for user authentication. The example shows how a “simple” Windows 2008 domain, without any forest or trust, can be used to authenticate SUSE Manager users against the ADS service. This does not replace the user management in the product itself; only the password management is outsourced to the Active Directory. Users still have to be created, and removed, in SUSE Manager.

SUSE Manager can use the PAM authentication stack of the Linux operating system, so the first task is to bind the operating system to the Microsoft ADS. This can be done in several ways, as always, but this document shows two slightly different ways.

ADS is based on Kerberos, so the SLES base of SUSE Manager has to be configured as a Kerberos client. But this solves only the authentication; the system also needs a naming service to resolve the user names. Here different solutions are possible: local users, Samba/winbind or LDAP. This document shows the first two possibilities. When the authentication is working, SUSE Manager can be configured to use the PAM stack. It is important that the user names in SUSE Manager are the same as on the operating system level.
The example uses the following assumptions:

    AD domain name (Kerberos realm)   PEUKINGEN.DE
    AD server                         winad.peukingen.de
    DNS domain                        peukingen.de
    SUSE Manager host                 sm11.peukingen.de
All trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective owners.
Preparation

The following steps are necessary to integrate SUSE Manager into an ADS user environment.

1. DNS service

The SUSE Manager host must use the DNS server of the Windows domain, and all systems should be registered in that DNS service. Both the name and the IP address of the ADS server must resolve, in both directions, and the service records (SRV) of the domain must be found:

    sm11:~ # getent hosts winad.peukingen.de
    192.168.7.10    winad.peukingen.de
    sm11:~ # getent hosts winad
    192.168.7.10    winad.peukingen.de
    sm11:~ # getent hosts 192.168.7.10
    192.168.7.10    winad.peukingen.de
    sm11:~ # nslookup -query=any _gc._tcp.peukingen.de
    Server:         192.168.7.10
    Address:        192.168.7.10#53

    _gc._tcp.peukingen.de   service = 0 100 3268 winad.peukingen.de.

2. Time synchronization

All systems must use the same time; Kerberos rejects tickets when the clocks differ by more than a few minutes. It is recommended to use the Windows AD server as the time source. The clock can be set once by running the following; for permanent synchronization, configure ntpd with the AD server as its time source:

    sm11:~ # sntp -P no -r winad
    sm11:~ # date
    Tue Jan 31 15:07:27 CET 2012

3. SUSE Manager is up to date

To get winbind working, the latest updates for SLES 11 SP1 and SUSE Manager have to be applied to the system.
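The DNS and time checks of steps 1 and 2 are easy to get slightly wrong (a missing reverse record, or a clock that drifted again after the one-time sntp run), so the following script repeats them before the join. It is an added example and not part of the original document. Assumptions: the DNS domain and the domain controller name are passed as arguments (peukingen.de and winad.peukingen.de in this paper); the skew check parses the output of ntpdate -q, which is not the command used above, so adapt skew_ok if only sntp is installed; the 300 s limit is the Kerberos default clock skew.

```shell
#!/bin/sh
# preflight.sh: repeat the DNS and time checks of the preparation steps.
# Added example, not from the original document.
# Usage: sh preflight.sh <dns-domain> <domain-controller>
#   e.g. sh preflight.sh peukingen.de winad.peukingen.de
# Assumption: "ntpdate -q" is available for the clock skew check.

MAX_SKEW=300   # seconds; the krb5 default clockskew

# Print the target host of the first SRV record found in
# "nslookup -query=srv ..." output read from stdin, e.g.
#   _gc._tcp.peukingen.de   service = 0 100 3268 winad.peukingen.de.
srv_target() {
    awk '/service = / { host = $NF; sub(/\.$/, "", host); print host; exit }'
}

# $1 = "getent hosts <name>" result line, $2 = "getent hosts <ip>" result line.
# Succeeds only when both lookups agree on address and canonical name; Kerberos
# canonicalises the host name, so a forward/reverse mismatch breaks the join.
ptr_consistent() {
    a=$(printf '%s\n' "$1" | awk '{ print $1, $2 }')
    b=$(printf '%s\n' "$2" | awk '{ print $1, $2 }')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Read "ntpdate -q <server>" output from stdin, e.g.
#   server 192.168.7.10, stratum 3, offset -0.012345, delay 0.02600
# and succeed when |offset| <= MAX_SKEW seconds. Exit 2 when no offset is found.
skew_ok() {
    awk -v max="$MAX_SKEW" '
        /^server / {
            for (i = 1; i < NF; i++)
                if ($i == "offset") { off = $(i + 1) + 0; found = 1 }
        }
        END {
            if (!found) exit 2
            if (off < 0) off = -off
            if (off <= max) exit 0
            exit 1
        }'
}

# Live checks. $1 = DNS domain, $2 = domain controller host name.
preflight() {
    dom=$1; dc=$2; rc=0
    fwd=$(getent hosts "$dc") || { echo "FAIL: $dc does not resolve"; return 1; }
    ip=$(printf '%s\n' "$fwd" | awk '{ print $1 }')
    rev=$(getent hosts "$ip") || { echo "FAIL: no reverse record for $ip"; rc=1; }
    if ptr_consistent "$fwd" "$rev"; then
        echo "OK: $dc <-> $ip"
    else
        echo "FAIL: forward/reverse mismatch: '$fwd' vs '$rev'"; rc=1
    fi
    # SRV records a domain member needs: Kerberos KDC, LDAP on a DC, global catalog.
    for rr in "_kerberos._tcp.$dom" "_ldap._tcp.dc._msdcs.$dom" "_gc._tcp.$dom"; do
        target=$(nslookup -query=srv "$rr" 2>/dev/null | srv_target)
        if [ -n "$target" ]; then
            echo "OK: $rr -> $target"
        else
            echo "FAIL: no SRV record for $rr"; rc=1
        fi
    done
    if ntpdate -q "$dc" 2>/dev/null | skew_ok; then
        echo "OK: clock within ${MAX_SKEW}s of $dc"
    else
        echo "FAIL: clock skew to $dc exceeds ${MAX_SKEW}s (or ntpdate failed)"; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it on the SUSE Manager host before the YaST join; every FAIL line maps to one of the three preparation steps above.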
Enable PAM authentication in SUSE Manager

Three simple changes have to be made on the system to enable PAM:

1. Set up a PAM service file /etc/pam.d/susemanager:

    #%PAM-1.0
    auth     include  common-auth
    account  include  common-account
    password include  common-password
    session  include  common-session

Because the service file includes the common-* stack, a SUSE Manager user set up for PAM authentication is accepted with whatever password that stack accepts. Do not give such accounts a local password in /etc/shadow, so that only the Windows password works.

2. Add to /etc/rhn/rhn.conf the line pam_auth_service = susemanager:

    sm11:~ # echo pam_auth_service = susemanager >> /etc/rhn/rhn.conf

3. Reboot the system (or restart all affected services).

Kerberos authentication with local users

In this case only the authentication is done against the Microsoft ADS service. All users have to be known to the local naming system (/etc/passwd).

YaST can be used to configure the /etc/krb5.conf file. Install the following packages:

    sm11:~ # zypper install yast2-kerberos-client pam_krb5 krb5-client pam_krb5-32bit

Start YaST, select the “Network Services” menu and the item “Kerberos Client” within this menu. Change the option to “Use Kerberos” and complete the basic Kerberos settings.
Use the IP of the Windows ADS server as “KDC Server Address”. After submitting the dialog, test the authentication with kinit. kinit retrieves a Kerberos ticket from the ADS server; the realm part of the principal must be written in capital letters (PEUKINGEN.DE):

    sm11:~ # kinit -V [email protected]
    Password for [email protected]:
    Authenticated to Kerberos v5

Now the user can be added to the local system. useradd leaves the local password locked, so only the Windows password is accepted; do not set a local one:

    sm11:~ # useradd susedemo

After that, create the user in the SUSE Manager system (spacecmd or browser).

IMPORTANT: Be sure that the Windows logon name, the Linux user and the SUSE Manager user are all exactly the same!

In the “Create User” dialog the password field can be left empty. Now the user can log in with his Windows password.
Samba/winbind configuration

Samba can be used as a client to access Windows file, print and user services. The winbind service connects the Linux user management to a Microsoft AD service.

YaST provides an easy way to build a valid configuration. Important: make sure that the latest patches are installed, otherwise the authentication will not work!

First install the needed Samba packages:

    sm11:~ # zypper install yast2-samba-client samba-client samba-client-32bit samba-winbind krb5-client samba-winbind-32bit

Now start YaST, select the “Network Services” menu and the “Windows Domain Membership” item within the menu. Enter the domain name and select “Also Use SMB Information for Linux Authentication”.

When selecting “OK” you will be asked to join the domain. Confirm this and enter the user name of a Windows user with the right to add computer accounts to the domain (the Domain Administrator works, but a delegated account with only that right is sufficient).

You should now be a member of the domain. Try to retrieve the Windows users:

    sm11:~ # wbinfo -u
    PEUKINGEN\administrator
    PEUKINGEN\gast
    PEUKINGEN\krbtgt
    PEUKINGEN\susedemo
    PEUKINGEN\demo

Now you can add these users to SUSE Manager (spacecmd or browser).

IMPORTANT: The login is built from the domain name and the Windows login: DOMAINNAME\login !
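Both setups rely on the logins matching exactly (the IMPORTANT notes of the Kerberos and the winbind section), and because only the password check is delegated to AD, a user removed from the domain keeps his SUSE Manager account until somebody deletes it. The following script compares the two user lists so that both gaps are visible. It is an added example and not part of the original document. Assumptions: the first argument is saved output of wbinfo -u (DOMAIN\login per line, as shown above), the second is saved output of spacecmd user_list (one SUSE Manager login per line); with -s the DOMAIN\ prefix is stripped, which is the form the Kerberos/local-user setup uses; the built-in krbtgt account is ignored.

```shell
#!/bin/sh
# reconcile.sh: compare AD users (wbinfo -u) with SUSE Manager users
# (spacecmd user_list). Added example, not from the original document.
# Usage: sh reconcile.sh [-s] ad_users.txt sm_users.txt
#   -s   strip "DOMAIN\" from the AD list (Kerberos/local-user setup, where the
#        SUSE Manager login is the bare Windows logon name); without -s the
#        SUSE Manager login is expected as DOMAIN\login (winbind setup).

# Built-in AD accounts that never get a SUSE Manager user (assumed list; extend it).
IGNORE_RE='(^|\\)krbtgt$'

# Normalise a list for comparison: optionally drop "DOMAIN\", lower-case
# (Windows logon names are case-insensitive), drop blank lines, sort.
normalize() {   # $1 = file, $2 = 1 to strip the domain prefix
    if [ "$2" = 1 ]; then
        sed 's/^[^\\]*\\//' "$1"
    else
        cat "$1"
    fi | tr '[:upper:]' '[:lower:]' | sed '/^[[:space:]]*$/d' | sort -u
}

# Print the lines of $1 that do not occur in $2 (both already normalised).
# FILENAME is compared instead of NR==FNR so that an empty second file
# (no SUSE Manager users yet) does not swallow the whole first file.
only_in_first() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$2" "$1"
}

# AD users without a SUSE Manager account: accounts still to be created.
# $1 = wbinfo file, $2 = spacecmd file, $3 = strip flag (0/1)
missing_in_sm() {
    ad=$(mktemp); sm=$(mktemp)
    normalize "$1" "$3" > "$ad"; normalize "$2" "$3" > "$sm"
    only_in_first "$ad" "$sm" | grep -v -E "$IGNORE_RE"
    rm -f "$ad" "$sm"
}

# SUSE Manager accounts with no AD counterpart: orphans left behind after a
# user was removed from the domain. They can no longer authenticate through
# PAM, but they should be deactivated or deleted in SUSE Manager as well.
stale_in_sm() {
    ad=$(mktemp); sm=$(mktemp)
    normalize "$1" "$3" > "$ad"; normalize "$2" "$3" > "$sm"
    only_in_first "$sm" "$ad"
    rm -f "$ad" "$sm"
}

strip=0
if [ "$1" = "-s" ]; then strip=1; shift; fi
if [ $# -eq 2 ]; then
    echo "# AD users without SUSE Manager account:"
    missing_in_sm "$1" "$2" "$strip"
    echo "# SUSE Manager accounts without AD user:"
    stale_in_sm "$1" "$2" "$strip"
fi
```

A local SUSE Manager account that is not meant to come from AD (the initial administrator, for example) will show up in the second list; that is expected, and it is the list worth reviewing after every round of AD deprovisioning.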
Troubleshooting

If a user cannot log in with his Windows password, first try a Kerberos authentication on the console:

    sm11:~ # kinit -V [email protected]

For winbind problems, test whether the Linux system has successfully joined the Windows domain. A “Server time offset” that is not close to 0 points back to the time synchronization step:

    sm11:~ # net ads info
    LDAP server: 192.168.7.10
    LDAP server name: winad.peukingen.de
    Realm: PEUKINGEN.DE
    Bind Path: dc=PEUKINGEN,dc=DE
    LDAP port: 389
    Server time: Di, 31 Jan 2012 16:28:18 CET
    KDC server: 192.168.7.10
    Server time offset: 0

    sm11:~ # wbinfo -D PEUKINGEN
    Name              : PEUKINGEN
    Alt_Name          : peukingen.de
    SID               : S1521114643051978324060294905416
    Active Directory  : Yes
    Native            : Yes
    Primary           : Yes