ct85711 (Veteran)
Joined: 27 Sep 2005 Posts: 1791
Posted: Wed Mar 23, 2016 7:21 am Post subject: KRB/LDAP authentication/authorization to AD
I have been wondering about this, and maybe one of you could explain this to me. I am working on setting up some Linux guests to authenticate to an AD (Windows Server 2012 R2 specifically), but yet most guides always have you using Samba and setting up winbind on the Linux machine. From my understanding, AD uses LDAP as its foundation with Kerberos, so you should be able to just connect directly to it without using winbind and Samba.
From what I have gotten to work and my own tests, it's fairly straightforward to set up krb5 to authenticate to the AD DC (which is also the KDC), without much issue. I'm still working on setting up the LDAP connection (as I have no experience using LDAP directly), but my initial setup has already yielded to where I can retrieve records from the AD. The only small hurdle that I am encountering now is authenticating the host to the AD, to allow things like PAM to connect (I am slowly working on resolving this, and it should be resolved soon). I could have disabled this security feature in AD, but I don't see where this would have to be done.
So it comes down to: why bother going through the hassle of setting up winbind, when its use isn't really necessary any more? (Windows 2012 on has the Unix attribute extensions already applied, so translation between Windows and Unix logins shouldn't be necessary any more.)
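For readers wanting to see what "setting up krb5 to authenticate to the AD DC" looks like in practice, here is an example /etc/krb5.conf added to this thread as an illustration; it is not ct85711's configuration. The realm EXAMPLE.LOCAL and the host dc1.example.local are placeholders. The settings worth attention from a hardening point of view are `rdns = false` (the service principal is built from the name the client asked for, not from a reverse-DNS answer) and the enctype lists, which keep the client on AES even though a 2012 R2 DC will still offer RC4-HMAC.

```ini
# Added example, not from the original post. Realm and host names are placeholders.
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    # AD publishes _kerberos._tcp SRV records; let the client use them so no
    # static kdc= lines are strictly required when DNS points at the DC.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # Never canonicalise the target host via reverse DNS before building the
    # service principal; a wrong or spoofed PTR record would otherwise decide
    # which principal we request a ticket for.
    rdns = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true
    # AES only. AD 2012 R2 still negotiates RC4-HMAC, whose key is derived
    # directly from the NT password hash; there is no reason to allow it here.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes  = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.LOCAL = {
        # The DC is the KDC. Explicit entries are only needed when the SRV
        # lookup above is not available.
        kdc = dc1.example.local
        admin_server = dc1.example.local
    }

[domain_realm]
    .example.local = EXAMPLE.LOCAL
    example.local = EXAMPLE.LOCAL
```

With this in place, `kinit user@EXAMPLE.LOCAL` followed by `klist -e` shows the enctype actually negotiated, which is a quick way to confirm RC4 is not being used. The host-to-AD step the post mentions is separate: it needs a computer account and a keytab (normally /etc/krb5.keytab) so that services such as PAM can authenticate as the host rather than as a user.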
steveL (Watchman)
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Wed Mar 23, 2016 2:51 pm Post subject: Re: KRB/LDAP authentication/authorization to AD
ct85711 wrote:
    "I have been wondering about this, and maybe one of you could explain this to me. I am working on setting up some Linux guests to authenticate to an AD (Windows Server 2012 R2 specifically), but yet most guides always have you using Samba and setting up winbind on the Linux machine. From my understanding, AD uses LDAP as its foundation with Kerberos, so you should be able to just connect directly to it without using winbind and Samba."
Yeah you can, using krb5 (MIT iirc) as you outline. We did this, many years ago, using Gentoo on a web-server. (The requirement was for an intranet phpBB instance to log users in via AD over ssl, for convenience and so password maintenance was not handled by the bulletin-board.)
You need a DNS server that will accept record updates (I can't remember the exact term); djbdns with patches serves very nicely as a caching-DNS (on the Linux server), even where AD provides it for the LAN. ISTR something about needing to add records, and you definitely need access to the non-standard data, so djbdns gave us that (and speed-up on other dns queries.)
ct85711 wrote:
    "The only small hurdle that I am encountering now is authenticating the host to the AD, to allow things like PAM to connect (I am slowly working on resolving this, and it should be resolved soon). I could have disabled this security feature in AD, but I don't see where this would have to be done."
The bit that sticks in my mind is "SAMAccountName" is what Windoze calls user names (relevant to code which is constructing a login request.) UNIX tends to call that "user login name" formally or just "user" or "login" in code. "$LOGNAME" in shell.
Though maybe that's not needed any more, with what you said about translation.
And may not be relevant to the overall job, as I'd be surprised if someone hasn't already put out PAM modules for this.
wrt samba/winbind, I think people just find it easier. It's certainly useful for browsing the Windows Network to see what's out there.
LISA was the best GUI app for that.
Syl20 (l33t)
Joined: 04 Aug 2005 Posts: 621 Location: France
Posted: Wed Mar 23, 2016 5:21 pm
I think SSSD is the easiest solution. You can configure it to use the AD as an AD, or as a "simple" LDAP server. And it provides a PAM module.
steveL (Watchman)
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Thu Mar 24, 2016 3:21 pm
I'm lost now; what's SSSD?
Sorry, not had to deal with this stuff for ages (TF.)
Syl20 (l33t)
Joined: 04 Aug 2005 Posts: 621 Location: France
Posted: Thu Mar 24, 2016 3:54 pm
https://packages.gentoo.org/packages/sys-auth/sssd
https://fedorahosted.org/sssd/
I discovered SSSD recently, when I had to enrol some CentOS servers in an AD 2012 structure. Once SSSD and its dependencies are installed, the registration is very simple: just one command, which does nearly all the work (LDAP, Kerberos, NSS, PAM, and so on), and, potentially, two or three tweaks in its configuration file. And voilà...
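As an illustration of the "two or three tweaks" Syl20 refers to, here is an example /etc/sssd/sssd.conf for the native AD provider, added to this thread and not taken from the poster's setup. The domain example.local, the realm EXAMPLE.LOCAL and the group DN in the access filter are placeholders. The post does not name the join command; realmd's `realm join` and `adcli join` are the usual tools that create the computer account and the machine keytab this configuration depends on, which is also what resolves the host-to-AD authentication hurdle raised earlier in the thread.

```ini
# Added example, not the poster's configuration. Names below are placeholders.
# SSSD refuses to start unless this file is owned by root with mode 0600.
[sssd]
    config_file_version = 2
    services = nss, pam
    domains = example.local

[domain/example.local]
    id_provider = ad
    auth_provider = ad
    # Authorization as well as authentication: logins are only allowed when
    # AD's own account checks pass and the filter below matches.
    access_provider = ad
    ad_access_filter = (memberOf=cn=linux-login,ou=groups,dc=example,dc=local)
    ad_domain = example.local
    krb5_realm = EXAMPLE.LOCAL
    # The host authenticates to the DC with the keytab written at join time.
    krb5_keytab = /etc/krb5.keytab
    # Windows 2012 AD can carry POSIX attributes (uidNumber, gidNumber, ...).
    # false = use them; true = let SSSD derive UIDs/GIDs from the object SIDs.
    ldap_id_mapping = false
    # Do not download the whole directory; look users up on demand only.
    enumerate = false
    # Allow logins while the DC is unreachable. The cached credentials live in
    # SSSD's database on the host, so weigh this on shared or exposed machines.
    cache_credentials = true
    default_shell = /bin/bash
    fallback_homedir = /home/%u@%d
    use_fully_qualified_names = false
```

After the join, `id someuser` and `getent passwd someuser` are the quick checks that NSS is resolving directory accounts, and a failed login for a user outside the filtered group is logged by SSSD's PAM responder, which is the authorization behaviour the thread title asks about.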