
Monday, April 28, 2014

Linux - Microsoft Active Directory Integration -- Using Linux Realm Daemon to Authenticate to Active Directory

Introduction

We have looked at several methods of authenticating the Squid Proxy Server application to Active Directory.  Configuring a client workstation to authenticate against Active Directory is much easier using the Realm Daemon (realmd).


Keep in mind that authenticating to Active Directory is not the same as integrating with it.  You get a centralized account management system, and user and group permissions on network resources.  But authenticating a Linux workstation to Active Directory does not provide Group Policy management, one of Active Directory's many strengths.  And the applications installed on a Linux workstation are often not designed to use or automatically pass through network (Kerberos) authentication, so they typically need to be configured individually.

Install the Realm Daemon, Password Check and Kerberos Client Software

Begin by installing the basic software required for the installation:
#sudo apt-get install realmd cracklib-runtime krb5-user
Enter MYDOMAIN.COM at the prompt for the default Kerberos realm during the installation (Kerberos realm names are conventionally written in uppercase).

Obtain a Kerberos ticket using the kinit command.  Any domain account with rights to join computers to the domain will do; in this case we use the "Administrator" account.

#kinit Administrator
At this point, reboot the machine.

Discover and Join the Active Directory Kerberos Realm

Two commands join the workstation to the Domain as a Computer Account, which the machine needs in order to initiate the communication with Active Directory required for subsequent user authentication.

#realm discover --verbose mydomain.com
#sudo realm join --client-software=sssd MYDOMAIN.COM
The join writes /etc/sssd/sssd.conf, and sssd will report an error caused by one statement in that file.  Correct the error by commenting the statement out:
#nano /etc/sssd/sssd.conf
Insert a # at the start of the line to comment out the statement:
use_fully_qualified_names = True
With this setting disabled, domain users log on with their short name (jsmith) rather than jsmith@mydomain.com, so make sure no local account shares a name with a domain account.  Then restart the sssd service.
#sudo service sssd restart


Add Active Directory User Accounts Permitted or Denied Logon

Issue the command:
#sudo realm permit --realm mydomain.com --all
Alternatively, you may list the individual accounts permitted to log on, or use the "realm deny" command to deny users the ability to log on to the workstation.  Note that permitting all means every account in the directory can log on to this workstation; on a shared or sensitive machine, permit only the users who need it.

Finally, each user requires a home directory to log on to Linux.  The Linux Pluggable Authentication Modules (PAM) configuration specifies authentication and session behavior, and can automatically create a home directory for network-authenticated users on first logon.  Edit the common-session configuration and add the pam_mkhomedir module:

#nano /etc/pam.d/common-session
Add the line:
session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
to the end of the file.  Make sure it comes after the comment marking the end of the section managed by the automatic update command pam-auth-update; lines inside that section are rewritten the next time pam-auth-update runs.  Then create a domain directory under /home.  Domain user home directories will be created automatically there.
#sudo mkdir /home/mydomain.com
Now log out and test authentication by logging on as a domain user.  Check the domain user's home directory in a file manager window; it will be under the /home/mydomain.com directory.  Then try to issue a sudo command: unless the domain user has been added to the sudoers file, the account will not be able to execute elevated-privilege tasks, which is the expected result.
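The whole procedure above as a re-runnable script, added here as an example; it is not from the original post.  Assumptions not in the post: the realm and join account are passed on the command line, the join uses realm's --user option (which prompts for the account's password) rather than a prior kinit, and the two configuration helpers take a file path so they can be exercised on copies before touching /etc.

```shell
#!/bin/sh
# Added example (not from the original post): the join procedure as a
# re-runnable script. Assumptions not in the post: realm and join account come
# from the command line; config helpers take a file path so they can be tested
# on copies of the real files.
set -eu

SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
PAM_SESSION="${PAM_SESSION:-/etc/pam.d/common-session}"
MKHOMEDIR_LINE='session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022'

# Comment out an active "use_fully_qualified_names = True" in an sssd.conf.
# Safe to run twice: an already-commented line no longer starts with the key.
# Returns non-zero if the file is missing or an active setting remains.
disable_fqn() {
    conf="$1"
    [ -f "$conf" ] || return 1
    sed -i 's/^[[:space:]]*\(use_fully_qualified_names[[:space:]]*=.*\)$/# \1/' "$conf"
    ! grep -Eq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=' "$conf"
}

# Append the mkhomedir line unless it is already present, so a second run does
# not duplicate it. Appending lands it after the "# end of pam-auth-update
# config" marker, where pam-auth-update leaves it alone.
add_mkhomedir() {
    pamfile="$1"
    grep -q 'pam_mkhomedir\.so' "$pamfile" && return 0
    printf '%s\n' "$MKHOMEDIR_LINE" >> "$pamfile"
}

# Check the layout pam-auth-update expects: mkhomedir present exactly once
# and, when the end-of-config marker exists, below it.
check_mkhomedir_placement() {
    pamfile="$1"
    count=$(grep -c 'pam_mkhomedir\.so' "$pamfile" || true)
    [ "$count" -eq 1 ] || return 1
    marker=$(grep -n '^# end of pam-auth-update config' "$pamfile" | cut -d: -f1 | head -n 1)
    mkline=$(grep -n 'pam_mkhomedir\.so' "$pamfile" | cut -d: -f1)
    [ -z "$marker" ] || [ "$mkline" -gt "$marker" ]
}

# The interactive steps from the post, in order. Runs only when invoked as
#   sudo ./ad-join.sh --apply MYDOMAIN.COM Administrator
# so sourcing this file for its helper functions has no side effects.
join_domain() {
    realm="$1"; joinacct="$2"
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')

    apt-get install realmd cracklib-runtime krb5-user   # answer the realm prompt with $realm
    realm discover --verbose "$domain"                  # confirm the realm is reachable first
    # --user names the account that creates the computer object; realm prompts
    # for its password (the post obtains a ticket with kinit beforehand instead).
    realm join --user "$joinacct" --client-software=sssd "$realm"

    disable_fqn "$SSSD_CONF"
    # The post permits every domain user. To restrict logon, replace --all with
    # the user names to permit (or use "realm deny" as the post notes).
    realm permit --realm "$realm" --all

    add_mkhomedir "$PAM_SESSION"
    check_mkhomedir_placement "$PAM_SESSION"
    mkdir -p "/home/$domain"
    service sssd restart

    # First check: resolve the join account through sssd; with
    # use_fully_qualified_names disabled the short name must work.
    getent passwd "$joinacct"
}

if [ "${1:-}" = "--apply" ]; then
    [ "$#" -eq 3 ] || { echo "usage: $0 --apply REALM JOINACCOUNT" >&2; exit 2; }
    join_domain "$2" "$3"
fi
```

Run the helpers against copies of the two files first (set SSSD_CONF and PAM_SESSION to the copies) and inspect the result; the placement check fails if pam_mkhomedir ended up inside the pam-auth-update managed block or was added twice, which are the two ways a hand edit of common-session usually goes wrong.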

The video below demonstrates the entire process, which takes five to seven minutes.



