Windows 2008R2

CentOS6 using AD authentication

Posted by phatdee on June 12, 2014
Posted in: Windows 2008R2. Tagged: , , , , , , . 2 comments

Previously had docs on how to get this working in SLES11/CentOS 5.x   .  Been struggling getting this working on CentOS 6, I mean come on people how the hell is this any easier.. LDAP is already hard to configure and it definitely did NOT get any easier..

I plan on writing my own docs, but for now, this site saved me another broken keyboard…

 

Copied from http://meinit.nl/user-authentication-centos-6-active-directory-based-hosts-and-groups

User authentication on CentOS 6 with Active Directory based on hosts and groups

Follow this article when you would like users to be able to login to a CentOS 6 host, authenticating to Active directory based on:

  1. Group membership of a user (a group like “Linux Administrators”) (or)
  2. A “host” attribute set per user to allow fine grained host-based permissions

This has a major benefit. You can add users to an administrative group and besides that you can assign permissions to login to a user per host. Once you have set this up, you can manage permissions fully through Active Directory.

Install required pacakges

You need to install one single package:

yum install nss-pam-ldapd

 

Configuration

There are quite few files to configure, I know that system-config-auth exists, but don’t know if it gives the right results. So here are the files one-by-one:

/etc/nslcd.conf

 

# This program runs under this user and group, these are local/system (/etc/passwd) users.
uid nslcd
gid ldap
# The base is where to start looking for users. Your Windows colleagues will know this value.
base dc=nl,dc=example,dc=com
# This is the URI that describes how to connect to the LDAP server/active directory server. You may use a DNS round-robin name here to point to multiple Domain Controllers.
uri ldaps://ldap.nl.example.com:636/
# This is a user that can authenticate to Active Directory. It's used to connect to AD and query stuff.
binddn somegenericuser@nl.example.com
bindpw SoMePaSsWoRd
# Don't exactly know where I got these settings from, man-page has more information.
scope  group  sub
scope  hosts  sub
# If there are many results, paging is used.
pagesize 1000
# LDAP servers can refer you to another location, in my experience this slow down authentication dramatically.
referrals off
# This is the trick to match users from a certain group and users that have a host-attribute filled in.
# Note that the value of the variable "host" should be set to the hostname where this file in installed.
filter passwd (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*)(|(host=mylinuxhost.nl.example.com)(memberOf=CN=Linux Administrators,OU=Groups,DC=nl,DC=example,DC=com)))
# Active Directory may store some values in attributes that need to be mapped.
map    passwd homeDirectory    unixHomeDirectory
filter shadow (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map    shadow shadowLastChange pwdLastSet
# This filters out groups that have a "gidNumber" set. This typically only happens for groups that need to be available on Linux.
filter group  (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember     member
# Some time limits.
bind_timelimit 3
timelimit 3
scope sub
# Secure Socket Layer, yes we do!
ssl on
tls_reqcert never

 

/etc/pam_ldap.conf

This file looks very much like /etc/nslcd.conf, don’t know why there are two actually. It confuses people.

bind_timelimit 3
timelimit 3
network_timeout 3
bind_policy hard
scope sub
nss_base_passwd dc=nl,dc=example,dc=com
nss_base_shadow dc=nl,dc=example,dc=com
nss_base_group dc=nl,dc=example,dc=com
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute uid
pam_filter objectClass=user
pam_password ad
pam_member_attribute member
pam_min_uid 10000
pam_groupdn CN=Linux Administrators,OU=Groups,DC=nl,DC=example,DC=com
base dc=nl,dc=example,dc=com
uri ldaps://ldap.nl.example.com:636/
binddn somegenericuser@nl.example.com
bindpw SoMePaSsWoRd
bind_timelimit 3
timelimit 3
scope sub
ssl on
tls_reqcert never

 

/etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac

These two files contain the same.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so
auth        required      pam_deny.so

account     [default=bad user_unknown=ignore success=ok authinfo_unavail=ignore] pam_krb5.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_autht ok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

 

/etc/nsswitch.conf

This determines to send certain resolving queries to what facility. Make sure these lines are in:

passwd:     files ldap [NOTFOUND=return UNAVAIL=return] db
shadow:     files ldap [NOTFOUND=return UNAVAIL=return] db
group:      files ldap [NOTFOUND=return UNAVAIL=return] db
sudoers:    files ldap [NOTFOUND=return UNAVAIL=return] db

 

Starting of daemons

When all configuration changes are done, make sure to startup nslcd:

service nslcd start
chkconfig nslcd on

 

Troubleshooting

There is a caching mechanism in nslcd. I don’t know how to flush that cache, but it caches negative hits too. (So when a user is not found, it will keep on saying that the user is not found) Waiting (a night) clears that cache, but this does not help you to solve the problem today.

You may stop nslcd and run in in debug mode:

service nslcd stop
nslcd -d

Adding SSL Cert to Windows 2008 R2 (LDAP over SSL)

Posted by phatdee on July 23, 2013
Posted in: Windows 2008R2. Tagged: , , , , . Leave a Comment

http://technet.microsoft.com/en-us/library/dd941846(v=ws.10).aspx

 

Event ID 1220 — LDAP over SSL

2 out of 3 rated this helpful - Rate this topic

Updated: March 11, 2013

Applies To: Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2008 R2 Foundation, Windows Server 2008 R2 with SP1, Windows Server 7

Lightweight Directory Access Protocol (LDAP) communications between client computers and server computers can be encrypted with LDAP over Secure Sockets Layer (SSL) connections. You can configure Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to support LDAP over SSL.

ImportantImportant
More detailed and recently updated information regarding this warning and how to resolve it have been published to the following TechNet Wiki articles: 

 

Event Details

Product Windows Operating System
ID 1220
Source Windows Server® 2003 and Windows Server® 2003 R2: Active DirectoryWindows Server® 2008 and Windows Server® 2008 R2: Microsoft-Windows-ActiveDirectory_DomainService
Version 5.0 and 6.0
Symbolic Name DIRLOG_LDAP_SSL_NO_CERT
Message LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.

Resolve

Event ID 1220 is logged on a domain controller when client computers attempt to make an LDAP-over-SSL connection to the directory when SSL connections are not enabled on the directory. If you want to configure a domain controller or an AD LDS server to support SSL connections, you must provide a certificate for the AD DS or AD LDS directory to use. If you do not want to support LDAP over SSL connections on the directory, identify the client computers that are attempting to make such connections so that you can resolve this issue.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Perform the following procedure on a domain controller or a computer that has RSAT installed. See Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/fwlink/?LinkId=144909).

If you want to configure your domain controllers to support SSL connections, you can install and configure the Active Directory Certificate Services (AD CS) role on a domain controller or you can import a certificate from a trusted certification authority (CA).

WarningWarning
In most cases, you should not install a CA on a domain controller. For additional information, see PKI Design Brief Overview (http://social.technet.microsoft.com/wiki/contents/articles/pki-design-brief-overview.aspx). 

 

If you want to configure your domain controllers to support SSL connections, you can install and configure the Active Directory Certificate Services (AD CS) role on a domain controller or you can import a certificate from a trusted certification authority (CA). If you install the AD CS role and specify the Setup Type asEnterprise on a domain controller, all domain controllers in the forest will be configured automatically to accept LDAP over SSL. For instructions about installing and configuring a local certificate server using a Windows Server 2008 computer, see the Active Directory Certificate Services Step-by-Step Guide (http://go.microsoft.com/?linkid=9645085).

In most cases you should use a certificate from a CA that is not installed on a domain controller. The certificate that you import into the LDAP server [e.g. domain controller or Active Directory Application Mode, or Active Directory Lightweight Directory Services (AD LDS)] must meet the following specifications:

  1. Certificate must be valid for the purpose of Server Authentication. This means that it must also contains the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
  2. The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=server1.contoso.com. For more information, see How to add a Subject Alternative Name to a secure LDAP certificate(http://support.microsoft.com/kb/931351).
  3. The host machine account must have access to the private key.

If you are preparing a Windows Server 2008 or Windows Server 2008 R2 domain controller to accept LDAP over SSL (LDAPS) connections you should import the certificate into the AD DS personal store (as shown in the following procedure). If you are working on a Windows Server 2003 or Windows Server 2003 R2 computer, you should import the certificate into as described in Configure Authentication and Encryption (http://technet.microsoft.com/en-us/library/cc757003.aspx). If you are working on an AD LDS server, then you should following the instructions in Appendix A: Configuring LDAP over SSL Requirements for AD LDS. ((http://go.microsoft.com/?linkid=9645086)

To import a certificate into the AD DS personal store

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  2. To open Microsoft Management Console (MMC), type mmc, and then press ENTER.
  3. Click File, click Add/Remove Snap-in, select Certificates from the available snap-ins, and then click Add.
  4. In Add or Remove Snap-ins, click Service account to view the certificates that are stored in the service’s personal store, and then click Next.
  5. In Add or Remove Snap-ins, click Local computer, and then click Next.
  6. In Add or Remove Snap-ins, click Active Directory Domain Services, click Finish, and then click OK.
  7. In the console tree, expand Certificates – Service (Active Directory Domain Services), expand Personal, and then expand Certificates.
  8. To import a certificate, right-click the NTDS\Personal folder, click All Tasks, and then click Import. When the certificate is imported, client computers should be able to make SSL connections to all domain controllers in the forest.
noteNote
If you are working on a Windows Server 2003 or Windows Server 2003 R2 computer, you should import the certificate into as described in Configure Authentication and Encryption (http://technet.microsoft.com/en-us/library/cc757003.aspx). If you are working on an AD LDS server, then you should following the instructions in Appendix A: Configuring LDAP over SSL Requirements for AD LDS. (http://go.microsoft.com/?linkid=9645086) 

 

noteNote
The community version of this topic is on the TechNet Wiki as Event ID 1220 — LDAP over SSL (LDAPS) (http://social.technet.microsoft.com/wiki/contents/articles/2979.aspx) 

 

Verify

Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Learn more about default group memberships online (http://go.microsoft.com/fwlink/?LinkID=150761). Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/fwlink/?LinkId=144909).

To confirm that LDAP over SSL is configured successfully

  1. Open the Ldp snap-in. To open Ldp, click Start. In Start Search, type ldp. Right-click the Ldp icon on the Start menu, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  2. Click the Ldp Connection menu, and then click Connect. In Server, type the host name of the server to which you want to connect. Ensure that Port is set to 636, the Connectionless check box is cleared, and the SSL check box is selected, and then click OK. If you receive a message that says “Cannot open connection,” LDAP-over-SSL binding is not configured properly.
  3. Click the Connection menu, click Bind, and then click OK.
  4. The command output should display the user name and domain name that you used for binding, if LDAP over SSL is configured properly.
TipTip
To install LDP on computers running Windows Server® 2003 or Windows® XP operating systems, install Windows Server 2003 Support Tools from the Windows Server 2003 product CD or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270). 

 

See Also

Secure Linux / Windows AD Authentication

Posted by phatdee on January 11, 2012
Posted in: Windows 2008R2. Tagged: , , , . Leave a Comment

So this method wasn’t our first attempt to get our Linux farm authenticating against Windows AD. Our first attempt was to use the Microsoft Identity Management for UNIX component which is a role based component for Windows 2008 R2. We attempted to just do a one-way sync from AD to the Linux farm. This did work, but we latter found out that it’s just very insecure. Perhaps, I set it up wrong, but I tried to follow the instructions given or what I could find online the best I could.

There method was to have a Linux agent (ssod binary) that will need to run on every Linux box. That agent by default (and can be changed via /etc/sso.conf) is set to run on port 6677. It seemed the only purpose of this agent was to encrypt and decrypt the pass words so there were not being sent over the wire in plain text. Why I even thought that was a good idea without just enforcing LDAP over SSL or TLS from the get go, I have no idea. Anyhow, we choose to use that method. Well things were fine right up to the point of noticing that our network engineering accidentally started blocking port 6677 to the AD hosts. Had they not done that, we might still be using that insecure method. Anyhow with that port being blocked, low and behold I started noticing plain text being sent over the wire. Turns out if that ssod binary isn’t running or is getting blocked on the network, plain text pass words start getting sent. Well that definitely isn’t good, wouldn’t take very much effort to kill that ssod binary on any host, and fire up a sniffer. Shit snowball in full effect.

At that point, I needed to figure out how the hell to get either LDAPS (LDAP over SSL port 636) or TLS (port 389) working in AD, as of course, that being the secure method and well it being Microsoft that isn’t the default choice.

Long story short…here’s how.

First you need to install the CA manager in AD and/or a 3rd party CA. We have a CA at work, so I used this form. You of course will need to replace with your info.

Save this into a file like notepad, name it like ‘fqdn.example.com.cnf’. I’ll write up more on this if someone requests this, but there are a billion howto’s on how to create these self signed certs and to get Windows setup on that.

Make sure you save yourself a copy of the CA-cert, as you will need this on every Linux host you plan on authenticating from.

Continue to Page 2

SLES11 AD Authentication using TLS SSO Windows 2008R2 page 2

Posted by phatdee on January 5, 2012
Posted in: Windows 2008R2. Tagged: , , , , , , , . 1 comment

These are the steps I followed, your mileage may vary..

1). Verify Windows2008R2 isn’t using a cert already…

Windows 2008R2 should be listening already on port 636, but there will be NO cert attached. To confirm this..use the openssl s_client which I’ve been abusing lately..

Running that command on a default Windows 2008 AD box will come up with no certificates.

So after you install the cert, and reboot your Windows AD box, you should run the above command again from a Linux host and you should see the server certs at this stage.
Don’t be concerned with the last line, which probably should say something like “Verify return code: 21 (Unable to verify the first certificate)” We are just verifying that there is a cert attached to the AD host at this point.

2). LDAP Bind account

Setup an LDAP Bind account in Active Directory, this account doesn’t need to have any special privileges on the account.  In fact, just granting guest privs will work. This account will be needed to be configured into every /etc/ldap.conf file and this is required as it’s really not a good idea to turn on anonymous on the AD host.

3).  Install Identity Management for UNIX on your AD host.

This primarily is needed for the extra tab provided in user properties (UNIX tab).  This grants home directory, UID, GID etc POSIX functionality.  By default all AD users will NOT have UNIX access, this is something we need to turn on.

4).  Group accounts.

Create a separate OU for all the UNIX groups.  For my setup, I choose to not use the pre-existing Windows groups.  That might be an easier approach for you, however, we used to use Novell Edirectory / OpenLDAP solution so all our Linux boxes are  all ready setup for that  and are pre-populated with those groups.   Basically I just mirrored current group names and users in those groups which I created in AD to help minimize to many configuration changes on every Linux host.

My base group OU = ou=unix,ou=group accounts,dc=example,dc=com

And in AD, just create a new folder called Unix under “group accounts”.

You will want to create a new group called unixusers or whatever you want.  This group will be used for the primary UNIX group, most users will also be part of other groups, but if they have UNIX enabled onto there accounts, then they should be part of unixgroup account for sure.

You need to make sure that you enable the users accounts first by granting a UID, home directory etc FIRST, before you goto try to populate that user in the groups.  To populate users in the group, just double click whatever group, two places Members & UNIX Attributes tab.  I used to think only the UNIX attribute tab was necessary, until I tried to go get Apache logins working then noticed that uses the Members tab.  Anyhow  UNIX tab, make sure NIS Domain: has whatever name in there selected and group ID will auto update to the next available GID, if it’s NOT the first group your setting up.  Then just Add, select what users, click ok, then click Members tab, advanced, find now, select users , rinse and repeat as deemed necessary.  Ok all the way out.

5).  User accounts

To turn on the UNIX access on a user account, just find your user , right click, properties, and you should see a new tab called “Unix Attributes”

Here’ you will see NIS Domain:  drop down that to your NIS name (which you named in the Identity Manager for UNIX)

UID:  21000 (use whatever fits for your orgization)

Shell: /bin/bash

Home Directory:  /home/username

Prmary Group:  unixusers

 

A very important thing here:   PLease make sure ALL letters are in lower-case.   For Windows of course, it really doesn’t matter, but for UNIX which is case sensitive it matters.  Some of the default entries are in both uppper /lower case, just change it to lower case.  Does anyone knows how to change the default values on this, so its’ always lower case?  I’ll write more on this later as there are some interesting things with /etc/sudoers, PAM w/ makehomedir.so settings.  If you just want to save yourself some headaches later down the road, also click on Account tab and change User logon name to all lower case and preWindows2000 to all lowercase, and click Ok.

Tools like getent, id are pulling from this Account tab settings and so far I haven’t been able to locate anything (short of just recompiling those tools, which I wasnt going to do) that I can setup so it ignores case and just uses all lower case.   Maybe a wrapper would work..I don’t know.  If someone knows, let me know.

 

6). Installing cacert.pem

You should have gotten a CA-Cert file along with your AD SSL cert.  Your can place this cert anywhere,  I placed mine in /etc/openldap/keys

Copy cacert.pem into /etc/openldap/keys

Create a hash of this file, using

To verify this cacert.pem will work, you can use the following command to test

openssl s_client -connect windowsAD.example.com:636 -CAfile /etc/openldap/keys/cacert.pem

If this openssl client does NOT work, save yourself sometime and double check to make sure you have the correct cacert. We have multiple CA’s at my work and for last few hours I’ve been struggling trying to get this working.. turns out I was using the wrong cacert.

Quickly check it by running this command:
openssl x509 -in cacert.pem -noout -text

Once that is working then try using this ldapsearch -ZZ , this will test out you AD Bind user account as well as the SSL cert.

If you don’t know what the -D part is log onto the Windows host, open a command prompt (cmd.exe) type:

That should spit out the correct DN. Maybe there is an easier way, but I know I struggled with this part for a long time before finding that command.
-Z turns on TLS for the ldapsearch, -ZZ and important that you use this as if AD returns an error you will see if otherwise you won’t , it’s very important there is no error.  Make sure you do ldap, and not ldaps, TLS uses port 389 and SSL or ldaps uses port 636

It’s very important to make sure the last line on this return comes back with (ok) line.  ( Verify return code: 0 (ok) ).  If it doesn’t then you need to verify you have the correct cacert, because if it doesn’t work here, it’s definitely not going to work after we setup everything.

 

7).  /etc/openldap/ldap.conf   and /etc/ldap.conf

First of all these two files are different but both are needed and will need to be edited.

/etc/openldap/ldap.conf:   this file is basically used for using the OpenLDAP tools like ldapsearch, ldapmodify etc.

/etc/ldap.conf:  this is the NSS LDAP client configuration file.  This is what PAM will be using.

 

 

host:  Make sure you are using a fqdn here.  We used to use IP only here, as I didn’t want to have a DNS fqdn there and thought IP would just be better, it’s not.  You will get alot of bind errors in the logs when it’s an IP,  I ended up just adding the host to /etc/hosts so this way if DNS did mess up , we could still log in.   Update:  It’ 100% doesn’t work when you trying to use SSL or TLS, using just the IP.  We used to use non secure method and using IP gives a ton of bind errrors but it still works.

uri:  samething make sure it’s fqdn

binddn/bindpw:  The guest user account that you setup

ssl:  you can also have “on” here, but if you did you need to update uri line to ldaps…  and comment out all the tls_ lines

nss_base_group:  you can just leave dc=example,dc=com like the above user groups, but it’s faster if you choose the exact path so you don’t have to search through all the Windows groups first.  If you are un-sure what the OU path is, open command prompt on the AD host

I’m sure there are easier ways, but that’s how I did it.

bind_policy soft:  make sure you have this, or without it , the next time you go to reboot, it probably will get hung.

8).  nsswitch.conf & PAM

Here’s ours, using just “files ldap” should be just fine for passwd, group

 

9)  /etc/pam.d

SLES handles the pam files a little bit different instead of having everything in one file like Redhat flavors, SLES breaks them out into 4 files.  I personally like Redhat’s method alot better , but whatever .

To make the Linux hosts accept for only certain AD groups, and it be able to use multiple groups , we use /etc/security/access.conf.   The pam_access.so is enforcing this.  Common-session will automatically create  users home directory on the system if they didn’t already have one.  Again, your setup may be different…

 

Once everything above has been installed, you can go ahead and try it.  I highly recommend you don’t log out 100%, leave one ssh session , ie the session your using logged in.  And just open a new sesssion to test, this way you can make adjustments when it doesn’t work and won’t be shut out..lol

getent passwd

getent group

id username

new session:  make sure you populate /etc/security/access.conf with your users or you won’t be able to log in.  Or just for now, comment #-ALL:ALL until you get everything working.

I highly recommend once you are able to SSH in, that you setup a sniffer to make sure you see TLS/SSL traffic and obviously no passwords in plain text…

 

You may find it necessary to dump your nscd cache if you are in fact using this.

sudo nscd-ihosts; nscd -i passwd; nscd -i group; /etc/init.d/nscd restart