Active Directory Offline Authentication and local groups

Asked by RandyG

I am investigating the use of Ubuntu on our company network. We are mostly a Windows shop, so that means Active Directory. I have been successful in getting an Ubuntu desktop configured on a laptop system to authenticate to our Active Directory environment and everything works pretty well. There are two pieces that remain to be resolved and I am having difficulty in resolving them.

First, I need to find a way to add domain user accounts to local security groups on the laptop to allow the use of features and functions that are scoped to certain groups. For instance, having a domain account become part of the audio group.

Second, and this one is pretty big, is allowing the domain user to log in to the laptop offline using the same AD credentials as though they were still on the network.

If anyone can provide assistance with either of these issues it would be greatly appreciated. I was hopeful that 7.04 would provide better tools to accomplish both of the tasks listed above, but I have not been successful. I have been considering buying the commercial support, but I don't want to buy support in the hope of getting answers or solutions to my problems when no fix or workaround exists.

I do know that OpenSuse 10.2 has the functionality of working in an AD environment and allowing offline authentication, but I like Ubuntu a lot better.

Thanks in advance for any assistance anyone can provide.

Randy G.

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
Massimo Forti (slackwarelife) said :
#1

OK! Can you post your config files please?

The files I want to see:

/etc/nsswitch.conf
/etc/libnss_ldap.conf
/etc/pam_ldap.conf
/etc/ldap/ldap.conf

To do what you want, you can use the user created when you installed the Ubuntu desktop.

Massimo Forti (slackwarelife) said :
#2

You can post the files in /etc/pam.d too:

common-account
common-auth
common-password
common-session

thanks

RandyG (rgrugan) said :
#3

To your first post: I do not have the libnss package installed, so I do not have the pam_ldap.conf file. I have also not configured the ldap.conf file. The reason is that I have followed the Ubuntu documentation titled ActiveDirectory WinbindHowTo, which does not have you configuring any of these packages.

I have listed the configuration files that I do have.

Here is the nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

common-account
account sufficient pam_winbind.so
account required pam_unix.so

common-auth
# auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u
auth sufficient pam_winbind.so
auth required pam_unix.so likeauth nullok_secure use_first_pass

common-password
password required pam_unix.so nullok obscure min=4 max=8 md5

common-session
session required pam_unix.so
session optional pam_foreground.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

If the documentation I mentioned above is not the correct way of getting AD authentication along with allowing offline access using the domain user account could you please direct me to the proper documentation? Also beneficial would be how to give domain accounts local security group rights.

Thanks,
Randy G.

Massimo Forti (slackwarelife) said :
#4

But you don't have an LDAP server installed, you have bind installed; there are some differences. What do you want?

Thanks

RandyG (rgrugan) said :
#5

I think you have misunderstood what I am trying to do here. I have a complete Windows Active Directory environment here at my place of employment. We want to test the feasibility of setting up Ubuntu workstations running version 7.04. We want these Linux systems to be able to interact with the Active Directory environment as if they were Windows clients themselves.

For example, we would like the ability for a laptop that is running Ubuntu to authenticate a user against Active Directory. We also want this ability when the laptop is offline or not able to communicate with Active Directory. We will also need the ability to assign Active Directory users to local security groups on the laptop running Ubuntu.

So, long story short, we are able to set up our test laptop to log in using an Active Directory account currently, per the configuration files that I posted previously. However, we are unable to use the same DOMAIN+User account to log into the system when it is disconnected from the network.

To sum up, we were hoping that we can implement the same functionality that has been implemented in OpenSuse 10.2 when dealing with an Active Directory environment. Somehow they have the ability to allow a user to log in using the DOMAIN+User format both on and off the network through some sort of caching ability that has been implemented in the Samba/Winbind version they are using. Is there something comparable to this functionality available in Ubuntu, either through package install/upgrade or by configuring the system in a certain manner? Or is there documentation already created that can walk us through getting the desired functionality we need?

We really want to use Ubuntu in the corporate space but unless these items can be tackled just as Opensuse has done I fear that is not going to be a reality at this time.

Thanks,
Randy G.

Massimo Forti (slackwarelife) said :
#6

You can use the new tool authtool

sudo apt-get install authtool

sudo apt-get install authtool-gtk

Authtool is a network authentication configuration tool, for configuring a workstation to authenticate against a server, whether it be LDAP+Kerberos, Active Directory, NIS+ or standalone.

If you have any problems, I'm here.

Thanks

axejaxej (jaxe) said :
#8

Same boat but can't apt-get install authtool

E: Couldn't find package authtool

RandyG (rgrugan) said :
#9

I got it to install... There are two packages, authtool and authtool-gtk.

For me the tool really did not solve my problem. All it does is try to automate the manual process of editing the /etc/krb5.conf and smb.conf files, which it does not do very well. Actually, every time I ran the program it would create a backup of the smb.conf file and then create an smb.conf file that just had the program's own defaults and none of the information I typed in the GUI form.

So this tool has a long way to go before it is capable of getting a system to authenticate to AD.

So I am still firmly stuck at square one, which is: I have a laptop that is fully capable of logging into an AD environment after I successfully edit the necessary files manually, but I am still unable to log into the system with the domain account off the network or apply the domain account to local security groups. Does anyone else have any ideas on how this can be accomplished?

Massimo Forti (slackwarelife) said :
#10

Many thanks for your comment about authtool; your experience will be very much appreciated, I will open a bug with your opinion. Thanks again.
I had hoped to solve your problem with this tool, but unfortunately we still have a problem. Sorry.
My personal PC, which is part of an LDAP + Samba + Kerberos setup, has the following configuration files (I post the how-to I did some months ago). But before that I want to know: have you deleted your local account on your machine? On my PC I still have my local users, who have the same names as the LDAP users. With this configuration I am able to use my laptop with or without the LDAP server.

Massimo Forti (slackwarelife) said :
#11

The how-to of my lan:

 Introduction

There are two important concepts for users: authentication, and accounts. With Active Directory authentication uses the Kerberos 5 protocol, and account information uses LDAP. Therefore we need to configure Kerberos 5 and LDAP on Ubuntu in order to manage users in an Active Directory.

Throughout this article the following IP addresses are going to be used, adjust appropriately for your network.

IP address Description
10.30.2.1 Router and DNS server or proxy
10.30.2.2 DHCP and TFTP server
10.30.2.10 NFS server
10.30.2.20 LTSP server
10.30.2.100-200 LTSP clients

It is assumed Active Directory is configured with an AD realm of EXAMPLE.COM and we will create one user:

account name: wendy
UID: 1002
GID: 1002
home directory: /home/wendy
shell: /bin/bash

Accounts

For LDAP accounts the software package libnss-ldap is required. On the Ubuntu Dapper CD this is not in the main repository, it is part of the universe repository; however, if you are using an internet repository it is part of the main repository and you can skip to the next stage. In order to access the universe repository, edit the file /etc/apt/sources.list and uncomment the universe lines.

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://archive.ubuntu.com/ubuntu/ feisty universe main restricted multiverse
deb-src http://archive.ubuntu.com/ubuntu/ feisty universe main restricted

Then update the package list and install.

$ sudo apt-get update
$ sudo apt-get install libnss-ldap

Enter the address of the Active Directory server (the Active Directory is accessed with the LDAP protocol).

Specify the LDAP search base DN (the base DN is where to search for user account information).

Select LDAP version 3 (Active Directory can be accessed through protocol version 3).

Some extra configuration changes are required for the Active Directory schema, edit /etc/libnss-ldap.conf

# libnss-ldap.conf

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 10.30.2.2

# The distinguished name of the search base.
base dc=example,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# RFC 2307 (AD) mappings
# <to> <from>
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0

Configure the name service to use LDAP, edit /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Testing

The getent command will show the name service contents, so with Active Directory configured with a user and libnss-ldap configured you should be able to see the extra users and groups

$ getent passwd

gdm:x:106:111:Gnome Display Manager:/var/lib/gdm:/bin/false
test:x:1000:1000:Test,,,:/home/test:/bin/bash
wendy:x:1002:1002:wendy:/home/wendy:/bin/bash
$ getent group

gdm:x:111:
test:x:1000:
wendy:x:1002:

A simple file test will show whether Ubuntu understands a username from AD.

$ cd /tmp
$ touch moo
$ ls -l moo
-rw-rw-r-- 1 root root 0 2006-07-20 14:27 moo
$ sudo chown wendy moo
$ ls -l moo
-rw-rw-r-- 1 wendy root 0 2006-07-20 14:27 moo

To view the users via LDAP install the ldap-utils package.

$ sudo apt-get install ldap-utils
$ ldapsearch -x -H ldap://10.30.2.2 "(objectClass=posixAccount)" sAMAccountName
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectClass=posixAccount)
# requesting: sAMAccountName
#

# wendy, Users, EXAMPLE.COM
dn: cn=wendy,cn=Users,dc=EXAMPLE,dc=COM
sAMAccountName: wendy

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Authentication

Now the user information exists we need to configure Linux so that the users are allowed to login. The login protocol for Active Directory is Kerberos 5, so we need to install the PAM Kerberos 5 module, and the client package to help testing.

$ sudo apt-get install heimdal-clients libpam-heimdal

Configure Kerberos with the details of the AD realm and IP addresses, /etc/krb5.conf

[libdefaults]
       default_realm = EXAMPLE.COM

[realms]
       EXAMPLE.COM = {
               kdc = 10.30.2.2:88
       }

[domain_realm]
       .example.com = EXAMPLE.COM
       example.com = EXAMPLE.COM

Update the PAM configuration to check for Kerberos accounts, /etc/pam.d/common-auth, choose whether you want a Kerberos login prompt or a regular prompt first.

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#

# prompt user "Password for <principal>: " (warning: no i18n)
auth sufficient pam_krb5.so minimum_uid=1000 ➊
auth required pam_unix.so nullok_secure

# use password from pam_unix prompt
#auth sufficient pam_unix.so nullok_secure
#auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass

➊ Many alternatives are possible here, a popular replacement for "minimum_uid" is "ignore_root".

To manage the Kerberos tickets update /etc/pam.d/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#

session required pam_unix.so
session optional pam_foreground.so
session optional pam_krb5.so

If you want home directories automagically created for new users add the following line.

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Samba 4 passwords cannot be changed via kpasswd and so common-password settings are irrelevant. The account information is handled already by pam_unix with NSS and libnss-ldap so no changes required for common-account. However the extra information would be along the lines of this.

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so

Warning

If the AD server is running on PC Engines WRAP hardware there is no battery backup clock. This means when the machine is switched off for a period of time the clock will reset. When the machine is powered up it will need an internet connection to resync the time. Without a time resync Kerberos will not allow clients to login.

Testing

With the AD server running and an account setup try acquiring some tokens with the kinit command.

$ kinit wendy
<email address hidden>'s Password:

Clock Skew

For security and clock sanity in a network environment Kerberos requires that all clocks are synchronised. The kinit command will otherwise fail.

kinit: krb5_get_init_creds: Too large time skew

Setup time synchronisation with the ntpdate program and maintain clock consistency with the ntpd server.

$ sudo apt-get install ntpdate
$ sudo ntpdate ntp.ubuntu.com
25 Jul 16:22:06 ntpdate[8158]: step time server 82.211.81.145 offset 402569.951826 sec
$ sudo apt-get install ntp-simple

Confirm you now have tickets with the klist command.

$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: <email address hidden>

  Issued Expires Principal
Jul 25 16:23:06 Jul 26 02:23:58 <email address hidden>

To test the accounts we need a method of logging in, as we need it for LTSP we can install the OpenSSH server and client packages.

$ sudo apt-get install openssh-server openssh-client

Try to login using the AD user account.

$ ssh wendy@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
wendy@localhost's password:
Linux ubuntu 2.6.15-23-386 #1 PREEMPT Tue May 23 13:49:40 UTC 2006 i686 GNU/Linux

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Jul 26 10:32:24 2006 from localhost
wendy@ubuntu:~$

If you get a password error confirm that the password works correctly with kinit, if that works then there might be a problem with time synchronisation between the AD and your server. First step is to enable debug logging with the pam_krb5 module, edit common-auth and add the keyword "debug" to the end of the Kerberos line.

auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass debug

Try to login again and monitor /var/log/auth.log, this should explain why you cannot login.

Invalid Key Table

The following error can arise if an invalid /etc/krb5.keytab exists.

Aug 7 19:31:27 ubuntu sshd[4444]: pam_krb5: pam_sm_authenticate(ssh wendy): entry:
Aug 7 19:31:27 ubuntu sshd[4444]: pam_krb5: verify_krb_v5_tgt(): krb5_mk_req(): KDC has no support for encryption type
Aug 7 19:31:27 ubuntu sshd[4444]: pam_krb5: pam_sm_authenticate(ssh wendy): exit: failure
Aug 7 19:31:30 ubuntu sshd[4444]: Failed password for wendy from 127.0.0.1 port 50054 ssh2

The following error usually indicates the lack of a valid /etc/krb5.keytab, which is usually not a problem.

Aug 7 20:00:05 ubuntu sshd[4764]: pam_krb5: pam_sm_authenticate(ssh wendy): entry:
Aug 7 20:00:05 ubuntu sshd[4764]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
Aug 7 20:00:05 ubuntu sshd[4764]: pam_krb5: pam_sm_authenticate(ssh wendy): exit: success
Aug 7 20:00:05 ubuntu sshd[4764]: Failed password for wendy from 10.0.0.69 port 39428 ssh2

Shadow Passwords

However one cause of failure is that the shadow account details cannot be found, ensure you have the following in /etc/nsswitch.conf.

shadow: files ldap

Specifying any of the following will fail.

shadow: files
shadow: compat

Realm Mismatch

The following error indicates an incorrect host name, domain name, or AD domain:

Sep 9 17:35:00 ubuntu sshd[8088]: pam_krb5: pam_sm_authenticate(ssh steve-o): entry:
Sep 9 17:35:00 ubuntu sshd[8088]: pam_krb5: verify_v5_tgt(): krb5_sname_to_principal(): Cannot determine realm for host
Sep 9 17:35:00 ubuntu sshd[8088]: pam_krb5: pam_sm_authenticate(ssh steve-o): exit: failure
Sep 9 17:35:00 ubuntu sshd[8088]: Failed password for steve-o from 127.0.0.1 port 52992 ssh2

Check that /etc/hostname matches /etc/hosts with full domain entries that match /etc/krb5.conf, the following examples highlight where the domain name should appear.

/etc/hostname:

ubuntu.example.com

/etc/hosts:

127.0.0.1 localhost

10.82.6.10 ubuntu.example.com ubuntu

/etc/krb5.conf:

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
        kdc = 10.30.2.2:88
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Massimo Forti (slackwarelife) said :
#12

The pam modules are well configured in this how-to; there is some problem with dbus, which requires a manual configuration of the dbus daemon, or there is other pam configuration. Another problem is the password: in this case there is no control of password security, the user can insert anything they want. The pam modules must be improved.

Thanks

Massimo Forti (slackwarelife) said :
#13

The pam modules are not well configured in this how-to, sorry for my error before.

dripley (dripley) said :
#14

I am having this exact same problem. I have a bunch of Edubuntu machines in a school with a Windows 2003 AD server. They have no sound and I need to know what to do to allow 'Domain Users' to have access to the audio group.

dak (daniel-kendall) said :
#15

I'm in the same boat too. Although I did get the sound working for AD users. I followed this thread on Ubuntu Forums: http://ubuntuforums.org/showthread.php?t=77469
It came down to putting the following in the /etc/pam.d/common-auth file

auth required pam_group.so use_first_pass

and... in /etc/security/group.conf

* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner

You will need to reboot the Ubuntu Linux box.
This also adds the users to the other local groups as well.

Can you help with this problem?
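The group.conf line in the post above is the entire policy for who gets those local groups, so it is worth seeing exactly what it matches. The evaluator below is an added example, not code from this thread or from Linux-PAM: it reimplements the documented pam_group(8) field matching (services; ttys; users; times; groups, with `*`, comma lists, `!` negation and pam_time-style day codes such as Al or Wk) against constructed rules. The user `EXAMPLE+wendy`, the dates and the narrower alternative rule are assumptions for illustration. Two points the run makes: the `*` service field hands the groups to every PAM service that includes common-auth, so an sshd session gets plugdev, floppy and the rest just as a console login does; and pam_group is an auth module, so its line must come before `auth sufficient pam_winbind.so`, otherwise the sufficient success ends the auth stack before pam_group is reached and domain users get nothing.

```python
"""Evaluate /etc/security/group.conf rules the way pam_group(8) does.

Added example, not code from the thread or from Linux-PAM. It reproduces the
documented field matching for the common cases so the effect of a rule can be
checked before it is deployed. Not modelled: '&' logic lists, '@netgroup'
users and '%group' references.
"""
import re
from datetime import datetime

# pam_time style day codes, in datetime.weekday() numbering (Monday == 0).
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}
TIME_RE = re.compile(r"^((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")


def match_list(field, value):
    """services / ttys / users field: '*' wildcard, comma list, leading '!' negates."""
    field = field.strip()
    if field == "*":
        return True
    negate = field.startswith("!")
    items = [i.strip() for i in field.lstrip("!").split(",")]
    hit = "*" in items or value in items
    return hit != negate


def match_time(field, when):
    """times field such as 'Al0000-2400' or 'Wk0800-1800'; a repeated day negates it."""
    field = field.strip()
    if field == "*":
        return True
    negate = field.startswith("!")
    m = TIME_RE.match(field.lstrip("!"))
    if not m:
        raise ValueError(f"unsupported time spec: {field!r}")
    days = set()
    for code in re.findall(r"Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al", m.group(1)):
        days ^= DAY_CODES[code]          # 'AlFr' == every day except Friday
    start, end = int(m.group(2)), int(m.group(3))
    hhmm = when.hour * 100 + when.minute
    hit = when.weekday() in days and start <= hhmm < end
    return hit != negate


def groups_for(conf, service, tty, user, when):
    """Supplementary groups pam_group would add for this login, in rule order."""
    groups = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"malformed group.conf line: {line!r}")
        svc, ttys, users, times, grp = fields
        if (match_list(svc, service) and match_list(ttys, tty)
                and match_list(users, user) and match_time(times, when)):
            for g in grp.split(","):
                g = g.strip()
                if g and g not in groups:
                    groups.append(g)
    return groups


# Constructed rules: the one from the post above, and a hypothetical narrower
# alternative that only applies to console logins through gdm or login.
THREAD_RULE = "* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner"
NARROW_RULE = "gdm,login ; * ; * ; Al0000-2400 ; audio, video, plugdev"

# Constructed timestamps used by the demonstration.
WEDNESDAY = datetime(2007, 7, 25, 16, 23)
FRIDAY = datetime(2007, 7, 27, 10, 0)
SATURDAY = datetime(2007, 7, 28, 10, 0)

if __name__ == "__main__":
    for rule in (THREAD_RULE, NARROW_RULE):
        for svc, tty in (("gdm", ":0"), ("sshd", "")):
            print(f"{svc:5} {groups_for(rule, svc, tty, 'EXAMPLE+wendy', WEDNESDAY)}")
```

Run it and the blanket rule gives an ssh login the same eight groups as a console login, while the narrowed rule gives sshd nothing. If the goal is only sound and removable media at the console, the service field is the place to say so; the user field can also be narrowed from `*` to the accounts that should get the groups.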
