opsi-server_authentication_over_windows_ad_based_on

OPSI Server authentication over Windows AD based on LDAP

Purpose:

You can use your Windows user and password to authenticate against the following services:

SSH
SAMBA
OPSI ConfigEditor

Configuration steps:

This procedure is tested with Debian 6.0.10 and OPSI 4.0.5

Before you can use the login to the OPSI host with your Windows user and password, you have to create a local *NIX user account (no password necessary). Use as *NIX username the Windows sAMAccountName.
- addusers –no-create-home –ingroup opsiadmin <sAMAccountName>

Install additional package:
- apt-get install libpam-ldap

Here is the relevant configuration part for pam_ldap.conf:
- Windows AD Domain Controller: dc1.mywin.domain (in this case the DC holds the PDC role)
- AD user account: OpsiAdRead
- AD user pass: secretpw

/etc/pam_ldap.conf

#

# The distinguished name of the search base.
base dc=mywin,dc=domain

# Another way to specify your LDAP server is to provide an
uri ldap://dc1.mywin.domain 

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=OpsiAdRead,cn=Users,dc=mywin,dc=domain

# The credentials to bind with.
# Optional: default is no credential.
bindpw secretpw

# The search scope.
scope sub

# Search timelimit
timelimit 5

# Bind/connect timelimit
bind_timelimit 5

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy soft

# The user ID attribute (defaults to uid)
pam_login_attribute sAMAccountName

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
pam_password ad

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

Here is the relevant configuration changes for the smb.conf:
- For the “password server” option you can use more as one server, if one server not reachable the next one is used. Use as server name the Netbios name and not the FQDN or the IP address. If one of the servers rejects the password the connection failed, Samba does not ask the next server.

/etc/samba/smb.conf

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
    workgroup = MYWIN

####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = domain

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
#   passdb backend = tdbsam
   password server = dc1 dc2 

   obey pam restrictions = yes
#

Join the OPSI host to the Windows AD domain
- DC1 = Netbios name of the windows domain controller dc1.mywin.domain
- Administrator = Domain admin account
  - net rpc join -S DC1 -U Administrator

Create a domain user account <pcpatch>
- Use for the domain user <pcpatch> the same password as for the OPSI user <pcpatch>.

passwd pcpatch <secret_pcpatch_password>
smbpasswd –U pcpatch <secret_pcpatch_password>
opsi-admin -d task setPcpatchPassword <secret_pcpatch_password>

Create a global host parameter with the ConfigEd.

clientconfig.depot.user : MYWIN\pcpatch

http://thejoyofstick.com/blog/2012/03/31/authenticating-linux-users-against-microsoft-active-directory/

Special thanks to Jürgen Judt for writing this paper!