Wednesday 13 May 2015

Authenticating users in Solaris 11.2 against Active Directory

Install Solaris on SPARC, then add Samba so that Solaris can authenticate users against Active Directory.

Create the server/zone computer name in AD first,

then run the following commands on the host system (ngroups_max is raised because AD users commonly belong to more groups than the Solaris default allows):

# echo "set ngroups_max=1024" >> /etc/system

#pkg install ntp

Create ntp.conf in /etc/inet. Kerberos requires the clock to be within a few minutes of the DC, so sync time against the AD DC:

# vi ntp.conf
# provide the AD DC IP or hostname
server your-ntp-usually-AD-DC

# svcadm enable network/ntp

done with host
----

Log into the zone or guest domain; the rest works for both virtualization technologies.
#zlogin guest
or
#telnet localhost 500x
Once logged into the zone or guest:

#pkg install samba

Add the domain controllers to /etc/hosts (same for Solaris and Linux):

192.xx.xx.xx ad-dc ad-dc.domain
192.xx.xx.xx ad-dc2 ad-dc2.domain

Enable dns/client:

# svcadm enable svc:/network/dns/client:default

Configure name services in SMF. The DNS client part is only needed in zones; for guest domains it is configured at setup time, so skip to "select name-service/switch".

#svccfg
svc:> select dns/client
svc:/network/dns/client> setprop config/search = astring: ("your-domain" "your-sub-domain")
svc:/network/dns/client:default> setprop config/nameserver = net_address: (xx.xx.xx.xx xx.xx.xx.xx)
svc:/network/dns/client:default> select dns/client:default
svc:/network/dns/client:default> refresh

--- You only need to set the three properties below, then refresh and exit ---

svc:/network/dns/client:default>select name-service/switch
svc:/system/name-service/switch> setprop config/host =astring: "files [SUCCESS=return] dns"
svc:/system/name-service/switch> setprop config/password = "files winbind"
svc:/system/name-service/switch> setprop config/group = "files [SUCCESS=return] winbind"

--- The remaining properties should already show as below (no change needed) ---

svc:/system/name-service/switch> setprop config/network = "files"
svc:/system/name-service/switch> setprop config/protocol = "files"
svc:/system/name-service/switch> setprop config/rpc = "files"
svc:/system/name-service/switch> setprop config/ether = "files"
svc:/system/name-service/switch> setprop config/netmask = "files"
svc:/system/name-service/switch> setprop config/bootparam = "files"
svc:/system/name-service/switch> setprop config/publickey = "files"
svc:/system/name-service/switch> setprop config/netgroup= "files"
svc:/system/name-service/switch> setprop config/automount = "files ldap"
svc:/system/name-service/switch> setprop config/alias = "files"
svc:/system/name-service/switch> setprop config/service = "files"
svc:/system/name-service/switch> setprop config/project = "files"
svc:/system/name-service/switch> setprop config/auth_attr = "files"
svc:/system/name-service/switch> setprop config/prof_attr = "files"
svc:/system/name-service/switch> setprop config/tnrhtp = "files"
svc:/system/name-service/switch> setprop config/tnrhdb = "files"
svc:/system/name-service/switch> setprop config/printer = "user files"

--- Do this to save ---

svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/network/dns/client:default> exit

Create the Samba master config file; this one authenticates through winbind.

#vi /etc/samba/smb.master

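[global]
        workgroup = domain
        # Kerberos realm; must match default_realm in krb5.conf (upper-cased there)
        realm = domain.ca
        # ads: Kerberos/AD domain member, not an NT4-style join
        security = ads
        utmp = yes

        # UID/GID range winbind allocates for AD users and groups of the default (*) domain
        idmap config * : range = 16777216-33554431

        # AD users of the joined domain appear as plain "user";
        # users from other domains as DOMAIN+user
        winbind separator = +
        winbind use default domain = yes
        template shell = /usr/bin/bash
        template homedir = /data/%U
        # required by "cached_login = yes" in pam_winbind.conf
        winbind offline logon = yes
        winbind nss info = rfc2307
        unix charset = iso8859-15
        server string = somass
        username map = /etc/samba/smbusers

        # level 5 is very verbose and records user/host details in the log;
        # drop to 1 once the setup is working
        log level = 5
        log file = /var/samba/log/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        preferred master = no
        dns proxy = no

        winbind trusted domains only = no
        # full user/group enumeration, needed for the "wbinfo -g" check
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes

        # printing disabled (no CUPS on this host)
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes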



Then generate the final smb.conf from the master with testparm (this also validates the syntax):

# testparm -s /etc/samba/smb.master > /etc/samba/smb.conf

To allow only a list of users, restrict logins in pam_winbind.conf; otherwise any AD user can log into the system. This also works with AD groups: no winbind separator or domain prefix is needed, just put the AD group name in the list.

#vi /etc/security/pam_winbind.conf
#
[global]
# Only the listed users or AD groups (comma separated) may log in;
# without this line every AD user is accepted.
require_membership_of =joe, rolando
# Fall back to cached credentials when the DC is unreachable
# (requires "winbind offline logon = yes" in smb.conf).
cached_login = yes
# Create the home directory on first login.
mkhomedir = yes
# Troubleshooting only; the output is verbose.
#debug = yes





Create the Kerberos config file:

#vi /etc/krb5/krb5.conf


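[libdefaults]
        # presumably seconds (krb5 duration syntax) - verify with klist
        ticket_lifetime = 24000
        # must match "realm" in smb.conf and the [realms] entry below exactly
        default_realm = DOMAIN.CA
        # AES preferred; RC4-HMAC kept last only for older DCs/accounts
        default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
        default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
        permitted_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
        # Only needed for single-DES enctypes, none of which are listed above;
        # set to false unless a DES-only service still has to be reached.
        allow_weak_crypto = true
        # uncomment to locate realm/KDCs via DNS SRV records instead of the static list
        # dns_lookup_realm = true
        # dns_lookup_kdc = true

[realms]
        # Realm names are case-sensitive and must equal default_realm;
        # a bare "DOMAIN" entry here is never matched for DOMAIN.CA.
        DOMAIN.CA = {
                kdc = xx.xx.xx.xx
                kdc = xx.xx.xx.xx
                admin_server = xx.xx.xx.xx
        }

[domain_realm]
        .domain.ca = DOMAIN.CA
        domain.ca = DOMAIN.CA

[kdc]
        # only consulted by a KDC process, not by clients; presumably a leftover
        profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }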


Same for all OSes, but Solaris prints a warning; check with klist that a ticket was created:
# kinit admin-user-in-ad@DOMAIN.CA




Join the domain (same for all OSes):

# net join -w DOMAIN -U admin-user-in-ad
Enter admin-user-in-ad's password:
Using short domain name -- DOMAIN
Joined 'SOMASS' to dns domain 'DOMAIN'

Configure PAM for SSO:

#cp /etc/pam.conf-winbind /etc/pam.conf

Only the lines containing pam_winbind.so.1 were added or modified; note them when editing.

#vi /etc/pam.conf
#
# login service: pam_winbind is tried first as "sufficient", so on an AD success
# the remaining auth modules of this stack are not run for that call.
# NOTE(review): confirm pam_unix_cred still establishes Solaris credentials for
# AD users here; the Kerberized stacks below list pam_unix_cred before pam_krb5.
login   auth sufficient         pam_winbind.so.1        try_first_pass
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
#login   auth sufficient          pam_krb5.so.1
login   auth binding            pam_unix_auth.so.1      server_policy
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
# winbind deliberately left disabled for rlogin/rsh (AD users cannot use them)
#rlogin auth sufficient         pam_winbind.so.1        try_first_pass
rlogin  auth required           pam_unix_auth.so.1
#
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#rsh     auth sufficient         pam_winbind.so.1      try_first_pass
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
#
gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
# (ssh and other services land here; same winbind-first pattern as login)
#
other   auth sufficient         pam_winbind.so.1        try_first_pass
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
#other   auth sufficient          pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
#
#
passwd  auth binding            pam_passwd_auth.so.1    server_policy
cron    account required        pam_unix_account.so.1
cups    account required        pam_unix_account.so.1

gdm-autologin account  sufficient  pam_allow.so.1
#
# Account management: winbind enforces require_membership_of from pam_winbind.conf.
# NOTE(review): as "sufficient" ahead of pam_roles/pam_unix_account, a successful
# winbind account check returns before those two run for AD users - confirm intended.
other   account sufficient      pam_winbind.so.1    try_first_pass
other   account requisite       pam_roles.so.1
other   account binding         pam_unix_account.so.1   server_policy
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
# (pam_winbind here is what creates the home dir via mkhomedir in pam_winbind.conf)
#
other   session required        pam_unix_session.so.1
other   session sufficient      pam_winbind.so.1        try_first_pass
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
# (AD password changes through winbind are intentionally not enabled)
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1  force_check
#other  password sufficient     pam_winbind.so.1        try_first_pass
other   password required       pam_authtok_store.so.1
# NOTE(review): this trailing account entry references pam_ldap, but
# name-service/switch above is configured for files + winbind, not ldap, and it
# sits after the password stack. Presumably a leftover - verify and drop if LDAP
# is not in use.
other   account sufficient         pam_ldap.so.1



Enable the Samba services:

#svcadm enable winbind samba
# svcs winbind samba swat wins
STATE          STIME    FMRI
disabled       Dec_03   svc:/network/swat:default
disabled       Dec_03   svc:/network/wins:default
online         14:41:00 svc:/network/samba:default
online         14:41:01 svc:/network/winbind:default

Check that you can see all the AD groups and users:
# wbinfo -g
# wbinfo -i "user"

Add AD users to sudoers:


#vi /etc/sudoers

# Named AD accounts (resolved through winbind) granted full sudo
User_Alias      CHIS = joe,rolando
CHIS ALL=(ALL) ALL
# Every member of the AD group AD-GROUP (membership comes from nsswitch/winbind);
# with "winbind use default domain" set in smb.conf no DOMAIN+ prefix is needed.
# An AD group name containing spaces would have to be quoted.
%AD-GROUP  ALL=(ALL)       ALL


Test by logging in as an AD user and running sudo commands.

Monitor your server with nagios
