4.8. Nuauth authentication configurations

4.8.1. PAM/LDAP authentication with Nuauth

PAM is a very convenient way of extending authentication to "exotic" directories. In particular, PAM lets nuauth authenticate users against NT domains, Active Directory, RADIUS, etc.

To have nuauth authenticate users through PAM/LDAP, one must set in nuauth.conf:

nuauth_user_check_module="system"

In addition, PAM needs to be properly set up, which is external to NuFW and out of the scope of this document. Here are a couple of files to set on Debian to get PAM/LDAP working with nuauth. First, /etc/pam.d/nuauth:

  #This is to set PAM-LDAP, modify to suit your needs!
  auth    required      /lib/security/pam_env.so
  auth    sufficient    /lib/security/pam_ldap.so
  auth    required      /lib/security/pam_deny.so

  account required      /lib/security/pam_ldap.so

  session required      /lib/security/pam_limits.so
  session optional      /lib/security/pam_ldap.so
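
The order and control flags of the auth lines above are what make the stack fail closed: pam_ldap is "sufficient", so a successful LDAP bind ends the stack and pam_deny is never reached, whereas a failed bind falls through to pam_deny, which always fails. Without that final pam_deny line, a failed LDAP bind would leave only the successful pam_env as a "required" result and the stack would succeed. The following small simulator of Linux-PAM control-flag semantics is an added illustration, not NuFW code: the stack text is copied from the snippet above, the second stack (with pam_deny removed) and the module outcomes are constructed.

```python
"""Simulate the Linux-PAM control flags used in the /etc/pam.d/nuauth auth
stack. Added illustration, not NuFW code: the stack text is copied from
the snippet above and the module outcomes are constructed."""

# Constructed copy of the auth lines from the /etc/pam.d/nuauth snippet.
NUAUTH_AUTH_STACK = """
auth    required      /lib/security/pam_env.so
auth    sufficient    /lib/security/pam_ldap.so
auth    required      /lib/security/pam_deny.so
"""

# Same stack with the final pam_deny line left out (a common mistake).
STACK_WITHOUT_DENY = """
auth    required      /lib/security/pam_env.so
auth    sufficient    /lib/security/pam_ldap.so
"""


def parse_stack(text, service_type="auth"):
    """Return [(control_flag, module_basename)] for lines of one type."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != service_type:
            continue
        control, module = parts[1].lower(), parts[2].rsplit("/", 1)[-1]
        entries.append((control, module))
    return entries


def evaluate(stack, outcomes):
    """Walk the stack with Linux-PAM's simple control-flag semantics.

    outcomes maps a module name to True (PAM_SUCCESS) or False (any
    failure). pam_deny.so always fails; a module with no entry in
    outcomes is treated as failing. Returns True if the stack succeeds.
    """
    required_failed = False
    saw_decisive = False        # any required/requisite/sufficient entry
    optional_result = None      # only used when the stack is all-optional
    for control, module in stack:
        ok = False if module == "pam_deny.so" else outcomes.get(module, False)
        if control in ("required", "requisite"):
            saw_decisive = True
            if not ok:
                if control == "requisite":
                    return False        # fail immediately
                required_failed = True  # remember, but keep walking
        elif control == "sufficient":
            saw_decisive = True
            if ok and not required_failed:
                return True             # short-circuit: later lines skipped
        elif control == "optional":
            optional_result = ok
    if not saw_decisive:
        return bool(optional_result)
    return not required_failed


def auth_result(stack_text, ldap_ok):
    """Outcome of the auth stack when pam_ldap succeeds (ldap_ok=True) or
    fails (ldap_ok=False); pam_env is assumed to succeed."""
    stack = parse_stack(stack_text)
    return evaluate(stack, {"pam_env.so": True, "pam_ldap.so": ldap_ok})


if __name__ == "__main__":
    for name, text in (("with pam_deny", NUAUTH_AUTH_STACK),
                       ("without pam_deny", STACK_WITHOUT_DENY)):
        for ldap_ok in (True, False):
            print(f"{name:18} ldap_ok={ldap_ok!s:5} -> {auth_result(text, ldap_ok)}")
```

Running it shows the stack from this section returning True only when pam_ldap succeeds, while the stack without pam_deny returns True even when the LDAP bind fails.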

The /etc/nsswitch.conf file also needs to be tuned:

  #This is to set PAM-LDAP, modify to suit your needs!
  passwd:         compat ldap
  group:          compat ldap
  
(leave the other lines unchanged). You probably also need to tune the /etc/pam_ldap.conf file. The following works for us, provided there is no line beginning with "uri":

  host 127.0.0.1
  ldap_version 3
  scope one
  pam_password crypt
  nss_base_passwd         ou=Users,dc=nufw,dc=org?one
  nss_base_group          ou=Group,dc=nufw,dc=org?one
  
You also need to install and configure libnss-ldap. The following configuration works for us (still on Debian) in /etc/libnss-ldap.conf:

  host 127.0.0.1
  base replace_with_your_base
  ldap_version 3
  rootbinddn cn=admin,dc=replace_with_your_base
  #Optional, set if you need these:
  nss_base_passwd ou=users,dc=replace_with_your_base?one
  nss_base_group ou=groups,dc=replace_with_your_base?one
  
Of course, tune this to suit your needs, and be aware that these system instructions may not be accurate for other distributions!

4.8.2. PAM/Winbind authentication with Nuauth

On Debian/Ubuntu, you will need the following packages:

    krb5-user
    krb4-config
    samba
    winbind

The /etc/krb5.conf file should contain something like:

[libdefaults]
        default_realm = DOMAIN.NAME
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        DOMAIN.NAME = {
                kdc = 10.0.122.5
                admin_server = 10.0.122.5
                default_domain = DOMAIN.NAME
        }

[domain_realm]
        .domain.name = DOMAIN.NAME
        domain.name = DOMAIN.NAME
        shortname = DOMAIN.NAME
        .shortname = DOMAIN.NAME

The /etc/nsswitch.conf file should look like:

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns mdns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

It is very important that your system is time-synchronized with the AD/NT server: Kerberos rejects tickets when the clock skew between the client and the KDC is too large, so authentication will fail silently otherwise. You should set up NTP to achieve this!

The /etc/samba/smb.conf file should also be customized:

[global]
# Change this to the workgroup/NT-domain name your Samba server will be part of
   realm = DOMAIN.NAME
   password server = AD-SERVER
   netbios name = NUAUTH-SERVER
   workgroup = SHORTNAME

# server string is the equivalent of the NT Description field
   server string = %h server sexa-prn1 (Samba, Ubuntu)

####### Authentication #######

   security = ads
   encrypt passwords = true
   guest account = nobody

############ Misc ############

   socket options = TCP_NODELAY
   domain master = no

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash

   template homedir = /home/%D/%U
   client use spnego = yes
   client ntlmv2 auth = yes
   restrict anonymous = 2

To join the Windows Domain, one will use:

kinit administrator@DOMAIN.NAME

net ads join -U administrator

The last command should display the short domain name, and should specify that the machine was successfully added to the domain.

Winbind (or winbindd) should be running on your system. You can check that things are going all right by reading the Samba logs (probably in /var/log/samba/*).
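
Before joining the domain it is worth checking the configuration files of this section for the points that most often go wrong: winbind must be listed for passwd and group in /etc/nsswitch.conf, smb.conf must use "security = ads" for the ADS join, "restrict anonymous" should stay at 2, and the idmap uid/gid ranges must not collide with ids already used by local accounts (the comment in the smb.conf snippet warns about exactly this). The following read-only checker is an added example and not NuFW code: the nsswitch.conf and smb.conf texts are constructed from the snippets above, and LOCAL_IDS is a constructed stand-in for the uids and gids you would read from /etc/passwd and /etc/group.

```python
"""Read-only pre-flight checks for the PAM/winbind setup described in this
section. Added example, not NuFW code: the config texts are constructed
from the snippets above, and LOCAL_IDS stands in for what you would read
from /etc/passwd and /etc/group."""
import re

# Constructed from the nsswitch.conf snippet above.
NSSWITCH_OK = """
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns mdns
"""

# Constructed from the smb.conf snippet above (relevant keys only).
SMBCONF_OK = """
[global]
# Change this to the workgroup/NT-domain name your Samba server will be part of
   realm = DOMAIN.NAME
   password server = AD-SERVER
   workgroup = SHORTNAME
####### Authentication #######
   security = ads
   encrypt passwords = true
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   restrict anonymous = 2
"""

# Constructed stand-in for ids found in the local /etc/passwd and /etc/group.
LOCAL_IDS = {0, 1000, 65534}


def nss_sources(nsswitch_text, database):
    """Sources listed for one NSS database, e.g. ['compat', 'winbind']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []


def parse_smb_global(smbconf_text):
    """{key: value} for the [global] section; keys are lowercased with
    internal whitespace collapsed so 'idmap  uid' and 'idmap uid' match."""
    values, section = {}, None
    for raw in smbconf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment markers
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            values[" ".join(key.lower().split())] = value.strip()
    return values


def parse_range(text):
    """'10000-20000' -> (10000, 20000)."""
    lo, hi = text.split("-", 1)
    return int(lo), int(hi)


def check_winbind_config(nsswitch_text, smbconf_text, local_ids):
    """Return a list of findings (empty when everything looks consistent)."""
    findings = []
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch_text, db):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind")
    g = parse_smb_global(smbconf_text)
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: 'security' is not 'ads' (needed for net ads join)")
    if g.get("restrict anonymous") != "2":
        findings.append("smb.conf: 'restrict anonymous' is not 2")
    for key in ("idmap uid", "idmap gid"):
        if key not in g:
            findings.append(f"smb.conf: '{key}' is not set")
            continue
        lo, hi = parse_range(g[key])
        clash = sorted(i for i in local_ids if lo <= i <= hi)
        if clash:
            findings.append(
                f"smb.conf: '{key}' range {lo}-{hi} overlaps local ids {clash}")
    return findings


if __name__ == "__main__":
    result = check_winbind_config(NSSWITCH_OK, SMBCONF_OK, LOCAL_IDS)
    for line in result or ["all checks passed"]:
        print(line)
```

On a real host, pass the contents of /etc/nsswitch.conf and /etc/samba/smb.conf and the set of uids/gids collected from /etc/passwd and /etc/group; an empty result means the static checks passed, and the runtime state (winbindd running, trust secret valid) is then confirmed from the Samba logs as described above.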