PAM authentication with winbind and AD

All,

After two days of googling, reading, swearing and cursing, I am finally admitting I cannot solve this one. I have three production FreeBSD servers running various network utilities (DHCP, bacula, zabbix, syslog, rsync). These have been running fine for several years. As a primarily Windows domain (accounting firm; not much choice), I like to centralize all logins into AD, which is currently mixed 2003/2008 DCs. To achieve this with FreeBSD, I have been using the following instructions since FreeBSD 6.1 and Samba 3.0, with the exception that I built all the ports through the ports collection:

http://oslabs.mikro-net.com/fbsd_samba.html

It has always worked for several years through FreeBSD 7.1 and Samba 3.2 with the current AD structure, but recently I decided to upgrade the Samba port and now I am having issues. To troubleshoot, I have set up a clean install of FreeBSD 8.1 with the following ports built with the following options and setup:

Code:
openntpd
heimdal 1.4
     IPV6=on
     KCM=on
     BDB=off
     SQLITE=off
     LDAP=off
     PKINIT=on
     DIGEST=on
     KX509=on
     KRB4=off
     CRACKLIB=off
     X11=off
cyrus-sasl2
     BDB=on
     MYSQL=off
     PGSQL=off
     SQLITE=off
     DEV_URANDOM=off
     ALWAYSTRUE=off
     KEEP_DB_OPEN=off
     AUTHDAEMOND=off
     LOGIN=off
     PLAIN=off
     CRAM=off
     DIGEST=off
     OTP=off
     NTLM=off
openldap24-sasl-client
     SASL=on
     FETCH=on
samba 3.5
     LDAP=on
     ADS=on
     CUPS=off
     WINBIND=on
     SWAT=off
     ACL_SUPPORT=on
     AIO_SUPPORT=on
     FAM_SUPPORT=on
     SYSLOG=on
     QUOTAS=on
     UTMP=on
     PAM_SMBPASS=on
     DNSUPDATE=off
     AVAHI=off
     EXP_MODULES=on
     POPT=on
     IPV6=off
     MAX_DEBUG=off
     SMBTORTURE=off

After setting up as I have before, I can get ldapsearch, wbinfo -u and getent passwd username to display the correct info. It appears that winbind is communicating with AD. But the login command fails with a signal 11 (core dump) and no other info.

I have included configs and an abridged log below as well. Some information in the configs and logs has been edited for security, but I am sure it is set correctly in the real files.

I would appreciate any help. If there is an easier, newer and/or better way to authenticate users to AD on FreeBSD, please let me know. I don't use Samba for file shares, just for authentication.

Code:
/etc/krb5.conf
[logging]
default = SYSLOG:AUTH:INFO
kdc = SYSLOG:AUTH:INFO
admin_server = SYSLOG:AUTH:INFO

[libdefaults]
default_domain = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
kdc = gnv-dc3-tmp.example.com
default_domain = example.com
admin_server = gnv-dc3-tmp.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.EXAMPLE.COM = EXAMPLE.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

/usr/local/etc/openldap/ldap.conf
host gnv-dc3-tmp.example.com
base dc=example,dc=com
ldap_version 3
URI ldap://gnv-dc3-tmp.example.com
binddn cn=username,cn=GNV,cn=AllUsers,dc=example,dc=com
bindpw p@55w0rd
scope sub
pam_login_attribute sAMAccountName
pam_passwd md5
idle_timeout 3600
nss_base_passwd dc=example,dc=com?one
nss_base_group dc=example,dc=com?one
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5cc_0

/etc/pam.d/login
auth		sufficient	pam_winbind.so
auth		sufficient	pam_self.so		no_warn
auth		include		system

# account
account		sufficient	pam_winbind.so
account		requisite	pam_securetty.so
account		required	pam_nologin.so
account		include		system

# session
session		include		system

# password
password	include		system


/etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

/usr/local/etc/smb.conf
[global]
realm = EXAMPLE.COM
security = ADS
encrypt passwords = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
workgroup = EXAMPLE
server string =
allow trusted domains = no
idmap backend = idmap_rid:EXAMPLE=100000-200000
idmap uid = 100001-200000
idmap gid = 100001-200000
netbios name = GNV-NS2-TMP
winbind use default domain = yes
syslog = 3
syslog only = yes
template shell = /bin/tcsh
restrict anonymous = 2
client ntlmv2 auth = yes

/var/log/all.log
Feb  3 16:09:38 gnv-ns2-tmp ntpd[29094]: ntp engine ready
Feb  3 16:09:40 gnv-ns2-tmp ntpd[29093]: set local clock to Thu Feb  3 16:09:40 EST 2011 (offset 1.713505s)
Feb  3 16:10:03 gnv-ns2-tmp ntpd[29094]: peer 192.168.4.19 now valid
Feb  3 16:12:27 gnv-ns2-tmp ntpd[29094]: clock is now synced
Feb  3 16:13:31 gnv-ns2-tmp ntpd[29096]: adjusting local clock by 0.032613s
...
Feb  3 22:04:23 gnv-ns2-tmp kernel: pid 1532 (login), uid 0: exited on signal 11 (core dumped)
 
There are a couple of potentially overlapping requirements here; let's break them down.

There is the authentication piece (taking a username/password and verifying that it is valid).
There is the directory services piece (account details for username foo (uid, homedir, shell, etc)).

Which piece are you interested in working against Active Directory?

Assuming you want both, here's my recommendation having done this exact same thing about 9 years ago at a previous job.

Note: I don't recommend using Samba. I find it very unwieldy and difficult to use myself, but as I say above, it's been 9 years.

Authentication:

First off, check to see if your DNS is properly setup with the SRV records for the Active Directory domain:
% dig _kerberos._udp.EXAMPLE.COM SRV
If that doesn't return a valid result, figure out if you are talking to the wrong DNS server.

Now that we verified DNS, try the following from a stock FreeBSD install with network access (UDP port 88) to the domain controllers:
% kinit imauser@EXAMPLE.COM

If that works, you basically have the authentication piece nailed.

All you need to do is enable pam_krb5 in your system. Uncomment the following line in /etc/pam.d/system and /etc/pam.d/sshd (and any others you need):
Code:
auth           sufficient      pam_krb5.so             no_warn try_first_pass
(Optionally uncomment the account module, read pam_krb5(8). I don't think the password module will work, but it's probably not a big deal).

Now, create a local user in the password file named imauser (matching the AD username) and attempt to login using the windows password. It should work.

Congratulations, you are now halfway there.

Directory Services:

I'll admit, this is the much harder piece. Honestly, if you only have 3 FreeBSD boxes, I'd probably just create local user accounts for people (as shown by the imauser example above) and be done with it.

Otherwise you'll need to come up with something as described by http://en.wikipedia.org/wiki/Active_Directory#Unix_integration. The problem is you need a place to store the necessary Unix user information for each user (username, uid, gid, home dir, gecos, shell). Fortunately, the default schema for Active Directory since 2003 R2 includes the necessary schema changes, but you need to figure some of this out on your own. Try this reference https://help.ubuntu.com/community/ActiveDirectoryHowto#Configure AD. Basically, you need to install some software on your Windows domain that will allow you to setup the Unix attributes in AD.

Once you've figured that out (exercise for the reader), install the net/nss_ldap port. You will need to build an /etc/ldap.conf that will map the AD attributes to Unix, something like:
Code:
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
Along with login details (you'll need a read only AD account to bind to the LDAP server with). The exact mapping will depend on what version of AD you are using. The example ldap.conf that comes with the port is generally helpful.

After that, alter /etc/nsswitch.conf to have:
Code:
passwd: files ldap
group: files ldap

Then try it out. I recommend using % id -P imauser to show you the user's equivalent passwd line.

Conclusion:
Once you have all that, sit back and realize you've done something that almost no one else is crazy enough to attempt: Successfully integrating Unix and Windows systems into a single authentication and directory services realm.

It's pretty nifty when it works well.
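The attribute mapping quoted above, applied to a constructed AD user so you can see the passwd line that `id -P imauser` should eventually produce. This is an added example, not code from the thread or from the net/nss_ldap port; the AD object and its values are assumptions, and the FILETIME conversion for pwdLastSet is shown explicitly here for illustration.

```python
from datetime import datetime, timezone

# The mapping lines quoted in the post above (nss_ldap syntax).
NSS_MAP_CONF = """\
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
"""
# Constructed AD user object with the 2003 R2 Unix attributes populated.
AD_USER = {
    "objectClass": ["top", "person", "user"],
    "sAMAccountName": "imauser",
    "uidNumber": "10001", "gidNumber": "10001", "gecos": "Ima User",
    "unixHomeDirectory": "/home/imauser", "loginShell": "/bin/tcsh",
    # Windows FILETIME (100 ns ticks since 1601-01-01): 2011-02-03 00:00 UTC
    "pwdLastSet": "129411648000000000",
}
EPOCH_DIFF_TICKS = 116444736000000000  # 1601-01-01 -> 1970-01-01 in 100 ns

def parse_nss_map(conf):
    """Return ({posix_attr: ad_attr}, {posix_class: ad_class})."""
    attrs, classes = {}, {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "nss_map_attribute":
            attrs[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == "nss_map_objectclass":
            classes[parts[1]] = parts[2]
    return attrs, classes

def filetime_to_unix(ft):
    """pwdLastSet is a FILETIME; shadowLastChange wants a Unix-epoch value."""
    return (int(ft) - EPOCH_DIFF_TICKS) // 10_000_000

def ad_to_passwd(entry, conf=NSS_MAP_CONF):
    """Unix view of an AD entry under the mapping; None if not a posixAccount."""
    attrs, classes = parse_nss_map(conf)
    if classes.get("posixAccount", "posixAccount") not in entry["objectClass"]:
        return None
    get = lambda posix: entry.get(attrs.get(posix, posix))  # mapped, else same name
    last_set = filetime_to_unix(get("shadowLastChange"))
    return {
        "passwd_line": ":".join([get("uid"), "*", get("uidNumber"), get("gidNumber"),
                                 get("gecos"), get("homeDirectory"), get("loginShell")]),
        "shadowLastChange": last_set // 86400,  # shadow(5) counts days since epoch
        "pwdLastSet_utc": datetime.fromtimestamp(last_set, tz=timezone.utc).date().isoformat(),
    }
```

Attributes with no nss_map_attribute line (uidNumber, gidNumber, gecos, loginShell) are looked up under their RFC 2307 names, which is why the AD side must carry them under exactly those names.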
 
Thanks, Gordon. That worked great. I only really wanted authentication. In fact, I like having to set up a "shadow" user on the FreeBSD box, as that allows me to regulate who has access. And it doesn't require a bulky service for something simple. I can't thank you enough.
 
Still getting a PAM auth error (invalid user); something tells me that it is not going to the AD server. Any help or tips for troubleshooting/debugging?
 