Configuring PAM on the Linux server
If Pluggable Authentication Modules (PAM) is used with the BMC Client Management agent, it must be specifically configured on the Linux server. The following steps must be executed:
- Time synchronization
- Hosts file verification
- krb5.conf file configuration
- SAMBA configuration
- Winbind service
- Nsswitch.conf
- Authentication configuration
To execute these steps, open a terminal window and proceed as follows:
- Synchronize the Linux server with the KDC server:
  - Stop the /etc/init.d/ntpd service.
  - Synchronize the time by entering the following command:
    ntpdate <KDC server address>
  - Restart the /etc/init.d/ntpd service.
Ensure that the KDC server, the AD server (this might be on the same device), and the AD domain are reachable by name. If they cannot be pinged, the name resolution must be added to the hosts file. For example:
  192.168.110.3 dns
  192.168.110.3 host
  127.0.0.1 localhost
To apply the modifications, restart the network service by typing the following command:
/etc/init.d/network restart
Open the /etc/krb5.conf file and use the following example to define the server and domain definitions for communications required for Kerberos authentication:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SUPPORT.SOPHIA.METRIXSYSTEMS.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 SUPPORT.SOPHIA.METRIXSYSTEMS.COM = {
  kdc = support.sophia.metrixsystems.com
  default_domain = support.sophia.metrixsystems.com
  admin_server = support.sophia.metrixsystems.com
 }

[domain_realm]
 .support.sophia.metrixsystems.com = SUPPORT.SOPHIA.METRIXSYSTEMS.COM
 support.sophia.metrixsystems.com = SUPPORT.SOPHIA.METRIXSYSTEMS.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 kinit = {
  forwardable = true
 }
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Open the /etc/samba/smb.conf file and use the following example to configure Samba:
[global]
 realm = SUPPORT.SOPHIA.METRIXSYSTEMS.COM
 password server = support.sophia.metrixsystems.com
 workgroup = SUPPORT
 server string = Samba Server
 printcap name = /etc/printcap
 load printers = yes
 cups options = raw
 log file = /var/log/samba/%m.log
 max log size = 50
 security = ADS
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 dns proxy = no
 winbind separator = @
 idmap uid = 10000-100000
 idmap gid = 10000-100000
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 winbind use default domain = yes
 domain master = no
 local master = no
 prefered master = no
 os level = 0

[homes]
 comment = Home Directories
 browseable = no
 writable = yes

[printers]
 comment = All Printers
 path = /var/spool/samba
 browseable = no
 guest ok = no
 writable = no
 printable = yes
After modifying the file, the Samba service must be restarted for the updated configuration to take effect. To do so, enter the following command:
/etc/init.d/smb restart
Start or restart the winbind service by entering the following command:
/etc/init.d/winbind restart
Verify that the nsswitch.conf file contains the following information:
passwd: compat winbind
shadow: compat winbind
group: compat winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files winbind
protocols: db files
rpc: db files
services: db files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
To configure the authentication, create the file bmc in the directory /etc/pam.d with the following content:
#%PAM-1.0
# This file is auto-generated.
# User changes are destroyed the next time authconfig is run.
auth       required   /lib/security/$ISA/pam_env.so
auth       sufficient /lib/security/$ISA/pam_winbind.so
auth       sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth       required   /lib/security/$ISA/pam_deny.so
account    sufficient /lib/security/$ISA/pam_winbind.so
account    required   /lib/security/$ISA/pam_unix.so
account    sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account    required   /lib/security/$ISA/pam_permit.so
password   requisite  /lib/security/$ISA/pam_cracklib.so retry=3
password   sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password   required   /lib/security/$ISA/pam_deny.so
session    required   /lib/security/$ISA/pam_limits.so
session    required   /lib/security/$ISA/pam_unix.so
session    optional   /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=027
session    optional   /lib/security/$ISA/pam_krb5.so
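The following check script is an added example, not part of the BMC documentation: it verifies that a PAM service file such as /etc/pam.d/bmc uses pam_winbind and that its auth and password stacks end in a required pam_deny.so entry (the line that makes the stack fail closed when every sufficient module fails), and that nsswitch.conf lists winbind for the passwd and group databases. The function names pam_stack_ok and nsswitch_ok and the sample files written to a temporary directory are assumptions of this example.

```shell
# Added check script (not from the BMC documentation): verifies that a PAM
# service file such as /etc/pam.d/bmc and an nsswitch.conf consult winbind,
# and that the auth and password stacks end in 'required pam_deny.so'.
# Without that last line a stack whose sufficient modules all fail still
# succeeds on the strength of the required pam_env.so alone.

# pam_stack_ok FILE: 0 if auth and account use pam_winbind and the last
# auth and password entries are 'required ... pam_deny.so'.
pam_stack_ok() {
    for kind in auth account; do
        grep -Eq "^$kind[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_winbind\.so" "$1" \
            || return 1
    done
    for kind in auth password; do
        last=$(grep -E "^$kind[[:space:]]" "$1" | tail -n 1)
        echo "$last" | grep -Eq "required[[:space:]]+[^[:space:]]*pam_deny\.so" || return 1
    done
    return 0
}

# nsswitch_ok FILE: 0 if the passwd and group databases list winbind.
nsswitch_ok() {
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# Constructed samples: the documented bmc stack and a copy without pam_deny.
tmp=$(mktemp -d)
cat > "$tmp/bmc.good" <<'EOF'
auth       required   /lib/security/$ISA/pam_env.so
auth       sufficient /lib/security/$ISA/pam_winbind.so
auth       sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth       required   /lib/security/$ISA/pam_deny.so
account    sufficient /lib/security/$ISA/pam_winbind.so
account    required   /lib/security/$ISA/pam_unix.so
password   sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   required   /lib/security/$ISA/pam_deny.so
EOF
grep -v pam_deny "$tmp/bmc.good" > "$tmp/bmc.bad"
printf 'passwd: compat winbind\ngroup: compat winbind\nhosts: files dns\n' > "$tmp/nsswitch.good"
printf 'passwd: compat\ngroup: compat\n' > "$tmp/nsswitch.bad"

for f in bmc.good bmc.bad nsswitch.good nsswitch.bad; do
    case $f in bmc.*) pam_stack_ok "$tmp/$f";; *) nsswitch_ok "$tmp/$f";; esac \
        && echo "$f: OK" || echo "$f: FAIL (expected for the .bad samples)"
done
```

To check a live server, call pam_stack_ok /etc/pam.d/bmc and nsswitch_ok /etc/nsswitch.conf instead of the constructed samples.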
For more information, see https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto