Configuring PAM on the Linux server
If Pluggable Authentication Modules (PAM) is used with the CM agent, it must be specifically configured on the Linux server. The following steps must be executed:
- Time synchronization
- Hosts file verification
- krb5.conf file configuration
- SAMBA configuration
- Winbind service
- Nsswitch.conf
- Authentication configuration
To execute these steps, open a terminal window and proceed as follows:
- Synchronize the Linux server with the KDC server:
- Stop the /etc/init.d/ntpd service.
- Synchronize the time by entering the following command: ntpdate <KDC server address>.
- Restart the /etc/init.d/ntpd service.
Ensure that the KDC server, the AD server (this might be on the same device), and the AD domain are reachable by name. If they cannot be pinged, the name resolution must be added to the hosts file, for example:
192.168.110.3   support.sophia.metrixsystems.com           dns
192.168.110.3   hotline.support.sophia.metrixsystems.com   host
127.0.0.1       MonLinux.sophia.metrixsystems.com          localhost
- To apply the modifications, restart the network service by typing the following command: /etc/init.d/network restart
Open the /etc/krb5.conf file and use the following example to define the realm, KDC and domain settings required for Kerberos authentication:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SUPPORT.SOPHIA.METRIXSYSTEMS.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
SUPPORT.SOPHIA.METRIXSYSTEMS.COM = {
kdc = support.sophia.metrixsystems.com
default_domain = support.sophia.metrixsystems.com
admin_server = support.sophia.metrixsystems.com
}
[domain_realm]
.support.sophia.metrixsystems.com = SUPPORT.SOPHIA.METRIXSYSTEMS.COM
support.sophia.metrixsystems.com = SUPPORT.SOPHIA.METRIXSYSTEMS.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
kinit = {
forwardable = true
}
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Open the /etc/samba/smb.conf file and use the following example to configure Samba:
[global]
realm = SUPPORT.SOPHIA.METRIXSYSTEMS.COM
password server = support.sophia.metrixsystems.com
workgroup = SUPPORT
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
winbind separator = @
idmap uid = 10000-100000
idmap gid = 10000-100000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
winbind use default domain = yes
domain master = no
local master = no
prefered master = no
os level = 0
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
After modifying the file, the Samba service must be restarted for the updated Samba configuration to take effect. To do this, enter the following command: /etc/init.d/smb restart
- Start or restart the winbind service by entering the following command: /etc/init.d/winbind restart
Verify that the nsswitch.conf file contains the following information:
passwd: compat winbind
shadow: compat winbind
group: compat winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files winbind
protocols: db files
rpc: db files
services: db files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
To configure the authentication, create the file bmc in the directory /etc/pam.d with the following content:
#%PAM-1.0
# This file is auto-generated.
# User changes are destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=027
session optional /lib/security/$ISA/pam_krb5.so
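As an added example (not part of the original documentation), the following POSIX shell script checks two properties worth confirming after completing the steps above: that each PAM management group in /etc/pam.d/bmc still contains an enforcing (required or requisite) module so the stack fails closed, and that the passwd, shadow and group databases in nsswitch.conf consult winbind. It runs against constructed copies of the files embedded in the script, so no AD domain or running winbind is needed.

```shell
#!/bin/sh
# Added example, not part of the original documentation: offline checks
# that the PAM stack and nsswitch.conf produced by the steps above are
# fail-closed and route account lookups to winbind. The inputs are
# constructed copies embedded here, so it runs without AD or winbind.

PAM_OK=$(mktemp)    # constructed: auth and account stacks of /etc/pam.d/bmc
cat >"$PAM_OK" <<'EOF'
#%PAM-1.0
auth    required    /lib/security/$ISA/pam_env.so
auth    sufficient  /lib/security/$ISA/pam_winbind.so
auth    sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth    required    /lib/security/$ISA/pam_deny.so
account sufficient  /lib/security/$ISA/pam_winbind.so
account required    /lib/security/$ISA/pam_unix.so
EOF

PAM_WEAK=$(mktemp)  # constructed: the same auth stack with no enforcing line
cat >"$PAM_WEAK" <<'EOF'
auth    sufficient  /lib/security/$ISA/pam_winbind.so
auth    sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
EOF

NSS=$(mktemp)       # constructed: nsswitch.conf with winbind missing from group
printf 'passwd: compat winbind\nshadow: compat winbind\ngroup: compat\n' >"$NSS"
trap 'rm -f "$PAM_OK" "$PAM_WEAK" "$NSS"' EXIT

# check_fail_closed FILE GROUP: succeed if the management group (auth,
# account, password, session) contains at least one required or requisite
# module other than pam_env.so or pam_permit.so, i.e. a failure that the
# "sufficient" entries cannot skip over. Comment lines are ignored.
check_fail_closed() {
    awk -v g="$2" '
        /^[[:space:]]*#/ { next }
        $1 == g && ($2 == "required" || $2 == "requisite") &&
            $3 !~ /pam_env\.so$/ && $3 !~ /pam_permit\.so$/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check_nss_winbind FILE DB: succeed if the database line names a local
# source (compat or files) before winbind, as the nsswitch.conf above does.
check_nss_winbind() {
    grep -Eq "^$2:[[:space:]]+(compat|files)([[:space:]]+[^[:space:]]+)*[[:space:]]+winbind([[:space:]]|\$)" "$1"
}

# Report the nsswitch result for each database when run directly.
for db in passwd shadow group; do
    check_nss_winbind "$NSS" "$db" && echo "$db: winbind ok" || echo "$db: winbind missing"
done
```

Point the two functions at the real /etc/pam.d/bmc and /etc/nsswitch.conf to check a live server; a non-zero exit from either function marks the group or database that needs attention.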