Anthony E. Greene <firstname.lastname@example.org>
Sun Nov 27 12:35:06 UTC 2005
This document describes configuring a Linux box to authenticate logins using either a Windows PDC or a local password file.
I have a server and a Laptop that both run Linux in an environment that is otherwise dominated by Windows clients and servers. We use Windows NT Domain logins for our Windows clients. To make it easy for users, I use the same passwords for services provided by Linux (login, POP3, FTP, Samba file/print) as are used when users login to their Windows desktops.
Initially, I had done this by manually updating users' Linux passwords when their domain passwords changed. Recently my organization shortened the domain password expiration interval. Additionally, the Linux server has become an integral part of our office's operation and I needed to set it up for easier long term maintenance. One of the things that I needed to do to satisfy both these requirements was reduce or eliminate password maintenance overhead. This also improves security by eliminating my need for access to users' passwords.
I decided that if I could authenticate users using either their domain username/password or their local password, then local passwords would only need to be managed for those users that did not have a domain account (ie; root). I would still need to add/delete user accounts on the machine, but that would only need to be done on the infrequent occasion that someone joins or leaves our workgroup.
There is a way to enable logins for users that do not have a local account, but there are security issues that should be considered. If you want to do this, you should read the Linux-PAM documents.
su cd /usr/local/src tar -zxvf /path/pam_smb_auth-<version>.tar.gz
cd pam_smb_auth-<version> less README
I'll only cover the configuration of the login and xdm services in this document. Configuring other services is similar and usually simpler.
The first step is to create the /etc/pam_smb.conf file. This file contains three lines. The first is the name of your Windows domain. The second and third are the names of two machines that can perform authentication for your user accounts. The file might look like this:
MyDomain MyPDC MyBDC
The authentication servers must be specified by their NETBIOS names. These NETBIOS names should be included in the local hosts file (/etc/hosts) to ensure fast name resolution:
192.168.1.50 mypdc.mydomain.tld mypdc 192.168.1.51 mybdc.mydomain.tld mybdc
The login and xdm PAM configuration files are /etc/pam.d/login and /etc/pam.d/xdm, respectively. On my Red Hat 6.2 box, the login file looks like this:
auth required /lib/security/pam_securetty.so auth required /lib/security/pam_pwdb.so shadow nullok auth required /lib/security/pam_nologin.so account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow session required /lib/security/pam_pwdb.so session optional /lib/security/pam_console.so
The lines we are interested in are the ones that authenticate the user. In this case, that's the first three lines. These lines make up the auth module. Make a backup copy of the file (cp login login.original) before starting your edit. This will make it easier to return to your original configuration if this procedure does not work.
We will set up the authentication so that it checks the local password file first. If this succeeds, the user is authenticated and the SMB authentication is skipped. But if the password file authentication fails, then the same credentials (username/password) will be presented to the SMB authentication server. If this also fails then the authentication fails and the user will not be able to login.
The key changes we will make are:
DO NOT EXIT THE ROOT LOGIN UNTIL YOU HAVE TESTED THE RESULT.
The updated login file should look something like this:
auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_pwdb.so shadow nullok auth required /lib/security/pam_smb.so use_first_pass account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow session required /lib/security/pam_pwdb.so session optional /lib/security/pam_console.so
The sufficient flag tells Linux-PAM that if the authentication module succeeds, then following authentication modules may be skipped. If the module fails, then the failure is not fatal and following authentication modules should be tried.
Since the pam_smb_auth module follows the pam_pwdb module, pam_smb_auth will only be run if pam_pwdb (local password file) fails. Since pam_smb_auth is a required module, it's failure will result in a failed authentication for the user. But if it passes, then the failed pam_pwdb authentication is ignored.
You will need to edit /etc/shadow to disable the password on a local account that also exists in the Windows domain. You will need to edit /etc/shadow. Copy/paste the encrypted/hashed password into a text editor or write it down. This is so you can recover easily. Alternatively, you can just delete the password and reset it from the root login later. Remember to safely discard the saved copy of the encrypted/hashed password after you finish.
Replace the encrypted/hashed password for the test user with an asterisk (*). The line should now look something like this:
Save the file and close the editor, but do not logout.
Login on another console (ALT-F2), or open an xterm and ssh -l username localhost. Test the changes like this:
If all tests give the expected results, then your password maintenance chores have just become easier. You can now edit the xdm file so that the auth section looks like the one in the login file. On my system, the gdm and kde files are essentially duplicates of the xdm file, so I renamed them and created links to the xdm file using their original names:
mv gdm gdm.original mv kde kde.original ln -s xdm gdm ln -s xdm kde
Now all the graphical logins will use the same authentication scheme. You can edit the PAM configuration files for the other services if they need to be accessible to users (ie, Samba). For instance, if your users will be using a POP3 client to read their mail, then you should edit the imap and/or pop PAM config files to use pam_smb_auth too. If your users will need to be able to use the machine as an FTP server, then you should configure the ftp PAM config file.
In each case, the key is to make sure the pam_pwdb and pam_smb_auth lines are the last two in the auth section and that they are setup the same as in the login file.
You can now add and delete users on your Linux box using the standard useradd and userdel utilities or whatever GUI tool you prefer. If you don't set a local password, the authentication will automatically be done using your new pam_smb_auth module.
Copyright © 2000-2005, Anthony E. Greene <email@example.com>
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation, with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available on the Internet at http://www.gnu.org/copyleft/fdl.html or from the Free Software Foundation, 50 Temple Place - Suite 330, Boston, MA 02111-1307 USA.