PDC Authentication HOWTO

Anthony E. Greene <tony@greene-family.org>

Sun Nov 27 12:35:06 UTC 2005
_________________________________________________________________

This document describes configuring a Linux box to authenticate logins
using either a Windows PDC or a local password file.
_________________________________________________________________

Table of Contents

   1. Introduction
   2. Requirements
   3. Installation
   4. Configuration
   5. Testing
   6. Copyright

Introduction

I have a server and a laptop that both run Linux in an environment that
is otherwise dominated by Windows clients and servers. We use Windows NT
domain logins for our Windows clients. To make it easy for users, I use
the same passwords for the services provided by Linux (login, POP3, FTP,
Samba file/print) as are used when users log in to their Windows
desktops.

Initially, I had done this by manually updating users' Linux passwords
when their domain passwords changed. Recently my organization shortened
the domain password expiration interval. Additionally, the Linux server
has become an integral part of our office's operation and I needed to set
it up for easier long-term maintenance. One of the things I needed to do
to satisfy both requirements was to reduce or eliminate password
maintenance overhead. This also improves security by eliminating my need
for access to users' passwords.

I decided that if I could authenticate users using either their domain
username/password or their local password, then local passwords would
only need to be managed for those users that do not have a domain account
(i.e., root). I would still need to add/delete user accounts on the
machine, but that would only need to be done on the infrequent occasion
that someone joins or leaves our workgroup.

There is a way to enable logins for users that do not have a local
account, but there are security issues that should be considered. If you
want to do this, you should read the Linux-PAM documents
(http://www.kernel.org/pub/linux/libs/pam/).
Requirements

  * A Linux system that supports Pluggable Authentication Modules (PAM).
    Most popular distributions do.
  * The pam_smb_auth package, currently available in tar.gz format from
    http://www.csn.ul.ie/~airlied/pam_smb/. This package comes installed
    on all popular Linux distros.
  * A server capable of providing SMB authentication. This could be a
    Windows PDC or a Samba server (http://samba.anu.edu/) set up as a PDC.
  * Some knowledge of Linux-PAM and/or the Linux-PAM documentation from
    /usr/share/doc/pam-/html/pam.html on your Linux system.
  * A means to open multiple simultaneous logins to your Linux box. This
    could be several xterm windows, multiple SSH sessions from another
    machine, or [Alt]-[F2 thru F6] at the console. Test this first to be
    sure it will work.

Installation

Untar the pam_smb_auth archive:

   su
   cd /usr/local/src
   tar -zxvf /path/pam_smb_auth-.tar.gz

Follow the installation instructions in the README file included in the
pam_smb_auth documentation:

   cd pam_smb_auth-
   less README

Configuration

I'll only cover the configuration of the login and xdm services in this
document. Configuring other services is similar and usually simpler.

The first step is to create the /etc/pam_smb.conf file. This file
contains three lines. The first is the name of your Windows domain. The
second and third are the names of two machines that can perform
authentication for your user accounts. The file might look like this:

   MyDomain
   MyPDC
   MyBDC

The authentication servers must be specified by their NETBIOS names.
These NETBIOS names should be included in the local hosts file
(/etc/hosts) to ensure fast name resolution:

   192.168.1.50 mypdc.mydomain.tld mypdc
   192.168.1.51 mybdc.mydomain.tld mybdc

The login and xdm PAM configuration files are /etc/pam.d/login and
/etc/pam.d/xdm, respectively.
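A quick consistency check for the two files just described, added here as an example (it is not part of the HOWTO or of pam_smb; the file contents and names in it are constructed): it parses /etc/pam_smb.conf, enforces the three-line shape (domain, primary server, backup server), and reports any authentication server whose NETBIOS name has no entry in /etc/hosts, which is the case that would leave pam_smb waiting on slower name resolution.

```python
"""Check that /etc/pam_smb.conf and /etc/hosts agree with each other.
All file contents below are constructed samples for this example."""

import ipaddress

# Constructed pam_smb.conf: domain, primary auth server, backup auth server.
PAM_SMB_CONF = """MyDomain
MyPDC
MyBDC
"""

# Constructed hosts file. The BDC entry is deliberately left out so the
# check below has something to report.
HOSTS = """127.0.0.1    localhost
192.168.1.50 mypdc.mydomain.tld mypdc
# 192.168.1.51 mybdc.mydomain.tld mybdc   <- missing on purpose
"""


def parse_pam_smb_conf(text):
    """Return (domain, pdc, bdc); raise ValueError if the shape is wrong."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 3:
        raise ValueError(
            f"expected 3 lines (domain, PDC, BDC), got {len(lines)}")
    domain, pdc, bdc = lines
    for name in (pdc, bdc):
        # NETBIOS names carry at most 15 characters plus a suffix byte.
        if len(name) > 15:
            raise ValueError(f"{name!r} is too long for a NETBIOS name")
    return domain, pdc, bdc


def parse_hosts(text):
    """Map every hostname and alias (lower-cased) to its address."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)            # raises on a malformed address
        for name in names:
            table[name.lower()] = addr
    return table


def check_auth_servers(conf_text, hosts_text):
    """Return the configured servers that have no hosts-file entry.
    NETBIOS names are case-insensitive, so MyPDC matches 'mypdc'."""
    _, pdc, bdc = parse_pam_smb_conf(conf_text)
    hosts = parse_hosts(hosts_text)
    return [server for server in (pdc, bdc) if server.lower() not in hosts]


if __name__ == "__main__":
    missing = check_auth_servers(PAM_SMB_CONF, HOSTS)
    for server in missing:
        print(f"warning: {server} is not listed in /etc/hosts")
    print("all authentication servers resolve locally" if not missing
          else f"{len(missing)} server(s) missing")
```

On a real system you would pass the contents of the actual files to check_auth_servers; the sample above reports MyBDC as missing until the second hosts line from the HOWTO is added.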
On my Red Hat 6.2 box, the login file looks like this:

   auth       required     /lib/security/pam_securetty.so
   auth       required     /lib/security/pam_pwdb.so shadow nullok
   auth       required     /lib/security/pam_nologin.so
   account    required     /lib/security/pam_pwdb.so
   password   required     /lib/security/pam_cracklib.so
   password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
   session    required     /lib/security/pam_pwdb.so
   session    optional     /lib/security/pam_console.so

The lines we are interested in are the ones that authenticate the user.
In this case, that's the first three lines. These lines make up the auth
section.

Make a backup copy of the file (cp login login.original) before starting
your edit. This will make it easier to return to your original
configuration if this procedure does not work.

We will set up the authentication so that it checks the local password
file first. If this succeeds, the user is authenticated and the SMB
authentication is skipped. But if the password file authentication fails,
then the same credentials (username/password) will be presented to the
SMB authentication server. If this also fails, then the authentication
fails and the user will not be able to log in.

The key changes we will make are:

  * Change the pam_pwdb line from required to sufficient and move it so
    that it follows all other auth lines.
  * Add an auth line for pam_smb_auth below the pam_pwdb line and make it
    required.

DO NOT EXIT THE ROOT LOGIN UNTIL YOU HAVE TESTED THE RESULT.
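The two changes listed above only behave as intended because of how Linux-PAM combines the control flags, and in particular because the sufficient line is moved after every other auth line. The following simulation is an added example written for this edit, not code from the HOWTO or from pam_smb: the module functions are stand-ins (nothing reads /etc/shadow or contacts a PDC), and the account tables, passwords and tty names are invented. It evaluates the original stack, the edited stack, and a misordered variant in which the sufficient pam_pwdb line is placed before pam_securetty.

```python
"""Toy model of a Linux-PAM auth stack with the required/sufficient/optional
control flags. Everything here is constructed for the example: the module
functions are stand-ins (nothing reads /etc/shadow or talks to a PDC) and
the account tables, tty names and passwords are invented."""

SECURE_TTYS = {"tty1", "tty2"}   # stand-in for /etc/securetty
NOLOGIN_PRESENT = False          # stand-in for "/etc/nologin exists"

# "*" mirrors the disabled local hash used in the Testing section of the
# HOWTO: such an entry can never match a typed password.
LOCAL_PASSWORDS = {"root": "r00t-local", "alice": "*", "bob": "bob-local"}
DOMAIN_PASSWORDS = {"alice": "alice-domain", "bob": "bob-domain"}


def pam_securetty(user, password, ctx):
    """root may only log in on a tty listed in /etc/securetty."""
    return user != "root" or ctx["tty"] in SECURE_TTYS


def pam_nologin(user, password, ctx):
    """When /etc/nologin exists, only root may log in."""
    return user == "root" or not NOLOGIN_PRESENT


def pam_pwdb(user, password, ctx):
    """Local password file; a '*' entry disables local authentication."""
    stored = LOCAL_PASSWORDS.get(user)
    return stored is not None and stored != "*" and stored == password


def pam_smb(user, password, ctx):
    """SMB authentication against the PDC (use_first_pass: same credentials).
    Counts its calls so a caller can see whether the PDC was consulted."""
    ctx["smb_calls"] = ctx.get("smb_calls", 0) + 1
    return DOMAIN_PASSWORDS.get(user) == password


def run_auth_stack(stack, user, password, tty="tty1"):
    """Evaluate an auth stack given as (control, module) pairs.

    required:   a failure is remembered, but later modules still run
    requisite:  a failure ends the stack immediately
    sufficient: success ends the stack with PAM_SUCCESS unless a required
                module has already failed; a failure is simply ignored
    optional:   only decides the result when it is the sole module
    Returns (authenticated, ctx) so side effects can be inspected.
    """
    ctx = {"tty": tty}
    required_failed = False
    for control, module in stack:
        ok = module(user, password, ctx)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False, ctx
        elif control == "sufficient":
            if ok and not required_failed:
                return True, ctx
        elif control == "optional":
            if len(stack) == 1:
                return ok, ctx
        else:
            raise ValueError("unknown control flag: " + control)
    return not required_failed, ctx


def auth(stack, user, password, tty="tty1"):
    """Convenience wrapper returning only the pass/fail decision."""
    return run_auth_stack(stack, user, password, tty)[0]


# The original Red Hat 6.2 auth section: local password file only.
ORIGINAL_STACK = [("required", pam_securetty),
                  ("required", pam_pwdb),
                  ("required", pam_nologin)]

# The HOWTO's edited auth section: pwdb sufficient, after every other auth
# line, then pam_smb required.
UPDATED_STACK = [("required", pam_securetty),
                 ("required", pam_nologin),
                 ("sufficient", pam_pwdb),
                 ("required", pam_smb)]

# Wrong ordering: the sufficient pwdb line placed before pam_securetty.
MISORDERED_STACK = [("sufficient", pam_pwdb),
                    ("required", pam_securetty),
                    ("required", pam_nologin),
                    ("required", pam_smb)]

if __name__ == "__main__":
    print(auth(ORIGINAL_STACK, "alice", "alice-domain"))              # False
    print(auth(UPDATED_STACK, "alice", "alice-domain"))               # True
    print(auth(UPDATED_STACK, "root", "r00t-local", tty="pts/3"))     # False
    print(auth(MISORDERED_STACK, "root", "r00t-local", tty="pts/3"))  # True
```

The last two calls are the point of the ordering rule: with the edited stack, root on a tty that is not in /etc/securetty is refused even with the right local password, because the required pam_securetty failure is remembered before pam_pwdb can short-circuit the stack. With the sufficient line moved to the top, the same login is accepted and pam_securetty is never consulted.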
The updated login file should look something like this:

   auth       required     /lib/security/pam_securetty.so
   auth       required     /lib/security/pam_nologin.so
   auth       sufficient   /lib/security/pam_pwdb.so shadow nullok
   auth       required     /lib/security/pam_smb.so use_first_pass
   account    required     /lib/security/pam_pwdb.so
   password   required     /lib/security/pam_cracklib.so
   password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
   session    required     /lib/security/pam_pwdb.so
   session    optional     /lib/security/pam_console.so

The sufficient flag tells Linux-PAM that if the authentication module
succeeds, then the following authentication modules may be skipped. If
the module fails, the failure is not fatal and the following
authentication modules are still tried. Since the pam_smb_auth module
follows the pam_pwdb module, pam_smb_auth will only be run if pam_pwdb
(local password file) fails. Since pam_smb_auth is a required module, its
failure will result in a failed authentication for the user. But if it
passes, then the failed pam_pwdb authentication is ignored.

Testing

You will need to edit /etc/shadow to disable the password on a local
account that also exists in the Windows domain. Copy/paste the
encrypted/hashed password into a text editor or write it down so that you
can recover easily. Alternatively, you can just delete the password and
reset it from the root login later. Remember to safely discard the saved
copy of the encrypted/hashed password after you finish.

Replace the encrypted/hashed password for the test user with an asterisk
(*). The line should now look something like this:

   username:*:11034:0:99999:7:-1:-1:134550580

Save the file and close the editor, but do not log out. Log in on another
console (ALT-F2), or open an xterm and run ssh -l username localhost.
Test the changes like this:

  * Attempt to log in with a non-existent username. This should fail.
  * Attempt to log in with a username other than the one whose password
    you removed (i.e., root). This should succeed.
  * Attempt to log in with the username whose password you removed, but
    with an invalid password (don't do this several times in a row or you
    may lock out your account). This should fail.
  * Attempt to log in with the username whose password you removed, using
    the correct password. This should succeed (and it should reset any
    lockout counter).

If all tests give the expected results, then your password maintenance
chores have just become easier.

You can now edit the xdm file so that the auth section looks like the one
in the login file. On my system, the gdm and kde files are essentially
duplicates of the xdm file, so I renamed them and created links to the
xdm file using their original names:

   mv gdm gdm.original
   mv kde kde.original
   ln -s xdm gdm
   ln -s xdm kde

Now all the graphical logins will use the same authentication scheme.

You can edit the PAM configuration files for the other services if they
need to be accessible to users (i.e., Samba). For instance, if your users
will be using a POP3 client to read their mail, then you should edit the
imap and/or pop PAM config files to use pam_smb_auth too. If your users
will need to be able to use the machine as an FTP server, then you should
configure the ftp PAM config file. In each case, the key is to make sure
the pam_pwdb and pam_smb_auth lines are the last two in the auth section
and that they are set up the same as in the login file.

You can now add and delete users on your Linux box using the standard
useradd and userdel utilities or whatever GUI tool you prefer. If you
don't set a local password, the authentication will automatically be done
using your new pam_smb_auth module.

Copyright

Copyright © 2000-2005, Anthony E.
Greene <tony@greene-family.org>

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.1 or any
later version published by the Free Software Foundation, with no
Invariant Sections, with no Front-Cover Texts, and with no Back-Cover
Texts. A copy of the license is available on the Internet at
http://www.gnu.org/copyleft/fdl.html or from the Free Software
Foundation, 50 Temple Place - Suite 330, Boston, MA 02111-1307 USA.