Single Sign On (SSO) for Linux and Windows

SingleSignOn
Kerberos
OpenLDAPServer
Samba/Kerberos

Abbreviations

Active Directory (AD)
Domain Controller (DC)
Primary Domain Controller (PDC)
Group Policy Object (GPO), the group policy object of a Windows Active Directory domain

Linux Logon/Logoff Scripts

AppNote: How to Implement Login Scripts into a Pure Linux Environment

Name Service Switch (NSS)

Background on Name Service Switch

Pluggable Authentication Modules (PAM)

Understand PAM and NSS
PAM/NSS

How PAM works
Understanding PAM
NetBSD: Pluggable Authentication Modules (PAM)
FreeBSD: Pluggable Authentication Modules
Wikipedia: Pluggable Authentication Modules
RedHat: Using Pluggable Authentication Modules (PAM)
User Authentication HOWTO – PAM (Pluggable Authentication Modules)

Samba Shared Folders

Samba Server
Samba Server: smb.conf
samba question: share = user
ubuntu server and samba

$ chown nobody:sambashare /raid/share
# smbpasswd -a bachi
New SMB password:
Retype new SMB password:
tdbsam_open: Converting version 0.0 database to version 4.0.
WARNING: database '/var/db/samba4/private/passdb.tdb.tmp' does not end in .[n]tdb: treating it as a TDB file!
tdbsam_convert_backup: updated /var/db/samba4/private/passdb.tdb file.
tdb(/var/db/samba4/winbindd_idmap.tdb): tdb_open_ex: could not open file /var/db/samba4/winbindd_idmap.tdb: No such file or directory
tdb(/var/db/samba4/account_policy.tdb): tdb_open_ex: could not open file /var/db/samba4/account_policy.tdb: No such file or directory
account_policy_get: tdb_fetch_uint32 failed for type 1 (min password length), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 2 (password history), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 3 (user must logon to change password), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 4 (maximum password age), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 5 (minimum password age), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 6 (lockout duration), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 7 (reset count minutes), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 8 (bad lockout attempt), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 9 (disconnect time), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 10 (refuse machine password change), returning 0
Added user bachi.

The tdb warnings above come from the first smbpasswd run creating the databases under /var/db/samba4 with a mismatched tdb/ntdb setup. After removing and reinstalling samba41 together with its ntdb and tdb packages, smbpasswd adds the user without any warnings:

# pkg remove samba41 ntdb tdb
# pkg install samba41 ntdb tdb

# smbpasswd -a bachi
New SMB password:
Retype new SMB password:

# ls -la /var/db/samba4/
total 480
drwxr-xr-x   3 root  wheel     512 Feb 18 11:07 .
drwxr-xr-x  12 root  wheel     512 Feb 18 11:00 ..
-rw-------   1 root  wheel  421888 Feb 18 11:03 account_policy.tdb
-rw-r--r--   1 root  wheel     237 Feb 18 11:07 browse.dat
-rw-r--r--   1 root  wheel     696 Feb 18 11:03 gencache.tdb
-rw-r--r--   1 root  wheel     696 Feb 18 11:07 gencache_notrans.tdb
-rw-------   1 root  wheel     696 Feb 18 11:03 group_mapping.tdb
-rw-------   1 root  wheel     696 Feb 18 11:03 mutex.tdb
drwxr-xr-x   2 root  wheel     512 Feb 11 10:16 private


# pdbedit -L -v
---------------
Unix username:        bachi
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-565438450-2596499718-1061971255-1000
Primary Group SID:    S-1-5-21-565438450-2596499718-1061971255-513
Full Name:            Andreas Bachmann
Home Directory:       \\bsd\bachi
HomeDir Drive:
Logon Script:
Profile Path:         \\bsd\bachi\profile
Domain:               BSD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sun, 04 Dec 219250468 16:30:07 CET
Kickoff time:         Sun, 04 Dec 219250468 16:30:07 CET
Password last set:    Wed, 18 Feb 2015 11:07:24 CET
Password can change:  Wed, 18 Feb 2015 11:07:24 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# testparm
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[homes]"
Loaded services file OK.
WARNING: 'workgroup' and 'netbios name' must differ.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = BSD
        idmap config * : backend = tdb

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

testparm warns because the NetBIOS name, which defaults to the host name (bsd, as the \\bsd\bachi paths in the pdbedit output show), is the same as the workgroup BSD; set either workgroup or netbios name in smb4.conf to a different value, since testparm requires them to differ. The valid users = %S line is the one to keep: it restricts each [homes] share to the user it belongs to, and without it any authenticated user can connect to any other user's home share.

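The checks in the note above, plus a few more that a reviewer runs over every smb.conf, as a script. This is an added example for this page, not code from the page or from Samba. It reads the `[section]` / `param = value` layout that testparm -s prints (or a plain smb.conf); SAMPLE_SMBCONF is constructed from the [global] and [homes] sections dumped above, with one added `map to guest` line and a hypothetical [public_docs] share to trigger the guest finding. Because defaults for ntlm auth and lanman auth changed between Samba releases, the script only flags those when they are set explicitly, and it takes the host name as an argument to stand in for the default netbios name.

```python
"""Audit a Samba share configuration dump for settings that widen access.

Added example for this page, not code from the page or from Samba.  It reads
the `[section]` / `param = value` layout that `testparm -s` prints (or a
plain smb.conf).  SAMPLE_SMBCONF is constructed: [global] and [homes] are the
sections dumped above plus a constructed `map to guest` line, and
[public_docs] is a hypothetical share added to show a guest finding.
"""
import re

# smb.conf parameter names are case-insensitive and ignore whitespace, and
# some have synonyms: "writable"/"writeable" are the inverse of "read only",
# "public" is "guest ok".  Everything is mapped to one canonical key.
_SYNONYMS = {"writable": "readonly", "writeable": "readonly", "public": "guestok"}
_INVERTED = {"writable", "writeable"}
_TRUE, _FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

SAMPLE_SMBCONF = """
[global]
        workgroup = BSD
        idmap config * : backend = tdb
        map to guest = Bad User

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

[public_docs]
        path = /srv/docs
        guest ok = yes
        writable = yes
"""


def _canon(name):
    return re.sub(r"\s+", "", name.strip().lower())


def _as_bool(value):
    v = value.strip().lower()
    return True if v in _TRUE else False if v in _FALSE else None


def parse_smbconf(text):
    """Return {section: {canonical_param: value}} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key, value = _canon(name), value.strip()
        if key in _INVERTED:
            b = _as_bool(value)          # "writable = yes" is "read only = no"
            value = {True: "no", False: "yes"}.get(b, value)
        sections[current][_SYNONYMS.get(key, key)] = value
    return sections


def audit(sections, hostname=None):
    """Return [(section, finding)].  hostname stands in for the default
    'netbios name' when the config does not set one, as on the page."""
    findings = []
    g = sections.get("global", {})
    netbios = g.get("netbiosname") or hostname or ""
    workgroup = g.get("workgroup", "WORKGROUP")
    if netbios.upper() == workgroup.upper():
        findings.append(("global", "workgroup and netbios name are both %r; testparm requires them to differ" % workgroup))
    mtg = g.get("maptoguest", "never").lower()
    if mtg in ("bad user", "bad password"):
        findings.append(("global", "map to guest = %s: failed logins become guest sessions" % mtg))
    if _as_bool(g.get("ntlmauth", "no")):       # only an explicit setting is flagged
        findings.append(("global", "ntlm auth = yes explicitly permits NTLMv1"))
    if _as_bool(g.get("lanmanauth", "no")):     # only an explicit setting is flagged
        findings.append(("global", "lanman auth = yes explicitly permits LANMAN authentication"))
    if "serverminprotocol" not in g:
        findings.append(("global", "server min protocol not set; pin it to SMB2_02 or newer unless SMB1 clients are required"))
    for name, params in sections.items():
        if name == "global":
            continue
        if _as_bool(params.get("guestok", "no")):
            mode = "write" if _as_bool(params.get("readonly", "yes")) is False else "read"
            findings.append((name, "guest ok = yes: anonymous %s access" % mode))
        if name == "homes" and params.get("validusers") != "%S":
            findings.append((name, "[homes] without 'valid users = %S': any authenticated user can connect to other users' home shares"))
    return findings


if __name__ == "__main__":
    for section, msg in audit(parse_smbconf(SAMPLE_SMBCONF), hostname="bsd"):
        print("[%s] %s" % (section, msg))
```

Run it on a live server with `testparm -s 2>/dev/null | python3 smbaudit.py`-style piping after replacing SAMPLE_SMBCONF with sys.stdin.read(); on the page's configuration with host name bsd it reports the workgroup/netbios clash and the missing server min protocol, and nothing for [homes].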
Samba as Primary Domain Controller (PDC)

Samba-3 by Example: Chapter 11. Active Directory, Kerberos, and Security
Microsoft: You incorrectly receive an error message when you join a computer that is running Windows 7 to a Samba 3-based domain
Samba AD DC HOWTO
Samba Server PDC
Aufbau und Konfiguration eines Domänencontrollers mit Samba (Building and configuring a domain controller with Samba)
Samba domain controller
Samba 4 Active Directory Domain Controller
Samba4 AD DC on Ubuntu 14.04
The Samba AD DNS Back Ends

FreeBSD

How to integrate Active Directory with FreeBSD 10.0 using security/sssd?
FreeBSD 10: SAMBA 4 as a domain controller running on a public IP (OpenVPN, BIND, pf)
Samba 4.1 Active Directory Domain Controller on FreeBSD 10.1
How to set up FreeBSD 10.1 as a Domain Controller (Video)
Samba4 dc in FreeBSD 10
Howto setup Samba Domain Controller on FreeBSD

LDAP / OpenLDAP

zytrax.com Open Source Guides – LDAP for Rocket Scientists

2. LDAP Concepts & Overview
Chapter 6. LDAP Configuration
Chapter 8. LDAP LDIF and DSML

Useful tutorials

Example: Shared Address Book (LDAP)
OpenLDAP Server on Ubuntu 14.04
Ubuntu Server Guide: OpenLDAP Server
How To Install and Configure OpenLDAP and phpLDAPadmin on an Ubuntu 14.04 Server
How To Install and Configure a Basic LDAP Server on an Ubuntu 12.04 VPS
Getting error for setting password feild when creating generic user account phpldapadmin

The fix reported there: at line 2469, replace
$default = $this->getServer()->getValue('appearance','password_hash');
with
$default = $this->getServer()->getValue('appearance','password_hash_custom');
$ ldapsearch -X u:admin -b dc=auth,dc=intra,dc=fablabwinti,dc=ch
SASL/DIGEST-MD5 authentication started
Please enter your password: 
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in database

$ ldapsearch -x -LLL -b dc=auth,dc=intra,dc=fablabwinti,dc=ch 
dn: dc=auth,dc=intra,dc=fablabwinti,dc=ch
objectClass: top
objectClass: dcObject
objectClass: organization
o: fablabwinti
dc: auth

dn: cn=admin,dc=auth,dc=intra,dc=fablabwinti,dc=ch
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

$ ldapsearch -x -LLL -b dc=auth,dc=intra,dc=fablabwinti,dc=ch dn
dn: dc=auth,dc=intra,dc=fablabwinti,dc=ch
dn: cn=admin,dc=auth,dc=intra,dc=fablabwinti,dc=ch

$ ldapsearch -LLL -x -H ldap:/// -b dc=auth,dc=intra,dc=fablabwinti,dc=ch dn
dn: dc=auth,dc=intra,dc=fablabwinti,dc=ch
dn: cn=admin,dc=auth,dc=intra,dc=fablabwinti,dc=ch

Why the first search fails: -X sets the SASL authorization identity (the identity to act as), not the identity that authenticates, which is -U. DIGEST-MD5 also needs a secret the SASL library can look up (a sasldb entry, or an olcAuthzRegexp mapping to a directory entry holding a cleartext userPassword); this directory has neither, hence "no secret in database". -x selects a simple bind instead, and without -D and -W it is an anonymous bind: the listing above shows that the base entry and the cn=admin role are readable by anyone who can reach the port (userPassword is not returned, which is the expected ACL behaviour). When binding with credentials, use -D cn=admin,dc=auth,dc=intra,dc=fablabwinti,dc=ch -W over -H ldapi:/// or together with -ZZ (StartTLS); over -H ldap:/// a simple bind sends the password in clear text.
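To see exactly what an anonymous bind exposes, parse the LDIF that ldapsearch -LLL prints and look for credential attributes. This is an added example for this page, not code from the page or from OpenLDAP, and it uses only the standard library. SAMPLE_LDIF is constructed: its first two entries are the ones returned above, and the third, uid=alice under a hypothetical ou=people, is a made-up user whose password hash a (hypothetical) too-permissive ACL returns to anonymous readers; a real slapd with default ACLs would not return it.

```python
"""Parse LDIF as printed by `ldapsearch -LLL` and report what an anonymous
simple bind (`-x` with no `-D`/`-W`) was able to read.

Added example for this page, not code from the page or from OpenLDAP; it
uses only the standard library (no python-ldap).  SAMPLE_LDIF is
constructed: the first two entries are the ones returned above, the third,
uid=alice, is a hypothetical user whose password hash a (hypothetical)
too-permissive ACL exposes to anonymous readers.
"""
import base64

# Attributes that should never come back from an unauthenticated search.
SENSITIVE_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword",
                   "krbprincipalkey", "pwdhistory"}

SAMPLE_LDIF = """\
dn: dc=auth,dc=intra,dc=fablabwinti,dc=ch
objectClass: top
objectClass: dcObject
objectClass: organization
o: fablabwinti
dc: auth

dn: cn=admin,dc=auth,dc=intra,dc=fablabwinti,dc=ch
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# constructed entry, not from the page; the base64 value is "{SSHA}constructed"
dn: uid=alice,ou=people,dc=auth,dc=intra,dc=fablabwinti,dc=ch
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
description: folded value
  continues here
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _record_to_entry(record):
    dn, attrs = None, {}
    for line in record:
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:                                # "attr: <text>" ("attr:< url" is not handled)
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def parse_ldif(text):
    """Return [(dn, {attribute: [values]})] in file order; records are
    separated by blank lines and '#' lines are comments."""
    entries, record = [], []
    for line in _unfold(text) + [""]:        # sentinel flushes the last record
        if not line.strip():
            if record:
                entries.append(_record_to_entry(record))
                record = []
        elif not line.startswith("#"):
            record.append(line)
    return entries


def exposed_attributes(ldif_text):
    """Every attribute name the search returned, i.e. readable by the binder."""
    return sorted({a for _, attrs in parse_ldif(ldif_text) for a in attrs})


def anonymous_exposure(ldif_text, sensitive=SENSITIVE_ATTRS):
    """[(dn, attribute)] for sensitive attributes present in the dump.  Fed
    the output of an unauthenticated search, a non-empty result means the
    ACL lets anyone who can reach the port read credentials."""
    return [(dn, a) for dn, attrs in parse_ldif(ldif_text)
            for a in attrs if a.lower() in sensitive]


if __name__ == "__main__":
    print("attributes readable anonymously:", ", ".join(exposed_attributes(SAMPLE_LDIF)))
    for dn, attr in anonymous_exposure(SAMPLE_LDIF):
        print("EXPOSED %s on %s" % (attr, dn))
```

Against a live server, pipe `ldapsearch -x -LLL -H ldap://host -b dc=auth,dc=intra,dc=fablabwinti,dc=ch` (no -D) into anonymous_exposure; on the page's directory the result is empty, and exposed_attributes lists only the structural attributes shown above.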

RADIUS

FreeRADIUS
Centralized Logins Using LDAP and RADIUS
Primer: Authentication – RADIUS, Kerberos, and LDAP
How to integrate RADIUS with Kerberos?
RADIUS and Kerberos and LDAP!!! Oh my!!!

Samba and OpenLDAP

The Linux Samba-OpenLDAP Howto
Setting up Samba as a Domain Controller with OpenLDAP
Samba and LDAP
Setup Samba Domain Controller with LDAP Backend in Ubuntu 13.04
Linux-PDC mit Samba und OpenLDAP – Zentrale Anmeldung (Linux PDC with Samba and OpenLDAP – central login)

MIT Kerberos 5

Setting up an Active Directory Domain Controller using Samba 4 on Ubuntu 14.04
Ubuntu 14.04 kerberos krb5 installation+removing messed up login
Debian GNU and Ubuntu: Setting up MIT Kerberos 5
Unable to setup Kerberos on Ubuntu 14.04 – krb5kdc: No such file or directory – while initializing database for realm myrealm
Kerberos – Community Help Wiki
Kerberos
Kerberos and LDAP
Kerberos with LDAP Backend on Ubuntu 12.04 – Part One
Kerberos with LDAP Backend on Ubuntu 12.04 – Part Two
Kerberos with LDAP Backend on Ubuntu 12.04 – Part Three
Kerberos with LDAP Backend on Ubuntu 12.04 – Part Four
MIT Kerberos Documentation: Kerberos with LDAP backend on Ubuntu 10.4
MIT Kerberos Documentation: Configuring Kerberos with OpenLDAP back-end
Ubuntu 14.04 LTS : Samba Server : Samba AD DC : Server Settings
Ubuntu 14.04 LTS : WEB Server : Use Kerberos Auth

LightDM

Lightdm Login & Kerberos: Ticket nicht gekommen (LightDM login & Kerberos: no ticket received)
Testing Kerberos in Ubuntu
How do I enable the “Other” user for login with Active Directory?
Ubuntu Linux and Active Directory

Dependencies

ISC-DHCPD
BIND DNS-Server

$ sudo apt-get install bind9
$ sudo service bind9 stop

DNS

$ ls -la /etc/bind
[...]
-rw-r--r--   1 bind bind   493 Dec 26 19:41 named.conf
-rw-r--r--   1 root bind   307 Dec 29 18:50 named.conf.local
[...]

$ ls -la /var/lib/bind
[...]
-rw-r--r--  1 bind bind   572 Feb  6 18:49 db.192.168.1
[...]

$ cat /etc/apparmor.d/usr.sbin.named
/usr/sbin/named {
  [...]
 
  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
 
  [...]
}

NTP

HOWTO: Set Up an NTP Server
Time Synchronisation with NTP
Postponing ntpd
how do I disable ntpd?
The NTP FAQ and HOWTO – Understanding and using the Network Time Protocol

Apache

$ echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/fqdn.conf
$ sudo a2enconf fqdn

Bugs

Bug #1125726: boot-time race between /etc/network/if-up.d/ntpdate and “/etc/init.d/ntp start”
Bug #777879: removing ntpdate removes ubuntu-minimal (duplicate! use Bug #61619)
Bug #61619: ntpdate in -minimal should have an alternative
Bug #556372: Please remove the plymouth dependency from mountall / cryptsetup (Create a simple package)
