Integrating SuSE 10.2 with Microsoft Active Directory
Written by Jason   
Jun 09, 2007 at 09:51 PM

With the, ahem, 'popularity' of Microsoft Active Directory, I thought it would be a good idea to integrate SuSE 10.2 Linux servers within the directory. Here's how to accomplish it. 

Getting SuSE 10.2 integrated with MS Active Directory is fairly easy in most environments. Yast2 will do most of the work for you.

Step 1) Create a computer account 

First things first: create a computer account in the domain for the SuSE box matching the DNS name.

Sometimes this step isn't necessary and the SuSE box joins without any problems; other times the join fails. I've found it easier to just add the system to AD first before joining it to the domain.

Step 2) Fire up yast2 and add the server to the domain

From a command line run yast2 and arrow down to Network Services, Windows Domain Membership:

[Screenshot: Yast2 Config]

From here enter the domain you're joining. Since for this example I want users of roboguys.com to be able to authenticate and log on to the server, I've checked Also Use SMB Information for Linux Authentication as well as Create Home Directory on Login.

[Screenshot: Yast2 Windows Domain Membership]

NTP configuration matters because Active Directory authenticates with Kerberos, and Kerberos rejects tickets when the client's clock is too far out of step with the domain controller (by default more than five minutes). So, here you'll want to put in one of your domain controllers that is running NTP for your domain. You are running NTP for your domain, aren't you?

[Screenshot: Yast2 NTP config]

Once that's entered you're back to the previous screen. If all looks good, hit Finish.

You'll be prompted to enter the account credentials of a user who has rights to add a machine to the domain. Enter them and you should be set.

Pretty simple stuff. To test the configuration, log on to the system with an account in the Windows domain; doing so from another Linux system via ssh is a good way to test:

ssh "roboguys\jason"@suse.roboguys.com

Take note of the quotes: without them the shell treats the backslash as an escape character and the DOMAIN\user name won't be passed to ssh correctly. If all worked as planned you should be greeted by:

Creating directory '/home/ROBOGUYS/jason'.
Creating directory '/home/ROBOGUYS/jason/.xemacs'.
Creating directory '/home/ROBOGUYS/jason/.mozilla'.
Creating directory '/home/ROBOGUYS/jason/.fonts'.
Creating directory '/home/ROBOGUYS/jason/bin'.
Creating directory '/home/ROBOGUYS/jason/Documents'.
Creating directory '/home/ROBOGUYS/jason/public_html'.
ROBOGUYS\jason@suse:/>

Very spiffy.

Step 3) Secure it 

The only problem with this is that anyone who authenticates to Active Directory can now ssh to the SuSE box. More than likely you'll want to restrict this to a specific group in AD, such as Domain Admins. To do this, we'll need to find out the GID (Group ID) of the Domain Admins group. Log on to the SuSE server with a Windows account that is in the Domain Admins group and run the simple command:

id

This should spit out the groups the account is a member of along with the GID of the primary group in Windows that's associated with the account:

uid=10000(ROBOGUYS\jason) gid=10000(ROBOGUYS\domain users) groups=10000(ROBOGUYS\domain users),10010(ROBOGUYS\domain admins) 

Here we see that the Domain Admins group has a GID of 10010. But there's a problem: the GID for this account is 10000, meaning that the primary group in Windows is Domain Users. We'll need to correct this before going further.

From Active Directory Users and Computers look at the account:

[Screenshot: ADUC Primary Group]

Highlight the target group we want the account to have the GID of (in this case Domain Admins) and click Set Primary Group. Apply the changes then switch back to the SuSE server. 

Now we'll make a change to the /etc/pam.d/sshd file:

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional      pam_resmgr.so fake_ttyname

The line you'll want to change is the account line. Change this to:

account  sufficient     pam_succeed_if.so gid = 10010

See the 10010? That was the GID of the Domain Admins group. This means that any account that is in the Domain Admins group in AD and has it set as its primary group will be able to log on - all other accounts will be denied access to ssh, including root. A user could of course su to root after they've logged on as long as they know the root password. One thing to be aware of: because this line replaces the include of common-account, whatever account checks common-account performed (password expiry and the like) no longer run for ssh logins; if you want to keep them, put the pam_succeed_if.so line in front of the include as a required module instead of replacing it.
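As an added example (not from the article), here is a small shell script that parses the id output from Step 3 and applies the same test the pam_succeed_if.so gid = 10010 rule applies. Both sample lines are constructed: the first is the output shown above, the second is the same account after Set Primary Group in ADUC; it shows why supplementary membership in Domain Admins alone is not enough for the rule.

```shell
#!/bin/sh
# Added example, not from the article: replay the `id` output from Step 3
# and apply the same test that "pam_succeed_if.so gid = 10010" applies.
# Both samples are constructed: ID_BEFORE is the output shown in the
# article, ID_AFTER is the same account after "Set Primary Group" in ADUC.
ID_BEFORE='uid=10000(ROBOGUYS\jason) gid=10000(ROBOGUYS\domain users) groups=10000(ROBOGUYS\domain users),10010(ROBOGUYS\domain admins)'
ID_AFTER='uid=10000(ROBOGUYS\jason) gid=10010(ROBOGUYS\domain admins) groups=10010(ROBOGUYS\domain admins),10000(ROBOGUYS\domain users)'
ADMIN_GID=10010   # GID of Domain Admins, as read off the id output

# primary_gid ID_OUTPUT: print the numeric gid= field (the Windows primary group)
primary_gid() {
    printf '%s\n' "$1" | sed -n 's/.* gid=\([0-9]*\)(.*/\1/p'
}

# group_gid ID_OUTPUT NAME: print the numeric id of NAME from the groups= list.
# The DOMAIN\ prefix is stripped and the comparison is case-insensitive, so
# "Domain Admins" finds "ROBOGUYS\domain admins". Prints nothing if absent.
group_gid() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' |
        awk -F'[()]' -v want="$2" '
            { name = $2; sub(/.*\\/, "", name)
              if (tolower(name) == tolower(want)) { print $1; exit } }'
}

# pam_gid_check ID_OUTPUT GID: succeed only if the *primary* gid equals GID.
# This is all "gid = 10010" looks at; being in Domain Admins as a
# supplementary group is not enough, which is why the primary group had
# to be changed in ADUC before the PAM rule admits the account.
pam_gid_check() {
    [ "$(primary_gid "$1")" = "$2" ]
}

for sample in "$ID_BEFORE" "$ID_AFTER"; do
    if pam_gid_check "$sample" "$ADMIN_GID"; then
        printf 'admitted: %s\n' "$sample"
    else
        printf 'denied:   %s\n' "$sample"
    fi
done
```

Run it as-is to see the before/after verdicts, or point primary_gid and pam_gid_check at the live output of `id` on the SuSE box to confirm an account will pass the rule before you edit /etc/pam.d/sshd.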

Now that the box is a member of the domain it will update Active Directory DNS with its IP address just like any other server on the domain.

We used Yast2 to handle the Samba configuration to join the Windows domain, but what exactly did it change? Three files: smb.conf, nsswitch.conf, and krb5.conf. If you're interested in what happened behind the scenes, take a look at those three files to see what changed.

Did I miss anything? Let me know!

Last Updated ( Jun 12, 2007 at 06:58 AM )
© http://www.roboguys.com