A Linux operating system can be integrated into an Active Directory domain with little effort, so that the domain manages users and groups and the identification, authentication and authorization of our systems is centralized.
The first step is to check whether the following packages are present. If they need to be installed, we do it as follows:
pablo@clienteLinux:~$ sudo apt-get install samba smbclient winbind krb5-user krb5-config libnss-winbind libpam-winbind
Edit and/or verify the DNS configuration of the Ubuntu Linux client (on releases where resolvconf or systemd-resolved generates /etc/resolv.conf, the equivalent settings go in the network configuration, otherwise the file is rewritten):
pablo@clienteLinux:~$ sudo mcedit /etc/resolv.conf
nameserver 192.168.0.1 # IP of the primary DNS server, the main Active Directory controller
nameserver 192.168.1.1 # IP of the secondary DNS server, the alternate Active Directory controller
search miDominio
pablo@clienteLinux:~$ sudo mcedit /etc/hosts
127.0.0.1 localhost
192.168.0.50 clienteLinux.miDominio clienteLinux
192.168.0.1 adPrincipal.miDominio adPrincipal
192.168.1.1 adSecundario.miDominio adSecundario
Edit the Kerberos client configuration file:
pablo@clienteLinux:~$ sudo mcedit /etc/krb5.conf
[libdefaults]
# Realm names are case-sensitive; an AD realm is the DNS domain in upper case
default_realm = MIDOMINIO
# Maximum tolerated clock difference with the KDC, in seconds
clockskew = 300
[realms]
MIDOMINIO = {
kdc = 192.168.0.1
kdc = 192.168.1.1
default_domain = miDominio
admin_server = 192.168.0.1
admin_server = 192.168.1.1
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
# Map the DNS domain, and every host under it, to the upper-case realm
.miDominio = MIDOMINIO
miDominio = MIDOMINIO
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true
}
We obtain a Kerberos ticket with the following command (the realm must be written in UPPER CASE, matching default_realm in /etc/krb5.conf):
pablo@clienteLinux:~$ sudo kinit admin@MIDOMINIO
Edit the Samba configuration file:
pablo@clienteLinux:~$ sudo mcedit /etc/samba/smb.conf
[global]
security = ADS
netbios name = clienteLinux
# realm: the Kerberos realm, the same value as default_realm in /etc/krb5.conf
realm = MIDOMINIO
password server = adPrincipal.miDominio
# workgroup: the NetBIOS domain name; winbind prefixes it to user and group names (%D)
workgroup = MYDOMINIO
log level = 1
syslog = 0
idmap uid = 10000-29999
idmap gid = 10000-29999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
server string = linux como cliente del Active Directory
encrypt passwords = yes
idmap cache time = 30
idmap negative cache time = 12
winbind cache time = 30
Join the Linux machine to the domain:
pablo@clienteLinux:~$ sudo net ads join -S adPrincipal.miDominio -U admin
pablo@clienteLinux:~$ sudo net ads join -S adSecundario.miDominio -U admin
At this point two common errors can appear:
- A difference between the date/time of the Linux host and the domain controller; we only need to set the client's clock so that it matches the Active Directory's.
- A record with the same name already present in DNS; we only need to delete it so that it is generated again automatically.
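The two checks that follow are an added example, not part of the original post, for catching those two failure modes before running net ads join. skew_ok compares two Unix timestamps against the 300-second tolerance configured as clockskew in /etc/krb5.conf; dns_conflict inspects the output of the host command for an A record with our machine's name that points at another address. The host output and the timestamps used in the demonstration are constructed sample values, and the live commands shown in the comments are assumptions about the environment rather than steps from the post.

```bash
#!/bin/sh
# Pre-join checks for the two common errors above (added example, not from the post).
# MAX_SKEW mirrors "clockskew = 300" in /etc/krb5.conf.
MAX_SKEW=300

# skew_ok LOCAL_EPOCH DC_EPOCH [TOLERANCE]
# Succeeds when the two clocks are at most TOLERANCE seconds apart.
skew_ok() {
    tol=${3:-$MAX_SKEW}
    delta=$(( $1 - $2 ))
    [ "$delta" -lt 0 ] && delta=$(( -delta ))
    [ "$delta" -le "$tol" ]
}

# dns_conflict MY_IP HOST_OUTPUT
# HOST_OUTPUT is what `host clienteLinux.miDominio` printed. Succeeds (exit 0)
# when an A record for the name exists but points at an address other than
# MY_IP, i.e. a stale record that has to be removed before the join.
# An NXDOMAIN answer or a record already pointing at MY_IP is not a conflict.
dns_conflict() {
    printf '%s\n' "$2" | awk -v me="$1" '
        / has address / { found = 1; if ($NF != me) other = 1 }
        END { if (found && other) exit 0; exit 1 }'
}

# --- demonstration with constructed values ---------------------------------
# Live use (assumed commands, adapt to your tooling):
#   skew_ok "$(date +%s)" "$(date -d "$(net time -S adPrincipal.miDominio)" +%s)"
#   dns_conflict "$(hostname -I | awk '{print $1}')" "$(host clienteLinux.miDominio)"
MY_IP=192.168.0.50                                                   # from /etc/hosts above
SAMPLE_HOST_OUT='clienteLinux.miDominio has address 192.168.0.77'   # constructed stale record

if skew_ok 1461752469 1461753000; then
    echo "time: within tolerance"
else
    echo "time: clocks differ by more than ${MAX_SKEW}s, sync the client to the DC first"
fi

if dns_conflict "$MY_IP" "$SAMPLE_HOST_OUT"; then
    echo "dns: stale record for clienteLinux.miDominio, delete it so the join can re-register it"
else
    echo "dns: no conflicting record"
fi
```

Both functions are pure so they can be fed from a cron job or a configuration-management check; the exit status is the result, the echo lines are only for the reader.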
We edit and configure NSSwitch so that users/passwords, groups and hosts are resolved through the Active Directory (in addition to the local files):
pablo@clienteLinux:~$ sudo mcedit /etc/nsswitch.conf
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns winbind
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files
To allow domain users to log in to the system we configure PAM by editing the following files:
pablo@clienteLinux:~$ sudo mcedit /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_winbind.so
session required pam_unix.so try_first_pass
pablo@clienteLinux:~$ sudo mcedit /etc/pam.d/common-password
password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass
pablo@clienteLinux:~$ sudo mcedit /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure try_first_pass
pablo@clienteLinux:~$ sudo mcedit /etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so try_first_pass
and finally the sudoers file, where we authorize the actions allowed for the different users/groups. Be very careful with this change, since we could lock ourselves «out» of the system; visudo checks the syntax before saving. As an example we create two groups in AD: linuxAdmin with full rights, and linuxSeg with restricted access to only a few commands.
pablo@clienteLinux:~$ sudo visudo
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
%MYDOMINIO+linuxAdmin ALL=(ALL) ALL
%MYDOMINIO+linuxSeg ALL=(ALL) /sbin/iptables -L -n,/usr/bin/less /var/log/*,/usr/sbin/aideinit,/usr/bin/tshark*
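Because the restricted rule above relies on wildcards, here is an added example (not part of the original post) of a small check to run over sudoers rules before committing them with visudo. It flags three things sudoers(5) documents: a wildcard in a command argument is matched against the whole argument string and therefore also matches across word boundaries ('/usr/bin/less /var/log/*'); a wildcard in the command path ('/usr/bin/tshark*') matches any binary whose name starts that way; and pagers and editors can start other programs, which the NOEXEC: tag exists to prevent. SAMPLE_RULES holds the two rules from the post plus a constructed, tightened variant of the linuxSeg rule; the tag handling and the list of pager/editor names are the example's own assumptions.

```bash
#!/bin/sh
# Lint sudoers command specs for patterns sudoers(5) warns about
# (added example, not part of the original post). Reads rules on stdin,
# prints one finding per line and exits 1 when anything was flagged.
lint_sudoers() {
    awk '
    # Skip blank lines, comments (including #include lines) and Defaults entries.
    /^[[:space:]]*(#|$)/ || /^[[:space:]]*Defaults/ { next }
    {
        # The command list follows the "(runas)" group, or the "=" of a Cmnd_Alias.
        n = index($0, ")"); if (n == 0) n = index($0, "=")
        if (n == 0) next
        ncmd = split(substr($0, n + 1), c, ",")
        noexec = 0
        for (i = 1; i <= ncmd; i++) {
            cmd = c[i]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", cmd)
            # Tags such as NOEXEC: or NOPASSWD: apply to the rest of the list.
            while (match(cmd, /^[A-Z_]+:[[:space:]]*/)) {
                tag = substr(cmd, 1, RLENGTH)
                if (tag ~ /^NOEXEC:/) noexec = 1
                if (tag ~ /^EXEC:/)   noexec = 0
                cmd = substr(cmd, RLENGTH + 1)
            }
            if (cmd == "" || cmd == "ALL") continue
            split(cmd, w, /[[:space:]]+/)
            if (w[1] ~ /\*/) {
                print "command wildcard, matches any binary with that prefix: " cmd; bad++
            }
            if (cmd ~ /[[:space:]].*\*/) {
                print "argument wildcard, matches across word boundaries: " cmd; bad++
            }
            if (w[1] ~ /\/(less|more|vi|vim|nano|view)$/ && !noexec) {
                print "pager/editor allowed without NOEXEC: " cmd; bad++
            }
        }
    }
    END { exit bad > 0 }'
}

# Constructed sample: the two rules from the post plus a tightened variant of the
# second one (explicit file names instead of a wildcard, NOEXEC on the pager).
SAMPLE_RULES='%MYDOMINIO+linuxAdmin ALL=(ALL) ALL
%MYDOMINIO+linuxSeg ALL=(ALL) /sbin/iptables -L -n,/usr/bin/less /var/log/*,/usr/sbin/aideinit,/usr/bin/tshark*
%MYDOMINIO+linuxSeg ALL=(ALL) /sbin/iptables -L -n, /usr/bin/tshark, /usr/sbin/aideinit, NOEXEC: /usr/bin/less /var/log/auth.log, /usr/bin/less /var/log/syslog'

printf '%s\n' "$SAMPLE_RULES" | lint_sudoers || echo "tighten the flagged rules before saving with visudo"
```

Run it as `lint_sudoers < /etc/sudoers.d/domain` from a pre-commit hook or a configuration-management test; it is a heuristic reviewer, not a parser, so `visudo -c` remains the authority on syntax.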
For everything to take effect it is advisable to reboot the system; after that we can log in with an AD user.
pablo@clienteLinux:~$ sudo reboot
.
.
.
pablo@otroClienteLinux:~$ ssh -l pablo@myDominio -p 2222 clienteLinux
pablo@MYDOMINIO@clienteLinux's password:
Last login: Wed Apr 27 10:21:09 2016 from 192.168.0.55
MYDOMINIO+pablo@clienteLinux:~$
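Once the machine is back up, the join can also be verified without an interactive login: getent passwd must return the domain user through winbind with the attributes smb.conf asked for (the + separator, uid and gid inside the idmap range 10000-29999, a home directory following /home/%D/%U and /bin/bash as shell). The function below is an added example, not from the original post; the passwd lines it runs on are constructed, and the live getent call in the comment is the assumed way to feed it.

```bash
#!/bin/sh
# Verify that NSS (nsswitch.conf -> winbind) returns domain users shaped the
# way smb.conf asked for (added example, not part of the original post).
IDMAP_LOW=10000          # idmap uid / idmap gid = 10000-29999 in smb.conf
IDMAP_HIGH=29999
SEP='+'                  # winbind separator
SHELL_WANTED=/bin/bash   # template shell

# check_domain_passwd_entry 'NAME:PW:UID:GID:GECOS:HOME:SHELL'
# Succeeds when the entry is a winbind-provided user that honours those settings.
check_domain_passwd_entry() {
    entry=$1
    # Split on ":" only; disable globbing so a "*" password field stays literal.
    set -f; oldIFS=$IFS; IFS=:
    set -- $entry
    IFS=$oldIFS; set +f
    [ $# -eq 7 ] || { echo "malformed passwd entry: $entry"; return 1; }
    name=$1 uid=$3 gid=$4 home=$6 shell=$7
    case $name in
        *"$SEP"*) ;;
        *) echo "$name: no domain separator, resolved locally rather than via winbind"; return 1 ;;
    esac
    dom=${name%%"$SEP"*}; user=${name#*"$SEP"}
    for id in "$uid" "$gid"; do
        case $id in ''|*[!0-9]*) echo "$name: non-numeric id '$id'"; return 1 ;; esac
        [ "$id" -ge "$IDMAP_LOW" ] && [ "$id" -le "$IDMAP_HIGH" ] ||
            { echo "$name: id $id outside idmap range $IDMAP_LOW-$IDMAP_HIGH"; return 1; }
    done
    [ "$home" = "/home/$dom/$user" ] ||
        { echo "$name: home $home does not follow template homedir /home/%D/%U"; return 1; }
    [ "$shell" = "$SHELL_WANTED" ] ||
        { echo "$name: shell $shell differs from template shell $SHELL_WANTED"; return 1; }
    echo "$name: ok (uid $uid, gid $gid, home $home)"
}

# Live check on the joined machine (assumed usage):
#   check_domain_passwd_entry "$(getent passwd 'MYDOMINIO+pablo')"
# Constructed sample entries: one as winbind should return it, one local user.
check_domain_passwd_entry 'MYDOMINIO+pablo:*:10001:10000:Pablo:/home/MYDOMINIO/pablo:/bin/bash'
check_domain_passwd_entry 'pablo:x:1000:1000:Pablo:/home/pablo:/bin/bash' || :
```

A failure on the uid or gid range usually means the idmap settings did not take effect, and a missing separator means NSS answered from /etc/passwd instead of winbind, so each message points at the file to revisit.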
As additional information, here is the help output of the wbinfo command, which lets us pull assorted information from the domain controller, such as users, groups, uids, etc.
pablo@clienteLinux:~$ wbinfo
Usage: wbinfo [OPTION...]
-u, --domain-users Lists all domain users
-g, --domain-groups Lists all domain groups
-N, --WINS-by-name=NETBIOS-NAME Converts NetBIOS name to IP
-I, --WINS-by-ip=IP Converts IP address to NetBIOS name
-n, --name-to-sid=NAME Converts name to sid
-s, --sid-to-name=SID Converts sid to name
--sid-to-fullname=SID Converts sid to fullname
-R, --lookup-rids=RIDs Converts RIDs to names
--lookup-sids=Sid-List Converts SIDs to types and names
-U, --uid-to-sid=UID Converts uid to sid
-G, --gid-to-sid=GID Converts gid to sid
-S, --sid-to-uid=SID Converts sid to uid
-Y, --sid-to-gid=SID Converts sid to gid
--allocate-uid Get a new UID out of idmap
--allocate-gid Get a new GID out of idmap
--set-uid-mapping=UID,SID Create or modify uid to sid mapping in idmap
--set-gid-mapping=GID,SID Create or modify gid to sid mapping in idmap
--remove-uid-mapping=UID,SID Remove uid to sid mapping in idmap
--remove-gid-mapping=GID,SID Remove gid to sid mapping in idmap
--sids-to-unix-ids=Sid-List Translate SIDs to Unix IDs
-t, --check-secret Check shared secret
-c, --change-secret Change shared secret
-P, --ping-dc Check the NETLOGON connection
-m, --trusted-domains List trusted domains
--all-domains List all domains (trusted and own domain)
--own-domain List own domain
--sequence Deprecated command, see --online-status
--online-status Show whether domains are marked as online or offline
-D, --domain-info=STRING Show most of the info we have about the domain
-i, --user-info=USER Get user info
--uid-info=UID Get user info from uid
--group-info=GROUP Get group info
--user-sidinfo=SID Get user info from sid
--gid-info=GID Get group info from gid
-r, --user-groups=USER Get user groups
--user-domgroups=SID Get user domain groups
--sid-aliases=SID Get sid aliases
--user-sids=SID Get user group sids for user SID
-a, --authenticate=user%password authenticate user
--pam-logon=user%password do a pam logon equivalent
--logoff log off user
--logoff-user=STRING username to log off
--logoff-uid=INT uid to log off
--set-auth-user=user%password Store user and password used by winbindd (root only)
--ccache-save=user%password Store user and password for ccache operation
--getdcname=domainname Get a DC name for a foreign domain
--dsgetdcname=domainname Find a DC for a domain
--dc-info=domainname Find the currently known DCs
--get-auth-user Retrieve user and password used by winbindd (root only)
-p, --ping Ping winbindd to see if it is alive
--domain=domain Define to the domain to restrict operation
-K, --krb5auth=user%password authenticate user using Kerberos
--separator Get the active winbind separator
--verbose Print additional information per command
--change-user-password=STRING Change the password for a user
--ntlmv2 Use NTLMv2 cryptography for user authentication
--lanman Use lanman cryptography for user authentication
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba options:
-V, --version Print version