8.0 Centralizing Authentication with Active Directory (AD)

Three packages are required to configure authentication against AD.

Install the packages and their dependencies by using the following command:

> apt-get install krb5-user samba winbind
Note: This example assumes a Debian-based system.

8.1 Configuring the Linux System

If you are using CentOS or RHEL, a single authconfig command configures everything:

authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=MYDOMAIN --smbrealm=MYDOMAIN --smbservers=MYSERVER.MYDOMAIN --winbindjoin=Administrator --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize

Set MYDOMAIN and MYSERVER.MYDOMAIN to reflect your environment. If you are using some other Linux distribution, follow the steps below.

The names used in the examples below have the following meanings (the value shown is the one used throughout this chapter):

Description                                          Example value
Public network domain name                           cridomain
Private network domain name                          sge.local
Kerberos realm name                                  SGE.LOCAL
Head node Linux host name                            headnode
Windows Active Directory server host name            winhead
Windows user name for Windows domain administrator   winadmin
Windows user name for normal user                    winuser
  1. Configure the Windows AD server domain name and name server. Add the Windows domain name and name server IP addresses to /etc/resolv.conf.
    root@x36-lhn:~# vi /etc/resolv.conf
    domain sge.local
    nameserver 10.0.0.100
    nameserver 192.168.0.1
  2. Configure the Windows AD server as a recognized host. Add a line to /etc/hosts that contains the:
    • Windows AD server IP address
    • fully qualified host name
    • host name with the Kerberos realm domain name
    • simple host name
    root@headnode:~# vi /etc/hosts
    ...
    10.0.0.100  winhead.cridomain    winhead.sge.local     winhead
  3. Configure the Linux system to look up users using Winbind. Add the Windows AD server and domain name to /etc/nsswitch.conf:
    root@headnode:~# vi /etc/nsswitch.conf
    ...
    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat winbind
  4. Configure Kerberos. Set up Kerberos by adding the following to /etc/krb5.conf:
    root@headnode:~# vi /etc/krb5.conf
    ...
    [logging]
    default=FILE:/var/log/krb5libs.log
    kdc=FILE:/var/log/krb5kdc.log
    admin_server=FILE:/var/log/kadmind.log
     
    [libdefaults]
    default_realm = SGE.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
     
    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
     
    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }
     
    [realms]
    SGE.LOCAL = {
    kdc = winhead.sge.local
    admin_server = winhead.sge.local
    default_domain = SGE.LOCAL
    }
     
    [domain_realm]
    .sge.local = SGE.LOCAL
    sge.local = SGE.LOCAL
  5. Synchronize the Linux system clock with the Windows AD server (Kerberos rejects tickets when the two clocks differ by more than a few minutes) and make sure the realm name is uppercase.
    root@headnode:~# ntpdate winhead
    2 Dec 09:37:58 ntpdate[6495]: adjust time server 10.0.0.100 offset -0.120004 sec
  6. Test Kerberos authentication.
    root@headnode:~# kinit [email protected]
    Password for [email protected]:

    If no error messages are returned, Kerberos authentication was successful.

    You can now list the tickets that were obtained:

    root@headnode:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [email protected]
    Valid starting     Expires            Service principal
    12/02/09 09:38:38  12/02/09 19:38:41  krbtgt/SGE.LOCAL@SGE.LOCAL
    renew until 12/03/09 09:38:38
  7. Configure Samba. Set up Samba by adding the following to the [global] section of /etc/samba/smb.conf:
    workgroup = sge
    max log size = 50
    security = ads
    password server = winhead.sge.local
    realm = SGE.LOCAL
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    template homedir = /home/%U
    winbind use default domain = true
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
  8. Configure the pluggable authentication modules (PAM) to authenticate Windows AD users. Set up PAM by adding the following to the specified pam.d files:
    root@headnode:~# vi /etc/pam.d/common-account
     
    account sufficient pam_winbind.so
    account required pam_unix.so
     
    root@headnode:~# vi /etc/pam.d/common-auth
     
    auth sufficient pam_winbind.so
    auth required pam_unix.so nullok_secure use_first_pass
     
    root@headnode:~# vi /etc/pam.d/common-session
    ...
    session required pam_mkhomedir.so umask=0077 skel=/etc/skel
    Note: The pam_mkhomedir.so line in /etc/pam.d/common-session makes PAM create the user's home directory on the first successful login.
  9. Join the Linux system to the Windows domain.
    root@headnode:~# net ads join -U winadmin
    Enter winadmin's password:
    Using short domain name -- SGE
    Joined 'HEADNODE' to realm 'sge.local'

    You can ignore any DNS update errors.

  10. Restart Samba and Winbind in the following order:
    root@x36-lhn:~# service samba stop
    * Stopping Samba daemons                [ OK ]
    root@x36-lhn:~# service winbind stop
    * Stopping the Winbind daemon winbind   [ OK ]
    root@x36-lhn:~# service samba start
    * Starting Samba daemons                [ OK ]
    root@x36-lhn:~# service winbind start
    * Starting the Winbind daemon winbind   [ OK ]
  11. Restart Moab. If Moab is running, restart it so that it can recognize the Windows AD users.
    root@headnode:~# mschedctl -k
    moab will be shutdown immediately
    root@headnode:~# moab
  12. Test Linux authentication of Windows AD users. Verify Windows AD users can log in to the Linux system.
    root@headnode:~# finger -m winuser
    Login: winuser                              Name:
    Directory: /home/winuser                    Shell: /bin/bash
    Last login Tue Dec  1 18:07 (MST) on pts/4 from winhead.cridomain
    No mail.
    No Plan.
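The settings made in steps 3 to 8 can be audited after the fact. The following POSIX shell functions are an added example and are not part of the original documentation; they read the same files the steps above edit, and the 300-second limit is the default clock skew tolerance of MIT Kerberos.

```shell
#!/bin/sh
# Added example: audit the winbind/Kerberos client settings configured above.
# Every check takes a file path (or a value), so it can run against the live
# files on the head node or against copies; exit status 0 means the check passed.

# Step 3: passwd and group lookups in nsswitch.conf must both consult winbind.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Step 4: Kerberos realm names are case-sensitive; default_realm must be uppercase.
check_realm_case() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Step 5: MIT Kerberos rejects tickets when clock skew exceeds 300 s (its default
# clockskew). Pass the offset in seconds as reported by ntpdate, e.g.
#   check_clock_skew -0.120004
check_clock_skew() {
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit !(o <= 300) }'
}

# Step 8: pam_unix.so is given use_first_pass, so pam_winbind.so must run first
# in common-auth to collect the password; check that the order is right.
check_pam_order() {
    awk '$1 == "auth" && $3 ~ /pam_winbind\.so/ { w = NR }
         $1 == "auth" && $3 ~ /pam_unix\.so/    { u = NR }
         END { exit !(w && u && w < u) }' "$1"
}

# Run the file-based checks under a root directory ("/" for the live system).
audit_root() {
    root=${1:-/}; rc=0
    check_nsswitch   "$root/etc/nsswitch.conf"     || { echo "FAIL: nsswitch.conf lacks winbind"; rc=1; }
    check_realm_case "$root/etc/krb5.conf"         || { echo "FAIL: default_realm missing or not uppercase"; rc=1; }
    check_pam_order  "$root/etc/pam.d/common-auth" || { echo "FAIL: pam_winbind.so not before pam_unix.so"; rc=1; }
    return $rc
}
```

On the head node, `audit_root /` runs the file checks and `check_clock_skew "$offset"` takes the offset printed by ntpdate in step 5.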

8.2 Synchronizing UIDs on the Master Node

Winbind allocates local user IDs in the order in which users are first queried, so the same AD user receives different UIDs on different machines. This breaks file ownership on NFS shares; it can be resolved by populating all the user IDs on the master node (the Linux head node or machine that exports the NFS share) and copying Winbind's ID map database to all the compute nodes after every reboot.

Note: HPCUsers is the default user group. Users are automatically placed in it when they are created through MSMHPC or the MSMHPC tool scripts (./create.ad.account.hpc.pl).
  1. Populate the winbind_idmap database on the Linux head node by resolving every domain user once, which forces Winbind to allocate a UID and GID for each.
    [root@x36-lhn samba]# for i in `wbinfo -u`; do id ${i} ; done
    uid=16777216(administrator) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777217(group policy creator owners),16777218(domain admins),16777219(enterprise admins),16777220(schema admins),16777221(denied rodc password replication group)
    uid=16777217(guest) gid=16777222(domain guests) groups=16777222(domain guests)
    uid=16777223(krbtgt) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777221(denied rodc password replication group)
    uid=16777220(lmsilva) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777221(test) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
  2. Dump the winbind_idmap mapping DB on the Linux head node and restore it across all the compute nodes.
    [root@x36-lhn samba]# for i in node01 node02 node03 node04; do net idmap dump /var/cache/samba/winbindd_idmap.tdb | ssh ${i} net idmap restore ;done
  3. Query a single user ID on the entire cluster to verify the synchronization.
    [root@x36-lhn samba]# for i in node01 node02 node03 node04; do ssh ${i} id test1; done
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)

8.3 Synchronizing UIDs across All Linux Machines

To synchronize UIDs across all Linux machines, do the following every time a user account is added to or removed from Active Directory.

  1. Populate the winbind_idmap database on the Linux head node by resolving every domain user once, which forces Winbind to allocate a UID and GID for each.
    [root@x36-lhn samba]# for i in `wbinfo -u`; do id ${i} ; done
    uid=16777216(administrator) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777217(group policy creator owners),16777218(domain admins),16777219(enterprise admins),16777220(schema admins),16777221(denied rodc password replication group)
    uid=16777217(guest) gid=16777222(domain guests) groups=16777222(domain guests)
    uid=16777223(krbtgt) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777221(denied rodc password replication group)
    uid=16777220(lmsilva) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777221(fchism) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777222(test) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
  2. Dump the winbind_idmap mapping DB on the Linux head node and restore it across all the compute nodes and synchronize ID maps.
    [root@x36-lhn samba]# for i in node01 node02 node03 node04; do net idmap dump /var/cache/samba/winbindd_idmap.tdb | ssh ${i} net idmap restore ;done
  3. Query a single user ID on the entire cluster to verify the synchronization.
    [root@x36-lhn samba]# for i in node01 node02 node03 node04; do ssh ${i} id test1; done
    uid=16777222(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777223(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777223(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)

    The UIDs differ because test1 was added to Active Directory after the head node's map was populated in step 1 (it does not appear in that output), so each compute node allocated its own mapping. Repeat the three steps so that the new accounts are included:
    # for i in `wbinfo -u`; do id ${i} ; done
    uid=16777216(administrator) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777217(group policy creator owners),16777218(domain admins),16777219(enterprise admins),16777220(schema admins),16777221(denied rodc password replication group)
    uid=16777217(guest) gid=16777222(domain guests) groups=16777222(domain guests)
    uid=16777223(krbtgt) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777221(denied rodc password replication group)
    uid=16777220(lmsilva) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777221(fchism) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777222(test) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777225(test2) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777226(test3) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
     
    # for i in node01 node02 node03 node04; do net idmap dump /var/cache/samba/winbindd_idmap.tdb | ssh ${i} net idmap restore ;done
     
    # for i in node01 node02 node03 node04; do ssh ${i} id test1; done
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
    uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
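The drift shown above, one account mapped to three different UIDs before the map was redistributed, can be detected before it reaches NFS. This is an added example and not part of the original documentation; it assumes the same node names and passwordless ssh as the loops above, and the `id` lines in the comments are the page's own output.

```shell
#!/bin/sh
# Added example: detect winbind UID/GID drift for one account across the cluster.
# collect_ids() runs "id USER" on each node (as in step 3 above); parse_id() and
# uids_consistent() work on the captured text, so they can also be fed saved output.

NODES="node01 node02 node03 node04"   # same node list as the loops above

# Extract numeric uid and gid from an id(1) line such as
#   uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
# Prints "uid gid", or "? ?" when the line does not parse (unknown user, ssh failure).
parse_id() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=\([0-9]*\)([^)]*) gid=\([0-9]*\)(.*/\1 \2/p' | grep . || echo "? ?"
}

# Print one "node uid gid" line per compute node for USER.
collect_ids() {
    user=$1
    for n in $NODES; do
        line=$(ssh -o BatchMode=yes "$n" id "$user" 2>/dev/null) || line=""
        printf '%s %s\n' "$n" "$(parse_id "$line")"
    done
}

# Read "node uid gid" lines on stdin; exit 0 if every node agrees with the head
# node's mapping given as $1 (uid) and $2 (gid), otherwise list the nodes that
# disagree and exit 1. Disagreement is exactly the symptom seen after an AD
# account is added and the head node's map has not been redistributed.
uids_consistent() {
    want_uid=$1; want_gid=$2; rc=0
    while read -r node uid gid; do
        if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            echo "DRIFT $node: uid=$uid gid=$gid (head node: uid=$want_uid gid=$want_gid)" >&2
            rc=1
        fi
    done
    return $rc
}

# Compare every compute node against the head node's own mapping for USER.
check_user() {
    head=$(parse_id "$(id "$1" 2>/dev/null)")
    # shellcheck disable=SC2086  # word-split "uid gid" into two arguments
    collect_ids "$1" | uids_consistent $head
}
```

Running `check_user test1` on the head node exits non-zero and names the drifting nodes, which is the cue to rerun the dump/restore loop from step 2.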

Copyright © 2011 Adaptive Computing Enterprises, Inc.®