Three packages are required to configure authentication against AD.
Install the packages and their dependencies by using the following command:
> apt-get install krb5-user samba winbind
Note: This example assumes a Debian-based system.
If you are using CentOS or RHEL, authconfig configures everything in one step:
authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=MYDOMAIN --smbrealm=MYDOMAIN --smbservers=MYSERVER.MYDOMAIN --winbindjoin=Administrator --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize
Set MYDOMAIN and MYSERVER.MYDOMAIN to reflect your environment. If you are using some other Linux distribution, follow the steps below.
The variables and names used in the examples below have the following meanings:
| Variable | Description |
|---|---|
| cridomain | Public network domain name |
| sge.local | Private network domain name |
| SGE.LOCAL | Kerberos realm name |
| headnode | Head node Linux host name |
| winhead | Windows Active Directory server host name |
| winadmin | Windows user name for Windows domain administrator |
| winuser | Windows user name for normal user |
root@x36-lhn:~# vi /etc/resolv.conf
domain sge.local
nameserver 10.0.0.100
nameserver 192.168.0.1
root@headnode:~# vi /etc/hosts
...
10.0.0.100 winhead.cridomain winhead.sge.local winhead
root@headnode:~# vi /etc/nsswitch.conf
...
passwd: compat winbind
group: compat winbind
shadow: compat winbind
root@headnode:~# vi /etc/krb5.conf
...
[logging]
default=FILE:/var/log/krb5libs.log
kdc=FILE:/var/log/krb5kdc.log
admin_server=FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SGE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[realms]
SGE.LOCAL = {
kdc = winhead.sge.local
admin_server = winhead.sge.local
default_domain = SGE.LOCAL
}
[domain_realm]
.sge.local = SGE.LOCAL
sge.local = SGE.LOCAL
Kerberos rejects tickets when the client and KDC clocks differ by more than the permitted skew (5 minutes by default), so synchronize the head node's clock with the domain controller before requesting a ticket:
root@headnode:~# ntpdate winhead
2 Dec 09:37:58 ntpdate[6495]: adjust time server 10.0.0.100 offset -0.120004 sec
root@headnode:~# kinit winuser@SGE.LOCAL
Password for winuser@SGE.LOCAL:
You can now check existing authentication tickets.
root@headnode:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: winuser@SGE.LOCAL
Valid starting Expires Service principal
12/02/09 09:38:38 12/02/09 19:38:41 krbtgt/SGE.LOCAL@SGE.LOCAL
renew until 12/03/09 09:38:38
Add the following to the [global] section of the Samba configuration (/etc/samba/smb.conf on Debian). The idmap uid and idmap gid ranges must not overlap the UIDs and GIDs of local accounts; note that "idmap uid"/"idmap gid" is the Samba 3 syntax, which later Samba releases replace with "idmap config * : range = 16777216-33554431".
workgroup = sge
max log size = 50
security = ads
password server = winhead.sge.local
realm = SGE.LOCAL
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
root@headnode:~# vi /etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so
root@headnode:~# vi /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
root@headnode:~# vi /etc/pam.d/common-session
...
session required pam_mkhomedir.so umask=0077 skel=/etc/skel
Note: The /etc/pam.d/common-session entry makes PAM create the user's home directory on the first successful login; umask=0077 keeps the new directory readable only by its owner. The nullok_secure option on pam_unix allows local accounts with an empty password to log in from the ttys listed in /etc/securetty; remove it if you do not want that.
Join the head node to the domain with a domain administrator account, then restart Samba and winbind so they pick up the new configuration and the machine account:
root@headnode:~# net ads join -U winadmin
Enter winadmin's password:
Using short domain name -- SGE
Joined 'HEADNODE' to realm 'sge.local'
root@x36-lhn:~# service samba stop
 * Stopping Samba daemons    [ OK ]
root@x36-lhn:~# service winbind stop
 * Stopping the Winbind daemon winbind    [ OK ]
root@x36-lhn:~# service samba start
 * Starting Samba daemons    [ OK ]
root@x36-lhn:~# service winbind start
 * Starting the Winbind daemon winbind    [ OK ]
Restart Moab:
root@headnode:~# mschedctl -k
moab will be shutdown immediately
root@headnode:~# moab
Confirm that the domain user now resolves through NSS:
root@headnode:~# finger -m winuser
Login: winuser        Name:
Directory: /home/winuser        Shell: /bin/bash
Last login Tue Dec 1 18:07 (MST) on pts/4 from winhead.cridomain
No mail.
No Plan.
Winbind allocates local UIDs and GIDs from the configured idmap range in the order in which accounts are first looked up on each machine, so the same domain user can receive a different UID on each node. That breaks NFS, which identifies users by numeric UID: a file owned by UID 16777220 on the head node belongs to whichever account happened to get 16777220 on a compute node, so one user can end up reading or writing another user's files. The workaround used here is to treat the master node (the Linux head node, or whichever machine exports the NFS share) as the authority and copy its Winbind idmap database to every compute node after every reboot and whenever accounts change. (A deterministic idmap backend such as idmap_rid, which derives the UID from the account's RID, avoids the problem without copying databases, but is outside the scope of this procedure.)
Note: HPCUsers is the default user group. Users are automatically placed in it when they are created through MSMHPC or the MSMHPC tool scripts (./create.ad.account.hpc.pl).
[root@x36-lhn samba]# for i in `wbinfo -u`; do id ${i} ; done
uid=16777216(administrator) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777217(group policy creator owners),16777218(domain admins),16777219(enterprise admins),16777220(schema admins),16777221(denied rodc password replication group)
uid=16777217(guest) gid=16777222(domain guests) groups=16777222(domain guests)
uid=16777223(krbtgt) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777221(denied rodc password replication group)
uid=16777220(lmsilva) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777221(test) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
[root@x36-lhn samba]# for i in node01 node02 node03 node04; do net idmap dump /var/cache/samba/winbindd_idmap.tdb | ssh ${i} net idmap restore ;done
[root@x36-lhn samba]# for i in node01 node02 node03 node04; do ssh ${i} id test1; done
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
To synchronize UIDs across all Linux machines, repeat the following every time an account is added to or removed from Active Directory: list the users on the master node so that every account has a mapping there, push the master's idmap database to each compute node, and verify that every node reports the same UID for a test user. If a node still reports a different UID after the restore, stop and start winbind on that node and check again; a running winbindd can keep answering from the mappings it already cached.
[root@x36-lhn samba]# for i in `wbinfo -u`; do id ${i} ; done
uid=16777216(administrator) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777217(group policy creator owners),16777218(domain admins),16777219(enterprise admins),16777220(schema admins),16777221(denied rodc password replication group)
uid=16777217(guest) gid=16777222(domain guests) groups=16777222(domain guests)
uid=16777223(krbtgt) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777221(denied rodc password replication group)
uid=16777220(lmsilva) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777221(fchism) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777222(test) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
[root@x36-lhn samba]# for i in node01 node02 node03 node04; do net idmap dump /var/cache/samba/winbindd_idmap.tdb | ssh ${i} net idmap restore ;done
[root@x36-lhn samba]# for i in node01 node02 node03 node04; do ssh ${i} id test1; done
uid=16777222(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777223(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777223(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
# for i in `wbinfo -u`; do id ${i} ; done
uid=16777216(administrator) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777217(group policy creator owners),16777218(domain admins),16777219(enterprise admins),16777220(schema admins),16777221(denied rodc password replication group)
uid=16777217(guest) gid=16777222(domain guests) groups=16777222(domain guests)
uid=16777223(krbtgt) gid=16777216(HPCUsers) groups=16777216(HPCUsers),16777221(denied rodc password replication group)
uid=16777220(lmsilva) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777221(fchism) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777222(test) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777225(test2) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777226(test3) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
# for i in node01 node02 node03 node04; do net idmap dump /var/cache/samba/winbindd_idmap.tdb | ssh ${i} net idmap restore ;done
# for i in node01 node02 node03 node04; do ssh ${i} id test1; done
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
uid=16777224(test1) gid=16777216(HPCUsers) groups=16777216(HPCUsers)
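Checking one test user with id, as above, only proves that one mapping agrees. The script below is an added example (not part of the original page, of Moab, or of Samba) that compares a full net idmap dump from the master node with one from a compute node and reports every disagreement before you overwrite the node's database: accounts whose UID differs between the two machines, numeric IDs that belong to different accounts on each side (the case that lets one user touch another's files over NFS), and accounts the node has not mapped yet. It assumes the "UID <id> <SID>" / "GID <id> <SID>" line format that net idmap dump emits and ignores the HWM lines; the SIDs, the file names head.idmap and node01.idmap, and the function names idmap_diff and idmap_in_sync are all constructed for the example.

```shell
#!/bin/sh
# Added example: compare two `net idmap dump` outputs and report every mapping
# on which the compute node disagrees with the master (NFS server) node.
# Assumes the "UID <id> <SID>" / "GID <id> <SID>" dump line format; the
# "USER HWM" / "GROUP HWM" lines are skipped.

# idmap_diff MASTER_DUMP NODE_DUMP
# Prints one line per disagreement:
#   SID-MISMATCH <sid> head=<type id> node=<type id>   same account, different number
#   ID-COLLISION <type id> head=<sid> node=<sid>       same number, different account
#   MISSING <sid> head=<type id>                       node has no mapping for it yet
idmap_diff() {
    awk '
        FNR == NR {                      # first file: the master node
            if ($1 == "UID" || $1 == "GID") {
                ref_by_sid[$3] = $1 " " $2
                ref_by_id[$1 " " $2] = $3
            }
            next
        }
        $1 == "UID" || $1 == "GID" {     # second file: the compute node
            id = $1 " " $2
            if (($3 in ref_by_sid) && ref_by_sid[$3] != id)
                printf "SID-MISMATCH %s head=%s node=%s\n", $3, ref_by_sid[$3], id
            if ((id in ref_by_id) && ref_by_id[id] != $3)
                printf "ID-COLLISION %s head=%s node=%s\n", id, ref_by_id[id], $3
            seen[$3] = 1
        }
        END {
            for (sid in ref_by_sid)
                if (!(sid in seen))
                    printf "MISSING %s head=%s\n", sid, ref_by_sid[sid]
        }
    ' "$1" "$2"
}

# Exit status 0 when the node already agrees with the master, 1 otherwise.
idmap_in_sync() {
    [ -z "$(idmap_diff "$1" "$2")" ]
}

# Constructed sample dumps (hypothetical domain SID S-1-5-21-1111-2222-3333).
# On node01, RIDs 1104 and 1105 were first looked up in the opposite order and
# so received each other's UID; RID 1106 has never been looked up there.
WORK=$(mktemp -d)
cat > "$WORK/head.idmap" <<'EOF'
USER HWM 16777227
GROUP HWM 16777223
UID 16777216 S-1-5-21-1111-2222-3333-500
UID 16777220 S-1-5-21-1111-2222-3333-1104
UID 16777221 S-1-5-21-1111-2222-3333-1105
UID 16777222 S-1-5-21-1111-2222-3333-1106
GID 16777216 S-1-5-21-1111-2222-3333-1103
EOF
cat > "$WORK/node01.idmap" <<'EOF'
USER HWM 16777222
GROUP HWM 16777223
UID 16777216 S-1-5-21-1111-2222-3333-500
UID 16777220 S-1-5-21-1111-2222-3333-1105
UID 16777221 S-1-5-21-1111-2222-3333-1104
GID 16777216 S-1-5-21-1111-2222-3333-1103
EOF

# Two SID-MISMATCH lines, two ID-COLLISION lines and one MISSING line.
idmap_diff "$WORK/head.idmap" "$WORK/node01.idmap"
```

In real use, capture the two dumps with net idmap dump /var/cache/samba/winbindd_idmap.tdb on the master and over ssh on each compute node, run idmap_diff on them, and only then push the master's database with net idmap restore; rerun the check afterwards (with winbind restarted on the node) and expect no output. An ID-COLLISION line is the one to act on immediately, because until it is resolved the two accounts named in it own each other's files on the NFS share as seen from that node.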