SUSE Manager 1.2.x ADS Authentication


Best Practice, www.suse.com
SUSE Manager 1.2.x ADS Authentication: how to use MS-ADS authentication (Version 0.7 / March 2nd 2012)

Preface

This paper should help to integrate SUSE Manager into an existing Microsoft Active Directory Service (ADS) for user authentication. The example shows how a simple Windows 2008 domain, without any forest or trust, can be used to authenticate SUSE Manager users against the ADS. This does not replace the user management in the product itself; only the password management is outsourced to Active Directory. Users and their roles are still created in SUSE Manager, but their passwords are checked by the domain controller.

SUSE Manager can use the PAM authentication stack of the Linux operating system, so the first task is to bind the operating system to the Microsoft ADS. As always, this can be done in several ways; this document shows two slightly different ones. ADS is based on Kerberos, so the SLES base of SUSE Manager has to be configured as a Kerberos client. But this solves only the authentication: the system also needs a naming service to resolve the user names. Different solutions are possible here: local users, Samba/winbind or LDAP. This documentation shows the first two possibilities.

When the authentication is working, SUSE Manager can be configured to use the PAM stack. It is important that the user names in SUSE Manager are the same as on operating system level.

The example uses the following assumptions:

    AD domain name:     PEUKINGEN.DE
    AD server:          winad.peukingen.de
    Domain:             peukingen.de
    SUSE Manager host:  sm11.peukingen.de

All trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective owners.

Preparation

The following steps are necessary to integrate SUSE Manager into an ADS user environment.

1. DNS service

The SUSE Manager host must use the DNS server of the Windows domain, and all systems should be registered in that DNS service. Both the name and the IP address of the ADS server must resolve, forward and reverse, and the SRV records of the domain must be visible, because Kerberos and winbind locate the domain controller through them:

    sm11:~ # getent hosts winad.peukingen.de
    192.168.7.10    winad.peukingen.de
    sm11:~ # getent hosts winad
    192.168.7.10    winad.peukingen.de
    sm11:~ # getent hosts 192.168.7.10
    192.168.7.10    winad.peukingen.de
    sm11:~ # nslookup -query=any _gc._tcp.peukingen.de
    Server:         192.168.7.10
    Address:        192.168.7.10#53

    _gc._tcp.peukingen.de   service = 0 100 3268 winad.peukingen.de.

2. Time synchronization

All systems must use the same time. Kerberos rejects tickets when the clock of the client differs from the KDC by more than the allowed skew (five minutes by default), so it is recommended to use the Windows AD server as the time source. This can be done by running:

    sm11:~ # sntp -P no -r winad
    sm11:~ # date
    Tue Jan 31 15:07:27 CET 2012

3. SUSE Manager is up to date

To get winbind working, the latest updates for SLES 11 SP1 and SUSE Manager have to be applied to the system.
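The three preparation steps, collected into one check script. This is an added example and not part of the SUSE document. It assumes the domain controller winad.peukingen.de and the DNS domain peukingen.de from the Preface (both can be overridden through the environment), that nslookup and ntpdate are installed, and a limit of 300 seconds, which is the Kerberos default clock skew. The parsing functions take the command output as an argument so they can be exercised offline; the live lookups run only with --live.

```shell
#!/bin/sh
# ads_preflight.sh: DNS and time checks before binding the SUSE Manager host
# to the domain. Added example, not part of the SUSE document.
# Assumptions: domain controller winad.peukingen.de, DNS domain peukingen.de
# (override through the environment), nslookup and ntpdate available, and the
# Kerberos default clock skew of 300 seconds as the limit.
DC=${DC:-winad.peukingen.de}
DOMAIN=${DOMAIN:-peukingen.de}
MAX_SKEW=${MAX_SKEW:-300}

# srv_host_port: print "TARGET PORT" from the output of
# "nslookup -query=srv NAME" (answer lines look like
# "_gc._tcp.peukingen.de  service = 0 100 3268 winad.peukingen.de.").
srv_host_port() {
    printf '%s\n' "$1" | awk '/service = / { sub(/\.$/, "", $7); print $7, $6; exit }'
}

# ntp_offset: print the signed offset in seconds from "ntpdate -q SERVER"
# output ("server 192.168.7.10, stratum 3, offset -0.012345, delay 0.02563").
ntp_offset() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "offset") { sub(/,$/, "", $(i + 1)); print $(i + 1); exit }
    }'
}

# skew_ok OFFSET: succeed when |OFFSET| is below MAX_SKEW seconds.
skew_ok() {
    awk -v o="$1" -v max="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o < max) }'
}

# canonical_name: the host name column of a "getent hosts" line.
canonical_name() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# live_checks: run the real lookups; prints OK/FAIL lines, returns 1 on any failure.
live_checks() {
    fail=0
    fwd=$(getent hosts "$DC") || { echo "FAIL: $DC does not resolve"; return 1; }
    ip=$(printf '%s\n' "$fwd" | awk 'NR == 1 { print $1 }')
    rev=$(getent hosts "$ip" 2>/dev/null)
    if [ "$(canonical_name "$rev")" = "$DC" ]; then
        echo "OK:   $DC <-> $ip (forward and reverse)"
    else
        echo "FAIL: reverse lookup of $ip does not give $DC"; fail=1
    fi
    # Kerberos, LDAP and global catalog locator records of the domain.
    for rec in _kerberos._tcp _ldap._tcp _gc._tcp; do
        hp=$(srv_host_port "$(nslookup -query=srv "$rec.$DOMAIN" 2>/dev/null)")
        if [ -n "$hp" ]; then
            echo "OK:   $rec.$DOMAIN -> $hp"
        else
            echo "FAIL: no SRV record for $rec.$DOMAIN"; fail=1
        fi
    done
    off=$(ntp_offset "$(ntpdate -q "$DC" 2>/dev/null)")
    if [ -n "$off" ] && skew_ok "$off"; then
        echo "OK:   clock offset to $DC is ${off}s (limit ${MAX_SKEW}s)"
    else
        echo "FAIL: clock offset to $DC is '${off:-unknown}' (limit ${MAX_SKEW}s)"; fail=1
    fi
    return $fail
}

# The live checks run only on request, so the parsers above can be used offline.
if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it as ./ads_preflight.sh --live on the SUSE Manager host; a FAIL line for the SRV records usually means the host is still using a DNS server outside the Windows domain, and a FAIL for the clock offset means step 2 was skipped.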

Enable PAM Authentication in SUSE Manager

Three simple changes have to be made on the system to enable PAM:

1. Set up a PAM service file /etc/pam.d/susemanager:

    #%PAM-1.0
    auth     include common-auth
    account  include common-account
    password include common-password
    session  include common-session

2. Add the following line to /etc/rhn/rhn.conf:

    sm11:~ # echo "pam_auth_service = susemanager" >> /etc/rhn/rhn.conf

3. Reboot the system (or restart all needed services...).

Kerberos Authentication with local users

In this case only the authentication is done against the Microsoft ADS; all users have to be known by the local naming system (/etc/passwd). YaST can be used to configure the /etc/krb5.conf file. Install the following packages:

    sm11:~ # zypper install yast2-kerberos-client pam_krb5 krb5-client pam_krb5-32bit

Start YaST, select the Network Services menu and the Kerberos Client item within it. Change the option to "Use Kerberos" and complete the basic Kerberos settings:

Use the IP address of the Windows ADS server as the KDC server address. After submitting the dialog, test the authentication with kinit, which retrieves a Kerberos ticket from the ADS server. Write the realm in capital letters; Kerberos realm names are case-sensitive, and the AD realm is the upper-case form of the DNS domain:

    sm11:~ # kinit -V susedemo@PEUKINGEN.DE
    Password for susedemo@PEUKINGEN.DE:
    Authenticated to Kerberos v5

kinit leaves the ticket in the credential cache of the account that ran it; remove it with kdestroy once the test is done. Now the user can be added to the local system:

    sm11:~ # useradd susedemo

After that, create the user in the SUSE Manager system (spacecmd or browser). IMPORTANT: be sure that the Windows logon name, the Linux user and the SUSE Manager user are exactly the same! In the Create User dialog the password field can be left empty. Now the user can log in with his Windows password.
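For administrators who prefer not to click through YaST, the same configuration written as a script. This is an added example and not part of the SUSE document: it generates an /etc/krb5.conf for the realm, the /etc/pam.d/susemanager file shown above, and sets pam_auth_service in rhn.conf without duplicating the line when run a second time (the plain echo >> above appends another copy on every run). Realm PEUKINGEN.DE, KDC 192.168.7.10 and domain peukingen.de are taken from the Preface and are assumptions; pam-config -a --krb5 is the SLES command that enables pam_krb5 in the common-* files the service file includes. ROOT lets you write into a scratch directory first.

```shell
#!/bin/sh
# krb5_pam_setup.sh: non-YaST setup for "Kerberos authentication with local
# users". Added example, not part of the SUSE document.
# Assumptions: realm PEUKINGEN.DE, KDC 192.168.7.10, DNS domain peukingen.de
# (override through the environment); ROOT="" writes the real /etc files.
ROOT=${ROOT:-}
REALM=${REALM:-PEUKINGEN.DE}
KDC=${KDC:-192.168.7.10}
DOMAIN=${DOMAIN:-peukingen.de}

# gen_krb5_conf: minimal /etc/krb5.conf for one AD realm. clockskew is the
# tolerance for clock differences between client and KDC (default 300 s).
gen_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    clockskew = 300

[realms]
    $REALM = {
        kdc = $KDC
        admin_server = $KDC
        default_domain = $DOMAIN
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# gen_pam_service: the /etc/pam.d/susemanager stack from the document. It only
# includes the common-* files, so pam_krb5 has to be enabled in those
# (on SLES: pam-config -a --krb5).
gen_pam_service() {
    cat <<'EOF'
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
EOF
}

# set_rhn_option FILE KEY VALUE: make sure "KEY = VALUE" appears exactly once.
# A blind "echo >>" leaves another stale copy of the line behind on every run.
set_rhn_option() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        content=$(sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file") || return 1
        printf '%s\n' "$content" > "$file"     # rewrite in place, keeps mode and owner
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_rhn_option FILE KEY: print the last definition of KEY (empty if unset).
get_rhn_option() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# install_config: write all three pieces below $ROOT.
install_config() {
    mkdir -p "$ROOT/etc/pam.d" "$ROOT/etc/rhn"
    gen_krb5_conf > "$ROOT/etc/krb5.conf"
    gen_pam_service > "$ROOT/etc/pam.d/susemanager"
    chmod 644 "$ROOT/etc/krb5.conf" "$ROOT/etc/pam.d/susemanager"
    set_rhn_option "$ROOT/etc/rhn/rhn.conf" pam_auth_service susemanager
}

# Usage as root: ./krb5_pam_setup.sh --install
# Then, as in the document:  pam-config -a --krb5
#                            kinit -V susedemo@PEUKINGEN.DE && kdestroy
#                            useradd susedemo
if [ "${1:-}" = "--install" ]; then
    install_config
fi
```

Try it first with ROOT=/tmp/sm-test ./krb5_pam_setup.sh --install and inspect the generated files; the kinit test from the document is still the authoritative check that the realm and KDC are right, and it should be repeated after the SUSE Manager services have been restarted.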

Samba/Winbind Configuration

Samba can be used as a client to access Windows file, print and user services. The winbind service is responsible for connecting the Linux user management to a Microsoft AD service. YaST provides an easy way to build a valid configuration. Important: make sure that you have access to and have installed the latest patches, otherwise the authentication will not work!

First install the needed Samba packages:

    sm11:~ # zypper install yast2-samba-client samba-client samba-client-32bit samba-winbind krb5-client samba-winbind-32bit

Now start YaST, select the Network Services menu and the Windows Domain Membership item within it. Enter the domain name and select "Also Use SMB Information for Linux Authentication":

When you select OK you will be asked to join the domain. Confirm this and enter the user name of a Windows account with the right to add computer accounts to the domain. The example uses the domain administrator, but any account to which the right to create computer objects in the target OU has been delegated is sufficient; membership in Domain Admins is not required for a join.

You should now be a member of the domain. Try to retrieve the Windows users:

    sm11:~ # wbinfo -u
    PEUKINGEN\administrator
    PEUKINGEN\gast
    PEUKINGEN\krbtgt
    PEUKINGEN\susedemo
    PEUKINGEN\demo

Now you can add these users to SUSE Manager (spacecmd or browser). IMPORTANT: the login is built from the domain name and the Windows login, DOMAINNAME\login (for example PEUKINGEN\susedemo)!
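The same domain membership without YaST, plus the verification to run before pointing SUSE Manager at winbind. This is an added example and not part of the SUSE document: it writes a minimal smb.conf, joins with an account you pass in, and checks the join, the machine trust secret and that NSS resolves the DOMAIN\login form SUSE Manager needs. Workgroup PEUKINGEN, realm PEUKINGEN.DE, the 10000-20000 idmap range and the Samba 3.6 "idmap config" syntax are assumptions; rcwinbind is the SLES 11 init script.

```shell
#!/bin/sh
# winbind_setup.sh: non-YaST domain membership for the SUSE Manager host.
# Added example, not part of the SUSE document.
# Assumptions: workgroup PEUKINGEN, realm PEUKINGEN.DE, idmap range
# 10000-20000, Samba 3.6+ "idmap config" syntax, SLES 11 rcwinbind script.
ROOT=${ROOT:-}
WORKGROUP=${WORKGROUP:-PEUKINGEN}
REALM=${REALM:-PEUKINGEN.DE}

# gen_smb_conf: [global] for a pure domain member; no shares are exported.
gen_smb_conf() {
    cat <<EOF
[global]
    workgroup = $WORKGROUP
    realm = $REALM
    security = ads
    kerberos method = secrets and keytab
    # keep the DOMAIN\\user form: SUSE Manager logins are entered as $WORKGROUP\\login
    winbind use default domain = no
    winbind refresh tickets = yes
    winbind offline logon = no
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    # domain users only need to authenticate here, not to log in to a shell
    template shell = /bin/false
    template homedir = /home/%D/%U
EOF
}

# sm_login USER: the name to enter in SUSE Manager for a domain user.
sm_login() {
    printf '%s\\%s\n' "$WORKGROUP" "$1"
}

# join_domain ACCOUNT: write smb.conf and join with ACCOUNT (prompts for the
# password). Any account delegated "Create Computer objects" is sufficient.
join_domain() {
    mkdir -p "$ROOT/etc/samba"
    gen_smb_conf > "$ROOT/etc/samba/smb.conf"
    net ads join -U "$1" && rcwinbind restart
}

# verify_join USER: the Troubleshooting checks plus the trust secret and NSS.
verify_join() {
    net ads testjoin || return 1                       # machine account usable
    wbinfo -t || return 1                              # machine password valid
    wbinfo -u | grep -qi "^$WORKGROUP\\\\" || return 1 # users come back as DOMAIN\name
    getent passwd "$(sm_login "$1")" > /dev/null       # NSS resolves the SUSE Manager login
}

# Usage as root:  ./winbind_setup.sh --join Administrator
#                 ./winbind_setup.sh --verify susedemo
case "${1:-}" in
    --join)   join_domain "${2:?join account}" ;;
    --verify) verify_join "${2:?domain user}" ;;
esac
```

If --verify fails at the getent step while wbinfo -u lists the user, winbind is not in the passwd line of /etc/nsswitch.conf (the YaST checkbox "Also Use SMB Information for Linux Authentication" adds it); SUSE Manager resolves the login through NSS and PAM, not through wbinfo.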

Troubleshooting

If a user cannot log in with his Windows password, first try a Kerberos authentication on the console (realm in capital letters):

    sm11:~ # kinit -V user@DOMAIN.COM

For winbind problems, check that the Linux system has successfully joined the Windows domain:

    sm11:~ # net ads info
    LDAP server: 192.168.7.10
    LDAP server name: winad.peukingen.de
    Realm: PEUKINGEN.DE
    Bind Path: dc=peukingen,dc=de
    LDAP port: 389
    Server time: Di, 31 Jan 2012 16:28:18 CET
    KDC server: 192.168.7.10
    Server time offset: 0

    sm11:~ # wbinfo -D PEUKINGEN
    Name              : PEUKINGEN
    Alt_Name          : peukingen.de
    SID               : S-1-5-21-1146430519-78324060-294905416
    Active Directory  : Yes
    Native            : Yes
    Primary           : Yes

A "Server time offset" of more than a few seconds points back to the time synchronization step; beyond the allowed clock skew (300 seconds by default) the KDC rejects every ticket request. wbinfo -t checks that the machine account password stored at join time is still valid; if it fails, the computer account was reset or deleted on the domain side and the host has to be joined again.