Wednesday 3 February 2010

Using Winbind in Linux to authenticate to AD

Linux has Pluggable Authentication Modules (PAM) to provide a common set of authentication APIs.
It also has Name Service Switch (NSS) APIs for looking up user and group information.
Both reside on each Linux machine.

AD authentication method 1
Have PAM and NSS communicate directly with AD using LDAP. However, LDAP authentication passes the password in clear text (so LDAPS would be needed). The DC also has to be specified explicitly.

AD authentication method 2
Get PAM to use Kerberos and NSS to do group membership lookups via LDAP. More secure, but it still has the problem that the DC has to be specified. It also doesn't manage passwords well.

AD authentication method 3
Use Samba.
Samba has a Winbind daemon that intercepts PAM and NSS calls and translates them into AD calls, using Kerberos, LDAP or RPC, whichever is appropriate.
Winbind can also replicate the Windows DC locator mechanism, finding the best DC via DNS SRV records.

Winbind parameters
Winbind domain: NetBIOS name of the AD domain.
Security model: ADS.
Winbind ADS realm: DNS name of the domain.
Winbind domain controllers: name of a DC, or * to have Winbind use its DC locator mechanism.

ID mapping
NIS is often used on Linux to ensure that a UID is unique across machines.

One can therefore have a mechanism to do a 1:1 mapping of AD users and groups to Linux UIDs and GIDs. This is a big admin overhead.

An easier method is to have Winbind extract the RID from the user's SID at login and derive the UID from the RID.
This has zero admin overhead but won't work in a multi-domain environment, because the same RID can occur in more than one domain.
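
The RID-to-UID rule and the multi-domain collision it causes, as an added example that is not part of the original post. It reproduces what Samba's rid idmap backend does (UID = low end of the configured range + RID, with the default base RID of 0), first with one shared range and then with a separate range per domain, which is how Samba avoids the clash when several domains are trusted. The domain SIDs, user names and RIDs are constructed sample data.

```python
from collections import Counter

# Constructed sample data: two AD domains whose accounts happen to have been
# allocated the same RID (1105). Domain SIDs are made up.
USERS = {
    "CORP\\alice": ("CORP", "S-1-5-21-111111111-222222222-333333333-1105"),
    "CORP\\bob":   ("CORP", "S-1-5-21-111111111-222222222-333333333-1106"),
    "LAB\\carol":  ("LAB",  "S-1-5-21-444444444-555555555-666666666-1105"),
}

# One range shared by every domain (the situation the post warns about) versus
# a distinct range per domain (what per-domain 'idmap config' blocks give you).
SHARED_RANGE = {"*": (10000, 99999)}
PER_DOMAIN_RANGES = {"CORP": (10000, 19999), "LAB": (20000, 29999)}


def parse_sid(sid):
    """Split a string SID into (domain SID, RID).

    The RID is the last sub-authority: 'S-1-5-21-A-B-C-1105' -> RID 1105.
    """
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID: %r" % (sid,))
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_uid(sid, low, high):
    """Samba rid-backend rule: uid = low + RID; None if it falls outside the range."""
    _, rid = parse_sid(sid)
    uid = low + rid
    return uid if low <= uid <= high else None


def map_users(users, ranges):
    """Map every user to a UID and report UIDs that were handed out twice.

    users:  {name: (NetBIOS domain, SID)}
    ranges: {NetBIOS domain or '*': (low, high)}; '*' is the fallback range.
    Returns (mapping, collisions).
    """
    mapping = {}
    for name, (domain, sid) in users.items():
        rng = ranges.get(domain) or ranges.get("*")
        if rng is None:            # no range configured for this domain
            mapping[name] = None
            continue
        mapping[name] = rid_to_uid(sid, *rng)
    counts = Counter(uid for uid in mapping.values() if uid is not None)
    collisions = {uid for uid, n in counts.items() if n > 1}
    return mapping, collisions


if __name__ == "__main__":
    for label, ranges in (("shared range", SHARED_RANGE),
                          ("per-domain ranges", PER_DOMAIN_RANGES)):
        mapping, collisions = map_users(USERS, ranges)
        print(label, mapping, "collisions:", sorted(collisions))
```

With the shared range, CORP\alice and LAB\carol both land on UID 11105, so files owned by one become readable by the other; with per-domain ranges they get 11105 and 21105. On a real host, `wbinfo -S <SID>` and `getent passwd 'CORP\alice'` show the UID Winbind actually assigned.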

Implementing mapping
To implement mapping, edit /etc/samba/smb.conf:
AD mapping: add "idmap backend = ad"
RID mapping: add "idmap backend = rid"
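
An smb.conf [global] section that puts the Winbind parameters and the ID mapping together, as an added example that is not from the original post. The domain name EXAMPLE / EXAMPLE.COM and the UID ranges are assumptions. It uses the per-domain "idmap config DOMAIN : ..." syntax of Samba 3.6 and later; the single "idmap backend = ad/rid" line quoted above is the older global form from the Samba 3.0 era and was paired with "idmap uid" and "idmap gid" range settings.

```ini
[global]
   ; Winbind domain: NetBIOS name of the AD domain
   workgroup = EXAMPLE
   ; Security model: ADS (Winbind picks Kerberos, LDAP or RPC as appropriate)
   security = ads
   ; Winbind ADS realm: DNS name of the domain
   realm = EXAMPLE.COM
   ; Winbind domain controllers: '*' lets Winbind use its SRV-record DC locator
   password server = *

   ; ID mapping. The '*' block covers well-known SIDs (BUILTIN etc.) and must
   ; not overlap the domain range; the EXAMPLE block is the RID mapping from
   ; the post: uid = 10000 + RID.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-99999

   ; AD mapping instead of RID mapping: take uidNumber/gidNumber from the
   ; RFC 2307 attributes stored in AD, so the admin controls every ID.
   ; idmap config EXAMPLE : backend = ad
   ; idmap config EXAMPLE : schema_mode = rfc2307
   ; idmap config EXAMPLE : range = 10000-99999

   ; What NSS returns for the shell and home directory of domain users
   template shell = /bin/bash
   template homedir = /home/%D/%U
```

NSS only consults Winbind once "winbind" is added to the passwd and group lines of /etc/nsswitch.conf, and the host has to be joined first (net ads join). To check the result: `wbinfo -t` tests the trust to the DC, `wbinfo -u` lists domain users, and `getent passwd` should show them with UIDs from the configured range. Keep the two ranges disjoint; overlapping ranges are the most common way of ending up with two SIDs sharing one UID.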
