RedHat Enterprise Linux 5 Encrypted Microsoft Active Directory Authentication

So after a few hours getting Linux authenticating happily from Active Directory, I turned my attention to getting it all working with encryption.

Initially I had tried a telnet to port 636 (the LDAPS port), which failed, so it didn't look like my AD box was talking LDAPS. Somewhere to start, I guess!

RedHat Enterprise Linux 5 Microsoft Active Directory Authentication

Today I set out to get RHEL 5.x (specifically 5.5) to authenticate from a Windows 2003 R2 Active Directory. I used plenty of web pages, none of which were 100% correct for my setup, so I thought I'd document exactly what I did here for my own future reference; if anybody else finds it useful, so much the better. To start with, thanks to the following pages; between them, they got me about 80% of the way there:

  • Scott Lowe has a useful howto here. It is for version 4 currently; click around his site to ensure he hasn't updated it before you use it as a reference.
  • The second resource I used is here.

Back to Windows

After nearly 7 weeks without having to suffer Windows in any of its incarnations, I returned to work today and had the pleasure of XP on my horribly clunky Thinkpad. Very shortly after booting it, I was presented with the following error message.

What a wonderful dialogue box and what a ‘Useful tip’. A Google search suggests it is something to do with the Windows Bluetooth stack. Oh, I don't fucking care, you stupid program, I just wanted to message somebody; you worked 7 weeks ago, why are you arsing around now?

As an aside, I notice the 8.3 filename, which still at some level seems to exist in Windows XP. How quaint of it!

The windows experience.

So I’m on a Wikipedia page which has an OGG file. These are the steps taken to listen to the OGG.

* Next to the link is a large play button. I click it. A Java system tray icon appears along with a large tooltip saying something about Java. Nothing else happens.

* I click play again, nothing

* I open the ‘media help’ page in a new tab

* Try to switch to the tab with the standard keyboard shortcut ctrl-2. nothing

* Switch to the tab with the mouse. Windows dialog: ‘application has stopped responding’. Firefox crashes.

* Re-open firefox, visit the wikipedia page, navigate straight to the media help page.

* Download the ogg codec pack

* Install the codec pack

* Tell Windows ‘yes, I meant to double click that installer’

* Wait

* Click the ogg link on the original page, offered to save file (not play it)

* Save the file to disk

* Find the file (Firefox put it in some temp folder, so I had to use find to locate it)

* Double click it. ‘Do you want windows to look on the internet to find out how best to handle this file?’ yes

* Windows cannot identify the file.

* Manually run Windows Media player, drag file onto player window.

* Player is busy ‘loading library’ so nothing happens

* Wait, try again

* Nothing, no message.

* Shift + right click -> Open With, manually choose Windows Media Player. File plays.

Yay! It's 2008 and I feel computers have really come a long way.

Linux authentication from Active Directory

Just needed to auth a Redhat (actually CentOS) 4 update 4 machine from an Active Directory server, and thought I ought to make a note for future reference.

It is worth gathering some information before you start. You will need the following:

  • AD domain: in the example I use HILDEBRANDTECH
  • Domain controller: in the example I use win23kent.hildebrandtechnology.local
  • ADS realm: mine was HILDEBRANDTECHNOLOGY.LOCAL

It seems that case is important for all of this. Thanks, Microsoft.

Other things to watch for are:

  1. Your client machine must be able to resolve the hostname of your AD server. Try it with ping now, and if it fails, fix it before you start.
  2. Check your clocks are in sync. Kerberos uses time-based tickets, so any significant clock skew will cause problems.
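The two pre-flight checks above can be scripted. The following is an added example written for this post (it is not part of authconfig, Samba or Kerberos): it confirms the DC name resolves and that the clock offset reported by `ntpdate -q` is inside the 300 second skew that a Kerberos KDC tolerates by default. The DC name in the usage line and the sample `ntpdate` line in the comments are constructed.

```shell
#!/bin/sh
# Added pre-flight checks for joining an AD domain: name resolution and clock
# skew. Illustrative code written for this post; not part of authconfig or Samba.

# Kerberos rejects tickets when client and KDC clocks differ by more than the
# KDC's clock skew limit, which is 300 seconds by default.
MAX_SKEW=300

# Returns 0 if the name resolves (getent consults /etc/hosts and then DNS,
# the same path the Samba tools use).
check_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Extract the offset field from one line of `ntpdate -q <dc>` output, e.g.
# (constructed sample): server 192.0.2.10, stratum 2, offset -0.003412, delay 0.02568
# Prints nothing if the line carries no offset.
parse_ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\),.*/\1/p'
}

# Returns 0 if |offset| <= MAX_SKEW seconds, 1 otherwise. awk does the
# floating point comparison that sh cannot.
skew_ok() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# Run both checks against one domain controller and report the outcome.
preflight() {
    dc="$1"
    if ! check_resolves "$dc"; then
        echo "FAIL: cannot resolve $dc - fix DNS or /etc/hosts before joining"
        return 1
    fi
    # The first line containing "offset" is the per-server summary line.
    line=$(ntpdate -q "$dc" 2>/dev/null | grep offset | head -n 1)
    off=$(parse_ntpdate_offset "$line")
    if [ -z "$off" ]; then
        echo "FAIL: no NTP answer from $dc (is the Windows Time service reachable?)"
        return 1
    fi
    if ! skew_ok "$off"; then
        echo "FAIL: clock offset ${off}s exceeds ${MAX_SKEW}s, Kerberos will reject tickets"
        return 1
    fi
    echo "OK: $dc resolves, clock offset ${off}s"
}

# Usage (hostname is the post's example DC, substitute your own):
#   preflight win23kent.hildebrandtechnology.local
```

Running `preflight` before `authconfig` catches both gotchas in one go; a non-zero exit means stop and fix the named problem first.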

Because I was using RedHat Enterprise I had the luxury of using authconfig. Log in as root (or su) and run authconfig from the command line; you will be presented with some options for where the machine should source user and authentication data from. You need to tick the ‘Use Winbind’ option in both columns. After making my selections, mine looked like this:

Authconfig AD Setup Page 1

After making the correct settings, hit Next. On the next screen you need to enter all the information you gathered before starting. Additionally, I chose /bin/bash as the template shell:

Authconfig AD Setup Page 2

After typing all the above in, hit Ok. You can choose ‘Join Domain’ at this point, but I prefer to do that manually so you can ensure it was successful.

Once you are at your prompt again, run the following:

[root@adc-a04 ~]# net ads join -U administrator
administrator's password:
Using short domain name -- HILDEBRANDTECH
Joined 'ADC-A04' to realm 'HILDEBRANDTECHNOLOGY.LOCAL'
[root@adc-a04 ~]#

If you see a message similar to the above your machine should now be joined to the domain.

If you now run ‘getent passwd’ you should see some extra users are displayed, the ones gathered from the AD. An example of one is shown below.

HILDEBRANDTECH\robin:*:16777223:16777216:Robin Kearney:/home/HILDEBRANDTECH/robin:/bin/bash

You should now be able to log in as ‘HILDEBRANDTECH\robin’. By default winbind requires the domain to be entered as part of the username. If your Linux machine is only going to authenticate from a single AD realm, you can make a small change to smb.conf to avoid this.

In /etc/samba/smb.conf look for the line which reads:

winbind use default domain = no

And change the no to yes. Then issue a ‘service winbind restart’ and re-run your ‘getent passwd’; you should notice the domain component of all the usernames has gone. Now you can simply use ‘robin’ to log in.

Your users should now be able to log in. There is a slight problem in that they will have no home directories, but PAM can help with this.

If you edit /etc/pam.d/login and add the following as the last line:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

PAM will automatically create a home directory for the user when they first log in.

There is one minor issue with the default winbind settings for home directories. By default winbind is configured to set AD users’ home directories to /home/DOMAIN/USER. This is fine in our setup, but pam_mkhomedir refuses to create the missing DOMAIN directory, so none of the home directories get created.

You can fix this in one of two ways. First, manually create /home/DOMAIN for each of your AD domains (this will likely be just the one). Or, and this might suit better, change the structure of home directories for AD users. This is done in /etc/samba/smb.conf; you need to add or edit a line like the following:

template homedir = /home/%U

The default here is %D/%U. %D gets expanded to the DOMAIN. The official samba documentation for this setting is here

Hopefully after all that you can still login, and your AD users can too.