
Mac OS/Linux/Windows Single Sign-On

Centralized authentication greatly simplifies network administration. This post teaches how to log in to a Mac or Linux computer using centrally managed user accounts from a Windows Active Directory domain controller. With this configuration, the same Windows user accounts can be used to log in to any of the three operating systems, Mac OS, Linux, or Windows, with the same user network folder auto-mounted.

Want to learn more? This is one of the topics covered in depth in the Mixed Networks Bootcamp.

Requirements
Mac OS X 10.3 or newer, with all updates installed.
SAMBA 3.x on Linux (this example uses Fedora Core 4, but the steps should apply to other distributions as well).
Windows Domain Controller, running Server 2000 or newer.

Abstract
On Windows:
Configure the user network home folder path. Redirect the My Documents folder to the same network path (optional). Configure Kerberos to allow unencrypted connections (additional notes as to why this setup is used are at the end of the post).

On Linux:
Configure Kerberos, SAMBA, and Winbind with the domain settings. Join the domain. Configure NSS and PAM for AD authentication. Set PAM to autocreate local user home folders and auto-mount the network user folder specified in Active Directory. Log in as a domain user to test the configuration.

On OSX:
Configure Active Directory access using the Directory Access utility. Join the domain. Add the Active Directory domain to the Authentication and Contacts search paths. Change login preferences to prompt for username and password. Log in as a domain user to test the configuration.

Detailed Steps
We’ll handle each of the OSes in order. First, Windows:
The steps below assume a domain named bnr.com in an IP range of 192.168.1.x with a domain user account called student and a domain controller named win-svr1. Adjust these values to match your own setup.

Windows
Configure the network folder that clients will automount:
1. Specify the user’s home folder path on the Profile tab of the user account properties in Active Directory Users and Computers. This is the path that each OS will connect to on login as this user. The parent folder (in this case \\win-svr1\home) is the UNC path of a pre-existing shared folder on a Windows server. The subfolder for this user (\\win-svr1\home\student) is created automatically:

Specify user home folder path

Redirect the My Documents folder to the same network folder:
This is optional, but it’s a nice bonus having the My Documents files available from the other computers.
1. In the Default Domain Policy \ User Configuration \ Windows Settings \ Folder Redirection \ My Documents, choose the Basic setting and specify a file server share path. All users’ My Documents folders will be redirected here:

My Documents redirection

Configure security settings to allow SMB connections:
1. Allow unencrypted connections in the Default Domain Controller and Default Domain Group Policies:
In the Default Domain Controller Policy \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options, find “Microsoft network server: Digitally sign communications (always)” and “Microsoft network server: Digitally sign communications (if client agrees)”. Define both of these policies as “Disabled”:

SMB Group Policy changes

2. Make the same change under the Default Domain Policy.

Apply the updated group policy changes:
1. Run gpupdate on the server from a command line to refresh group policy settings:

c:\>gpupdate
Refreshing Policy...

User Policy Refresh has completed.
Computer Policy Refresh has completed.

Now, on to Linux:

Linux
Configure local NTP time source to avoid Kerberos time conflicts:
1. Add a local NTP server to the ntpservers file:

$ sudo vi /etc/ntp/ntpservers
192.168.1.10
clock.redhat.com
clock2.redhat.com

Specify a DNS server for local name resolution:
1. Add a local DNS server to /etc/resolv.conf:

$ sudo vi /etc/resolv.conf
search bnr.com
nameserver 192.168.1.10

Configure Kerberos:
1. Edit krb5.conf:

$ sudo vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BNR.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 BNR.COM = {
  kdc = win-svr1.bnr.com:88
  admin_server = win-svr1.bnr.com:749
  default_domain = bnr.com
 }

[domain_realm]
 .bnr.com = BNR.COM
 bnr.com = BNR.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

2. Test Kerberos by requesting a TGT (any domain account will work, but the realm name after the @ is case-sensitive and must be uppercase):

$ kinit student@BNR.COM
Password for student@BNR.COM:

3. Check that the ticket request succeeded by listing the active Kerberos tickets:

$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: student@BNR.COM

Valid starting     Expires            Service principal
09/30/05 12:37:36  09/30/05 22:37:39  krbtgt/BNR.COM@BNR.COM
        renew until 10/01/05 12:37:36
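Before joining the domain it is worth checking the three things that most often break this step: a realm name that is not uppercase, a missing [realms] stanza, and a clock more than five minutes off the domain controller. The script below is an added example and is not part of the original post; the krb5.conf fragments and klist output it checks are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: offline preflight checks for the
# Linux Kerberos step. Inputs below are constructed samples; in real use feed
# the contents of /etc/krb5.conf and the output of klist.
GOOD_CONF='[libdefaults]
 default_realm = BNR.COM
[realms]
 BNR.COM = {
  kdc = win-svr1.bnr.com:88
 }'
BAD_CONF='[libdefaults]
 default_realm = bnr.com
[realms]
 BNR.COM = {
  kdc = win-svr1.bnr.com:88
 }'
KLIST_OK='Default principal: student@BNR.COM
Valid starting     Expires            Service principal
09/30/05 12:37:36  09/30/05 22:37:39  krbtgt/BNR.COM@BNR.COM'
KLIST_NONE='klist: No credentials cache found'

# Print the default_realm if it is uppercase and has a [realms] stanza;
# a lowercase realm is what makes kinit report "Cannot find KDC for realm".
check_krb5_conf() {
  realm=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1)
  if [ -z "$realm" ]; then echo "no default_realm" >&2; return 1; fi
  if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
    echo "default_realm '$realm' is not uppercase" >&2; return 1
  fi
  if ! printf '%s\n' "$1" | grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{"; then
    echo "no [realms] stanza for $realm" >&2; return 1
  fi
  printf '%s\n' "$realm"
}

# True if klist output shows a TGT (krbtgt/REALM@REALM) for the realm.
has_tgt() { printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"; }

# True if client and KDC clocks (Unix epoch seconds) are within 5 minutes,
# the default Kerberos clock-skew tolerance.
skew_ok() {
  d=$(( $1 - $2 ))
  if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
  [ "$d" -le 300 ]
}

if realm=$(check_krb5_conf "$GOOD_CONF") && has_tgt "$KLIST_OK" "$realm"; then
  echo "preflight ok: TGT present for $realm"
fi
```

On a real client, replace the sample strings with `$(cat /etc/krb5.conf)` and `$(klist 2>&1)`, and feed `skew_ok` the local `date +%s` and the time reported by the NTP server.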

Read on for more Linux configuration steps
