Authenticating UNIX/Linux to Windows 2008R2. Part 1

Background

Before Windows is brought into the picture, UNIX (eg Solaris) manages users and groups using the /etc/passwd and /etc/group files, or using NIS or NIS+. Sun deprecated NIS+ from Solaris 9 onwards, with LDAP being the preferred replacement as the naming service.

However, whilst Windows 2008R2 Active Directory does act as an LDAP server, LDAP is used here only as the naming service (the source of UID, GID, login shell and home directory for each account). Authentication is done via Kerberos V5, for which the domain controller acts as the KDC. This blog will document the steps required to set up Windows 2008R2 to act as a Kerberos and LDAP server to support both Linux and Solaris.

VMware Workstation will be used to do the Proof-of-concept. It is expected that the SPARC version of Solaris 10 would act the same as the Intel version of Solaris 10.

The following Guest UNIX Operating systems will be tested:

  • Solaris 10 Update 9, (x86_64)
  • Red Hat Enterprise Linux 5 Update 6 (x86_64)
  • Red Hat Enterprise Linux 6 (x86_64)

Windows 2008R2 (x64) Standard Edition will be used.

Requirements

  • VMware Workstation 7.1.4 used as the proof-of-concept hosting platform.
  • Active Directory must be the source of truth.
  • Windows 2008R2 will also provide DNS.
  • No additional self-supported software allowed (only what ships with the operating systems may be used).
  • Configuration files may be edited and documented (eg pam.conf)
  • Encryption must be used (ie LDAPS, not LDAP).
  • Certificates must be used to provide positive authentication of servers (to prevent spoofing). This applies to both LDAP and Kerberos.
  • Users must be able to manage their own passwords (ie this isn't password synchronisation).
  • Password expiry controls must be honoured.
  • Kerberos features, such as single sign on (from Windows to UNIX, or UNIX to UNIX) must be supported.

Network and Host IP Addresses

  1. Subnet: 192.168.102.0/24
  2. Default Router: None
  3. DNS Domain: example.com
  4. Kerberos Realm: EXAMPLE.COM
  5. AD server hostname: adserver.example.com
  6. AD server IP address: 192.168.102.10
  7. Solaris guest 1 hostname: sol10host1.example.com
  8. Solaris guest 1 IP address: 192.168.102.20
  9. Solaris guest 2 hostname: sol10host2.example.com
  10. Solaris guest 2 IP address: 192.168.102.30
  11. RHEL5.6 guest 1 hostname: rhel5host1.example.com
  12. RHEL5.6 guest 1 IP address: 192.168.102.40
  13. RHEL5.6 guest 2 hostname: rhel5host2.example.com
  14. RHEL5.6 guest 2 IP address: 192.168.102.50
  15. RHEL6.0 guest 1 hostname: rhel6host1.example.com
  16. RHEL6.0 guest 1 IP address: 192.168.102.60
  17. RHEL6.0 guest 2 hostname: rhel6host2.example.com
  18. RHEL6.0 guest 2 IP address: 192.168.102.70

Method

Windows Setup

    1. Create a Windows 2008R2 VM, with the following configuration:
      1. Custom Config, VMware Workstation 6.5 compatible
      2. I will install the operating system later.
      3. Guest OS : Microsoft Windows, Windows Server 2008 R2 x64
      4. VM Name: "adserver"
      5. 1 Processor, 1 Core per Processor
      6. 1024MB Memory
      7. Use Host-Only Networking
      8. IDE Controller type: ATAPI
      9. SCSI Controller type: LSI Logic SAS
      10. Disk: Create a new virtual disk, SCSI, Maximum Disk size, 40GB, Store as Single File, adserver.vmdk (on an NTFS filesystem).
      11. Insert the Windows installer CD (build 59754),
      12. Power on and Boot from CD.
    2. Install Windows 2008R2:
      1. Select English Language, English (Australian) Time/Currency, US Keyboard
      2. Install Now
      3. Select Windows 2008 R2 Standard (Full Installation)
      4. Accept the License Terms
      5. Select Custom->Advanced
      6. Select Drive 0, Unallocated Space
      7. Set hostname, timezone,
      8. Install VMware Tools. Use Typical Setup.
      9. Set VMware Tools to use Time Synchronisation between the VM and the host. Kerberos rejects tickets when clocks differ by more than 5 minutes (the default skew), so every guest must keep time in step with this server.
      10. Reboot
      11. Configure Networking, using Static IPv4 address. Disable IPv6.
      12. Allow Remote Desktop, if required
      13. Disable Firewall. This is acceptable for the proof-of-concept only; outside the lab leave the firewall on and open just the ports the UNIX clients need: 53 (DNS), 88 (Kerberos), 464 (kpasswd) and 636 (LDAPS).
    3. Install AD Server Role, run "dcpromo"
      1. Advanced Mode Installation: yes
      2. New domain in a new forest: yes
      3. Domain FQDN: example.com
      4. Domain NETBIOS name: EXAMPLE
      5. Forest Functional Level: Windows Server 2008 R2
      6. Select the DNS Server Additional Option
      7. Use the standard folder names
      8. Enter a Directory Services Restore Mode Administrator Password
      9. Reboot
      10. Set the nameserver (same as parent folder) NS to use the FQDN. "adserver.example.com."
      11. Set the nameserver for the Network Connection to "127.0.0.1"
      12. Set the DNS suffix for this connection to "example.com"
    4. Install the Identity Management for UNIX Role Service
    5. Install the Active Directory Certificate Services Role:
      1. Install just the Certificate Authority
      2. Setup Type : Enterprise
      3. CA Type: Root CA
      4. Private Key : Create a new private key
      5. Cryptographic Service Provider : RSA (default)
      6. Key Length : 2048 (default)
      7. Hashing Algorithm: SHA1 is the 2008R2 default, but it is deprecated for certificate signatures. Choose SHA256 here, because the CA certificate signed now is what every client will trust for the whole validity period.
      8. Common Name for the CA : example-ADSERVER-CA
      9. Distinguished Name Suffix : DC=example,DC=com
      10. Validity Period : 5 Years
    6. Start Active Directory Users and Computers
      1. Create a user for doing the LDAP bind (by default AD does not permit anonymous searches of the directory, so the clients need an account to bind with):
        1. Name the user
          (eg. "ldapsearch").
        2. Set the password:
          (eg "ld@p53arch")
        3. Set the user password to never expire, and not be changeable.
        4. The user must be a member of "Domain Users" (by default, it is). Give it no further group memberships or rights: this password will sit in cleartext in the LDAP client configuration of every UNIX host, so the account must be able to do nothing more than read the directory.
      2. Create an OU, if required to contain UNIX objects,
        (eg. "OU=UNIX,DC=example,DC=com").
      3. Create UNIX groups, as required:
        1. Create a Global Security Group. Name the group
          (eg. "unixgrp1").
        2. Select the properties, UNIX Attributes tab, and set as follows:
        3. NIS Domain: EXAMPLE
        4. GID: 10000
        5. Primary Group: 10000
      4. Create UNIX users, as required:
        1. Name the user, and give it a password.
        2. Select the properties, UNIX Attributes tab, and set as follows:
        3. NIS Domain: EXAMPLE
        4. UID: 10000
        5. Login Shell: /bin/bash
        6. Home Directory: /home/unix1
        7. Primary Group: unixgrp1
    7. Using DNS Management, add DNS entries for the hosts.
      Create an A record and a PTR record for each host. Forward and reverse lookups must agree: the Kerberos host principal (host/fqdn@EXAMPLE.COM) is derived from the canonical hostname, and a missing or mismatched PTR record is a common cause of GSSAPI failures later.
    8. Start Certificate Services (certsrv.msc), and export the certificate for "example-ADSERVER-CA":
      1. Select Base-64 encoding X.509 (.CER)
      2. Save the file to "rootCA.cer".
    9. Start Active Directory Users and Computers
      1. Create a computer object for each host. The host's Kerberos principal (host/fqdn@EXAMPLE.COM) will be mapped to this account, and the host keytab generated from it.
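
As an added example that is not part of the original post: the directory, DNS and CA parts of the procedure above (steps 6 to 9), scripted in PowerShell on adserver using the ActiveDirectory module that comes with the AD DS role, plus dnscmd.exe and certutil.exe. The object names, IDs and addresses are the ones listed on this page. The LDAP attribute names behind the UNIX Attributes tab (uidNumber, gidNumber, loginShell, unixHomeDirectory, msSFU30NisDomain), the reverse zone name and the prompted passwords are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on adserver after dcpromo and the Certificate Services role.
# Assumptions: ActiveDirectory module, dnscmd.exe and certutil.exe present;
# the RFC 2307 attribute names below are what the UNIX Attributes tab writes.
Import-Module ActiveDirectory

$domainDN  = "DC=example,DC=com"
$unixOU    = "OU=UNIX,$domainDN"
$nisDomain = "EXAMPLE"
$dnsZone   = "example.com"
$revZone   = "102.168.192.in-addr.arpa"   # assumed reverse zone for 192.168.102.0/24

# Step 6.2: container for the UNIX objects
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'UNIX'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name "UNIX" -Path $domainDN
}

# Step 6.1: least-privilege LDAP bind account. Its password ends up in
# cleartext in client LDAP config files, so it keeps only the default
# Domain Users membership and cannot change its own password.
$bindPw = Read-Host -AsSecureString "Password for the ldapsearch bind account"
New-ADUser -Name "ldapsearch" -SamAccountName "ldapsearch" `
    -UserPrincipalName "ldapsearch@$dnsZone" -Path $unixOU `
    -AccountPassword $bindPw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "Read-only LDAP bind account for UNIX clients"

# Step 6.3: UNIX group. "GID" and "NIS Domain" on the tab are assumed to be
# gidNumber and msSFU30NisDomain.
New-ADGroup -Name "unixgrp1" -SamAccountName "unixgrp1" -Path $unixOU `
    -GroupScope Global -GroupCategory Security `
    -OtherAttributes @{ gidNumber = 10000; msSFU30NisDomain = $nisDomain }

# Step 6.4: UNIX user. "Primary Group" on the tab is the user's gidNumber.
$userPw = Read-Host -AsSecureString "Initial password for unix1"
New-ADUser -Name "unix1" -SamAccountName "unix1" `
    -UserPrincipalName "unix1@$dnsZone" -Path $unixOU `
    -AccountPassword $userPw -Enabled $true `
    -OtherAttributes @{
        uidNumber         = 10000
        gidNumber         = 10000
        loginShell        = "/bin/bash"
        unixHomeDirectory = "/home/unix1"
        msSFU30NisDomain  = $nisDomain
    }
Add-ADGroupMember -Identity "unixgrp1" -Members "unix1"

# Steps 7 and 9: A record, PTR record and computer object per UNIX host.
# The computer object's DNSHostName is what host/<fqdn>@EXAMPLE.COM maps to.
$hosts = @{
    "sol10host1" = "192.168.102.20"; "sol10host2" = "192.168.102.30"
    "rhel5host1" = "192.168.102.40"; "rhel5host2" = "192.168.102.50"
    "rhel6host1" = "192.168.102.60"; "rhel6host2" = "192.168.102.70"
}
# dnscmd is the 2008 R2 DNS command line (the DnsServer module is 2012+).
# ZoneAdd reports an error if the reverse zone already exists; that is harmless.
dnscmd localhost /ZoneAdd $revZone /DsPrimary | Out-Null
foreach ($h in $hosts.GetEnumerator()) {
    $fqdn      = "$($h.Key).$dnsZone"
    $lastOctet = $h.Value.Split(".")[3]
    dnscmd localhost /RecordAdd $dnsZone $h.Key A $h.Value | Out-Null
    dnscmd localhost /RecordAdd $revZone $lastOctet PTR "$fqdn." | Out-Null
    New-ADComputer -Name $h.Key -DNSHostName $fqdn -Path $unixOU `
        -ServicePrincipalNames "host/$fqdn"
}

# Step 8: certutil -ca.cert writes the CA certificate in DER; -encode turns
# it into the Base-64 (.CER / PEM) form the UNIX clients need.
certutil -ca.cert "$env:TEMP\rootCA.der" | Out-Null
certutil -encode "$env:TEMP\rootCA.der" "C:\rootCA.cer" | Out-Null

# Checks: forward and reverse lookups must agree for every host, and the
# user must carry the RFC 2307 attributes the clients will read.
foreach ($h in $hosts.GetEnumerator()) {
    $fwd = ([System.Net.Dns]::GetHostAddresses("$($h.Key).$dnsZone") |
        Select-Object -First 1).IPAddressToString
    $rev = [System.Net.Dns]::GetHostEntry($h.Value).HostName
    "{0,-12} A -> {1,-16} PTR -> {2}" -f $h.Key, $fwd, $rev
}
Get-ADUser unix1 -Properties uidNumber, gidNumber, loginShell, unixHomeDirectory |
    Format-List Name, uidNumber, gidNumber, loginShell, unixHomeDirectory
```

Compare the attributes the last command prints with the UNIX Attributes tab in Active Directory Users and Computers; if the tab shows the same NIS domain, UID, shell and home directory, the attribute names assumed above are the ones the clients in Part 2 will be reading.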