30 July 2009

Dual factor OpenVPN with Active Directory and Certificate Services (Part 2 of 4)


2 Building Active Directory Integration
Joining this box to the active directory (AD) domain is the first part of our two-factor authentication. Authconfig-tui should have done most of this, but double-check your files. It is good to know what is what in case you need to trouble-shoot. And if you are using a different distro, you may still need to do this manually.

2.1 Setting Name services
Point the machine to winbind services. Authconfig-tui should have made all these changes.

2.1.2 Modify /etc/nsswitch.conf
# vi /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind

2.1.2 Modify /etc/hosts
Add the AD controller to /etc/hosts. This is optional and not done by
authconfig-tui.
# vi /etc/hosts
127.0.0.1 openvpn.yourdomain.com localhost.localdomain localhost
192.168.1.1 DOMAINCONTROLLER.YOURDOMAIN.COM DOMAINCONTROLLER

2.1.3 Set Kerberos authentication
Authentication goes through the krb5 settings. Authconfig-tui should have made all these changes.
These changes are made in /etc/krb5.conf

# less /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YOURDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
YOURDOMAIN.COM = {
kdc = DOMAINCONTROLLER.YOURDOMAIN.COM:88
}
[domain_realm]
.yourdomain.com = YOURDOMAIN.COM
yourdomain.com = YOURDOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


2.1.4 Samba adjustments
Don’t forget smb.conf! /etc/samba/smb.conf will need some adjustments. Adding the last three lines will prevent the VPN server from trying to become the master SMB browser. Setting “winbind use default domain” to “true” means users do not have to type “YOURDOMAIN” when they log on.

# vi /etc/samba/smb.conf
workgroup = YOURDOMAIN
password server = DOMAINCONTROLLER.YOURDOMAIN.COM
realm = YOURDOMAIN.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /sbin/nologin
winbind use default domain = true
winbind offline logon = false
domain master = no
local master = no
preferred master = no

2.2 About services…

To check if a service is running in CentOS/Redhat distros:
# service <servicename> status

Starting a service:
# service <servicename> start

Stopping a service:
# service <servicename> stop

Have a service start automatically at boot:
1. Open the ntsysv program:
# ntsysv
2. Find your service in the list and press space to enable it. Services marked with a * will start automatically at boot.

2.3 Join the machine to the Active Directory Domain
Start the smb and nmb services:
# service smb start
Check your clock. If needed, edit /etc/ntp.conf to point to a different set of ntp servers, then restart the ntp daemon:
# vi /etc/ntp.conf
# service ntpd restart

You cannot join the domain if your time is too far off. Without ntp, if your clock drifts later on, you will no longer be able to authenticate users.

This machine is now ready to be joined to AD. I prefer the command, instead of authconfig-tui, because errors appear right there, as does confirmation.
# net ads join -U domain-admin
domain-admin's password:
Using short domain name -- YOURDOMAIN
Joined 'openvpn' to realm 'YOURDOMAIN.COM'

Once this is done, confirmation can be made in AD itself.

This machine is then moved to the appropriate AD OU.

Start winbind:
# service winbind start

You can run some checks to make sure all is working. If it is not, you should stop and troubleshoot.
Test 1: Get a list of all the users in the domain:
# wbinfo -u

Test 2: Get a list of groups in the domain:
# wbinfo -g

If those lists do not contain the domain users and domain groups, then something is not working. Again, you should stop and troubleshoot. NOTE: if this command appears to hang, that likely means it IS working. Give it time; it is pulling all of the AD info, which is a lot of data.

Some other tests:
Get a kerberos ticket with kinit and a domain user:
# kinit <domainuser>
Type the password for the user and check with klist:
# klist
You should see information about tickets being issued.
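As an added example (not part of the original post), here is a small POSIX shell helper that checks the files edited in section 2.1 and automates the tests from section 2.3. It assumes ntpdate is installed for the clock check, and it reuses the domain controller name and idmap range from this page; run it on the box with `sh check_ad.sh run`, or source it and call the offline functions against copies of the files.

```shell
#!/bin/sh
# Added verification helper, not from the original post; live_checks needs the joined box.

# 0 if passwd, shadow and group in nsswitch.conf ($1) all consult winbind.
check_nsswitch() {
    for db in passwd shadow group; do
        grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$1" \
            || { echo "nsswitch: '$db' does not list winbind" >&2; return 1; }
    done
}

# 0 if smb.conf ($1) has the settings the post requires: ADS security,
# default-domain logons, and no attempt to become an SMB browse master.
check_smb_conf() {
    rc=0
    for kv in 'security = ads' 'winbind use default domain = true' \
              'domain master = no' 'local master = no' 'preferred master = no'; do
        key=${kv%% = *}; val=${kv##* = }
        grep -Eiq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$1" \
            || { echo "smb.conf: expected '$kv'" >&2; rc=1; }
    done
    return $rc
}

# Kerberos rejects requests once clocks differ by more than 300 s (its default
# clockskew). $1 is an offset in seconds such as 'ntpdate -q' prints; 0 if OK.
check_clock_skew() {
    off=${1#-}; off=${off%%.*}
    [ "${off:-0}" -le 300 ]
}

# 0 if a 'getent passwd' listing ($1, or stdin) holds at least one UID in the
# idmap range from smb.conf, i.e. an AD user resolved through NSS.
check_idmap_users() {
    awk -F: '$3 >= 16777216 && $3 <= 33554431 { found = 1 } END { exit !found }' "${1:-/dev/stdin}"
}

# Only meaningful after 'net ads join' and 'service winbind start'.
live_checks() {
    skew=$(ntpdate -q DOMAINCONTROLLER.YOURDOMAIN.COM | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -1)
    check_clock_skew "$skew" || { echo "clock offset ${skew}s exceeds 300 s" >&2; return 1; }
    wbinfo -t || return 1              # machine trust secret with the DC is valid
    wbinfo -u | grep -q . || return 1  # domain users enumerate (may take a while)
    getent passwd | check_idmap_users  # an AD user is visible to NSS in the idmap range
}

if [ "${1:-}" = run ]; then
    check_nsswitch /etc/nsswitch.conf && check_smb_conf /etc/samba/smb.conf \
        && live_checks && echo "AD integration looks good"
fi
```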

2.4 Autostart the services
If everything is working, set smb and winbind to autostart by using the ntsysv command.

2.5 PAM Configuration
In the old days I had to do extensive PAM modifications to get things working. PAM is the main authentication module. OpenVPN will plug into this for authentication. But now this seems unnecessary.

Congratulations! You now have a Linux box that knows about Active Directory. Next is installing and configuring OpenVPN.

