Friday, September 25, 2009

Linux Authentication Integration with Active Directory

Note:  Since I originally posted this, Likewise Open came out with version 6.  The instructions below work for version 5.3 and 5.4.

I manage a few dozen Oracle Enterprise Linux (OEL) servers. The timeline to implement these servers and bring them into production was extremely short. I wanted to have these servers integrated with Active Directory for user authentication. We didn’t have the time to implement any of Oracle's Single Sign On solutions. I also didn’t have the time to properly set up LDAP/WinBind/Samba, so I opted to create a user setup script which would ensure the UID would be the same on all the servers. The script worked great. User setup was a snap. The downside was passwords. I set everyone’s password to a default password and set it to expire immediately. Once a user would log in, they would be prompted to change their password. Doesn’t seem like a big deal, but there are close to 40 servers that a user would need to do this on. Not ideal for a long term solution.

So, now that these servers are running in production, I needed to go back and implement a better way to manage user accounts in Linux.

I needed to test my implementation on a non-production server. I installed VirtualBox on my Windows 7 PC and installed OEL as a virtual machine. Perfect. Now I have a box I can break without affecting anyone else.

Next, I did some reading on various ways to authenticate Active Directory accounts on a Linux server. I found a Microsoft TechNet article that looked promising. From what I read, LDAP and LDAP/Kerberos were probably not the best solutions. The author suggested Winbind. The article walked me through the steps. I was able to join the server to the domain. Wow, that was pretty easy. Now the true test: logging in. I could not log in to the server from the GUI. I could, however, SSH to the server and log in as my Active Directory persona. I checked log files, tried a couple dozen different things and got nowhere. Maybe the fix was easy and I just missed it. In either case, after spending about two (work) days trying to get it to work, I needed to find a different/easier solution.

Enter LikeWise Open.

Right from their website, LikeWise Open:
• Joins non-Windows systems to Active Directory domains in a single step from the command line or from a GUI
• Authenticates users with a single user name and password on both Windows and non-Windows
• Enforces the same password policies for non-Windows users and Windows users
• Supports multiple forests with one-way and two-way cross forest trusts
• Caches credentials in case your domain controller goes down
• Provides single sign-on for SSH and Putty
• Next-generation authentication engine that supports Kerberos, NTLM, and SPNEGO
• No schema changes to Active Directory required

Instructions for install:
1. Download the installer package and make it executable.
2. Double click the package and install.
3. Join the server to the AD domain (/opt/likewise/bin/domainjoin-cli join domainName joinAccount).
4. Reboot
5. Login as an AD user (domain\username) from GUI or (domain\\username) from the command line or SSH.

Yes. It was that easy. It worked.

I wanted to make sure that a specific Active Directory group had “sudo” privileges, so I (as root) ran visudo to edit the sudoers file. The line added looked like this:
%MYDOMAIN\\Info^Services ALL=(ALL) ALL

If your group name has a space in it, use the ^ character in place of the space.
Example: Info Services would be Info^Services
Note the double backslash (\\). On the command line (and in the sudoers file) “\” is interpreted as an escape character, so you need two of them to get one literal backslash.

I tried to sudo as me and it worked!

I changed the group on a directory to an Active Directory group.
Example: # chgrp MYDOMAIN\\Info^Services /tmp/testdir

Then I did a: # ls -l /tmp

There it was. The group on the directory was MyDomain\Info^Services

Slick.
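As an added example (not the author's own script), the helpers below build the two spellings of a Likewise-mapped AD group name described above: the bare NSS form (one backslash, spaces replaced by ^) for use when the name is passed quoted from a script, and the doubled-backslash form for the sudoers file or an unquoted interactive command line. The sudoers install helper checks the rule in a scratch copy with `visudo -c -f` before replacing the real file, since a syntax error in /etc/sudoers locks everyone out of sudo.

```sh
#!/bin/sh
# Assumes the Likewise Open naming convention from this post:
# "DOMAIN\Group Name" is exposed to NSS as DOMAIN\Group^Name.

# Bare group name as Likewise exposes it: one backslash, spaces -> ^.
# Use this when the name is passed quoted, e.g. chgrp "$name" /tmp/testdir
ad_group_nss() {
    printf '%s\\%s' "$1" "$(printf '%s' "$2" | tr ' ' '^')"
}

# Escaped form for /etc/sudoers or an unquoted command line, where the
# backslash itself must be escaped by writing it twice.
ad_group_escaped() {
    printf '%s' "$(ad_group_nss "$1" "$2")" | sed 's/\\/\\\\/g'
}

# Full sudoers rule granting the group sudo (password still required).
sudoers_rule() {
    printf '%%%s ALL=(ALL) ALL\n' "$(ad_group_escaped "$1" "$2")"
}

# Append the rule only after visudo accepts a scratch copy of sudoers.
# Must run as root; returns non-zero (and leaves sudoers alone) on failure.
install_sudoers_rule() {
    rule=$(sudoers_rule "$1" "$2")
    tmp=$(mktemp) || return 1
    { cat /etc/sudoers && printf '%s\n' "$rule"; } > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    if visudo -c -f "$tmp" >/dev/null 2>&1; then
        install -m 0440 "$tmp" /etc/sudoers; rc=$?
    else
        echo "rejected by visudo, /etc/sudoers unchanged: $rule" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Example: `sudoers_rule MYDOMAIN 'Info Services'` prints the exact line used in the post, and `chgrp "$(ad_group_nss MYDOMAIN 'Info Services')" /tmp/testdir` is the quoted-script equivalent of the interactive chgrp above.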

I still need to do a little research to make sure this solution meets my security requirements, but so far I am impressed.

P.S. In no way am I associated with the company LikeWise. I like the solution and thought others may too.
