[Spacewalk-list] Active Directory and Spacewalk

Paul Robert Marino prmarino1 at gmail.com
Wed Jul 17 14:18:00 UTC 2013


If I can make a suggestion, you may be a lot better off with pam_krb5 than
winbind or LDAP.
AD's Kerberos server is compatible with the MIT Kerberos 5 client.
I've done this with web apps many times with AD, Heimdal, and MIT Kerberos 5
servers and it works quite well with any of them. For Spacewalk's purposes
all you really need from your AD server is for it to verify that the
username and password are correct, which is exactly what the Kerberos 5
protocol does, no more, no less. So all the other methods mentioned before in
this string are really overcomplicated overkill. The best part is it's
easy to configure and maintain because it can mostly auto-configure based
on DNS entries AD needs to operate anyway.

Here is an example of a /etc/krb5.conf that should work:

[libdefaults]
 default_realm = <MY.AD.DOMAIN.HERE>
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

The rest of the config file isn't really needed, but it's not a bad idea to
populate the domain_realm section.
Also, unless you want your users to be able to reset their passwords on the
box, you don't have to bother with all the keytab rigamarole.
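Helpers to go with the krb5.conf above (example code added here, not from the post or from Spacewalk): they check that a krb5.conf carries the settings the DNS auto-configuration depends on, list the SRV records the MIT client resolves, and emit an rhn-satellite PAM stack that puts pam_krb5 in place of the pam_winbind lines in the notes quoted below. The realm EXAMPLE.COM and all function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the list post: helpers for the pam_krb5 route.
# EXAMPLE.COM, used in the comments and tests, is a constructed placeholder realm.

# Print key $2 from the [libdefaults] section of the krb5.conf file $1.
krb5_get() {
  awk -v key="$2" '
    /^[[:space:]]*\[/ { insec = ($1 == "[libdefaults]"); next }
    insec && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}

# Succeed only if the file carries the settings DNS auto-discovery relies on.
krb5_check() {
  local realm
  realm=$(krb5_get "$1" default_realm)
  [ -n "$realm" ] || { echo "default_realm missing" >&2; return 1; }
  # Realms are case sensitive; an AD realm is its DNS domain in upper case.
  [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
    || { echo "realm $realm is not upper case" >&2; return 1; }
  [ "$(krb5_get "$1" dns_lookup_kdc)" = "true" ] \
    || { echo "dns_lookup_kdc must be true for auto-configuration" >&2; return 1; }
}

# SRV names the MIT client resolves for a realm; AD registers these itself.
krb5_srv_names() {
  local d
  d=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "_kerberos._udp.$d" "_kerberos._tcp.$d" "_kpasswd._udp.$d"
}

# PAM stack for /etc/pam.d/rhn-satellite with pam_krb5 in place of pam_winbind.
# "validate" checks the TGT against the host keytab when one is present; with no
# keytab that check cannot run, so the module would accept a spoofed KDC reply.
# That is the trade-off behind skipping the keytab setup.
pam_krb5_stack() {
  printf '%s\n' \
    'auth     sufficient pam_krb5.so validate' \
    'account  sufficient pam_krb5.so' \
    'password sufficient pam_krb5.so use_authtok'
}

# Live check against the real KDC (needs network; kinit prompts for a password).
krb5_login_test() {   # usage: krb5_login_test user REALM
  krb5_srv_names "$2" | while read -r n; do host -t SRV "$n"; done
  kinit "$1@$2" && klist && kdestroy
}
```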




On Wed, Jul 17, 2013 at 9:17 AM, J Epperson <
spacewalk at epperson.homelinux.net> wrote:

>
> AD is a somewhat proprietary implementation of LDAP.  The link provided is
> for a more extensive integration of LDAP/AD into spacewalk/Satellite than
> the GUI user PAM authentication you want to do (although it does contain a
> link to the doc on implementing PAM authentication).  Here are our working
> notes from our Satellite installation journals.
>
>
>
> ALLOWING AD USERS TO LOGIN TO SATELLITE WITH AD CREDENTIALS USING WINBIND
>
> To have satellite authenticate via pam to an external source, multiple
> steps must be performed.
>
> NOTE: Unless the host has winbind enabled for passwd in
> /etc/nsswitch.conf, users must have an account that matches their Windows
> login in the local passwd/shadow file.
>
> 1
>
> Install winbind and authconfig-tui
>
>
>
>         yum -y install samba-winbind samba-winbind-clients authconfig
>
> 2
>
> Configure winbind with authconfig-tui on the command line
>
>    - Select Use Winbind and Local Authorization is sufficient click next
>    - Select ads for security model
>    - In the Domain enter the NETBIOS domain (not the AD fqdn)
>    - In Domain Controllers enter the AD domain
>    - In ADS Realm enter the AD domain again
>    - Unless you want to allow every windows user in your enterprise AD to
>    SSH into your satellite server, set Template Shell to /sbin/nologin
>    - Do not join the domain via the TUI, it is broken.  Select OK and
>    save the changes
>    - On the command line enter the following command:
>
>
>
>         /usr/bin/net ads join -U <user with AD admin credentials>
>
>
>
> To test AD connectivity:
>
>        wbinfo -t
>
>
>
> To see if an AD user can be found:
>
>        wbinfo -i <test AD user>
>
> 3
>
> In order to not require that a login be prepended with the domain (i.e.
> DOMAIN\user), modify /etc/samba/smb.conf.  In the [general] section, add:
>
>
>
>         winbind use default domain
>
> 4
>
> Enable PAM within satellite.  Edit the file /etc/rhn/rhn.conf and add the
> following line:
>
>          pam_auth_service = rhn-satellite
>
>
>
> 5
>
> Create the file /etc/pam.d/rhn-satellite and populate with the following
> text:
>
>          auth sufficient pam_winbind.so
>
>          account sufficient pam_winbind.so
>
>          password sufficient pam_winbind.so use_authtok
>
> 6
>
> Restart satellite
>
>         rhn-satellite restart
>
> 7
>
> Enable PAM on a per user basis.  In the satellite GUI:
>
> *New Users:*
>
>          Users->Create New User (use the user’s Windows AD login name as
> the login name)
>
>         Check “Enable PAM”
>
>
>
> *Existing Users (assuming existing user’s login matches their AD login):*
>
>         Users->Select Username to enable->Check “Enable PAM”
>
>          Click update
>
> 8
>
> If winbind is not enabled in NSS for local password file entries or if you
> do not have enterprise authorization such as LDAP, the user must be created
> in the local password file.  A script similar to this can create a locked
> user:
>
>
>
> #!/bin/bash
> # Create a locked local account so the AD login has a matching passwd entry.
> user="$1"
> [ -z "$user" ] && { echo "Usage: addsatuser.sh <username>"; exit 1; }
> # -M: no home directory, -N: no private group, -g nobody: primary group nobody;
> # passwd -l locks the local password so only PAM (winbind) can authenticate it.
> adduser -M -N -g nobody "$user" && passwd -l "$user"
>
>
>
>
>
>
>
> On 2013-07-17 8:42, Wimpelberg, Matthew wrote:
>
>  I am using AD though not LDAP
>
>
>
> *From:* spacewalk-list-bounces at redhat.com [mailto:
> spacewalk-list-bounces at redhat.com] *On Behalf Of *Jens Neu
> *Sent:* Wednesday, July 17, 2013 8:37 AM
> *To:* spacewalk-list at redhat.com
> *Subject:* Re: [Spacewalk-list] Active Directory and Spacewalk
>
>
>
> > I have setup winbind on my server and am able to list all of my
> > Active Directory Users.  I have created a user in spacewalk AD
> > \username and am unable to login as this user on the webconsole.
> > What am I doing wrong?
>
> https://fedorahosted.org/spacewalk/wiki/SpacewalkWithLDAP
>
> regards
> Jens
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
>
>
>