Authenticate your Servers in a Linux Active Directory [Part 10]

Valente Security Labs
5 min read · May 11, 2021


Authentication against a directory service gives users a single point of authentication: the directory lets a user log in to different systems with one identity kept in a central repository. It also lets administrators create users, groups, group memberships, trust relationships and so on, which makes auditing and securing systems easier.

The most well-known and widely used directory service in companies is Microsoft Active Directory.

With the popularization of the Linux operating system, a directory service can now be run from that operating system too.

And that is what we are going to configure in this article.

A directory service in a Linux environment is built on top of Samba, the technology widely used to exchange files and printers between Linux and Windows systems.

The highest AD DC domain and forest level that currently Samba4 can emulate is Windows 2008 R2.

Please check this article to see the ports that must be opened to allow communication to and from your clients.

Installing Active Directory with SAMBA

We will use the Ubuntu 18.04 operating system to perform this installation.

First update the packages.

$ sudo apt update

Install the required packages.

$ sudo apt -y install samba krb5-config winbind smbclient

During the installation you will be asked about domain parameters. So, type the following.

EXAMPLE.COM
ad1.example.com
ad1.example.com

Edit the hosts file so that the server's IP address resolves to its fully qualified name. Append the line below.

$ sudo vim /etc/hosts
<your_public_ip> ad1.example.com ad1

Save and exit.

Go into the samba directory and move the default configuration file out of the way (samba-tool will generate a new one during provisioning).

$ cd /etc/samba/
$ sudo mv smb.conf smb.conf.old

Provision the Domain Controller configuration and answer the questions as below.

$ sudo samba-tool domain provision
Realm [EXAMPLE.COM]: <type enter>
Domain [EXAMPLE]: <type enter>
Server Role (dc, member, standalone) [dc]: <type enter>
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: <type enter>
DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.53]: 8.8.8.8
Administrator password: <password must be strong>
Retype password: <password must be strong>

Next, copy the Kerberos configuration to the working directory /etc/ .

$ sudo cp /var/lib/samba/private/krb5.conf /etc/

We have to disable some services so they don't interfere with the domain controller (the Samba AD DC process provides its own SMB, NetBIOS, Winbind and DNS services).

$ sudo systemctl disable --now smbd nmbd winbind systemd-resolved

By default, the samba-ad-dc service is masked. Unmask it and enable the service.

$ sudo systemctl unmask samba-ad-dc
$ sudo systemctl enable --now samba-ad-dc.service

We can check our configurations with the command.

$ samba-tool domain level show

The output shows the forest and domain function levels of the new domain.

We need to change some configurations related to our DNS.

Delete the current resolv.conf file (on Ubuntu 18.04 it is a symlink managed by systemd-resolved) and create a new one that points to the DC's own DNS server.

$ sudo rm /etc/resolv.conf
$ sudo vim /etc/resolv.conf
nameserver 127.0.0.1

Almost done. Now, let’s create a user.

$ sudo samba-tool user create user1
New Password: <must be a strong password>
Retype Password: <must be a strong password>

Finally, check the configuration of our Active Directory.

$ smbclient -L localhost -N
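Beyond listing shares, a practitioner wants to confirm that the DC publishes the DNS SRV records clients rely on to find the LDAP and Kerberos services, and that the resolver and hosts settings above are in place. The script below is an added example, not part of the original post; it assumes the article's realm EXAMPLE.COM and DC name ad1.example.com, and uses host(1) and smbclient from the server. The parsing helpers take their input as arguments so they can be exercised on canned output.

```shell
#!/bin/sh
# Post-provisioning health check for a Samba AD DC (added example, not from
# the original post). Assumes the article's realm/DC names below.

DOMAIN="example.com"
DC_FQDN="ad1.example.com"

# Extract the target hostnames from the output of `host -t SRV <name>`.
# Lines look like: "_ldap._tcp.example.com has SRV record 0 100 389 ad1.example.com."
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Return 0 if the expected DC ($2) is among the SRV targets in the output ($1).
srv_points_to_dc() {
    srv_targets "$1" | grep -qxF "$2"
}

# Return 0 if the resolv.conf at $1 names 127.0.0.1 (the DC's own DNS).
resolv_uses_local_dns() {
    awk '$1 == "nameserver" { print $2 }' "$1" | grep -qxF "127.0.0.1"
}

# Return 0 if the hosts file at $1 has a non-comment entry for the FQDN $2.
hosts_has_dc() {
    awk -v fqdn="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
                      END { exit !found }' "$1"
}

# Live checks against this server; only run when invoked as: sh check_dc.sh run
main() {
    rc=0
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp; do
        out=$(host -t SRV "$svc.$DOMAIN" 2>/dev/null)
        if srv_points_to_dc "$out" "$DC_FQDN"; then
            echo "ok   SRV $svc.$DOMAIN -> $DC_FQDN"
        else
            echo "FAIL SRV $svc.$DOMAIN (got: ${out:-no answer})"; rc=1
        fi
    done
    if resolv_uses_local_dns /etc/resolv.conf; then echo "ok   resolv.conf uses 127.0.0.1"; else echo "FAIL resolv.conf"; rc=1; fi
    if hosts_has_dc /etc/hosts "$DC_FQDN"; then echo "ok   /etc/hosts has $DC_FQDN"; else echo "FAIL /etc/hosts"; rc=1; fi
    # Same anonymous share listing the article uses as its final check.
    if smbclient -L localhost -N >/dev/null 2>&1; then echo "ok   smbclient -L localhost"; else echo "FAIL smbclient"; rc=1; fi
    return $rc
}

case "${1:-}" in run) main ;; esac
```

A missing _kerberos or _ldap SRV record is the usual reason a client join fails later with "cannot find KDC" errors, so this is worth running before touching any client.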

Configuring Linux Client Authentication

First, on our client, we need to create an entry for our Active Directory server in the /etc/hosts file.

$ sudo vim /etc/hosts
<your_active_directory_ip> ad1 ad1.example.com

Update the packages.

$ sudo apt update

Install the required packages.

$ sudo apt install sssd heimdal-clients msktutil

Make a backup copy of the Kerberos configuration file and create a new one with the following contents.

$ sudo mv /etc/krb5.conf /etc/krb5.conf.old
$ sudo vim /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
EXAMPLE.COM = {
kdc = ad1.example.com
admin_server = ad1.example.com
}

Obtain a Kerberos ticket for the administrator account (the keytab is generated in the next step).

$ kinit administrator
administrator@EXAMPLE.COM's Password: <the password set for the Administrator account during provisioning>

No error output means the ticket was issued and the connection with the Active Directory works.

Check the ticket with the klist command.

We will use msktutil, a keytab client for a Microsoft Active Directory environment. This program is capable of creating an account for this computer in Active Directory, adding service principals to that account, and creating a local keytab file so that Kerberized services can use Active Directory as a Kerberos realm. It requires that the Kerberos client libraries are properly installed and configured to use Active Directory as a realm.

Create the computer account and its keytab as follows. Don't forget to change the hostnames.

$ sudo msktutil -N -c -b 'CN=COMPUTERS' -s <CLIENT_HOSTNAME>/<client_hostname>.example.com -k my-keytab.keytab --computer-name <CLIENT_HOSTNAME> --upn <CLIENT_HOSTNAME>$ --server ad1.example.com --user-creds-only

Destroy the Kerberos credential cache. We do not need the administrator ticket anymore.

$ sudo kdestroy

Move the generated keytab to the sssd directory.

$ sudo mv my-keytab.keytab /etc/sssd/my-keytab.keytab

Create a new configuration file for sssd service and add the parameters below.

$ sudo vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com
[nss]
entry_negative_timeout = 0
#debug_level = 5
[pam]
#debug_level = 5
[domain/example.com]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = <client_hostname>.example.com
ad_server = ad1.example.com
ad_domain = example.com
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
# must match the --upn given to msktutil, i.e. the computer account name plus "$"
ldap_sasl_authid = <CLIENT_HOSTNAME>$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true

Change the permissions of the sssd configuration file.

$ sudo chmod 0600 /etc/sssd/sssd.conf
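The values that must agree across the msktutil command and sssd.conf (the computer name, the --upn, the principal stored in the keytab and ldap_sasl_authid) are easy to get wrong when the configuration is copied between hosts. The script below is an added example, not code from the original post: it derives those values from the client's hostname, renders the [domain/...] section, and checks the output of `klist -k` for the principal sssd will bind with. It assumes the article's realm EXAMPLE.COM, DC ad1.example.com and keytab path, and that the principal is the last column of each `klist -k` line (true for MIT and Heimdal klist).

```shell
#!/bin/sh
# Render the host-specific SSSD settings and verify the keytab matches
# (added example, not from the original post). Assumes the article's names.

REALM="EXAMPLE.COM"
DOMAIN="example.com"
DC="ad1.example.com"
KEYTAB="/etc/sssd/my-keytab.keytab"

# AD computer name: short hostname, upper-cased ("web01.example.com" -> "WEB01").
computer_name() {
    printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# SASL authid used by sssd: the computer account name followed by "$".
sasl_authid() {
    printf '%s$' "$(computer_name "$1")"
}

# Render the [domain/...] section of sssd.conf for hostname $1.
render_domain_section() {
    host="$1"
    cat <<EOF
[domain/$DOMAIN]
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = ${host%%.*}.$DOMAIN
ad_server = $DC
ad_domain = $DOMAIN
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = $(sasl_authid "$host")
krb5_keytab = $KEYTAB
ldap_krb5_init_creds = true
EOF
}

# Given `klist -k` output ($1) and a hostname ($2), return 0 if the keytab
# contains the principal ldap_sasl_authid resolves to (e.g. WEB01$@EXAMPLE.COM).
# Assumption: the principal is the last whitespace-separated field of each line.
keytab_has_authid() {
    want="$(sasl_authid "$2")@$REALM"
    printf '%s\n' "$1" | awk -v want="$want" '$NF == want { ok = 1 } END { exit !ok }'
}

# Live run on this client; only executed as: sh render_sssd.sh run
main() {
    host="$(hostname -f)"
    render_domain_section "$host"
    if [ -r "$KEYTAB" ]; then
        if keytab_has_authid "$(klist -k "$KEYTAB")" "$host"; then
            echo "# ok: $KEYTAB contains $(sasl_authid "$host")@$REALM" >&2
        else
            echo "# WARNING: $KEYTAB lacks $(sasl_authid "$host")@$REALM; the GSSAPI bind will fail" >&2
        fi
    fi
}

case "${1:-}" in run) main ;; esac
```

If the check warns, the keytab was created for a different computer name than the one sssd is configured with; re-run msktutil with matching --computer-name and --upn values rather than editing the keytab by hand.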

PAM controls the session setup. Edit the common-session file so that a domain user's home directory is created from /etc/skel at first login.

Find the line that contains "session required pam_unix.so" near the bottom of the file and add the following line after it.

$ sudo vim /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel umask=0077

Add the domain administrator user to the local sudo group.

$ sudo adduser administrator sudo

Test the connection with the Active Directory.

$ su -l administrator

Note that the administrator account does not exist in our local /etc/passwd file; it is resolved through sssd.

Now, we are integrated with our Active Directory.

Wrap-up

In this post we saw how to create an Active Directory with Samba and integrate our Linux clients.
