linux auth cookbook

Upload: ascrivner

Post on 11-Apr-2015

DESCRIPTION

This document describes how to use samba to authenticate against a Windows domain controller to serve CVS auth requests. I wrote this in 2005 while working for a major bank. They could have taken my recommendation to go with subversion to begin with, but they decided to go this route. This worked for 2 years or so without a hitch, then they finally went with subversion. Get latest samba tarball, make, then follow the check list. You should have some knowledge of pam as well. Join the unix machine running samba to your DC, finish the checklist. You now may just add AD users to an AD group that has cvs permissions on the Unix/Samba side. So now you get to control CVS access through AD, which is nice, and it impresses the ladies.

TRANSCRIPT

Page 1: Linux Auth Cookbook

Authenticating Linux with Active Directory for CVS

This documents the findings of the pilot project to have a Linux box authenticate against Active Directory for CVS access.

The reason for pursuing this pilot was to satisfy the following requirements:

• Developers need to use their Windows login/password to access CVS

• UNIX clients must have access to the repository which means that pserver access must be supported

Recommendation

The pilot Linux box was successfully configured to bind to the Windows domain using Active Directory. CVS was then able to authenticate users against Active Directory using their Windows user name and password. The authenticated user was then able to access the CVS repository.

Required Packages

This project used Redhat Enterprise Linux 3 update 4 as the base operating system. The packages that make it possible to authenticate CVS against Active Directory are:

• Kerberos – provides strong encryption for authentication.

• Name Service – specifies that Linux name services other than the default password and group files are to be consulted for system authorization information (winbind).

• Samba – this package is typically used to provide access to services (printers and shared disks) residing on a Linux server to Windows clients. As of version 3.0, the package also provides winbind, which allows the server to authenticate against a Windows domain.

• Pluggable Authentication Modules (PAM) – provides an API so that applications such as CVS can seamlessly delegate authentication to a variety of modules. Modules exist to support the traditional password file as well as LDAP. This pilot made use of the winbind PAM module provided by Samba.

• pam_require.so – a PAM module that matches an AD group against the user attempting to use a service. It allows a fine-grained approach to authorizing AD users for Unix services.

• xinetd – this internet services daemon provides network access to many Linux applications including CVS.

Also, version 1.12.12 of CVS is required; this is the first release of CVS to support PAM. The version used for this pilot was version 1.12.11. This version is only available from source at this time. When compiling from source, the following command is required to enable the application to use PAM:


See “Version Management with CVS” by Per Cederqvist for more information on compiling and configuring CVS.

Network Configuration

In order for Active Directory servers to allow transitive trust, the machine must resolve to the same domain as the Active Directory server on a reverse DNS lookup. Therefore, the DNS search path must include entries for each domain containing an Active Directory server. Below is the /etc/resolv.conf in use.


Authentication Configuration

Bring up the Redhat authentication configuration tool by executing the following command:

redhat-config-authentication

On the “User Information” tab, enable the option to cache user information. Below is how the “User Information” tab should appear.


Also, enable winbind support and configure it as follows. You must use a system administrator on the Active Directory server in order to join the domain and establish trust.


On the “Authentication” tab, enable Kerberos, SMB, Winbind support. Also enable the use of shadow passwords and MD5 passwords. Below is how the configuration should appear.

The Kerberos configuration should appear as below:


Below is the SMB configuration:

The winbind configuration appears the same as it did earlier.

Kerberos Configuration

Kerberos must be configured to access the Windows Active Directory server, because the Active Directory server uses the Kerberos protocol for authentication. There are three files for configuring Kerberos.

The /etc/krb5.conf file binds the Kerberos agent to one or more servers that use the Kerberos protocol. Below are the contents of this file from the pilot box:


The configuration file /etc/krb.conf contains information about the default realm that is serving as a host for this client. Below are the entries added for the pilot:


Finally, the /etc/krb.realms file contains domain/host to realm mappings. Below is the entry added for the pilot project:

Once Kerberos is configured, the following command can be used to test the configuration:

The program will prompt for a password and then attempt to authenticate the user against the Windows Domain server using Kerberos.

The Ticket Granting Ticket (TGT) obtained by kinit expires after a period of time that is controlled by the Active Directory server. Therefore, after the initial configuration it is necessary to install a keytab file so that the machine remains authorized with the Active Directory server.

The Network Engineering group must supply a keytab file for the server. Below is the command used to generate the keytab for the server; it is based on the Microsoft ktpass tool (see References).


Once the keytab is on the Linux server it must be installed using the Kerberos keytab file utility. Execute the following commands to load the keytab file:


The list command above should list the keytab that was loaded.

Name Service Configuration

Name service configuration is contained in the /etc/nsswitch.conf file. It must be updated so that services consult winbind for authorization information. Below are the contents of the file used for the pilot project:


Samba Configuration

The configuration of Samba is contained in a single configuration file, but there are several parameters that must be specified. Below are the parameters that were overridden in the pilot project:


We will want to do further experimentation with the parameters that specify the user, group, home directory, and shell, because the parameters specified above are probably too open for a production environment. For example, we probably want Windows users to have login access to the box.

Now the Linux server must be joined to the Windows domain to establish a trust relationship. Execute the following command to establish this trust:

After configuring Samba the service winbindd must be running in order to authenticate against the Windows domain server.

Execute the following command to test that winbind can get a list of users from the Windows domain:

Execute the following command to test that the machine has trust established to each domain. Each domain where trust is established lists a sequence identifier. Domains without trust either read as DISCONNECTED or show a sequence identifier of -1. If some of the domains are not connected, make sure resolv.conf has an entry for the domain of the Active Directory server that is not connected.

Execute the following command to test the ability of winbind to authenticate an individual user within the domain:

Finally, execute the following command to test that the mapping of Windows domain users to Linux users is working. It lists the contents of the Linux password file along with a mapping for each user in the Windows domain.
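The trust and user-mapping checks above are easier to repeat if a script evaluates their output. The functions below are an added example, not part of the cookbook; they assume the Samba 3 output formats of `wbinfo --sequence` ("DOMAIN : <number>" or "DOMAIN : DISCONNECTED") and `getent passwd` with the default backslash winbind separator, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the cookbook): evaluate winbind check output so a
# script can fail when domain trust or user mapping is missing.
# Assumed formats (Samba 3 winbind):
#   wbinfo --sequence -> "DOMAIN : <number>" or "DOMAIN : DISCONNECTED"
#   getent passwd     -> "DOMAIN\user:x:uid:gid:gecos:home:shell"

# Constructed sample of `wbinfo --sequence` output (not from a real server).
SAMPLE_SEQUENCE='BUILTIN : 1
LINUXBOX : 1
CORP : 4711
DEV : -1
LAB : DISCONNECTED'

# Constructed sample of `getent passwd` output with two winbind-mapped users.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
cvs:x:501:501:CVS owner:/var/cvs:/sbin/nologin
CORP\jdoe:x:10001:10000:Jane Doe:/home/CORP/jdoe:/bin/bash
CORP\asmith:x:10002:10000:Al Smith:/home/CORP/asmith:/bin/bash'

# Print, space separated, every domain whose sequence reads DISCONNECTED
# or -1 (the two "no trust" markers the cookbook describes); return 1 if
# any such domain exists, 0 when every domain is connected.
untrusted_domains() {
    result=""
    nl='
'
    oldifs=$IFS; IFS=$nl
    for line in $1; do
        IFS=$oldifs
        set -- $line                 # "DEV : -1" -> $1=DEV $2=: $3=-1
        case "$3" in
            DISCONNECTED|-1) result="$result${result:+ }$1" ;;
        esac
        IFS=$nl
    done
    IFS=$oldifs
    printf '%s\n' "$result"
    [ -z "$result" ]
}

# Print the login names winbind mapped in from the domain (entries whose
# user name contains the separator); return 1 when nothing is mapped.
mapped_domain_users() {
    users=$(printf '%s\n' "$1" | grep '^[^:]*\\' | cut -d: -f1)
    printf '%s\n' "$users"
    [ -n "$users" ]
}
```

Feed the real output in with `untrusted_domains "$(wbinfo --sequence)"` and `mapped_domain_users "$(getent passwd)"` once winbindd is running.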

PAM Configuration

Configuring CVS to use PAM requires that a configuration file be added to /etc/pam.d specifically for CVS access. The file specifies what level of authentication is required by the application as well as which modules are consulted to authenticate users. Below are the contents of /etc/pam.d/cvs from the pilot box:

Fedora Core 3 Example:


This file was created by copying the contents of the login configuration file which delegates the modules consulted to the system-auth configuration. This delegation allows a system administrator to control the authentication chain for many applications with a single file.

Redhat Enterprise Linux 3 Example:


xinetd Configuration

This package provides internet access to many applications within Linux, including CVS. Configuration for the services is stored in the /etc/xinetd.d directory. Below is the configuration file /etc/xinetd.d/cvspserver used for the pilot project to allow CVS access using pserver.


Once this service is configured, remote clients can access the CVS server using pserver.

CVS Usage

Once the configuration is complete, users can access the CVS repository on the Linux box with their Windows user name and password. Below is a command line example showing how to log in using the Windows user for authentication:

Also, UNIX users can export the CVSROOT variable in the following manner to access the repository:


Security

SAMBA/winbind creates a database mapping Active Directory users and groups to users and groups on the Linux system. Using normal file and group permissions, updates to any portion of the CVS repository can be limited to those users and groups that have been mapped to the Linux system. Groups within sub-domains must be global in order for mappings on the Linux system to be created.

Appendix A

Below is a list of the packages installed on the system used to pilot this project, along with their versions. Not all of the packages may be required, but there are dependencies between several of them.

Fedora Core 3 Example:


Package            Version
kernel             2.6.10-1.766_FC3
kernel-utils       2.4-13.1.49_FC3
krb5-libs          1.3.6-2
samba              3.0.10-1.fc3
samba-common       3.0.10-1.fc3
openssl            0.9.7a-40
nss_ldap           220-3
nss_db             2.2-29
pam_passwdqc       0.7.5-2
pam                0.77-66.2
pam_smb            1.1.7-5
pam_krb5           2.1.2-1
pam_ccreds         1-3
openldap-clients   2.2.13-2
openldap           2.2.13-2
xinetd             2.3.13-4.25-2

RHEL 3 Example:

Package            Version (RPM)
kernel             kernel-smp-2.4.21-4.EL
kernel-utils       kernel-utils-2.4-8.37
krb5-libs          krb5-libs-1.2.7-47
samba              samba-3.0.20-1 (built by hand)
openssl            openssl-0.9.7a-33.15
nss_ldap           nss_ldap-207-2
pam                pam-0.75-51
pam_smb            pam_smb-1.1.7-1
pam_krb5           pam_krb5-1.70-1
pam_devel          pam-devel-0.75-51
openldap-clients   openldap-clients-2.0.27-11
openldap           openldap-2.0.27-11
xinetd             xinetd-2.3.12-2.3E
cvs                1.12.12 (config option --enable-pam)


References

CVS. https://www.cvshome.org/

Cederqvist, Per. Version Management with CVS. https://ccvs.cvshome.org/files/documents/19/607/cederqvist-1.12.11.pdf

Smith, Roderick W. Linux in a Windows World. http://www.oreilly.com/catalog/linuxwinworld/

Vernooij, Jelmer R., et al. SAMBA HowTo Collection. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Terpstra, John H., et al. Samba-3 by Example. http://www.samba.org/samba/docs/man/Samba3-ByExample/

HOW TO: Use Ktpass.exe in Windows 2000. http://support.microsoft.com/default.aspx?scid=kb;en-us;324144