PDC Authentication HOWTO

Anthony E. Greene <tony@greene-family.org>
Sun Nov 27 12:35:06 UTC 2005

This document describes configuring a Linux box to authenticate logins using either a Windows PDC or a local password file.

Table of Contents

1. Introduction
2. Requirements
3. Installation
4. Configuration
5. Testing
6. Copyright

Introduction

I have a server and a Laptop that both run Linux in an environment that is otherwise dominated by Windows clients and servers. We use Windows NT Domain logins for our Windows clients. To make it easy for users, I use the same passwords for services provided by Linux (login, POP3, FTP, Samba file/print) as are used when users login to their Windows desktops.

Initially, I had done this by manually updating users' Linux passwords when their domain passwords changed. Recently my organization shortened the domain password expiration interval. Additionally, the Linux server has become an integral part of our office's operation and I needed to set it up for easier long term maintenance. One of the things that I needed to do to satisfy both these requirements was reduce or eliminate password maintenance overhead. This also improves security by eliminating my need for access to users' passwords.

I decided that if I could authenticate users using either their domain username/password or their local password, then local passwords would only need to be managed for those users that did not have a domain account (ie; root). I would still need to add/delete user accounts on the machine, but that would only need to be done on the infrequent occasion that someone joins or leaves our workgroup.

There is a way to enable logins for users that do not have a local account, but there are security issues that should be considered. If you want to do this, you should read the Linux-PAM documents.

Requirements

• A Linux system that supports Pluggable Authentication Modules (PAM). Most popular distributions do.
• The pam_smb_auth package, currently available in tar.gz format from http://www.csn.ul.ie/~airlied/pam_smb/. This package comes installed on all popular Linux distros.
• A server capable of providing SMB authentication. This could be a Windows PDC or a Samba server setup as a PDC.
• Some knowledge of Linux-PAM and/or the Linux-PAM documentation from /usr/share/doc/pam-<version>/html/pam.html on your Linux system.
• A means to open multiple simultaneous logins to your Linux box. This could be several xterm windows, or multiple SSH sessions from another machine, or [Alt]-[F2 thru F6] at the console. Test this first to be sure it will work.

Installation

    su
    cd /usr/local/src
    tar -zxvf /path/pam_smb_auth-<version>.tar.gz

    cd pam_smb_auth-<version>
    less README

Configuration

I'll only cover the configuration of the login and xdm services in this document. Configuring other services is similar and usually simpler.

The first step is to create the /etc/pam_smb.conf file. This file contains three lines. The first is the name of your Windows domain. The second and third are the names of two machines that can perform authentication for your user accounts. The file might look like this:

    MyDomain
    MyPDC
    MyBDC

The authentication servers must be specified by their NETBIOS names. These NETBIOS names should be included in the local hosts file (/etc/hosts) to ensure fast name resolution:

    192.168.1.50	mypdc.mydomain.tld	mypdc
    192.168.1.51	mybdc.mydomain.tld	mybdc

The login and xdm PAM configuration files are /etc/pam.d/login and /etc/pam.d/xdm, respectively. On my Red Hat 6.2 box, the login file looks like this:

    auth      required  /lib/security/pam_securetty.so
    auth      required  /lib/security/pam_pwdb.so shadow nullok
    auth      required  /lib/security/pam_nologin.so
    account   required  /lib/security/pam_pwdb.so
    password  required  /lib/security/pam_cracklib.so
    password  required  /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
    session   required  /lib/security/pam_pwdb.so
    session   optional  /lib/security/pam_console.so

The lines we are interested in are the ones that authenticate the user. In this case, that's the first three lines. These lines make up the auth module. Make a backup copy of the file (cp login login.original) before starting your edit. This will make it easier to return to your original configuration if this procedure does not work.

We will set up the authentication so that it checks the local password file first. If this succeeds, the user is authenticated and the SMB authentication is skipped. But if the password file authentication fails, then the same credentials (username/password) will be presented to the SMB authentication server. If this also fails then the authentication fails and the user will not be able to login.

The key changes we will make are:

• Change the pam_pwdb line from required to sufficient and move it so that it follows all other auth lines.
• Add an auth line for pam_smb_auth below the pam_pwdb line and make it required.

DO NOT EXIT THE ROOT LOGIN UNTIL YOU HAVE TESTED THE RESULT.

The updated login file should look something like this:

    auth      required   /lib/security/pam_securetty.so
    auth      required   /lib/security/pam_nologin.so
    auth      sufficient /lib/security/pam_pwdb.so shadow nullok
    auth      required   /lib/security/pam_smb.so use_first_pass
    account   required   /lib/security/pam_pwdb.so
    password  required   /lib/security/pam_cracklib.so
    password  required   /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
    session   required   /lib/security/pam_pwdb.so
    session   optional   /lib/security/pam_console.so

The sufficient flag tells Linux-PAM that if the authentication module succeeds, then following authentication modules may be skipped. If the module fails, then the failure is not fatal and following authentication modules should be tried.

Since the pam_smb_auth module follows the pam_pwdb module, pam_smb_auth will only be run if pam_pwdb (local password file) fails. Since pam_smb_auth is a required module, it's failure will result in a failed authentication for the user. But if it passes, then the failed pam_pwdb authentication is ignored.

Testing

You will need to edit /etc/shadow to disable the password on a local account that also exists in the Windows domain. You will need to edit /etc/shadow. Copy/paste the encrypted/hashed password into a text editor or write it down. This is so you can recover easily. Alternatively, you can just delete the password and reset it from the root login later. Remember to safely discard the saved copy of the encrypted/hashed password after you finish.

Replace the encrypted/hashed password for the test user with an asterisk (*). The line should now look something like this:

    username:*:11034:0:99999:7:-1:-1:134550580

Save the file and close the editor, but do not logout.

Login on another console (ALT-F2), or open an xterm and ssh -l username localhost. Test the changes like this:

• Attempt to login with a non-existent username. This should fail.
• Attempt to login with a username other than the one whose password you removed (ie; root). This should succeed.
• Attempt to login with the username whose password you removed, but with an invalid password (don't do this several times in a row or you may lockout your account). This should fail.
• Attempt to login with the username whose password you removed, using the correct password. This should succeed (and it should reset any lockout counter).

If all tests give the expected results, then your password maintenance chores have just become easier. You can now edit the xdm file so that the auth section looks like the one in the login file. On my system, the gdm and kde files are essentially duplicates of the xdm file, so I renamed them and created links to the xdm file using their original names:

    mv gdm gdm.original
    mv kde kde.original
    ln -s xdm gdm
    ln -s xdm kde

Now all the graphical logins will use the same authentication scheme. You can edit the PAM configuration files for the other services if they need to be accessible to users (ie, Samba). For instance, if your users will be using a POP3 client to read their mail, then you should edit the imap and/or pop PAM config files to use pam_smb_auth too. If your users will need to be able to use the machine as an FTP server, then you should configure the ftp PAM config file.

In each case, the key is to make sure the pam_pwdb and pam_smb_auth lines are the last two in the auth section and that they are setup the same as in the login file.

You can now add and delete users on your Linux box using the standard useradd and userdel utilities or whatever GUI tool you prefer. If you don't set a local password, the authentication will automatically be done using your new pam_smb_auth module.

Copyright

Copyright © 2000-2005, Anthony E. Greene <tony@greene-family.org>
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation, with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available on the Internet at http://www.gnu.org/copyleft/fdl.html or from the Free Software Foundation, 50 Temple Place - Suite 330, Boston, MA 02111-1307 USA.