Monday, 1 February 2010

How to setup Linux (Ubuntu) Active Directory Authentication with Cached Credentials (Kerberos)

Running Linux, I'm using Kerberos & Samba to authenticate myself using Microsoft Windows Active Directory credentials from our domain controller. I used the guide for Ubuntu to get this setup. However, this would not allow me to login to my computer using AD credentials unless I was connected to the network (and it could access the domain controller). This is how I enabled "credential caching" for offline kerberos / Active Directory authentication on Ubuntu Linux.

I used two tutorials - Ubuntu Community Howto, and Cat in the Red Hat. Basically, since I already had Kerberos authentication working, I just installed the necessary packages:

sudo apt-get install nss-updatedb libnss-db libpam-ccreds

and then edited my /etc/pam.d/common-auth file as per Cat in the Red Hat's instructions.

Listed here is the entire contents of my /etc/pam.d/common-auth file (this allows me to authenticate using first AD credentials, then Unix accounts, then cached credentials):

auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass
auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
auth sufficient pam_ccreds.so action=store use_first_pass
auth required pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config


Some of the errors I encountered:

Firstly, caching will not work if you have a line like the following:

#Windows Domain Auth
#auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE


This basically skips everything else when a successful kerberos authentication is made. I just commented this line out, and it worked fine.

If you receive an error such as "su: Error in service module" when trying to login, it may be that your file is misconfigured. Check whether /var/cache/.security.db is being created or updated - if it isn't, then most likely PAM isn't reaching the line where pam_ccreds.so is referenced. Check that you don't have any auth sufficient lines where they shouldn't be.

If you're interested, there's also quite a nice GUI for Active Directory integration at Likewise. I haven't used it, but looks like an easy way to setup AD authentication from Ubuntu without editing heaps of config files.

No comments: