Login using Active Directory in Linux using Kerberos 5
Solution 1:
If you want "the easy way", I had some good experiences with system-config-authentication and Winbind doing it the GUI way. Obviously, this is not expressly Kerberos, so downvote me appropriately if you feel inclined. You can do Winbind, but it also expressly allows LDAP if that fits your requirements better. I get an ominous red error about NSS-LDAP libraries,
The /lib64/libnss_ldap.so.2 file was not found, but it is required for LDAP support to work properly. Install the nss-pam-ldapd package, which provides this file.
but I am sure you can install that with yum with a minimal amount of effort. You say you want Kerberos, but then say only NIS/LDAP is allowed. So why not just access AD as if it were LDAP? That is definitely possible in my experience. It also gives you the option of configuring Kerberos. See the screenshot.
Hint, hint, it is Fedora 15, not Fedora Core, and has not been "Core" for quite a while. I will not make jokes about the bloat in relation to the name change (as a pretty dedicated Fedora user myself).
Solution 2:
It's one thing to be authenticated by Kerberos; it's another thing to be able to log in. To log in, you need:
- Valid authentication (partially done: provided by kerberos. Must check if pam login/auth considers this to be enough)
- Valid userid and groupid (normally provided by winbind, likewise, ldap, Centrify, AD services for unix. Or locally in the /etc/passwd, /etc/group files)
- Valid lookup entries and order in /etc/nsswitch.conf, for user, and group.
- Valid shell and home (normally pre-created, or automount)
Note1: Since you can do getent passwd but not getent group, I suspect you are using the Active Directory Services for Unix map-to-LDAP approach. Do you have a valid gid set inside for Domain\Domainusers? AFAIK, Kerberos does not provide (or check for) groups. Being able to see uid entries means LDAP is mapping properly, but gid entries may not be in LDAP.
Note2: There is also a limit to the number of entries LDAP can return in a single query, and possibly some time needed to pull the results. Did you wait long enough? Can you check the entries specifically, like getent passwd user1, getent passwd Domain\\user1, getent group domain-groupname-shown-in-getent-passwd? This should bypass the lookup time, or even the timeout.
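The checklist in Solution 2 (resolvable uid and gid, the right sources in /etc/nsswitch.conf, an existing home and shell) can be turned into a small diagnostic. The script below is an added example and is not code from either answer or from the asker. The passwd line, group line and nsswitch.conf text embedded in it are constructed to reproduce the situation in Note1 (uid resolves, gid does not); "DOMAIN", "user1" and the gid 10001 are placeholders, not real identifiers. Kerberos authentication itself is left to PAM and is not checked here.

```shell
#!/bin/sh
# Added example (not from the original answers): check the non-authentication
# login prerequisites from Solution 2 for one account. The pure functions take
# text as arguments so they can be exercised on sample data; live_check feeds
# them getent output and /etc/nsswitch.conf from the host it runs on.

# nss_sources DB NSSWITCH_TEXT: print the source list configured for DB
nss_sources() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# field N LINE: print colon-separated field N of a passwd or group line
field() {
    printf '%s\n' "$2" | cut -d: -f"$1"
}

# group_has_gid GID GROUP_TEXT: succeed if some group line carries that gid
group_has_gid() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { f = 1 } END { exit !f }'
}

# diagnose PASSWD_LINE GROUP_TEXT NSSWITCH_TEXT
# Prints the first unmet prerequisite and returns 1, or prints OK and returns 0.
diagnose() {
    pw=$1; grp=$2; nss=$3
    if [ -z "$pw" ]; then
        echo "FAIL: no passwd entry, so no uid (passwd sources are '$(nss_sources passwd "$nss")')"
        return 1
    fi
    gid=$(field 4 "$pw")
    if [ -z "$gid" ]; then
        echo "FAIL: passwd entry has an empty gid field (no Unix gid set on the AD account)"
        return 1
    fi
    if ! group_has_gid "$gid" "$grp"; then
        echo "FAIL: gid $gid is not resolvable; group sources are '$(nss_sources group "$nss")'"
        return 1
    fi
    home=$(field 6 "$pw"); shell=$(field 7 "$pw")
    if [ -z "$home" ] || [ -z "$shell" ]; then
        echo "FAIL: home or shell missing from passwd entry"
        return 1
    fi
    echo "OK: uid $(field 3 "$pw"), gid $gid, home $home, shell $shell"
}

# live_check USER: run diagnose against this host's NSS, then check the
# filesystem side (home present, shell executable). Per-entry getent calls
# avoid the full-enumeration size limits and delays mentioned in Note2.
live_check() {
    user=$1
    nss=$(cat /etc/nsswitch.conf)
    pw=$(getent passwd "$user" || true)
    grp=$(getent group "$(field 4 "$pw")" 2>/dev/null || true)
    diagnose "$pw" "$grp" "$nss" || return 1
    home=$(field 6 "$pw"); shell=$(field 7 "$pw")
    [ -d "$home" ] || { echo "FAIL: home $home does not exist (pre-create or automount)"; return 1; }
    [ -x "$shell" ] || { echo "FAIL: shell $shell is not executable on this host"; return 1; }
}

# Constructed sample data (placeholders, not real accounts): passwd is served
# by files+ldap, but group is files-only and carries no gid 10001, which is the
# "getent passwd works, getent group does not" situation from Note1.
SAMPLE_NSS='passwd: files ldap
group:  files
shadow: files'
SAMPLE_PW='user1:x:10001:10001:User One:/home/DOMAIN/user1:/bin/bash'
SAMPLE_GRP='domain users:x:10001:'

# Usage on a real host: sh thisscript.sh DOMAIN\\user1
if [ -n "${1:-}" ]; then
    live_check "$1"
fi
```

Run it with no argument and nothing happens beyond defining the functions; run it with an account name and it prints the first prerequisite that fails, which is usually more useful than a bare "login incorrect" from the console. With the sample data, diagnose reports the unresolvable gid when the group text is empty and OK once a matching group line is present.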