<div dir="ltr"><div><div><div><div>if I can make a suggestion you may be a lot better off with pam_krb5 than winbind or LDAP. </div>AD's Kerberos server is compatible with the MIT Kerberos 5 client. </div>Ive done this with web apps many times with AD, Heimdal, and MIT Kerberos 5 servers and it works quite well with any of them. For spacewalks purposes all you really need from your AD server is for it to verify that the username and password is correct which is exactly what the Kerberos 5 protocol does no more no less. So all the other methods mentioned before in this string are really over complicated over kill. The best part is its easy to configure and maintain because it can mostly auto configure based on DNS entries AD needs to operate any way. </div>here is an example of a /etc/krb5.conf that should work ' [libdefaults] default_realm = <MY.AD.DOMIAN.HERE> dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true ' </div><div>The rest of the config file isn't really needed but its not a bad idea to populate the domain_realm section. </div><div>Also unless you want your users to be able to reset their passwords on the box you don't have to bother with all the keytab rigamarole. </div> <div><div> </div></div></div><div class="gmail_extra"> <div class="gmail_quote">On Wed, Jul 17, 2013 at 9:17 AM, J Epperson <<a href="mailto:spacewalk@epperson.homelinux.net" target="_blank">spacewalk@epperson.homelinux.net</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div style="font-family:Verdana,Geneva,sans-serif"> AD is a somewhat proprietary implementation of LDAP. The link provided is for a more extensive integration of LDAP/AD into spacewalk/Satellite than the GUI user PAM authentication you want to do (although it does contain a link to the doc on implementing PAM authentication). Here are our working notes from our Satellite installation journals. <table style="width:648px" cellpadding="0" cellspacing="0" border="0"> <tbody> <tr> <td colspan="2" width="648" valign="top"> ALLOWING AD USERS TO LOGIN TO SATELLITE WITH AD CREDENTIALS USING WINBIND </td> </tr> <tr> <td colspan="2" width="648" valign="top"> To have satellite authenticate via pam to an external source, multiple steps must be performed. NOTE: Unless the host has winbind enabled for passwd in /etc/nssswitch.conf, users must have an account that matches their windows login in the local passwd/shadow file. </td> </tr> <tr> <td width="91" valign="top"> 1 </td> <td width="556" valign="top"> Install winbind and authconfig-tui yum –y install samba-winbind samba-winbind-clients authconfig </td> </tr> <tr> <td width="91" valign="top"> 2 </td> <td width="556" valign="top"> Configure winbind with authconfig-tui on the command line <ul> <li>Select Use Winbind and Local Authorization is sufficient click next</li> <li>Select ads for security model</li> <li>In the Domain enter the NETBIOS domain (not the AD fqdn)</li> <li>In Domain Controllers enter the AD domain</li> <li>In ADS Realm enter the AD domain again</li> <li>Unless you want to allow every windows user in your enterprise AD to SSH into your satellite server, set Template Shell to /sbin/nologin</li> <li>Do not join the domain via the TUI, it is broken. Select OK and save the changes</li> <li>On the command line enter the following command:</li> </ul> /usr/bin/net ads join –U <user with AD admin credentials> To test AD connectivity: wbinfo –t To see if an AD user can be found: wbinfo –i <test AD user> </td> </tr> <tr> <td width="91" valign="top"> 3 </td> <td width="556" valign="top"> In order to not require that a login be prepended with the domain (IE: DOMAIN\user) modify /etc/samba/smb.conf. In the [general] section, add: winbind use default domain </td> </tr> <tr> <td width="91" valign="top"> 4 </td> <td width="556" valign="top"> Enable PAM within satellite. Edit the file /etc/rhn/rhn.conf and add the following line: pam_auth_service = rhn-satellite </td> </tr> <tr> <td width="91" valign="top"> 5 </td> <td width="556" valign="top"> Create the file /etc/pam.d/rhn-satellite and populate with the following text: auth sufficient pam_winbind.so account sufficient pam_winbind.so password sufficient pam_winbind.so use_authtok </td> </tr> <tr> <td width="91" valign="top"> 6 </td> <td width="556" valign="top"> Restart satellite rhn-satellite restart </td> </tr> <tr> <td width="91" valign="top"> 7 </td> <td width="556" valign="top"> Enable PAM on a per user basis. In the satellite GUI: New Users: Users->Create New User(use the user’s windows AD login name as the login name) Check “Enable PAM” Existing Users (assuming existing user’s login matches their AD login): Users->Select Username to enable->Check “Enable PAM” Click update </td> </tr> <tr> <td width="91" valign="top"> 8 </td> <td width="556" valign="top"> If winbind is not enabled in NSS for local password file entries or if you do not have enterprise authorization such as LDAP, the user must be created in the local password file. A script similar to this can create a locked user: #!/bin/bash user="$1" [ -z "$user" ] && { echo "Usage: addsatuser.sh <username>";exit 1; } adduser -M -N –g nobody $user && passwd -l $user </td> </tr> </tbody> </table><div><div class="h5"> On 2013-07-17 8:42, Wimpelberg, Matthew wrote: </div></div><blockquote type="cite" style="padding-left:5px;border-left:#1010ff 2px solid;margin-left:5px;width:100%"><div><div class="h5"> <div> I am using AD though not LDAP From: <a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">spacewalk-list-bounces@redhat.com</a> [mailto:<a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">spacewalk-list-bounces@redhat.com</a>] On Behalf Of Jens Neu Sent: Wednesday, July 17, 2013 8:37 AM To: <a href="mailto:spacewalk-list@redhat.com" target="_blank">spacewalk-list@redhat.com</a> Subject: Re: [Spacewalk-list] Active Directory and Spacewalk <tt>> I have setup winbind on my server and am able to list all of my </tt> <tt>> Active Directory Users. I have created a user in spacewalk AD</tt> <tt>> \username and am unable to login as this user on the webconsole. </tt> <tt>> What am I doing wrong?</tt> <a href="https://fedorahosted.org/spacewalk/wiki/SpacewalkWithLDAP" target="_blank"><tt>https://fedorahosted.org/spacewalk/wiki/SpacewalkWithLDAP</tt></a> <tt>regards</tt> <tt>Jens</tt> <a href="http://www.biotronik.com" target="_blank">www.biotronik.com</a> <div class="MsoNormal" style="text-align:center" align="center"><hr style="color:#003579" width="100%" size="1" align="center"></div> <img alt="" width="125" height="75" border="0"> BIOTRONIK - Celebrating 50 years of excellence Founded in 1963 with the development of the first German pacemaker, BIOTRONIK has brought innovations and the highest quality standards to the cardiac rhythm management and vascular intervention fields in more than 100 countries around the world. We’ve developed advanced technologies such as BIOTRONIK Home Monitoring®, Closed Loop Stimulation (CLS) and Orsiro, the industry's first hybrid drug eluting stent. BIOTRONIK also offers the broadest portfolio of cardiac devices with ProMRI®, an advanced technology that gives patients access to magnetic resonance (MR) scanning. <div class="MsoNormal" style="text-align:center" align="center"><hr style="color:#003579" width="100%" size="1" align="center"></div> BIOTRONIK SE & Co. KG Woermannkehre 1, 12359 Berlin, Germany Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRA 6501 Vertreten durch ihre Komplementärin: BIOTRONIK MT SE Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRB 118866 B Geschäftsführende Direktoren: Christoph Böhmer, Dr. Lothar Krings <div class="MsoNormal" style="text-align:center" align="center"><hr style="color:#003579" width="100%" size="1" align="center"></div> This e-mail and the information it contains including attachments are confidential and meant only for use by the intended recipient(s); disclosure or copying is strictly prohibited. If you are not addressed, but in the possession of this e-mail, please notify the sender immediately and delete the document. </div> <hr> The information contained in this communication is confidential and may contain information that is privileged or exempt from disclosure under applicable law. If you are not a named addressee, please notify the sender immediately and delete this email from your system. If you have received this communication, and are not a named recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. <hr> </div></div><div class="im"><pre>_______________________________________________ Spacewalk-list mailing list <a href="mailto:Spacewalk-list@redhat.com" target="_blank">Spacewalk-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/spacewalk-list" target="_blank">https://www.redhat.com/mailman/listinfo/spacewalk-list</a> </pre> </div></blockquote> <div> </div> </div> _______________________________________________ Spacewalk-list mailing list <a href="mailto:Spacewalk-list@redhat.com">Spacewalk-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/spacewalk-list" target="_blank">https://www.redhat.com/mailman/listinfo/spacewalk-list</a> </blockquote></div> </div>