[Spacewalk-list] Active Directory and Spacewalk

J Epperson spacewalk at epperson.homelinux.net
Wed Jul 17 13:17:50 UTC 2013


 

AD is a somewhat proprietary implementation of LDAP. The link
provided is for a more extensive integration of LDAP/AD into
spacewalk/Satellite than the GUI user PAM authentication you want to do
(although it does contain a link to the doc on implementing PAM
authentication). Here are our working notes from our Satellite
installation journals. 

ALLOWING AD USERS TO LOGIN TO SATELLITE WITH AD
CREDENTIALS USING WINBIND 

To have satellite authenticate via pam to an
external source, multiple steps must be performed. 

NOTE: Unless the host has winbind enabled for passwd in
/etc/nsswitch.conf, users must have an account that matches their
Windows login in the local passwd/shadow file.

1. Install winbind and authconfig-tui:

    yum -y install samba-winbind samba-winbind-clients authconfig

2. Configure winbind with authconfig-tui on the command line:

    * Select "Use Winbind" and "Local authorization is sufficient",
      then click Next
    * Select "ads" as the security model
    * In Domain, enter the NETBIOS domain (not the AD FQDN)
    * In Domain Controllers, enter the AD domain
    * In ADS Realm, enter the AD domain again
    * Unless you want to allow every Windows user in your enterprise
      AD to SSH into your satellite server, set Template Shell to
      /sbin/nologin
    * Do not join the domain via the TUI; it is broken. Select OK and
      save the changes
    * On the command line, enter the following command:

        /usr/bin/net ads join -U <user with AD admin credentials>

   To test AD connectivity:

    wbinfo -t

   To see if an AD user can be found:

    wbinfo -i <test AD user>

3. In order to not require that a login be prepended with the domain
   (i.e. DOMAIN\user), modify /etc/samba/smb.conf. In the [general]
   section, add:

    winbind use default domain

4. Enable PAM within satellite. Edit the file /etc/rhn/rhn.conf and
   add the following line:

    pam_auth_service = rhn-satellite

5. Create the file /etc/pam.d/rhn-satellite and populate it with the
   following text:

    auth     sufficient pam_winbind.so
    account  sufficient pam_winbind.so
    password sufficient pam_winbind.so use_authtok

6. Restart satellite:

    rhn-satellite restart

7. Enable PAM on a per-user basis. In the satellite GUI:

   NEW USERS:

    Users -> Create New User (use the user's Windows AD login name as
    the login name)
    Check "Enable PAM"

   EXISTING USERS (ASSUMING THE EXISTING USER'S LOGIN MATCHES THEIR AD
   LOGIN):

    Users -> Select Username to enable -> Check "Enable PAM"
    Click Update

8. If winbind is not enabled in NSS for local password file entries,
   or if you do not have enterprise authorization such as LDAP, the
   user must be created in the local password file. A script similar
   to this can create a locked user:

    #!/bin/bash
    # Create a local, locked account whose name matches the AD login.

    user="$1"

    [ -z "$user" ] && { echo "Usage: addsatuser.sh <username>"; exit 1; }

    # -M: no home directory; -N: no private group; -g nobody: primary group
    # passwd -l locks the password so the local entry cannot be used to log in
    adduser -M -N -g nobody "$user" && passwd -l "$user"

On 2013-07-17 8:42, Wimpelberg, Matthew wrote:

> I am using AD though not LDAP
>
> FROM: spacewalk-list-bounces at redhat.com
> [mailto:spacewalk-list-bounces at redhat.com] ON BEHALF OF Jens Neu
> SENT: Wednesday, July 17, 2013 8:37 AM
> TO: spacewalk-list at redhat.com
> SUBJECT: Re: [Spacewalk-list] Active Directory and Spacewalk
>
>> I have set up winbind on my server and am able to list all of my
>> Active Directory Users. I have created a user in spacewalk AD
>> username and am unable to log in as this user on the webconsole.
>> What am I doing wrong?
>
> https://fedorahosted.org/spacewalk/wiki/SpacewalkWithLDAP [2]
>
> regards
> Jens
>
> www.biotronik.com [3]
>
> -------------------------
>
> BIOTRONIK - Celebrating 50 years of excellence
>
> Founded in 1963 with the development of the first German pacemaker,
> BIOTRONIK has brought innovations and the highest quality standards
> to the cardiac rhythm management and vascular intervention fields in
> more than 100 countries around the world. We've developed advanced
> technologies such as BIOTRONIK Home Monitoring(R), Closed Loop
> Stimulation (CLS) and Orsiro, the industry's first hybrid drug
> eluting stent. BIOTRONIK also offers the broadest portfolio of
> cardiac devices with ProMRI(R), an advanced technology that gives
> patients access to magnetic resonance (MR) scanning.
>
> -------------------------
>
> BIOTRONIK SE & Co. KG
> Woermannkehre 1, 12359 Berlin, Germany
> Registered office: Berlin, Commercial Register: Berlin HRA 6501
>
> Represented by its general partner:
> BIOTRONIK MT SE
> Registered office: Berlin, Commercial Register: Berlin HRB 118866 B
> Managing Directors: Christoph Böhmer, Dr. Lothar Krings
>
> -------------------------
>
> This e-mail and the information it contains including attachments
> are confidential and meant only for use by the intended
> recipient(s); disclosure or copying is strictly prohibited. If you
> are not addressed, but in the possession of this e-mail, please
> notify the sender immediately and delete the document.
>
> -------------------------
>
> The information contained in this communication is confidential and
> may contain information that is privileged or exempt from disclosure
> under applicable law. If you are not a named addressee, please
> notify the sender immediately and delete this email from your
> system. If you have received this communication, and are not a named
> recipient, you are hereby notified that any dissemination,
> distribution or copying of this communication is strictly
> prohibited.
> -------------------------
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list [1]




Links:
------
[1]
https://www.redhat.com/mailman/listinfo/spacewalk-list
[2]
https://fedorahosted.org/spacewalk/wiki/SpacewalkWithLDAP
[3]
http://www.biotronik.com
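As an added example (not from the original post, and not part of Spacewalk or Satellite), the bash script below checks the files touched by steps 1 to 8 and reports which of them still diverge from the configuration the notes describe. It is useful precisely because two of the mistakes the notes warn about fail silently: a template shell left at a login shell hands every AD user SSH access, and a "winbind use default domain" line placed outside smb.conf's [global] section is ignored, so logins quietly keep requiring the DOMAIN\user form. Assumptions made here: every check takes the path of the file to inspect as an argument (defaulting to the paths the post names), samba reads the option from the section named [global] (the post says [general]) and expects it spelled "winbind use default domain = yes", and the sample files written by write_samples are constructed for the demonstration rather than copied from any host.

```bash
#!/bin/bash
# Added example, not from the original post or from Spacewalk/Satellite:
# pre-flight checks for the winbind + PAM setup described in steps 1-8.
# Every check takes the file to inspect as its argument, so it can be run
# against copies of the files; the defaults are the paths the post names.

# Step 1/NOTE: does /etc/nsswitch.conf resolve passwd entries via winbind?
nss_has_winbind() {
    local f="${1:-/etc/nsswitch.conf}"
    grep -Eq '^[[:space:]]*passwd:.*winbind' "$f"
}

# Step 3: is "winbind use default domain = yes" set, and set inside [global]?
# Assumption: samba reads the option from the [global] section and needs the
# "= yes" value; a copy placed under another section is silently ignored.
smb_default_domain() {
    local f="${1:-/etc/samba/smb.conf}"
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/) }
        in_global && tolower($0) ~ /^[ \t]*winbind[ \t]+use[ \t]+default[ \t]+domain[ \t]*=[ \t]*(yes|true|1)[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$f"
}

# Step 2: is the template shell /sbin/nologin, so AD users get web login only?
template_shell_nologin() {
    local f="${1:-/etc/samba/smb.conf}"
    grep -Eiq '^[[:space:]]*template[[:space:]]+shell[[:space:]]*=[[:space:]]*/sbin/nologin[[:space:]]*$' "$f"
}

# Step 4: does rhn.conf point Satellite at the rhn-satellite PAM service?
rhn_pam_service() {
    local f="${1:-/etc/rhn/rhn.conf}"
    grep -Eq '^[[:space:]]*pam_auth_service[[:space:]]*=[[:space:]]*rhn-satellite[[:space:]]*$' "$f"
}

# Step 5: does the PAM service file carry the auth and account lines?
pam_service_ok() {
    local f="${1:-/etc/pam.d/rhn-satellite}"
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$f" &&
        grep -Eq '^[[:space:]]*account[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$f"
}

# Prints PASS/FAIL for one check; returns that check's status.
_report() {
    if "$@"; then echo "PASS: $1 ($2)"; else echo "FAIL: $1 ($2)"; return 1; fi
}

# Runs all checks on one set of files (nsswitch, smb.conf, rhn.conf, PAM file).
# Returns the number of failed checks, so 0 means the host matches the post.
preflight() {
    local fails=0
    _report nss_has_winbind "$1"        || fails=$((fails + 1))
    _report smb_default_domain "$2"     || fails=$((fails + 1))
    _report template_shell_nologin "$2" || fails=$((fails + 1))
    _report rhn_pam_service "$3"        || fails=$((fails + 1))
    _report pam_service_ok "$4"         || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample files (not taken from any real host) so the checks can
# be exercised offline. smb.conf.bad leaves the shell at /bin/bash and puts
# the default-domain option under [homes], where it has no effect.
write_samples() {
    local d="$1"
    printf 'passwd:     files winbind\nshadow:     files\ngroup:      files winbind\n' > "$d/nsswitch.conf"
    printf '[global]\n   security = ads\n   winbind use default domain = yes\n   template shell = /sbin/nologin\n[homes]\n   browseable = no\n' > "$d/smb.conf"
    printf '[global]\n   security = ads\n   template shell = /bin/bash\n[homes]\n   winbind use default domain = yes\n' > "$d/smb.conf.bad"
    printf 'pam_auth_service = rhn-satellite\n' > "$d/rhn.conf"
    printf 'auth sufficient pam_winbind.so\naccount sufficient pam_winbind.so\npassword sufficient pam_winbind.so use_authtok\n' > "$d/rhn-satellite"
}

# Demonstration on the constructed files; swap in the real paths on a host.
demo() {
    local d
    d=$(mktemp -d) || return 1
    write_samples "$d"
    echo "== sample files matching the post =="
    preflight "$d/nsswitch.conf" "$d/smb.conf" "$d/rhn.conf" "$d/rhn-satellite" || true
    echo "== misplaced option and login shell left at /bin/bash =="
    preflight "$d/nsswitch.conf" "$d/smb.conf.bad" "$d/rhn.conf" "$d/rhn-satellite" || true
    rm -rf "$d"
}
demo
```

On a real host, call preflight with the four live paths (or with no arguments to each individual check); the exit status is the number of failing checks, so it drops straight into a post-install script. The checks only read files and never touch the domain, which is why they complement rather than replace the wbinfo -t and wbinfo -i tests from step 2.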