Authenticating UNIX/Linux to Windows 2008R2. Part 1 : Set up Windows

Background

Prior to using Windows, UNIX (eg Solaris) managed users and groups using the /etc/passwd and /etc/group files, or using NIS or NIS+. Since Solaris 8, NIS+ has been deprecated, with LDAP being the preferred authentication method.

However, whilst Windows 2008R2 Active Directory does act as an LDAP server, it doesn’t provide any authentication; authentication is done via Kerberos V5. This blog will document the steps required to set up Windows 2008R2 to act as a Kerberos and LDAP server to support both Linux and Solaris.

VMware Workstation will be used to do the Proof-of-concept. It is expected that the SPARC version of Solaris 10 would act the same as the Intel version of Solaris 10.

The following Guest UNIX Operating systems will be tested:

  • Solaris 10 Update 9, (x86_64)
  • Red Hat Enterprise Linux 5 Update 6 (x86_64)
  • Red Hat Enterprise Linux 6 (x86_64)

Windows 2008R2 (x64) Standard Edition will be used.

Requirements

  • VMware Workstation 7.1.4 used as the proof-of-concept hosting platform.
  • Active Directory must be the source of truth.
  • Windows 2008R2 will also provide DNS.
  • No additional self-supported software allowed.
  • Configuration files may be edited and documented (eg pam.conf).
  • Encryption must be used (ie LDAPS, not LDAP).
  • Certificates must be used to provide positive authentication of servers (to prevent spoofing). This applies to both LDAP and Kerberos.
  • Users must be able to manage their own passwords (ie this isn’t password synchronisation).
  • Password expiry controls must be honoured.
  • Kerberos features, such as single sign on (from Windows to UNIX, or UNIX to UNIX) must be supported.

Network and Host IP Addresses

  1. Subnet: 192.168.102.0/24
  2. Default Router: None
  3. DNS Domain: example.com
  4. Kerberos Realm: EXAMPLE.COM
  5. AD server hostname: adserver.example.com
  6. AD server IP address: 192.168.102.10
  7. Solaris guest 1 hostname: sol10host1.example.com
  8. Solaris guest 1 IP address: 192.168.102.20
  9. Solaris guest 2 hostname: sol10host2.example.com
  10. Solaris guest 2 IP address: 192.168.102.30
  11. RHEL5.6 guest 1 hostname: rhel5host1.example.com
  12. RHEL5.6 guest 1 IP address: 192.168.102.40
  13. RHEL5.6 guest 2 hostname: rhel5host2.example.com
  14. RHEL5.6 guest 2 IP address: 192.168.102.50
  15. RHEL6.0 guest 1 hostname: rhel6host1.example.com
  16. RHEL6.0 guest 1 IP address: 192.168.102.60
  17. RHEL6.0 guest 2 hostname: rhel6host2.example.com
  18. RHEL6.0 guest 2 IP address: 192.168.102.70

Method

Windows Setup

    1. Create a Windows 2008R2 VM, with the following configuration:
      1. Custom Config, VMware Workstation 6.5 compatible
      2. I will install the operating system later.
      3. Guest OS : Microsoft Windows, Windows Server 2008 R2 x64
      4. VM Name: “adserver”
      5. 1 Processor, 1 Core per Processor
      6. 1024MB Memory
      7. Use Host-Only Networking
      8. IDE Controller type: ATAPI
      9. SCSI Controller type: LSI Logic SAS
      10. Disk: Create a new virtual disk, SCSI, Maximum Disk size, 40GB, Store as Single File, adserver.vmdk (on an NTFS filesystem).
      11. Insert the Windows installer CD (build 59754).
      12. Power on and Boot from CD.
    2. Install Windows 2008R2:
      1. Select English Language, English (Australian) Time/Currency, US Keyboard
      2. Install Now
      3. Select Windows 2008 R2 Standard (Full Installation)
      4. Accept the License Terms
      5. Select Custom->Advanced
      6. Select Drive 0, Unallocated Space
      7. Set hostname and timezone.
      8. Install VMware Tools. Use Typical Setup.
      9. Set VMware tools to use Time Synchronisation between the VM and the host.
      10. Reboot
      11. Configure Networking, using Static IPv4 address. Disable IPv6.
      12. Allow Remote Desktop, if required
      13. Disable Firewall
    3. Install AD Server Role, run “dcpromo”
      1. Advanced Mode Installation: yes
      2. New domain in a new forest: yes
      3. Domain FQDN: example.com
      4. Domain NETBIOS name: EXAMPLE
      5. Forest Functional Level: Windows Server 2008 R2
      6. Select the DNS Server Additional Option
      7. Use the standard folder names
      8. Enter a Directory Services Restore Mode Administrator Password
      9. Reboot
      10. Set the nameserver (same as parent folder) NS to use the FQDN. “adserver.example.com.”
      11. Set the nameserver for the Network Connection to “127.0.0.1”
      12. Set the DNS suffix for this connection to “example.com”
    4. Install the Identity Management for UNIX Role Service
    5. Install the Active Directory Certificate Services Role:
      1. Install just the Certificate Authority
      2. Setup Type : Enterprise
      3. CA Type: Root CA
      4. Private Key : Create a new private key
      5. Cryptographic Service Provider : RSA (default)
      6. Key Length : 2048 (default)
      7. Hashing Algorithm: SHA1 (default)
      8. Common Name for the CA : example-ADSERVER-CA
      9. Distinguished Name Suffix : DC=example,DC=com
      10. Validity Period : 5 Years
    6. Start Active Directory Users and Computers
      1. Create a user for doing LDAP bind (anonymous binds are not supported):
        1. Name the user (eg. “ldapsearch”).
        2. Set the password (eg “ld@p53arch”).
        3. Set the user password to never expire, and not be changeable.
        4. The user must be a member of “Domain Users” (by default, it is).
      2. Create an OU, if required, to contain UNIX objects (eg. “OU=UNIX,DC=example,DC=com”).
      3. Create UNIX groups, as required:
        1. Create a Global Security Group. Name the group (eg. “unixgrp1”).
        2. Select the properties, UNIX Attributes tab, and set as follows:
          1. NIS Domain: EXAMPLE
          2. GID: 10000
          3. Primary Group: 10000
      4. Create UNIX users, as required:
        1. Name the user, and give it a password.
        2. Select the properties, UNIX Attributes tab, and set as follows:
          1. NIS Domain: EXAMPLE
          2. UID: 10000
          3. Login Shell: /bin/bash
          4. Home Directory: /home/unix1
          5. Primary Group: unixgrp1
    7. Using DNS Management, add DNS entries for the hosts: create an A record and a PTR record.
    8. Start Certificate Services (certsrv.msc), and export the certificate for “example-ADSERVER-CA”:
      1. Select Base-64 encoding X.509 (.CER)
      2. Save the file to “rootCA.cer”.
    9. Start Active Directory Users and Computers
      1. Create a computer object for each host. This will be used to map Kerberos host principals to a user.
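Steps 6 to 9 above can also be scripted from an elevated PowerShell prompt on adserver. The following is an added example, not code from the original post; it assumes the ActiveDirectory module is installed on the domain controller, that the reverse zone 102.168.192.in-addr.arpa already exists in DNS Management, and that the UNIX Attributes tab writes the RFC 2307 attributes named in the hashtables below (uidNumber, gidNumber, loginShell, unixHomeDirectory, msSFU30NisDomain). Passwords are prompted for rather than embedded in the script.

```powershell
# Added example: scripted equivalent of steps 6-9 (assumptions listed in the lead-in).
Import-Module ActiveDirectory

$domainDN  = 'DC=example,DC=com'
$unixOU    = "OU=UNIX,$domainDN"
$nisDomain = 'EXAMPLE'   # same value as the NIS Domain field on the UNIX Attributes tab

# Step 6.1: LDAP bind account (never expires, user cannot change it)
$bindPw = Read-Host -AsSecureString -Prompt 'Password for ldapsearch'
New-ADUser -Name 'ldapsearch' -SamAccountName 'ldapsearch' -Path $domainDN `
    -AccountPassword $bindPw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# Step 6.2: OU that will hold the UNIX objects
New-ADOrganizationalUnit -Name 'UNIX' -Path $domainDN

# Step 6.3: global security group carrying the GID and NIS domain
New-ADGroup -Name 'unixgrp1' -GroupScope Global -GroupCategory Security -Path $unixOU `
    -OtherAttributes @{ gidNumber = 10000; msSFU30NisDomain = $nisDomain }

# Step 6.4: user with UID, shell, home directory and primary group (gidNumber)
$userPw = Read-Host -AsSecureString -Prompt 'Password for unix1'
New-ADUser -Name 'unix1' -SamAccountName 'unix1' -Path $unixOU `
    -AccountPassword $userPw -Enabled $true `
    -OtherAttributes @{ uidNumber = 10000; gidNumber = 10000; loginShell = '/bin/bash';
                        unixHomeDirectory = '/home/unix1'; msSFU30NisDomain = $nisDomain }
Add-ADGroupMember -Identity 'unixgrp1' -Members 'unix1'

# Steps 7 and 9: A and PTR records plus a computer object for each client host
$clients = @{ 'sol10host1' = '192.168.102.20'; 'sol10host2' = '192.168.102.30';
              'rhel5host1' = '192.168.102.40'; 'rhel5host2' = '192.168.102.50';
              'rhel6host1' = '192.168.102.60'; 'rhel6host2' = '192.168.102.70' }
foreach ($c in $clients.GetEnumerator()) {
    $fqdn      = "$($c.Key).example.com"
    $lastOctet = $c.Value.Split('.')[-1]
    dnscmd /RecordAdd example.com $c.Key A $c.Value
    dnscmd /RecordAdd 102.168.192.in-addr.arpa $lastOctet PTR "$fqdn."
    New-ADComputer -Name $c.Key -DNSHostName $fqdn -Path $unixOU
}

# Step 8: export the root CA certificate, then re-encode it as Base-64 X.509 (rootCA.cer)
certutil -ca.cert rootCA.der | Out-Null
certutil -encode rootCA.der rootCA.cer | Out-Null
```

After running it, confirm the values with `Get-ADUser unix1 -Properties uidNumber,gidNumber,loginShell,unixHomeDirectory` and `nslookup sol10host1.example.com 127.0.0.1` before moving on to the clients.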

Next up, setting up clients, Solaris 10, RHEL5.6, and RHEL6.

Also, see the information on encryption types for tickets and sessions.


5 Responses to Authenticating UNIX/Linux to Windows 2008R2. Part 1 : Set up Windows

  1. Chase says:

    Pretty insightful. Thanks!

    My blog:
    compare DSL providers and DSL providers

  2. ChrisP says:

    Step 7. Using DNS Management, Add DNS entries for the hosts.
    Create A record, and PTR record

    Is this DNS record for each of the unix clients?

    What about if the clients are the other side of a TMG or the like? Then PTR records may be a bit difficult to create…

  3. Thank you for posting this information. It still amazes me how hard this stuff is to setup. Especially on the UNIX side, and I’m a big unix fan.

  4. Jim says:

    I’ve done this on Windows Server 2003 twice successfully already, and it’s worked great. But like all things, Microsoft had to change how this works.

    So I’ve followed these steps verbatim, and I am running into a problem that is preventing me from continuing at Step 6.3.2: the Unix Attributes tab is not there. Some quick research showed I need to register nisprop.dll, simple enough, but it will not register because “a file is missing”. So I uninstalled everything and reinstalled. Same problem. Some more research showed that in order to get nisprop.dll working, you need to configure Server for NIS by running niscnfg.exe. Again, simple enough, so I run the niscnfg.exe file and get an error saying msvcrtd.dll is missing. I tried several things including an sfc, installing .NET 4, installing the SUA subsystems and SDK; still the same issue.

    I found the msvcrtd.dll file on another system and copied it over, then registered it (with an error) and after running niscnfg.exe again I got “The application was unable to start correctly. Click OK to close the application.” lovely.

    I really do appreciate the effort you put into this guide. Do you have any other resources besides Scott Lowe’s blog that you could pass along?

  5. Pingback: Unix interoperability with Microsoft | Jacques DALBERA's IT world
