
LINUX

There are multiple options here depending on how you want to set things up. The simplest is probably to configure PAM to authenticate via Kerberos against the CIT AD. If that sounds workable, all you need to do is configure krb5.conf, pam.d/system-auth and pam.d/sshd (if you want remote authentication). This is all detailed in Tim's documentation, but here is the Cliff's Notes version (note that it is CentOS 7 centric and might need tweaks for other Linux flavors):

/etc/krb5.conf

[libdefaults]
# A bare number is seconds: 24000 s is 6 h 40 min, within AD's default 10 h maximum.
ticket_lifetime = 24000
# Realm names are case-sensitive; an AD realm is the DNS domain name in upper case.
default_realm = CIT.UCAR.EDU
dns_lookup_realm = false
# The realm block below lists no KDCs, so they are found through the
# _kerberos._tcp.cit.ucar.edu SRV records that AD publishes in DNS.
dns_lookup_kdc = true
[realms]
CIT.UCAR.EDU = {
}
# The section name is domain_realm with an underscore. A "[domain realm]"
# header is parsed as an unrelated section and silently ignored; hosts then
# map only through default_realm, which happens to be the same realm here.
[domain_realm]
cit.ucar.edu = CIT.UCAR.EDU
.cit.ucar.edu = CIT.UCAR.EDU

/etc/pam.d/system-auth (on CentOS 7 this is normally a symlink to system-auth-ac, which authconfig rewrites; edit the file it points at, or let authconfig --enablekrb5 --krb5realm=CIT.UCAR.EDU --update generate the line, so the change survives):

.....
# "sufficient": a successful Kerberos authentication ends the auth stack here.
# On failure (wrong password, or no domain controller reachable) PAM falls
# through to the lines that follow, normally pam_unix.so, so a local password
# still works.
auth sufficient pam_krb5.so likeauth nullok try_first_pass realm=CIT.UCAR.EDU
.....

/etc/pam.d/sshd (only consulted when sshd_config has UsePAM yes, the CentOS 7 default):

.....
# First line: RADIUS/OTP, as used by ACOM. Second line: Kerberos password
# against AD. Only the uncommented one is active.
#auth     sufficient  pam_radius_auth.so debug ruser conf=/usr/local/etc/token_server
auth     sufficient   pam_krb5.so likeauth nullok try_first_pass realm=CIT.UCAR.EDU
.....

Note that the commented-out first line (pam_radius_auth) is what ACOM uses in place of the pam_krb5 line, since ACOM restricts remote authentication to OTP only.


This method requires you to create local users manually (the account must exist in /etc/passwd; only the password check goes to AD), but that is also what eliminates the need for the "restriction" options (see MMM's notes), since only users with a local account can log in at all, while still satisfying the need to centrally log all authentication attempts on the Domain Controllers. For mobile systems you still need to set a local password, because this "pass-through" authentication does not cache credentials in any way: with no path to a domain controller the pam_krb5 line simply fails and PAM falls through to the local password. If you need cached credentials, look at the realm command (realmd, which sets up SSSD), also detailed in both ACOM's and MMM's notes.
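The following script is an added example of the checks worth running once the three files above are in place; it is not part of Tim's, ACOM's or MMM's notes. The script name check_ad_auth.sh is hypothetical, the default paths are the CentOS 7 ones, and the kinit step is only attempted when a user name is passed, since it needs a domain controller and prompts for the AD password.

```shell
#!/bin/sh
# check_ad_auth.sh (hypothetical name): sanity checks for the pass-through
# Kerberos/PAM setup described above. Added example, not from the notes
# this page links to. Assumes CentOS 7 file locations; pass other paths if
# yours differ.

# krb5_conf_lint FILE
# Exit status 0 if FILE has everything the setup relies on, 1 otherwise.
# The section header must read [domain_realm] (underscore): "[domain realm]"
# is parsed as an unrelated section and silently ignored.
krb5_conf_lint() {
    f=$1
    rc=0
    if grep -q '^\[domain realm\]' "$f"; then
        echo "$f: '[domain realm]' is not a valid section name, use [domain_realm]"
        rc=1
    fi
    if ! grep -q '^\[domain_realm\]' "$f"; then
        echo "$f: no [domain_realm] section, hosts will only map via default_realm"
        rc=1
    fi
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    if [ -z "$realm" ]; then
        echo "$f: default_realm is not set"
        rc=1
    else
        # Realm names are case-sensitive; an AD realm is the DNS domain in upper case.
        if [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
            echo "$f: default_realm '$realm' should be upper case"
            rc=1
        fi
        if ! grep -qF "$realm = {" "$f"; then
            echo "$f: no [realms] entry for $realm"
            rc=1
        fi
    fi
    # With an empty realm block the KDCs must come from the _kerberos._tcp SRV
    # records that AD publishes, which requires dns_lookup_kdc = true.
    if ! grep -Eq '^[[:space:]]*kdc[[:space:]]*=' "$f" \
       && ! grep -Eq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$f"; then
        echo "$f: no kdc = line and dns_lookup_kdc is not true, no way to find a KDC"
        rc=1
    fi
    return $rc
}

# pam_krb5_check FILE
# 0 if FILE has an active (uncommented) auth line for pam_krb5.so, 1 if the
# only such line is commented out or missing, which is what an OTP-only sshd
# stack like ACOM's looks like.
pam_krb5_check() {
    if grep -Eq '^[[:space:]]*auth[[:space:]]+(sufficient|required|requisite|optional|\[[^]]*\])[[:space:]]+pam_krb5\.so' "$1"; then
        return 0
    fi
    echo "$1: no active 'auth ... pam_krb5.so' line"
    return 1
}

# kerberos_smoke_test USER REALM
# Gets a TGT for USER@REALM from a domain controller and lists it. Run this
# before touching PAM: if kinit fails, the pam_krb5 line fails the same way.
kerberos_smoke_test() {
    kinit -V "$1@$2" && klist
}

main() {
    krb5=${1:-/etc/krb5.conf}
    sysauth=${2:-/etc/pam.d/system-auth}
    sshd=${3:-/etc/pam.d/sshd}
    krb5_conf_lint "$krb5" || return 1
    pam_krb5_check "$sysauth" || return 1
    # sshd is allowed to lack pam_krb5 (OTP-only hosts); just report it.
    pam_krb5_check "$sshd" || echo "$sshd: remote logins will not use Kerberos"
    if [ -n "${4-}" ]; then
        realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$krb5" | head -n 1)
        kerberos_smoke_test "$4" "$realm"
    fi
}

# Usage: sh check_ad_auth.sh [krb5.conf] [system-auth] [sshd] [user-to-kinit]
# Runs only when given at least one argument, so sourcing the file just
# defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as sh check_ad_auth.sh /etc/krb5.conf /etc/pam.d/system-auth /etc/pam.d/sshd yourADuser; the lint catches the "[domain realm]" typo and a lower-case or unreferenced realm, and the final kinit/klist proves the KDC discovery via DNS actually works from this host before anyone relies on the PAM line.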


If you go this route and also want to make your Linux filesystems available via Samba, you will need the extra step of joining the machine to the domain, so that domain users are authenticated by AD when they connect (no separate password required):

net ads join createcomputer=/Divisions/XXX/Computers/ -UYourAdminAccount%password -S citdcfl02.cit.ucar.edu

XXX stands for the division OU. Leave off the %password part to be prompted for it instead of putting the admin password on the command line, where it lands in the process list and your shell history.


ACOM Notes on joining Centos 7 systems to AD

MMM Notes on joining Centos 7 system to AD (restricting users)


MAC

ACOM Notes on joining MACs to AD

CISL Notes on joining MACs to AD


From MMM:
Mac (10.11):
     This allows us to pick only specific directory users allowed to log onto the machine.
Joining a Mac to Active Directory: ADTF Google Doc
This document includes multiple ways to join a Mac, including through Casper and using dsconfigad. It also includes how to migrate a local user account to a CIT account, as well as information about ADPassMon for AD password and Kerberos renewal and expiration.