Slashdot Mirror
pam_ldap/pam_krb5 Authentication Against Active Directory?
Very Jerry asks: "Here's my problem. I'm currently in the middle of unifying all of our logins here at my place of work because of all the usual reasons (users forget passwords all too often, leaving them more resistant to setting up more complex passwords). Now we have an Active Directory domain setup here, and I was hoping to have all the users authenticate to that. SFU 2.0 is out of the question because it still leaves you to define extra attributes on the user in Active Directory Users and Domains. After a bit of searching, I've found out that pam_krb5 and pam_ldap have been used with success for authentication, but wherever I turn, there are no specific details. I'm currently 2 weeks deep in to this with no progress and a looming deadline. If anyone could point me to some good, specific instructions (specific to Active Directory, not just OpenLDAP) or help me out with a couple tips, it would be much appreciated."
NDS is absolutely the way to go. We currently use NDS on all of our servers: NetWare, NT, 2000, and Unix. Single point of management, fully LDAP compliant (unlike Minion of Satan's), fully leveragable. How else could only three guys run a 10 server, 3000+ user network?
Hi,
We have had similar issues regarding Microsoft's Active Directory product at Amaa Fui. We were switching from a Unix based kerberos system to one that used Microsoft's.
Here are some solutions to the same problems you had. Firstly, you need to patch your w2k boxes to the latest pack. Then install the beta k5 updates from Microsoft beta w2k site. These updates remove the slight changes Microsoft made to kerberos, and thus makes it compatible with your other systems.
Once those are patched in, you need to install Heesi optimizer (This can be found on any download site), I recommend this, cause this would go through your AD configuration and kerberos setup and tell you exectly where your security is weak and so on.
Once everthing is in place, you can move to more secure passwords and corportation wide access to single passwords. But let me warn you, you still need different passwords on resources that are of a criticial nature.
Also ensure everthing is behind firewalls and if your using VPN install the latest patches from Microsoft site, We run OpenBSD and Ipsec, they work very well with the current configuration.
Our systems include, Windows 2k/nt, Linux i386/alpha/ppc, Mac OS 9/X, HP/UX, IBM AIX, Solaris and an old VAX system. All of them are maintained by the w2k based kereberos authentication systme and LDAP for directory stuff.
Everthing works well and I'm very satisfied, only concern we have is that Microsoft's version of kerberos is very slow to authenticate our user. This creates some problems, specially since some of our internal services have authentication decay in it, to solve this problem we just moved to better hardware, but this is something Microsoft has to solve on their own.
Good luck with your setup and hope this helps, if not you can send me an e-mail to, fadaboi@NOSPAM.riyaasath.com
Fadaboi Kesbe
Done at least half of that...
Authenticating users against AD with pam_krb5 works fine. Just list the DNS names of your Win2k domain controllers in the config file just as if they were normal Kerberos servers, and use the AD domain as the Kerberos realm.
When I did this, I still had local passwd and group files. But it should be possible to move that stuff into AD. You would have to modify the AD schema to include that info in the directory (that's not a task for the faint of heart). Once you do that, though, it's pretty easy to query AD from Linux.
Where I work, we master all of our accounts for UNIX and NT, along with all of our email routing, our NFS volume definitions, our automounter configuration, and our DNS, in Ganymede.
We synchronize passwords from Ganymede into NIS, Samba, and our Windows NT PDC. We also configure tacacs and radius, and LDAP from the same master database. Ganymede provides a high quality GUI interface, and allows you to designate privileges over the directory database to as many classes of administrators as you like. Several people can be simultaneously browsing and making changes to the database, and when transactions are committed, a background thread updates all of the network services. Ganymede is the closest thing that the open source community has to NDS or Active Directory, in terms of being a complete management solution, even though it is not based on LDAP and it does not scale anywhere near as well as an Active Directory or NDS. If you are looking to manage a single location, however, Ganymede will do the job right.
Take a look at the web site in my .signature, below. Ganymede 1.0 is due out within the next week, along with a userKit that supports password synchronization for UNIX, Samba, and Windows NT, with password quality checking handled by Clyde
Hoover's excellent nPasswd
passwd validation suite.
- jon
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Okay. Enough of this shit. FUD killing time.
/etc/passwd) in two formats: the encrypted NTLM passwords, and the LAN Manager hashes. Since the LAN Manager hashes = NT passwords, that's how L0phtcrack gets your pwd's. But, NT has to be SHUT DOWN (when installed on an NTFS part) to get the SAM file to feed it into L0phtcrack. That's where physical security comes in. And, since NT can't protect the passwords when it's shut down, since SP3 there's a utility called SYSKEY which encrypts the SAM when NT is shut down. L0phtCrack can't touch the hashes then. BTW, SYSKEY is not on by default on NT. It is on Win2k boxes with SAM's (Pro and non-DC member servers). Go figure.
Let's get this straight. MS Does NOT pass clear text passwords over the network. There are basically three types of authentication on MS networks:
1. LAN Manager hashes: This is where the password is simply 'hashed' (weak obfuscation) and not encrypted. Used by LAN Manager, Win 3.x, DOS, and 9x clients authenticating to NT and Win2k DC's. Also used by NT in a non-trust same username/password on both sides situation. Easily snooped, and when fed into L0phtcrack, can be broken. ie: if two users' passwords were "luser", they'd have the same hash representing them.
2. NTLM (NT LAN Manager): Used by WinNT against all DC's and Win2k boxes authenticating against NT DC's. Totally encrypted. The client does a secure, encrypted RPC "trust" with the domain controller, and then passes the name/password combo to the DC, which then passes back an access token. CANNOT BE SNOOPED OR BROKEN. Two versions: NTLM v1 and NTLM v2.
3. Kerberos: Used by Win2k clients against Win2k DC's. Even more secure ticket-passing scheme. 'Nuff said.
Now. You see what I said that NT passwords can't be snooped or broken? I'm serious. It's impossible. LAN Manager hashes, however...Easy. So, you asked how in the hell does L0phtcrack break NT passwords?
Here's the funny part: it doesn't.
On every NT box, the passwords are stored in the SAM (equivalent of
On Win2k DC's, everything is stored in the AD database. Try and crack that. I'm sure it'll eventually be done...but it'll take a long while.
So, in short: Don't use downlevel (non NT) clients, turn on SYSKEY, and the LAN Manager hash scourge will all but be eliminated.
However, there is a Directory Services Client for 9x/NT that allows it to use NTLM v2 in a Win2k network. I still wouldn't use 9x.
In other words...don't talk about which you do not know.
Cheers,
-Kevin, MCSE+I/MCT
My posts don't reflect the opinion of my employer, and my employer's opinion doesn't influence the content of my posts.
We did that where I work, under Solaris, last summer. What we did is use a perl script I wrote to create a passwd file out of Active Directory (with all the passwords set to NP), then did the authentication using pam_krb5. Set Kerberos up like normal, it it pretty much all falls into place. The only hard parts are programs that don't play nice with pam. I think I can find the Perl script if you'd like it. Email me at lopresto@writeme.com. Good luck!
Visit me on #weirdness on the Galaxynet.
Well, you could replace the 2k kerberos auth with MIT Kerberos ...
n ning/security/kerbsteps.asp
http://microsoft.com/technet/win2000/rsvpker.asp
And 2k clients could still authenticate with no problems, but you have a *NIX based KDC, with the obvious advantages that brings.
Microsoft even publishes a step-by-step guide to doing this!
http://www.microsoft.com/windows2000/techinfo/pla
I'm certainly not a Microsoft fan, but I have to stop FUD when I see it. The above is false. The SMB side of my network is 95/98/NT/2000, and there are no clear-text SMB passwords floating around. The Win 95/98 machines authenticate against the NT domain, and do it without plain-text passwords. Same thing when the Linux machines need to connect to an SMB share. So, sorry, but that's just not true.
They do pass around password information that L0phtcrack can work with, though, so if the passwords are weak, they'll be easily broken. It's essentially the equivalent of sending out /etc/shadow entries unencrypted on the network.
Gumbo
Somewhere on MS's site is some code for adding/deleteing/modifying users from Active Directory along with a script that could cull the users from active directory and allow you to import that into a passwd file (minus the passwords, which would be authenticated via kerberos). This is certainly not for the faint-at-heart, and I looked into it for a while and eventually gave up on that idea because it was simply too complex and too likely to break for no apparent reason.
I used up all my sick days, so I'm calling in dead.
Comment removed based on user account deletion
I have not looked into Novell stuff for about 6months, but I think you are mistaken..
e-directory (your name NDS) is NDS that can run on NetwareOS, WinNT/2K and Linux..
a) On WinNT/2K it actually replaces domain/AD as the authenticator.
b) on Linux it replaces the password file by using PAM modules to redirect authentications to NDS
What you are thinking of is DirXML a directory synchronizing daemon that maps parts of AD to NDS and vice-versa. IMO it is the slickest software from Novell since Netware 3.11 came out.
You create the mapping of NDS schema to/from AD and you can tell it what part of (container / organizational unit) your NDS maps to what part of AD. You are still running two directories which are being synchronized at an interval you decide. What makes it kick ass is the schema and attributes synch is all visual, point and click.
This sig space tolet, reasonable rate.
The problem with unifying your logins is of course that once an attacker has compromised ANY of your user's passwords, they now not only have access to your network, but they also have authenticated access to ANY resource which that user has access to. From here, it won't be long before they own your network.
Is this what you really want? Again, it isn't, if you care about security.
Now, because I gotta get my shots in, you also should not be doing your authentication on a Windows machine, because Windows-based authentication is inherently brain-dead.
If an attacker manages to get onto your network, they'll probably be able to sniff someone's password within about 5 minutes since Windows will use plain text unless you're in an all-NT/2000 environment. Once they have that, it will take about 2 minutes to get your password database. At this point, they can log off, crack passwords at their lesiure, and within about 4 hrs they'll have over 90% of your passwords using l0phtcrack (which, by the way, will happily sniff passwords off the network for you too).
You should use a solution that allows encrypted authentication, and that pretty much means Unix or a third-party authentication package for Windows. Throw AD away.
Have a nice day!
Novell has already made a pam modules for NDS. Just install NDS for linux/solaris on the server and copy the PAM module over. Problem solved. You can also use DirXML to sync an AD "tree" with and NDS tree, so in turn you can login to the tree and have the user object on the AD tree.
I use the term tree with AD loosely; understand it that AD isn't truly a hierarchical system. It's a flat database just like their old Domain system. Don't believe me? Test it, create an OU, and make a user called "bsmith". Now create another OU anywhere else and try and create a user named "bsmith". You can't. Seriously look into Novell's NDS as a directory solution, you can't even partition an AD tree. That means the entire database is transmitted to every server, even if their OU has nothing to do with that system. Partitioning a tree keeps the traffic to a minimum while still replicating to other specific servers for redundancy. Also know that in AD, when you edit an attribute in an object, the entire object is resent out to all the servers. Not just that attribute for the object. AD is still not even remotely close to NDS.
NDS runs on Netware, NT, Win2000, Linux, Solaris.
AD runs on Windows2000, and to really use it all your workstations have to be Windows 2000!