Thursday, 4 September 2014

Active Directory Authentication for Linux-based systems


About the document:

This document describes how to use centralized authentication and authorization, backed by Active Directory, to manage a Linux environment. The key components of this setup are:
1) Active Directory Domain Controller
2) Adding the server/workstation to the domain
3) Creating a role-based access control policy for the users

What is a Central Authentication Service?
Authentication is the process that determines whether a person or computer really is who they claim to be. Authentication to an application is usually managed by a username followed by a password.

What is a Central Authorization Service?
An authentication service can be used by several different systems and applications to verify the identity of the users who are trying to connect to them.
A web-based login service allows users to access multiple password-protected web services by logging in once. This is often called single sign-on (SSO).

What is AD?

Active Directory is Microsoft's directory service, based on the LDAP protocol, which allows administrators to assign policies, deploy software, and apply updates across an entire organization. AD also allows users to store data in a central location, where it is backed up.

What are the advantages of using Active Directory Domain Services for centralized authentication?

1)      We can centrally manage our security policy from the domain controller, which is better than reaching each server/workstation physically or remotely and managing the security policy of that individual server/workstation.
2)      A single set of administrators manages all the security policies in the environment. Only these users have permission to add, modify or delete the security policies.
3)      An organization-wide security policy can be enforced, for example forcing users to change their password after a certain period.
4)      The directory service or Global Catalog (GC) provides a single platform for all other directory-wide services, including monitoring and messaging.
5)      Service tasks, such as software deployment and inventory/object management, can be performed centrally.


Adding a Linux Server/Workstation to the domain

Step 1 (download and install the prerequisites):

1)      Download the “DirectManage Deployment Manager” software from the Centrify website. The link to the software is given below.

2)      Install the “DirectManage Deployment Manager” software on the Domain Controller.


Step 2 (Adding the Ubuntu Server to the domain):

Before joining the Ubuntu server to the domain we need to modify the DNS settings and install portmap on the Ubuntu server.

To modify the DNS settings of the Ubuntu server, edit the /etc/resolv.conf file and add the Active Directory DNS server IP address.

Portmap needs to be installed on the Ubuntu server because “DirectManage Deployment Manager” uses NIS to talk to the client.

Installing Portmap on Ubuntu Server

Once all the prerequisites are installed successfully, we will be able to add the Ubuntu server to the domain.
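The two prerequisites above, as an added readiness check that is not part of the original post or of Centrify's tooling: it verifies that /etc/resolv.conf names the AD DNS server and search domain (printing a corrected file when it does not) and that the portmapper answers locally. The AD_DNS and AD_DOMAIN values are placeholders.

```shell
#!/bin/sh
# Pre-join readiness check for the Ubuntu host. Added example, not part of
# the original post or of the Centrify product.
# AD_DNS and AD_DOMAIN are placeholders: set them to your DC's IP and AD domain.
AD_DNS="${AD_DNS:-172.16.0.10}"
AD_DOMAIN="${AD_DOMAIN:-corp.example}"

# Escape the dots in an IP or domain so it matches literally in a grep -E pattern.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Exit 0 when FILE ($1) lists IP ($2) on a nameserver line (no partial matches).
resolv_has_nameserver() {
    grep -Eq "^[[:space:]]*nameserver[[:space:]]+$(re_escape "$2")([[:space:]]|\$)" "$1"
}

# Exit 0 when FILE ($1) has a search/domain line that names DOMAIN ($2)
# as one whole entry (corp.example.com does not count for corp.example).
resolv_has_search() {
    grep -Eq "^[[:space:]]*(search|domain)([[:space:]]+[^[:space:]]+)*[[:space:]]+$(re_escape "$2")([[:space:]]|\$)" "$1"
}

# Print a corrected resolv.conf: the AD DC first (so the domain's SRV records
# resolve), followed by the other nameservers already in FILE ($1).
resolv_with_ad_first() {
    file="$1"; ip="$2"; domain="$3"
    printf 'search %s\nnameserver %s\n' "$domain" "$ip"
    grep -E '^[[:space:]]*nameserver[[:space:]]' "$file" \
        | grep -Ev "[[:space:]]$(re_escape "$ip")([[:space:]]|\$)" || true
}

# Exit 0 when the portmapper (portmap/rpcbind) is installed and answers locally.
portmap_ready() {
    command -v rpcinfo >/dev/null 2>&1 && rpcinfo -p localhost >/dev/null 2>&1
}

main() {
    rc=0
    if resolv_has_nameserver /etc/resolv.conf "$AD_DNS"; then
        echo "ok: AD DNS $AD_DNS is configured"
    else
        echo "fix: write the following to /etc/resolv.conf"; rc=1
        resolv_with_ad_first /etc/resolv.conf "$AD_DNS" "$AD_DOMAIN"
    fi
    resolv_has_search /etc/resolv.conf "$AD_DOMAIN" || { echo "fix: add 'search $AD_DOMAIN'"; rc=1; }
    portmap_ready || { echo "fix: apt-get install portmap (Ubuntu only)"; rc=1; }
    return $rc
}
# Run the check only when invoked as: sh adjoin-check.sh check
[ "${1:-}" = "check" ] && main
```

On Ubuntu the DHCP client or resolvconf may regenerate /etc/resolv.conf, so re-run the check after a reboot before joining.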


To join the server to the domain, go to the domain controller and log in with the Administrator credentials.

Open the “DirectManage Deployment Manager” console.

Then click on Add Computer.

Click on Add a Single Computer, specify the IP address of the Ubuntu server and click on Next.

You will get a notification message stating “The following computer is discovered”. Click on Next.

Then click on “Specify a new set of account information” and click on Next.

The next prompt asks for the account information.

Specify the username you use to log in to the Ubuntu server. The default name is “ubuntu”. Tick the check box “Specify privilege command in task that require root privilege”.

It will ask you for the “authentication method”. Click on “Authentication using private key” and provide the “pem” key associated with the instance (if the Linux server is on the AWS cloud, specify the pem key; otherwise select simple username and password based authentication).




Click on Next and Finish to add the Ubuntu server to the DirectManage Deployment Manager computer list.

Click on Download Software; you need to provide the user ID and password of your registered Centrify account.

Click on Next to complete the download.

Analyze the environment and check whether everything is good or not. If there is any issue, you can check it in the Open Issues console.

Make sure everything is working perfectly and go ahead to deploy the software. Click on Deploy and select the option “Centrify Suite Standard Edition”.

Finish the installation process by clicking Finish.

Now we need to go back to the Ubuntu server and check whether we are able to log in with Windows credentials or not.

So I am logged in to the Ubuntu server with the Active Directory credentials. To verify, type “id” in the Ubuntu shell and press Enter.

As you can see, the user belongs to the “domain_users” group. So we have successfully logged in with our domain credentials.


Adding a REDHAT/CENTOS Server to the Domain

To add a REDHAT or CENTOS server to the domain we just need to change the DNS server in the /etc/resolv.conf file and repeat the process we did for Ubuntu. We do not need to install portmap on the REDHAT/CENTOS server.




Create a role-based access policy for the users

For creating a role-based access policy we need to remember two things.

1)      Who will be able to access those AD-joined servers.

2)      Whether a user is able to access the server with sudo privileges or will only have normal user privileges.

If we need to give login permission to a specific user, we give it from the Active Directory Users and Computers console.

1)      Go to Active Directory Users and Computers and open the properties of the user.
2)      Select the Account tab and click on “Log On To”.




Select the option “The following computers”, add the NetBIOS name of the computer and click on Add.



As you can see, in our example the user Dileep is only able to access three servers/workstations in the domain.

Now go ahead and test whether the access policy works or not for that user. We have two Linux servers in the example. I have given the NetBIOS names and IP details below in the list.


NETBIOS NAME OF THE SERVER    IP DETAILS      UNIX INSTANCE TYPE
IP-172-16-0-226               172.16.0.226    UBUNTU
IP-172-16-0-227               172.16.0.227    REDHAT


In our example the user Dileep only has access to the server IP-172-16-0-226. So he will successfully log in to the server IP-172-16-0-226, but he will not be able to access IP-172-16-0-227.

So we are successfully able to log in to the IP-172-16-0-226 server.

Now go to the server IP-172-16-0-227 and check whether the user Dileep is able to access the server or not.

As you can see in the screen, we are not able to log in with the user Dileep. So, based on the access policy we created for the user Dileep in Active Directory, he is able to log in to the server IP-172-16-0-226 but not to the server IP-172-16-0-227.


Assign sudo permission to the Active Directory users to perform administrative tasks

1)      To assign sudo permission to a user we need to log in with our default user and add the user to the sudoers list with visudo. After that he will be able to perform all administrative tasks.
2)      If an Active Directory user has permission to log in to the server but is not added to the sudoers list, he will not be able to perform administrative tasks.

The steps below show how to add the user to the sudoers list.
Open the sudoers file with visudo and add the user to the list. After adding the user to the list he will be able to perform all administrative tasks.

In the example below the user sudipta is added to the sudoers list. So he will be able to perform all administrative tasks in the domain.
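Two helpers for the sudoers step above, added here as an example and not part of the original post: one audits which users and groups a sudoers file actually grants (checked against the group list `id -nG` prints for an AD user), the other installs a group-based drop-in only after visudo has validated it. The group names used are assumptions.

```shell
#!/bin/sh
# Sudoers audit/install helpers for the AD-joined servers. Added example, not
# part of the original post. Group names such as domain_admins are assumptions;
# on a Centrify-joined host AD groups show up in `id` output as Unix groups.

# Print the principals (user or %group) granted by sudoers file $1. Comments,
# blank lines, Defaults and alias definitions are skipped; files pulled in by
# #includedir are not followed, so run it on each file in /etc/sudoers.d too.
sudo_principals() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | grep -E '^[[:space:]]*%?[A-Za-z0-9_.@-]+[[:space:]]+[^=]+=' \
        | grep -Ev '^[[:space:]]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)' \
        | awk '{print $1}'
}

# Exit 0 when USER ($2), or any group in GROUPS ($3, space separated, as printed
# by `id -nG USER`), is granted by sudoers file $1. Exit 1 otherwise.
user_has_sudo() {
    file="$1"; user="$2"; groups="$3"
    for p in $(sudo_principals "$file"); do
        case "$p" in
            "$user") return 0 ;;
            %*) for g in $groups; do [ "$g" = "${p#%}" ] && return 0; done ;;
        esac
    done
    return 1
}

# Print a drop-in granting a group full sudo. Granting an AD group instead of
# editing /etc/sudoers per user keeps admin membership managed in AD.
sudo_fragment_for_group() { printf '%%%s ALL=(ALL) ALL\n' "$1"; }

# Install a drop-in into /etc/sudoers.d only if visudo accepts its syntax;
# a malformed sudoers file locks everyone out of sudo on that host.
install_sudo_fragment() {
    name="$1"; content="$2"; tmp=$(mktemp)
    printf '%s\n' "$content" > "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"; rc=$?
    else
        echo "refusing to install $name: visudo rejected it" >&2; rc=1
    fi
    rm -f "$tmp"; return $rc
}
```

A sudoers entry only applies to the host it is installed on: the “Log On To” restriction in AD decides where a user may log in, and the sudoers file on each server decides what that user may do once there.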




END

