
Thinanywhere and winbind

We have installed the Thinanywhere product on a Red Hat Enterprise 5 box. When we try to connect to Thinanywhere we get an "Invalid login" returned.

Our Linux environment uses Winbind to authenticate against our AD environment so we have not created a shadow file on any of the local machines.

Has anyone been successful in deploying this product in a similar environment?
1 Solution
Check the steps given below in case you have missed anything...

Preliminary Windows procedures
1> Download Windows Services for UNIX Version 3.5 (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=896c9688-601b-44f1-81a4-02878ff11778&displaylang=en).

2> Authenticate to the domain controller as a user that has schema admin rights.

3> Take note of the structure of your directory service. Specifically, we are looking to note the location of your user and group objects. These objects are often located in a container similar to the following:
   CN=UserContainer,DC=NetBIOSDomain,DC=DNSDomain,DC=DNSSuffix
   or CN=UserContainer,DC=DNSDomain,DC=DNSSuffix
   For example: CN=Users,DC=LanRx,DC=com or CN=Users,DC=LanRxDomain,DC=LanRx,DC=com

4> Extract the files from Microsoft's Services for Unix 3.5 to a location such as c:\temp\sfu

5> Run c:\temp\sfu\setup.exe to install the Services for Unix software
   - Accept the standard installation
   - Where prompted for "security settings", leave both boxes blank
   - Where prompted for "username mapping" select "Local Username Mapping Server" and subsequently "Network Information Services"
   - Select the Windows Domain Name
   - Reboot server when complete

6> Create a basic user for the LDAP bind. We recommend that you set the password to not expire, and that the user not be allowed to change the password. This account should be used only for binding the Linux device to the Active Directory.

Linux integration

1> rpm -Uvh nss_ldap-207-6.i386.rpm to install the new NSS_LDAP package

2> mv /etc/ldap.conf /etc/ldap.orig to backup your existing /etc/ldap.conf file.

3> vi /etc/ldap.conf to create your ldap.conf file.
Write the following lines in the ldap.conf file. These lines will provide the mapping for the PAM/NSS objects to pull the appropriate Unix POSIX attributes out of Active Directory in a manner that can be used by the PAM modules.

   host ip_of_your_ads
   base cn=Users,dc=lanrx,dc=com
   binddn cn=dirsearch,cn=Users,dc=lanrx,dc=com
   bindpw D1rectory
   scope sub
   ssl no
   nss_base_passwd cn=Users,dc=lanrx,dc=com?sub
   nss_base_shadow cn=Users,dc=lanrx,dc=com?sub
   nss_base_group cn=Users,dc=lanrx,dc=com?sub
   nss_map_objectclass posixAccount user
   nss_map_objectclass shadowAccount user
   nss_map_attribute uid sAMAccountName
   nss_map_attribute uidNumber msSFU30UidNumber
   nss_map_attribute gidNumber msSFU30GidNumber
   nss_map_attribute loginShell msSFU30LoginShell
   nss_map_attribute gecos name
   nss_map_attribute userPassword msSFU30Password
   nss_map_attribute homeDirectory msSFU30HomeDirectory
   nss_map_objectclass posixGroup Group
   nss_map_attribute uniqueMember msSFU30PosixMember
   nss_map_attribute cn cn
   pam_login_attribute sAMAccountName
   pam_filter objectclass=user
   pam_member_attribute msSFU30PosixMember
   pam_groupdn cn=unixusergroup,dc=lanrx,dc=com
   pam_password ad

Above, notice the line for pam_groupdn. It specifies that any user to gain access to this server needs to be a posixMember of this particular user group. Upon successful authentication, the system will verify that the authenticated user is a member of the appropriate group. If the user is a member, authentication will occur. If the user is not a member, the system will notify the user that he needs to be a member of the specified group to authenticate entirely.

4> vi /etc/nsswitch.conf  and write the following lines

shadow: files ldap
passwd: files ldap
group: files ldap

5> Run authconfig to perform the configuration of "Pluggable Authentication."
 a.) Select LDAP to provide NSS information
 b.) Select "Use LDAP"
 c.) In the "Server" field, confirm that the IP address of the domain controller appears. Note: Do NOT select TLS. TLS is not supported with Active Directory until Certificate Services is installed. It is possible to leverage TLS within this infrastructure, but outside the scope of this document.
 d.) In the "BaseDN:" field, add the location of your user accounts to have access to this device i.e. "cn=Users,dc=ad,dc=lanrx,dc=com"
 e.) Click Next
 f.) Select LDAP to provide authentication
 g.) Select "Use Shadow Passwords"
 h.) Select "Use MD5 Passwords"
 i.) Select "Use LDAP Authentication"
 j.) Server should be prepopulated with the domain controller
 k.) BaseDN should also be prepopulated with the user location
 l.) Select OK

6> This process writes the /etc/pam.d/system-auth file. Once this process has been completed, you will want to prepend the following line into the system-auth file prior to the account components. Note: This line provides us with the ability to authenticate locally as superuser in the event of a network failure.
      account sufficient /lib/security/pam_localuser.so

Active Directory object management

As is the case with any other authentication mechanism, we need to configure the user objects for the users that are to use the system. However, if you are implementing this solution, more than likely your users already have Windows accounts. In that case, all we need to do is to modify the objects to be POSIX compliant.

   1. Open the Active Directory Users and Groups management tool.
      a.) Modify a group object to function as a POSIX group.
      b.) Right-click on the user group for assignment of a GID.
      c.) Click on the Unix Attributes tab.
      d.) Populate the NIS Domain dropdown and the GID number as appropriate.
   2. Modify a user object to function as a POSIX user.
      a.) Locate and activate the tab that says Unix Settings.
      b.) Under Unix Settings, set the UID and GID for the user, as well as the home directory location (on the Linux filesystem /home/). Note: You will need to ensure that the directory exists with the appropriate user object having access to the directory.
      c.) Reset the user's password. This causes the AD password and the Unix password attributes to synchronize.
   3. Add the user as a Unix member of the group.
      a.) After you have added the user as a Unix user, you will also need to come back to the group properties and add the user as a member on the Unix Attributes tab. Otherwise, the user will not be populated in the msSFU30PosixMember attribute.
   4. This user should now be able to authenticate onto the Linux machine via any desired mechanism, including an SSH session.

Note: One thing that can sometimes cause problems authenticating is to have the POSIX home directory be unavailable or not exist. Either you can create the directory manually, or you can run a script to collect the home directories and ensure that the directory exists.

Good Luck.
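The following is an added example and is not code from the answer above, from Thinanywhere, or from nss_ldap itself. It simulates offline what the nss_map_* lines and the pam_groupdn directive in that ldap.conf do once the Unix Attributes have (or have not) been set in AD: an AD user entry is turned into the passwd(5) record nss_ldap would return, and the msSFU30PosixMember check that pam_groupdn triggers is applied. The ldap.conf fragment, the LDIF entries and the names jdoe, asmith, bbrown and unixusergroup are all constructed for illustration.

```python
"""Added example, not code from the answer above: offline simulation of what the
nss_map_* and pam_groupdn directives in that ldap.conf do with AD users that
carry SFU 3.5 attributes. All config, LDIF entries and names are constructed."""
import re

LDAP_CONF = """\
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute homeDirectory msSFU30HomeDirectory
pam_member_attribute msSFU30PosixMember
pam_groupdn cn=unixusergroup,dc=lanrx,dc=com
"""
# Constructed LDIF as ldapsearch might return it: USER has the Unix Attributes tab
# filled in and is in the group, OUTSIDER has the attributes but is not in the
# group, NOUNIX is a plain Windows account with no UID/GID/home/shell at all.
USER_LDIF = """\
dn: CN=John Doe,CN=Users,DC=lanrx,DC=com
objectClass: user
sAMAccountName: jdoe
name: John Doe
msSFU30UidNumber: 10001
msSFU30GidNumber: 10000
msSFU30HomeDirectory: /home/jdoe
msSFU30LoginShell: /bin/bash
"""
OUTSIDER_LDIF = (USER_LDIF.replace("John Doe", "Al Smith")
                 .replace("jdoe", "asmith").replace("10001", "10002"))
NOUNIX_LDIF = ("\n".join(USER_LDIF.splitlines()[:4])
               .replace("John Doe", "Bo Brown").replace("jdoe", "bbrown"))
GROUP_LDIF = """\
dn: CN=unixusergroup,DC=lanrx,DC=com
objectClass: group
cn: unixusergroup
msSFU30PosixMember: CN=John Doe,CN=Users,DC=lanrx,DC=com
"""
MAP_KEYS = ("nss_map_attribute", "nss_map_objectclass")
PASSWD_FIELDS = ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")


def parse_ldap_conf(text):
    """Collect directives; nss_map_* lines become {posix name: AD name} dicts."""
    conf = {key: {} for key in MAP_KEYS}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] in MAP_KEYS:
            conf[parts[0]][parts[1]] = parts[2]
        else:
            conf[parts[0]] = line.split(None, 1)[1]
    return conf


def parse_ldif(text):
    """Minimal single-entry LDIF parser: lower-cased attribute names, list values."""
    entry = {}
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.strip():
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def to_passwd(entry, conf):
    """The passwd(5) line nss_ldap would hand to getpwnam(), or None when the entry
    is not a mapped posixAccount or lacks a mapped attribute ('Invalid login')."""
    want_oc = conf["nss_map_objectclass"].get("posixAccount", "posixAccount").lower()
    if want_oc not in (oc.lower() for oc in entry.get("objectclass", [])):
        return None
    values = []
    for field in PASSWD_FIELDS:
        ad_attr = conf["nss_map_attribute"].get(field, field).lower()
        if ad_attr not in entry:
            return None
        values.append(entry[ad_attr][0])
    uid, uidnum, gidnum, gecos, home, shell = values
    return f"{uid}:x:{uidnum}:{gidnum}:{gecos}:{home}:{shell}"  # "x": shadow is separate


def normalize_dn(dn):
    """AD DNs compare case-insensitively; also drop whitespace around the commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def pam_groupdn_allows(user_entry, group_entry, conf):
    """The pam_groupdn check: the user's DN must be listed in pam_member_attribute of
    the group whose DN equals pam_groupdn. No directive means no restriction."""
    if "pam_groupdn" not in conf:
        return True
    if normalize_dn(group_entry["dn"][0]) != normalize_dn(conf["pam_groupdn"]):
        return False
    member_attr = conf.get("pam_member_attribute", "uniqueMember").lower()
    members = {normalize_dn(m) for m in group_entry.get(member_attr, [])}
    return normalize_dn(user_entry["dn"][0]) in members


def simulate_login(user_ldif, conf=None):
    """NSS lookup first, then the PAM group check, in the order a login sees them."""
    conf = conf or parse_ldap_conf(LDAP_CONF)
    user, group = parse_ldif(user_ldif), parse_ldif(GROUP_LDIF)
    if to_passwd(user, conf) is None:
        return "invalid login: no POSIX attributes on the AD object"
    if not pam_groupdn_allows(user, group, conf):
        return "denied: not a member of " + conf["pam_groupdn"]
    return "ok"
```

On a real box the equivalent check is `getent passwd jdoe` (or `id jdoe`): if that prints nothing, the AD object is missing one of the mapped msSFU30 attributes and no PAM setting will rescue the login. Two practitioner caveats: nss_ldap needs /etc/ldap.conf world-readable, so a cleartext `bindpw` there is visible to every local user; nss_ldap and pam_ldap support `rootbinddn` with the password kept in /etc/ldap.secret (mode 0600) instead. And with `ssl no` the bind password and all lookups travel in the clear to the domain controller, so treat that as a lab setting until TLS is in place.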