Authenticating Windows domain users on Linux Notebooks

Svedrin

2015-09-24 21:10

If you're working on a Linux notebook in an Active Directory environment and frequently accessing file shares, you'll soon find yourself annoyed by typing your password all the time. At least, I did. I thought it would be cool to use Kerberos (it is designed for just that use case), but completely rewiring my laptop's auth system to auth using Kerberos wouldn't work because when I'm on the move, there won't be no Domain Controller available, so I wouldn't be able to log in. This is obviously not acceptable.

I came up with a solution that works for me pretty well: My domain user and my local user have the same username and password. I chose to keep it that way, and just instruct PAM to try to reach the DC, and if successful, acquire a Kerberos ticket using the password I just entered. In case this worked, I'd have a Kerberos ticket for my session that I could then use to access file shares or kerberized web servers.

The setup is actually pretty simple. Join the domain, apt-get install libpam-krb5, and put the following lines at the very end of /etc/pam.d/common-auth:

# http://ubuntuforums.org/showthread.php?t=1205604
# skip the next 2 modules, UNLESS we have uid = 1000
auth   [default=2 success=ignore]      pam_succeed_if.so quiet uid eq 1000
# skip the next module, UNLESS we can ping the domain controller
auth    [default=1 success=ignore]     pam_exec.so quiet /bin/ping -c1 -w1 10.5.0.1
# login using kerberos and ignore failures
auth   [authinfo_unavail=ignore success=ok new_authtok_reqd=ok default=ignore] pam_krb5.so use_first_pass minimum_uid=999

This code will get you a Kerberos ticket whenever you're logging in as user id 1000 (to prevent breaking the login for root) and the DC is within reach (to prevent breaking login when you're on the move).

You can easily test this setup by running (as your user):

svedrin@damien:~$ su svedrin
Password:
svedrin@damien:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_sBIZIb
Default principal: svedrin@LOCAL.LAN

Valid starting       Expires              Service principal
24.09.2015 21:08:16  25.09.2015 07:08:16  krbtgt/LOCAL.LAN@LOCAL.LAN
        renew until 25.09.2015 21:08:16

Note that I'd always recommend using the DC's IP address in the ping command because a DNS name won't resolve when your DNS server is out of reach.