2012/10/18

Using Windows (Active Directory) passwords for Ubuntu

For various auditing reasons, we have centralized our passwords into our Active Directory environment. (Also because everybody gets a Windows account, and AD can easily enforce password changes, strong passwords, etc).

Most of our Linux systems are RHEL, and it's very easy to have them use AD for its password store, via kickstart. In the Kickstart file, set the "auth" options to include "--enablekrb5 --krb5kdc=winDC.your.dom.ain:88 --krb5adminserver=winDC.your.dom.ain:749 --krb5realm=YOUR.DOM.AIN"

But of course, Ubuntu doesn't use Kickstart, and if I had many Ubuntu machines to deploy I'd figure out how to set it up automatically. In the mean time, it's not too hard.

sudo apt-get install libpam-krb5 krb5-user
kinit myusername # Check that things work
sudo pam-auth-update # Tell PAM that you want both KRB and local authentication
ssh localhost # Use your windows password to log in
And then go in and change your /etc/shadow entry to lock out the password you initially set for your username, by changing the encrypted string to *KRB*.

No comments: