FreeNX and MS Active Directory

I have managed to set up FreeNX to work quite smoothly with MS Active Directory authentication. Here are few steps to be done (assuming Fedora Core 5 as a FreeNX server):

1. Make the linux server where FreeNX will be installed an AD member

For this we will need samba and kerberos stuff which are either installed or easily retrieved with yum. So I will not bother describing on how to get packages :) If some configs mentioned below are missing, then obviously you are missing some packages
In /etc/samba/smb.conf:

[global]
netbios name = myhost
realm = mydomain.int
workgroup = mydomain
security = ADS
password server = pdc.mydomain.int bdc.mydomain.int
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = yes
encrypt passwords = yes
log level = 3 passdb:5 auth:10 winbind:5
template shell = /bin/bash

In /etc/krb5.conf

[libdefaults]
ticket_lifetime = 600
default_realm = mydomain.int
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
mydomain.int = {
kdc = pdc.mydomain.int:88
kdc = bdc.mydomain.int:88
admin_server = pdc.mydomain.int:749
default_domain = mydomain.int
}

[domain_realm]
.mydomain.int = pdc.mydomain.int
mydomain.int = pdc.mydomain.int

[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

This is enough to be a member of AD. Just make sure that smbd and winbindd are running. To join the domain, use net join ads command with required options (see net help join for more info)

2. Make domain users be able to login to linux server with SSH

I suppose there are many ways to do this, but I went with modifying the /etc/pam.d/ssh the next way

#%PAM-1.0
#auth include system-auth
#account required pam_nologin.so
#account include system-auth
#password include system-auth

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_unix.so use_first_pass shadow nullok
account sufficient /lib/security/pam_winbind.so
account required pam_nologin.so
account include system-auth
session include system-auth
session required pam_loginuid.so

and now make system look for AD users by modifying the /etc/nsswitch.conf to contain the next lines:

passwd: files winbind
shadow: files
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns winbind
From now on the system will allow domain users to login with SSH.

3. Make it work

Now just install freenx:

# yum install freenx

Optionally make it work with default nomachine keys (so that clients will have less configurations to do) by reconfiguring freenx:

# nxsetup --override --install --setup-nomachine-key --clean --purge)

start nxserver

# nxserver --start

create home for desired domain users

# mkdir /home/mydomain/myusername

and finally allow the user to use FreeNX

# nxserver --adduser mydomain+myusername

4. Troubleshooting
All problems are seen in log files under /var/log

5. Other benefits

The way the samba is configured now, it is very easy to add SQUID with NTLM auth ;) If you are interested in this - just let me know in the comments - I will post the samples of config files.

One thought on “FreeNX and MS Active Directory”

  1. Thank you for the explanation.
    I have everything working to login against the AD, and I can login with ssh, but I still can’t seem to get freenx to work with AD. The authentication seems to go OK, but then finally mysteriously fails.

    Do you have any ideas?

    Thanks,
    Mylo

    Here is the output from /var/log/secure and /var/log/messages:

    Jun 2 17:57:12 vmsvb63 sshd[19781]: Accepted publickey for nx from 10.0.0.99 port 1760 ssh2
    Jun 2 17:57:13 vmsvb63 sshd[19781]: pam_unix(sshd:session): session opened for user nx by (uid=0)
    Jun 2 17:57:16 vmsvb63 sshd[19917]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=mylo
    Jun 2 17:57:26 vmsvb63 nss_wins[19917]: pam_krb5[19917]: authentication succeeds for ‘mylo’ (mylo@STONE.COM)
    Jun 2 17:57:26 vmsvb63 nss_wins[19917]: pam_winbind(sshd:account): user ‘mylo’ OK
    Jun 2 17:57:26 vmsvb63 nss_wins[19917]: pam_winbind(sshd:account): user ‘mylo’ granted access
    Jun 2 17:57:26 vmsvb63 sshd[19917]: Accepted password for mylo from 127.0.0.1 port 60384 ssh2
    Jun 2 17:57:27 vmsvb63 sshd[19917]: pam_unix(sshd:session): session opened for user mylo by (uid=0)
    Jun 2 17:57:27 vmsvb63 sshd[19917]: pam_unix(sshd:session): session closed for user mylo

    ==> /var/log/messages /var/log/secure <==
    Jun 2 17:57:30 vmsvb63 sshd[19781]: pam_unix(sshd:session): session closed for user nx

Leave a Reply