I have managed to set up FreeNX to work quite smoothly with MS Active Directory authentication. Here are few steps to be done (assuming Fedora Core 5 as a FreeNX server):
1. Make the linux server where FreeNX will be installed an AD member
For this we will need samba and kerberos stuff which are either installed or easily retrieved with yum. So I will not bother describing on how to get packages :) If some configs mentioned below are missing, then obviously you are missing some packages
In /etc/samba/smb.conf:
[global]
netbios name = myhost
realm = mydomain.int
workgroup = mydomain
security = ADS
password server = pdc.mydomain.int bdc.mydomain.int
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = yes
encrypt passwords = yes
log level = 3 passdb:5 auth:10 winbind:5
template shell = /bin/bash
In /etc/krb5.conf
[libdefaults]
ticket_lifetime = 600
default_realm = mydomain.int
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
mydomain.int = {
kdc = pdc.mydomain.int:88
kdc = bdc.mydomain.int:88
admin_server = pdc.mydomain.int:749
default_domain = mydomain.int
}
[domain_realm]
.mydomain.int = pdc.mydomain.int
mydomain.int = pdc.mydomain.int
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
This is enough to be a member of AD. Just make sure that smbd and winbindd are running. To join the domain, use net join ads command with required options (see net help join for more info)
2. Make domain users be able to login to linux server with SSH
I suppose there are many ways to do this, but I went with modifying the /etc/pam.d/ssh the next way
#%PAM-1.0
#auth include system-auth
#account required pam_nologin.so
#account include system-auth
#password include system-auth
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_unix.so use_first_pass shadow nullok
account sufficient /lib/security/pam_winbind.so
account required pam_nologin.so
account include system-auth
session include system-auth
session required pam_loginuid.so
and now make system look for AD users by modifying the /etc/nsswitch.conf to contain the next lines:
passwd: files winbind
shadow: files
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns winbind
From now on the system will allow domain users to login with SSH.
3. Make it work
Now just install freenx:
# yum install freenx
Optionally make it work with default nomachine keys (so that clients will have less configurations to do) by reconfiguring freenx:
# nxsetup --override --install --setup-nomachine-key --clean --purge)
start nxserver
# nxserver --start
create home for desired domain users
# mkdir /home/mydomain/myusername
and finally allow the user to use FreeNX
# nxserver --adduser mydomain+myusername
4. Troubleshooting
All problems are seen in log files under /var/log
5. Other benefits
The way the samba is configured now, it is very easy to add SQUID with NTLM auth ;) If you are interested in this - just let me know in the comments - I will post the samples of config files.