It takes a lot to run a Cyber Defense Competition beyond just a large VMware cluster, and many of those systems aren’t Windows boxes. I’ve seen solutions to bind *nix boxes to Active Directory using Kerberos, but that wasn’t really necessary. Here’s a solution for Debian that only requires LDAP.
Note that this requires you to install Identity Management for UNIX on your domain controllers; see this Technet article for instructions on how to do it.
First, install the necessary packages:
apt-get install libnss-ldapd libpam-ldapd
Now edit /etc/nslcd.conf:
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://windc1.example.com ldap://windc2.example.com

# The search base that will be used for all queries.
base dc=example,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn email@example.com
bindpw <password>

# The DN used for password modifications by root.
# Leave this blank unless you want to allow password changes from your debian systems
# If so, you will need to place the password in /etc/ldap.secret - be sure it is only readable by root
#rootpwmoddn cn=admin,dc=example,dc=com

# The search scope.
scope sub

# Mappings for Active Directory
# This is the important bit; these fields match up with the fields added by Directory Services for UNIX
pagesize 1000
#referrals no
filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
# If you wish to override the shell given by LDAP, uncomment the next line
#map passwd loginShell "/bin/bash"
filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(gidNumber=*))
#map group gid member

# SSL options
tls_reqcert never
#ssl start_tls
#ssl on
#tls_cacertfile /etc/ssl/ca.pem
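Two things in that file deserve a second look before it goes on a production box: the bind password sits in clear text in nslcd.conf (so the file must stay readable by root and nslcd only), and as written the lookups go over plain ldap:// with `tls_reqcert never`, which means neither the bind credentials nor the directory answers are protected and the server certificate is never checked; the commented-out `ssl start_tls` and `tls_cacertfile` lines are where that gets fixed. The following script is an added example, not code from the original post: it parses an nslcd.conf-style file into its options, keeps the per-database `map` and `filter` entries apart, and reports those review points along with a check that the passwd and shadow filters really restrict results to UNIX-enabled accounts. The sample configuration embedded in it is a constructed copy of the post's file; the finding codes are my own names.

```python
"""Parse an nslcd.conf-style file and flag settings a defender should review.

Added example; not part of the original post. SAMPLE_NSLCD_CONF is a
constructed copy of the post's /etc/nslcd.conf, and the finding codes
(CLEARTEXT, NO_CERT_CHECK, ...) are names chosen for this example.
"""
from typing import Dict, List, Tuple

# Constructed sample mirroring the post's configuration (comments trimmed).
SAMPLE_NSLCD_CONF = """\
# /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://windc1.example.com ldap://windc2.example.com
base dc=example,dc=com
ldap_version 3
binddn email@example.com
bindpw <password>
scope sub
pagesize 1000
filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(gidNumber=*))
tls_reqcert never
#ssl start_tls
"""

Finding = Tuple[str, str]  # (code, human-readable message)


def parse_nslcd(text: str) -> Dict[str, List[str]]:
    """Return option -> list of argument strings, in file order.

    'map' and 'filter' are keyed as 'map passwd', 'filter group', etc.,
    so entries for different databases do not collide. Blank lines and
    lines starting with '#' are skipped.
    """
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0], parts[1:]
        if key in ("map", "filter") and len(parts) >= 2:
            key, args = f"{key} {parts[1]}", parts[2:]
        options.setdefault(key, []).append(" ".join(args))
    return options


def review(options: Dict[str, List[str]]) -> List[Finding]:
    """Report the settings a reviewer would question; last value of an option wins."""
    findings: List[Finding] = []
    uris = " ".join(options.get("uri", [])).split()
    ssl_mode = options.get("ssl", ["off"])[-1]
    if any(u.startswith("ldap://") for u in uris) and ssl_mode != "start_tls":
        findings.append(("CLEARTEXT",
                         "ldap:// without 'ssl start_tls': bind password and lookups "
                         "cross the network unencrypted"))
    if options.get("tls_reqcert", [""])[-1] == "never":
        findings.append(("NO_CERT_CHECK",
                         "tls_reqcert never: the domain controller's certificate is not verified"))
    if "bindpw" in options:
        findings.append(("BINDPW_IN_FILE",
                         "bindpw is stored in the file: keep nslcd.conf readable by root/nslcd only"))
    # The post's filters require both uidNumber and unixHomeDirectory, which is
    # what keeps non-UNIX-enabled AD accounts out of passwd/shadow lookups.
    for db in ("passwd", "shadow"):
        flt = options.get(f"filter {db}", [""])[-1]
        if "(uidNumber=*)" not in flt or "(unixHomeDirectory=*)" not in flt:
            findings.append((f"FILTER_{db.upper()}",
                             f"filter {db} does not restrict results to UNIX-enabled accounts"))
    return findings


if __name__ == "__main__":
    for code, msg in review(parse_nslcd(SAMPLE_NSLCD_CONF)):
        print(f"{code:15} {msg}")
```

Run against the post's file the script reports the clear-text transport, the unverified certificate and the stored bind password, but passes the passwd and shadow filters. Uncommenting `ssl start_tls` and changing `tls_reqcert never` to `demand` (with a `tls_cacertfile` pointing at the domain CA) clears the first two; the third is inherent to binding with a password and is handled with file permissions.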
Then edit /etc/nsswitch.conf so that passwd, group and shadow are looked up in the local files first and then in LDAP:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns ldap
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Make sure LDAP authentication is enabled by running
In /etc/pam.d/common-session add the following at the bottom of the file:
# make home directories
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
This umask will prevent users from reading each others’ home directories. If you’d prefer to be more open, use umask=0022 instead.
If you wish to restrict who can log in, edit /etc/pam.d/sshd and uncomment the following line:
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account required pam_access.so
You can do the same in /etc/pam.d/login for console logins.
Then edit /etc/security/access.conf and add the following lines at the bottom:
# these users can always log in
+ : root : ALL
+ : localadmin : ALL
# anyone in the local ssh-users group can log in
+ : (ssh-users) : ALL
# deny everyone else
- : ALL : ALL
Be sure to add users to the ssh-users group in /etc/group.
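pam_access reads access.conf top to bottom and stops at the first line whose user field and origin field both match, so the order matters: the two named accounts and the `(ssh-users)` group line must come before the closing `- : ALL : ALL`, and it is that final deny line that turns the file into an allow-list; without it an AD user who is not in ssh-users would still get in, because pam_access permits access when no line matches. The script below is an added example, not code from the original post, that evaluates rules with exactly those semantics so you can check a file before relying on it. It is deliberately simplified: it recognises `ALL`, plain user names and `(group)` entries, but not `EXCEPT` clauses, bare group names, `LOCAL` or network masks. The rule text is the post's; the group table standing in for /etc/group and the user names in it are constructed for the example.

```python
"""First-match evaluator for /etc/security/access.conf rules (pam_access style).

Added example; not part of the original post. ACCESS_CONF repeats the post's
rules; GROUPS is a constructed stand-in for the local group database. Only
ALL, user names and (group) entries are supported (no EXCEPT/LOCAL/netmasks).
"""
from typing import Dict, List, Optional, Set, Tuple

ACCESS_CONF = """\
# these users can always log in
+ : root : ALL
+ : localadmin : ALL
# anyone in the local ssh-users group can log in
+ : (ssh-users) : ALL
# deny everyone else
- : ALL : ALL
"""

# Constructed group membership; on a real host this comes from /etc/group.
GROUPS: Dict[str, Set[str]] = {
    "ssh-users": {"alice", "localadmin"},
    "ldap-staff": {"alice", "bob"},   # an AD-sourced group; not granted access
}

# (permit?, user-field items, origin-field items)
Rule = Tuple[bool, List[str], List[str]]


def parse_access_conf(text: str) -> List[Rule]:
    """Turn 'perm : users : origins' lines into Rule tuples, keeping file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def user_matches(item: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    """ALL matches anyone; (name) is a group lookup; anything else is a user name."""
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return user in groups.get(item[1:-1], set())
    return item == user


def origin_matches(item: str, origin: str) -> bool:
    """Simplified origin match: ALL or an exact host/tty string."""
    return item == "ALL" or item == origin


def is_allowed(user: str, origin: str, rules: List[Rule],
               groups: Dict[str, Set[str]]) -> Optional[bool]:
    """Return the verdict of the first matching rule; None if no rule matches
    (pam_access grants access in that case, which is why the file ends with a deny)."""
    for permit, users, origins in rules:
        if any(user_matches(u, user, groups) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return permit
    return None


if __name__ == "__main__":
    parsed = parse_access_conf(ACCESS_CONF)
    for who in ("root", "localadmin", "alice", "bob"):
        print(f"{who:12} -> {is_allowed(who, '10.0.0.5', parsed, GROUPS)}")
```

In the constructed table alice is in ssh-users and bob is only in an AD group, so alice is permitted and bob is refused by the final line; dropping that line makes bob's result `None`, i.e. allowed.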
Reboot (or restart nslcd, nscd, and sshd) and you should be good to go!