We have a number of compliance obligations at the grind and need to keep our AD implementation tight: passwords have got to expire within 60 days, you've got to choose unique passwords with a certain number of uppercase and lowercase alphanumeric characters, special characters, et cetera. Nothing groundbreaking here.
...and oh, yeah: those compliance requirements actually apply to all of the accounts in your environment. We run VMWare ESX server, and a few other services that run on Linux and Unix distributions, so...
How in the world do we enforce our password domain policies on Linux boxes?
I mean, come on, everyone just logs into the console as root anyway, right?
Well simple, join 'em to the domain, stupid. I googled this for months before someone finally clued me into a great product: LikeWiseOpen.
If you google'd it as much as I did you'd see a lot of people want you to install PAM modules and screw around with the guts of Linux. I had no luck with it until I found this product. (In the interests of full disclosure: Linux is not my first language - I'm a Microsoft guy.)
Assuming you've met the licensing requirements to use their product this is how you'd install it on say, an ESX host running whatever Red Hat distribution VMWare is using these days:
- Review the licensing, usage, and legal requirements for LikeWiseOpen's download.
- Copy it to your Linux box. The file you're copying will be called something to the effect of LikewiseOpen-22.214.171.12421-linux-i386-rpm-installer. For the sake of this example let's say you choose to copy it to /CoolProducts/likewiseopen/.
- Grant execute rights via chmod a+x /CoolProducts/likewiseopen/*
- Run the installer: /CoolProducts/likewiseopen/Likewise*
- Let's say you were joining the Linux box to the ryanboyer.net domain using the Tallarico user account in that domain: /usr/centeris/bin/domainjoin-cli join ryanboyer.net tallarico
- I generally will execute the “domainjoin-cli” command twice until the only feedback generated is “SUCCESS”.
- If applicable stop the likewiseopen service via this console command: service likewise-open stop
- Add the following line to /etc/samba/lwiauthd.conf: winbind use default domain = yes
- Now restart likewiseopen via service likewise-open stop then service likewise-open start.
- Modify sudo access:
Input sudo visudo which will take you into vi (the only way to edit sudoers). I use nano as a text editor wherever I can (again - I'm a lowly Microsoft guy), but here's how to navigate vi for sudo modification:
Hit i to enter insert mode then append the document with the following lines:
%RYANBOYER.NET\\CritterClub ALL=(ALL) ALL
%RYANBOYER.NET\\Domain^Admins ALL=(ALL) ALL
Where "%%RYANBOYER.NET" is the name of the domain. Note that the domain group Domain Admins has been modified with a carat (^) instead of a space. The CritterClub is any domain group you choose to create to govern who can log into your Linux machines. Use your imagination.
- Once the sudoers file has been correctly appended you may save and close the file by exiting “insert” mode with the ESC key then mashing ZZ. Again - mashing ZZ when you're in the unforgiving vi interface saves the file, so if you do not wish to save the file exit out of “insert” mode with ESC then mash these three keys (colon, ‘q’, exclamation point) like this: :q!
- Again - if you screw something up when editing sudoers (which allows you to specify people cool enough to jump up to root in the Linux world you'll want to mash ESC then :q! a lot. A lot.
- Edit the /etc/security/pam_lwidentity.conf on the Linux box (i.e. using the command nano /etc/security/pam_lwidentity.conf if you are as vi-challenged as me). Uncomment the line starting with require_membership_of and modify it like so:
require_membership_of = Domain Admins,CritterClub
Here’s a quick primer on editing text files in the Red Hat distribution found on ESX boxes:
For example the pam_lwidentity.conf file can be edited by inputting nano /etc/security/pam_lwidentity.conf then making your changes. Once ready to finalize simultaneously mash Ctrl and X then follow onscreen prompts to save as the appropriate file name.
I believe ESX boxes wisely deny establishing SSH sessions via root by default. So now I can puTTY into Linux/ESX boxes with the username tallarico and my Active Directory domain password for the domain account, "tallarico".
Lastly don't forget to move the computer object to the appropriate OU from your Active Directory Users and Computers console.