
Enabling privilege escalation for all users belonging to an Active Directory Group in GravityZone

This article explains how to configure the GravityZone appliance to allow Active Directory users to log in to the configuration interface with root privileges.

Configure the appliance hostname and domain name

The Active Directory (AD) technology depends on proper DNS names. Therefore, make sure the GravityZone virtual appliance has the hostname and the domain name configured correctly.

To configure the hostname settings:

  1. Access the GravityZone virtual appliance console from your virtualization management tool (for example, vSphere Client).
  2. From the main menu, select Configure Hostname Settings.
  3. Enter the hostname of the appliance and the Active Directory domain name.
  4. Select OK to save the changes.
  5. Reboot the appliance once configured.

Install the required packages

This KB article uses Samba to enable the Active Directory integration. Thus, you need to install these packages:

# apt-get install krb5-user winbind samba ntp

Configure Kerberos

Modify the file /etc/krb5.conf as in the following example:

[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = EXAMPLE.LOCAL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        EXAMPLE.LOCAL = {
                kdc = adserver.example.local
                admin_server = adserver.example.local
                default_domain = EXAMPLE.LOCAL
        }

[domain_realm]
        .adserver.example.local = EXAMPLE.LOCAL
        adserver.example.local = EXAMPLE.LOCAL
        .kerberos.server = EXAMPLE.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false

Configure Samba

Modify the file /etc/samba/smb.conf as in the following example:

[global]
        log file = /var/log/samba/log.%m
        max log size = 1000
        security = ADS
        realm = EXAMPLE.LOCAL
        password server = 192.168.1.2
        workgroup = EXAMPLE
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = true
        winbind use default domain = yes
        restrict anonymous = 2

Configure the Name Service Switch

Modify the file /etc/nsswitch.conf as in the following example:

passwd:         compat  winbind
group:          compat  winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Configure the NTP daemon

Change the time synchronization server to the AD server. Modify /etc/ntp.conf as in the following example:

...
server dc.example.local
...

Stop the NTP daemon:

# service ntp stop

Force a time synchronization:

# ntpdate dc.example.local

Restart the NTP daemon:

# service ntp start

Configure PAM

In Ubuntu 12.04 LTS and newer, the winbind package does most of the configuration work. However, there are some non-default options that should be present to facilitate the login.

To configure these options, add the following line in both /etc/pam.d/common-session and /etc/pam.d/sshd:

session    required    pam_mkhomedir.so    skel=/etc/skel/ umask=0022

Restart winbind

# service winbind restart

Join the appliance in the domain

# net ads join -U [email protected]

Reconfigure the SSH daemon

Make sure the SSH daemon allows all users to log in, except root:

...
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
...

This will also disable the restriction for bdadmin.

Configure sudo

Using the command visudo, enable privilege elevation for a specific group. For example:

%vcservicesadmin ALL=(ALL) ALL

You can now connect through SSH to the GravityZone appliance using a domain user:

$ ssh EXAMPLE\\[email protected]

The home directory is created automatically on first login, and the user can gain root privileges through sudo, provided they belong to the right group.
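As an added check that is not part of this article, the following shell script lists which users can reach root through sudoers group grants, resolving each %group the way sudo does (through NSS, which is winbind for domain groups). The sudoers text and the getent output are constructed samples; on the appliance, feed it the real /etc/sudoers content and the output of getent group instead.

```shell
#!/bin/sh
# Added example, not from the KB: list every user who can reach root through
# a sudoers group grant, resolving %group names the way sudo does (through
# NSS, i.e. winbind for domain groups). Both inputs below are constructed
# samples; on the appliance use "cat /etc/sudoers /etc/sudoers.d/*" and
# "getent group" instead.

# Constructed sudoers text: the KB's grant plus a NOPASSWD grant and a
# grant for a group that winbind does not resolve.
SUDOERS_SAMPLE='# /etc/sudoers (constructed sample)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%vcservicesadmin ALL=(ALL) ALL
%admin          ALL=(ALL) NOPASSWD: ALL
%sysops         ALL=(ALL) ALL'

# Constructed "getent group" output as winbind prints it with
# "winbind use default domain = yes" (no EXAMPLE\ prefix on names).
GETENT_SAMPLE='vcservicesadmin:x:10005:alice,bob
admin:x:1001:carol'

# root_capable_users SUDOERS_TEXT GETENT_TEXT
# Prints one sorted line per member: "<group> <user> <password|no-password>",
# or "<group> (unresolved) ..." when the group is unknown to NSS.
root_capable_users() {
    { printf '%s\n' "$2"; printf '__SUDOERS__\n'; printf '%s\n' "$1"; } |
    awk '
        /^__SUDOERS__$/ { insudo = 1; next }
        !insudo {                                   # group database section
            split($0, f, ":")                       # name:pw:gid:members
            if (f[1] != "") members[f[1]] = f[4]
            next
        }
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blanks
        $1 ~ /^%/ {                                 # %group grant lines
            g = substr($1, 2)
            pw = ($0 ~ /NOPASSWD/) ? "no-password" : "password"
            if (!(g in members)) { print g, "(unresolved)", pw; next }
            m = split(members[g], u, ",")
            for (j = 1; j <= m; j++) if (u[j] != "") print g, u[j], pw
        }' | sort
}

root_capable_users "$SUDOERS_SAMPLE" "$GETENT_SAMPLE"
```

An "(unresolved)" line means the grant names a group that NSS cannot look up, which on this appliance usually points at the nsswitch or winbind configuration rather than at sudo.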
