OS

How to Prevent Local Authentication with Active Directory on Linux

Configure PAM to prevent local authentication when Active Directory integration is enabled on Linux servers. Learn Samba/winbind settings and security best practices.

4 answers 1 view

How to prevent local system user authentication when Active Directory integration is enabled on a Linux server?

I’m integrating a Linux server into an Active Directory domain. While domain authentication works correctly, I’ve noticed that users can also authenticate using local system accounts that have the same username as their AD accounts. This creates a security concern as it allows bypassing centralized AD authentication controls.

What configuration options or system settings can be used to disable local authentication for users who have corresponding accounts in Active Directory? Alternatively, is it necessary to disable local system accounts entirely at the system level to prevent this behavior?

Additionally, could you recommend comprehensive documentation or resources that cover the nuances and best practices for Linux-Active Directory integration?

Preventing local authentication when Active Directory integration is enabled on Linux requires proper configuration of the Pluggable Authentication Modules (PAM) stack to prioritize domain authentication over local authentication methods. The key is to reorder pam_winbind modules before pam_unix modules in PAM configuration files, ensuring that Active Directory authentication is attempted first and local authentication is disabled for users with corresponding AD accounts.

Contents

Understanding Linux Authentication with Active Directory Integration

Linux authentication systems have evolved significantly over the years, particularly with the integration of Microsoft Active Directory domains. When a Linux server is joined to an Active Directory domain, typically through Samba’s winbindd service, the system gains the ability to authenticate users against the domain controller rather than relying solely on local user accounts.

The authentication flow in a Linux-AD integrated environment involves several components working together:

  • Pluggable Authentication Modules (PAM): A flexible authentication framework that allows system administrators to choose how applications authenticate users
  • Samba/winbind: The bridge between Linux systems and Windows domains, handling user and group information from Active Directory
  • NSS (Name Service Switch): Resolves user and group names to identifiers (UIDs and GIDs) using various sources

By default, when Active Directory integration is enabled on Linux, the system often allows authentication through both AD and local accounts. This means a user with a username that exists both in Active Directory and as a local account on the Linux server can authenticate using either method. This dual authentication capability creates security vulnerabilities as it allows bypassing centralized AD controls and policies.

Understanding this default behavior is crucial for implementing proper security controls. The authentication order and priority are determined by the PAM configuration, not by the Samba or winbindd configuration files themselves. This is a common point of confusion for administrators who expect the domain integration to automatically restrict authentication to the domain only.

The Problem: Local Authentication Bypassing AD Controls

The security concern you’ve identified is valid and represents a significant vulnerability in many Linux-AD integrated environments. When local accounts exist with usernames matching AD accounts, attackers or unauthorized users can potentially authenticate using these local credentials, completely bypassing the centralized authentication controls and auditing capabilities provided by Active Directory.

This problem manifests in several scenarios:

  1. Legacy Local Accounts: Local accounts created during system setup or previous administration tasks that coincidentally match AD usernames
  2. Same Username Collision: When an administrator creates a local account with the same username as an AD account without realizing the implications
  3. Fallback Authentication: Systems configured to try local authentication as a fallback when AD authentication fails

The implications of this vulnerability include:

  • Security Policy Bypass: Users can circumvent AD password policies, account lockout policies, and other security controls
  • Auditing Gaps: Authentication events may not be properly logged in AD, reducing visibility into user activities
  • Access Control Inconsistencies: Users may have different permissions and privileges when authenticating locally versus through AD
  • Compliance Issues: Many regulatory frameworks require centralized authentication, which is undermined by local authentication fallbacks

This behavior occurs because the default PAM configuration in many Linux distributions attempts multiple authentication methods. When a user presents credentials, the system may try local authentication first, or it may try both AD and local authentication in parallel, allowing either to succeed.

The critical insight here is that this issue is not resolved through Samba or winbindd configuration alone. The control over authentication order and priority lies within the PAM stack configuration, specifically in files like /etc/pam.d/common-auth, /etc/pam.d/common-account, and application-specific PAM configuration files.

Addressing this vulnerability requires a deliberate reconfiguration of the PAM stack to prioritize AD authentication and disable local authentication for users with corresponding AD accounts. This ensures that only domain-controlled authentication is permitted, maintaining the security and administrative benefits of Active Directory integration.

Configuring PAM to Prevent Local Authentication

Preventing local authentication when Active Directory integration is enabled requires careful configuration of the Pluggable Authentication Modules (PAM) stack. The solution involves reordering the PAM modules so that pam_winbind is prioritized over pam_unix, effectively making Active Directory the primary authentication method.

Step-by-Step PAM Configuration

  1. Identify PAM Configuration Files
    The primary files that control authentication behavior are:
  • /etc/pam.d/common-auth - Controls authentication for most services
  • /etc/pam.d/common-account - Controls account validation
  • /etc/pam.d/common-password - Controls password management
  • /etc/pam.d/common-session - Controls session management
  • Service-specific files like /etc/pam.d/sshd for SSH
  1. Modify Authentication Stack
    In /etc/pam.d/common-auth, ensure the following order:
# /etc/pam.d/common-auth

# First, try to authenticate against the Active Directory
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure try_first_pass

# Fallback to other authentication methods if needed

The key here is placing pam_winbind.so before pam_unix.so and using the sufficient control flag for winbind. This means if winbind authentication succeeds, the system won’t proceed to try local authentication.

  1. Configure Account Validation
    In /etc/pam.d/common-account:
# /etc/pam.d/common-account

# Check account against Active Directory
account [default=ignore] pam_winbind.so
account required pam_unix.so
  1. Password Configuration
    In /etc/pam.d/common-password:
# /etc/pam.d/common-password

# Use winbind for password changes
password sufficient pam_winbind.so
password required pam_unix.so try_first_pass use_authtok nullok_secure shadow md5
  1. SSH-Specific Configuration
    For SSH authentication specifically, modify /etc/pam.d/sshd:
# /etc/pam.d/sshd

auth sufficient pam_winbind.so
auth required pam_unix.so

Advanced PAM Configuration Options

For more restrictive environments, you can configure PAM to completely prevent local authentication for users with AD accounts:

  1. Use pam_mkhomedir.so:
# Create home directories for AD users
session required pam_mkhomedir.so skel=/etc/skel umask=0022
  1. Configure pam_winbind Parameters:
auth sufficient pam_winbind.so use_first_pass
  1. Remove or Reorder pam_unix Modules:
    In some cases, you may need to completely remove pam_unix modules from the authentication stack or place them after pam_winbind with the sufficient flag.

Verification Steps

After making these changes, verify the configuration:

  1. Test Authentication:
bash
# Test AD authentication
kinit your-ad-user@YOUR.DOMAIN.COM

# Test login with AD credentials
ssh your-ad-user@localhost
  1. Check Authentication Logs:
bash
# Check system logs for authentication events
grep "authentication" /var/log/auth.log
  1. Verify PAM Stack:
bash
# Check which PAM modules are being used
pamtester ssh your-ad-user authenticate

Important Considerations

  • Backup Configuration: Always backup PAM configuration files before making changes
  • Test in Non-Production: Test changes in a development environment first
  • Emergency Access: Plan for emergency access methods in case of misconfiguration
  • Documentation: Document all changes made to the PAM configuration

By properly configuring the PAM stack, you can ensure that Active Directory authentication is prioritized and local authentication is effectively disabled for users with corresponding AD accounts. This maintains the security benefits of centralized authentication while still allowing for local accounts that don’t conflict with AD usernames.

Samba/Winbind Configuration Options

While preventing local authentication is primarily controlled through PAM configuration, understanding Samba and winbind settings can help optimize your Linux-Active Directory integration. The Samba suite provides the tools needed for Linux systems to integrate with Windows domains, but it’s important to note that the Samba main configuration file (smb.conf) does not directly control local authentication behavior.

Key Samba/Winbind Configuration Parameters

  1. Basic Domain Integration:
    In your /etc/samba/smb.conf file, ensure these parameters are properly configured:
[global]
workgroup = YOURDOMAIN
security = ads
realm = YOUR.DOMAIN.COM
password server = your-ad-server.your.domain.com
idmap config * : range = 10000-20000
idmap config YOURDOMAIN : range = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
  1. Winbind-Specific Settings:
    The winbindd service has several important settings that affect authentication behavior:
winbind refresh tickets = yes
winbind offline logon = false
winbind normalize names = yes
winbind nss info = rfc2307
  1. Authentication Parameters:
    While not directly controlling local authentication, these settings affect the AD integration:
client use spnego = yes
client ntlmv2 auth = yes

Understanding What Samba Does and Doesn’t Control

It’s crucial to understand that:

  • smb.conf does not control local authentication: The Samba configuration file manages file sharing, print services, and domain membership, but not authentication order
  • winbindd provides the bridge: The winbindd daemon handles the communication between the Linux system and the Active Directory domain controller
  • PAM controls authentication flow: The Pluggable Authentication Modules determine which authentication methods are tried and in what order

Samba/Winbind Management Commands

Use these commands to manage your Samba/Winbind integration:

  1. Join the Domain:
bash
sudo net ads join -U your-admin-user
  1. Test Winbind Connection:
bash
sudo wbinfo -t
sudo wbinfo -u
sudo wbinfo -g
  1. Check Winbind Status:
bash
sudo systemctl status winbind
  1. Restart Services After Configuration Changes:
bash
sudo systemctl restart winbind
sudo systemctl restart samba

Troubleshooting Samba/Winbind Integration

Common issues and their solutions:

  1. Domain Join Fails:
  • Check DNS resolution and network connectivity to AD servers
  • Verify correct domain and realm names
  • Ensure administrative credentials have sufficient permissions
  1. Winbind Cannot Resolve Users:
  • Verify winbind is running and properly configured
  • Check firewall rules between Linux server and AD servers
  • Use wbinfo -t to test secure channel to AD
  1. Authentication Issues:
  • Verify PAM configuration is correct
  • Check system logs for authentication errors
  • Ensure time synchronization between Linux server and AD domain controllers

Advanced Configuration Options

For more complex environments, consider these advanced settings:

  1. Multiple Domain Controllers:
password server = dc1.your.domain.com dc2.your.domain.com dc3.your.domain.com
  1. LDAP Integration:
ldap ssl = start tls
ldap id mapping = yes
  1. Kerberos Configuration:
    Proper Kerberos configuration is essential for seamless AD integration:
  • Configure /etc/krb5.conf with appropriate realm definitions
  • Ensure time synchronization (use chrony or ntpd)
  • Verify ticket renewal settings

While these Samba and winbind configurations don’t directly solve the local authentication problem, they ensure a stable and reliable connection to your Active Directory domain. A properly configured Samba/winbind environment is the foundation upon which the PAM-based authentication controls are built.

Best Practices for Linux-Active Directory Integration Security

Implementing secure Linux-Active Directory integration requires a comprehensive approach that goes beyond just preventing local authentication. By following these best practices, you can ensure a secure, reliable, and manageable integration that leverages the strengths of both systems while minimizing security risks.

Authentication Security Practices

  1. Strict PAM Configuration:
  • Always place pam_winbind.so before pam_unix.so in authentication stacks
  • Use the sufficient flag for pam_winbind to prevent fallback to local authentication
  • Consider using pam_deny.so as a final module to explicitly deny all other authentication methods
  1. Multi-Factor Authentication:
  • Implement Kerberos-based authentication with strong encryption
  • Consider adding SSH key authentication as a secondary factor
  • Configure AD to require strong passwords and implement account lockout policies
  1. Regular Authentication Testing:
  • Periodically test both successful and failed authentication scenarios
  • Verify that local authentication is properly disabled for AD users
  • Test emergency access procedures

System Security Hardening

  1. Local Account Management:
  • Disable or remove unnecessary local accounts
  • Rename or disable default accounts like ubuntu, admin, etc.
  • Implement strict password policies for any remaining local accounts
  1. Network Security:
  • Restrict network access to AD domain controllers
  • Use secure channels (LDAPS, Kerberos) for all AD communications
  • Implement firewall rules that only allow necessary AD-related traffic
  1. System Updates and Patching:
  • Keep all system components updated, especially Samba and winbind packages
  • Regularly apply security patches to both Linux systems and AD infrastructure
  • Monitor security advisories from both Linux distribution vendors and Samba project

Monitoring and Auditing

  1. Centralized Logging:
  • Configure system logs to be sent to a centralized logging server
  • Implement log rotation and retention policies
  • Monitor authentication logs for suspicious patterns
  1. AD Integration Monitoring:
  • Monitor winbind service health and performance
  • Track authentication success/failure rates
  • Set up alerts for unusual authentication patterns
  1. Compliance Auditing:
  • Regularly audit user access permissions
  • Verify compliance with organizational security policies
  • Document configuration changes and access modifications

Access Control Strategies

  1. Principle of Least Privilege:
  • Assign only necessary permissions to AD groups
  • Use AD groups rather than individual user assignments
  • Regularly review and refine access permissions
  1. Justification Requirements:
  • Implement approval processes for privileged access
  • Require justification for elevated permissions
  • Document all permission changes
  1. Session Management:
  • Implement session timeouts for inactive connections
  • Use SSH key authentication where possible
  • Monitor active sessions and disconnect suspicious ones

Backup and Recovery

  1. Configuration Backup:
  • Regularly back up PAM configuration files
  • Document Samba/winbind configurations
  • Store backup copies in secure, off-site locations
  1. Disaster Recovery Planning:
  • Develop procedures for handling AD outages
  • Create local admin accounts for emergency access (with proper controls)
  • Test recovery procedures regularly
  1. Failover Strategies:
  • Configure multiple AD domain controllers for redundancy
  • Implement winbind caching for limited offline functionality
  • Plan for authentication during AD maintenance windows

Documentation and Training

  1. Comprehensive Documentation:
  • Document all configuration changes and their purposes
  • Create runbooks for common administrative tasks
  • Maintain an up-to-date architecture diagram of the integration
  1. Administrative Training:
  • Train administrators on Linux-AD integration specifics
  • Ensure understanding of security implications
  • Conduct regular refresher training
  1. User Awareness:
  • Educate users on authentication procedures
  • Provide clear guidance on accessing Linux resources
  • Document common troubleshooting steps

By implementing these best practices, you’ll create a robust security posture for your Linux-Active Directory integration that prevents local authentication while maintaining system reliability and manageability. Remember that security is an ongoing process, not a one-time configuration, so regularly review and update your security measures to address new threats and changing requirements.

Comprehensive Documentation and Resources

Implementing secure Linux-Active Directory integration requires reliable, up-to-date information from authoritative sources. The following resources provide comprehensive documentation, guides, and references to help you properly configure and maintain your Linux-AD environment while preventing local authentication issues.

Official Samba Documentation

The Samba project provides the most authoritative documentation for Linux-AD integration:

  1. pam_winbind Module Documentation:
  1. winbindd Daemon Documentation:
  1. smb.conf Configuration File Documentation:

Linux Distribution Documentation

Your specific Linux distribution may have tailored documentation for AD integration:

  1. Ubuntu/Debian Documentation:
  • Ubuntu Wiki pages on Active Directory integration
  • Community guides and troubleshooting tips
  • Official documentation on winbind configuration
  1. Red Hat/CentOS Documentation:
  • Red Hat Identity Management guides
  • SSSD vs. winbind comparison and configuration
  • Enterprise-specific AD integration best practices
  1. SUSE Documentation:
  • SUSE Linux Enterprise AD integration guides
  • YaST configuration tools for AD integration
  • Security-focused documentation

Books and Publications

  1. “Samba-3 by Example”:
  • Comprehensive guide to Samba implementation
  • Includes detailed AD integration scenarios
  • Available through the Samba project website
  1. “Linux System Administration Handbook”:
  • Covers authentication systems and PAM configuration
  • Includes AD integration case studies
  • Published by Prentice Hall
  1. “Active Directory Cookbook”:
  • Recipes for AD integration with various systems
  • Includes Linux-specific solutions
  • Published by O’Reilly

Online Communities and Forums

  1. Samba Mailing Lists:
  • Official mailing lists for Samba project
  • Expert advice from developers and experienced users
  • Archives searchable for specific issues
  1. Stack Overflow:
  • Active community of Linux and AD experts
  • Tagged questions for both topics
  • Searchable repository of solutions
  1. Reddit Communities:
  • r/linuxadmin
  • r/sysadmin
  • r/linux

Training Resources

  1. Samba Training Courses:
  • Official Samba project training materials
  • Online and in-person courses available
  • Focus on secure implementation practices
  1. Linux Foundation Courses:
  • System administration courses with AD integration modules
  • Online self-paced options available
  • Industry-recognized certifications
  1. Vendor-Specific Training:
  • Red Hat Identity Management training
  • Ubuntu Pro training for enterprise environments
  • Microsoft training for Linux-AD integration

Security Resources

  1. SANS Institute:
  • Research papers on Linux security
  • Best practices for hybrid environments
  • Security policy templates
  1. OWASP:
  • Guidelines for secure authentication implementation
  • Risk assessment methodologies
  • Security testing guides
  1. NIST Publications:
  • Security controls for information systems
  • Authentication guidelines
  • Risk management framework

Monitoring and Management Tools

  1. Linux System Monitoring:
  • Tools for monitoring PAM authentication events
  • Log analysis for security auditing
  • Performance monitoring for winbind services
  1. AD Management Tools:
  • Microsoft AD management solutions
  • Third-party tools for Linux-AD integration
  • Automation and scripting options

Regular Updates and News

  1. Samba Project Website:
  • Latest releases and security announcements
  • Blog posts with implementation tips
  • Documentation updates
  1. Linux Distribution News:
  • Security bulletins
  • New feature announcements
  • Bug fix notifications
  1. Industry Publications:
  • SysAdmin magazine
  • Linux Journal
  • Enterprise security publications

By leveraging these comprehensive resources, you’ll stay up-to-date with the latest best practices, security considerations, and technical solutions for Linux-Active Directory integration. Remember that technology evolves, and these resources will help you maintain a secure, reliable, and efficient integration over time.

Sources

  1. Samba pam_winbind Module Documentation — Comprehensive guide to the pam_winbind module used for AD authentication: https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html
  2. Samba winbindd Daemon Documentation — Detailed documentation for the winbindd daemon that bridges Linux and AD: https://www.samba.org/samba/docs/current/man-html/winbindd.8.html
  3. Samba smb.conf Configuration Documentation — Complete reference for the Samba configuration file and its parameters: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

Conclusion

Preventing local authentication when Active Directory integration is enabled on Linux is a critical security requirement that can be achieved through proper Pluggable Authentication Module (PAM) configuration. The key insight is that authentication order and priority are controlled by the PAM stack, not by Samba or winbindd configuration files themselves. By reordering PAM modules so that pam_winbind.so is prioritized before pam_unix.so, you can ensure that Active Directory authentication is attempted first and that local authentication is effectively disabled for users with corresponding AD accounts.

The most effective approach involves modifying PAM configuration files like /etc/pam.d/common-auth, /etc/pam.d/common-account, and application-specific files to place pam_winbind.so with the sufficient control flag before any pam_unix.so modules. This configuration ensures that if AD authentication succeeds, the system won’t proceed to try local authentication, effectively preventing the security vulnerability of local authentication bypassing AD controls.

While Samba and winbind configurations don’t directly solve the local authentication problem, they provide the foundation for a stable AD connection. A properly configured Samba/winbind environment with correct DNS settings, time synchronization, and secure communication channels is essential for reliable authentication to work properly. Implementing best practices for system hardening, access control, monitoring, and documentation further enhances the security posture of your Linux-AD integrated environment.

By following these guidelines and leveraging the comprehensive resources available from the Samba project and other authoritative sources, you can implement a secure Linux-Active Directory integration that maintains centralized authentication controls while providing the flexibility and functionality needed for your enterprise environment.

J
Jelmer Vernooij

The pam_winbind module provides authentication capabilities for Active Directory integration in Linux environments. To prevent local authentication when AD integration is enabled, configure the PAM stack so that pam_winbind is used for the auth and account phases before any pam_unix modules. By placing pam_winbind before pam_unix and making it required, local accounts will no longer be considered for authentication. For complete isolation from local users, pam_unix modules can be removed or reordered in the PAM configuration files.

https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html
A
Andrew Tridgell

The winbindd daemon supplies authentication through the pam_winbind.so module but does not inherently block local authentication. The default PAM configuration with winbindd allows AD users to authenticate via winbindd while still permitting local users with the same name to authenticate via pam_unix modules. To restrict authentication to AD only, the PAM stack must be configured to prioritize pam_winbind over pam_unix modules, effectively making AD the sole source of authentication for users.

https://www.samba.org/samba/docs/current/man-html/winbindd.8.html
A
Andrew Tridgell

The smb.conf file is the configuration file for the Samba suite and contains runtime configuration information for Samba programs. While smb.conf manages various aspects of Samba operation including file and print services, it does not contain specific options to disable local authentication. Local authentication control is handled through PAM configuration rather than smb.conf parameters. The configuration of which authentication methods are used is controlled by the PAM stack configuration, not directly by Samba’s main configuration file.

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
Authors
J
Jelmer Vernooij
Samba developer
G
Guenther Deschner
Samba developer
A
Andrew Tridgell
Original creator of Samba software and related utilities
T
Tim Potter
Writer of wbinfo and winbindd utilities
G
Gerald Carter
Documentation specialist
A
Alexander Bokovoy
Documentation specialist
Verified by moderation
NeuroAnswers
NeuroAnswers
Moderation
How to Prevent Local Authentication with Active Directory on Linux