So, I’ve been spending a good portion of the last six months designing a software distribution system, and looking for a good way to manage user access in an AD environment where LDAP is fractured, at best. A few months ago, we were approved to procure Centrify as a provider of AD integration, so we could get rid (entirely) of winbind and samba-related services.
Finally, we are approaching handover, and time to integrate Spacewalk is here.
Spacewalk does NOT integrate directly with Active Directory. Never has, probably never will. It will, however, authenticate through PAM, and PAM does have methods to authenticate to AD, mostly via winbind. Centrify is supposed to be the bridge between them, and much more reliable than using winbind, but as we discovered (quickly), Spacewalk’s documentation does not cover connecting to AD or winbind or anything similar. A quick Google search finds a few tutorials on how to connect to winbind, but none on Centrify.
Long story short: we did get AD working, and the trick was pointing rhn.conf at system-auth instead of rhn-satellite. Apparently Centrify adds some magic deep in the system-auth file ( /etc/pam.d/system-auth ) that allows PAM to connect.
Long story long:
The tutorials we found on “the Google” were really trying their best to be helpful, but never quite got there.
The default for Spacewalk is to set the contents of /etc/rhn/rhn.conf to
pam_auth_service = rhn-satellite
That value names the PAM service file /etc/pam.d/rhn-satellite . If Spacewalk were authenticating to LDAP or NIS or whatever, that file would be correct. Granted, it’s just a short PAM stack, five or so lines of sufficient, requisite, etc.
Further investigation reveals that Centrify needs to add a few lines, and change the others:
Original rhn-satellite :
auth required pam_env.so
auth sufficient pam_sss.so
auth required pam_deny.so
account sufficient pam_sss.so
account required pam_deny.so
The suggested fix found on a few sites:
auth required pam_centrify.so
auth requisite pam_centrify.so deny
account sufficient pam_centrify.so
account requisite pam_centrify.so deny
session required pam_centrify.so homedir
password sufficient pam_centrify.so try_first_pass
password requisite pam_centrify.so deny
On the surface, this looks like it’s correct, but we could never get it to work.
However, further searching located some people who had made it work by just pointing the line in rhn.conf to “password-auth” instead of “rhn-satellite”, since Centrify adds several extra lines there to integrate with the specific AD domains (which I won’t share for obvious security reasons). However, newer versions don’t have a “password-auth” file, and use “system-auth” instead. Making /etc/rhn/rhn.conf read:
pam_auth_service = system-auth
…finally did the trick. You’ll need to look at those files yourself, password-auth and/or system-auth, to determine where the settings you need are: you can copy them into rhn-satellite, or simply point pam_auth_service at the file directly. The latter is what I did.
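A quick sanity check for the setting described above, added here as an example (it is not from the original post or from Spacewalk/Centrify): it reads pam_auth_service out of rhn.conf, confirms the named service file exists under the PAM directory, and confirms that its auth and account phases actually reference pam_centrify.so, which is what the shipped rhn-satellite stack lacks. Paths are parameters, and the sample rhn.conf and pam.d files it builds are constructed (the Centrify-edited system-auth is a simplified stand-in).

```shell
#!/bin/sh
# Added example, not from the original post: check that the PAM service named by
# pam_auth_service in rhn.conf exists and carries pam_centrify.so in auth/account.

# check_rhn_pam_service RHN_CONF PAM_DIR -> prints the service name, returns
# 0 if the stack looks usable for Centrify/AD logins, 1 otherwise.
check_rhn_pam_service() {
    rhn_conf="$1"; pam_dir="$2"
    service=$(sed -n 's/^[[:space:]]*pam_auth_service[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$rhn_conf" | tail -n 1)
    if [ -z "$service" ]; then
        echo "$rhn_conf: pam_auth_service not set (Spacewalk defaults to rhn-satellite)" >&2
        return 1
    fi
    stack="$pam_dir/$service"
    if [ ! -r "$stack" ]; then
        echo "$rhn_conf: pam_auth_service = $service but $stack is missing" >&2
        return 1
    fi
    for phase in auth account; do
        # "<phase> <control> pam_centrify.so ..." with commented lines ignored
        if ! grep -Eq "^[[:space:]]*$phase[[:space:]]+[^#]*pam_centrify\.so" "$stack"; then
            echo "$stack: no pam_centrify.so line in the $phase phase" >&2
            return 1
        fi
    done
    echo "$service"
}

# make_sample_tree DIR: constructed fixtures mirroring the post's two settings.
make_sample_tree() {
    mkdir -p "$1/pam.d"
    # rhn-satellite as shipped (from the post): pam_sss only, no Centrify module
    printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_sss.so' \
        'auth required pam_deny.so' 'account sufficient pam_sss.so' \
        'account required pam_deny.so' > "$1/pam.d/rhn-satellite"
    # system-auth after Centrify has edited it (constructed, simplified)
    printf '%s\n' 'auth sufficient pam_centrify.so' 'auth required pam_deny.so' \
        'account sufficient pam_centrify.so' 'account required pam_deny.so' \
        'session required pam_centrify.so homedir' > "$1/pam.d/system-auth"
    echo 'pam_auth_service = rhn-satellite' > "$1/rhn.conf.default"
    echo 'pam_auth_service = system-auth' > "$1/rhn.conf.fixed"
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
check_rhn_pam_service "$demo_dir/rhn.conf.default" "$demo_dir/pam.d" || echo "default setting rejected"
check_rhn_pam_service "$demo_dir/rhn.conf.fixed" "$demo_dir/pam.d"     # prints: system-auth
rm -rf "$demo_dir"
```

On a real box run it as `check_rhn_pam_service /etc/rhn/rhn.conf /etc/pam.d`; a passing check only proves the stack is wired to the Centrify module, so an actual login attempt is still the final test.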
Hopefully this will help a few people out there!
Bootnote: this should work both with Spacewalk and Satellite equally.