Chris et al,
I intended to put an experiences note out to the nss_ldap forum's but
have not found one suitable yet. So here is the short canned version of
how I made this all work.
First get a Windows 200x environment with the RFC2307 extensions added
to the Schema. The easiest way to do this is to use Windows 2003 R2.
However, it is also possible to do this by using LDIF's from the wider
community to add this to a 2003 or a 2000 schema. I can dig out an
example of this is anybody is interested. This step is scary as in
a production environment if you get this wrong in the right way you
have an unrecoverable Windows environment so I recommend either a new
forest using Windows 2003 R2 or back everything up. Note I have done
this for a very big global domain and will hold anybodies hand if they
are thinking of doing this in a production domain.
Next assign all of your real Unix users with AD accounts - make
the user names conform to the Posix rules (Windows samAccountName) i.e.
8 characters starting with a letter, all in lower case. Give them
uidNumber's and gidNumber's, loginShell and unixHomeDirectory
attributes. I use displayName for the GECOS field.
Create relevant groups in the AD I have used samAccountName for the
groupName, you can also use CN but you have to be careful about the
names and make sure they are valid in the Unix and Windows world I
stick to lower case starting with a letter and no spaces in the
samAccountName.
For example: I declare a superusers group to which I add users I would
have added to wheel and use this in sudo - you can only add users
declared in AD to groups declared in AD. superusers is a member of
"Domain Admins" and "Enterprise Admins" in our systems.
With this you are now ready to set up the unix side of the fence. I use
pam_krb5 to authenticate and nss_ldap to handle the maps. The pam stack
looks like this
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid <
100 quiet
account [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
I set up kerberos to access the active directory as follows.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = COHERENT.COHTECH.CO.UK
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = false
[realms]
COHERENT.COHTECH.CO.UK = {
kdc = coherent.cohtech.co.uk
}
[domain_realm]
city.cohtech.co.uk = COHERENT.COHTECH.CO.UK
.city.cohtech.co.uk = COHERENT.COHTECH.CO.UK
coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK
.coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK
finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK
.finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK
stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK
.stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK
cohtech.co.uk = COHERENT.COHTECH.CO.UK
.cohtech.co.uk = COHERENT.COHTECH.CO.UK
[kdc]
profile = "">
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
And create a machine keytab using Samba - currently samba-3.0.23a. Note
my machines are in the finsbury.cohtech.co.uk zone, while the AD is
domain coherent.cohtech.co.uk.
The nsswitch.conf file contains ...
passwd: files ldap
shadow: files ldap
group: files ldap
statements.
ldap.conf contains ...
# Set to some high number to get debug output -
very useful if kerberos is failing
debug 0
#base set to default container inside AD for Users - have not got this
working with multiple containers
base cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
# Our servers have certificates and therefore are available over ssl
# Otherwise use
#uri ldap://coherent.cohtech.co.uk
uri ldaps://coherent.cohtech.co.uk
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
ldap_version 3
# The distinguished name to bind to the server with.
# NEVER NEVER NEVER defined this if using SASL it breaks the bind
operation
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# NEVER NEVER NEVER define this if using SASL it breaks the bind
operation
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
scope sub
# Search timelimit
#timelimit 30
timelimit 120
# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy soft
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600
.......
# Just assume that there are no supplemental groups for these named
users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
nss_base_passwd cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
nss_base_shadow cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
nss_base_group cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid samAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos displayName
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember Member
nss_map_attribute cn samAccountName
nss_paged_results on
pam_login_attribute samAccountName
pam_filter objectclass=user
pam_member_attribute member
#pam_groupdn cn=unixusergroup,dc=coherent,dc=cohtech,dc=co,dc=uk
pam_passwd ad
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
use_sasl on
sasl_authid nssldap/beastie.finsbury.cohtech.co.uk
rootsasl_auth_id nssldap/beastie.finsbury.cohtech.co.uk
rootuse_sasl yes
The key feature here is the krb5_ccname which is used to override the
credentials passed in to the user. At present this file must have 0644
access as the nss_ldap code always overrides with this file. I intend
to supply a patch that will check for read access to this file and use
it only in this circumstance. A further enhancement would be to try to
access the directory using this file if readable, and if that fails or
if the file is not readable then use the KRB5CCNAME environment
variable if set and if that fails use the users credentials cache if
that exists.
The authentication ID needs to be created in the AD and exported. This
is done by creating a user with a never expires password and then using
the ktpass command on Windows 200x to export the key. I use
ktpass -princ nssldap/<hostname>@DOMAIN -mapuser
nss<host>@domain -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
-mapo- set +desonly -pass <somepassword> -out <keytabfile>
The resulting file is copied to the target host, and I add it to the
system keytab file. It could equally be put in a separate file and used
from there.
The final pieces of magic are setting up the openldap ldap.conf file.
# $OpenLDAP:
pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt
Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldaps://coherent.cohtech.co.uk
#HOST coherent.cohtech.co.uk
BASE dc=coherent,dc=cohtech,dc=co,dc=uk
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
And setting up nscd to cache requests, running nscd - I set the
environment with KRB5CCNAME=/etc/.ldapcache as a bit of belt and braces.
The following script is executed every 6 hours to keep the credentials
cache current.
#!/bin/sh
#
/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab -c /etc/.ldapcache
nssldap/beastie.finsbury.cohtech.co.uk \
&& chown nscd:nscd /etc/.ldapcache \
&& chmod 0644 /etc/.ldapcache
exit 0
The 0644 will change to 0640 once I have a patch into nss_ldap. A point
to note nscd only provide caches for individual lookups so running
getent passwd will not work unless kerberos credentials are supplied
some other way - hence the need for 0644 at present.
Hope this all makes sense. Will try to produce a more comprehensive
guide later when I have fixed the niggles.
By the by.. This all required the latest version of openldap,
cyrus-sasl, nss_ldap as previous versions failed to talk to Windows
2003. These are currently drawn from fedora-development and are:
openldap-2.3.27-2, cyrus-sasl-2.1.22-3, & nss_ldap-251-1 (with the
enable-configurable-krb5-ccname-gssapi configuration flag turned on at
build time).
Chris Bradford wrote:
Howard
Wilkinson wrote:
I have been installing nss_Ldap for sasl
connections to a Windows 2003 R2 infrastructure and run into some
problems. It turns out that the package distributed with FC5 and in
development have an incorrect option set with the configuration for the
configuration file feature krb5_ccname to work.
The configure line currently uses --enable-configurable-krb5-ccname
which does not do anything useful. It should either read
--enable-configurable-krb5-ccname-env or
--enable-configurable-krb5-ccname-gssapi to make this work. I have
chosen the second as the first does not confer any advantage in
allowing the environment to override in the current implementation.
Without this setting then the calling environment must have a
credential cache set up for the code to work - the behaviour of both
the nscd and the general calling environment give local errors when
there is not credentials cache defined.
--
Howard Wilkinson
Phone:
+44(20)76907075
Coherent Technology Limited
Fax:
23 Northampton Square,
Mobile:
+44(7980)639379
London, United Kingdom, EC1V 0HL
Email:
howard@xxxxxxxxxxx
Click here
<https://www.mailcontrol.com/sr/wQw0zmjPoHdJTZGyOCrrhg==> to
report this email as spam.
Howard,
Could you please post details on you you have used sasl to connect to
AD? I am using nss_ldap to connect but not using sasl. Further details
on this can be seen here:
http://cb-net.co.uk/readarticle.php?article_id=5
-Chris
--
|
Howard Wilkinson
|
Phone:
|
+44(20)76907075
|
|
Coherent Technology Limited
|
Fax:
|
|
|
23
Northampton Square,
|
Mobile:
|
+44(7980)639379
|
|
London,
United Kingdom,
EC1V 0HL
|
Email:
|
howard@xxxxxxxxxxx
|
|
