Difference between revisions of "Nslcd"

From SambaWiki
m (/* update kerberos section)
m (add the sudo apt install line in "code" field)
 
Latest revision as of 11:30, 28 January 2022

Introduction

The nslcd service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).

To enable the nslcd service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see Maintaining Unix Attributes in AD using ADUC.



Configuring the nslcd Service

Authenticating nslcd to AD Using Kerberos

To enable the nslcd service to authenticate to Active Directory (AD) using Kerberos:

  • On a Samba AD DC, create a new user in AD. For example: nslcd-ad
    Set the following options in the account's settings:
      • Set a random password
      • Password never expires
      • User cannot change password


Extract the Kerberos keytab for the nslcd-ad account to the /tmp directory:

sudo samba-tool domain exportkeytab /tmp/krb5.nslcd.keytab --principal=nslcd-ad
Export one principal to /tmp/krb5.nslcd.keytab


Copy the keytab to the Unix domain member:

sudo scp /tmp/krb5.nslcd.keytab auser@deb11:/home/auser/
auser@deb11's password: 
krb5.nslcd.keytab                             100%  237    72.3KB/s   00:00    


Now go to the Unix domain member (Debian 11 in this instance) and install the following packages:

sudo apt install nslcd nslcd-utils libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-heimdal


Move the keytab to the correct location and ensure it has the correct permissions:

sudo mv /home/auser/krb5.nslcd.keytab /etc/krb5.nslcd.keytab
sudo chown nslcd:root /etc/krb5.nslcd.keytab 
sudo chmod 600 /etc/krb5.nslcd.keytab


  • Edit the /etc/nslcd.conf file and set the following settings:
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri             ldap://dc1.samdom.example.com/
# Note: add a uri line for each of your Samba DCs

# The search base that will be used for all queries.
base dc=samdom,dc=example,dc=com
pagesize 1000
referrals off
nss_nested_groups yes

# The LDAP protocol version to use.
#ldap_version 3

sasl_mech GSSAPI
sasl_realm SAMDOM.EXAMPLE.COM
krb5_ccname /tmp/nslcd.tkt

# Filters
filter passwd (objectclass=user)
filter group (objectclass=group)

# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID


For details about the parameters, see the nslcd.conf (5) man page.


  • To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
passwd:     files ldap
group:      files ldap


  • Edit the /etc/default/nslcd file and set the following settings:

# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
#K5START_START="yes"

# Options for k5start.
#K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.nslcd.keytab
#K5START_CCREFRESH=60
K5START_PRINCIPAL="nslcd-ad"
  • Start the nslcd service.
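

Before starting the service, it is worth confirming that nslcd.conf carries the Kerberos settings shown above and that the keytab is private to the nslcd account. The following script is an added example, not part of the SambaWiki page or the nslcd project; the file paths and the owner name nslcd are taken from the page, and both checks accept paths as parameters so they can be run against copies of the files.

```shell
#!/bin/sh
# Added example (not from the SambaWiki page): sanity-check an nslcd
# Kerberos setup. Defaults in the usage line match the paths on the page.

# Print the value of a setting from an nslcd.conf-style file (key value,
# whitespace separated, '#' comments). Empty output means the key is absent.
# Usage: conf_get FILE KEY
conf_get() {
    grep -v '^[[:space:]]*#' "$1" |
        awk -v k="$2" '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Check that the settings the Kerberos section of the page relies on are set.
# Prints each problem; returns 0 only when everything is in place.
# Usage: check_nslcd_conf FILE
check_nslcd_conf() {
    conf="$1"
    rc=0
    for key in uri base sasl_realm krb5_ccname; do
        if [ -z "$(conf_get "$conf" "$key")" ]; then
            echo "missing: $key"
            rc=1
        fi
    done
    if [ "$(conf_get "$conf" sasl_mech)" != "GSSAPI" ]; then
        echo "sasl_mech must be GSSAPI"
        rc=1
    fi
    return $rc
}

# Check that the keytab is owned by OWNER and readable only by the owner
# (mode 0600), i.e. the state the chown/chmod steps on the page produce.
# Usage: check_keytab FILE OWNER
check_keytab() {
    kt="$1"; owner="$2"
    [ -f "$kt" ] || { echo "keytab not found: $kt"; return 1; }
    # find prints the path only when both owner and exact mode match
    if [ -z "$(find "$kt" -user "$owner" -perm 600 2>/dev/null)" ]; then
        echo "keytab must be owned by $owner with mode 600: $kt"
        return 1
    fi
    return 0
}

# Usage with the paths from the page (root is needed to read the keytab):
#   check_nslcd_conf /etc/nslcd.conf && check_keytab /etc/krb5.nslcd.keytab nslcd
```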



Testing the User and Group Retrieval

To list users and groups having Unix attributes in Active Directory (AD) set:

  • To list a user account, enter:
# getent passwd demo
demo:*:10001:10001:demo1:/home/demo:/bin/bash
  • If you do not get any output, leave the domain, then join again and reboot.
  • To list a group, enter:
# getent group demo-group
demo-group:*:10001:demo1




Troubleshooting

If the getent command fails to load users and groups from Active Directory (AD):

  • Stop the nslcd service.
  • Start the nslcd service in debug mode:
# nslcd -d
The service will start in the foreground and the output is displayed on the screen.
  • On a second terminal, run the failed getent command again and watch the nslcd debug output.