Difference between revisions of "Nslcd"

m (Updated link)
(Rewrote nslcd documentation. Clearer structure, removed unnecessary content, add statement that it's not supported by Samba)
Line 1: Line 1:
= Advantages and disadvantages of nslcd =
+
= Introduction =
  
''Because people may find that some of the disadvantages are advantages or vice versa in their environment, we won't classify here.''
+
The <code>nslcd</code> service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).
  
* Fast and easy to configure.
+
To enable the <code>nslcd</code> service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see [[Maintaining_Unix_Attributes_in_AD_using_ADUC|Maintaining Unix Attributes in AD using ADUC]].
  
* Requires central storage of posix data (UID/GID, home directory, shell, etc.) in AD. See [[Maintaining_Unix_Attributes_in_AD_using_ADUC|Managing Unix Attributes in Active Directory]].
+
{{Imbox
 +
| type = note
 +
| text = Samba does not support the <code>nslcd</code> service.
 +
}}
  
* UIDs/GIDs are the same on every server, because of the central storage inside the directory.
 
  
* Doesn't require the machine to be joined to the domain. Only a LDAP and Kerberos (if used) connection is used.
 
  
* Requires nslcd, Cyrus SASL GSSAPI and pam_ldap installed on your system.
 
  
* Resolving of nested groups is supported in nslcd 0.9.0 and later (<tt>nss_nested_groups yes</tt>).
 
  
 +
= Configuring the nslcd Service =
  
 +
== Authenticating nslcd to AD Using a User Name and Password ==
  
 +
To enable the <code>nslcd</code> service to authenticate to Active Directory (AD) using a user name and password:
  
 +
* Create a new user in AD. For example: <code>nslcd-ad</code>
 +
: Set the following options in the account's settings:
 +
:* Password never expires
 +
:* User cannot change password
  
= Installation =
+
* Add the following parameter to the <code>[global]</code> section of your <code>smb.conf</code> file:
  
Most distributions ship nss-pam-ldapd, which contains nslcd, in their default installation. If you intend to use Kerberos, you are additionally required to install Cyrus SASL with GSSAPI support. Depending on the version of nlscd you use, not all required Kerberos features may be supported. See the manpage of nslcd.conf for the supported options.
+
acl:search = no
 
 
If you want to authenticate local *nix services on your server against AD, you additionally require <tt>pam_ldap</tt>.
 
 
 
= Configuring nslcd =
 
 
 
== Method 1: Connecting to AD via Bind DN and password ==
 
 
 
The following basic example of an <tt>nslcd.conf</tt> let the daemon retrieve it's information by binding via an AD account. Connections with this setup are encrypted and use LDAP over SSL.
 
 
 
* Create a new user account in your AD, nslcd will use to bind via LDAP and retrieve it's information. Make sure, that you configure this account with the „Password never expires“ option! It's recommented also to set „User cannot change password“. Remember the DN (distinguished name) of the new account. The following example uses the DN „cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com“.
 
 
 
* Currently not all required posix information could be retrieved via LDAP ([https://bugzilla.samba.org/show_bug.cgi?id=9788 Bug report #9788]), because of incorrect directory ACLs. As a workaround, simply add the following to your <tt>smb.conf</tt> on the DC, nslcd is connecting to and restart Samba:
 
  
[global]
+
* Restart Samba.
...
 
acl:search = no
 
  
* Use the following content in your <tt>/etc/nslcd.conf</tt>:
+
* Edit the <code>/etc/nslcd.conf</code> file and set the following settings:
  
  # User/group with which the daemon should run (must be a local account!)
+
  # Local user account and group, nslcd uses.
 
  uid nslcd
 
  uid nslcd
 
  gid ldap
 
  gid ldap
 
   
 
   
  # LDAP/AD server settings
+
  # Active Directory server settings (SSL encryption)
  uri ldap://127.0.0.1:636/
+
  uri             ldaps://127.0.0.1:636/
base dc=SAMDOM,dc=example,dc=com
 
 
# SSL Settings
 
 
  ssl            on
 
  ssl            on
 
  tls_reqcert    allow
 
  tls_reqcert    allow
 +
base            dc=SAMDOM,dc=example,dc=com
 +
pagesize        1000
 +
referrals      off
 +
nss_nested_groups yes
 
   
 
   
  # Some settings for AD
+
  # LDAP bind account (AD account created in earlier)
  pagesize 1000
+
  binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
  referrals off
+
  bindpw ...
 
   
 
   
  # Filters (only required if your accounts doesn't have objectClass=posixAccount
+
  # Filters. Disable, if your:
  # and your groups haven't objectClass=posixGroup. This objectClasses won't be added
+
# * user accounts have the "posixAccount" object class set.
# by ADUC. So they won't be there automatically!)
+
  # * groups have the "posixGroup" object class set.
 
  filter  passwd  (objectClass=user)
 
  filter  passwd  (objectClass=user)
 
  filter  group  (objectClass=group)
 
  filter  group  (objectClass=group)
 
   
 
   
  # Attribut mappings (depending on your nslcd version, some might not be
+
  # Attribut mappings
# necessary or can cause errors and can/must be removed)
 
 
  map    passwd  uid                sAMAccountName
 
  map    passwd  uid                sAMAccountName
 
  map    passwd  homeDirectory      unixHomeDirectory
 
  map    passwd  homeDirectory      unixHomeDirectory
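Review bot: the new bullets in this hunk tell the reader to add `acl:search = no` to the `[global]` section and restart Samba, but drop the sentence that said why (the removed bullet pointed at Bug report #9788 and incorrect directory ACLs as the reason the posix attributes cannot be read). Because the parameter switches off the search-ACL check that the removed text describes, keep a one-line reason next to the new bullet, for example "Required because of Bug #9788; remove it once the DC serves the posix attributes without it." Also, `tls_reqcert allow` is kept next to the new `ldaps://127.0.0.1:636/` URI; with `allow` the DC certificate is not verified, so the hardened setting (`tls_reqcert demand` with `tls_cacertfile`) should at least be mentioned.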
Line 70: Line 62:
 
  map    passwd  gidNumber          primaryGroupID
 
  map    passwd  gidNumber          primaryGroupID
 
  map    group  uniqueMember      member
 
  map    group  uniqueMember      member
 
# LDAP bind (Account in AD that is used from nslcd to bind to the directory)
 
binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
 
bindpw xxxxx
 
  
* Append <tt>ldap</tt> to the <tt>passwd</tt> and <tt>group</tt> entry of your <tt>/etc/nsswitch.conf</tt>, to let the system query LDAP for these databases.
+
: For details about the parameter, see the <code>nslcd.conf (5)</code> man page.
 +
 
 +
* To enable LDAP databases for the name service switch (NSS), add the <code>ldap</code> option to the following lines in the <code>/etc/nsswitch.conf</code> file:
  
 
  passwd:    files ldap
 
  passwd:    files ldap
 
  group:      files ldap
 
  group:      files ldap
  
* Start the nslcd daemon.
+
* Start the <code>nslcd</code> service.
 
 
* All domain accounts/groups are now available to the local system.
 
  
  
  
== Method 2: Connecting to AD via Kerberos ==
+
== Authenticating nslcd to AD Using Kerberos ==
  
The following basic example of an nslcd.conf let nslcd retrieve it's information by using Kerberos. The connection will be <u>encrypted</u>.
+
To enable the <code>nslcd</code> service to authenticate to Active Directory (AD) using Kerberos:
  
* Create a new user account in your AD. Make sure, that you configure this account with the „Password never expires“ option! It's recommented also to set „User cannot change password“. If the machine is joined to the domain, you can skip this step and use the machine account instead, if you want. The following example uses the domain account „ldap-connect“.
+
* Create a new user in AD. For example: <code>nslcd-ad</code>
 +
: Set the following options in the account's settings:
 +
:* Password never expires
 +
:* User cannot change password
  
* Add a [http://msdn.microsoft.com/en-us/library/windows/desktop/ms677949%28v=vs.85%29.aspx SPN (service principal name)] to the account you've created. On your Samba host this can be done by the following command (replace „dc1.samdom.example.com“ with the name of the host you'll run nslcd on):
+
* To add the <code>nslcd/DC_name.samdom.example.com</code> Kerberos service principal name (SPN) to the <code>nslcd-ad</code> account, enter on the Samba domain controller (DC):
  
  # samba-tool spn add nslcd/dc1.samdom.example.com ldap-connect
+
  # samba-tool spn add nslcd/DC_name.samdom.example.com ldap-connect
  
* Extract the keytab for this account and make sure, it is readable only for the user nslcd runs under:
+
* Extract the Kerberos keytab for the <code>nslcd-ad</code> account to the <code>/etc/krb5.nslcd.keytab</code> file, run:
  
  # samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=ldap-connect
+
  # samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=nslcd-ad
 
  # chown nslcd:root /etc/krb5.nslcd.keytab  
 
  # chown nslcd:root /etc/krb5.nslcd.keytab  
 
  # chmod 600 /etc/krb5.nslcd.keytab
 
  # chmod 600 /etc/krb5.nslcd.keytab
  
* As Kerberos tickets have to be renewed before they expire, you have to take care of this job. <tt>k5start</tt> is a usefull tool for that. The following command starts k5start in background mode. The above created keytab is used and the owner of the the cache file will be the local account, nslcd uses to run (parameter „uid“ in <tt>nslcd.conf</tt>):
+
* Make sure that the Kerberos ticket is automatically renewed before it expires. For example, to auto-renew Kerberos tickets using the <code>k5start</code> utility:
  
 
  # k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt
 
  # k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt
  
:Remember to start k5start on system startup. Otherwise the ticket won't be renewed after reboot!
+
: For details about the parameters, see the <code>k5start (5)</code> man page. Make sure that the utility used for renewal is automatically started at boot time.
 +
 
 +
* Add the following parameter to the <code>[global]</code> section of your <code>smb.conf</code> file:
 +
 
 +
acl:search = no
  
* Use the following content in your <tt>/etc/nslcd.conf</tt>:
+
* Restart Samba.
  
  # User/group with which the daemon should run (must be a local account!)
+
* Edit the <code>/etc/nslcd.conf</code> file and set the following settings:
 +
 
 +
  # Local user account and group, nslcd uses.
 
  uid nslcd
 
  uid nslcd
 
  gid ldap
 
  gid ldap
 
   
 
   
  # LDAP/AD server settings
+
  # Active Directory server settings (SSL encryption)
  uri ldap://127.0.0.1:636/
+
  uri             ldaps://127.0.0.1:636/
base dc=SAMDOM,dc=example,dc=com
 
 
# SSL Settings
 
 
  ssl            on
 
  ssl            on
 
  tls_reqcert    allow
 
  tls_reqcert    allow
 +
base            dc=SAMDOM,dc=example,dc=com
 +
pagesize        1000
 +
referrals      off
 +
nss_nested_groups yes
 
   
 
   
  # Some settings for AD
+
  # Kerberos authentication to AD
  pagesize 1000
+
  sasl_mech      GSSAPI
  referrals off
+
  sasl_realm      SAMDOM.EXAMPLE.COM
 +
krb5_ccname    /tmp/nslcd.tkt
 
   
 
   
  # Filters (only required if your accounts doesn't have objectClass=posixAccount
+
  # Filters. Disable, if your:
  # and your groups haven't objectClass=posixGroup. This objectClasses won't be added
+
# * user accounts have the "posixAccount" object class set.
# by ADUC. So they won't be there automatically!)
+
  # * groups have the "posixGroup" object class set.
 
  filter  passwd  (objectClass=user)
 
  filter  passwd  (objectClass=user)
 
  filter  group  (objectClass=group)
 
  filter  group  (objectClass=group)
 
   
 
   
  # Attribut mappings (depending on your nslcd version, some might not be
+
  # Attribut mappings
# necessary or can cause errors and can/must be removed)
 
 
  map    passwd  uid                sAMAccountName
 
  map    passwd  uid                sAMAccountName
 
  map    passwd  homeDirectory      unixHomeDirectory
 
  map    passwd  homeDirectory      unixHomeDirectory
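Review bot: the SPN command at `# samba-tool spn add nslcd/DC_name.samdom.example.com ldap-connect` still names the old `ldap-connect` account, while the bullet above it says the SPN is added to `nslcd-ad` and the keytab line uses `--principal=nslcd-ad`; the last argument should be `nslcd-ad`, otherwise the exported keytab carries no `nslcd/...` principal and GSSAPI authentication fails. The same bullet says to run the command "on the Samba domain controller (DC)" and uses `DC_name` as the SPN host; the removed text made clear that the host part must be the machine that runs nslcd, which is worth keeping for readers who run nslcd on a member server.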
Line 139: Line 137:
 
  map    passwd  gidNumber          primaryGroupID
 
  map    passwd  gidNumber          primaryGroupID
 
  map    group  uniqueMember      member
 
  map    group  uniqueMember      member
 
# Kerberos
 
sasl_mech GSSAPI
 
sasl_realm SAMDOM.EXAMPLE.COM
 
krb5_ccname /tmp/nslcd.tkt
 
  
* Append <tt>ldap</tt> to the <tt>passwd</tt> and <tt>group</tt> entry of your <tt>/etc/nsswitch.conf</tt>, to let the system query LDAP for these databases.
+
: For details about the parameter, see the <code>nslcd.conf (5)</code> man page.
 +
 
 +
* To enable LDAP databases for the name service switch (NSS), add the <code>ldap</code> option to the following lines in the <code>/etc/nsswitch.conf</code> file:
  
 
  passwd:    files ldap
 
  passwd:    files ldap
 
  group:      files ldap
 
  group:      files ldap
  
* Start the nslcd daemon.
+
* Start the <code>nslcd</code> service.
 +
 
 +
 
  
* All domain accounts/groups are now available to the local system.
 
  
  
 +
= Testing the User and Group Retrieval =
  
== Testing ==
+
To list users and groups having Unix attributes in Active Directory (AD) set:
  
* Test 1: Retrieving accounts via <tt>getent</tt>. This should show local and domain accounts with posix attributes. Please check that all fields contain the values set in AD (UID, primaryGroup, homeDirectory, shell).
+
* To list all users accounts, enter:
  
 
  # getent passwd
 
  # getent passwd
 
  ...
 
  ...
  Administrator:*:10000:10513:Administrator:/home/Administrator:/bin/bash
+
  Administrator:*:10000:10000:Administrator:/home/Administrator:/bin/bash
  demo1:*:10008:10513:demo1:/home/demo1:/bin/bash
+
  demo:*:10001:10001:demo1:/home/demo:/bin/bash
 +
 
 +
: At the beginning of the list, all local accounts from the <code>/etc/passwd</code> database are listed.
  
* Test 2: Retrieving groups via <tt>getent</tt>. This should show local and domain groups with posix attributes. Please check that the output contains all fields set in AD (GID, members).
+
* To list all groups, enter:
  
 
  # getent group
 
  # getent group
 
  ...
 
  ...
  Domain Users:*:10513:
+
  Domain Users:*:10003:
  demo-group:*:10015:demo1
+
  demo-group:*:10001:demo1
  
* Test 3: Change owner/group of of a file to a domain user/group:
+
: At the beginning of the list, all local groups from the <code>/etc/groups</code> database are listed.
# touch /tmp/testfile
 
# chown Administrator:"Domain Users" /tmp/testfile
 
# ls -l /tmp/testfile
 
-rw-r--r-- 1  Administrator  Domain Users  0  26. Aug 22:35 /tmp/testfile
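Review bot: `/etc/groups` in the new note under the group listing should be `/etc/group`, the file the `files` source in `nsswitch.conf` reads. The two new listings also no longer agree: `Administrator` is shown with primary GID `10000`, but the group output (elided with `...`) shows `Domain Users` as `10003` and `demo-group` as `10001`, so a reader cannot verify the `gidNumber`/`primaryGroupID` mapping the configuration sets up; either show the group that owns GID 10000 or align the two listings as the removed revision did (10513 in both).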
 
  
  
Line 182: Line 177:
  
  
= Configuring PAM (pam_ldap) =
+
= Troubleshooting =
  
== Method 1: Connecting to AD via Bind DN and password ==
+
If the <code>getent</code> command fails to load users and groups from Active Directory (AD):
  
To authenticate local services (SSH, FTP, etc.) which uses PAM, you can setup <tt>pam_ldap</tt> to authenticate against AD via LDAP.
+
* Stop the <code>nslcd</code> service.
 
 
* Edit <tt>/etc/pam_ldap.conf</tt>:
 
 
 
base dc=SAMDOM,dc=example,dc=com
 
binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
 
bindpw xxxxx
 
bind_policy soft
 
pam_login_attribute sAMAccountName
 
uri ldap://127.0.0.1:389:389/
 
ssl no
 
 
 
* If your distribution is shipped with a tool for doing changes on PAM configurations, you should use them, instead of editing manually. E. g. SLES provides <tt>pam-config</tt> and Debian <tt>pam-auth-update</tt> for that.
 
 
 
* Edit your PAM configuration file(s) corresponding to the services you want to hook up. The following is an example for a PAM configuration, that can be used e. g. for ssh (<tt>/etc/pam.d/sshd</tt>). But be carefull: Change take effect immediately!
 
 
 
#%PAM-1.0M-1.0
 
auth    required      pam_nologin.so
 
auth    sufficient    pam_ldap.so
 
auth    required      pam_unix.so      use_first_pass # set_secrpc
 
 
account  required      pam_unix.so
 
 
password required      pam_pwcheck.so
 
password required      pam_ldap.so      use_authtok
 
password required      pam_unix.so      use_first_pass use_authtok
 
 
session  required      pam_unix.so
 
session  required      pam_limits.so
 
session  required      pam_env.so
 
  
 +
* Start the <code>nslcd</code> service in debug mode:
  
 +
# nslcd -d
  
== Testing ==
+
: The service is started in the forground and the output is displayed on the screen.
  
* Test 1: Try accessing a service or log into a service, you have configured to use pam_ldap. Example for ssh:
+
* On a second terminal, run the failed <code>getent</code> command again and watch the <code>nslcd</code> debug output.
# ssh demo1@DC1
 
demo1@dc1's password:
 
Last login: Mon Aug 26 22:59:40 2013 from pc01.samdom.example.com
 
[demo1@DC1 ~]$
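Review bot: "forground" in the new note under `# nslcd -d` should be "foreground". This hunk also removes the whole pam_ldap section and its SSH test without a replacement or a pointer; a one-line note that the rewritten page covers NSS (users and groups) only and not PAM authentication would stop readers from expecting domain logins to work after following it.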
 

Revision as of 22:31, 10 November 2016

Introduction

The nslcd service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).

To enable the nslcd service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see Maintaining Unix Attributes in AD using ADUC.



Configuring the nslcd Service

Authenticating nslcd to AD Using a User Name and Password

To enable the nslcd service to authenticate to Active Directory (AD) using a user name and password:

  • Create a new user in AD. For example: nslcd-ad
Set the following options in the account's settings:
  • Password never expires
  • User cannot change password
  • Add the following parameter to the [global] section of your smb.conf file:
acl:search = no
  • Restart Samba.
  • Edit the /etc/nslcd.conf file and set the following settings:
# Local user account and group that nslcd runs as.
uid nslcd
gid ldap

# Active Directory server settings (SSL encryption)
uri             ldaps://127.0.0.1:636/
ssl             on
tls_reqcert     allow
base            dc=SAMDOM,dc=example,dc=com
pagesize        1000
referrals       off
nss_nested_groups yes

# LDAP bind account (the AD account created earlier)
binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw ...

# Filters. Disable them if your:
# * user accounts have the "posixAccount" object class set.
# * groups have the "posixGroup" object class set.
filter  passwd  (objectClass=user)
filter  group   (objectClass=group)

# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID
map     group   uniqueMember       member
For details about these parameters, see the nslcd.conf (5) man page.
  • To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
passwd:     files ldap
group:      files ldap
  • Start the nslcd service.


Authenticating nslcd to AD Using Kerberos

To enable the nslcd service to authenticate to Active Directory (AD) using Kerberos:

  • Create a new user in AD. For example: nslcd-ad
Set the following options in the account's settings:
  • Password never expires
  • User cannot change password
  • To add the nslcd/DC_name.samdom.example.com Kerberos service principal name (SPN) to the nslcd-ad account, enter on the Samba domain controller (DC):
# samba-tool spn add nslcd/DC_name.samdom.example.com nslcd-ad
  • To extract the Kerberos keytab for the nslcd-ad account to the /etc/krb5.nslcd.keytab file, run:
# samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=nslcd-ad
# chown nslcd:root /etc/krb5.nslcd.keytab 
# chmod 600 /etc/krb5.nslcd.keytab
  • Make sure that the Kerberos ticket is automatically renewed before it expires. For example, to auto-renew Kerberos tickets using the k5start utility:
# k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt
For details about the parameters, see the k5start (5) man page. Make sure that the utility used for renewal is automatically started at boot time.
  • Add the following parameter to the [global] section of your smb.conf file:
acl:search = no
  • Restart Samba.
  • Edit the /etc/nslcd.conf file and set the following settings:
# Local user account and group that nslcd runs as.
uid nslcd
gid ldap

# Active Directory server settings (SSL encryption)
uri             ldaps://127.0.0.1:636/
ssl             on
tls_reqcert     allow
base            dc=SAMDOM,dc=example,dc=com
pagesize        1000
referrals       off
nss_nested_groups yes

# Kerberos authentication to AD
sasl_mech       GSSAPI
sasl_realm      SAMDOM.EXAMPLE.COM
krb5_ccname     /tmp/nslcd.tkt

# Filters. Disable them if your:
# * user accounts have the "posixAccount" object class set.
# * groups have the "posixGroup" object class set.
filter  passwd  (objectClass=user)
filter  group   (objectClass=group)

# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID
map     group   uniqueMember       member
For details about these parameters, see the nslcd.conf (5) man page.
  • To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
passwd:     files ldap
group:      files ldap
  • Start the nslcd service.
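Both configurations above share the same connection and credential settings, so here is an added audit script (not from the Samba wiki or the nss-pam-ldapd project) that parses an nslcd.conf in the page's format and flags what a defender would check first: tls_reqcert allow (the DC certificate is never verified), a clear-text ldap:// URI or the ldap://...:636 scheme/port mismatch from the earlier revision of this page, an inline bindpw, and a ticket cache under /tmp. The sample configuration and the placeholder-secret value are constructed.

```python
"""Audit the nslcd.conf settings that decide whether the AD connection can be trusted.
Added example, not code from the Samba wiki page or the nss-pam-ldapd project. The
sample below is constructed from the page's own settings and keeps its weak points."""
from urllib.parse import urlsplit

SAMPLE_CONF = """\
# Local user account and group that nslcd runs as.
uid nslcd
gid ldap
uri             ldaps://127.0.0.1:636/
ssl             on
tls_reqcert     allow
base            dc=SAMDOM,dc=example,dc=com
binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw placeholder-secret
krb5_ccname     /tmp/nslcd.tkt
"""


def parse_nslcd_conf(text):
    """Map each keyword to the list of its values; uri, map and filter may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_nslcd_conf(text):
    """Return findings as (keyword, message); an empty list means nothing was flagged."""
    conf = parse_nslcd_conf(text)

    def first(key, default):
        return conf.get(key, [default])[0].lower()

    findings = []
    for uri in conf.get("uri", []):
        u = urlsplit(uri)
        if u.scheme == "ldap" and first("ssl", "off") != "start_tls":
            # A simple bind over plain ldap:// sends bindpw in clear text.
            findings.append(("uri", f"{uri}: clear-text LDAP; use ldaps:// or 'ssl start_tls'"))
        if u.scheme == "ldap" and u.port == 636:
            findings.append(("uri", f"{uri}: ldap:// on the LDAPS port 636; scheme and port disagree"))
    if first("tls_reqcert", "demand") not in ("demand", "hard"):
        # allow/try/never accept a server certificate that fails validation, so a
        # spoofed DC could answer the queries (and receive the bind password).
        findings.append(("tls_reqcert", "server certificate is not verified; set 'tls_reqcert demand'"))
    elif not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append(("tls_reqcert", "no tls_cacertfile/tls_cacertdir here; trust relies on ldap.conf"))
    if "bindpw" in conf:
        findings.append(("bindpw", "password kept in nslcd.conf; the file must not be world-readable"))
    for cc in conf.get("krb5_ccname", []):
        path = cc.split(":", 1)[1] if cc.upper().startswith("FILE:") else cc
        if path.startswith("/tmp/"):
            findings.append(("krb5_ccname", f"{cc}: predictable path in world-writable /tmp"))
    return findings
```

Run against the page's own settings the script reports three findings (tls_reqcert, bindpw, krb5_ccname) and none for the ldaps:// URI.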



Testing the User and Group Retrieval

To list users and groups having Unix attributes in Active Directory (AD) set:

  • To list all user accounts, enter:
# getent passwd
...
Administrator:*:10000:10000:Administrator:/home/Administrator:/bin/bash
demo:*:10001:10001:demo1:/home/demo:/bin/bash
At the beginning of the list, all local accounts from the /etc/passwd database are listed.
  • To list all groups, enter:
# getent group
...
Domain Users:*:10003:
demo-group:*:10001:demo1
At the beginning of the list, all local groups from the /etc/group database are listed.



Troubleshooting

If the getent command fails to load users and groups from Active Directory (AD):

  • Stop the nslcd service.
  • Start the nslcd service in debug mode:
# nslcd -d
The service is started in the foreground and the output is displayed on the screen.
  • On a second terminal, run the failed getent command again and watch the nslcd debug output.