Difference between revisions of "Nslcd"

m (Added information since which version nslcd supports nested groups)
m (/* update kerberos section)
 
(16 intermediate revisions by 2 users not shown)
Older revision (left side of the diff; the latest revision is reproduced in full below):

= Advantages / Disadvantages =

''Because people may find that some of the disadvantages are advantages or vice versa in their environment, we won't classify here.''

* Fast and easy to configure.

* Requires central storage of posix data (UID/GID, home directory, shell, etc.) in AD. Your domain has to be provisioned/upgraded with <tt>--use-rfc2307</tt> to store this data. Accounts/groups can then be administered, e. g. via ADUC on Windows.

* UIDs/GIDs are the same on every server.

* Doesn't require the machine to be joined to the domain. A simple LDAP connection to the DC (389/tcp for LDAP or 646/tcp for LDAPs) is enough.

* Requires nslcd and pam_ldap to be installed on your system.

* Resolving of nested groups is supported since nslcd 0.8.13 (<tt>nss_nested_groups yes</tt>).

= Installation =

Most distributions already ship nslcd in their default installation. In RHEL6 the package is named <tt>nss-pam-ldapd</tt>.

If you want to authenticate local *nix services on your server against AD, you additionally require <tt>pam_ldap</tt>.

= Configuring nslcd =

The following basic example lets nslcd retrieve its information from AD through a separate account. nslcd is also capable of using Kerberos; that is not part of this HowTo.

* Create a new user account in your AD that nslcd uses to bind via LDAP and retrieve its information. Make sure that you configure this account with the "password never expires" option! Remember the DN (distinguished name) of the new user. The following example uses the DN "cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com".

* Currently not all required posix information can be retrieved via LDAP ([https://bugzilla.samba.org/show_bug.cgi?id=9788 Bug report #9788]), because of incorrect directory ACLs. As a workaround, simply add the following to your <tt>smb.conf</tt> on the DC nslcd is connecting to, and restart Samba:

 [global]
 ...
   acl:search = no

* Use the following content in your <tt>/etc/nslcd.conf</tt>:

 # Mappings for Active Directory
 pagesize 1000
 referrals off
 
 # Passwd
 filter  passwd  (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
 map    passwd  uid                sAMAccountName
 map    passwd  homeDirectory      unixHomeDirectory
 map    passwd  gecos              displayName
 map    passwd  gidNumber          primaryGroupID
 
 # Groups
 filter  group  (&(objectClass=group)(gidNumber=*))
 map    group  uniqueMember      member
 
 # User/group with which the daemon should run (must be a local account!)
 uid nslcd
 gid ldap
 
 # LDAP server settings
 uri ldap://127.0.0.1:389/
 base dc=SAMDOM,dc=example,dc=com
 
 # Account in AD that is used from nslcd to bind to the directory
 binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
 bindpw xxxxx

* Start the nslcd daemon.

* Append <tt>ldap</tt> to the <tt>passwd</tt> and <tt>group</tt> entries of your <tt>/etc/nsswitch.conf</tt>, to let the system query LDAP for these databases.

  passwd:    files ldap
  group:      files ldap

* All accounts/groups are now available to the local system.

== Testing ==

* Test 1: Retrieving accounts via <tt>getent</tt>. This should show local and domain accounts (which have the required posix attributes).

 # getent passwd
 ...
 Administrator:*:10000:513::/home/Administrator:/bin/bash
 demo1:*:10002:513:Demo User1:/home/demo1:/bin/false

* Test 2: Retrieving groups via <tt>getent</tt>. This should show local and domain groups (which have the required posix attributes).

 # getent group
 ...
 Domain Users:*:10000:demo1
 demo-group:*:10003:demo1

* Test 3: Change owner/group of a file to a domain user/group:

 # touch /tmp/testfile
 # chown Administrator:"Domain Users" /tmp/testfile
 # ls -l /tmp/testfile
 -rw-r--r-- 1  Administrator  Domain Users  0  26. Aug 22:35 /tmp/testfile

= Configuring PAM (pam_ldap) =

To authenticate local services (SSH, FTP, etc.) which use PAM, you can set up <tt>pam_ldap</tt> to authenticate against AD via LDAP.

* Edit <tt>/etc/pam_ldap.conf</tt>:

 base dc=SAMDOM,dc=example,dc=com
 binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
 bindpw xxxxx
 bind_policy soft
 pam_login_attribute sAMAccountName
 uri ldap://127.0.0.1:389/
 ssl no

* Edit your PAM configuration file(s) corresponding to the services you want to hook up. The following is an example of a PAM configuration that can be used e. g. for ssh (<tt>/etc/pam.d/sshd</tt>). But be careful: Changes take effect immediately!

 #%PAM-1.0
 auth    required      pam_nologin.so
 auth    sufficient    pam_ldap.so
 auth    required      pam_unix.so      use_first_pass # set_secrpc
 
 account  required      pam_unix.so
 
 password required      pam_pwcheck.so
 password required      pam_ldap.so      use_authtok
 password required      pam_unix.so      use_first_pass use_authtok
 
 session  required      pam_unix.so
 session  required      pam_limits.so
 session  required      pam_env.so

== Testing ==

* Test 1: Try accessing a service or log in to a service you have configured to use pam_ldap. Example for ssh:

 # ssh demo1@DC1
 demo1@dc1's password:
 Last login: Mon Aug 26 22:59:40 2013 from pc01.samdom.example.com
 [demo1@DC1 ~]$

Latest revision as of 08:23, 22 August 2019

Introduction

The nslcd service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).

To enable the nslcd service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see Maintaining Unix Attributes in AD using ADUC.



Configuring the nslcd Service

Authenticating nslcd to AD Using a User Name and Password

To enable the nslcd service to authenticate to Active Directory (AD) using a user name and password:

  • Create a new user in AD. For example: nslcd-ad
    Set the following options in the account's settings:
      • Password never expires
      • User cannot change password
  • Add the following parameter to the [global] section of your smb.conf file:
acl:search = no
  • Restart Samba.
  • Edit the /etc/nslcd.conf file and set the following settings:
# Local user account and group that nslcd runs as.
uid nslcd
gid ldap

# Active Directory server settings (SSL encryption)
uri             ldaps://127.0.0.1:636/
ssl             on
tls_reqcert     allow
base            dc=SAMDOM,dc=example,dc=com
pagesize        1000
referrals       off
nss_nested_groups yes

# LDAP bind account (AD account created earlier)
binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw ...

# Filters
filter  passwd  (objectClass=user)
filter  group   (objectClass=group)

# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID

For details about the parameters, see the nslcd.conf (5) man page.
  • To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
passwd:     files ldap
group:      files ldap
  • Start the nslcd service.


Authenticating nslcd to AD Using Kerberos

To enable the nslcd service to authenticate to Active Directory (AD) using Kerberos:

  • Create a new user in AD. For example: nslcd-ad
    Set the following options in the account's settings:
      • Password never expires
      • User cannot change password, note: this can only be set from Windows
  • Extract the Kerberos keytab for the nslcd-ad account to the /etc/krb5.nslcd.keytab file, run:
# samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=nslcd-ad
# chown nslcd:root /etc/krb5.nslcd.keytab 
# chmod 600 /etc/krb5.nslcd.keytab
  • Make sure that the Kerberos ticket is automatically renewed before it expires. For example, to auto-renew Kerberos tickets using the k5start utility:
# k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt
For details about the parameters, see the k5start (5) man page. Make sure that the utility used for renewal is automatically started at boot time.
  • Add the following parameter to the [global] section of your smb.conf file:
acl:search = no
  • Restart Samba.
  • Edit the /etc/nslcd.conf file and set the following settings:
# Local user account and group that nslcd runs as.
uid nslcd
gid nslcd

# Active Directory server settings
uri             ldap://dc1.samdom.example.com/
base            dc=samdom,dc=example,dc=com
pagesize        1000
referrals       off
nss_nested_groups yes

# Kerberos authentication to AD
sasl_mech       GSSAPI
sasl_realm      SAMDOM.EXAMPLE.COM
krb5_ccname     /tmp/nslcd.tkt

# Filters
filter  passwd  (objectClass=user)
filter  group   (objectClass=group)

# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
# Uncomment the following line to use Domain Users as the user's primary group
#map     passwd  gidNumber          primaryGroupID

For details about the parameters, see the nslcd.conf (5) man page.
  • To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
passwd:     files ldap
group:      files ldap


Edit the /etc/default/nslcd file and set the following settings:

# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
#K5START_START="yes"

# Options for k5start.
#K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.nslcd.keytab
#K5START_CCREFRESH=60
K5START_PRINCIPAL="nslcd-ad"
  • Start the nslcd service.
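The two nslcd.conf variants above differ in how the bind is protected: the password variant relies on LDAPS but sets tls_reqcert allow, while the Kerberos variant binds with GSSAPI over plain ldap://. The following checker, an added example that is not part of this wiki page or of nslcd, parses an nslcd.conf and reports the transport and identity settings a reviewer would want tightened; the keyword names are those of nslcd.conf(5), the sample configurations are constructed from the ones on this page, and the bindpw value is a placeholder.

```python
"""Review an nslcd.conf for weak transport and identity settings (added example, not from the Samba wiki)."""

def parse_nslcd_conf(text):
    """nslcd.conf is 'keyword value' per line; whole-line '#' comments; keywords may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("\t", " ").partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def review_nslcd_conf(text):
    """Return findings about the bind mechanism, TLS validation and UID filtering."""
    c = parse_nslcd_conf(text)
    findings = []
    uris = " ".join(c.get("uri", [])).split()           # 'uri' may list several servers
    plain = [u for u in uris if u.lower().startswith("ldap://")]
    starttls = c.get("ssl", ["off"])[-1].lower() == "start_tls"
    gssapi = any(v.upper() == "GSSAPI" for v in c.get("sasl_mech", []))
    tls_used = starttls or any(u.lower().startswith("ldaps://") for u in uris)
    if "bindpw" in c and plain and not starttls and not gssapi:
        findings.append("simple bind over ldap:// without start_tls: bindpw is sent in cleartext")
    if "bindpw" in c:
        findings.append("bindpw stored in nslcd.conf: keep the file readable only by root and the nslcd user")
    reqcert = c.get("tls_reqcert", ["demand"])[-1].lower()   # assumes the libldap default 'demand'
    if tls_used and reqcert in ("never", "allow"):
        findings.append(f"tls_reqcert {reqcert}: DC certificate is not validated, so TLS does not authenticate the server")
    if gssapi and plain and not starttls:
        findings.append("GSSAPI bind over ldap://: confidentiality relies on SASL sign/seal, not TLS")
    if "nss_min_uid" not in c:
        findings.append("nss_min_uid not set: directory entries with any uidNumber, including 0, are accepted")
    return findings

# Constructed samples mirroring the two configurations on this page (bindpw value is a placeholder).
PASSWORD_CONF = """\
uri             ldaps://127.0.0.1:636/
ssl             on
tls_reqcert     allow
base            dc=SAMDOM,dc=example,dc=com
binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw PLACEHOLDER
"""
KERBEROS_CONF = """\
uri             ldap://dc1.samdom.example.com/
base            dc=samdom,dc=example,dc=com
sasl_mech       GSSAPI
krb5_ccname     /tmp/nslcd.tkt
"""
```

Running review_nslcd_conf on a live /etc/nslcd.conf lists what to change; an empty list means ldaps:// or start_tls with tls_reqcert demand and an nss_min_uid floor are in place.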



Testing the User and Group Retrieval

To list users and groups having Unix attributes in Active Directory (AD) set:

  • To list a user's account, enter:
# getent passwd demo
demo:*:10001:10001:demo1:/home/demo:/bin/bash
  • To list a group, enter:
# getent group demo-group
demo-group:*:10001:demo1
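Once getent returns directory entries, the merged "files ldap" view should also be checked for collisions: an AD account with the same name as a local one, or with a uidNumber that a local account already owns, silently shares that identity on the host. The following script, an added example that is not part of this wiki page, compares a local passwd file against merged getent output; both inputs are constructed, with two deliberate collisions appended to the entries shown on this page.

```python
"""Detect name and numeric-id collisions between local and AD-supplied NSS entries (added example)."""

def parse_entries(text):
    """Parse passwd- or group-style lines (name:passwd:id:...) into a list of (name, id)."""
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            out.append((f[0], int(f[2])))
    return out

def find_collisions(local_text, merged_text):
    """local_text is /etc/passwd (or /etc/group); merged_text is `getent passwd` (or group) output.
    Returns directory names that shadow local names, and (id, local name, directory name)
    triples where a directory entry reuses a local numeric id under a different name."""
    local = parse_entries(local_text)
    local_names = {n for n, _ in local}
    local_ids = {i: n for n, i in local}
    directory = [e for e in parse_entries(merged_text) if e not in local]
    name_clash = sorted(n for n, _ in directory if n in local_names)
    id_clash = sorted((i, local_ids[i], n) for n, i in directory if i in local_ids and local_ids[i] != n)
    return name_clash, id_clash

# Constructed samples: a local /etc/passwd and the merged `getent passwd` output of "files ldap".
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
nslcd:x:115:120::/var/run/nslcd/:/bin/false
"""
GETENT_PASSWD = LOCAL_PASSWD + """\
Administrator:*:10000:513::/home/Administrator:/bin/bash
demo1:*:10002:513:Demo User1:/home/demo1:/bin/false
backup:*:10005:513:AD account named like a local one:/home/backup:/bin/bash
svc-legacy:*:0:513:AD entry carrying uidNumber 0:/home/svc-legacy:/bin/bash
"""
```

The second collision is exactly what nss_min_uid in nslcd.conf prevents; the first needs a naming convention or a passwd filter on the directory side.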




Troubleshooting

If the getent command fails to load users and groups from Active Directory (AD):

  • Stop the nslcd service.
  • Start the nslcd service in debug mode:
# nslcd -d
The service will start in the foreground and the output is displayed on the screen.
  • On a second terminal, run the failed getent command again and watch the nslcd debug output.