Nslcd: Difference between revisions

Mmuehlfeld (talk | contribs) (Reworked HowTo and added Kerberos support for nslcd)
m (update kerberos section)
(15 intermediate revisions by 2 users not shown)
Previous revision:

= Advantages and disadvantages of nslcd =

''Because people may find that some of the disadvantages are advantages or vice versa in their environment, we won't classify here.''

* Fast and easy to configure.
* Requires central storage of posix data (UID/GID, home directory, shell, etc.) in AD. Your domain has to be provisioned/upgraded with <tt>--use-rfc2307</tt> to store this data.
* UIDs/GIDs are the same on every server, because of the central storage inside the directory.
* Doesn't require the machine to be joined to the domain. Only an LDAP connection and, if used, a Kerberos connection are needed.
* Requires nslcd, Cyrus SASL GSSAPI and pam_ldap installed on your system.
* Resolving of nested groups is supported in nslcd 0.9.0 and later (<tt>nss_nested_groups yes</tt>).

= Installation =

Most distributions ship nss-pam-ldapd, which contains nslcd, in their default installation. If you intend to use Kerberos, you additionally have to install Cyrus SASL with GSSAPI support. Depending on the version of nslcd you use, not all required Kerberos features may be supported. See the nslcd.conf man page for the supported options.

If you want to authenticate local *nix services on your server against AD, you additionally require <tt>pam_ldap</tt>.

= Configuring nslcd =

== Method 1: Connecting to AD via Bind DN and password ==

The following basic example of an <tt>nslcd.conf</tt> lets the daemon retrieve its information by binding via an AD account. Connections with this setup will be <u>unencrypted</u>, unless you have set up [[Setup_LDAPS_on_a_DC|LDAP over SSL]] on your DC and change the following example nslcd.conf accordingly!

* Create a new user account in your AD that nslcd will use to bind via LDAP and retrieve its information. Make sure that you configure this account with the „Password never expires“ option! It's recommended to also set „User cannot change password“. Remember the DN (distinguished name) of the new account. The following example uses the DN „cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com“.

* Currently not all required posix information can be retrieved via LDAP ([https://bugzilla.samba.org/show_bug.cgi?id=9788 Bug report #9788]), because of incorrect directory ACLs. As a workaround, add the following to the <tt>smb.conf</tt> on the DC nslcd connects to, and restart Samba:

 [global]
 ...
 acl:search = no

*
 # User/group with which the daemon should run (must be a local account!)
 uid nslcd
 gid ldap
 #
 uri
 base dc=SAMDOM,dc=example,dc=com
 # Some settings for AD
 pagesize 1000
 referrals off
 # Filters (only required if your accounts don't have objectClass=posixAccount
 # and your groups don't have objectClass=posixGroup. These objectClasses won't be added
 # by ADUC, so they won't be there automatically!)
 filter passwd (objectClass=user)
 filter group (objectClass=group)
 # Attribute mappings (depending on your nslcd version, some might not be
 # necessary or can cause errors and can/must be removed)
 map passwd uid sAMAccountName
 map passwd homeDirectory unixHomeDirectory
 map passwd gecos displayName
 map passwd gidNumber primaryGroupID
 map group uniqueMember member
 # LDAP bind (Account in AD that is used from nslcd to bind to the directory)
 binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
 bindpw xxxxx

* Start the nslcd daemon.

* Append <tt>ldap</tt> to the <tt>passwd</tt> and <tt>group</tt> entries of your <tt>/etc/nsswitch.conf</tt>, to let the system query LDAP for these databases:

 passwd: files ldap
 group: files ldap

* All domain accounts/groups are now available to the local system.

==

The following basic example of an nslcd.conf lets nslcd retrieve its information by using Kerberos. The connection will be <u>encrypted</u>.

* Create a new user account in your AD. Make sure that you configure this account with the „Password never expires“ option! It's recommended to also set „User cannot change password“. If the machine is joined to the domain, you can skip this step and use the machine account instead. The following example uses the domain account „ldap-connect“.

* Add an [http://msdn.microsoft.com/en-us/library/windows/desktop/ms677949%28v=vs.85%29.aspx SPN (service principal name)] to the account you've created. On your Samba host this can be done with the following command (replace „dc1.samdom.example.com“ with the name of the host you'll run nslcd on):

 # samba-tool

* Extract the keytab for this account and make sure it is readable only by the user nslcd runs under:

 # samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=ldap-connect
 # chown nslcd:root /etc/krb5.nslcd.keytab
 # chmod 600 /etc/krb5.nslcd.keytab

* As Kerberos tickets have to be renewed before they expire, you have to take care of this job. <tt>k5start</tt> is a useful tool for that. The following command starts k5start in background mode. The keytab created above is used, and the owner of the cache file will be the local account nslcd runs as (parameter „uid“ in <tt>nslcd.conf</tt>):

 # k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt

: Remember to start k5start on system startup. Otherwise the ticket won't be renewed after a reboot!

*
 # User/group with which the daemon should run (must be a local account!)
 uid nslcd
 gid
 #
 uri ldap://
 base dc=
 #
 pagesize 1000
 referrals off
 # Filters (only required if your accounts don't have objectClass=posixAccount
 # and your groups don't have objectClass=posixGroup. These objectClasses won't be added
 # by ADUC, so they won't be there automatically!)
 filter passwd (objectClass=user)
 filter group (objectClass=group)
 # Attribute mappings
 # necessary or can cause errors and can/must be removed)
 map passwd uid sAMAccountName
 map passwd homeDirectory unixHomeDirectory
 map passwd gecos displayName
 map passwd gidNumber primaryGroupID
 map
 # Kerberos
 sasl_mech GSSAPI
 sasl_realm SAMDOM.EXAMPLE.COM
 krb5_ccname /tmp/nslcd.tkt

* Start the nslcd daemon.

* Append <tt>ldap</tt> to the <tt>passwd</tt> and <tt>group</tt> entries of your <tt>/etc/nsswitch.conf</tt>, to let the system query LDAP for these databases:

 passwd: files ldap
 group: files ldap

* All domain accounts/groups are now available to the local system.

== Testing ==

* Test 1: Retrieving accounts via <tt>getent</tt>. This should show local and domain accounts with posix attributes. Please check that all fields contain the values set in AD (UID, primaryGroup, homeDirectory, shell).

 # getent passwd
 ...
 Administrator:*:10000:513::/home/Administrator:/bin/bash
 demo1:*:10002:513:Demo User1:/home/demo1:/bin/false

* Test 2: Retrieving groups via <tt>getent</tt>. This should show local and domain groups with posix attributes. Please check that the output contains all fields set in AD (GID, members).

 # getent group
 ...
 Domain Users:*:10000:demo1
 demo-group:*:10003:demo1

* Test 3: Change the owner/group of a file to a domain user/group:

 # touch /tmp/testfile
 # chown Administrator:"Domain Users" /tmp/testfile
 # ls -l /tmp/testfile
 -rw-r--r-- 1 Administrator Domain Users 0 26. Aug 22:35 /tmp/testfile

= Configuring PAM (pam_ldap) =

== Method 1: Connecting to AD via Bind DN and password ==

To authenticate local services (SSH, FTP, etc.) which use PAM, you can set up <tt>pam_ldap</tt> to authenticate against AD via LDAP.

* Edit <tt>/etc/pam_ldap.conf</tt>:

 base dc=SAMDOM,dc=example,dc=com
 binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
 bindpw xxxxx
 bind_policy soft
 pam_login_attribute sAMAccountName
 uri ldap://127.0.0.1:389/
 ssl no

* Edit your PAM configuration file(s) corresponding to the services you want to hook up. The following is an example of a PAM configuration that can be used e.g. for ssh (<tt>/etc/pam.d/sshd</tt>). But be careful: changes take effect immediately!

 #%PAM-1.0
 auth     required   pam_nologin.so
 auth     sufficient pam_ldap.so
 auth     required   pam_unix.so use_first_pass # set_secrpc
 account  required   pam_unix.so
 password required   pam_pwcheck.so
 password required   pam_ldap.so use_authtok
 password required   pam_unix.so use_first_pass use_authtok
 session  required   pam_unix.so
 session  required   pam_limits.so
 session  required   pam_env.so

== Testing ==

* Test 1: Try accessing a service, or log into a service, that you have configured to use pam_ldap. Example for ssh:

 # ssh demo1@DC1
 demo1@dc1's password:
 Last login: Mon Aug 26 22:59:40 2013 from pc01.samdom.example.com
 [demo1@DC1 ~]$
Revision as of 08:23, 22 August 2019
= Introduction =

The <code>nslcd</code> service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).

To enable the <code>nslcd</code> service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see [[Maintaining_Unix_Attributes_in_AD_using_ADUC|Maintaining Unix Attributes in AD using ADUC]].

{{Imbox
| type = note
| text = Samba does not provide support for the <code>nslcd</code> service, other than what is on this page.
}}
= Configuring the nslcd Service =

== Authenticating nslcd to AD Using a User Name and Password ==

To enable the <code>nslcd</code> service to authenticate to Active Directory (AD) using a user name and password:

* Create a new user in AD. For example: <code>nslcd-ad</code>

: Set the following options in the account's settings:

:* Password never expires
:* User cannot change password

* Add the following parameter to the <code>[global]</code> section of your <code>smb.conf</code> file:

 acl:search = no

* Restart Samba.

* Edit the <code>/etc/nslcd.conf</code> file and set the following settings:

 # Local user account and group, nslcd uses.
 uid nslcd
 gid ldap
 #
 # Active Directory server settings (SSL encryption)
 uri ldaps://127.0.0.1:636/
 ssl on
 tls_reqcert allow
 base dc=SAMDOM,dc=example,dc=com
 pagesize 1000
 referrals off
 nss_nested_groups yes
 #
 # LDAP bind account (AD account created earlier)
 binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
 bindpw ...
 #
 # Filters
 filter passwd (objectClass=user)
 filter group (objectClass=group)
 #
 # Attribute mappings
 map passwd uid sAMAccountName
 map passwd homeDirectory unixHomeDirectory
 map passwd gecos displayName
 map passwd gidNumber primaryGroupID

: For details about the parameters, see the <code>nslcd.conf (5)</code> man page.

* To enable LDAP databases for the name service switch (NSS), add the <code>ldap</code> option to the following lines in the <code>/etc/nsswitch.conf</code> file:

 passwd: files ldap
 group: files ldap

* Start the <code>nslcd</code> service.
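The bind DN/password configuration above (and "Method 1" of the previous revision) stores an AD password in <code>nslcd.conf</code> and relies on the transport settings to keep it off the wire. The following script is an added example written for this page, not code from the Samba wiki or the nss-pam-ldapd project: it lints such a file for the points a reviewer would check (daemon not left running as root, owner-only permissions once <code>bindpw</code> is present, an encrypted URI or <code>ssl</code> setting, and a <code>tls_reqcert</code> value that actually verifies the DC's certificate). It assumes a Linux host, since it uses GNU <code>stat</code> for the file mode; the sample configs it writes are constructed and not taken from any real system.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page: lint an nslcd.conf that binds
# with a DN and password. Assumes a Linux host (GNU stat for the file mode).
# Prints one line per finding and returns 0 only when nothing is flagged.

check_nslcd_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # nslcd.conf is "keyword value" per line; drop comments and blank lines once.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    get() { printf '%s\n' "$body" | awk -v k="$1" '$1 == k { print $2; exit }'; }

    # Without 'uid' the daemon keeps running as root.
    [ -n "$(get uid)" ] || { echo "no 'uid' set: nslcd would keep running as root"; findings=$((findings + 1)); }

    # A bind password turns the file into a secret: owner-only permissions.
    if [ -n "$(get bindpw)" ]; then
        mode=$(stat -c '%a' "$conf")
        case $mode in
            600|400) ;;
            *) echo "bindpw present but mode is $mode (want 600)"; findings=$((findings + 1)) ;;
        esac
    fi

    # Transport: ldaps:// (or a local ldapi:// socket), or 'ssl on'/'ssl start_tls';
    # otherwise the bind password crosses the network in clear text.
    uri=$(get uri)
    ssl=$(get ssl)
    case $uri in
        ldaps://*|ldapi://*) ;;
        *) [ "$ssl" = on ] || [ "$ssl" = start_tls ] || {
               echo "uri $uri without ssl: bind password sent unencrypted"
               findings=$((findings + 1)); } ;;
    esac

    # 'tls_reqcert allow' or 'never' accept any server certificate, so TLS no
    # longer proves you are talking to your own DC.
    reqcert=$(get tls_reqcert)
    case $reqcert in
        allow|never) echo "tls_reqcert $reqcert: server certificate is not verified"; findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not from the page) so the check can be tried offline.
write_samples() {
    dir=$1
    cat > "$dir/good.conf" <<'EOF'
uid nslcd
gid ldap
uri ldaps://127.0.0.1:636/
ssl on
tls_reqcert demand
base dc=SAMDOM,dc=example,dc=com
binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw example-only-password
EOF
    chmod 600 "$dir/good.conf"
    cat > "$dir/weak.conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://127.0.0.1:389/
ssl off
tls_reqcert allow
base dc=SAMDOM,dc=example,dc=com
binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw example-only-password
EOF
    chmod 644 "$dir/weak.conf"
}

# Usage: sh nslcd-lint.sh /etc/nslcd.conf
if [ "$#" -gt 0 ]; then
    check_nslcd_conf "$1"
fi
```

The page's own example uses <code>tls_reqcert allow</code> against <code>ldaps://127.0.0.1</code>, which is acceptable when nslcd talks to the DC on the same host; the lint flags it anyway so that the setting is a conscious decision rather than something copied along when the URI later points at a remote DC.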
== Authenticating nslcd to AD Using Kerberos ==

To enable the <code>nslcd</code> service to authenticate to Active Directory (AD) using Kerberos:

* Create a new user in AD. For example: <code>nslcd-ad</code>

: Set the following options in the account's settings:

:* Password never expires
:* User cannot change password. Note: this can only be set from Windows.

* Extract the Kerberos keytab for the <code>nslcd-ad</code> account to the <code>/etc/krb5.nslcd.keytab</code> file and restrict it to the account <code>nslcd</code> runs as. Run:

 # samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=nslcd-ad
 # chown nslcd:root /etc/krb5.nslcd.keytab
 # chmod 600 /etc/krb5.nslcd.keytab

* Make sure that the Kerberos ticket is automatically renewed before it expires. For example, to auto-renew Kerberos tickets using the <code>k5start</code> utility:

 # k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt

: For details about the parameters, see the <code>k5start (5)</code> man page. Make sure that the utility used for renewal is automatically started at boot time.

* Add the following parameter to the <code>[global]</code> section of your <code>smb.conf</code> file:

 acl:search = no

* Restart Samba.

* Edit the <code>/etc/nslcd.conf</code> file and set the following settings:

 # Local user account and group, nslcd uses.
 uid nslcd
 gid nslcd
 #
 # Active Directory server settings
 uri ldap://dc1.samdom.example.com/
 base dc=samdom,dc=example,dc=com
 pagesize 1000
 referrals off
 nss_nested_groups yes
 #
 # Kerberos authentication to AD
 sasl_mech GSSAPI
 sasl_realm SAMDOM.EXAMPLE.COM
 krb5_ccname /tmp/nslcd.tkt
 #
 # Filters
 filter passwd (objectClass=user)
 filter group (objectClass=group)
 #
 # Attribute mappings
 map passwd uid sAMAccountName
 map passwd homeDirectory unixHomeDirectory
 map passwd gecos displayName
 # Uncomment the following line to use Domain Users as the users' primary group
 #map passwd gidNumber primaryGroupID

: For details about the parameters, see the <code>nslcd.conf (5)</code> man page.

* To enable LDAP databases for the name service switch (NSS), add the <code>ldap</code> option to the following lines in the <code>/etc/nsswitch.conf</code> file:

 passwd: files ldap
 group: files ldap

* Edit the <code>/etc/default/nslcd</code> file and set the following settings:

 # Defaults for nslcd init script
 
 # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
 # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
 # and krb5_ccname is set to a file-type ticket cache.
 # Set to "yes" to force starting k5start, any other value will not start
 # k5start.
 #K5START_START="yes"
 
 # Options for k5start.
 #K5START_BIN=/usr/bin/k5start
 K5START_KEYTAB=/etc/krb5.nslcd.keytab
 #K5START_CCREFRESH=60
 K5START_PRINCIPAL="nslcd-ad"

* Start the <code>nslcd</code> service.
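The Kerberos variant spreads its state over three places that have to agree: the keytab (the account's long-term key, which must be readable only by the account <code>nslcd</code> drops to), <code>nslcd.conf</code> (<code>sasl_mech</code>, <code>sasl_realm</code>, <code>krb5_ccname</code>) and the ticket cache that <code>k5start</code> writes with <code>-k</code> (or via <code>/etc/default/nslcd</code>). A cache path mismatch is the classic silent failure: <code>klist</code> shows a valid ticket, yet nslcd's GSSAPI bind fails. The script below is an added example written for this page, not code from the Samba wiki or the nss-pam-ldapd project; it checks that the three pieces line up. It assumes a Linux host (GNU <code>stat</code>) and the <code>K5START_KEYTAB=</code> line format shown above; the sample files it writes are constructed, and the keytab it creates is an empty placeholder whose only purpose is to carry ownership and mode.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page: check that the Kerberos pieces
# of the nslcd setup agree with each other. Assumes a Linux host (GNU stat) and
# the /etc/default/nslcd layout shown on the page (K5START_KEYTAB=...).
#   $1  nslcd.conf
#   $2  /etc/default/nslcd (or any file carrying K5START_KEYTAB=)
#   $3  ticket cache path handed to k5start with -k
# Prints one line per finding and returns 0 only when nothing is flagged.

check_krb5_wiring() {
    conf=$1
    defaults=$2
    ccache_written=$3
    findings=0
    flag() { echo "$1"; findings=$((findings + 1)); }

    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    get() { printf '%s\n' "$body" | awk -v k="$1" '$1 == k { print $2; exit }'; }

    [ "$(get sasl_mech)" = GSSAPI ] || flag "sasl_mech is not GSSAPI"
    [ -n "$(get sasl_realm)" ]     || flag "sasl_realm missing"

    # nslcd reads the cache that k5start writes; a mismatch shows up as GSSAPI
    # bind failures although klist on the k5start cache looks fine.
    ccname=$(get krb5_ccname)
    if [ -z "$ccname" ]; then
        flag "krb5_ccname missing"
    elif [ "${ccname#FILE:}" != "$ccache_written" ]; then
        flag "krb5_ccname $ccname differs from the cache k5start writes ($ccache_written)"
    fi

    # The keytab is the account's long-term key: owner must be nslcd's uid
    # (a name or a numeric id in nslcd.conf), mode 600.
    keytab=$(sed -n 's/^K5START_KEYTAB=//p' "$defaults" | tr -d '"')
    if [ -z "$keytab" ]; then
        flag "K5START_KEYTAB not set in $defaults"
    elif [ ! -f "$keytab" ]; then
        flag "keytab $keytab does not exist"
    else
        want=$(get uid)
        owner=$(stat -c '%U' "$keytab")
        owner_num=$(stat -c '%u' "$keytab")
        mode=$(stat -c '%a' "$keytab")
        [ "$owner" = "$want" ] || [ "$owner_num" = "$want" ] || flag "keytab owned by $owner, but nslcd runs as $want"
        [ "$mode" = 600 ] || flag "keytab mode is $mode (want 600)"
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample files (not from the page). The keytab is an empty
# placeholder; only its ownership and mode are examined.
write_krb5_samples() {
    dir=$1
    me=$(id -u)
    printf 'uid %s\ngid nslcd\nuri ldap://dc1.samdom.example.com/\nbase dc=samdom,dc=example,dc=com\nsasl_mech GSSAPI\nsasl_realm SAMDOM.EXAMPLE.COM\nkrb5_ccname /tmp/nslcd.tkt\n' "$me" > "$dir/nslcd.conf"
    printf 'K5START_KEYTAB=%s/krb5.nslcd.keytab\nK5START_PRINCIPAL="nslcd-ad"\n' "$dir" > "$dir/default-nslcd"
    : > "$dir/krb5.nslcd.keytab"
    chmod 600 "$dir/krb5.nslcd.keytab"
}

# Usage: sh krb5-wiring.sh /etc/nslcd.conf /etc/default/nslcd /tmp/nslcd.tkt
if [ "$#" -eq 3 ]; then
    check_krb5_wiring "$1" "$2" "$3"
fi
```

Run it once after the configuration steps and again after any change to the k5start command line or init defaults; the third argument is whatever you pass to <code>k5start -k</code>, which on the page is <code>/tmp/nslcd.tkt</code>.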
= Testing the User and Group Retrieval =

To list users and groups having Unix attributes in Active Directory (AD) set:

* To list a user account, enter:

 # getent passwd demo
 demo:*:10001:10001:demo1:/home/demo:/bin/bash

* To list a group, enter:

 # getent group demo-group
 demo-group:*:10001:demo1
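Checking single entries by hand, as above, does not catch the two problems that matter once the whole directory is exposed through NSS: accounts whose Unix attributes were never filled in (empty home directory or shell), and a domain account whose <code>uidNumber</code> collides with a local account, in which case the kernel treats the two as the same user. The following script is an added example written for this page, not code from the Samba wiki or the nss-pam-ldapd project. It reads <code>getent passwd</code> output on stdin and reports both conditions; the sample it carries is constructed, not real output from any system.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page: mechanise the "check that all
# fields contain the values set in AD" step. Reads lines in getent passwd
# format from stdin, prints one line per entry with missing Unix attributes and
# one per UID that two different names share, and returns 0 only when nothing
# is flagged.
check_passwd_entries() {
    awk -F: '
        NF != 7 { printf "%s: malformed entry (%d fields)\n", $1, NF; bad++; next }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { printf "%s: non-numeric UID/GID\n", $1; bad++ }
        $6 == "" { printf "%s: empty home directory (unixHomeDirectory not set?)\n", $1; bad++ }
        $7 == "" { printf "%s: empty login shell (loginShell not set?)\n", $1; bad++ }
        # Two names with one UID: the kernel cannot tell them apart, so the
        # domain account would own and read everything the local account does.
        ($3 in seen) && seen[$3] != $1 { printf "%s: UID %s already used by %s\n", $1, $3, seen[$3]; bad++ }
        !($3 in seen) { seen[$3] = $1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample (not real getent output): one clean local account, two
# clean domain accounts, one without a home directory and one that reuses UID 0.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
Administrator:*:10000:513::/home/Administrator:/bin/bash
demo1:*:10002:513:Demo User1:/home/demo1:/bin/false
nohome:*:10003:513:No Home::/bin/bash
clash:*:0:513:Clashing UID:/home/clash:/bin/bash'

# Usage: getent passwd | sh check-passwd.sh
#        sh check-passwd.sh --sample   (runs on the constructed sample above)
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_PASSWD" | check_passwd_entries
fi
```

Because <code>getent passwd</code> merges the <code>files</code> and <code>ldap</code> sources in the order given in <code>/etc/nsswitch.conf</code>, feeding its full output through the check is exactly what exposes a collision between a local UID and one assigned in AD.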
= Troubleshooting =

If the <code>getent</code> command fails to load users and groups from Active Directory (AD):

* Stop the <code>nslcd</code> service.

* Start the <code>nslcd</code> service in debug mode:

 # nslcd -d

: The service will start in the foreground and the output is displayed on the screen.

* On a second terminal, run the failed <code>getent</code> command again and watch the <code>nslcd</code> debug output.