Nslcd: Difference between revisions

Older revision: Mmuehlfeld (talk | contribs), minor edit (Removed article)
Newer revision: minor edit (add the sudo apt install line in "code" field)
(2 intermediate revisions by one other user not shown)
Latest revision as of 11:30, 28 January 2022
Introduction

The nslcd service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).

To enable the nslcd service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see Maintaining Unix Attributes in AD using ADUC.

Note: Samba does not provide support for the nslcd service, other than what is on this page.
Configuring the nslcd Service

Authenticating nslcd to AD Using Kerberos

To enable the nslcd service to authenticate to Active Directory (AD) using Kerberos:

- On a Samba AD DC, create a new user in AD. For example: nslcd-ad
  Set the following options in the account's settings:
  - Set a random password
  - Password never expires
  - User cannot change password
- Extract the Kerberos keytab for the nslcd-ad account to the /tmp directory:

    sudo samba-tool domain exportkeytab /tmp/krb5.nslcd.keytab --principal=nslcd-ad
    Export one principal to /tmp/krb5.nslcd.keytab

- Copy the keytab to the Unix domain member:

    sudo scp /tmp/krb5.nslcd.keytab auser@deb11:/home/auser/
    auser@deb11's password:
    krb5.nslcd.keytab                 100%  237    72.3KB/s   00:00

- Now go to the Unix domain member (Debian 11 in this instance) and install the following packages:

    sudo apt install nslcd nslcd-utils libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-heimdal

  Note: It is understood that Samba is already installed and working.

- Move the keytab to the correct location and ensure it has the correct permissions:

    sudo mv /home/auser/krb5.nslcd.keytab /etc/krb5.nslcd.keytab
    sudo chown nslcd:root /etc/krb5.nslcd.keytab
    sudo chmod 600 /etc/krb5.nslcd.keytab
- Edit the /etc/nslcd.conf file and set the following settings:

    # /etc/nslcd.conf
    # nslcd configuration file. See nslcd.conf(5)
    # for details.

    # The user and group nslcd should run as.
    uid nslcd
    gid nslcd

    # The location at which the LDAP server(s) should be reachable.
    uri ldap://dc1.samdom.example.com/
    # Note: add lines for all your Samba DC's

    # The search base that will be used for all queries.
    base dc=samdom,dc=example,dc=com
    pagesize 1000
    referrals off
    nss_nested_groups yes

    # The LDAP protocol version to use.
    #ldap_version 3

    sasl_mech GSSAPI
    sasl_realm SAMDOM.EXAMPLE.COM
    krb5_ccname /tmp/nslcd.tkt

    # Filters
    filter passwd (objectclass=user)
    filter group (objectclass=group)

    # Attribute mappings
    map passwd uid sAMAccountName
    map passwd homeDirectory unixHomeDirectory
    map passwd gecos displayName
    map passwd gidNumber primaryGroupID

  For details about the parameters, see the nslcd.conf (5) man page.

- To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:

    passwd: files ldap
    group: files ldap
- Edit the /etc/default/nslcd file and set the following settings:

    # Defaults for nslcd init script

    # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
    # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
    # and krb5_ccname is set to a file-type ticket cache.
    # Set to "yes" to force starting k5start, any other value will not start
    # k5start.
    #K5START_START="yes"

    # Options for k5start.
    #K5START_BIN=/usr/bin/k5start
    K5START_KEYTAB=/etc/krb5.nslcd.keytab
    #K5START_CCREFRESH=60
    K5START_PRINCIPAL="nslcd-ad"

- Start the nslcd service.
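The following checker is an added example and not part of the Samba wiki page or of nss-pam-ldapd: it parses an nslcd.conf in the format shown above and reports whether the Kerberos (GSSAPI) settings, the file-type ticket cache that /etc/default/nslcd relies on for k5start, the per-DC uri lines and the sAMAccountName mapping are all in place, and whether /etc/nsswitch.conf lists ldap for passwd and group. The sample config and nsswitch fragment are constructed inline; the finding texts are this example's own wording.

```python
import re
from collections import defaultdict
# Constructed sample: the page's /etc/nslcd.conf with comments removed.
SAMPLE_CONF = """\
uid nslcd
gid nslcd
uri ldap://dc1.samdom.example.com/
base dc=samdom,dc=example,dc=com
sasl_mech GSSAPI
sasl_realm SAMDOM.EXAMPLE.COM
krb5_ccname /tmp/nslcd.tkt
filter passwd (objectclass=user)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
"""
# Constructed /etc/nsswitch.conf fragment in which "group" still lacks ldap.
SAMPLE_NSSWITCH = "passwd: files ldap\ngroup: files\nshadow: files\n"

def parse_nslcd_conf(text):
    """Map each option to the list of its argument strings (options may repeat)."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, args = line.partition(" ")
            conf[key.lower()].append(args.strip())
    return conf

def check_kerberos_setup(conf):
    """Findings against the page's GSSAPI setup; an empty list means it matches."""
    findings = []
    if "GSSAPI" not in conf["sasl_mech"] or not conf["sasl_realm"]:
        findings.append("sasl_mech GSSAPI and sasl_realm are both needed for the Kerberos bind")
    ccname = conf["krb5_ccname"][0] if conf["krb5_ccname"] else ""
    # /etc/default/nslcd only auto-starts k5start for a file-type ticket cache.
    if not re.match(r"^(FILE:)?/", ccname):
        findings.append("krb5_ccname is not a file-type cache: k5start is not auto-started")
    if conf["bindpw"]:
        findings.append("bindpw set: a cleartext password is not needed with Kerberos")
    if len(conf["uri"]) < 2:
        findings.append("only one uri: add a line for every DC so lookups survive a DC outage")
    if "passwd uid sAMAccountName" not in conf["map"]:
        findings.append("map passwd uid sAMAccountName missing: AD user names live in sAMAccountName")
    return findings

def check_nsswitch(text):
    """Return the databases among passwd/group whose nsswitch.conf line lacks 'ldap'."""
    lines = dict(re.findall(r"^(\w+):\s*(.*)$", text, re.M))
    return [db for db in ("passwd", "group") if "ldap" not in lines.get(db, "").split()]
```

Running the sample through check_kerberos_setup reports only the single-DC uri, and check_nsswitch reports group.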
Testing the User and Group Retrieval

To list users and groups having Unix attributes in Active Directory (AD) set:

- To list a user account, enter:

    # getent passwd demo
    demo:*:10001:10001:demo1:/home/demo:/bin/bash

- If you do not get any output, leave the domain, then join again and reboot.
- To list a group, enter:

    # getent group demo-group
    demo-group:*:10001:demo1
Troubleshooting

If the getent command fails to load users and groups from Active Directory (AD):

- Stop the nslcd service.
- Start the nslcd service in debug mode:

    # nslcd -d

  The service will start in the foreground and the output is displayed on the screen.

- On a second terminal, run the failed getent command again and watch the nslcd debug output.