Nslcd: Difference between revisions

From SambaWiki
m (Switched order of changing nsswitch.conf and start of nslcd)
m (add the sudo apt install line in "code" field)
 
(16 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Introduction =
= Advantages and disadvantages of nslcd =


The <code>nslcd</code> service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).
''Because people may find that some of the disadvantages are advantages or vice versa in their environment, we won't classify here.''


To enable the <code>nslcd</code> service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see [[Maintaining_Unix_Attributes_in_AD_using_ADUC|Maintaining Unix Attributes in AD using ADUC]].
* Fast and easy to configure.


{{Imbox
* Requires central storage of posix data (UID/GID, home directory, shell, etc.) in AD. Your domain have to be provisioned/upgraded with <tt>--use-rfc2307</tt> to store this data.
| type = note
| text = Samba does not provide support for the <code>nslcd</code> service, other than what is on this page.
}}


* UIDs/GIDs are the same on every server, because of the central storage inside the directory.


* Doesn't require the machine to be joined to the domain. Only a LDAP and Kerberos (if used) connection is used.


* Requires nslcd, Cyrus SASL GSSAPI and pam_ldap installed on your system.


* Resolving of nested groups is supported in nslcd 0.9.0 and later (<tt>nss_nested_groups yes</tt>).


= Configuring the nslcd Service =


== Authenticating nslcd to AD Using Kerberos ==


To enable the <code>nslcd</code> service to authenticate to Active Directory (AD) using Kerberos:


* On a Samba AD DC, create a new user in AD. For example: <code>nslcd-ad</code>
: Set the following options in the account's settings:
:* Set a random password
:* Password never expires
:* User cannot change password


= Installation =


Extract the Kerberos keytab for the nslcd-ad account to the /tmp directory
Most distributions ship nss-pam-ldapd, which contains nslcd, in their default installation. If you intent do use Kerberos, you additionally require to install Cyrus SASL with GSSAPI support. Depending on the version of nlscd you use, not all required Kerberos features may be supported. See the manpage of nslcd.conf for the supported options.


sudo samba-tool domain exportkeytab /tmp/krb5.nslcd.keytab --principal=nslcd-ad
If you want to authenticate local *nix services on your server against AD, additionaly you require <tt>pam_ldap</tt>.
Export one principal to /tmp/krb5.nslcd.keytab




Copy the keytab to the Unix domain member:
sudo scp /tmp/krb5.nslcd.keytab auser@deb11:/home/auser/
auser@deb11's password:
krb5.nslcd.keytab 100% 237 72.3KB/s 00:00




Now go to the Unix domain member (Debian 11 in this instance) and install the following packages:


sudo apt install nslcd nslcd-utils libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-heimdal
= Configuring nslcd =


{{Imbox
== Method 1: Connecting to AD via Bind DN and password ==
| type = note
| text = It is understood that Samba is already installed and working.
}}


The following basic example of an <tt>nslcd.conf</tt> let the daemon retrieve it's information by binding via an AD account. Connections with this setup will be <u>unencrypted</u>, except you have setup [[Setup_LDAPS_on_a_DC|LDAP over SSL]] on your DC and change the following example nslcd.conf accordingly!


Move the keytab to the correct location and ensure it has the correct permissions:
* Create a new user account in your AD, nslcd will use to bind via LDAP and retrieve it's information. Make sure, that you configure this account with the „Password never expires“ option! It's recommented also to set „User cannot change password“. Remember the DN (distinguished name) of the new account. The following example uses the DN „cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com“.


sudo mv /home/auser/krb5.nslcd.keytab /etc/krb5.nslcd.keytab
* Currently not all required posix information could be retrieved via LDAP ([https://bugzilla.samba.org/show_bug.cgi?id=9788 Bug report #9788]), because of incorrect directory ACLs. As a workaround, simply add the following to your <tt>smb.conf</tt> on the DC, nslcd is connecting to and restart Samba:
sudo chown nslcd:root /etc/krb5.nslcd.keytab
sudo chmod 600 /etc/krb5.nslcd.keytab


[global]
...
acl:search = no


* Use the following content in your <tt>/etc/nslcd.conf</tt>:
* Edit the <code>/etc/nslcd.conf</code> file and set the following settings:


# /etc/nslcd.conf
# User/group with which the daemon should run (must be a local account!)
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
uid nslcd
gid ldap
gid nslcd
# LDAP/AD server settings
# The location at which the LDAP server(s) should be reachable.
uri ldap://127.0.0.1:389
uri ldap://dc1.samdom.example.com/
# Note: add lines for all your Samba DC's
base dc=SAMDOM,dc=example,dc=com
# The search base that will be used for all queries.
# Some settings for AD
base dc=samdom,dc=example,dc=com
pagesize 1000
pagesize 1000
referrals off
referrals off
nss_nested_groups yes
# The LDAP protocol version to use.
# Filters (only required if your accounts doesn't have objectClass=posixAccount
#ldap_version 3
# and your groups haven't objectClass=posixGroup. This objectClasses won't be added
# by ADUC. So they won't be there automatically!)
filter passwd (objectClass=user)
filter group (objectClass=group)
sasl_mech GSSAPI
# Attribut mappings (depending on your nslcd version, some might not be
sasl_realm SAMDOM.EXAMPLE.COM
# necessary or can cause errors and can/must be removed)
krb5_ccname /tmp/nslcd.tkt
# Filters
filter passwd (objectclass=user)
filter group (objectclass=group)
# Attribute mappings
map passwd uid sAMAccountName
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map passwd gidNumber primaryGroupID

map group uniqueMember member
: For details about the parameters, see the <code>nslcd.conf (5)</code> man page.
# LDAP bind (Account in AD that is used from nslcd to bind to the directory)
binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx



* Append <tt>ldap</tt> to the <tt>passwd</tt> and <tt>group</tt> entry of your <tt>/etc/nsswitch.conf</tt>, to let the system query LDAP for these databases.
* To enable LDAP databases for the name service switch (NSS), add the <code>ldap</code> option to the following lines in the <code>/etc/nsswitch.conf</code> file:


passwd: files ldap
passwd: files ldap
group: files ldap
group: files ldap


* Start the nslcd daemon.


Edit the /etc/default/nslcd file and set the following settings:
* All domain accounts/groups are now available to the local system.


# Defaults for nslcd init script


== Method 2: Connecting to AD via Kerberos ==

The following basic example of an nslcd.conf let nslcd retrieve it's information by using Kerberos. The connection will be <u>encrypted</u>.

* Create a new user account in your AD. Make sure, that you configure this account with the „Password never expires“ option! It's recommented also to set „User cannot change password“. If the machine is joined to the domain, you can skip this step and use the machine account instead, if you want. The following example uses the domain account „ldap-connect“.

* Add a [http://msdn.microsoft.com/en-us/library/windows/desktop/ms677949%28v=vs.85%29.aspx SPN (service principal name)] to the account you've created. On your Samba host this can be done by the following command (replace „dc1.samdom.example.com“ with the name of the host you'll run nslcd on):

# samba-tool spn add nslcd/dc1.samdom.example.com ldap-connect

* Extract the keytab for this account and make sure, it is readable only for the user nslcd runs under:

# samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=ldap-connect
# chown nslcd:root /etc/krb5.nslcd.keytab
# chmod 600 /etc/krb5.nslcd.keytab

* As Kerberos tickets have to be renewed before they expire, you have to take care of this job. <tt>k5start</tt> is a usefull tool for that. The following command starts k5start in background mode. The above created keytab is used and the owner of the the cache file will be the local account, nslcd uses to run (parameter „uid“ in <tt>nslcd.conf</tt>):

# k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt

:Remember to start k5start on system startup. Otherwise the ticket won't be renewed after reboot!

* Use the following content in your <tt>/etc/nslcd.conf</tt>:

# User/group with which the daemon should run (must be a local account!)
uid nslcd
gid ldap
# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# LDAP/AD server settings
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
uri ldap://127.0.0.1:389
# and krb5_ccname is set to a file-type ticket cache.
base dc=SAMDOM,dc=example,dc=com
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
#K5START_START="yes"
# Some settings for AD
# Options for k5start.
#K5START_BIN=/usr/bin/k5start
pagesize 1000
K5START_KEYTAB=/etc/krb5.nslcd.keytab
referrals off
#K5START_CCREFRESH=60
K5START_PRINCIPAL="nslcd-ad"
# Filters (only required if your accounts doesn't have objectClass=posixAccount
# and your groups haven't objectClass=posixGroup. This objectClasses won't be added
# by ADUC. So they won't be there automatically!)
filter passwd (objectClass=user)
filter group (objectClass=group)
# Attribut mappings (depending on your nslcd version, some might not be
# necessary or can cause errors and can/must be removed)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map group uniqueMember member
# Kerberos
sasl_mech GSSAPI
sasl_realm SAMDOM.EXAMPLE.COM
krb5_ccname /tmp/nslcd.tkt


* Start the <code>nslcd</code> service.
* Append <tt>ldap</tt> to the <tt>passwd</tt> and <tt>group</tt> entry of your <tt>/etc/nsswitch.conf</tt>, to let the system query LDAP for these databases.


passwd: files ldap
group: files ldap


* Start the nslcd daemon.


* All domain accounts/groups are now available to the local system.




= Testing the User and Group Retrieval =


To list users and groups having Unix attributes in Active Directory (AD) set:
== Testing ==


* To list a users account, enter:
* Test 1: Retrieving accounts via <tt>getent</tt>. This should show local and domain accounts with posix attributes. Please check that all fields contain the values set in AD (UID, primaryGroup, homeDirectory, shell).


# getent passwd
# getent passwd demo
demo:*:10001:10001:demo1:/home/demo:/bin/bash
...
Administrator:*:10000:513::/home/Administrator:/bin/bash
demo1:*:10002:513:Demo User1:/home/demo1:/bin/false


* If you do not get any output, leave the domain, then join again and reboot
* Test 2: Retrieving groups via <tt>getent</tt>. This should show local and domain groups with posix attributes. Please check that the output contains all fields set in AD (GID, members).


# getent group
* To list a group, enter:
...
Domain Users:*:10000:demo1
demo-group:*:10003:demo1


# getent group demo-group
* Test 3: Change owner/group of of a file to a domain user/group:
demo-group:*:10001:demo1
# touch /tmp/testfile
# chown Administrator:"Domain Users" /tmp/testfile
# ls -l /tmp/testfile
-rw-r--r-- 1 Administrator Domain Users 0 26. Aug 22:35 /tmp/testfile




Line 178: Line 146:




= Configuring PAM (pam_ldap) =


== Method 1: Connecting to AD via Bind DN and password ==


= Troubleshooting =
To authenticate local services (SSH, FTP, etc.) which uses PAM, you can setup <tt>pam_ldap</tt> to authenticate against AD via LDAP.


If the <code>getent</code> command fails to load users and groups from Active Directory (AD):
* Edit <tt>/etc/pam_ldap.conf</tt>:


* Stop the <code>nslcd</code> service.
base dc=SAMDOM,dc=example,dc=com
binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx
bind_policy soft
pam_login_attribute sAMAccountName
uri ldap://127.0.0.1:389:389/
ssl no

* Edit your PAM configuration file(s) corresponding to the services you want to hook up. The following is an example for a PAM configuration, that can be used e. g. for ssh (<tt>/etc/pam.d/sshd</tt>). But be carefull: Change take effect immediately!

#%PAM-1.0M-1.0
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass # set_secrpc
account required pam_unix.so
password required pam_pwcheck.so
password required pam_ldap.so use_authtok
password required pam_unix.so use_first_pass use_authtok
session required pam_unix.so
session required pam_limits.so
session required pam_env.so


* Start the <code>nslcd</code> service in debug mode:


# nslcd -d


: The service will start in the foreground and the output is displayed on the screen.
== Testing ==


* On a second terminal, run the failed <code>getent</code> command again and watch the <code>nslcd</code> debug output.
* Test 1: Try accessing a service or log into a service, you have configured to use pam_ldap. Example for ssh:
# ssh demo1@DC1
demo1@dc1's password:
Last login: Mon Aug 26 22:59:40 2013 from pc01.samdom.example.com
[demo1@DC1 ~]$

Latest revision as of 11:30, 28 January 2022

Introduction

The nslcd service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).

To enable the nslcd service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see Maintaining Unix Attributes in AD using ADUC.



Configuring the nslcd Service

Authenticating nslcd to AD Using Kerberos

To enable the nslcd service to authenticate to Active Directory (AD) using Kerberos:

  • On a Samba AD DC, create a new user in AD. For example: nslcd-ad
Set the following options in the account's settings:
  • Set a random password
  • Password never expires
  • User cannot change password


Extract the Kerberos keytab for the nslcd-ad account to the /tmp directory

sudo samba-tool domain exportkeytab /tmp/krb5.nslcd.keytab --principal=nslcd-ad
Export one principal to /tmp/krb5.nslcd.keytab


Copy the keytab to the Unix domain member:

sudo scp /tmp/krb5.nslcd.keytab auser@deb11:/home/auser/
auser@deb11's password: 
krb5.nslcd.keytab                             100%  237    72.3KB/s   00:00    


Now go to the Unix domain member (Debian 11 in this instance) and install the following packages:

sudo apt install nslcd nslcd-utils libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-heimdal


Move the keytab to the correct location and ensure it has the correct permissions:

sudo mv /home/auser/krb5.nslcd.keytab /etc/krb5.nslcd.keytab
sudo chown nslcd:root /etc/krb5.nslcd.keytab 
sudo chmod 600 /etc/krb5.nslcd.keytab


  • Edit the /etc/nslcd.conf file and set the following settings:
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri             ldap://dc1.samdom.example.com/
# Note: add lines for all your Samba DC's

# The search base that will be used for all queries.
base dc=samdom,dc=example,dc=com
pagesize 1000
referrals off
nss_nested_groups yes

# The LDAP protocol version to use.
#ldap_version 3

sasl_mech GSSAPI
sasl_realm SAMDOM.EXAMPLE.COM
krb5_ccname /tmp/nslcd.tkt

# Filters
filter passwd (objectclass=user)
filter group (objectclass=group)

# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID


For details about the parameters, see the nslcd.conf (5) man page.


  • To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
passwd:     files ldap
group:      files ldap


Edit the /etc/default/nslcd file and set the following settings:

# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
#K5START_START="yes"

# Options for k5start.
#K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.nslcd.keytab
#K5START_CCREFRESH=60
K5START_PRINCIPAL="nslcd-ad"
  • Start the nslcd service.



Testing the User and Group Retrieval

To list users and groups having Unix attributes in Active Directory (AD) set:

  • To list a users account, enter:
# getent passwd demo
demo:*:10001:10001:demo1:/home/demo:/bin/bash
  • If you do not get any output, leave the domain, then join again and reboot
  • To list a group, enter:
# getent group demo-group
demo-group:*:10001:demo1




Troubleshooting

If the getent command fails to load users and groups from Active Directory (AD):

  • Stop the nslcd service.
  • Start the nslcd service in debug mode:
# nslcd -d
The service will start in the foreground and the output is displayed on the screen.
  • On a second terminal, run the failed getent command again and watch the nslcd debug output.