Difference between revisions of "Nslcd"

m (Removed article)
m (/* update kerberos section)
 
Line 7: Line 7:
 
{{Imbox
 
{{Imbox
 
| type = note
 
| type = note
| text = Samba does not support the <code>nslcd</code> service.
+
| text = Samba does not provide support for the <code>nslcd</code> service, other than what is on this page.
 
}}
 
}}
  
Line 50: Line 50:
 
  bindpw ...
 
  bindpw ...
 
   
 
   
  # Filters. Disable, if your:
+
  # Filters
# * user accounts have the "posixAccount" object class set.
 
# * groups have the "posixGroup" object class set.
 
 
  filter  passwd  (objectClass=user)
 
  filter  passwd  (objectClass=user)
 
  filter  group  (objectClass=group)
 
  filter  group  (objectClass=group)
 
   
 
   
  # Attribut mappings
+
  # Attribute mappings
 
  map    passwd  uid                sAMAccountName
 
  map    passwd  uid                sAMAccountName
 
  map    passwd  homeDirectory      unixHomeDirectory
 
  map    passwd  homeDirectory      unixHomeDirectory
 
  map    passwd  gecos              displayName
 
  map    passwd  gecos              displayName
 
  map    passwd  gidNumber          primaryGroupID
 
  map    passwd  gidNumber          primaryGroupID
  map    group  uniqueMember      member
+
   
 
 
 
: For details about the parameter, see the <code>nslcd.conf (5)</code> man page.
 
: For details about the parameter, see the <code>nslcd.conf (5)</code> man page.
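Review bot: `bindpw ...` on both sides keeps the simple-bind password of the `nslcd-ad` account in cleartext in /etc/nslcd.conf, and nothing in the hunk says who may read that file; the owner and mode (root-owned, readable by the nslcd group only) belong next to the `uid nslcd` line, the way the Kerberos variant later states `chown`/`chmod` for its keytab. The added `map group uniqueMember member` line is right for AD, whose groups list their members in `member`, but the hunk also drops the old comment explaining when the two `filter` lines can be removed (accounts and groups that carry `posixAccount`/`posixGroup`); keeping one sentence of that would save readers a trip to nslcd.conf(5).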
  
Line 81: Line 78:
 
: Set the following options in the account's settings:
 
: Set the following options in the account's settings:
 
:* Password never expires
 
:* Password never expires
:* User cannot change password
+
:* User cannot change password, note: this can only be set from Windows
 
 
* To add the <code>nslcd/DC_name.samdom.example.com</code> Kerberos service principal name (SPN) to the <code>nslcd-ad</code> account, enter on the Samba domain controller (DC):
 
 
 
# samba-tool spn add nslcd/DC_name.samdom.example.com ldap-connect
 
  
 
* Extract the Kerberos keytab for the <code>nslcd-ad</code> account to the <code>/etc/krb5.nslcd.keytab</code> file, run:
 
* Extract the Kerberos keytab for the <code>nslcd-ad</code> account to the <code>/etc/krb5.nslcd.keytab</code> file, run:
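Review bot: removing the `samba-tool spn add nslcd/DC_name.samdom.example.com ldap-connect` step is correct rather than a loss: nslcd acts only as a Kerberos client, so it needs the keytab of its own account (`nslcd-ad`, exported in the next step) and the DC's existing `ldap/` service principal, not an SPN of its own. The removed command also registered the SPN on an account called `ldap-connect` while the text names the account `nslcd-ad`, so it would have been a mismatch had it stayed. The new wording `User cannot change password, note: this can only be set from Windows` reads better as a parenthesis: `User cannot change password (this can only be set from Windows)`.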
Line 109: Line 102:
 
  # Local user account and group, nslcd uses.
 
  # Local user account and group, nslcd uses.
 
  uid nslcd
 
  uid nslcd
  gid ldap
+
  gid nslcd
 
   
 
   
  # Active Directory server settings (SSL encryption)
+
  # Active Directory server settings
  uri            ldaps://127.0.0.1:636/
+
  uri            ldap://dc1.samdom.example.com/
ssl            on
+
  base            dc=samdom,dc=example,dc=com
tls_reqcert    allow
 
  base            dc=SAMDOM,dc=example,dc=com
 
 
  pagesize        1000
 
  pagesize        1000
 
  referrals      off
 
  referrals      off
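Review bot: the right-hand side drops `ssl on` and `tls_reqcert allow` together with the `ldaps://127.0.0.1:636/` URI and connects to `ldap://dc1.samdom.example.com/` without TLS. That is defensible only because this variant also sets `sasl_mech GSSAPI`, so no password crosses the wire; the directory data itself still travels unencrypted unless a SASL security layer is negotiated, and the text should say so. For the simple-bind variant of this file, `tls_reqcert allow` is the wrong value to copy: it accepts a server certificate that cannot be verified, so the combination to recommend is `ssl on` with `tls_reqcert demand` and the DC's CA certificate configured through `tls_cacertfile`. The `gid ldap` to `gid nslcd` change means a local `nslcd` group must exist; the base DN case change (`dc=SAMDOM` to `dc=samdom`) is harmless because DNs compare case-insensitively.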
Line 125: Line 116:
 
  krb5_ccname    /tmp/nslcd.tkt
 
  krb5_ccname    /tmp/nslcd.tkt
 
   
 
   
  # Filters. Disable, if your:
+
  # Filters
# * user accounts have the "posixAccount" object class set.
 
# * groups have the "posixGroup" object class set.
 
 
  filter  passwd  (objectClass=user)
 
  filter  passwd  (objectClass=user)
 
  filter  group  (objectClass=group)
 
  filter  group  (objectClass=group)
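Review bot: `krb5_ccname /tmp/nslcd.tkt` is unchanged context here, but this Kerberos hunk is where the text should say what protects that cache: /tmp is world-writable, so the file is only as safe as its owner and mode, which depend on k5start creating it as the nslcd user (the `-o nslcd` option in the k5start line). A cache path under a root-owned directory that is not world-writable would remove that dependency.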
Line 135: Line 124:
 
  map    passwd  homeDirectory      unixHomeDirectory
 
  map    passwd  homeDirectory      unixHomeDirectory
 
  map    passwd  gecos              displayName
 
  map    passwd  gecos              displayName
  map    passwd  gidNumber          primaryGroupID
+
  # Uncomment the following line to use Domain Users as the users primary group
  map    group  uniqueMember      member
+
#map    passwd  gidNumber          primaryGroupID
 
+
   
 
: For details about the parameter, see the <code>nslcd.conf (5)</code> man page.
 
: For details about the parameter, see the <code>nslcd.conf (5)</code> man page.
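Review bot: the new comment `# Uncomment the following line to use Domain Users as the users primary group` above the commented-out `map passwd gidNumber primaryGroupID` should say what the mapping actually does: the AD `primaryGroupID` attribute holds the group's RID (513 for Domain Users), and nslcd would return that number as the user's gidNumber, which only resolves to a group name if some group carries that value as its gidNumber. Leaving the mapping commented out, as this revision does, makes nslcd use the `gidNumber` attribute set under the Unix attributes instead, which matches the `demo:*:10001:10001` output shown later; note that the simple-bind section of the page still has the mapping active.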
  
Line 144: Line 133:
 
  passwd:    files ldap
 
  passwd:    files ldap
 
  group:      files ldap
 
  group:      files ldap
 +
 +
 +
 +
Edit the /etc/default/nslcd file and set the following settings:
 +
 +
# Defaults for nslcd init script
 +
 +
# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
 +
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
 +
# and krb5_ccname is set to a file-type ticket cache.
 +
# Set to "yes" to force starting k5start, any other value will not start
 +
# k5start.
 +
#K5START_START="yes"
 +
 +
# Options for k5start.
 +
#K5START_BIN=/usr/bin/k5start
 +
K5START_KEYTAB=/etc/krb5.nslcd.keytab
 +
#K5START_CCREFRESH=60
 +
K5START_PRINCIPAL="nslcd-ad"
  
 
* Start the <code>nslcd</code> service.
 
* Start the <code>nslcd</code> service.
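Review bot: `K5START_PRINCIPAL="nslcd-ad"` carries no realm, so k5start appends the default realm from /etc/krb5.conf; the text should note that this must be the same realm as `sasl_realm SAMDOM.EXAMPLE.COM` in nslcd.conf, or the principal will not be found in `/etc/krb5.nslcd.keytab`. The block also leaves `#K5START_START="yes"` commented and relies on the auto-detection described in its own comments (`sasl_mech GSSAPI` plus a file-type `krb5_ccname`); after this change the manual `k5start -f ... -b -k /tmp/nslcd.tkt` step earlier in the section and the init-script-managed k5start would both try to maintain the same cache, so the text should tell readers to use one or the other.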
Line 155: Line 163:
 
To list users and groups having Unix attributes in Active Directory (AD) set:
 
To list users and groups having Unix attributes in Active Directory (AD) set:
  
* To list all users accounts, enter:
+
* To list a users account, enter:
  
  # getent passwd
+
  # getent passwd demo
...
 
Administrator:*:10000:10000:Administrator:/home/Administrator:/bin/bash
 
 
  demo:*:10001:10001:demo1:/home/demo:/bin/bash
 
  demo:*:10001:10001:demo1:/home/demo:/bin/bash
  
: At the beginning of the list, all local accounts from the <code>/etc/passwd</code> database are listed.
+
* To list a group, enter:
  
* To list all groups, enter:
+
# getent group demo-group
 +
demo-group:*:10001:demo1
  
# getent group
 
...
 
Domain Users:*:10003:
 
demo-group:*:10001:demo1
 
  
: At the beginning of the list, all local groups from the <code>/etc/groups</code> database are listed.
 
  
  
Line 187: Line 189:
 
  # nslcd -d
 
  # nslcd -d
  
: The service is started in forground and the output is displayed on the screen.
+
: The service will start in the foreground and the output is displayed on the screen.
  
 
* On a second terminal, run the failed <code>getent</code> command again and watch the <code>nslcd</code> debug output.
 
* On a second terminal, run the failed <code>getent</code> command again and watch the <code>nslcd</code> debug output.

Latest revision as of 08:23, 22 August 2019

Introduction

The nslcd service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).

To enable the nslcd service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see Maintaining Unix Attributes in AD using ADUC.



Configuring the nslcd Service

Authenticating nslcd to AD Using a User Name and Password

To enable the nslcd service to authenticate to Active Directory (AD) using a user name and password:

  • Create a new user in AD. For example: nslcd-ad
Set the following options in the account's settings:
  • Password never expires
  • User cannot change password
  • Add the following parameter to the [global] section of your smb.conf file:
acl:search = no
  • Restart Samba.
  • Edit the /etc/nslcd.conf file and set the following settings:
# Local user account and group, nslcd uses.
uid nslcd
gid ldap

# Active Directory server settings (SSL encryption)
uri             ldaps://127.0.0.1:636/
ssl             on
tls_reqcert     allow
base            dc=SAMDOM,dc=example,dc=com
pagesize        1000
referrals       off
nss_nested_groups yes

# LDAP bind account (AD account created in earlier)
binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw ...

# Filters
filter  passwd  (objectClass=user)
filter  group   (objectClass=group)

# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID

For details about the parameters, see the nslcd.conf (5) man page.
  • To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
passwd:     files ldap
group:      files ldap
  • Start the nslcd service.


Authenticating nslcd to AD Using Kerberos

To enable the nslcd service to authenticate to Active Directory (AD) using Kerberos:

  • Create a new user in AD. For example: nslcd-ad
Set the following options in the account's settings:
  • Password never expires
  • User cannot change password (note: this can only be set from Windows)
  • Extract the Kerberos keytab for the nslcd-ad account to the /etc/krb5.nslcd.keytab file, run:
# samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=nslcd-ad
# chown nslcd:root /etc/krb5.nslcd.keytab
# chmod 600 /etc/krb5.nslcd.keytab
  • Make sure that the Kerberos ticket is automatically renewed before it expires. For example, to auto-renew Kerberos tickets using the k5start utility:
# k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt
For details about the parameters, see the k5start (5) man page. Make sure that the utility used for renewal is automatically started at boot time.
  • Add the following parameter to the [global] section of your smb.conf file:
acl:search = no
  • Restart Samba.
  • Edit the /etc/nslcd.conf file and set the following settings:
# Local user account and group, nslcd uses.
uid nslcd
gid nslcd

# Active Directory server settings
uri             ldap://dc1.samdom.example.com/
base            dc=samdom,dc=example,dc=com
pagesize        1000
referrals       off
nss_nested_groups yes

# Kerberos authentication to AD
sasl_mech       GSSAPI
sasl_realm      SAMDOM.EXAMPLE.COM
krb5_ccname     /tmp/nslcd.tkt

# Filters
filter  passwd  (objectClass=user)
filter  group   (objectClass=group)

# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
# Uncomment the following line to use Domain Users as the users primary group
#map     passwd  gidNumber          primaryGroupID

For details about the parameters, see the nslcd.conf (5) man page.
  • To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
passwd:     files ldap
group:      files ldap


Edit the /etc/default/nslcd file and set the following settings:

# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
#K5START_START="yes"

# Options for k5start.
#K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.nslcd.keytab
#K5START_CCREFRESH=60
K5START_PRINCIPAL="nslcd-ad"
  • Start the nslcd service.
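The two nslcd.conf variants above (simple bind over LDAPS with a bindpw, and GSSAPI with a keytab-fed ticket cache) differ in what protects the credential. The following script is an added example written for this page; it is not part of the Samba wiki or of nss-pam-ldapd. It audits a given nslcd.conf and keytab for exactly the points the two sections touch: a cleartext bindpw in a world-readable file, a simple bind without TLS, a tls_reqcert value that skips certificate verification, a ticket cache under /tmp, and a keytab readable by anyone but its owner. The keywords it reads are those of nslcd.conf(5); the finding codes it prints are invented for the example.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): audit the security-relevant
# settings of an nslcd.conf and of the keytab named in /etc/default/nslcd.
# Assumptions: the config uses the "keyword value" syntax of nslcd.conf(5);
# the finding codes (BINDPW-READABLE, CLEARTEXT-BIND, TLS-NOVERIFY,
# CCACHE-TMP, KEYTAB-READABLE, KEYTAB-MISSING) are invented for this script.

# conf_get FILE KEYWORD: print the first value of KEYWORD, skipping comments.
conf_get() {
    awk -v key="$2" '$1 ~ /^#/ { next } $1 == key { print $2; exit }' "$1"
}

# world_readable FILE: true if "other" has read permission on FILE.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# group_or_world_readable FILE: true if group or other can read FILE.
group_or_world_readable() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# audit_nslcd_conf FILE: print one finding per line; nothing when clean.
audit_nslcd_conf() {
    f="$1"
    uri=$(conf_get "$f" uri)
    ssl=$(conf_get "$f" ssl)
    reqcert=$(conf_get "$f" tls_reqcert)
    sasl=$(conf_get "$f" sasl_mech)
    ccname=$(conf_get "$f" krb5_ccname)

    # 1. A simple-bind password sits in cleartext in the file, so the file
    #    itself must not be readable by unrelated local users.
    if [ -n "$(conf_get "$f" bindpw)" ] && world_readable "$f"; then
        echo "BINDPW-READABLE: $f holds bindpw but is world-readable"
    fi

    # 2. Transport: an ldaps:// URI or "ssl on"/"ssl start_tls" wraps the
    #    session in TLS. Without it a simple bind sends the password in the
    #    clear; a GSSAPI bind does not, so that combination is not flagged.
    tls=no
    case "$uri" in ldaps://*) tls=yes ;; esac
    case "$ssl" in on|start_tls) tls=yes ;; esac
    if [ "$tls" = no ] && [ "$sasl" != GSSAPI ]; then
        echo "CLEARTEXT-BIND: simple bind over ${uri:-<no uri>} without TLS"
    fi

    # 3. tls_reqcert never/allow/try accepts a server certificate that cannot
    #    be verified, which removes the server authentication TLS should give.
    if [ "$tls" = yes ]; then
        case "$reqcert" in
            never|allow|try)
                echo "TLS-NOVERIFY: tls_reqcert $reqcert does not verify the DC certificate" ;;
        esac
    fi

    # 4. A ticket cache in a world-writable directory is only as safe as its
    #    owner and mode; flag it so the k5start owner (-o) gets checked.
    case "$ccname" in
        /tmp/*|/var/tmp/*)
            echo "CCACHE-TMP: krb5_ccname $ccname lives in a world-writable directory" ;;
    esac
    return 0
}

# audit_keytab FILE: the exported keytab is a long-term key; mode 600 is the target.
audit_keytab() {
    if [ ! -f "$1" ]; then
        echo "KEYTAB-MISSING: $1 does not exist"
    elif group_or_world_readable "$1"; then
        echo "KEYTAB-READABLE: $1 is readable by group or others, expected mode 600"
    fi
    return 0
}

# Stand-alone use: ./audit-nslcd.sh /etc/nslcd.conf /etc/krb5.nslcd.keytab
if [ $# -ge 1 ]; then
    audit_nslcd_conf "$1"
    if [ $# -ge 2 ]; then
        audit_keytab "$2"
    fi
fi
```

Run it against the simple-bind configuration from the first section and it reports the world-readable bindpw (if the file mode allows it) and the `tls_reqcert allow` setting; against the Kerberos configuration it reports only the /tmp ticket cache, since the GSSAPI bind carries no password.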



Testing the User and Group Retrieval

To list users and groups having Unix attributes in Active Directory (AD) set:

  • To list a user's account, enter:
# getent passwd demo
demo:*:10001:10001:demo1:/home/demo:/bin/bash
  • To list a group, enter:
# getent group demo-group
demo-group:*:10001:demo1




Troubleshooting

If the getent command fails to load users and groups from Active Directory (AD):

  • Stop the nslcd service.
  • Start the nslcd service in debug mode:
# nslcd -d
The service will start in the foreground and the output is displayed on the screen.
  • On a second terminal, run the failed getent command again and watch the nslcd debug output.
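The getent checks above and the troubleshooting steps look at the whole passwd line at once. The following script is an added example, not part of the Samba wiki, that checks one user field by field so the output names the part of the NSS chain that is broken: the user not being returned at all, a primary GID that does not resolve to a group (what you see when gidNumber is mapped to a value such as a primaryGroupID RID that no group carries), or empty home-directory and shell fields. It assumes a getent(1) that exits non-zero when the key is not found; the NO-USER, NO-GROUP, NO-HOME, NO-SHELL and OK codes are names made up for this script.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): check what getent returns for one
# user, field by field, so the output says which part of the NSS setup fails.
# Assumes getent(1) exits non-zero for an unknown key; the diagnostic codes
# NO-USER, NO-GROUP, NO-HOME, NO-SHELL and OK are invented for this script.

# passwd_field LINE N: print field N of a passwd(5)/group(5)-style line.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# check_nss_user NAME: return 0 if the user resolves with a usable primary
# group, home directory and shell; print why and return 1 otherwise.
check_nss_user() {
    user="$1"
    line=$(getent passwd "$user") || {
        echo "NO-USER: $user not returned by the passwd database (nslcd not running, filter or map wrong?)"
        return 1
    }
    uid=$(passwd_field "$line" 3)
    gid=$(passwd_field "$line" 4)
    home=$(passwd_field "$line" 6)
    shell=$(passwd_field "$line" 7)
    status=0

    # The primary GID must resolve through the group database, otherwise
    # tools show a bare number: typical when gidNumber is mapped to a value
    # (such as a primaryGroupID RID) that no group carries as its gidNumber.
    if grp=$(getent group "$gid"); then
        echo "OK: $user uid=$uid primary group $(passwd_field "$grp" 1) ($gid)"
    else
        echo "NO-GROUP: gid $gid of $user does not resolve to a group"
        status=1
    fi

    # Empty home-directory or shell attributes in AD show up as empty fields.
    if [ -z "$home" ]; then
        echo "NO-HOME: $user has an empty home directory field"
        status=1
    fi
    if [ -z "$shell" ]; then
        echo "NO-SHELL: $user has an empty login shell field"
        status=1
    fi
    return $status
}

# Stand-alone use: ./check-nss-user.sh demo
if [ $# -ge 1 ]; then
    check_nss_user "$1"
fi
```

Because it only calls getent, the script exercises the same NSS path that login and file-ownership lookups use; run it with nslcd stopped and started to see NO-USER turn into OK, and use the NO-GROUP case to tell a missing group gidNumber apart from a broken nslcd connection.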