Nslcd
From SambaWiki
Introduction
The nslcd service enables you to configure your local system to load users and groups from an LDAP directory, such as Active Directory (AD).
To enable the nslcd service to load user and group information, you have to set the Unix attributes for users and groups in AD. For details, see Maintaining Unix Attributes in AD using ADUC.
Note: Samba does not support the nslcd service.
Configuring the nslcd Service
Authenticating nslcd to AD Using a User Name and Password
To enable the nslcd service to authenticate to Active Directory (AD) using a user name and password:
- Create a new user in AD, for example nslcd-ad, and set the following options in the account's settings:
  - Password never expires
  - User cannot change password
- Add the following parameter to the [global] section of your smb.conf file:
  acl:search = no
  This is a global setting: it disables the ACL checks on LDAP search results for every LDAP client of this DC, not only for nslcd.
- Restart Samba.
- Edit the /etc/nslcd.conf file and set the following settings:
  # Local user account and group that nslcd runs as.
  uid nslcd
  gid ldap
  # Active Directory server settings (SSL encryption)
  uri ldaps://127.0.0.1:636/
  ssl on
  tls_reqcert allow
  base dc=SAMDOM,dc=example,dc=com
  pagesize 1000
  referrals off
  nss_nested_groups yes
  # LDAP bind account (the AD account created earlier)
  binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
  bindpw ...
  # Filters. Remove these two lines if your:
  # * user accounts have the "posixAccount" object class set.
  # * groups have the "posixGroup" object class set.
  filter passwd (objectClass=user)
  filter group (objectClass=group)
  # Attribute mappings
  map passwd uid sAMAccountName
  map passwd homeDirectory unixHomeDirectory
  map passwd gecos displayName
  map passwd gidNumber primaryGroupID
  map group uniqueMember member
  The file contains the bind password in clear text, so make it readable only by root (mode 0600). Note that tls_reqcert allow lets nslcd proceed even when the DC presents an invalid certificate; to actually verify the DC, set tls_reqcert demand, point tls_cacertfile at the CA certificate that issued the DC's certificate, and use the DC's host name instead of 127.0.0.1 in uri, because the name in uri must match the name in the certificate. For details about the parameters, see the nslcd.conf(5) man page.
- To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
  passwd: files ldap
  group: files ldap
- Start the nslcd service.
Authenticating nslcd to AD Using Kerberos
To enable the nslcd service to authenticate to Active Directory (AD) using Kerberos:
- Create a new user in AD, for example nslcd-ad, and set the following options in the account's settings:
  - Password never expires
  - User cannot change password
- To add the nslcd/DC_name.samdom.example.com Kerberos service principal name (SPN) to the nslcd-ad account, enter on the Samba domain controller (DC):
  # samba-tool spn add nslcd/DC_name.samdom.example.com nslcd-ad
- To extract the Kerberos keytab for the nslcd-ad account to the /etc/krb5.nslcd.keytab file, run:
  # samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=nslcd-ad
  # chown nslcd:root /etc/krb5.nslcd.keytab
  # chmod 600 /etc/krb5.nslcd.keytab
  The keytab is equivalent to the account's password: anyone who can read it can authenticate as nslcd-ad, so keep the ownership and mode shown above.
- Make sure that the Kerberos ticket is automatically renewed before it expires. For example, to auto-renew Kerberos tickets using the k5start utility:
  # k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt
  For details about the parameters, see the k5start(1) man page. Make sure that the utility used for renewal is automatically started at boot time.
- Add the following parameter to the [global] section of your smb.conf file:
  acl:search = no
  This is a global setting: it disables the ACL checks on LDAP search results for every LDAP client of this DC, not only for nslcd.
- Restart Samba.
- Edit the /etc/nslcd.conf file and set the following settings:
  # Local user account and group that nslcd runs as.
  uid nslcd
  gid ldap
  # Active Directory server settings (SSL encryption)
  uri ldaps://127.0.0.1:636/
  ssl on
  tls_reqcert allow
  base dc=SAMDOM,dc=example,dc=com
  pagesize 1000
  referrals off
  nss_nested_groups yes
  # Kerberos authentication to AD
  sasl_mech GSSAPI
  sasl_realm SAMDOM.EXAMPLE.COM
  krb5_ccname /tmp/nslcd.tkt
  # Filters. Remove these two lines if your:
  # * user accounts have the "posixAccount" object class set.
  # * groups have the "posixGroup" object class set.
  filter passwd (objectClass=user)
  filter group (objectClass=group)
  # Attribute mappings
  map passwd uid sAMAccountName
  map passwd homeDirectory unixHomeDirectory
  map passwd gecos displayName
  map passwd gidNumber primaryGroupID
  map group uniqueMember member
  The krb5_ccname path must be the same cache that k5start writes with its -k option, and the cache must be owned by the nslcd user (the -o option). Note that tls_reqcert allow lets nslcd proceed even when the DC presents an invalid certificate; to actually verify the DC, set tls_reqcert demand, point tls_cacertfile at the CA certificate that issued the DC's certificate, and use the DC's host name instead of 127.0.0.1 in uri, because the name in uri must match the name in the certificate. For details about the parameters, see the nslcd.conf(5) man page.
- To enable LDAP databases for the name service switch (NSS), add the ldap option to the following lines in the /etc/nsswitch.conf file:
  passwd: files ldap
  group: files ldap
- Start the nslcd service.
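The following script is added here as an example; it is not part of the SambaWiki page or of nslcd. It audits an nslcd.conf produced by either of the two procedures above for the settings that decide whether the bind credentials and the directory data are protected: a uri without TLS, a tls_reqcert value that accepts a bad DC certificate, a bindpw in a file that other local users can read, and a leftover bindpw next to sasl_mech GSSAPI. The three sample files are constructed; the DC name dc1.samdom.example.com and the CA path /etc/ssl/certs/samdom-ca.pem in the hardened sample are assumptions.

```shell
#!/bin/sh
# Added example, not code from the SambaWiki page or the nslcd project: audit
# an nslcd.conf for the settings that protect the bind credentials and the
# directory data in transit, for both variants above (bindpw and GSSAPI).
# The sample files are constructed; hostname and CA path in them are assumed.

# First value of a top-level key, skipping comments. The key has to start the
# line, so "map passwd uid sAMAccountName" does not match the key "uid".
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Print one line per finding; the exit status is always 0 so callers count lines.
audit_nslcd_conf() {
    conf="$1"
    uri=$(conf_get "$conf" uri)
    case "$uri" in
        ldaps://*|ldapi://*) ;;
        *) [ "$(conf_get "$conf" ssl)" = "start_tls" ] ||
               echo "uri '$uri' without ldaps:// or 'ssl start_tls': bind and lookups travel in clear text" ;;
    esac
    # 'allow' (the page's value), 'try' and 'never' all continue when the DC
    # presents a missing or bad certificate, so an on-path attacker can pose as
    # the DC, collect the bind password and hand out fake uidNumbers.
    reqcert=$(conf_get "$conf" tls_reqcert)
    case "$reqcert" in
        demand|hard)
            [ -n "$(conf_get "$conf" tls_cacertfile)$(conf_get "$conf" tls_cacertdir)" ] ||
                echo "tls_reqcert $reqcert without tls_cacertfile/tls_cacertdir: Samba's self-signed DC certificate is not in the system CA store" ;;
        *) echo "tls_reqcert is '${reqcert:-unset}': set 'demand' and point tls_cacertfile at the CA that issued the DC certificate" ;;
    esac
    sasl=$(conf_get "$conf" sasl_mech)
    if [ -n "$(conf_get "$conf" bindpw)" ]; then
        # GNU stat first, BSD stat as fallback.
        mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
        case "$mode" in
            600|400|640) ;;
            *) echo "mode $mode on a file holding bindpw: every local user can read the AD account's password (use 0600, or 0640 with group nslcd)" ;;
        esac
        [ "$sasl" != "GSSAPI" ] ||
            echo "bindpw is set although sasl_mech is GSSAPI: the unused password still sits on disk"
    elif [ "$sasl" = "GSSAPI" ] && [ -z "$(conf_get "$conf" krb5_ccname)" ]; then
        echo "sasl_mech GSSAPI without krb5_ccname: set it to the cache that k5start -k writes"
    fi
}

count_findings() {
    audit_nslcd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the password-bind settings as the page shows them.
write_page_password_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid ldap
uri ldaps://127.0.0.1:636/
ssl on
tls_reqcert allow
base dc=SAMDOM,dc=example,dc=com
binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw constructed-placeholder
map passwd uid sAMAccountName
EOF
}

# Constructed sample 2: the GSSAPI settings as the page shows them.
write_page_gssapi_conf() {
    cat > "$1" <<'EOF'
uid nslcd
uri ldaps://127.0.0.1:636/
ssl on
tls_reqcert allow
sasl_mech GSSAPI
sasl_realm SAMDOM.EXAMPLE.COM
krb5_ccname /tmp/nslcd.tkt
EOF
}

# Constructed sample 3: password bind with verification enforced. The DC name
# and the CA path are assumptions; 127.0.0.1 cannot stay because with 'demand'
# the host in uri must match the name in the DC's certificate.
write_hardened_password_conf() {
    cat > "$1" <<'EOF'
uri ldaps://dc1.samdom.example.com:636/
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/samdom-ca.pem
binddn cn=nslcd-ad,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw constructed-placeholder
EOF
}

# Stand-alone run: write the samples and audit each one.
dir=$(mktemp -d)
write_page_password_conf "$dir/password.conf"; chmod 644 "$dir/password.conf"
write_page_gssapi_conf "$dir/gssapi.conf"; chmod 600 "$dir/gssapi.conf"
write_hardened_password_conf "$dir/hardened.conf"; chmod 600 "$dir/hardened.conf"
for f in "$dir"/*.conf; do echo "== $f"; audit_nslcd_conf "$f"; done
rm -rf "$dir"
```

On a real host, run audit_nslcd_conf /etc/nslcd.conf as root. Moving from tls_reqcert allow to demand is not a one-line change: uri must name the DC as it appears in the DC's certificate, and tls_cacertfile must point at the CA that issued that certificate (for Samba's self-generated certificate, the ca.pem in the DC's private/tls directory). If either is wrong, every bind fails and getent silently returns only the local accounts, which is why the debug run described under Troubleshooting is the first thing to check after the change.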
Testing the User and Group Retrieval
To list the users and groups that have Unix attributes set in Active Directory (AD):
- To list all user accounts, enter:
  # getent passwd
  ...
  Administrator:*:10000:10000:Administrator:/home/Administrator:/bin/bash
  demo:*:10001:10001:demo1:/home/demo:/bin/bash
  At the beginning of the list, all local accounts from the /etc/passwd database are listed.
- To list all groups, enter:
  # getent group
  ...
  Domain Users:*:10003:
  demo-group:*:10001:demo1
  At the beginning of the list, all local groups from the /etc/group database are listed.
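Setting Unix attributes by hand in AD can produce entries that getent lists without complaint but that are dangerous once someone logs in with them: a uidNumber of 0, a uidNumber that a local account already uses, two domain users sharing one uidNumber, or a domain account that reuses the name of a local user. The following script is added here as an example and is not part of the SambaWiki page or of nslcd; it runs those checks over a constructed /etc/passwd and a constructed getent passwd output. The floor of 10000 for domain UIDs follows the page's sample output and is an assumption for your site.

```shell
#!/bin/sh
# Added example, not code from the SambaWiki page or the nslcd project: check
# the passwd view that nslcd adds to NSS for entries that would be dangerous to
# log in with. The sample lines are constructed; on a real host pass the
# contents of /etc/passwd and the output of 'getent passwd' instead. The
# domain UID floor of 10000 is an assumption taken from the page's examples.

# $1: local /etc/passwd lines, $2: full NSS view (getent passwd),
# $3: lowest uidNumber the domain hands out. Prints one line per finding.
check_nss_passwd() {
    min="${3:-10000}"
    { printf '%s\n' "$1"; echo '--- nss ---'; printf '%s\n' "$2"; } |
    awk -F: -v min="$min" '
        /^--- nss ---$/ { in_nss = 1; next }
        # Before the marker: remember each local line, its name and its uid.
        !in_nss { local_line[$0] = 1; local_name[$1] = 1; local_uid[$3] = $1; next }
        # After the marker: a line identical to a local entry is the local
        # database being enumerated; everything else came from AD via nslcd.
        ($0 in local_line) { next }
        ($1 in local_name) { print "FINDING " $1 ": domain account reuses the name of a local user"; next }
        $3 == 0            { print "FINDING " $1 ": uidNumber 0 makes this domain user root"; next }
        ($3 in local_uid)  { print "FINDING " $1 ": uidNumber " $3 " collides with local user " local_uid[$3]; next }
        ($3 in seen_uid)   { print "FINDING " $1 ": uidNumber " $3 " duplicates domain user " seen_uid[$3]; next }
        $3 + 0 < min       { print "FINDING " $1 ": uidNumber " $3 " is below the domain range (" min "+)"; next }
        { seen_uid[$3] = $1 }
    '
}

count_passwd_findings() {
    check_nss_passwd "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed local database.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash'

# Constructed NSS view: the local lines, the two clean domain users from the
# page, and five domain users whose Unix attributes were set badly in AD.
NSS_PASSWD="$LOCAL_PASSWD
Administrator:*:10000:10000:Administrator:/home/Administrator:/bin/bash
demo:*:10001:10001:demo1:/home/demo:/bin/bash
svc-backup:*:0:10000:svc-backup:/home/svc-backup:/bin/bash
bob:*:1000:10000:bob:/home/bob:/bin/bash
carol:*:10001:10000:carol:/home/carol:/bin/bash
dave:*:500:10000:dave:/home/dave:/bin/bash
root:*:10005:10000:root:/home/root:/bin/bash"

# Stand-alone run. On a real host:
#   check_nss_passwd "$(cat /etc/passwd)" "$(getent passwd)"
check_nss_passwd "$LOCAL_PASSWD" "$NSS_PASSWD"
```

Because /etc/nsswitch.conf lists files before ldap, a name lookup for a domain account that shares a name with a local user returns the local entry, and a uid lookup for a colliding uidNumber returns the local owner; the domain entry is still there, which is why the check is worth running after every change to Unix attributes in AD rather than only at setup time.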
Troubleshooting
If the getent command fails to load users and groups from Active Directory (AD):
- Stop the nslcd service.
- Start the nslcd service in debug mode:
  # nslcd -d
  The service is started in the foreground and the output is displayed on the screen.
- On a second terminal, run the failed getent command again and watch the nslcd debug output.