<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Thanks a lot, Brian. Things appear to be working now... but I have some issues; can you help me solve them?<br><br>First of all, I cannot really understand what is going on. Kerberos is still needed, as far as I can see.<br><br>I've emerged sys-auth/nss-ldapd and sys-auth/pam_krb5; why nss-ldapd and not nss_ldap? Because I can't get it working. Through your links I've found this: <a href="https://help.ubuntu.com/community/ADWin2k8KerberosLDAP?highlight=((ActiveDirectoryHowto))">https://help.ubuntu.com/community/ADWin2k8KerberosLDAP?highlight=%28%28ActiveDirectoryHowto%29%29</a><br><br>I followed the instructions but skipped the keytab generation in the Windows CLI, and configured /etc/krb5.conf like this:<br><br><div>auth ~ # cat /etc/krb5.conf</div><div>[libdefaults]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>default_realm = IF.UFRJ.BR</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>dns_lookup_realm = true</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>dns_lookup_kdc = true</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>ticket_lifetime = 24h</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>renew_lifetime = 7d</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>forwardable = true</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>verify_ap_req_nofail = false</div><div><br></div><div>[appdefaults]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>kinit = {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>renewable = true</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>forwardable = true</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div><div><br></div><div>[realms]</div><div># use "kdc = ..." 
if realm admins haven't put SRV records into DNS</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>IF.UFRJ.BR = {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>kdc = ad.if.ufrj.br</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>default_domain = if.ufrj.br</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div><div><span class="Apple-tab-span" style="white-space:pre"> </span></div><div>[domain_realm]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>.if.ufrj.br = IF.UFRJ.BR</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>if.ufrj.br = IF.UFRJ.BR</div><div><br></div><div>[logging]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>default = FILE:/var/log/krb5libs.log</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>kdc = FILE:/var/log/krb5kdc.log</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>admin_server = FILE:/var/log/kadmind.log</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>kdc_rotate = {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>period = 1d</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>version = 10</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div><div><br>Other files that may be of interest:<br><br>/etc/nss-ldapd.conf</div><div><div>uri ldap://ad.if.ufrj.br</div><div><br></div><div>base dc=if,dc=ufrj,dc=br</div><div>scope sub</div><div><br></div><div>binddn cn=ldapquery,cn=Users,dc=if,dc=ufrj,dc=br</div><div>bindpw procur4NOel3d4p3 </div><div><br></div><div>filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))</div><div>map passwd uid sAMAccountName</div><div>map passwd 
uidnumber uidNumber</div><div>map passwd homedirectory unixHomeDirectory</div><div>map passwd loginshell loginShell</div><div>map passwd gecos displayName</div><div>filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))</div><div>map shadow uid sAMAccountName</div><div>filter group (objectClass=group)</div><div>map group uniqueMember member</div></div><div><br>/etc/nsswitch.conf<br><div># $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $</div><div><br></div><div># ldap added for AD Integration</div><div>passwd: compat ldap </div><div>shadow: compat </div><div>group: compat ldap</div><div><br></div><div># passwd: db files nis</div><div># shadow: db files nis</div><div># group: db files nis</div><div><br></div><div>hosts: files dns</div><div>networks: files dns</div><div><br></div><div>services: db files</div><div>protocols: db files</div><div>rpc: db files</div><div>ethers: db files</div><div>netmasks: files</div><div>netgroup: files</div><div>bootparams: files</div><div><br></div><div>automount: files</div><div>aliases: files</div><div><br></div>And finally the most messed one: /etc/pam.d/system-auth<br><div>auth ~ # cat /etc/pam.d/system-auth</div><div>auth<span class="Apple-tab-span" style="white-space:pre"> </span>required<span class="Apple-tab-span" style="white-space:pre"> </span>pam_env.so </div><div>auth<span class="Apple-tab-span" style="white-space:pre"> </span>sufficient<span class="Apple-tab-span" style="white-space:pre"> </span>pam_krb5.so try_first_pass</div><div>auth<span class="Apple-tab-span" style="white-space:pre"> </span>required<span class="Apple-tab-span" style="white-space:pre"> </span>pam_unix.so likeauth nullok </div><div>auth<span class="Apple-tab-span" style="white-space:pre"> </span>optional<span class="Apple-tab-span" style="white-space:pre"> </span>pam_permit.so</div><div> </div><div>account<span class="Apple-tab-span" 
style="white-space:pre"> </span>required<span class="Apple-tab-span" style="white-space:pre"> </span>pam_unix.so </div><div>account<span class="Apple-tab-span" style="white-space:pre"> </span>optional<span class="Apple-tab-span" style="white-space:pre"> </span>pam_permit.so</div><div> </div><div>password<span class="Apple-tab-span" style="white-space:pre"> </span>required<span class="Apple-tab-span" style="white-space:pre"> </span>pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 </div><div>password<span class="Apple-tab-span" style="white-space:pre"> </span>required<span class="Apple-tab-span" style="white-space:pre"> </span>pam_unix.so use_authtok nullok sha512 shadow </div><div>password<span class="Apple-tab-span" style="white-space:pre"> </span>sufficient<span class="Apple-tab-span" style="white-space:pre"> </span>pam_krb5.so use_authtok</div><div>password<span class="Apple-tab-span" style="white-space:pre"> </span>optional<span class="Apple-tab-span" style="white-space:pre"> </span>pam_permit.so</div><div> </div><div>session<span class="Apple-tab-span" style="white-space:pre"> </span>required<span class="Apple-tab-span" style="white-space:pre"> </span>pam_limits.so </div><div>session<span class="Apple-tab-span" style="white-space:pre"> </span>required<span class="Apple-tab-span" style="white-space:pre"> </span>pam_env.so </div><div>session<span class="Apple-tab-span" style="white-space:pre"> </span>required<span class="Apple-tab-span" style="white-space:pre"> </span>pam_unix.so </div><div>session<span class="Apple-tab-span" style="white-space:pre"> </span>optional<span class="Apple-tab-span" style="white-space:pre"> </span>pam_permit.so</div><div><br></div><div>I really need help in pam.d; don't know what I'm doing. 
But I'll keep tinkering with it.</div><div><br></div><div>PS: The only disadvantage is the difficulty of getting it set up and working.</div><br>On Nov 1, 2011, at 10:58 PM, Brian Kroth wrote:<br><br><blockquote type="cite">Actually, you don't even need kerberos for the authentication portion of it. You can have pam test the user's provided password by binding against ldap directly to do that step. I find this easier because it avoids all the complexities of maintaining kerberos service tickets on linux hosts entirely. You may still wish to do that for some services (eg: for single sign on for apache websites from windows ad clients, but they probably still need to support passwords from non-domain clients, so it's never seemed like a big win to me). Doing that then requires that your linux clients have tickets to make use of them, which is another hassle. It works in Windows clients a little bit more naturally.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Anyways, on how to do it ...<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">there used to be some nice gentoo wiki articles on it. They're giving me 500 errors at the moment, so ... <br></blockquote><blockquote type="cite">The ubuntu page here [1] gives a reasonably good explanation of it except that it also includes kerberos integration. Basically to avoid that, skip those sections, and rather than specifying pam_krb5.so in those files, specify pam_ldap.so [2].<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">The handful of gotchas as I recall them:<br></blockquote><blockquote type="cite">- you have to setup a proxy user in order to do the base queries for libnss-ldap [3] to find your account's dn so that pam_ldap can attempt to bind as it.<br></blockquote><blockquote type="cite">- ad wants all of its connections to be ssl. 
That might also mean that you have to setup the cert for it (usually obtainable from your ad's ca) as "trusted" in the system wide ldap confs (/etc/openldap/ldap.conf or /etc/ldap/ldap.conf).<br></blockquote><blockquote type="cite">- depending upon your ad schema you might need to remap some attributes to what the libnss-ldap libraries want them to be. The ubuntu page has some details on that (nss_map_attribute). In more flexible environments you can actually use these to do some fancy service tricks (eg: different shell/homedir for sftp only hosts).<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Some other tips:<br></blockquote><blockquote type="cite">- make sure you can do all these steps with the command line ldapsearch utility first<br></blockquote><blockquote type="cite">- adsi edit (or some such - should be available in mmc) is the windows utility to browse its ldap store<br></blockquote><blockquote type="cite">- use nscd or one of the other tools I mention below to cache ldap data<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">So, following all those goodies, you should hopefully be able to get ldap only id mapping and authentication going.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">You can also tell samba (or apache, freeradius, etc.) to use those details for id mapping and authentication, again avoiding the need for kerberos entirely. Have a look at the ldap settings within smb.conf for details. 
In all cases, tls/ssl is your friend.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Hope that helps,<br></blockquote><blockquote type="cite">Brian<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">[1] <a href="https://help.ubuntu.com/community/ActiveDirectoryHowto">https://help.ubuntu.com/community/ActiveDirectoryHowto</a><br></blockquote><blockquote type="cite">[2] <a href="http://linux.die.net/man/5/pam_ldap">http://linux.die.net/man/5/pam_ldap</a><br></blockquote><blockquote type="cite">AD may very well be doing a kerberos auth behind the scenes when you bind to its ldap, but that doesn't really matter. That's a common way for people to configure openldap as well - use kerberos as the password hash store, but then you need a service ticket for openldap ...<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">[3] As an aside, there are also alternatives to libnss-ldap now including: nslcd, sssd. I think sssd is the more preferred one nowadays. Basically, they make a user program responsible for doing all ldap lookups so that you can save some shared memory and protect the proxy user's credentials. Really though, the sort of stuff you'll be querying in ldap is more or less "public" data as far as the rest of the system is concerned anyways, so I wouldn't be too concerned with that unless you've given the proxy user some ridiculous rights. 
That goes for openldap, opendirectory, whatever as well.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Vinícius Ferrão <<a href="mailto:viniciusferrao@...">viniciusferrao@...</a>> 2011-11-01 17:24:<br></blockquote><blockquote type="cite"><blockquote type="cite"> As I can understand we need Kerberos 5 for authentication and LDAP acting<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> only as a directory service with UID, GID, home dir and etc.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> []'s<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> On Nov 1, 2011, at 5:11 PM, gregorcy wrote:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> On Sun, Oct 30, 2011 at 1:55 PM, Brian Kroth <[1]<a href="mailto:bpkroth@...">bpkroth@...</a>><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> wrote:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> gregorcy <[2]<a href="mailto:gregorcy@...">gregorcy@...</a>> 2011-10-29 10:52:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> What's missing: OpenLDAP replication from AD? Is this possible?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> Is this<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> needed? 
Since I want another machines (running Linux) to<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> authenticate it<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> will be a good idea only ONE machine get information from AD and<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> everyone else authenticate natively on this Gentoo Machine.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> No this is not needed. If you are in a mixed environment (I think)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> it<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> is much easier to just use AD as the one directory service and join<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> all<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> your linux boxes to it. As long as your idmap ranges match your<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> users<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> will have the same uid on all boxes.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> I agree with this except for the need to "join all your linux boxes".<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> AD is really just ldap+kerberos. Most of the time you don't need the<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> headache of kerberos and can just use the ldap component. 
Modern AD<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> schemas include all of the necessary attribute support for having<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> Linux clients talk to it directly for uid/gid mapping, which is much<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> nicer since it avoids the complexity of any samba requirements when<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> you don't need them (eg: mail, web, etc.).<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> So if he is using samba + winbind I don't see how you can not join all<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> your machines to the AD. Actually I would be really interested in how<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> you configure your machines just using the ldap component. I have been<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> using winbind for the last couple of years but if there is a better way<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> I would be interested in learning how it works.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">References<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> Visible links<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> 1. <a href="mailto:bpkroth@...">mailto:bpkroth@...</a><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> 2. 
<a href="mailto:gregorcy@...">mailto:gregorcy@...</a><br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><br></div></body></html>
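Added example, not part of this thread and not code from Brian or Vinícius: a small Python model of the Linux-PAM control flags (required, requisite, sufficient, optional), run over the auth and account sections of the /etc/pam.d/system-auth stack posted at the top of the thread (copied here as constructed input) to show which module outcomes let a login succeed. It also flags two things a reviewer of that stack would point out: the nullok option on pam_unix.so and the absence of any directory-side module (pam_krb5.so or pam_ldap.so) in the account phase. The per-module outcomes in each scenario are assumptions for illustration, not results observed on the poster's machine.

```python
"""Model Linux-PAM control-flag semantics for a pam.d stack (constructed example)."""

# Constructed sample input: the auth and account sections of the
# /etc/pam.d/system-auth file posted in the thread, reformatted to plain text.
SYSTEM_AUTH = """\
auth    required    pam_env.so
auth    sufficient  pam_krb5.so try_first_pass
auth    required    pam_unix.so likeauth nullok
auth    optional    pam_permit.so

account required    pam_unix.so
account optional    pam_permit.so
"""


def parse_pam(text):
    """Return {section: [(control, module, [args])]} for a pam.d file body."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        section, control, module, *args = parts
        stacks.setdefault(section, []).append((control, module, args))
    return stacks


def evaluate(stack, outcomes):
    """Walk one section the way libpam does for the simple control keywords.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure).
    Modules not listed (pam_env, pam_permit) are assumed to succeed.
    """
    required_failed = False
    for control, module, _args in stack:
        ok = outcomes.get(module, True)
        if control == "required":
            # Failure is remembered but the rest of the stack still runs,
            # so an attacker cannot tell which module rejected the login.
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False  # stop immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True  # short-circuit success; later modules never run
        elif control == "optional":
            pass  # ignored unless it is the only module in the stack
        else:
            raise ValueError(f"unsupported control keyword {control!r}")
    return not required_failed


def audit(stacks):
    """Return the review findings for this particular stack."""
    findings = []
    for _control, module, args in stacks.get("auth", []):
        if module == "pam_unix.so" and "nullok" in args:
            findings.append(
                "auth: pam_unix.so carries nullok, so a local account with an "
                "empty password field can log in")
    account_modules = {module for _c, module, _a in stacks.get("account", [])}
    if not account_modules & {"pam_krb5.so", "pam_ldap.so"}:
        findings.append(
            "account: no pam_krb5.so or pam_ldap.so line, so the account phase "
            "consults only pam_unix.so")
    return findings


def scenarios():
    """Assumed outcomes: who gets in with the posted auth stack."""
    auth = parse_pam(SYSTEM_AUTH)["auth"]
    return {
        # domain user, correct AD password: pam_krb5 (sufficient) ends the stack
        "ad_user_good_password": evaluate(auth, {"pam_krb5.so": True, "pam_unix.so": False}),
        # local-only user: pam_krb5 fails (no principal), pam_unix (required) passes
        "local_user_good_password": evaluate(auth, {"pam_krb5.so": False, "pam_unix.so": True}),
        # wrong password everywhere
        "wrong_password": evaluate(auth, {"pam_krb5.so": False, "pam_unix.so": False}),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'login allowed' if ok else 'login denied'}")
    for finding in audit(parse_pam(SYSTEM_AUTH)):
        print("finding:", finding)
```

The point of the sufficient line is the one that matters for the poster's question: once pam_krb5.so succeeds, pam_unix.so is never consulted in the auth phase, so an AD user needs no local password hash at all, while a failed Kerberos attempt is silently ignored and falls through to the local check. Swapping pam_krb5.so for pam_ldap.so, as Brian suggests, keeps exactly the same control flow.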