GNet Solutions » GNU/Linux Administration

While migrating my centralized user information server from an OpenLDAP/Kerberos to a Samba4 Active Directory, I needed a method to integrate using my existing server baseline, which is Debian 7. The method I previously used was very similar to this method in that I get a Kerberos keytab from my Kerberos authentication server and I use that keytab file as the authentication token to do user information lookups on the OpenLDAP server. This guide is to show how I connected an example server to a Samba4 Active Directory Domain Controller.

Example machines:

• dc.example.com: 192.168.1.200
• server.example.com: 192.168.1.33

Make sure /etc/resolv.conf points to the Active Directory Domain Controller's IP address:

search example.com
nameserver 192.168.1.200

To start, install some required packages:

apt-get install krb5-user nslcd samba libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-heimdal kstart

Make sure to copy the /etc/krb5.conf and /usr/local/samba/etc/smb.conf files from the Domain Controller to the /etc/krb5 and /etc/samba/smb.conf. If these files are not present, joining the domain will fail.

Join the Active Directory Domain¶

net ads join -U administrator@EXAMPLE.COM

Once the machine is joined to the domain, a keytab is generated at /etc/krb5.keytab. Now edit the /etc/default/nslcd file and make the following changes:

vi /etc/default/nslcd

K5START_START="yes"

#!# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="SERVER$"

Note: Make sure the K5START_PRINCIPAL is set to the Active Directory machine name, which is appended with a *$*.
This will automatically authenticate the keytab generated while joining the domain. This is necessary to allow access to the directory information on the domain controller.

Reboot the machine to enable k5start:

reboot

After reboot, there should be a krb5cc_0 file in /tmp:

ls -l /tmp

rw------ 1 nslcd nslcd 2296 Feb 3 23:25 krb5cc_0

Configure nslcd¶

Edit the /etc/nslcd.conf file and change the configuration as needed:

vi /etc/nslcd.conf

uid nslcd
gid nslcd

#!# LDAP/AD server settings
uri ldap://192.168.1.200:389
base dc=example,dc=com

#!# Some settings for AD
pagesize 1000
referrals off

#!# Filters (only required if your accounts doesn't have objectClass=posixAccount
#!# and your groups haven't objectClass=posixGroup. This objectClasses won't be added
#!# by ADUC. So they won't be there automatically!)
filter passwd (objectClass=user)
filter group (objectClass=group)

#!# Attribute mappings (depending on your nslcd version, some might not be
#!# necessary or can cause errors and can/must be removed)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
#map group Member member

#!# Kerberos
sasl_mech GSSAPI
sasl_realm EXAMPLE.COM
krb5_ccname /tmp/krb5cc_0

And restart nslcd:

service nslcd restart

Update the authentication services¶

Once nslcd is configured, edit the /etc/nsswitch.conf and modify it to look similar to the following:

vi /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat

Run the PAM configuration tool:

pam-auth-update

[*] Unix authentication
[*] LDAP Authentication

This will make the following changes, if you ran the above command then you do not need to make these changes:

• /etc/pam.d/common-auth

...
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
...

• /etc/pam.d/common-account

...
account required pam_permit.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
...

• /etc/pam.d/common-session

...
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
...

• /etc/pam.d/common-password

...
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
...

At this point, I was able to run getent and get user information from the domain controller:

getent passwd
getent group