Support #326

Updated by Daniel Curtis about 10 years ago

While migrating my centralized user-information server from OpenLDAP/Kerberos to a Samba4 Active Directory, I needed a method that fit my existing server baseline, which is Debian 7. The method I used previously is very similar to this one: the server obtains a Kerberos keytab from my Kerberos authentication server and uses that keytab as its authentication token for user-information lookups on the OpenLDAP server. This guide shows how I connected an example server to a Samba4 Active Directory Domain Controller.

 Example machines: 
 * dc.example.com: 192.168.1.200 
 * server.example.com: 192.168.1.33 

 Make sure /etc/resolv.conf points to the Active Directory Domain Controller's IP address: 
 > search example.com 
 > nameserver 192.168.1.200 

 To start, install some required packages: 
 <pre> 
 apt-get install krb5-user nslcd samba libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-heimdal kstart 
 </pre> 

Make sure to copy the @/etc/krb5.conf@ and @/usr/local/samba/etc/smb.conf@ files from the Domain Controller to @/etc/krb5.conf@ and @/etc/samba/smb.conf@ on the server. If these files are not present, joining the domain will fail.

h2. Join the Active Directory Domain

 <pre> 
 net ads join -U administrator@EXAMPLE.COM 
 </pre> 

Once the machine is joined to the domain, a keytab holding the machine account's keys is generated at @/etc/krb5.keytab@ (treat it as a credential: it should stay owned by root with mode 0600). Now edit the @/etc/default/nslcd@ file and make the following changes:
 <pre> 
 vi /etc/default/nslcd 
 </pre> 
 > K5START_START="yes" 
 >  
> # Options for k5start.
 > K5START_BIN=/usr/bin/k5start 
 > K5START_KEYTAB=/etc/krb5.keytab 
 > K5START_CCREFRESH=60 
 > K5START_PRINCIPAL="SERVER$" 

Note: Make sure K5START_PRINCIPAL is set to the Active Directory machine account name, which is the host name in upper case with a *$* appended (@SERVER$@ for server.example.com).
With this in place, k5start uses the keytab generated during the domain join to obtain and refresh a ticket automatically; nslcd needs that ticket to read directory information from the domain controller.

 Reboot the machine to enable k5start: 
 <pre> 
 reboot 
 </pre> 

After the reboot there should be a @krb5cc_0@ credential cache in @/tmp@, owned by the nslcd user and readable only by it:
 <pre> 
 ls -l /tmp 
 </pre> 
 > -rw------- 1 nslcd nslcd 2296 Feb    3 23:25 krb5cc_0 

h2. Configure nslcd

 Edit the @/etc/nslcd.conf@ file and change the configuration as needed: 
 <pre> 
 vi /etc/nslcd.conf 
 </pre> 
 > uid nslcd 
 > gid nslcd 
 >  
> # LDAP/AD server settings
 > uri ldap://192.168.1.200:389 
 > base dc=example,dc=com 
 >  
> # Some settings for AD
 > pagesize 1000 
 > referrals off 
 >  
> # Filters (only required if your accounts don't have objectClass=posixAccount
> # and your groups don't have objectClass=posixGroup. These object classes are not
> # added by ADUC, so they won't be there automatically!)
 > filter    passwd    (objectClass=user) 
 > filter    group     (objectClass=group) 
 >  
> # Attribute mappings (depending on your nslcd version, some might not be
> # necessary or can cause errors and can/must be removed)
 > map       passwd    uid                  sAMAccountName 
 > map       passwd    homeDirectory        unixHomeDirectory 
 > map       passwd    gecos                displayName 
 > map       passwd    gidNumber            primaryGroupID 
 > #map       group     Member              member 
 >  
> # Kerberos
 > sasl_mech GSSAPI 
 > sasl_realm EXAMPLE.COM 
 > krb5_ccname /tmp/krb5cc_0 

 And restart nslcd: 
 <pre> 
 service nslcd restart 
 </pre> 

h2. Update the authentication services

Once nslcd is configured, edit @/etc/nsswitch.conf@ so that it looks similar to the following:
 <pre> 
 vi /etc/nsswitch.conf 
 </pre> 
 > passwd:           compat ldap 
 > group:            compat ldap 
 > shadow:           compat 

 Run the PAM configuration tool: 
 <pre> 
 pam-auth-update 
 </pre> 
 > [*] Unix authentication 
 > [*] LDAP Authentication 

This makes the following changes (+if you ran the command above, you do not need to make these changes by hand+):
 * /etc/pam.d/common-auth 
 > ... 
 > auth 	 [success=2 default=ignore] 	 pam_unix.so nullok_secure 
 > auth 	 [success=1 default=ignore] 	 pam_ldap.so minimum_uid=1000 use_first_pass 
 > ... 

 * /etc/pam.d/common-account 
 > ... 
 > account 	 required 			 pam_permit.so 
 > account 	 [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] 	 pam_ldap.so minimum_uid=1000 
 > ... 

 * /etc/pam.d/common-session 
 > ... 
 > session 	 required 	 pam_unix.so  
 > session 	 [success=ok default=ignore] 	 pam_ldap.so minimum_uid=1000 
 > ... 

 * /etc/pam.d/common-password 
 > ... 
 > password 	 [success=2 default=ignore] 	 pam_unix.so obscure sha512 
 > password 	 [success=1 default=ignore] 	 pam_ldap.so minimum_uid=1000 try_first_pass 
 > ... 

 At this point, I was able to run @getent@ and get user information from the domain controller: 
 <pre> 
 getent passwd 
 getent group 
 </pre>
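A set of post-join sanity checks for the steps above, added here as an example and not code from the original guide. File paths, the expected owner and the domain controller address are parameters so the checks can be run against copies of the files; the ownership/mode check assumes GNU stat (Debian coreutils) with a BSD fallback.

```shell
#!/bin/sh
# Post-join checks for the k5start + nslcd setup: resolver, credential file
# permissions, nslcd.conf bind settings, principal name and NSS lookups.
# Added example, not from the original guide.

# The first nameserver must be the domain controller; otherwise the SRV
# lookups behind "net ads join" and the GSSAPI binds are resolved elsewhere.
check_resolver() {  # check_resolver <resolv.conf> <dc_ip>
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# The keytab and the credential cache are reusable machine credentials:
# they must belong to the expected user and be mode 0600 (GNU stat, BSD fallback).
check_secret_file() {  # check_secret_file <path> <expected owner>
    [ -f "$1" ] || return 1
    got=$(stat -c '%U:%a' "$1" 2>/dev/null || stat -f '%Su:%OLp' "$1")
    [ "$got" = "$2:600" ]
}

# nslcd.conf must bind with GSSAPI from the cache k5start maintains, keep
# referrals off (AD referrals stall lookups), and carry no plaintext bind
# password: a bindpw next to a GSSAPI bind is a needless credential on disk.
check_nslcd_conf() {  # check_nslcd_conf <nslcd.conf>
    f=$1
    grep -Eq '^[[:space:]]*sasl_mech[[:space:]]+GSSAPI'          "$f" || return 1
    grep -Eq '^[[:space:]]*krb5_ccname[[:space:]]+/tmp/krb5cc_0' "$f" || return 1
    grep -Eq '^[[:space:]]*referrals[[:space:]]+off'             "$f" || return 1
    ! grep -Eq '^[[:space:]]*bindpw' "$f"
}

# K5START_PRINCIPAL must name the machine account: the short host name in
# upper case with a trailing "$" (SERVER$ for server.example.com).
check_principal() {  # check_principal <principal> <short hostname>
    want="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')\$"
    [ "$1" = "$want" ]
}

# Run every check against the live system; exit status 0 when all pass.
check_all() {  # check_all <dc_ip> <short hostname> <K5START_PRINCIPAL value>
    check_resolver /etc/resolv.conf "$1" &&
    check_secret_file /etc/krb5.keytab root &&
    check_secret_file /tmp/krb5cc_0 nslcd &&
    check_nslcd_conf /etc/nslcd.conf &&
    check_principal "$3" "$2" &&
    getent passwd >/dev/null && getent group >/dev/null
}
```

Run as root with e.g. @check_all 192.168.1.200 server 'SERVER$'@ after the reboot; a non-zero exit points at the first step that is still wrong.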
