Project

General

Profile

Support #326

Updated by Daniel Curtis almost 11 years ago

While migrating my centralized user information server from an OpenLDAP/Kerberos to a Samba4 Active Directory, I needed a method to integrate using my existing server baseline, which is Debian 7. The method I previously used was very similar to this method in that I get a Kerberos keytab from my Kerberos authentication server and I use that keytab file as the authentication token to do user information lookups on the OpenLDAP server. This guide is to show how I connected an example server to a Samba4 Active Directory Domain Controller.  

 Example machines: 
 * dc.example.com: 192.168.1.200 
 * server.example.com: 192.168.1.33 

 Make sure /etc/resolv.conf points to the Active Directory Domain Controller's IP address: 
 > search example.com 
 > nameserver 192.168.1.200 

 To start, install some required packages: 
 <pre> 
 apt-get install krb5-user nslcd samba libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-heimdal kstart 
 </pre> 

 Make sure to copy the */etc/krb5.conf* and *@/usr/local/samba/etc/smb.conf@* files from the Domain Controller to the */etc/krb5* and *+@/etc/samba/smb.conf@+*. If these files are not present, joining the domain will fail.  

 h2. Join the Active Directory Domain 

 <pre> 
 net ads join -U administrator@EXAMPLE.COM 
 </pre> 

 Once the machine is joined to the domain, a keytab is generated at @/etc/krb5.keytab@. Now edit the /etc/default/nslcd file and make the following changes: 
 <pre> 
 vi /etc/default/nslcd 
 </pre> 
 > K5START_START="yes" 
 >  
 > ## Options for k5start. 
 > K5START_BIN=/usr/bin/k5start 
 > K5START_KEYTAB=/etc/krb5.keytab 
 > K5START_CCREFRESH=60 
 > K5START_PRINCIPAL="SERVER$" 

 Note: Make sure the K5START_PRINCIPAL is set to the Active Directory machine name, which is appended with a *$*. 
 This will automatically authenticate the keytab generated while joining the domain. This is necessary to allow access to the directory information on the domain controller. 

 Reboot the machine to enable k5start: 
 <pre> 
 reboot 
 </pre> 

 After reboot, there should be a krb5cc_0 file in /tmp: 
 <pre> 
 ls -l /tmp 
 </pre> 
 > -rw------- 1 nslcd nslcd 2296 Feb    3 23:25 krb5cc_0 

 h2. Configure nslcd 

 Edit the @/etc/nslcd.conf@ file and change the configuration as needed: 
 <pre> 
 vi /etc/nslcd.conf 
 </pre> 
 > uid nslcd 
 > gid nslcd 
 >  
 > #! ## LDAP/AD server settings 
 > uri ldap://192.168.1.200:389 
 > base dc=example,dc=com 
 >  
 > #! ## Some settings for AD 
 > pagesize 1000 
 > referrals off 
 >  
 > #! ## Filters (only required if your accounts doesn't have objectClass=posixAccount 
 > #! ## and your groups haven't objectClass=posixGroup. This objectClasses won't be added 
 > #! ## by ADUC. So they won't be there automatically!) 
 > filter    passwd    (objectClass=user) 
 > filter    group     (objectClass=group) 
 >  
 > #! ## Attribute mappings (depending on your nslcd version, some might not be 
 > #! ## necessary or can cause errors and can/must be removed) 
 > map       passwd    uid                  sAMAccountName 
 > map       passwd    homeDirectory        unixHomeDirectory 
 > map       passwd    gecos                displayName 
 > map       passwd    gidNumber            primaryGroupID 
 > #map       group     uniqueMember         member 
 >  
 > ## Kerberos 
 > sasl_mech GSSAPI 
 > sasl_realm EXAMPLE.COM 
 > krb5_ccname /tmp/krb5cc_0 

 And restart nslcd: 
 <pre> 
 service nslcd restart 
 </pre> 

 h2. Update the authentication services 

 Once nslcd is configured, edit the @/etc/nsswitch.conf@ and modify it to look similar to the following: 
 <pre> 
 vi /etc/nsswitch.conf 
 </pre> 
 > passwd:           compat ldap 
 > group:            compat ldap 
 > shadow:           compat 

 Run the PAM configuration tool: 
 <pre> 
 pam-auth-update 
 </pre> 
 > [*] Unix authentication 
 > [*] LDAP Authentication 

 This will make the following changes, +if you ran the above command then you do not need to make these changes+: 
 * /etc/pam.d/common-auth 
 > ... 
 > auth 	 [success=2 default=ignore] 	 pam_unix.so nullok_secure 
 > auth 	 [success=1 default=ignore] 	 pam_ldap.so minimum_uid=1000 use_first_pass 
 > ... 

 * /etc/pam.d/common-account 
 > ... 
 > account 	 required 			 pam_permit.so 
 > account 	 [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] 	 pam_ldap.so minimum_uid=1000 
 > ... 

 * /etc/pam.d/common-session 
 > ... 
 > session 	 required 	 pam_unix.so  
 > session 	 [success=ok default=ignore] 	 pam_ldap.so minimum_uid=1000 
 > ... 

 * /etc/pam.d/common-password 
 > ... 
 > password 	 [success=2 default=ignore] 	 pam_unix.so obscure sha512 
 > password 	 [success=1 default=ignore] 	 pam_ldap.so minimum_uid=1000 try_first_pass 
 > ... 

 At this point, I was able to run @getent@ and get user information from the domain controller: 
 <pre> 
 getent passwd 
 getent group 
 </pre>

Back