Samba/Active Directory Guide

From Gentoo Wiki
< Samba
Jump to: navigation, search
The information in this article is probably outdated as of April 07th, 2015. You can help the Gentoo Wiki by verifying and updating this article.
This article is a stub. You can help by expanding it.

Centralized authentication with Samba/Win AD

This might look a bit weird at 1st but when working on the migration from samba 3 with LDAP to samba 4 AD.
This seem to be the only choice we have as we have to remove the LDAP Server on the server that running Samba 4 AD.

Else you would have 2 server.
Windows Client using Samba 4 AD and Linux client using an LDAP Server from another which is no longer centralized and defeated the purpose.

Working method and choice

There are a few method.

  1. nslcd or nss_pam_ldapd
  2. sssd

nslcd or nss_pam_ldapd

If you are using 64 bit system, you will need to unmask it.

FILE /etc/portage/package.accept_keywords
#nss-pam-ldapd replacement of both nss_ldap and nss_pam
sys-auth/nss-pam-ldapd

This package will provide what is currently provide by nss_ldap and also nss_pam thus the 2 package have to be removed.

root #emerge --unmerge --ask nss_ldap nss_pam

Now we can start emerge nss_pam_ldapd

root #emerge --ask nss_pam_ldapd

Configuration

There are at least 2 method to work on this solution, the result are same but the way of working it are different.

Pick one...

nss-pam-ldapd Setup[1]
Samba Wiki:Local_user_management_and_authentication/nslcd[2]

Method 1: Connecting to AD via LDAP Bind DN and password

This method will configure /etc/nslcd.conf to make LDAP binding via an AD account. Communication with AD with this setup is unencrypted, unless your AD and nslcd had setup LDAP over SSL.

Please create a new user with username nslcdconnect and password secret in the AD Server.
You will need to do the following:

  • Enable - disable user change password on next logon
  • Disable - user change password
  • Enable - Password never expired.

Assuming that:

  • Samba AD is running locally and accessible via 127.0.0.1
  • LDAP Base DN is dc=headoffice,dc=location1,dc=company,dc=com
FILE /etc/nslcd.confChange some line below
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://127.0.0.1/

# The distinguished name of the search base.
base dc=headoffice,dc=location1,dc=company,dc=com

#LDAP Bind Config
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=nslcdconnect,cn=Users,dc=headoffice,dc=location1,dc=company,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
bindpw secret

# The distinguished name to perform password modifications by root by.
rootpwmoddn cn=Administrator,cn=Users,dc=headoffice,dc=location1,dc=company,dc=com

# Mappings for Active Directory
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)

Method 2: Connecting to AD via Kerberos

This method are very similar with the 1st method specially in the configuration you will still need to change the configure /etc/nslcd.conf to make LDAP connection to an AD Server with the help of Kerberos. But you don't need to specified a bind account and also the communication with AD with this setup is encrypted.

Please create a new user with username nslcdconnect and password secret in the AD Server.
You will need to do the following:

  • Enable - disable user change password on next logon
  • Disable - user change password
  • Enable - Password never expired.

Assuming that:

  • Samba is running locally and accessible via 127.0.0.1
  • LDAP Base DN is dc=headoffice,dc=location1,dc=company,dc=com
  • /etc/hosts and also /etc/conf.d/hostname have the same result with your Samba AD DNS (There will be problem if there are not the same of cannot resolve).
  • hostname = samba4-1.headoffice.company.com
  • AD = headoffice.company.com
  • REALM = HEADOFFICE.COMPANY.COM
  • DOMAINNAME ( NT Style ) COMPANY
  • Already have Kerberos install either mit-krb5 or heimdal.
root #samba-tool spn add nslcd/samba4-1.headoffice.company.com nslcdconnect

Now we should export the keytab from AD server for user nslcdconnect. With this keytab we can connect via Kerberos without the need of key in the password for nslcdconnect if configure correctly.

root #samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=nslcdconnect
root #chown nslcd:nslcd /etc/krb5.nslcd.keytab
root #chmod 600 /etc/krb5.nslcd.keytab

The command below will kept nslcdconnect to the AD server via kerberos using keytab. You will need app-crypt/kstart so the Kerberos ticket and key will be automatically renew when it expired or needed.

root #emerge --ask app-crypt/kstart
root #k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /run/nslcd/nslcd.tkt

Now we can change our nslcd.conf to suit Kerberos setup.

FILE /etc/nslcd.confChange some line below
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://127.0.0.1/

# The distinguished name of the search base.
base dc=headoffice,dc=location1,dc=company,dc=com

# Kerberos Connection to AD
sasl_mech GSSAPI
sasl_realm HEADOFFICE.COMPANY.COM
krb5_ccname /run/nslcd/nslcd.tkt

# Mappings for Active Directory
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)
Warning
k5start don't have an start up script with Gentoo, and I cannot make a script the will work. Someone please help.

Editing /etc/init.d/nslcd to start k5start together

We need to make some change to start k5strt with nslcd so the kerberos ticket will work.

FILE /etc/init.d/nslcdAdd the 2 k5start line below.
#!/sbin/openrc-run
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-auth/nss-pam-ldapd/files/nslcd-init,v 1.2 2013/02/07 18:11:37 prometheanfire Exp $

extra_commands="checkconfig"
cfg="/etc/nslcd.conf"

depend() {
        need net
        use dns logger
}

checkconfig() {
        if [ ! -f "$cfg" ] ; then
                eerror "Please create $cfg"
                eerror "Example config: /usr/share/nss-ldapd/nslcd.conf"
                return 1
        fi
        return 0
}
start() {
    checkpath -q -d /var/run/nslcd -o nslcd:nslcd
        checkconfig || return $?

        ebegin "Starting nslcd"
        start-stop-daemon --start --pidfile /var/run/nslcd/nslcd.pid \
                --exec /usr/sbin/nslcd
        start-stop-daemon --start --pidfile /var/run/nslcd/nslcd.k5start.pid \
                --exec /usr/bin/k5start -- -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /var/run/nslcd/nslcd.tkt -p /var/run/nslcd/nslcd.k5start.pid
        eend $? "Failed to start nslcd"
}

stop() {
        ebegin "Stopping nslcd"
        start-stop-daemon --stop --pidfile /var/run/nslcd/nslcd.pid
        start-stop-daemon --stop --pidfile /var/run/nslcd/nslcd.k5start.pid
        eend $? "Failed to stop nslcd"


nssswitch.conf connfiguration

You will need to edit your /etc/nsswitch.conf according to the following. This meant that nsswitch will use the new nss-pam-ldapd module.

FILE /etc/nsswitch.conf
passwd:      compat ldap
group:       compat ldap

Executing

We can now start nslcd daemon

root #/etc/init.d/nslcd start

to check if our Samba is working fine with our local host use these to verify:

root #getent passwd
root #getent group

You should see your Users or Groups which have unit UID or GID.

If you don't have it. check your /etc/nslcd.conf again.

Note
nscd should be off under this condition

You can now add nslcd using rc-update

root #rc-update add nslcd default

References