Ben Love on 26 Mar 2010 16:56:35 -0700


Re: [PLUG] using OpenLDAP with Active Directory

* Mike Leone wrote on [2010-03-24 22:57:55 -0400]:
> I'm trying to configure lib-nss to use OpenLDAP against my Active 
> Directory. But I seem to be having lots of problems even getting it to 
> bind properly.

From an earlier message of yours, it sounds like you are also using
samba and are joining the machine to the domain.  We do this at work a
lot.  These are (roughly) the steps we use to set up a new box.

We do this with a stock install of Debian Stable or Ubuntu.  I'm not
sure of the edition of Ubuntu, but /etc/debian_version says 5.0.  The
domain controllers are Windows 2003R2 or some such.  I don't know
exactly, and I don't think it matters.  If you find it does, I can ask.

Most of these steps are run as root (obviously).

$ apt-get install krb5-user
$ apt-get install winbind

<create smb.conf>
$ cat /etc/samba/smb.conf
[global]
        # AD AUTH
        security = ADS
        workgroup = COMPANY
        realm = COMPANY.COM
        password server =
        use kerberos keytab = true
        client use spnego = true

        # WINBIND
        #idmap domains = COMPANY
        idmap config COMPANY: default = true
        idmap config COMPANY: backend = rid
        idmap config COMPANY: range = 70000-100000

        winbind cache time = 600
        winbind enum users = true
        winbind enum groups = true
        winbind use default domain = true
        winbind refresh tickets = true

        template shell = /bin/bash
        template homedir = /home/%u

        # OTHER
        dns proxy = false

        # LOGGING
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d

        # PAM AUTH
        encrypt passwords = true
        obey pam restrictions = true
        pam password change = true
        unix password sync = true
        # passwd program = /usr/bin/passwd %u
        # passwd chat = *Enter\snew\s*\spassword:* %n\n
        # *Retype\snew\s*\spassword:* %n\n
        # *password\supdated\ssuccessfully* .

<create krb5.conf>
$ cat /etc/krb5.conf
[libdefaults]
        default_realm = COMPANY.COM
        default_keytab_name = FILE:/etc/krb5.keytab
        ticket_lifetime = 24000

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        COMPANY.COM = {
                kdc =
                admin_server =
        }

[domain_realm]
         = COMPANY.COM
         = COMPANY.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false

<user = AD account with permission to join machines to the domain>
$ net -U <user> ads join
<sometimes this breaks.  if so, delete the machine account from AD
completely and try again>

<edit nsswitch.conf to add winbind to group and passwd>
$ head -3 /etc/nsswitch.conf
passwd:    compat winbind
group:     compat winbind
shadow:    compat

<test winbind/nss/AD integration with getent>
$ getent passwd
<SNIP: lots of output, including AD users>
$ getent group
<SNIP: lots of output, including AD groups>

<fix PAM to use pam_winbind/pam_mkhomedir>
<see PAM documentation for more info.  many of these options are beyond
the scope of this>
$ cat /etc/pam.d/common-account
# success=N skips the next N lines, so a module that accepts the user jumps
# over pam_deny.so; pam_unix.so covers local accounts, pam_winbind.so AD ones
account [success=2 new_authtok_reqd=done default=ignore]      pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]      pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so
$ cat /etc/pam.d/common-auth
# krb5_auth makes pam_winbind authenticate against the KDC and leave the
# user a FILE: credential cache, which klist and ldapsearch use later
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
$ cat /etc/pam.d/common-session
# pam_mkhomedir.so creates the home directory on first login of an AD user
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                        pam_unix.so
session required                        pam_mkhomedir.so umask=0077 skel=/etc/skel

<you should be able to log in now with an AD user who the box has never
seen before>

<as AD user>
<AD users should have a krb5 credential cache now>
$ klist
<SNIP: output confirming valid krb ticket>

<as root again>
$ apt-get install ldap-utils
$ apt-get install libsasl2-modules-gssapi-mit
$ cat /etc/ldap/ldap.conf
BASE	dc=company,dc=com
URI	ldap://

<as AD user again>
<now you can use the kerberos credentials to talk to AD>
$ ldapsearch '(objectClass=User)'
<SNIP: waaaayyy too much output>

<as root again>
<last thing is to get SSH to take/use kerberos credentials>
$ tail -3 /etc/ssh/sshd_config
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

I hope that helps.  I may have forgotten something, but ask and I'll


Ben Love


Philadelphia Linux Users Group
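A small offline checker for the smb.conf/krb5.conf pair in the recipe above, added here as an example; it is not part of Ben's post or of the Samba project. It parses two constructed config fragments (mirroring the post's COMPANY / COMPANY.COM names and the 70000-100000 rid range; 60000 is assumed as the local UID_MAX from /etc/login.defs) and checks the things that fail silently when the join "works" but logins do not: the realm in smb.conf and default_realm in krb5.conf agreeing, security = ADS being set, and the idmap range lying wholly above the local uid space so that an AD RID can never be mapped onto a local uid. It also reports the largest RID the rid backend can map, because idmap_rid computes uid = range_low + RID and anyone with a larger RID simply does not resolve.

```shell
#!/bin/sh
# Offline sanity checks for the smb.conf / krb5.conf pair used in the
# winbind + Kerberos setup above.  Added example, not code from the original
# post; the config text below is constructed and mirrors the post's settings
# (COMPANY / COMPANY.COM, rid range 70000-100000).
#
#  1. "realm" in smb.conf must equal "default_realm" in krb5.conf, otherwise
#     the join, pam_winbind's krb5_auth and kinit do not agree on a realm.
#  2. "security = ADS" must be set; anything else makes winbind fall back to
#     NTLM-style domain auth instead of Kerberos.
#  3. The idmap rid range must lie entirely above the local uid range
#     (UID_MAX in /etc/login.defs, assumed 60000 here as on Debian), so no
#     AD user can ever be mapped onto a local uid such as 0.
#  4. idmap_rid maps uid = range_low + RID, so the range width is the largest
#     RID the box can resolve; report it for comparison with the domain.

# conf_get KEY FILE: print the value of "KEY = value" (case-insensitive key,
# whitespace around "=" ignored, "#"/";" comment lines skipped); empty if absent.
conf_get() {
    awk -v k="$1" '
        BEGIN { k = tolower(k) }
        /^[ \t]*[#;]/ { next }
        index($0, "=") == 0 { next }
        {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == k) { print val; exit }
        }' "$2"
}

# check_realm SMB.CONF KRB5.CONF: succeed when both name the same realm.
check_realm() {
    smb_realm=$(conf_get realm "$1")
    krb_realm=$(conf_get default_realm "$2")
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]
}

# check_security SMB.CONF: succeed when "security = ADS" (case-insensitive).
check_security() {
    [ "$(conf_get security "$1" | tr 'A-Z' 'a-z')" = "ads" ]
}

# idmap_range SMB.CONF DOMAIN: print "low high" for the domain's rid range.
idmap_range() {
    range=$(conf_get "idmap config $2: range" "$1")
    [ -n "$range" ] || return 1
    echo "${range%-*} ${range#*-}"
}

# check_idmap_range SMB.CONF DOMAIN UID_MAX: succeed when the range is
# well-formed and starts above the highest local uid.
check_idmap_range() {
    range=$(idmap_range "$1" "$2") || return 1
    low=${range% *}; high=${range#* }
    [ "$high" -gt "$low" ] 2>/dev/null && [ "$low" -gt "$3" ]
}

# idmap_max_rid SMB.CONF DOMAIN: print the largest RID the range can hold.
idmap_max_rid() {
    range=$(idmap_range "$1" "$2") || return 1
    echo $(( ${range#* } - ${range% *} ))
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SMB="$WORK/smb.conf"; SMB_BAD="$WORK/smb.bad.conf"; KRB="$WORK/krb5.conf"

# Constructed smb.conf, matching the post's settings.
cat > "$SMB" <<'EOF'
[global]
        security = ADS
        workgroup = COMPANY
        realm = COMPANY.COM
        use kerberos keytab = true
        idmap config COMPANY: backend = rid
        idmap config COMPANY: range = 70000-100000
        winbind use default domain = true
EOF

# Constructed "wrong" variant: the range overlaps the local uid space.
sed 's/70000-100000/500-60000/' "$SMB" > "$SMB_BAD"

# Constructed krb5.conf fragment naming the same realm.
cat > "$KRB" <<'EOF'
[libdefaults]
        default_realm = COMPANY.COM
        forwardable = true
EOF

report() { label=$1; shift; if "$@"; then echo "ok:   $label"; else echo "FAIL: $label"; fi; }
report "realm matches default_realm"   check_realm "$SMB" "$KRB"
report "security = ADS"                check_security "$SMB"
report "idmap range above local uids"  check_idmap_range "$SMB" COMPANY 60000
report "bad range is caught"           check_idmap_range "$SMB_BAD" COMPANY 60000
echo "largest mappable RID: $(idmap_max_rid "$SMB" COMPANY)"
```

Run as is to see the four results (the last check is expected to report FAIL, which is the point); to check a live box, call the functions with /etc/samba/smb.conf and /etc/krb5.conf instead of the constructed files. The range width matters in practice: with 70000-100000 any account whose RID exceeds 30000 gets no uid, so getent will not list it even though the join and wbinfo -t look fine.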