Re: [PLUG] using OpenLDAP with Active Directory
|
Ben Love had this to say:
> * Mike Leone wrote on [2010-03-24 22:57:55 -0400]:
>> I'm trying to configure lib-nss to use OpenLDAP against my Active
>> Directory. But I seem to be having lots of problems even getting it to
>> bind properly.
>
> From an earlier message of yours, it sounds like you are also using
> samba and are joining the machine to the domain.
Exactly.
<various snipping>
> $ cat /etc/samba/smb.conf
> use kerberos keytab = true
> client use spnego = true
Those are new to me .. OK ...
>
> # WINBIND
> #idmap domains = COMPANY
> idmap config COMPANY: default = true
> idmap config COMPANY: backend = rid
I have "idmap backend = ad"
The Samba part is working fine, I think. I have it joined to the AD:
turgon@workhorse:~$ sudo net ads info
LDAP server: 10.0.0.60
LDAP server name: dim-win2300.DaCrib.local
Realm: DACRIB.LOCAL
Bind Path: dc=DACRIB,dc=LOCAL
LDAP port: 389
Server time: Fri, 26 Mar 2010 20:50:19 EDT
KDC server: 10.0.0.60
Server time offset: 0
> <edit nsswitch.conf to add winbind to group and passwd>
> $ head -3 /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
I have "compat winbind ldap"
> shadow: compat
>
> <test winbind/nss/AD integration with getent>
> $ getent passwd
> <SNIP: lots of output, including AD users>
> $ getent group
> <SNIP: lots of output, including AD groups>
I don't see the AD users ... but I *do* see AD groups ...
> <fix PAM to use pam_winbind/pam_mkhomedir>
Followed exactly ...
>
> <you should be able to log in now with an AD user who the box has never
> seen before>
Unfortunately not ...
"LeoneM" is a valid AD user, who does not exist as a local Linux user ..
Mar 26 21:12:31 workhorse sshd[3942]: Invalid user LeoneM from 10.0.0.24
Mar 26 21:12:31 workhorse sshd[3942]: Failed none for invalid user LeoneM from 10.0.0.24 port 4922 ssh2
Mar 26 21:12:36 workhorse sshd[3942]: pam_unix(sshd:auth): check pass; user unknown
Mar 26 21:12:36 workhorse sshd[3942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.24
Mar 26 21:12:36 workhorse sshd[3942]: pam_winbind(sshd:auth): getting password (0x00000180)
Mar 26 21:12:39 workhorse sshd[3942]: Failed password for invalid user LeoneM from 10.0.0.24 port 4922 ssh2
>
> <as AD user>
> <AD users should have a krb5 credential cache now>
> $ klist
> <SNIP: output confirming valid krb ticket>
If I log in as a Linux user, I can do a "kinit", specifying AD user
credentials, and get a ticket, which I do see with "klist".
> <as root again>
> $ apt-get install ldap-utils
> $ apt-get install libsasl2-modules-gssapi-mit
> $ cat /etc/ldap/ldap.conf
> BASE dc=company,dc=com
> URI ldap://domaincontrollers.company.com
> SASL_MECH GSSAPI
>
> <as AD user again>
> <now you can use the kerberos credentials to talk to AD>
> $ ldapsearch '(objectClass=User)'
> <SNIP: waaaayyy too much output>
Well, THAT finally worked! :-) Thanks. I guess I just needed the GSSAPI
modules.
>
> <as root again>
> <last thing is to get SSH to take/use kerberos credentials>
> $ tail -3 /etc/ssh/sshd_config
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> I hope that helps. I may have forgotten something, but ask and I'll
> remember.
Well, my ldapsearches finally work now - thanks! - but I still can't
seem to log in as an AD user. Not via SSH; haven't tried it from the
console, but I imagine I'll have the same results.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
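An added example (not from either poster) that walks the sshd/PAM lines quoted above and tells the two failure stages apart: "Invalid user" and "check pass; user unknown" mean sshd never resolved the account through NSS (so nsswitch.conf/winbind is the thing to fix, not PAM), while "Failed password" for a name that did resolve means the PAM stack rejected the credentials. The second session (pid 4010) is constructed for contrast.

```python
import re

# Constructed sample input: the auth.log lines quoted in the thread (pid 3942)
# plus one constructed contrasting session (pid 4010) for a user NSS did resolve.
SAMPLE_LOG = """\
Mar 26 21:12:31 workhorse sshd[3942]: Invalid user LeoneM from 10.0.0.24
Mar 26 21:12:31 workhorse sshd[3942]: Failed none for invalid user LeoneM from 10.0.0.24 port 4922 ssh2
Mar 26 21:12:36 workhorse sshd[3942]: pam_unix(sshd:auth): check pass; user unknown
Mar 26 21:12:36 workhorse sshd[3942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.24
Mar 26 21:12:36 workhorse sshd[3942]: pam_winbind(sshd:auth): getting password (0x00000180)
Mar 26 21:12:39 workhorse sshd[3942]: Failed password for invalid user LeoneM from 10.0.0.24 port 4922 ssh2
Mar 26 21:20:02 workhorse sshd[4010]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.24 user=turgon
Mar 26 21:20:04 workhorse sshd[4010]: Failed password for turgon from 10.0.0.24 port 4930 ssh2
"""

SSHD_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

ADVICE = {
    "nss": "account not resolvable by NSS: check the nsswitch.conf passwd line and winbind (getent passwd USER, wbinfo -u)",
    "pam": "account resolved but PAM rejected the credentials: check the pam_winbind/pam_krb5 stack and the password",
    "ok": "no authentication failure recorded",
}

def classify_sshd_log(text):
    """Group sshd lines by pid; return {pid: {"user", "src", "stage", "advice"}}."""
    sessions = {}
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {"user": None, "src": None, "nss_unknown": False, "pam_failure": False})
        msg = m["msg"]
        if (inv := INVALID_RE.match(msg)):
            s.update(user=inv["user"], src=inv["src"], nss_unknown=True)
        elif (f := FAILED_RE.match(msg)):
            s.update(user=f["user"], src=f["src"])
            if f["method"] != "none":  # "Failed none" is the probe sshd logs before any credential is sent
                s["pam_failure"] = True
        elif msg.startswith("pam_unix(sshd:auth): check pass; user unknown"):
            s["nss_unknown"] = True
    for s in sessions.values():
        s["stage"] = "nss" if s["nss_unknown"] else ("pam" if s["pam_failure"] else "ok")
        s["advice"] = ADVICE[s["stage"]]
    return sessions

if __name__ == "__main__":
    for pid, s in classify_sshd_log(SAMPLE_LOG).items():
        print(f"sshd[{pid}] user={s['user']} from={s['src']} stage={s['stage']}: {s['advice']}")
```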