Mike Leone on 26 Mar 2010 18:44:41 -0700



Re: [PLUG] using OpenLDAP with Active Directory


Ben Love had this to say:
> * Mike Leone wrote on [2010-03-24 22:57:55 -0400]:
>> I'm trying to configure lib-nss to use OpenLDAP against my Active 
>> Directory. But I seem to be having lots of problems even getting it to 
>> bind properly.
> 
> From an earlier message of yours, it sounds like you are also using
> samba and are joining the machine to the domain.  

Exactly.

<various snipping>

> $ cat /etc/samba/smb.conf

>         use kerberos keytab = true
>         client use spnego = true

Those are new to me .. OK ...

> 
>         # WINBIND
>         #idmap domains = COMPANY
>         idmap config COMPANY: default = true
>         idmap config COMPANY: backend = rid

I have "idmap backend = ad"

The Samba part is working fine, I think. I have it joined to the AD:

turgon@workhorse:~$ sudo net ads info
LDAP server: 10.0.0.60
LDAP server name: dim-win2300.DaCrib.local
Realm: DACRIB.LOCAL
Bind Path: dc=DACRIB,dc=LOCAL
LDAP port: 389
Server time: Fri, 26 Mar 2010 20:50:19 EDT
KDC server: 10.0.0.60
Server time offset: 0


> <edit nsswitch.conf to add winbind to group and passwd>
> $ head -3 /etc/nsswitch.conf
> passwd:    compat winbind
> group:     compat winbind

I have "compat winbind ldap"

> shadow:    compat
> 
> <test winbind/nss/AD integration with getent>
> $ getent passwd
> <SNIP: lots of output, including AD users>
> $ getent group
> <SNIP: lots of output, including AD groups>

I don't see the AD users ... but I *do* see AD groups ...

> <fix PAM to use pam_winbind/pam_mkhomedir>

Followed exactly ...
> 
> <you should be able to log in now with an AD user who the box has never
> seen before>

Unfortunately not ...

"LeoneM" is a valid AD user, who does not exist as a local Linux user ..

Mar 26 21:12:31 workhorse sshd[3942]: Invalid user LeoneM from 10.0.0.24
Mar 26 21:12:31 workhorse sshd[3942]: Failed none for invalid user LeoneM from 10.0.0.24 port 4922 ssh2
Mar 26 21:12:36 workhorse sshd[3942]: pam_unix(sshd:auth): check pass; user unknown
Mar 26 21:12:36 workhorse sshd[3942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.24
Mar 26 21:12:36 workhorse sshd[3942]: pam_winbind(sshd:auth): getting password (0x00000180)
Mar 26 21:12:39 workhorse sshd[3942]: Failed password for invalid user LeoneM from 10.0.0.24 port 4922 ssh2

> 
> <as AD user>
> <AD users should have a krb5 credential cache now>
> $ klist
> <SNIP: output confirming valid krb ticket>

If I log in as a Linux user, I can do a "kinit", specifying AD user 
credentials, and get a ticket, which I do see with "klist".

> <as root again>
> $ apt-get install ldap-utils
> $ apt-get install libsasl2-modules-gssapi-mit
> $ cat /etc/ldap/ldap.conf
> BASE	dc=company,dc=com
> URI	ldap://domaincontrollers.company.com
> SASL_MECH GSSAPI
> 
> <as AD user again>
> <now you can use the kerberos credentials to talk to AD>
> $ ldapsearch '(objectClass=User)'
> <SNIP: waaaayyy too much output>

Well, THAT finally worked! :-) Thanks. I guess I just needed the GSSAPI 
modules.

> 
> <as root again>
> <last thing is to get SSH to take/use kerberos credentials>
> $ tail -3 /etc/ssh/sshd_config
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 
> I hope that helps.  I may have forgotten something, but ask and I'll
> remember.

Well, my ldapsearches finally work now - thanks! - but I still can't 
seem to log in as an AD user. Not via SSH; haven't tried it from the 
console, but I imagine I'll have the same results.


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
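Added note and example, not part of the original thread or of Samba's own tooling. The sshd lines quoted in the message say "Invalid user LeoneM", which sshd logs when getpwnam() fails, i.e. the name never resolved through NSS; pam_winbind is then only handed a user the system does not know, so the password and the Kerberos setup never really get exercised. That, together with getent passwd showing no AD users while groups do appear, points at the passwd side of the winbind/NSS chain. The script below classifies sshd log lines into "unknown user" versus "bad password" failures, checks whether an nsswitch.conf database lists a given source, and checks a passwd stream (such as getent passwd output) for a login name; with --live USER it runs the same checks plus wbinfo against the box itself. The sample nsswitch.conf content, the extra "turgon" log line and the script name are constructed for the example; the other log lines are the ones quoted in the message, re-joined onto single lines.

```shell
#!/bin/sh
# Added example (not from the original thread): diagnose the winbind/NSS/PAM
# chain behind an sshd "Invalid user" for an AD account. POSIX sh, no bashisms.

# nss_has_source DB SOURCE  (nsswitch.conf on stdin)
# Exit 0 when the line for DB (e.g. passwd) lists SOURCE (e.g. winbind).
nss_has_source() {
    awk -v db="$1" -v src="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# passwd_has_user NAME  (passwd-format lines on stdin, e.g. from getent passwd)
# Exit 0 when NAME appears as a login name; this is what sshd's getpwnam() sees.
passwd_has_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit(found ? 0 : 1) }'
}

# classify_sshd_line LINE
# unknown-user: the name never resolved through NSS (sshd says "Invalid user",
#               pam_unix says "user unknown"); look at NSS/winbind, not passwords.
# bad-password: the user resolved, so PAM ran and rejected the credential.
classify_sshd_line() {
    case $1 in
        *"Invalid user "*|*"invalid user "*|*"user unknown"*) echo unknown-user ;;
        *"Failed password for "*)                             echo bad-password ;;
        *"Accepted "*)                                         echo accepted ;;
        *)                                                     echo other ;;
    esac
}

# count_class CLASS  (log lines on stdin) -> number of lines of that class
count_class() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_sshd_line "$line")" = "$1" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Live checks against the box itself (wbinfo is Samba's, getent/id are glibc's).
live_checks() {
    u=$1
    echo "== /etc/nsswitch.conf"
    for db in passwd group; do
        if nss_has_source "$db" winbind < /etc/nsswitch.conf; then
            echo "$db: winbind listed"
        else
            echo "$db: winbind NOT listed"
        fi
    done
    echo "== winbind"
    wbinfo -t                 # is the machine trust account still good?
    wbinfo -u | head -n 5     # users winbind can enumerate (no id mapping needed)
    wbinfo -i "$u"            # passwd-style entry; this needs a uid/gid mapping
    echo "== NSS (what sshd sees)"
    if getent passwd | passwd_has_user "$u"; then
        id "$u"
    else
        echo "$u is not visible through NSS: sshd will log 'Invalid user'"
    fi
}

# Constructed sample nsswitch.conf (mirrors the "compat winbind ldap" setup).
SAMPLE_NSSWITCH='passwd:    compat winbind ldap
group:     compat winbind ldap
shadow:    compat'

# Log lines quoted in the message (re-joined onto single lines), plus one
# constructed "Failed password for turgon" line for contrast.
SAMPLE_SSHD_LOG=$(cat <<'EOF'
Mar 26 21:12:31 workhorse sshd[3942]: Invalid user LeoneM from 10.0.0.24
Mar 26 21:12:31 workhorse sshd[3942]: Failed none for invalid user LeoneM from 10.0.0.24 port 4922 ssh2
Mar 26 21:12:36 workhorse sshd[3942]: pam_unix(sshd:auth): check pass; user unknown
Mar 26 21:12:36 workhorse sshd[3942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.24
Mar 26 21:12:36 workhorse sshd[3942]: pam_winbind(sshd:auth): getting password (0x00000180)
Mar 26 21:12:39 workhorse sshd[3942]: Failed password for invalid user LeoneM from 10.0.0.24 port 4922 ssh2
Mar 26 21:15:02 workhorse sshd[3950]: Failed password for turgon from 10.0.0.24 port 4923 ssh2
EOF
)

if [ "${1-}" = --live ] && [ -n "${2-}" ]; then
    live_checks "$2"
else
    # Offline demo over the sample data: one class label per line, then totals.
    printf '%s\n' "$SAMPLE_SSHD_LOG" | while IFS= read -r l; do
        printf '%-13s %s\n' "$(classify_sshd_line "$l")" "$l"
    done
    printf 'unknown-user=%s bad-password=%s\n' \
        "$(printf '%s\n' "$SAMPLE_SSHD_LOG" | count_class unknown-user)" \
        "$(printf '%s\n' "$SAMPLE_SSHD_LOG" | count_class bad-password)"
fi
```

Run it as `sh nss_winbind_check.sh` for the offline classification of the quoted log (the name of the file is assumed), or as `sh nss_winbind_check.sh --live LeoneM` on the joined box to see, in order, whether nsswitch.conf lists winbind for passwd and group, whether the trust account is good, whether winbind can enumerate and id-map the user, and whether NSS finally returns the user. One caveat worth keeping in mind with "idmap backend = ad": winbind maps only accounts that carry RFC2307 uidNumber/gidNumber attributes in AD, so a user that `wbinfo -u` lists but `wbinfo -i` cannot resolve is the usual sign of a missing uidNumber, and it would also explain groups with gidNumber showing up in getent while users do not.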