Anyways, on how to do it ...
there used to be some nice gentoo wiki articles on it. They're giving me 500 errors at the moment, so ... The ubuntu page here [1] gives a reasonably good explanation of it except that it also includes kerberos integration. Basically to avoid that, skip those sections, and rather than specifying pam_krb5.so in those files, specify pam_ldap.so [2].
The handful of gotchas as I recall them:
- you have to set up a proxy user in order to do the base queries for libnss-ldap [3] to find your account's dn so that pam_ldap can attempt to bind as it.
- ad wants all of its connections to be ssl. That might also mean that you have to set up the cert for it (usually obtainable from your ad's ca) as "trusted" in the system wide ldap confs (/etc/openldap/ldap.conf or /etc/ldap/ldap.conf).
- depending upon your ad schema you might need to remap some attributes to what the libnss-ldap libraries want them to be. The ubuntu page has some details on that (nss_map_attribute). In more flexible environments you can actually use these to do some fancy service tricks (eg: different shell/homedir for sftp only hosts).

Some other tips:
- make sure you can do all these steps with the command line ldapsearch utility first
- adsi edit (or some such - should be available in mmc) is the windows utility to browse its ldap store
- use nscd or one of the other tools I mention below to cache ldap data

So, following all those goodies, you should hopefully be able to get ldap only id mapping and authentication going.
You can also tell samba (or apache, freeradius, etc.) to use those details for id mapping and authentication, again avoiding the need for kerberos entirely. Have a look at the ldap settings within smb.conf for details. In all cases, tls/ssl is your friend.
Hope that helps,
Brian

[1] https://help.ubuntu.com/community/ActiveDirectoryHowto
[2] http://linux.die.net/man/5/pam_ldap
    AD may very well be doing a kerberos auth behind the scenes when you bind to its ldap, but that doesn't really matter. That's a common way for people to configure openldap as well - use kerberos as the password hash store, but then you need a service ticket for openldap ...
[3] As an aside, there are also alternatives to libnss-ldap now, including nslcd and sssd. I think sssd is the more preferred one nowadays. Basically, they make a user program responsible for doing all ldap lookups so that you can save some shared memory and protect the proxy user's credentials. Really though, the sort of stuff you'll be querying in ldap is more or less "public" data as far as the rest of the system is concerned anyways, so I wouldn't be too concerned with that unless you've given the proxy user some ridiculous rights. That goes for openldap, opendirectory, whatever as well.
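The pieces Brian lists above (an unprivileged proxy bind user, ldaps with the AD CA trusted and the peer checked, nss_map_attribute remapping onto the AD posix schema, and an ldapsearch sanity check first) pulled together as an added /etc/ldap.conf for nss_ldap + pam_ldap. This is an example written for this thread, not the poster's own config or the Ubuntu page's; the host, base DN, proxy account, password and CA path are placeholders.

```conf
# Added example (not from the thread): /etc/ldap.conf for nss_ldap + pam_ldap
# against AD without kerberos. ad.example.com, the base DN, the proxy account,
# its password and the CA file path are placeholders; substitute your own.

uri ldaps://ad.example.com/
base dc=example,dc=com
ldap_version 3
# AD hands out referrals to other partitions; chasing them only causes timeouts.
referrals no
bind_policy soft

# Proxy user: an ordinary, unprivileged AD account used only to look up the
# dn and posix attributes of the user who is logging in. Keep this file
# readable by root only (chmod 600), since the password is stored in the clear.
binddn cn=ldapproxy,ou=ServiceAccounts,dc=example,dc=com
bindpw PROXY_PASSWORD_PLACEHOLDER

# AD requires ssl; "on" means ldaps on 636. The AD CA cert must be trusted and
# the peer checked, otherwise any host answering on 636 could collect the
# user's password during the pam bind.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-ca.pem

# Where nss looks for users and groups (base?scope).
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group dc=example,dc=com?sub

# Remap the posix object/attribute names nss_ldap expects onto the AD schema
# (uidNumber, gidNumber, loginShell already match; the home dir does not).
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root

# pam_ldap: which attribute the login name matches, and which entries qualify.
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad

# Sanity check with ldapsearch before touching nsswitch.conf / pam.d, e.g.:
#   ldapsearch -H ldaps://ad.example.com/ -W \
#     -D "cn=ldapproxy,ou=ServiceAccounts,dc=example,dc=com" \
#     -b dc=example,dc=com "(sAMAccountName=jdoe)" uidNumber gidNumber unixHomeDirectory loginShell
```

If that search comes back empty or with a TLS error, fix the CA trust or the proxy account's read rights before going near nsswitch.conf and the pam stack.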
Vinícius Ferrão <viniciusfer...@cc.if.ufrj.br> 2011-11-01 17:24:
As I can understand we need Kerberos 5 for authentication and LDAP acting only as a directory service with UID, GID, home dir, etc.

[]'s

On Nov 1, 2011, at 5:11 PM, gregorcy wrote:

> On Sun, Oct 30, 2011 at 1:55 PM, Brian Kroth <bpkr...@gmail.com> wrote:
>
>> gregorcy <grego...@eng.utah.edu> 2011-10-29 10:52:
>>
>>>> What's missing: OpenLDAP replication from AD? Is this possible? Is this needed? Since I want another machines (running Linux) to authenticate it will be a good idea only ONE machine get information from AD and everyone else authenticate natively on this Gentoo Machine.
>>>
>>> No this is not needed. If you are in a mixed environment (I think) it is much easier to just use AD as the one directory service and join all your linux boxes to it. As long as your idmap ranges match your users will have the same uid on all boxes.
>>
>> I agree with this except for the need to "join all your linux boxes". AD is really just ldap+kerberos. Most of the time you don't need the headache of kerberos and can just use the ldap component. Modern AD schemas include all of the necessary attribute support for having Linux clients talk to it directly for uid/gid mapping, which is much nicer since it avoids the complexity of any samba requirements when you don't need them (eg: mail, web, etc.).
>
> So if he is using samba + winbind I don't see how you can not join all your machines to the AD. Actually I would be really interested in how you configure your machines just using the ldap component. I have been using winbind for the last couple of years but if there is a better way I would be interested in learning how it works.