<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Chris et al,<br>
<br>
I intended to put an experiences note out to the nss_ldap forum's but
have not found one suitable yet. So here is the short canned version of
how I made this all work.<br>
<br>
First get a Windows 200x environment with the RFC2307 extensions added
to the Schema. The easiest way to do this is to use Windows 2003 R2.
However, it is also possible to do this by using LDIF's from the wider
community to add this to a 2003 or a 2000 schema. I can dig out an
example of this is anybody is interested. <b>This step is scary as in
a production environment if you get this wrong in the right way you
have an unrecoverable Windows environment so I recommend either a new
forest using Windows 2003 R2 or back everything up. Note I have done
this for a very big global domain and will hold anybodies hand if they
are thinking of doing this in a production domain.<br>
</b><br>
Next assign all of your <b>real</b> Unix users with AD accounts - make
the user names conform to the Posix rules (Windows samAccountName) i.e.
8 characters starting with a letter, all in lower case. Give them
uidNumber's and gidNumber's, loginShell and unixHomeDirectory
attributes. I use displayName for the GECOS field.<br>
<br>
Create relevant groups in the AD I have used samAccountName for the
groupName, you can also use CN but you have to be careful about the
names and make sure they are valid in the Unix and Windows world I
stick to lower case starting with a letter and no spaces in the
samAccountName.<br>
<br>
For example: I declare a superusers group to which I add users I would
have added to wheel and use this in sudo - you can only add users
declared in AD to groups declared in AD. superusers is a member of
"Domain Admins" and "Enterprise Admins" in our systems.<br>
<br>
With this you are now ready to set up the unix side of the fence. I use
pam_krb5 to authenticate and nss_ldap to handle the maps. The pam stack
looks like this<br>
<br>
<blockquote type="cite">#%PAM-1.0<br>
# This file is auto-generated.<br>
# User changes will be destroyed the next time authconfig is run.<br>
auth required /lib/security/$ISA/pam_env.so<br>
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok<br>
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass<br>
auth required /lib/security/$ISA/pam_deny.so<br>
<br>
account required /lib/security/$ISA/pam_unix.so broken_shadow<br>
account sufficient /lib/security/$ISA/pam_succeed_if.so uid <
100 quiet<br>
account [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_krb5.so<br>
account required /lib/security/$ISA/pam_permit.so<br>
<br>
password requisite /lib/security/$ISA/pam_cracklib.so retry=3<br>
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow<br>
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok<br>
password required /lib/security/$ISA/pam_deny.so<br>
<br>
session required /lib/security/$ISA/pam_limits.so<br>
session required /lib/security/$ISA/pam_unix.so<br>
session optional /lib/security/$ISA/pam_krb5.so<br>
</blockquote>
I set up kerberos to access the active directory as follows.<br>
<br>
<blockquote type="cite">[logging]<br>
default = <a class="moz-txt-link-freetext" href="FILE:/var/log/krb5libs.log">FILE:/var/log/krb5libs.log</a><br>
kdc = <a class="moz-txt-link-freetext" href="FILE:/var/log/krb5kdc.log">FILE:/var/log/krb5kdc.log</a><br>
admin_server = <a class="moz-txt-link-freetext" href="FILE:/var/log/kadmind.log">FILE:/var/log/kadmind.log</a><br>
<br>
[libdefaults]<br>
default_realm = COHERENT.COHTECH.CO.UK<br>
dns_lookup_realm = true<br>
dns_lookup_kdc = true<br>
forwardable = false<br>
<br>
[realms]<br>
COHERENT.COHTECH.CO.UK = {<br>
kdc = coherent.cohtech.co.uk<br>
}<br>
<br>
[domain_realm]<br>
city.cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
.city.cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
.coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
.finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
.stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
.cohtech.co.uk = COHERENT.COHTECH.CO.UK<br>
<br>
[kdc]<br>
profile = /var/kerberos/krb5kdc/kdc.conf<br>
<br>
[appdefaults]<br>
pam = {<br>
debug = false<br>
ticket_lifetime = 36000<br>
renew_lifetime = 36000<br>
forwardable = true<br>
krb4_convert = false<br>
}</blockquote>
<br>
<br>
And create a machine keytab using Samba - currently samba-3.0.23a. Note
my machines are in the finsbury.cohtech.co.uk zone, while the AD is
domain coherent.cohtech.co.uk.<br>
<br>
The nsswitch.conf file contains ... <br>
<br>
<blockquote type="cite">passwd: files ldap<br>
shadow: files ldap<br>
group: files ldap<br>
</blockquote>
<br>
statements.<br>
<br>
ldap.conf contains ...<br>
<br>
<blockquote type="cite"># Set to some high number to get debug output -
very useful if kerberos is failing<br>
</blockquote>
<blockquote type="cite">debug 0<br>
<br>
#base set to default container inside AD for Users - have not got this
working with multiple containers<br>
base cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk<br>
<br>
# Our servers have certificates and therefore are available over ssl<br>
# Otherwise use<br>
#uri <a class="moz-txt-link-freetext" href="ldap://coherent.cohtech.co.uk">ldap://coherent.cohtech.co.uk</a><br>
uri ldaps://coherent.cohtech.co.uk<br>
<br>
# The LDAP version to use (defaults to 3<br>
# if supported by client library)<br>
#ldap_version 3<br>
ldap_version 3<br>
<br>
# The distinguished name to bind to the server with.<br>
# NEVER NEVER NEVER defined this if using SASL it breaks the bind
operation<br>
#binddn cn=proxyuser,dc=example,dc=com<br>
<br>
# The credentials to bind with. <br>
# NEVER NEVER NEVER define this if using SASL it breaks the bind
operation<br>
#bindpw secret<br>
<br>
# The distinguished name to bind to the server with<br>
# if the effective user ID is root. Password is<br>
# stored in /etc/ldap.secret (mode 600)<br>
#rootbinddn cn=manager,dc=example,dc=com<br>
<br>
# The port.<br>
# Optional: default is 389.<br>
#port 389<br>
<br>
# The search scope.<br>
#scope sub<br>
#scope one<br>
#scope base<br>
scope sub<br>
<br>
# Search timelimit<br>
#timelimit 30<br>
timelimit 120<br>
<br>
# Bind/connect timelimit<br>
#bind_timelimit 30<br>
bind_timelimit 120<br>
<br>
# Reconnect policy: hard (default) will retry connecting to<br>
# the software with exponential backoff, soft will fail<br>
# immediately.<br>
bind_policy soft<br>
<br>
# Idle timelimit; client will close connections<br>
# (nss_ldap only) if the server has not been contacted<br>
# for the number of seconds specified below.<br>
#idle_timelimit 3600<br>
idle_timelimit 3600<br>
<br>
.......<br>
# Just assume that there are no supplemental groups for these named
users<br>
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon<br>
<br>
# attribute/objectclass mapping<br>
# Syntax:<br>
#nss_map_attribute rfc2307attribute mapped_attribute<br>
#nss_map_objectclass rfc2307objectclass mapped_objectclass<br>
<br>
# RFC 2307 (AD) mappings<br>
#nss_map_objectclass posixAccount user<br>
#nss_map_objectclass shadowAccount user<br>
#nss_map_attribute uid sAMAccountName<br>
#nss_map_attribute homeDirectory unixHomeDirectory<br>
#nss_map_attribute shadowLastChange pwdLastSet<br>
#nss_map_objectclass posixGroup group<br>
#nss_map_attribute uniqueMember member<br>
#pam_login_attribute sAMAccountName<br>
#pam_filter objectclass=User<br>
#pam_password ad<br>
nss_base_passwd cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk<br>
nss_base_shadow cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk<br>
nss_base_group cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk<br>
<br>
nss_map_objectclass posixAccount User<br>
nss_map_objectclass shadowAccount User<br>
nss_map_attribute uid samAccountName<br>
nss_map_attribute homeDirectory unixHomeDirectory<br>
nss_map_attribute shadowLastChange pwdLastSet<br>
<br>
nss_map_attribute uidNumber uidNumber<br>
nss_map_attribute gidNumber gidNumber<br>
nss_map_attribute loginShell loginShell<br>
nss_map_attribute gecos displayName<br>
nss_map_objectclass posixGroup Group<br>
nss_map_attribute uniqueMember Member<br>
nss_map_attribute cn samAccountName<br>
nss_paged_results on<br>
<br>
pam_login_attribute samAccountName<br>
pam_filter objectclass=user<br>
pam_member_attribute member<br>
#pam_groupdn cn=unixusergroup,dc=coherent,dc=cohtech,dc=co,dc=uk<br>
pam_passwd ad<br>
<br>
<br>
# Disable SASL security layers. This is needed for AD.<br>
#sasl_secprops maxssf=0<br>
sasl_secprops maxssf=0<br>
<br>
# Override the default Kerberos ticket cache location.<br>
#krb5_ccname <a class="moz-txt-link-freetext" href="FILE:/etc/.ldapcache">FILE:/etc/.ldapcache</a><br>
krb5_ccname <a class="moz-txt-link-freetext" href="FILE:/etc/.ldapcache">FILE:/etc/.ldapcache</a><br>
<br>
# SASL mechanism for PAM authentication - use is experimental<br>
# at present and does not support password policy control<br>
#pam_sasl_mech DIGEST-MD5<br>
<br>
use_sasl on<br>
<br>
sasl_authid nssldap/beastie.finsbury.cohtech.co.uk<br>
<br>
rootsasl_auth_id nssldap/beastie.finsbury.cohtech.co.uk<br>
<br>
rootuse_sasl yes<br>
<br>
</blockquote>
The key feature here is the krb5_ccname which is used to override the
credentials passed in to the user. At present this file must have 0644
access as the nss_ldap code always overrides with this file. I intend
to supply a patch that will check for read access to this file and use
it only in this circumstance. A further enhancement would be to try to
access the directory using this file if readable, and if that fails or
if the file is not readable then use the KRB5CCNAME environment
variable if set and if that fails use the users credentials cache if
that exists.<br>
<br>
The authentication ID needs to be created in the AD and exported. This
is done by creating a user with a never expires password and then using
the ktpass command on Windows 200x to export the key. I use<br>
<br>
<blockquote>ktpass -princ nssldap/<hostname>@DOMAIN -mapuser
nss<host>@domain -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
-mapo- set +desonly -pass <somepassword> -out <keytabfile><br>
</blockquote>
The resulting file is copied to the target host, and I add it to the
system keytab file. It could equally be put in a separate file and used
from there.<br>
<br>
The final pieces of magic are setting up the openldap ldap.conf file.<br>
<br>
<blockquote type="cite"># $OpenLDAP:
pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt<br>
Exp $<br>
#<br>
# LDAP Defaults<br>
#<br>
<br>
# See ldap.conf(5) for details<br>
# This file should be world readable but not world writable.<br>
<br>
#BASE dc=example, dc=com<br>
#URI <a class="moz-txt-link-freetext" href="ldap://ldap.example.com">ldap://ldap.example.com</a> <a class="moz-txt-link-freetext" href="ldap://ldap-master.example.com:666">ldap://ldap-master.example.com:666</a><br>
<br>
#SIZELIMIT 12<br>
#TIMELIMIT 15<br>
#DEREF never<br>
URI ldaps://coherent.cohtech.co.uk<br>
#HOST coherent.cohtech.co.uk<br>
BASE dc=coherent,dc=cohtech,dc=co,dc=uk<br>
TLS_CACERTDIR /etc/openldap/cacerts<br>
TLS_REQCERT never<br>
</blockquote>
And setting up nscd to cache requests, running nscd - I set the
environment with KRB5CCNAME=/etc/.ldapcache as a bit of belt and braces.<br>
<br>
The following script is executed every 6 hours to keep the credentials
cache current.<br>
<blockquote type="cite">#!/bin/sh<br>
#<br>
<br>
/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab -c /etc/.ldapcache
nssldap/beastie.finsbury.cohtech.co.uk \<br>
&& chown nscd:nscd /etc/.ldapcache \<br>
&& chmod 0644 /etc/.ldapcache<br>
<br>
exit 0<br>
</blockquote>
The 0644 will change to 0640 once I have a patch into nss_ldap. A point
to note nscd only provide caches for individual lookups so running
getent passwd will not work unless kerberos credentials are supplied
some other way - hence the need for 0644 at present.<br>
<br>
Hope this all makes sense. Will try to produce a more comprehensive
guide later when I have fixed the niggles.<br>
<br>
By the by.. This all required the latest version of openldap,
cyrus-sasl, nss_ldap as previous versions failed to talk to Windows
2003. These are currently drawn from fedora-development and are:
openldap-2.3.27-2, cyrus-sasl-2.1.22-3, & nss_ldap-251-1 (with the
enable-configurable-krb5-ccname-gssapi configuration flag turned on at
build time).<br>
<br>
<br>
<br>
Chris Bradford wrote:
<blockquote cite="mid4506F124.6000400@cambridge-news.co.uk" type="cite">Howard
Wilkinson wrote:
<br>
<blockquote type="cite">I have been installing nss_Ldap for sasl
connections to a Windows 2003 R2 infrastructure and run into some
problems. It turns out that the package distributed with FC5 and in
development have an incorrect option set with the configuration for the
configuration file feature krb5_ccname to work.
<br>
<br>
The configure line currently uses --enable-configurable-krb5-ccname
which does not do anything useful. It should either read
--enable-configurable-krb5-ccname-env or
--enable-configurable-krb5-ccname-gssapi to make this work. I have
chosen the second as the first does not confer any advantage in
allowing the environment to override in the current implementation.
<br>
<br>
Without this setting then the calling environment must have a
credential cache set up for the code to work - the behaviour of both
the nscd and the general calling environment give local errors when
there is not credentials cache defined.
<br>
-- <br>
<br>
Howard Wilkinson
<br>
<br>
<br>
<br>
Phone:
<br>
<br>
<br>
<br>
+44(20)76907075
<br>
<br>
Coherent Technology Limited
<br>
<br>
<br>
<br>
Fax:
<br>
<br>
<br>
<br>
<br>
<br>
23 Northampton Square,
<br>
<br>
<br>
<br>
Mobile:
<br>
<br>
<br>
<br>
+44(7980)639379
<br>
<br>
London, United Kingdom, EC1V 0HL
<br>
<br>
<br>
<br>
Email:
<br>
<br>
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:howard@cohtech.com">howard@cohtech.com</a>
<br>
<br>
<br>
<br>
<br>
<br>
Click here
<a class="moz-txt-link-rfc2396E" href="https://www.mailcontrol.com/sr/wQw0zmjPoHdJTZGyOCrrhg=="><https://www.mailcontrol.com/sr/wQw0zmjPoHdJTZGyOCrrhg==></a> to
report this email as spam.
<br>
<br>
</blockquote>
Howard,
<br>
<br>
Could you please post details on you you have used sasl to connect to
AD? I am using nss_ldap to connect but not using sasl. Further details
on this can be seen here:
<a class="moz-txt-link-freetext" href="http://cb-net.co.uk/readarticle.php?article_id=5">http://cb-net.co.uk/readarticle.php?article_id=5</a>
<br>
<br>
-Chris
<br>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="ProgId" content="Word.Document">
<meta name="Generator" content="Microsoft Word 11">
<meta name="Originator" content="Microsoft Word 11">
<link rel="File-List" href="Howard%20Wilkinson_files/filelist.xml">
<title>Signature</title>
<o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="country-region">
<o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City"><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place">
<o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="Street"><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="address">
<!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>Howard Wilkinson</o:Author>
<o:Template>Normal</o:Template>
<o:LastAuthor>Howard Wilkinson</o:LastAuthor>
<o:Revision>6</o:Revision>
<o:TotalTime>1</o:TotalTime>
<o:Created>2005-03-12T10:10:00Z</o:Created>
<o:LastSaved>2006-05-26T11:28:00Z</o:LastSaved>
<o:Pages>1</o:Pages>
<o:Words>38</o:Words>
<o:Characters>220</o:Characters>
<o:Company>Coherent Technology Limited</o:Company>
<o:Lines>1</o:Lines>
<o:Paragraphs>1</o:Paragraphs>
<o:CharactersWithSpaces>257</o:CharactersWithSpaces>
<o:Version>11.6568</o:Version>
</o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:Zoom>BestFit</w:Zoom>
<w:SpellingState>Clean</w:SpellingState>
<w:GrammarState>Clean</w:GrammarState>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlac
eholderText>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
</w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
</w:LatentStyles>
</xml><![endif]--><!--[if !mso]><object
classid="clsid:38481807-CA0E-42D2-BF39-B33AF135CC4D" id=ieooui></object>
<style>
st1\:*{behavior:url(#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;
text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;
text-underline:single;}
@page Section1
{size:595.3pt 841.9pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;
mso-header-margin:35.4pt;
mso-footer-margin:35.4pt;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</style><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman";
mso-ansi-language:#0400;
mso-fareast-language:#0400;
mso-bidi-language:#0400;}
</style>
<![endif]-->
</o:SmartTagType></o:SmartTagType></o:SmartTagType></o:SmartTagType></o:SmartTagType>
<div class="Section1">
<table class="MsoNormalTable" style="width: 100%;" border="0"
cellpadding="0" width="100%">
<tbody>
<tr style="">
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Howard Wilkinson</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Phone:</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">+44(20)76907075</p>
</td>
</tr>
<tr style="">
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Coherent Technology Limited</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Fax:</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
<tr style="">
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal"><st1:Street w:st="on"><st1:address w:st="on">23
Northampton Square</st1:address></st1:Street>,</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal"><st1:City w:st="on"><st1:place w:st="on">Mobile</st1:place></st1:City>:</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">+44(7980)639379</p>
</td>
</tr>
<tr style="">
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal"><st1:place w:st="on"><st1:City w:st="on">London</st1:City>,
<st1:country-region w:st="on">United Kingdom</st1:country-region></st1:place>,
EC1V 0HL</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Email:</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal"><a name="howardcohtech.com"></a><a class="moz-txt-link-abbreviated" href="mailto:howard@cohtech.com">howard@cohtech.com</a></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>