nss_ldap using sasl with gssapi. Kerberos credentials cache problem[Scanned]

Howard Wilkinson howard at cohtech.com
Tue Sep 12 18:32:22 UTC 2006


Chris et al,

I intended to put an experiences note out to the nss_ldap forums but 
have not found one suitable yet. So here is the short canned version of 
how I made this all work.

First get a Windows 200x environment with the RFC2307 extensions added 
to the Schema. The easiest way to do this is to use Windows 2003 R2. 
However, it is also possible to do this by using LDIFs from the wider 
community to add this to a 2003 or a 2000 schema. I can dig out an 
example of this if anybody is interested. *This step is scary, as in a 
production environment if you get this wrong in the right way you have 
an unrecoverable Windows environment, so I recommend either a new forest 
using Windows 2003 R2 or back everything up. Note I have done this for a 
very big global domain and will hold anybody's hand if they are thinking 
of doing this in a production domain.*
Next assign all of your *real* Unix users AD accounts - make the 
user names conform to the POSIX rules (Windows samAccountName), i.e. 8 
characters starting with a letter, all in lower case. Give them 
uidNumber and gidNumber, loginShell and unixHomeDirectory 
attributes. I use displayName for the GECOS field.

Create relevant groups in the AD. I have used samAccountName for the 
group name; you can also use CN, but you have to be careful about the 
names and make sure they are valid in both the Unix and Windows worlds. I stick 
to lower case starting with a letter and no spaces in the samAccountName.

For example: I declare a superusers group to which I add users I would 
have added to wheel and use this in sudo - you can only add users 
declared in AD to groups declared in AD. superusers is a member of 
"Domain Admins" and "Enterprise Admins" in our systems.

With this you are now ready to set up the unix side of the fence. I use 
pam_krb5 to authenticate and nss_ldap to handle the maps. The pam stack 
looks like this:

> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_krb5.so

I set up Kerberos to access the Active Directory as follows.

> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = COHERENT.COHTECH.CO.UK
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  forwardable = false
>
> [realms]
> COHERENT.COHTECH.CO.UK = {
>    kdc = coherent.cohtech.co.uk
> }
>
> [domain_realm]
> city.cohtech.co.uk = COHERENT.COHTECH.CO.UK
> .city.cohtech.co.uk = COHERENT.COHTECH.CO.UK
> coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK
> .coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK
> finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK
> .finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK
> stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK
> .stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK
> cohtech.co.uk = COHERENT.COHTECH.CO.UK
> .cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
> }


And create a machine keytab using Samba - currently samba-3.0.23a. Note 
my machines are in the finsbury.cohtech.co.uk zone, while the AD is 
domain coherent.cohtech.co.uk.

The nsswitch.conf file contains ...

> passwd: files ldap
> shadow: files ldap
> group: files ldap

statements.

ldap.conf contains ...

> # Set to some high number to get debug output - very useful if kerberos is failing
> debug 0
>
> #base set to default container inside AD for Users - have not got this working with multiple containers
> base cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
>
> # Our servers have certificates and therefore are available over ssl
> # Otherwise use
> #uri ldap://coherent.cohtech.co.uk
> uri ldaps://coherent.cohtech.co.uk
>
> # The LDAP version to use (defaults to 3
> # if supported by client library)
> #ldap_version 3
> ldap_version 3
>
> # The distinguished name to bind to the server with.
> # NEVER NEVER NEVER define this if using SASL it breaks the bind operation
> #binddn cn=proxyuser,dc=example,dc=com
>
> # The credentials to bind with.
> # NEVER NEVER NEVER define this if using SASL it breaks the bind operation
> #bindpw secret
>
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> #rootbinddn cn=manager,dc=example,dc=com
>
> # The port.
> # Optional: default is 389.
> #port 389
>
> # The search scope.
> #scope sub
> #scope one
> #scope base
> scope sub
>
> # Search timelimit
> #timelimit 30
> timelimit 120
>
> # Bind/connect timelimit
> #bind_timelimit 30
> bind_timelimit 120
>
> # Reconnect policy: hard (default) will retry connecting to
> # the software with exponential backoff, soft will fail
> # immediately.
> bind_policy soft
>
> # Idle timelimit; client will close connections
> # (nss_ldap only) if the server has not been contacted
> # for the number of seconds specified below.
> #idle_timelimit 3600
> idle_timelimit 3600
>
> .......
> # Just assume that there are no supplemental groups for these named users
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
>
> # attribute/objectclass mapping
> # Syntax:
> #nss_map_attribute    rfc2307attribute    mapped_attribute
> #nss_map_objectclass    rfc2307objectclass    mapped_objectclass
>
> # RFC 2307 (AD) mappings
> #nss_map_objectclass posixAccount user
> #nss_map_objectclass shadowAccount user
> #nss_map_attribute uid sAMAccountName
> #nss_map_attribute homeDirectory unixHomeDirectory
> #nss_map_attribute shadowLastChange pwdLastSet
> #nss_map_objectclass posixGroup group
> #nss_map_attribute uniqueMember member
> #pam_login_attribute sAMAccountName
> #pam_filter objectclass=User
> #pam_password ad
> nss_base_passwd cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
> nss_base_shadow cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
> nss_base_group  cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
>
> nss_map_objectclass posixAccount User
> nss_map_objectclass shadowAccount User
> nss_map_attribute uid samAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute shadowLastChange pwdLastSet
>
> nss_map_attribute uidNumber uidNumber
> nss_map_attribute gidNumber gidNumber
> nss_map_attribute loginShell loginShell
> nss_map_attribute gecos displayName
> nss_map_objectclass posixGroup Group
> nss_map_attribute uniqueMember Member
> nss_map_attribute cn samAccountName
> nss_paged_results on
>
> pam_login_attribute samAccountName
> pam_filter objectclass=user
> pam_member_attribute member
> #pam_groupdn cn=unixusergroup,dc=coherent,dc=cohtech,dc=co,dc=uk
> pam_passwd ad
>
>
> # Disable SASL security layers. This is needed for AD.
> #sasl_secprops maxssf=0
> sasl_secprops maxssf=0
>
> # Override the default Kerberos ticket cache location.
> #krb5_ccname FILE:/etc/.ldapcache
> krb5_ccname FILE:/etc/.ldapcache
>
> # SASL mechanism for PAM authentication - use is experimental
> # at present and does not support password policy control
> #pam_sasl_mech DIGEST-MD5
>
> use_sasl on
>
> sasl_authid nssldap/beastie.finsbury.cohtech.co.uk
>
> rootsasl_auth_id nssldap/beastie.finsbury.cohtech.co.uk
>
> rootuse_sasl yes
>
The key feature here is the krb5_ccname which is used to override the 
credentials passed in to the user. At present this file must have 0644 
access as the nss_ldap code always overrides with this file. I intend to 
supply a patch that will check for read access to this file and use it 
only in this circumstance. A further enhancement would be to try to 
access the directory using this file if readable, and if that fails or 
if the file is not readable then use the KRB5CCNAME environment variable 
if set and if that fails use the users credentials cache if that exists.

The authentication ID needs to be created in the AD and exported. This 
is done by creating a user with a never expires password and then using 
the ktpass command on Windows 200x to export the key. I use

    ktpass -princ nssldap/<hostname>@DOMAIN -mapuser nss<host>@domain
    -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly
    -pass <somepassword> -out <keytabfile>

The resulting file is copied to the target host, and I add it to the 
system keytab file. It could equally be put in a separate file and used 
from there.

The final pieces of magic are setting up the openldap ldap.conf file.

> # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE   dc=example, dc=com
> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> URI ldaps://coherent.cohtech.co.uk
> #HOST coherent.cohtech.co.uk
> BASE dc=coherent,dc=cohtech,dc=co,dc=uk
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT never

And setting up nscd to cache requests; when running nscd I set the 
environment with KRB5CCNAME=/etc/.ldapcache as a bit of belt and braces.

The following script is executed every 6 hours to keep the credentials 
cache current.

> #!/bin/sh
> #
>
> /usr/kerberos/bin/kinit -k -t /etc/krb5.keytab -c /etc/.ldapcache nssldap/beastie.finsbury.cohtech.co.uk \
>         && chown nscd:nscd /etc/.ldapcache \
>         && chmod 0644 /etc/.ldapcache
>
> exit 0

The 0644 will change to 0640 once I have a patch into nss_ldap. A point 
to note: nscd only provides caches for individual lookups, so running 
getent passwd will not work unless kerberos credentials are supplied 
some other way - hence the need for 0644 at present.

Hope this all makes sense. Will try to produce a more comprehensive 
guide later when I have fixed the niggles.

By the by, this all required the latest versions of openldap, 
cyrus-sasl and nss_ldap, as previous versions failed to talk to Windows 
2003. These are currently drawn from fedora-development and are: 
openldap-2.3.27-2, cyrus-sasl-2.1.22-3, & nss_ldap-251-1 (with the 
enable-configurable-krb5-ccname-gssapi configuration flag turned on at 
build time).



Chris Bradford wrote:
> Howard Wilkinson wrote:
>> I have been installing nss_ldap for sasl connections to a Windows 
>> 2003 R2 infrastructure and run into some problems. It turns out that 
>> the package distributed with FC5 and in development have an incorrect 
>> option set with the configuration for the configuration file feature 
>> krb5_ccname to work.
>>
>> The configure line currently uses --enable-configurable-krb5-ccname 
>> which does not do anything useful. It should either read 
>> --enable-configurable-krb5-ccname-env or 
>> --enable-configurable-krb5-ccname-gssapi to make this work. I have 
>> chosen the second as the first does not confer any advantage in 
>> allowing the environment to override in the current implementation.
>>
>> Without this setting then the calling environment must have a 
>> credential cache set up for the code to work - the behaviour of both 
>> the nscd and the general calling environment give local errors when 
>> there is not credentials cache defined.
> Howard,
>
> Could you please post details on how you have used sasl to connect to 
> AD? I am using nss_ldap to connect but not using sasl. Further details 
> on this can be seen here: 
> http://cb-net.co.uk/readarticle.php?article_id=5
>
> -Chris
>

-- 

Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, London, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: howard at cohtech.com
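The credentials-cache fallback described in the post (use the configured krb5_ccname only if it is readable, otherwise KRB5CCNAME, otherwise the caller's own cache), together with the 0644-versus-0640 check on that file, written out as an added example in C. This is not nss_ldap code or a patch from this thread; it assumes FILE: caches only, uses readability as the stand-in for "the bind with that cache works", and the function names are made up here.

```c
/* Added example, not nss_ldap code: choose which Kerberos credentials
 * cache to hand to GSSAPI, in the fallback order proposed in the post.
 * Only FILE: caches are handled; "readable" stands in for "usable". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Strip the "FILE:" prefix so the path can be handed to access(2)/stat(2). */
static const char *ccache_path(const char *ccname)
{
    if (ccname == NULL || ccname[0] == '\0')
        return NULL;
    return strncmp(ccname, "FILE:", 5) == 0 ? ccname + 5 : ccname;
}

/* Fallback order: configured krb5_ccname -> KRB5CCNAME -> caller's default.
 * Copies the winner into out and returns 0, 1 or 2 for which one won,
 * or -1 (out emptied) when none of them is readable. */
int select_ccache(const char *configured, const char *env_ccname,
                  const char *user_default, char *out, size_t outlen)
{
    const char *candidates[3] = { configured, env_ccname, user_default };
    int i;
    for (i = 0; i < 3; i++) {
        const char *p = ccache_path(candidates[i]);
        if (p != NULL && access(p, R_OK) == 0) {
            snprintf(out, outlen, "%s", candidates[i]);
            return i;
        }
    }
    out[0] = '\0';
    return -1;
}

/* The 0644 point from the post: a cache with the "other" read bit set can
 * be read, and therefore used, by every local account, not just nscd.
 * Returns 1 if world-readable, 0 if not, -1 if the file cannot be stat'ed. */
int ccache_world_readable(const char *ccname)
{
    struct stat st;
    const char *p = ccache_path(ccname);
    if (p == NULL || stat(p, &st) != 0)
        return -1;
    return (st.st_mode & S_IROTH) ? 1 : 0;
}
```

A caller would run ccache_world_readable on the winner from select_ccache and log a warning when it returns 1, which is exactly the state the 0644 refresh script above leaves /etc/.ldapcache in.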
