Samba/LDAP Active Directory Integration

someguy
Posts: 5
Joined: 2012/01/24 21:47:45

Samba/LDAP Active Directory Integration

Post by someguy » 2012/01/24 22:02:32

Here's what I'm trying to do:

I run a Windows Active Directory Domain. I have a ton of Linux servers that need to be able to use the same Active Directory credentials. My understanding is that this can be achieved with a combination of Winbind, Samba, LDAP, and idmap.

I'm trying to figure out exactly how all the components go together- Winbind translates Windows SIDs to unix uid/gid numbers, and then in conjunction with Samba, stores them in an idmap table in LDAP. I can get a server to join the AD domain, and get data into my ldap idmap table. I can even get users to login to that server with their domain credentials (through winbind). The part I seem to be having trouble with is how to have servers authenticate against the idmap table in LDAP (so the same uid/gid is persistent across all servers).

I guess the main question would be: If I have a server running winbind, ldap, and samba that's storing translations in an idmap table, how do I get other linux servers to authenticate against the data stored in ldap? This is more of a conceptual question at this point than wondering for an exact configuration.

I've tried countless configurations on this, and can't seem to get it working just right. I'm wondering if this is even possible.

If this is possible, I'll get a setup as far as I can, and post configs. Of note, working on CentOS 5.5 with Samba3x.


Thanks for any help anyone can provide, my brain is about to explode...

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Samba/LDAP Active Directory Integration

Post by pschaff » 2012/01/25 00:11:41

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

[quote]
someguy wrote:
...working on CentOS 5.5 with Samba3x...[/quote]

The first step is to update to a current/supported release. CentOS-5.7 is the current release. See the [url=http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.7]CentOS 5.7 Release Notes[/url] for details. By not updating you are implicitly accepting that you will live with numerous bugs and security issues (and associated known exploits) that have subsequently been fixed.

If still having problems, you may have to post more details of your configuration, and details of any errors. CentOS can certainly work with LDAP and/or AD, but I am having a hard time understanding where your difficulties lie. The problem description is rather general.

someguy
Posts: 5
Joined: 2012/01/24 21:47:45

Re: Samba/LDAP Active Directory Integration

Post by someguy » 2012/01/25 16:38:31

Phil, thanks for the response. I understand the frustration/annoyance of lack of information, but my post wasn't intended to be a configuration review- it was just intended to be an overview discussion to see if anyone could point me at the right place to look. Re-reading it, I realized it may have not come out that clearly.

Now that I've had some sleep, let me see if I can phrase it a little more clearly-


- I'm setting up a server that will host LDAP/Samba/Winbind, and use idmap with LDAP (we'll call it LDAPSERVER). The idea is that this server will connect as a domain member to my Active Directory domain, and hold the translations from SIDs to uids/gids.
- Other servers will then allow users to login by authentication against the idmap information stored in LDAP on LDAPSERVER- the idea being a centralized mapping of SIDs to uids/gids for the entire infrastructure.
- I can get Winbind to do the translations and store mappings in the idmap table (I'm not sure it's storing complete/correct information, but I see things there).
- Here's where the problem comes in- I can't get my servers to authenticate against the idmap info in LDAPSERVER



HERE IS THE ACTUAL QUESTION- Does anyone know where I might look to have a server allow logins using a remote server's LDAP (with idmap)? All I'm looking for is application names/subsystems. I'm guessing that it's somewhere in pam/nsswitch, but I don't know for certain.



I will take your advice and look into upgrading to 5.7. Let me set up my server again to get it as far along as I can get it, then I will post all appropriate information (versions, configs, logs, etc). May take a day or two, but will add when ready.

Thanks!

someguy
Posts: 5
Joined: 2012/01/24 21:47:45

Re: Samba/LDAP Active Directory Integration

Post by someguy » 2012/01/25 17:58:48

Here's what I'm trying to do- I want to setup a CentOS server that stores translated Active Directory login credentials in LDAP, and allow other CentOS servers to authenticate against the stored credentials in LDAP on this server.

Here's my detailed setup and configuration:

I start with my base install, which is CentOS 5.5x64, with a handful of required packages. The name of my server is "smbtest2". This is the server that will host the LDAP database and Winbind to do the translations.

Here is the system info
[code]
[root@smbtest2 ~]# uname -a
Linux smbtest2.domain.local 2.6.18-128.el5xen #1 SMP Wed Jan 21 11:12:42 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
[/code]

I will be taking advice and attempting to upgrade to CentOS 5.7 next.


Here's a walk-through of how I set the server up. Below, I've substituted "DOMAIN.LOCAL" for my actual domain name everywhere.

First, I edited the hosts file
[code]
::1 localhost6.localdomain6 localhost6
127.0.0.1 smbtest2.domain.local smbtest2 localhost
[/code]

Then, I edited the hostname.
First, in /etc/sysconfig/network
[code]
NETWORKING=yes
NETWORKING_IPV6=no
GATEWAY=x.x.x.x #my gateway
HOSTNAME=smbtest2.domain.local
[/code]
[code]
[root@smbtest2 ~]# hostname smbtest2.domain.local
[/code]

Then, I edited the /etc/resolv.conf (to point at my Active Directory PDC)
[code]
nameserver x.x.x.x #my AD PDC
[/code]


Then, I install required packages:
[code]
yum install samba3x samba3x-common samba3x-winbind openldap openldap-clients openldap-servers nss_ldap -y
[/code]

Here is some info on the packages:
With rpm -qa:
[code]
samba3x-winbind-3.5.4-0.83.el5_7.2
samba3x-3.5.4-0.83.el5_7.2
samba3x-common-3.5.4-0.83.el5_7.2
samba3x-winbind-3.5.4-0.83.el5_7.2
openldap-servers-2.3.43-12.el5_7.10
nss_ldap-253-42.el5_7.4
openldap-2.3.43-12.el5_7.10
nss_ldap-253-42.el5_7.4
openldap-clients-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
krb5-libs-1.6.1-36.el5_5.6
pam_krb5-2.2.14-15
krb5-workstation-1.6.1-36.el5_5.6
krb5-libs-1.6.1-36.el5_5.6
pam_krb5-2.2.14-15
[/code]

Next, I edit the Kerberos /etc/krb5.conf file
[code]
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.LOCAL = {
kdc = DOMAIN.LOCAL:88
admin_server = DOMAIN.LOCAL:749
default_domain = domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[/code]

Next, is the configuration of /etc/nsswitch.conf.
[code]
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: nisplus winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
[/code]

Next is the configuration of /etc/pam.d/system-auth
[code]
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_krb5.so
account sufficient pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_krb5.so
[/code]

Next is the configuration of /etc/samba/smb.conf
[code]
[global]
workgroup = DOMAIN
netbios name = smbtest2
server string = smbtest2
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
realm = DOMAIN.LOCAL
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
allow trusted domains = yes
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 10000-10000000
idmap gid = 10000-10000000
winbind use default domain = yes
winbind separator = -
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U

ldap admin dn = cn=Manager,dc=domain,dc=local
ldap idmap suffix = ou=idmap
ldap suffix = dc=domain,dc=local
idmap backend = ldap:ldap://smbtest2.domain.local

ldap ssl = off
[/code]

And then I edit the /etc/openldap/slapd.conf file
[code]
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=domain,dc=local"
rootdn "cn=Manager,dc=domain,dc=local"
rootpw {SSHA}dsq0mHzDS7f74c4TFLVMJaB21GViIKU3

directory /var/lib/ldap
index objectClass eq
index uidNumber eq
index gidNumber eq
index cn eq
index sambaSID eq
[/code]

Now, I start LDAP
[code]
[root@smbtest2 ~]# service ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[/code]

And now, I create the base structure, with base.ldif
[code]
ldapadd -xWv -D "cn=Manager,dc=domain,dc=local" -f base.ldif
[/code]

Here are the contents of the ldif:
[code]
dn: dc=domain,dc=local
objectClass: dcObject
objectClass: organization
dc: domain
o: Test
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=domain,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Idmap,dc=domain,dc=local
objectClass: organizationalUnit
ou: idmap
[/code]

Adding of the base.ldif file returns ok, with a modify complete message.

Next, I set the smb password
[code]
[root@smbtest2 yum.repos.d]# smbpasswd -w my_password
Setting stored password for "cn=Manager,dc=domain,dc=local" in secrets.tdb
[/code]

Now, I join this server to my Active Directory Domain
[code]
[root@smbtest2]# net ads join -UAdmin
Enter Admin's password:
Using short domain name -- DOMAIN
Joined 'SMBTEST2' to realm 'domain.local'
[/code]

At this point, I start other needed services:
[code]
[root@smbtest2 ~]# /etc/init.d/smb start
Starting SMB services: [ OK ]
[root@smbtest2 ~]# /etc/init.d/winbind start
Starting Winbind services: [ OK ]
[/code]

Now, check that winbind is retrieving data:
[code]
wbinfo -u
wbinfo -g
[/code]
I omitted the results, but both of these commands return user and group listings containing the proper AD domain users and groups.

Now, check that getent commands work
[code]
getent passwd
getent group
[/code]
Again, omitted the results. I am able to see users and groups properly from these commands.

Now, check that I can actually login over ssh:
[code]
someguy@someguysdesktop:~> ssh someguy@x.x.x.x
someguy@x.x.x.x's password:
Creating directory '/home/someguy'.
Creating directory '/home/someguy/.mozilla'.
Creating directory '/home/someguy/.mozilla/extensions'.
Creating directory '/home/someguy/.mozilla/plugins'.
[someguy@smbtest2 ~]$
[/code]

Excellent! Now I can login. However, my understanding is that winbind is being used instead of the data stored in ldap. This is all fine and good, but if I connect another server in this same way (with winbind/samba), the UID/GID mappings of domain users are not the same on both servers. THIS IS WHERE I'M HAVING THE BIG PROBLEM- At this point, how do I configure my system to authenticate against the idmap data in LDAP instead of the data in winbind?

Here are my assumptions. To get this to work:
- I need to change the configuration in /etc/nsswitch.conf to use "files ldap" instead of "files winbind" for passwd, shadow, and group
- I need to configure the ldap client, by editing the /etc/ldap.conf file (or using a utility like authconfig)
- I need to make the ldap client aware that it needs to be querying against the idmap table
- I may need to change some PAM configurations

I'm going to proceed with working on some of my assumptions here, and will update the post when I have more relevant information. If anyone has any ideas on how to do the ldap client configuration, it would be much appreciated. Also, let me know if I can post any particular log data that may be beneficial.

Thanks!
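The drift described in this post (the same domain user getting a different uid on each winbind/samba member) comes from every server allocating IDs from its own `idmap uid = 10000-10000000` range the first time it sees a SID. The script below is an added simulation, not Samba code and not part of the thread: a simplified next-free allocator models the per-server idmap (tdb-style) case and the shared-directory case side by side. The domain SID is the thread's placeholder; the user names and RIDs 1101-1103 are constructed for the example.

```python
"""Model of why per-server idmap allocation drifts and a shared backend does not.

Added example (not Samba code, not from the thread). The only behaviour
modelled is: an unknown SID gets the next free ID from the configured range
the first time it is looked up. Everything else about idmap is left out.
"""

DOMAIN_SID = "S-1-5-21-1778281613-3892822526-1609039206"   # placeholder from the thread
# Constructed users and RIDs for the simulation
USERS = {
    "alice": f"{DOMAIN_SID}-1101",
    "bob":   f"{DOMAIN_SID}-1102",
    "carol": f"{DOMAIN_SID}-1103",
}


class IdmapAllocator:
    """Next-free allocation inside 'idmap uid = LOW-HIGH'.

    One instance per server models a local idmap database; one instance shared
    by several callers models a directory-backed idmap that all servers consult.
    """

    def __init__(self, low=10000, high=10000000):
        self.low, self.high = low, high
        self.next_free = low
        self.sid_to_id = {}

    def sid_to_uid(self, sid):
        # Known SID: return the stored mapping, never reallocate.
        if sid in self.sid_to_id:
            return self.sid_to_id[sid]
        if self.next_free > self.high:
            raise RuntimeError("idmap range exhausted")
        uid = self.next_free
        self.next_free += 1
        self.sid_to_id[sid] = uid
        return uid

    def remaining(self):
        """IDs still available in the range."""
        return self.high - self.next_free + 1


def resolve_all(allocator, order):
    """Look up users in the given order, the way logins would trigger lookups."""
    return {name: allocator.sid_to_uid(USERS[name]) for name in order}


def independent_servers():
    """Two servers, each with its own allocator, seeing users in different order."""
    server_a = resolve_all(IdmapAllocator(), ["alice", "bob", "carol"])
    server_b = resolve_all(IdmapAllocator(), ["carol", "alice", "bob"])
    return server_a, server_b


def shared_backend():
    """Same lookup orders, but both servers consult one shared allocator."""
    shared = IdmapAllocator()
    server_a = resolve_all(shared, ["alice", "bob", "carol"])
    server_b = resolve_all(shared, ["carol", "alice", "bob"])
    return server_a, server_b


def conflicting_users(map_a, map_b):
    """Users whose uid differs between two servers (file ownership would be wrong)."""
    return sorted(name for name in map_a if name in map_b and map_a[name] != map_b[name])


if __name__ == "__main__":
    a, b = independent_servers()
    print("independent idmap:", a, b, "conflicts:", conflicting_users(a, b))
    a, b = shared_backend()
    print("shared idmap:     ", a, b, "conflicts:", conflicting_users(a, b))
```

With independent allocators all three users collide (each server hands out 10000, 10001, 10002 in its own lookup order); with the shared allocator both servers report identical mappings. That is the property the thread is after, and it is the mapping, not authentication, that the shared directory has to provide.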

someguy
Posts: 5
Joined: 2012/01/24 21:47:45

Re: Samba/LDAP Active Directory Integration

Post by someguy » 2012/01/25 21:04:00

I have a bit more information. Using the same setup as described in the last post, I'm trying to change the server to authenticate using ldap instead of winbind.

Here's the how I set it up, and the resulting findings:

First, use authconfig-tui to configure ldap authentication
[code]
[root@smbtest2 ~]# authconfig-tui
[/code]

Here are the pages, and the options selected with authconfig-tui:
- Authentication Configuration
- User Information
- Checked "USE LDAP"
- Authentication
- Checked "Use MD5 Passwords"
- Checked "Use Shadow Passwords"
- Checked "Use LDAP Authentication"
- LDAP Settings
- Server: ldap://127.0.0.1
- Base DN: dc=domain,dc=local

Authconfig exits, and I'm back at the shell.

My /etc/nsswitch.conf file has changed
[code]
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind

netgroup: files ldap

publickey: nisplus

automount: files ldap
aliases: files nisplus
[/code]

My /etc/pam.d/system-auth has changed as well
[code]
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
[/code]

These are the only two I've checked so far for changes.

I configured the /etc/ldap.conf ldap client file:
[code]
base dc=domain,dc=local
uri ldap://127.0.0.1/
binddn cn=Manager,dc=domain,dc=local
bindpw {SSHA}dsq0mHzDS7f74c4TFLVMJaB21GViIKU3
rootbinddn cn=Manager,dc=domain,dc=local

timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
[/code]

Following the instructions in the ldap.conf file, I created the /etc/ldap.secret file and restarted the ldap server
[code]
echo "my_pass" > /etc/ldap.secret
chmod 600 /etc/ldap.secret
service ldap restart
[/code]

Here, I execute a getent passwd
[code]
[root@smbtest2 ~]# getent passwd
[/code]

The results only return local system accounts (from /etc/passwd).

However, if I look at the ldap logging, here's what I see as a result of "getent passwd":
[code]
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 fd=12 ACCEPT from IP=127.0.0.1:33681 (IP=0.0.0.0:389)
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=0 BIND dn="cn=Manager,dc=domain,dc=local" method=128
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=0 BIND dn="cn=Manager,dc=domain,dc=local" mech=SIMPLE ssf=0
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=0 RESULT tag=97 err=0 text=
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=1 SRCH base="dc=domain,dc=local" scope=2 deref=0 filter="(objectClass=posixAccount)"
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 fd=12 closed (connection lost)
[/code]

Looking at that, it looks like it's searching for the "objectClass=posixAccount". This doesn't appear to be specified in my idmap.

Here is a snippet of the output from an ldapsearch:
[code]
[root@smbtest2 ~]# ldapsearch -x -b 'dc=domain,dc=local' -D "cn=Manager,dc=domain,dc=local" '(objectclass=*)' -W

...
# S-1-5-21-1778281613-3892822526-1609039206-498, idmap, domain.local
dn: sambaSID=S-1-5-21-1778281613-3892822526-1609039206-498,ou=idmap,dc=domain,dc=local
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10115
sambaSID: S-1-5-21-1778281613-3892822526-1609039206-498
...
[/code]

I see the sambaIdmapEntry and sambaSidEntry, but no posixAccount, which is what the ldap client appears to be querying for (also, I do not see other attributes logged by ldap, the uid, userPassword, etc).

I see a bunch of nss_base and nss_map entries in the /etc/ldap.conf ldap client file. As of right now, I'm thinking that this section may be where at least part of the problem lies. Past that, I'm wondering if the information being stored in ldap/idmap is complete or accurate.

On to continue looking!
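The slapd log quoted in this post already tells the whole story once it is read per connection: a simple bind as cn=Manager with ssf=0, then one search for (objectClass=posixAccount) that returns nentries=0. The script below is an added example, not part of the thread and not an OpenLDAP tool: it parses slapd stats-level lines of the format shown above, groups them by connection and flags the things an administrator would want to see. The conn=3 lines are the ones from this post; conn=4 and conn=5 are constructed (a bind from another host 10.0.0.5, and a rejected bind) to show that the same parser covers a member server talking to LDAPSERVER, where, with `ssl no` and a plain ldap:// URI as configured here, a simple bind carries the bind password unprotected.

```python
"""Summarise OpenLDAP slapd stats-level log lines per connection.

Added example, not from the thread. Regexes follow the slapd 2.3 log format
the thread shows. conn=3 is the thread's own getent trace; conn=4/conn=5 are
constructed to show a remote bind and a failed bind.
"""
import re

SAMPLE_LOG = """\
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 fd=12 ACCEPT from IP=127.0.0.1:33681 (IP=0.0.0.0:389)
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=0 BIND dn="cn=Manager,dc=domain,dc=local" method=128
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=0 BIND dn="cn=Manager,dc=domain,dc=local" mech=SIMPLE ssf=0
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=0 RESULT tag=97 err=0 text=
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=1 SRCH base="dc=domain,dc=local" scope=2 deref=0 filter="(objectClass=posixAccount)"
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 fd=12 closed (connection lost)
Jan 25 13:50:02 smbtest2 slapd[12944]: conn=4 fd=13 ACCEPT from IP=10.0.0.5:40112 (IP=0.0.0.0:389)
Jan 25 13:50:02 smbtest2 slapd[12944]: conn=4 op=0 BIND dn="cn=Manager,dc=domain,dc=local" method=128
Jan 25 13:50:02 smbtest2 slapd[12944]: conn=4 op=0 BIND dn="cn=Manager,dc=domain,dc=local" mech=SIMPLE ssf=0
Jan 25 13:50:02 smbtest2 slapd[12944]: conn=4 op=0 RESULT tag=97 err=0 text=
Jan 25 13:50:02 smbtest2 slapd[12944]: conn=4 op=1 SRCH base="dc=domain,dc=local" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=someaduser))"
Jan 25 13:50:02 smbtest2 slapd[12944]: conn=4 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 25 13:50:02 smbtest2 slapd[12944]: conn=4 fd=13 closed
Jan 25 13:51:40 smbtest2 slapd[12944]: conn=5 fd=14 ACCEPT from IP=10.0.0.5:40113 (IP=0.0.0.0:389)
Jan 25 13:51:40 smbtest2 slapd[12944]: conn=5 op=0 BIND dn="cn=Manager,dc=domain,dc=local" method=128
Jan 25 13:51:40 smbtest2 slapd[12944]: conn=5 op=0 RESULT tag=97 err=49 text=
Jan 25 13:51:40 smbtest2 slapd[12944]: conn=5 fd=14 closed
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=\d+')
MECH_RE = re.compile(r'op=(\d+) BIND dn="[^"]*" mech=(\S+) ssf=(\d+)')
SRCH_RE = re.compile(r'op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
SRES_RE = re.compile(r"op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")
RES_RE = re.compile(r"op=(\d+) RESULT tag=(\d+) err=(\d+)")


def parse_slapd_log(text):
    """Return {conn_id: {"ip": client_ip, "ops": {op_id: op_dict}}}."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = int(m.group(1)), m.group(2)
        conn = conns.setdefault(cid, {"ip": None, "ops": {}})
        ops = conn["ops"]
        if (a := ACCEPT_RE.match(rest)):
            conn["ip"] = a.group(1)
        elif (b := BIND_RE.match(rest)):
            ops[int(b.group(1))] = {"kind": "bind", "dn": b.group(2),
                                    "mech": None, "ssf": None, "err": None}
        elif (k := MECH_RE.match(rest)):
            # slapd logs this line only for a successful bind; ssf=0 means no TLS/SASL protection
            if (op := ops.get(int(k.group(1)))):
                op.update(mech=k.group(2), ssf=int(k.group(3)))
        elif (s := SRCH_RE.match(rest)):
            ops[int(s.group(1))] = {"kind": "search", "base": s.group(2), "scope": int(s.group(3)),
                                    "filter": s.group(4), "err": None, "nentries": None}
        elif (r := SRES_RE.match(rest)):
            if (op := ops.get(int(r.group(1)))):
                op.update(err=int(r.group(2)), nentries=int(r.group(3)))
        elif (r := RES_RE.match(rest)):
            # tag=97 is a BindResponse; search outcomes come from the SEARCH RESULT line
            if (op := ops.get(int(r.group(1)))):
                op["err"] = int(r.group(3))
    return conns


def findings(conns):
    """Per-connection observations an administrator would want surfaced."""
    out = []
    for cid, conn in sorted(conns.items()):
        for _, op in sorted(conn["ops"].items()):
            if op["kind"] == "bind":
                if op["err"] == 49:  # LDAP invalidCredentials
                    out.append(f"conn={cid} from {conn['ip']}: bind as {op['dn']} rejected (invalid credentials)")
                elif op["mech"] == "SIMPLE" and op["ssf"] == 0 and conn["ip"] != "127.0.0.1":
                    out.append(f"conn={cid} from {conn['ip']}: simple bind as {op['dn']} with ssf=0 (password sent in the clear)")
            elif op["err"] == 0 and op["nentries"] == 0:
                out.append(f"conn={cid}: search {op['filter']} under {op['base']} returned no entries")
    return out


if __name__ == "__main__":
    for line in findings(parse_slapd_log(SAMPLE_LOG)):
        print(line)
```

On the thread's own trace the only finding is the empty posixAccount search, which is the expected result when the base holds nothing but sambaIdmapEntry objects; the other two findings only appear for the constructed remote connections.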

someguy
Posts: 5
Joined: 2012/01/24 21:47:45

Re: Samba/LDAP Active Directory Integration

Post by someguy » 2012/01/26 15:12:05

I've got a little more information. It appears as though the ldap querying is working correctly (sort of?). I went ahead and modified one of the sambaSID entries in ldap created by winbind
[code]
ldapmodify -xWv -D "cn=Manager,dc=domain,dc=local" -f test2.ldif
[/code]

Here's the contents of that test2.ldif:
[code]
dn: sambaSID=S-1-5-21-1778281613-3892822526-1609039206-3211,ou=idmap,dc=domain,dc=local
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
objectClass: posixAccount
uidNumber: 10130
gidNumber: 10130
sambaSID: S-1-5-21-1778281613-3892822526-1609039206-3211
cn: S-1-5-21-1778281613-3892822526-1609039206-3211
uid: someaduser
homeDirectory: /home/ldap
[/code]

To explain this ldif, I took the info that was already there, added the posixAccount class, and the gidNumber, uid, and homeDirectory attributes. It modified the entry successfully.

Now, if I run getent passwd, that modification shows up (with no other changes):
[code]
...
someaduser:*:10130:10130:S-1-5-21-1778281613-3892822526-1609039206-3211:/home/ldap:
[root@smbtest2 ~]#
[/code]

What I take from this is that the ldap queries are working okay, they're just not finding the information they require (apparently the posixAccount class). I'm having a bit of trouble understanding what pieces are doing what in this. Is winbind not storing the correct information in the ldap database, or is the ldap client not interpreting/translating the results properly?
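The experiment in this post shows the two halves of the picture: winbind's idmap entry carries only a SID and a uidNumber or gidNumber, while nss_ldap's passwd map wants a posixAccount with uid, uidNumber, gidNumber, cn, homeDirectory and loginShell (the attribute list in the slapd log). The script below is an added example, not part of the thread and not nss_ldap or Samba code: it reads the two entries shown in this thread (the winbind-written RID 498 mapping and the hand-edited RID 3211 one) from an inline LDIF, reports which passwd-map attributes each lacks, and renders the edited entry the way getent printed it, including the empty shell field at the end of the thread's output line.

```python
"""Check winbind idmap entries against what an nss_ldap passwd lookup needs.

Added example, not from the thread. SAMPLE_LDIF reproduces the two entries the
thread shows; the domain SID is the thread's placeholder value.
"""

SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-1778281613-3892822526-1609039206-498,ou=idmap,dc=domain,dc=local
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10115
sambaSID: S-1-5-21-1778281613-3892822526-1609039206-498

dn: sambaSID=S-1-5-21-1778281613-3892822526-1609039206-3211,ou=idmap,dc=domain,dc=local
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
objectClass: posixAccount
uidNumber: 10130
gidNumber: 10130
sambaSID: S-1-5-21-1778281613-3892822526-1609039206-3211
cn: S-1-5-21-1778281613-3892822526-1609039206-3211
uid: someaduser
homeDirectory: /home/ldap
"""

# Attributes the thread's slapd log shows nss_ldap requesting, minus the optional
# ones (userPassword, gecos, description). Without these a passwd line is incomplete.
PASSWD_REQUIRED = ("uid", "uidNumber", "gidNumber", "cn", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, attributes may repeat.

    Folded lines (leading space) are joined; base64 values ("::") are not handled.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:          # trailing sentinel flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        cur.setdefault(name.strip(), []).append(value.strip())
    return entries


def first(entry, attr):
    """First value of an attribute, or '' when the entry lacks it."""
    return entry.get(attr, [""])[0]


def classify(entry):
    """winbind writes uidNumber for user SIDs and gidNumber for group SIDs."""
    if "uidNumber" in entry:
        return "user"
    if "gidNumber" in entry:
        return "group"
    return "unmapped"


def rid(entry):
    """Relative ID: the last component of the SID."""
    return int(first(entry, "sambaSID").rsplit("-", 1)[1])


def missing_for_passwd(entry):
    """What the nss_ldap passwd map needs and cannot find in this entry."""
    missing = []
    if "posixAccount" not in entry.get("objectClass", []):
        missing.append("objectClass=posixAccount")
    missing += [a for a in PASSWD_REQUIRED if a not in entry]
    return missing


def passwd_line(entry):
    """Render the entry as getent passwd prints it; absent fields stay empty.

    The password field is '*' as in the thread's output (the entry has no
    userPassword); nss_ldap uses gecos when present and falls back to cn.
    """
    gecos = first(entry, "gecos") or first(entry, "cn")
    return ":".join([first(entry, "uid"), "*", first(entry, "uidNumber"), first(entry, "gidNumber"),
                     gecos, first(entry, "homeDirectory"), first(entry, "loginShell")])


def report(text):
    """One status line per entry."""
    out = []
    for entry in parse_ldif(text):
        gaps = missing_for_passwd(entry)
        status = "passwd-ready" if not gaps else "missing " + ", ".join(gaps)
        out.append(f"RID {rid(entry)} ({classify(entry)} mapping): {status}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LDIF):
        print(line)
    print(passwd_line(parse_ldif(SAMPLE_LDIF)[1]))
```

The RID 498 entry is a group mapping and would never satisfy a passwd query; the RID 3211 entry is a user mapping that is complete except for loginShell, which is exactly why the thread's getent output ends in an empty field.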

gotchapt
Posts: 1
Joined: 2012/05/10 10:25:52

Re: Samba/LDAP Active Directory Integration

Post by gotchapt » 2012/05/10 10:29:02

Hi, did you manage to authenticate through LDAP? If you did, can you explain how? Your thread was very useful. Thanks :-)

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Samba/LDAP Active Directory Integration

Post by pschaff » 2012/05/10 21:19:19

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

After reading those links you should realize why you should not hijack threads as you have done. Many people may miss your post hidden away under a stale thread. Please start a new Topic for your issue to get the attention you need, providing a link to this one if required for context.
