Samba/LDAP Active Directory Integration


Postby someguy » 2012/01/24 22:02:32

Here's what I'm trying to do:

I run a Windows Active Directory Domain. I have a ton of Linux servers that I need to be able to use the same active directory credentials. My understanding is that this can be achieved with a combination of Winbind, Samba, LDAP, and idmap.

I'm trying to figure out exactly how all the components go together- Winbind translates Windows SIDs to unix uid/gid numbers, and then in conjunction with Samba, stores them in an idmap table in LDAP. I can get a server to join the AD domain, and get data into my ldap idmap table. I can even get users to login to that server with their domain credentials (through winbind). The part I seem to be having trouble with, is how to have servers authenticate against the idmap table in LDAP (so the same uid/gid is persistent across all servers).

I guess the main questions would be: If I have a server running winbind, ldap, and samba that's storing translations in an idmap table, how do I get other linux servers to authenticate against the data stored in ldap? This is more of a conceptual question at this point than wondering for an exact configuration.

I've tried countless configurations on this, and can't seem to get it working just right. I'm wondering if this is even possible.

If this is possible, I'll get a setup as far as I can, and post configs. Of note, working on CentOS 5.5 with Samba3x.


Thanks for any help anyone can provide, my brain is about to explode...
someguy
 
Posts: 5
Joined: 2012/01/24 21:47:45

Samba/LDAP Active Directory Integration

Postby pschaff » 2012/01/25 00:11:41

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

someguy wrote:
...working on CentOS 5.5 with Samba3x...


The first step is to update to a current/supported release. CentOS-5.7 is the current release. See the CentOS 5.7 Release Notes for details. By not updating you are implicitly accepting that you will live with numerous bugs and security issues (and associated known exploits) that have subsequently been fixed.

If still having problems, you may have to post more details of your configuration, and details of any errors. CentOS can certainly work with LDAP and/or AD, but I am having a hard time understanding where your difficulties lie. The problem description is rather general.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Samba/LDAP Active Directory Integration

Postby someguy » 2012/01/25 16:38:31

Phil, thanks for the response. I understand the frustration/annoyance of lack of information, but my post wasn't intended to be a configuration review- it was just intended to be an overview discussion to see if anyone could point me at the right place to look. Re-reading it, I realized it may have not come out that clearly.

Now that I've had some sleep, let me see if I can phrase it a little more clearly-


- I'm setting up a server that will host LDAP/Samba/Winbind, and use idmap with LDAP (we'll call it LDAPSERVER). The idea is that this server will connect as a domain member to my Active Directory domain, and hold the translations from SIDs to uids/gids.
- Other servers will then allow users to login by authentication against the idmap information stored in LDAP on LDAPSERVER- the idea being a centralized mapping of SIDs to uids/gids for the entire infrastructure.
- I can get Winbind to do the translations and store mappings in the idmap table (I'm not sure it's storing complete/correct information, but I see things there).
- Here's where the problem comes in- I can't get my servers to authenticate against the idmap info in LDAPSERVER.



HERE IS THE ACTUAL QUESTION- Does anyone know where I might look to have a server allow logins using a remote server's LDAP (with idmap)? All I'm looking for is application names/subsystems. I'm guessing that it's somewhere in pam/nsswitch, but I don't know for certain.



I will take your advice and look into upgrading to 5.7. Let me set up my server again to get it as far along as I can get it, then I will post all appropriate information (versions, configs, logs, etc). May take a day or two, but will add when ready.

Thanks!
someguy
 
Posts: 5
Joined: 2012/01/24 21:47:45

Re: Samba/LDAP Active Directory Integration

Postby someguy » 2012/01/25 17:58:48

Here's what I'm trying to do- I want to setup a CentOS server that stores translated Active Directory login credentials in LDAP, and allow other CentOS servers to authenticate against the stored credentials in LDAP on this server.

Here's my detailed setup and configuration:

I start with my base install, which is CentOS 5.5x64, with a handful of required packages. The name of my server is "smbtest2". This is the server that will host the LDAP database and Winbind to do the translations.

Here is the system info
Code:
[root@smbtest2 ~]# uname -a
Linux smbtest2.domain.local 2.6.18-128.el5xen #1 SMP Wed Jan 21 11:12:42 EST 2009 x86_64 x86_64 x86_64 GNU/Linux


I will be taking advice and attempting to upgrade to CentOS 5.7 next.


Here's a walk-through of how I set the server up. Below, I've substituted my actual domain name for "DOMAIN.LOCAL" everywhere.

First, I edited the hosts file
Code:
::1             localhost6.localdomain6 localhost6
127.0.0.1     smbtest2.domain.local smbtest2 localhost


Then, I edited the hostname.
First, in /etc/sysconfig/network
Code:
NETWORKING=yes
NETWORKING_IPV6=no
GATEWAY=x.x.x.x #my gateway
HOSTNAME=smbtest2.domain.local

Code:
[root@smbtest2 ~]# hostname smbtest2.domain.local


Then, I edited the /etc/resolv.conf (to point at my Active Directory PDC)
Code:
nameserver x.x.x.x #my AD PDC



Then, I install required packages:
Code:
yum install samba3x samba3x-common samba3x-winbind openldap openldap-clients openldap-servers nss_ldap -y


Here is some info on the packages:
With rpm -qa:
Code:
samba3x-winbind-3.5.4-0.83.el5_7.2
samba3x-3.5.4-0.83.el5_7.2
samba3x-common-3.5.4-0.83.el5_7.2
samba3x-winbind-3.5.4-0.83.el5_7.2
openldap-servers-2.3.43-12.el5_7.10
nss_ldap-253-42.el5_7.4
openldap-2.3.43-12.el5_7.10
nss_ldap-253-42.el5_7.4
openldap-clients-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
krb5-libs-1.6.1-36.el5_5.6
pam_krb5-2.2.14-15
krb5-workstation-1.6.1-36.el5_5.6
krb5-libs-1.6.1-36.el5_5.6
pam_krb5-2.2.14-15


Next, I edit the Kerberos /etc/krb5.conf file
Code:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.LOCAL = {
  kdc = DOMAIN.LOCAL:88
  admin_server = DOMAIN.LOCAL:749
  default_domain = domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


Next, is the configuration of /etc/nsswitch.conf.
Code:
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   nisplus winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus


Next is the configuration of /etc/pam.d/system-auth
Code:
auth        required     pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required     pam_deny.so

account     required     pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_krb5.so
account     sufficient    pam_winbind.so
account     required     pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required     pam_unix.so
session     optional     pam_mkhomedir.so skel=/etc/skel umask=0022
session     optional     pam_krb5.so


Next is the configuration of /etc/samba/smb.conf
Code:
[global]
workgroup = DOMAIN
netbios name = smbtest2
server string = smbtest2
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
realm = DOMAIN.LOCAL
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
allow trusted domains = yes
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 10000-10000000
idmap gid = 10000-10000000
winbind use default domain = yes
winbind separator = -
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U

ldap admin dn = cn=Manager,dc=domain,dc=local
ldap idmap suffix = ou=idmap
ldap suffix = dc=domain,dc=local
idmap backend = ldap:ldap://smbtest2.domain.local

ldap ssl = off


And then I edit the /etc/openldap/slapd.conf file
Code:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        bdb
suffix          "dc=domain,dc=local"
rootdn          "cn=Manager,dc=domain,dc=local"
rootpw          {SSHA}dsq0mHzDS7f74c4TFLVMJaB21GViIKU3

directory   /var/lib/ldap
index objectClass   eq
index uidNumber         eq
index gidNumber         eq
index cn                eq
index sambaSID          eq


Now, I start LDAP
Code:
[root@smbtest2 ~]# service ldap start
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]


And now, I create the base structure, with base.ldif
Code:
ldapadd -xWv -D "cn=Manager,dc=domain,dc=local" -f base.ldif


Here are the contents of the ldif:
Code:
dn: dc=domain,dc=local
objectClass: dcObject
objectClass: organization
dc: domain
o: Test
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=domain,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Idmap,dc=domain,dc=local
objectClass: organizationalUnit
ou: idmap


Adding of the base.ldif file returns ok, with a modify complete message.

Next, I set the smb password
Code:
[root@smbtest2 yum.repos.d]# smbpasswd -w my_password
Setting stored password for "cn=Manager,dc=domain,dc=local" in secrets.tdb


Now, I join this server to my Active Directory Domain
Code:
[root@smbtest2]# net ads join -UAdmin
Enter Admin's password:
Using short domain name -- DOMAIN
Joined 'SMBTEST2' to realm 'domain.local'


At this point, I start other needed services:
Code:
[root@smbtest2 ~]# /etc/init.d/smb start
Starting SMB services:                                     [  OK  ]
[root@smbtest2 ~]# /etc/init.d/winbind start
Starting Winbind services:                                 [  OK  ]


Now, check that winbind is retrieving data:
Code:
wbinfo -u
wbinfo -g

I omitted the results, but both of these commands return user and group listings containing the proper AD domain users and groups.

Now, check that getent commands work
Code:
getent passwd
getent group

Again, omitted the results. I am able to see users and groups properly from these commands.

Now, check that I can actually login over ssh:
Code:
someguy@someguysdesktop:~> ssh someguy@x.x.x.x
someguy@x.x.x.x's password:
Creating directory '/home/someguy'.
Creating directory '/home/someguy/.mozilla'.
Creating directory '/home/someguy/.mozilla/extensions'.
Creating directory '/home/someguy/.mozilla/plugins'.
[someguy@smbtest2 ~]$


Excellent! Now I can login. However, my understanding is that winbind is being used instead of the data stored in ldap. This is all fine and good, but if I connect another server in this same way (with winbind/samba), the UID/GID mappings of domain users are not the same on both servers. THIS IS WHERE I'M HAVING THE BIG PROBLEM- At this point, how do I configure my system to authenticate against the idmap data in LDAP instead of the data in winbind?

Here are my assumptions. To get this to work:
- I need to change the configuration in /etc/nsswitch.conf to use "files ldap" instead of "files winbind" for passwd, shadow, and group
- I need to configure the ldap client, by editing the /etc/ldap.conf file (or using a utility like authconfig)
- I need to make the ldap client aware that it needs to be querying against the idmap table
- I may need to change some PAM configurations

I'm going to proceed with working on some of my assumptions here, and will update the post when I have more relevant information. If anyone has any ideas on how to do the ldap client configuration, it would be much appreciated. Also, let me know if I can post any particular log data that may be beneficial.

Thanks!
someguy
 
Posts: 5
Joined: 2012/01/24 21:47:45
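The symptom described in the post above (the same AD user resolving to different uid/gid numbers on different winbind hosts) is easy to miss until file ownership on a shared filesystem goes wrong. As an added example, not code from the thread, the following Python script compares `getent passwd` output captured on two domain-member hosts and reports domain accounts whose ids differ, or that resolve on only one host. The idmap range 10000-10000000 is the `idmap uid`/`idmap gid` setting from the smb.conf above; the two getent listings are constructed sample data.

```python
"""Compare the uid/gid a domain username resolves to on two winbind hosts.

Added example, not from the thread. Feed it `getent passwd` output captured
on each host; the sample below is constructed to show the drift the thread
describes: each host's winbind allocates ids from its own local idmap, so
the same AD account gets different numbers on different hosts.
"""

# "idmap uid = 10000-10000000" / "idmap gid = 10000-10000000" from the smb.conf in the thread
IDMAP_LOW, IDMAP_HIGH = 10000, 10000000

# Constructed sample output of `getent passwd` on two hosts (not real data).
GETENT_HOST_A = """\
root:x:0:0:root:/root:/bin/bash
someguy:*:10003:10001:someguy:/home/someguy:/bin/bash
someaduser:*:10007:10001:someaduser:/home/someaduser:/bin/bash
svc-backup:*:10009:10001:svc-backup:/home/svc-backup:/bin/bash
"""

GETENT_HOST_B = """\
root:x:0:0:root:/root:/bin/bash
someguy:*:10001:10000:someguy:/home/someguy:/bin/bash
someaduser:*:10007:10000:someaduser:/home/someaduser:/bin/bash
localapp:x:501:501::/home/localapp:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5)-style lines into {name: (uid, gid, home, shell)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = (int(uid), int(gid), home, shell)
    return users


def is_domain_account(entry):
    """Accounts whose uid lies inside the winbind idmap range are domain-mapped."""
    return IDMAP_LOW <= entry[0] <= IDMAP_HIGH


def compare_mappings(text_a, text_b):
    """Return (mismatches, only_on_one) for the domain accounts of two hosts.

    mismatches:  [(name, (uid_a, gid_a), (uid_b, gid_b))] where the ids differ
    only_on_one: sorted names that resolve on exactly one of the two hosts
    Local accounts (outside the idmap range) are ignored on purpose.
    """
    a = {n: e for n, e in parse_passwd(text_a).items() if is_domain_account(e)}
    b = {n: e for n, e in parse_passwd(text_b).items() if is_domain_account(e)}
    mismatches = []
    for name in sorted(set(a) & set(b)):
        if a[name][:2] != b[name][:2]:
            mismatches.append((name, a[name][:2], b[name][:2]))
    only_on_one = sorted(set(a) ^ set(b))
    return mismatches, only_on_one


if __name__ == "__main__":
    bad, partial = compare_mappings(GETENT_HOST_A, GETENT_HOST_B)
    for name, ids_a, ids_b in bad:
        print("MISMATCH %-12s host_a uid/gid=%s host_b uid/gid=%s" % (name, ids_a, ids_b))
    for name in partial:
        print("ONLY ON ONE HOST %s" % name)
```

Run it against real captures by replacing the two constants with the saved `getent passwd` output of each host; a non-empty mismatch list is exactly the condition a shared idmap backend (the LDAP idmap the thread is trying to build) is meant to remove.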

Re: Samba/LDAP Active Directory Integration

Postby someguy » 2012/01/25 21:04:00

I have a bit more information. Using the same setup as described in the last post, I'm trying to change the server to authenticate using ldap instead of winbind.

Here's how I set it up, and the resulting findings:

First, use authconfig-tui to configure ldap authentication
Code:
[root@smbtest2 ~]# authconfig-tui


Here are the pages, and the options selected with authconfig-tui:
- Authentication Configuration
  - User Information
    - Checked "USE LDAP"
  - Authentication
    - Checked "Use MD5 Passwords"
    - Checked "Use Shadow Passwords"
    - Checked "Use LDAP Authentication"
- LDAP Settings
  - Server: ldap://127.0.0.1
  - Base DN: dc=domain,dc=local

Authconfig exits, and I'm back at the shell.

My /etc/nsswitch.conf file has changed
Code:
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus


My /etc/pam.d/system-auth has changed as well
Code:
auth        required     pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required     pam_deny.so

account     required     pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required     pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required     pam_deny.so

session     optional     pam_keyinit.so revoke
session     required     pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required     pam_unix.so
session     optional     pam_ldap.so


These are the only two I've checked so far for changes.

I configured the /etc/ldap.conf ldap client file:
Code:
base dc=domain,dc=local
uri ldap://127.0.0.1/
binddn cn=Manager,dc=domain,dc=local
bindpw {SSHA}dsq0mHzDS7f74c4TFLVMJaB21GViIKU3
rootbinddn cn=Manager,dc=domain,dc=local

timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5


Following the instructions in the ldap.conf file, I created the /etc/ldap.secret file, and restarted the ldap server
Code:
echo "my_pass" > /etc/ldap.secret
chmod 600 /etc/ldap.secret
service ldap restart


Here, I execute a getent passwd
Code:
[root@smbtest2 ~]# getent passwd


The results only return local system accounts (from /etc/passwd).

However, if I look at the ldap logging, here's what I see as a result of "getent passwd":
Code:
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 fd=12 ACCEPT from IP=127.0.0.1:33681 (IP=0.0.0.0:389)
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=0 BIND dn="cn=Manager,dc=domain,dc=local" method=128
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=0 BIND dn="cn=Manager,dc=domain,dc=local" mech=SIMPLE ssf=0
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=0 RESULT tag=97 err=0 text=
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=1 SRCH base="dc=domain,dc=local" scope=2 deref=0 filter="(objectClass=posixAccount)"
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 25 13:48:27 smbtest2 slapd[12944]: conn=3 fd=12 closed (connection lost)


Looking at that, it looks like it's searching for the "objectClass=posixAccount". This doesn't appear to be specified in my idmap.

Here is a snippet of the output from an ldapsearch:
Code:
[root@smbtest2 ~]# ldapsearch -x -b 'dc=domain,dc=local' -D "cn=Manager,dc=domain,dc=local" '(objectclass=*)' -W

...
# S-1-5-21-1778281613-3892822526-1609039206-498, idmap, domain.local
dn: sambaSID=S-1-5-21-1778281613-3892822526-1609039206-498,ou=idmap,dc=domain,dc=local
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10115
sambaSID: S-1-5-21-1778281613-3892822526-1609039206-498
...


I see the sambaIdmapEntry and sambaSidEntry, but no posixAccount, which is what the ldap client appears to be querying for (also, I do not see other attributes logged by ldap, the uid, userPassword, etc).

I see a bunch of nss_base and nss_map entries in the /etc/ldap.conf ldap client file. As of right now, I'm thinking that this section may be where at least part of the problem lies. Past that, I'm wondering if the information being stored in ldap/idmap is complete or accurate.

On to continue looking!
someguy
 
Posts: 5
Joined: 2012/01/24 21:47:45
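The /etc/ldap.conf in the post above is the nss_ldap client configuration, and it is worth auditing before the same file is copied to every other server. As an added check (not code from the thread and not nss_ldap's own tooling), the Python script below parses an ldap.conf and flags the settings a reviewer would look at: a `bindpw` line (nss_ldap reads this file from every process that resolves names, so it must stay world-readable and any password in it is visible to all local users), `binddn` equal to `rootbinddn` (ordinary lookups then bind as the directory manager instead of a read-only identity), the mode of /etc/ldap.secret (the file the `rootbinddn` password is meant to live in, created with `chmod 600` in the post), and plain `ldap://` to a non-loopback server with `ssl no`. The sample configuration is constructed from the one in the post with a placeholder password.

```python
"""Audit an nss_ldap /etc/ldap.conf for credential exposure and transport settings.

Added example, not from the thread and not nss_ldap's code. Assumes the
nss_ldap file format: one `key value` per line, '#' comments, keys
case-insensitive. The checks rest on two points documented in nss_ldap's
own ldap.conf: the file must remain world-readable because every process
doing NSS lookups reads it, and the rootbinddn password therefore belongs
in /etc/ldap.secret (mode 0600), not in a `bindpw` line.
"""
import os
import stat
import tempfile

# Constructed sample modelled on the ldap.conf in the thread; the password is
# a placeholder, not a real credential.
SAMPLE_LDAP_CONF = """\
base dc=domain,dc=local
uri ldap://127.0.0.1/
binddn cn=Manager,dc=domain,dc=local
bindpw PLACEHOLDER_PASSWORD
rootbinddn cn=Manager,dc=domain,dc=local
timelimit 120
bind_timelimit 120
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""


def parse_ldap_conf(text):
    """Return {lowercased key: value}; the last occurrence of a key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def secret_file_mode(path="/etc/ldap.secret"):
    """st_mode of the rootbinddn password file, or None if it does not exist."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def audit_ldap_conf(conf, secret_mode):
    """Return a list of finding strings for a parsed ldap.conf.

    secret_mode is the st_mode of /etc/ldap.secret (None when absent).
    """
    findings = []
    if "bindpw" in conf:
        findings.append("bindpw is set: /etc/ldap.conf is world-readable, so this "
                        "credential is exposed to every local user")
    binddn = conf.get("binddn", "").lower()
    rootbinddn = conf.get("rootbinddn", "").lower()
    if binddn and binddn == rootbinddn:
        findings.append("binddn equals rootbinddn: ordinary NSS lookups bind as the "
                        "directory manager; use a read-only DN for binddn")
    if rootbinddn:
        if secret_mode is None:
            findings.append("rootbinddn is set but /etc/ldap.secret is missing")
        elif stat.S_IMODE(secret_mode) & 0o077:
            findings.append("/etc/ldap.secret is readable by group/other; it should be mode 0600")
    uri = conf.get("uri", "")
    loopback = any(h in uri for h in ("127.0.0.1", "localhost", "ldapi://"))
    if uri.startswith("ldap://") and not loopback and conf.get("ssl", "no").lower() == "no":
        findings.append("cleartext ldap:// to a remote server with 'ssl no': binds and "
                        "lookups cross the network unencrypted")
    return findings


def demo():
    """Run the audit against the sample with a temporary 0600 secret file."""
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"PLACEHOLDER_PASSWORD\n")
        path = fh.name
    try:
        os.chmod(path, 0o600)
        return audit_ldap_conf(conf, secret_file_mode(path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

On a real host call `audit_ldap_conf(parse_ldap_conf(open("/etc/ldap.conf").read()), secret_file_mode())`. The transport check matters for the thread's end goal: the other servers are meant to query LDAPSERVER over the network, and with `ssl no` (and `ldap ssl = off` in smb.conf) every bind and every idmap lookup would travel in the clear.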

Re: Samba/LDAP Active Directory Integration

Postby someguy » 2012/01/26 15:12:05

I've got a little more information. It appears as though the ldap querying is working correctly (sort of?). I went ahead and modified one of the sambaSID entries in ldap created by winbind
Code:
ldapmodify -xWv -D "cn=Manager,dc=domain,dc=local" -f test2.ldif


Here's the contents of that test2.ldif:
Code:
dn: sambaSID=S-1-5-21-1778281613-3892822526-1609039206-3211,ou=idmap,dc=domain,dc=local
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
objectClass: posixAccount
uidNumber: 10130
gidNumber: 10130
sambaSID: S-1-5-21-1778281613-3892822526-1609039206-3211
cn: S-1-5-21-1778281613-3892822526-1609039206-3211
uid: someaduser
homeDirectory: /home/ldap


To explain this ldif, I took the info that was already there, added the posixAccount class, and the gidNumber, uid, and homeDirectory attributes. It modified the entry successfully.

Now, if I run getent passwd, that modification shows up (with no other changes):
Code:
...
someaduser:*:10130:10130:S-1-5-21-1778281613-3892822526-1609039206-3211:/home/ldap:
[root@smbtest2 ~]#


What I take from this is that the ldap queries are working okay, they're just not finding the information they require (apparently the posixAccount class). I'm having a bit of trouble understanding what pieces are doing what in this. Is winbind not storing the correct information in the ldap database, or is the ldap client not interpreting/translating the results properly?
someguy
 
Posts: 5
Joined: 2012/01/24 21:47:45
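The two posts above (the slapd log showing nss_ldap searching for `objectClass=posixAccount`, and the hand-edited entry that made `getent passwd` work) pin the gap down: winbind's idmap entries carry `sambaIdmapEntry`/`sambaSidEntry` with a uidNumber or gidNumber, while the NSS passwd and group lookups want RFC 2307 `posixAccount`/`posixGroup` objects. As an added example, not code from the thread and not Samba's or nss_ldap's, the Python script below parses LDIF as `ldapsearch` prints it and reports, for every idmap entry, which objectClass and required attributes the corresponding NSS lookup would still be missing. The sample LDIF is constructed from the entries shown in the thread plus one made-up user mapping (RID 1105); the `posixGroup` class and the RFC 2307 required attributes are from the schema, not from the thread.

```python
"""Audit winbind idmap entries in LDAP against what nss_ldap lookups require.

Added example, not from the thread. It parses LDIF (folded lines, '#'
comments and base64 values handled) and, for each sambaIdmapEntry, lists what
the passwd lookup (filter objectClass=posixAccount, as in the thread's slapd
log) or the group lookup (objectClass=posixGroup) would still need before
getent could show the entry. Required attributes follow RFC 2307.
"""
import base64

PASSWD_CLASS = "posixAccount"
PASSWD_MUST = ("uid", "uidNumber", "gidNumber", "homeDirectory")
GROUP_CLASS = "posixGroup"
GROUP_MUST = ("cn", "gidNumber")

# Constructed sample: the two entries shown in the thread plus one made-up
# user mapping (RID 1105) written the way winbind's idmap_ldap stores it.
SAMPLE_LDIF = """\
# 498, idmap, domain.local
dn: sambaSID=S-1-5-21-1778281613-3892822526-1609039206-498,ou=idmap,dc=domain,dc=local
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10115
sambaSID: S-1-5-21-1778281613-3892822526-1609039206-498

# constructed user mapping, RID 1105 is made up
dn: sambaSID=S-1-5-21-1778281613-3892822526-1609039206-1105,ou=idmap,dc=domain,dc=local
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 10120
sambaSID: S-1-5-21-1778281613-3892822526-1609039206-1105

# the entry after the hand edit from the thread
dn: sambaSID=S-1-5-21-1778281613-3892822526-1609039206-3211,ou=idmap,dc=domain,dc=local
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
objectClass: posixAccount
uidNumber: 10130
gidNumber: 10130
sambaSID: S-1-5-21-1778281613-3892822526-1609039206-3211
cn: S-1-5-21-1778281613-3892822526-1609039206-3211
uid: someaduser
homeDirectory: /home/ldap
"""


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lower: [values]})]."""
    # Unfold: a continuation line starts with a single space.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                 # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an 'attr: value' line: %r" % line)
        attr = attr.lower()
        if value.startswith(":"):            # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = (value, {})
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current[1].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit_idmap_entry(attrs):
    """Classify an idmap entry: ('user'|'group'|'other', missing-items list).

    An empty list means the matching getent lookup would return the entry.
    """
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "uidnumber" in attrs:
        kind, need_class, must = "user", PASSWD_CLASS, PASSWD_MUST
    elif "gidnumber" in attrs:
        kind, need_class, must = "group", GROUP_CLASS, GROUP_MUST
    else:
        return "other", ["uidNumber or gidNumber"]
    missing = []
    if need_class.lower() not in classes:
        missing.append("objectClass " + need_class)
    missing.extend(a for a in must if a.lower() not in attrs)
    return kind, missing


def audit_idmap(text):
    """Return {dn: (kind, missing)} for every sambaIdmapEntry in the LDIF."""
    report = {}
    for dn, attrs in parse_ldif(text):
        if "sambaidmapentry" in {c.lower() for c in attrs.get("objectclass", [])}:
            report[dn] = audit_idmap_entry(attrs)
    return report


def visible_users(text):
    """Usernames `getent passwd` would list from these idmap entries."""
    names = []
    for _dn, attrs in parse_ldif(text):
        kind, missing = audit_idmap_entry(attrs)
        if kind == "user" and not missing:
            names.extend(attrs["uid"])
    return sorted(names)


if __name__ == "__main__":
    for dn, (kind, missing) in audit_idmap(SAMPLE_LDIF).items():
        print("%s %s -> %s" % (kind, dn, "OK" if not missing else "missing " + ", ".join(missing)))
```

Run it on a real dump with `audit_idmap(open("idmap.ldif").read())` after `ldapsearch -x -b ou=idmap,dc=domain,dc=local -D "cn=Manager,dc=domain,dc=local" -W '(objectClass=sambaIdmapEntry)' > idmap.ldif`. Note that `loginShell` is not required by the schema, so the hand-edited entry passes the audit even though its shell field is empty, which is exactly what the `getent passwd` line in the post above shows.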

Re: Samba/LDAP Active Directory Integration

Postby gotchapt » 2012/05/10 10:29:02

Hi, did you manage to authenticate through LDAP? If you did, can you explain how? Your thread was very useful. Thanks :-)
gotchapt
 
Posts: 1
Joined: 2012/05/10 10:25:52

Re: Samba/LDAP Active Directory Integration

Postby pschaff » 2012/05/10 21:19:19

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

After reading those links you should realize why you should not hijack threads as you have done. Many people may miss your post hidden away under a stale thread. Please start a new Topic for your issue to get the attention you need, providing a link to this one if required for context.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

