“UbuntuHelp:ActiveDirectoryHowto”的版本间的差异
来自Ubuntu中文
小 (新页面: {{From|https://help.ubuntu.com/community/ActiveDirectoryHowto}} {{Languages|UbuntuHelp:ActiveDirectoryHowto}} '''Active Directory''' from Microsoft is a directory service that uses some o...) |
小 |
||
| 第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/ActiveDirectoryHowto}} | {{From|https://help.ubuntu.com/community/ActiveDirectoryHowto}} | ||
{{Languages|UbuntuHelp:ActiveDirectoryHowto}} | {{Languages|UbuntuHelp:ActiveDirectoryHowto}} | ||
| + | == Active Directory == | ||
'''Active Directory''' from Microsoft is a directory service that uses some open protocols, like | '''Active Directory''' from Microsoft is a directory service that uses some open protocols, like | ||
Kerberos, ldap and SSL. | Kerberos, ldap and SSL. | ||
| − | There are | + | There are several ways to use AD for authentication, you can use pam_krb5, LDAP or winbind. For Winbind see [ActiveDirectoryWinbindHowto]. |
=== Kerberos: pam_krb5 === | === Kerberos: pam_krb5 === | ||
| − | ==== | + | ==== Configuration and Installation ==== |
| − | + | To install pam_krb5 you need to install '''krb5-user''' and '''libpam-krb5''' from the '''Universe Repository'''. Also you don't have to configure anything in Active Directory for pam_krb5. | |
| − | + | Then to setup pam_krb5 go to /etc/krb5.conf and open it up using your favorite text editor. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
| 第45行: | 第40行: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | + | You need to replace windc.example.com with the IP or FQDN of your Windows domain controller and EXAMPLE.COM with your | |
| − | kerberos realm, typically is this the | + | kerberos realm, typically is this the domain name in uppercase. |
| − | + | Then try to see if you can receive a kerberos ticket: | |
<pre><nowiki> | <pre><nowiki> | ||
| 第66行: | 第61行: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | set up /etc/pam.d/common-auth | + | Then you need to set up /etc/pam.d/common-auth and then |
<pre><nowiki> | <pre><nowiki> | ||
| 第74行: | 第69行: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | set up /etc/pam.d/common-session | + | set up /etc/pam.d/common-session. |
<pre><nowiki> | <pre><nowiki> | ||
| 第85行: | 第80行: | ||
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The user from AD have to exist in /etc/passwd on the ubuntu workstation, you can also use libnss-ldap to get the account info also from AD. | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The user from AD have to exist in /etc/passwd on the ubuntu workstation, you can also use libnss-ldap to get the account info also from AD. | ||
| − | === LDAP: | + | |
| + | |||
| + | === LDAP === | ||
| + | |||
| + | |||
| + | ==== TestQuery: Windows ==== | ||
| + | Assuming you do not maintain the Active Directory, You will want to determine the structure of AD before trying to connect to it from Linux. From a windows PC connected to AD you should perform a query using Microsoft's Active Directory Application Mode (ADAM). ADAM is a package of tools that includes CSVDE, which we will be using to perform our queries. | ||
| + | |||
| + | Type this into google, the download page should be the second hit. | ||
| + | <pre><nowiki> | ||
| + | adam microsoft | ||
| + | </nowiki></pre> | ||
| + | |||
| + | Install. | ||
| + | Open the command prompt. | ||
| + | Start>RUN and type 'cmd' | ||
| + | Navigate to the installation directory, default is c:\windows\ADAM | ||
| + | |||
| + | Example Queries: | ||
| + | Query a user entry | ||
| + | <pre><nowiki> | ||
| + | CSVDE -f export.csv -r "(&(objectClass=user)(sn=lastname))" | ||
| + | </nowiki></pre> | ||
| + | |||
| + | wildcards work as well | ||
| + | <pre><nowiki> | ||
| + | CSVDE -f export.csv -r "(&(objectClass=user)(sn=last*))" | ||
| + | </nowiki></pre> | ||
| + | Query a computer entry | ||
| + | <pre><nowiki> | ||
| + | CSVDE -f export.csv -r "(&(objectClass=computer)(cn=computername))" | ||
| + | </nowiki></pre> | ||
| + | |||
| + | Return everything in the following AD folder | ||
| + | <pre><nowiki> | ||
| + | CSVDE -d "OU=Pathology,OU=Departmental OUs,OU=Medcenter,DC=Med,DC=University,DC=edu" -f export.csv | ||
| + | </nowiki></pre> | ||
| + | |||
| + | The output of these queries would be placed within export.csv inside c:\windows\ADAM. Which can then be viewed as a spreadsheet editor. | ||
| + | |||
| + | For more on querying with ADAM's CSVDE | ||
| + | [www.computerperformance.co.uk/Logon/Logon_CSVDE.htm] | ||
| + | |||
==== Configure AD ==== | ==== Configure AD ==== | ||
| 第92行: | 第129行: | ||
SFU: http://www.microsoft.com/windows/sfu/ | SFU: http://www.microsoft.com/windows/sfu/ | ||
| − | + | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png Installing SFU 3.5 on Windows Server 2003 (non R2) does not appear to add the necessary LDAP schema extensions. | |
In order to extend the LDAP schema, it is necessary to install the "Server for NIS" component. The installation needs to be performed using an account that has Enterprise Admin privileges in order for the schema to be extended successfully (indeed, Enterprise Admin privileges are required even if the schema has already been extended). In Active Directory, schema extensions are non-reversible, so if the NIS Server is not required, it can be removed once the schema extension is complete. If the SFU Server for NIS is installed however, it will extend the Active Directory Users and Computers tool with a UNIX Attributes tab which allows GUI editing of the UNIX attributes for users, groups and computers. | In order to extend the LDAP schema, it is necessary to install the "Server for NIS" component. The installation needs to be performed using an account that has Enterprise Admin privileges in order for the schema to be extended successfully (indeed, Enterprise Admin privileges are required even if the schema has already been extended). In Active Directory, schema extensions are non-reversible, so if the NIS Server is not required, it can be removed once the schema extension is complete. If the SFU Server for NIS is installed however, it will extend the Active Directory Users and Computers tool with a UNIX Attributes tab which allows GUI editing of the UNIX attributes for users, groups and computers. | ||
| 第98行: | 第135行: | ||
In Windows Server 2003 R2, the Active Directory schema is already extended with an RFC2307-compliant schema. This differs from the schema extensions used in SFU3.5, requiring a different libnss-ldap configuration. It is still necessary to install Server for NIS to extend the Active Directory Users and Computers tool with the UNIX Attributes tab to allow GUI editing of UNIX attributes for users, groups and computers. | In Windows Server 2003 R2, the Active Directory schema is already extended with an RFC2307-compliant schema. This differs from the schema extensions used in SFU3.5, requiring a different libnss-ldap configuration. It is still necessary to install Server for NIS to extend the Active Directory Users and Computers tool with the UNIX Attributes tab to allow GUI editing of UNIX attributes for users, groups and computers. | ||
| − | ==== | + | ==== TestQuery: Linux ==== |
| + | We will want to perform a testquery in linux before we attempt to configure AD. Its much simpler to determine how to connect on the commandline, and then configure, rather than reconfigure a file repeatedly. | ||
| − | + | We will need at least these two packages to perform test queries on Active Directory. | |
<pre><nowiki> | <pre><nowiki> | ||
| − | + | sudo apt-get install libnss-ldap ldap-utils | |
</nowiki></pre> | </nowiki></pre> | ||
| − | + | We perform queries with 'ldapsearch' | |
| + | We must specify these minimum parameters: | ||
| + | |||
| + | We need to specify the LDAP Server (Domain Controller) | ||
| + | <pre><nowiki> | ||
| + | ldapsearch -h medcenterdc01 | ||
| + | </nowiki></pre> | ||
| + | |||
| + | and the authentication type: simple or SASL | ||
| + | |||
| + | SASL authentication off, simple on | ||
| + | <pre><nowiki> | ||
| + | ldapsearch -h medcenterdc01 -x | ||
| + | </nowiki></pre> | ||
| + | |||
| + | and the folder we want to search in | ||
| + | <pre><nowiki> | ||
| + | ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" | ||
| + | </nowiki></pre> | ||
| + | |||
| + | and who to authenticate as | ||
| + | <pre><nowiki> | ||
| + | ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -D "CN=last name\\, firstname,OU=Users,OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" | ||
| + | </nowiki></pre> | ||
| + | |||
| + | we'll have it prompt for the password, instead of specifying it in the command | ||
| + | <pre><nowiki> | ||
| + | ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -D "CN=last name\\, firstname,OU=Users,OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -W | ||
| + | </nowiki></pre> | ||
| + | |||
| + | and lets search for sammy's account | ||
| + | <pre><nowiki> | ||
| + | ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -D "CN=last name\\, firstname,OU=Users,OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -W "sAMAccountName=sammy" | ||
| + | </nowiki></pre> | ||
| + | |||
| + | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png One doesn't need to worry about spaces, but to specify a comma as part of the path we need to prefix the comma with '\\' | ||
| + | <pre><nowiki> | ||
| + | CN=last name\\, firstname | ||
| + | </nowiki></pre> | ||
| + | |||
| + | ==== libnss-ldap ==== | ||
| + | |||
| + | You can install '''libnss-ldap''' and '''nscd''' from the '''Universe''' Repository. | ||
| + | |||
| − | set up /etc/nsswitch.conf for ldap | + | Now you need to set up /etc/nsswitch.conf for ldap. |
<pre><nowiki> | <pre><nowiki> | ||
| − | passwd: | + | passwd: compat |
| − | shadow: | + | group: compat |
| − | + | shadow: compat | |
| + | passwd_compat: ldap | ||
| + | group_compat: ldap | ||
| + | shadow_compat: ldap | ||
hosts: files dns | hosts: files dns | ||
| 第130行: | 第214行: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | + | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If you have trouble when you attempt to ping and your network has a wins server you will want to append 'wins' to the hosts line of nsswitch.conf - you may only notice this only when you try to ping a static ip linux pc from another linux pc - I believe wins is a part of the samba package and the IP addresses for wins servers are stored in /etc/samba/dhcp.conf, the static ip machine also needs to specify its netbios name within /etc/samba/smb.conf | |
| − | set up /etc/libnss-ldap.conf | + | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png When fiddling with /etc/nsswitch.conf, it is best to turn the Name Services Caching Daemon off - ''/etc/init.d/nscd stop'' or you will be confused by cached results. Turn it on afterwards. |
| + | |||
| + | Then you need to set up /etc/libnss-ldap.conf. | ||
| + | AKA: /etc/ldap.conf | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第173行: | 第260行: | ||
nss_map_attribute cn sAMAccountName | nss_map_attribute cn sAMAccountName | ||
</nowiki></pre> | </nowiki></pre> | ||
| + | |||
| + | |||
''I think it only needs rootbinddn, no binddn, with the bindpw in /etc/libnss-ldap.secret, not here. | ''I think it only needs rootbinddn, no binddn, with the bindpw in /etc/libnss-ldap.secret, not here. | ||
I have also successfully combined /etc/ldap/ldap.conf, /etc/libnss-ldap.conf, and /etc/pam_ldap.conf, symlinking them all to /etc/ldap/ldap.conf - AndyRabagliati'' | I have also successfully combined /etc/ldap/ldap.conf, /etc/libnss-ldap.conf, and /etc/pam_ldap.conf, symlinking them all to /etc/ldap/ldap.conf - AndyRabagliati'' | ||
| − | + | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=warning.png Incorrect nss_map settings will prevent one from authenticating, and reading AD in general. These settings are dependent on the column names within your AD database. In older systems the database (schema) needs to be extended as described in the 'Configure AD' section. Once these *NIX attributes are part of the schema they can be modified with the MMC snap-in Active directory Users and Groups, as long as idmu.exe has been installed from the Windows Server 2003 R2 Administration Tools Pack. If *NIX group membership has been administered by modifying the list in the UNIX attributes tab of AD Users and Computers (which is REQUIRED in a NIS environment), then 'uniqueMember' should be mapped to 'msSFU30PosixMember' (or 'posixMember' for WS03R2) as 'member' only includes the membership listed in the Windows group. | |
| + | For Windows Server 2003 R2, the schema extensions are RFC2307 compliant - no longer prefixed 'msSFU30' and with the next letter in lower case (e.g. msSFU30UidNumber is now uidNumber). | ||
| + | |||
| + | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png Further optimizations of the queries can be made for the nss_base properties: | ||
| + | <pre><nowiki> | ||
| + | nss_base_passwd dc=mydomain,dc=com?sub?(&(objectClass=user)(uidnumber=*)) | ||
| + | nss_base_shadow dc=mydomain,dc=com?sub?(&(objectClass=user)(uidnumber=*)) | ||
| + | nss_base_group dc=mydomain,dc=com?sub?(&(objectClass=group)(gidnumber=*)) | ||
| + | |||
| + | |||
| + | The ampersand in the queries above merely specifies AND logic | ||
| + | |||
| + | AND (&(filter)(filter)) | ||
| + | OR (|(filter)(filter)) | ||
| + | NOT (!(filter)(filter)) | ||
| + | </nowiki></pre> | ||
| + | |||
| + | ===== Debugging ===== | ||
| + | |||
| + | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconBug.png To debug LDAP queries one should make sure nscd is off and use the getent command | ||
| + | <pre><nowiki> | ||
| + | sudo /etc/init.d/nscd stop | ||
| + | |||
| + | getent passwd | ||
| + | getent shadow | ||
| + | getent group | ||
| + | </nowiki></pre> | ||
| + | |||
| + | To follow the actions of the command use strace | ||
| + | <pre><nowiki> | ||
| + | strace getent passwd | ||
| + | </nowiki></pre> | ||
| + | |||
| + | If thats not enough you can place a line in the configuration file for output: | ||
| + | <pre><nowiki> | ||
| + | debug 10 | ||
| + | </nowiki></pre> | ||
| + | This can be a value anywhere from 1 to 10, 10 being the most verbose. | ||
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png With this config is the LDAP Traffic unencrypted and someone can sniff it. To make it secure use SSL | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png With this config is the LDAP Traffic unencrypted and someone can sniff it. To make it secure use SSL | ||
| − | set up /etc/pam.d/common-auth | + | Now you need to set up /etc/pam.d/common-auth and |
<pre><nowiki> | <pre><nowiki> | ||
| 第197行: | 第323行: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | set up /etc/pam.d/common-account | + | set up /etc/pam.d/common-account. |
<pre><nowiki> | <pre><nowiki> | ||
| 第212行: | 第338行: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | other useful config files: | + | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png We are still using Kerberos for authentication, but now we are storing the information that would normally be stored in /etc/passwd using Active Directory. |
| − | login.defs | + | |
| + | Here are some other useful config files: | ||
| + | *** login.defs | ||
| − | nscd.conf | + | *** nscd.conf |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
---- | ---- | ||
| − | + | [[category:CategorySecurity]] | |
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] | ||
2007年11月22日 (四) 11:58的版本
目录
Active Directory
Active Directory from Microsoft is a directory service that uses some open protocols, like Kerberos, ldap and SSL.
There are several ways to use AD for authentication, you can use pam_krb5, LDAP or winbind. For Winbind see [ActiveDirectoryWinbindHowto].
Kerberos: pam_krb5
Configuration and Installation
To install pam_krb5 you need to install krb5-user and libpam-krb5 from the Universe Repository. Also you don't have to configure anything in Active Directory for pam_krb5.
Then to setup pam_krb5 go to /etc/krb5.conf and open it up using your favorite text editor.
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = windc.example.com
admin_server = windc.example.com
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
You need to replace windc.example.com with the IP or FQDN of your Windows domain controller and EXAMPLE.COM with your kerberos realm, typically is this the domain name in uppercase.
Then try to see if you can receive a kerberos ticket:
# kinit user Password for [email protected]: ... # klist Ticket cache: FILE:/tmp/krb5cc_1003 Default principal: [email protected] Valid starting Expires Service principal 11/26/04 11:23:53 11/26/04 21:23:53 krbtgt/[email protected] Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached
Then you need to set up /etc/pam.d/common-auth and then
auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u auth sufficient pam_unix.so likeauth nullok use_first_pass auth required pam_deny.so
set up /etc/pam.d/common-session.
session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
kpasswd for password changing does not work.
The user from AD have to exist in /etc/passwd on the ubuntu workstation, you can also use libnss-ldap to get the account info also from AD.
LDAP
TestQuery: Windows
Assuming you do not maintain the Active Directory, You will want to determine the structure of AD before trying to connect to it from Linux. From a windows PC connected to AD you should perform a query using Microsoft's Active Directory Application Mode (ADAM). ADAM is a package of tools that includes CSVDE, which we will be using to perform our queries.
Type this into google, the download page should be the second hit.
adam microsoft
Install. Open the command prompt. Start>RUN and type 'cmd' Navigate to the installation directory, default is c:\windows\ADAM
Example Queries: Query a user entry
CSVDE -f export.csv -r "(&(objectClass=user)(sn=lastname))"
wildcards work as well
CSVDE -f export.csv -r "(&(objectClass=user)(sn=last*))"
Query a computer entry
CSVDE -f export.csv -r "(&(objectClass=computer)(cn=computername))"
Return everything in the following AD folder
CSVDE -d "OU=Pathology,OU=Departmental OUs,OU=Medcenter,DC=Med,DC=University,DC=edu" -f export.csv
The output of these queries would be placed within export.csv inside c:\windows\ADAM. Which can then be viewed as a spreadsheet editor.
For more on querying with ADAM's CSVDE [www.computerperformance.co.uk/Logon/Logon_CSVDE.htm]
Configure AD
In Windows Server versions prior to WS03 R2, it is necessary to extend the LDAP schema from AD with the UNIX attributes. Install "Windows Services for UNIX" from Microsoft (I used version 3.5). SFU: http://www.microsoft.com/windows/sfu/
Installing SFU 3.5 on Windows Server 2003 (non R2) does not appear to add the necessary LDAP schema extensions.
In order to extend the LDAP schema, it is necessary to install the "Server for NIS" component. The installation needs to be performed using an account that has Enterprise Admin privileges in order for the schema to be extended successfully (indeed, Enterprise Admin privileges are required even if the schema has already been extended). In Active Directory, schema extensions are non-reversible, so if the NIS Server is not required, it can be removed once the schema extension is complete. If the SFU Server for NIS is installed however, it will extend the Active Directory Users and Computers tool with a UNIX Attributes tab which allows GUI editing of the UNIX attributes for users, groups and computers.
In Windows Server 2003 R2, the Active Directory schema is already extended with an RFC2307-compliant schema. This differs from the schema extensions used in SFU3.5, requiring a different libnss-ldap configuration. It is still necessary to install Server for NIS to extend the Active Directory Users and Computers tool with the UNIX Attributes tab to allow GUI editing of UNIX attributes for users, groups and computers.
TestQuery: Linux
We will want to perform a testquery in linux before we attempt to configure AD. Its much simpler to determine how to connect on the commandline, and then configure, rather than reconfigure a file repeatedly.
We will need at least these two packages to perform test queries on Active Directory.
sudo apt-get install libnss-ldap ldap-utils
We perform queries with 'ldapsearch' We must specify these minimum parameters:
We need to specify the LDAP Server (Domain Controller)
ldapsearch -h medcenterdc01
and the authentication type: simple or SASL
SASL authentication off, simple on
ldapsearch -h medcenterdc01 -x
and the folder we want to search in
ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu"
and who to authenticate as
ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -D "CN=last name\\, firstname,OU=Users,OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu"
we'll have it prompt for the password, instead of specifying it in the command
ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -D "CN=last name\\, firstname,OU=Users,OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -W
and lets search for sammy's account
ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -D "CN=last name\\, firstname,OU=Users,OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -W "sAMAccountName=sammy"
One doesn't need to worry about spaces, but to specify a comma as part of the path we need to prefix the comma with '\\'
CN=last name\\, firstname
libnss-ldap
You can install libnss-ldap and nscd from the Universe Repository.
Now you need to set up /etc/nsswitch.conf for ldap.
passwd: compat group: compat shadow: compat passwd_compat: ldap group_compat: ldap shadow_compat: ldap hosts: files dns networks: files dns services: db files protocols: db files rpc: db files ethers: db files netmasks: files netgroup: files bootparams: files automount: files aliases: files
If you have trouble when you attempt to ping and your network has a wins server you will want to append 'wins' to the hosts line of nsswitch.conf - you may only notice this only when you try to ping a static ip linux pc from another linux pc - I believe wins is a part of the samba package and the IP addresses for wins servers are stored in /etc/samba/dhcp.conf, the static ip machine also needs to specify its netbios name within /etc/samba/smb.conf
When fiddling with /etc/nsswitch.conf, it is best to turn the Name Services Caching Daemon off - /etc/init.d/nscd stop or you will be confused by cached results. Turn it on afterwards.
Then you need to set up /etc/libnss-ldap.conf. AKA: /etc/ldap.conf
# Replace windc.example.com with your Windows DC uri ldap://windc.example.com/ base dc=example,dc=com ldap_version 3 # Add a user to AD, that can read the container # with the users, that you want use. binddn cn=ldapreader,cn=Users,dc=example,dc=com bindpw cvfd123 scope sub timelimit 30 pam_filter objectclass=User pam_login_attribute sAMAccountName pam_lookup_policy yes # Modify cn=User,dc=e... to your container with your users. nss_base_passwd cn=User,dc=example,dc=com?sub nss_base_shadow cn=User,dc=example,dc=com?sub nss_base_group cn=User,dc=example,dc=com?sub # For MSSFU: nss_map_objectclass posixAccount User nss_map_objectclass shadowAccount User nss_map_attribute uid sAMAccountName nss_map_attribute uniqueMember member nss_map_attribute uidNumber msSFU30UidNumber nss_map_attribute gidNumber msSFU30GidNumber nss_map_attribute userPassword msSFU30Password nss_map_attribute homeDirectory msSFU30HomeDirectory nss_map_attribute loginShell msSFU30LoginShell nss_map_attribute gecos name nss_map_attribute cn sAMAccountName
I think it only needs rootbinddn, no binddn, with the bindpw in /etc/libnss-ldap.secret, not here. I have also successfully combined /etc/ldap/ldap.conf, /etc/libnss-ldap.conf, and /etc/pam_ldap.conf, symlinking them all to /etc/ldap/ldap.conf - AndyRabagliati
Incorrect nss_map settings will prevent one from authenticating, and reading AD in general. These settings are dependent on the column names within your AD database. In older systems the database (schema) needs to be extended as described in the 'Configure AD' section. Once these *NIX attributes are part of the schema they can be modified with the MMC snap-in Active directory Users and Groups, as long as idmu.exe has been installed from the Windows Server 2003 R2 Administration Tools Pack. If *NIX group membership has been administered by modifying the list in the UNIX attributes tab of AD Users and Computers (which is REQUIRED in a NIS environment), then 'uniqueMember' should be mapped to 'msSFU30PosixMember' (or 'posixMember' for WS03R2) as 'member' only includes the membership listed in the Windows group.
For Windows Server 2003 R2, the schema extensions are RFC2307 compliant - no longer prefixed 'msSFU30' and with the next letter in lower case (e.g. msSFU30UidNumber is now uidNumber).
Further optimizations of the queries can be made for the nss_base properties:
nss_base_passwd dc=mydomain,dc=com?sub?(&(objectClass=user)(uidnumber=*)) nss_base_shadow dc=mydomain,dc=com?sub?(&(objectClass=user)(uidnumber=*)) nss_base_group dc=mydomain,dc=com?sub?(&(objectClass=group)(gidnumber=*)) The ampersand in the queries above merely specifies AND logic AND (&(filter)(filter)) OR (|(filter)(filter)) NOT (!(filter)(filter))
Debugging
To debug LDAP queries one should make sure nscd is off and use the getent command
sudo /etc/init.d/nscd stop getent passwd getent shadow getent group
To follow the actions of the command use strace
strace getent passwd
If thats not enough you can place a line in the configuration file for output:
debug 10
This can be a value anywhere from 1 to 10, 10 being the most verbose.
With this config is the LDAP Traffic unencrypted and someone can sniff it. To make it secure use SSL
Now you need to set up /etc/pam.d/common-auth and
# # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth sufficient pam_ldap.so auth required pam_unix.so nullok_secure use_first_pass
set up /etc/pam.d/common-account.
# # /etc/pam.d/common-account - authorization settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authorization modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired in /etc/shadow. # account sufficient pam_ldap.so account required pam_unix.so
We are still using Kerberos for authentication, but now we are storing the information that would normally be stored in /etc/passwd using Active Directory.
Here are some other useful config files:
- login.defs
- nscd.conf
