Samba/Active Directory Guide
Centralized authentication with Samba/Win AD
This might look a bit odd at first, but when migrating from Samba 3 with LDAP to Samba 4 AD it seems to be the only choice we have, because the LDAP server has to be removed from the server that runs Samba 4 AD.
Otherwise you would have two servers: Windows clients using the Samba 4 AD and Linux clients using an LDAP server on another host, which is no longer centralized and defeats the purpose.
Working method and choice
There are a few methods:
- nslcd or nss_pam_ldapd
- sssd
nslcd or nss_pam_ldapd
If you are using a 64-bit system, you will need to unmask it:
#nss-pam-ldapd replacement of both nss_ldap and nss_pam
sys-auth/nss-pam-ldapd
This package provides what is currently provided by nss_ldap and nss_pam, so those two packages have to be removed:
root # emerge --ask --depclean --verbose nss_ldap nss_pam
Now we can install nss-pam-ldapd:
root # emerge --ask sys-auth/nss-pam-ldapd
Configuration
There are at least two methods for this solution; the result is the same, but the way of working differs. Pick one...
nss-pam-ldapd Setup[1]
Samba Wiki: Local_user_management_and_authentication/nslcd[2]
Method 1: Connecting to AD via LDAP Bind DN and password
This method configures /etc/nslcd.conf to bind to LDAP with an AD account. Communication with AD in this setup is unencrypted unless your AD and nslcd are set up for LDAP over SSL, and the bind password is stored in clear text in /etc/nslcd.conf, so check the permissions of that file.
Create a new user named nslcdconnect with password secret on the AD server.
You will need to set the following on that account:
- Disable "User must change password at next logon"
- Enable "User cannot change password"
- Enable "Password never expires"
Assuming that:
- Samba AD is running locally and is accessible via 127.0.0.1
- the LDAP base DN is dc=headoffice,dc=location1,dc=company,dc=com
the /etc/nslcd.conf looks like this:
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://127.0.0.1/
# The distinguished name of the search base.
base dc=headoffice,dc=location1,dc=company,dc=com
#LDAP Bind Config
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=nslcdconnect,cn=Users,dc=headoffice,dc=location1,dc=company,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
bindpw secret
# The distinguished name to perform password modifications by root by.
rootpwmoddn cn=Administrator,cn=Users,dc=headoffice,dc=location1,dc=company,dc=com
# Mappings for Active Directory
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
Method 2: Connecting to AD via Kerberos
This method is very similar to the first, especially in configuration: you still change /etc/nslcd.conf to make the LDAP connection to the AD server, but with the help of Kerberos. You don't need to specify a bind account and password in the file, and the communication with AD in this setup is encrypted.
Create a new user named nslcdconnect with password secret on the AD server.
You will need to set the following on that account:
- Disable "User must change password at next logon"
- Enable "User cannot change password"
- Enable "Password never expires"
Assuming that:
- Samba is running locally and is accessible via 127.0.0.1
- the LDAP base DN is dc=headoffice,dc=location1,dc=company,dc=com
- /etc/hosts and /etc/conf.d/hostname agree with your Samba AD DNS (there will be problems if they differ or cannot be resolved)
- hostname = samba4-1.headoffice.company.com
- AD = headoffice.company.com
- REALM = HEADOFFICE.COMPANY.COM
- DOMAINNAME (NT style) = COMPANY
- Kerberos is already installed, either mit-krb5 or heimdal.
First add a service principal name for nslcd to the nslcdconnect account:
root # samba-tool spn add nslcd/samba4-1.headoffice.company.com nslcdconnect
Now export the keytab for user nslcdconnect from the AD server. With this keytab we can connect via Kerberos without typing the password for nslcdconnect, if everything is configured correctly.
root # samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=nslcdconnect
root # chown nslcd:nslcd /etc/krb5.nslcd.keytab
root # chmod 600 /etc/krb5.nslcd.keytab
The command below keeps nslcdconnect authenticated to the AD server via Kerberos using the keytab. You will need app-crypt/kstart so the Kerberos ticket is renewed automatically when it expires or is about to expire.
root # emerge --ask app-crypt/kstart
root # k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /run/nslcd/nslcd.tkt
Now we can change our nslcd.conf to suit the Kerberos setup.
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://127.0.0.1/
# The distinguished name of the search base.
base dc=headoffice,dc=location1,dc=company,dc=com
# Kerberos Connection to AD
sasl_mech GSSAPI
sasl_realm HEADOFFICE.COMPANY.COM
krb5_ccname /run/nslcd/nslcd.tkt
# Mappings for Active Directory
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
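As an added example that is not from the original page or the nss-pam-ldapd project, the following Python script parses an nslcd.conf and flags the points that differ between Method 1 and Method 2 above: a bindpw that would travel in clear over ldap:// without TLS, a bindpw in a config file readable by group or others, and a GSSAPI setup that lacks sasl_realm or krb5_ccname. The two sample configs are constructed, trimmed copies of the files above; the ssl option (on/off/start_tls) is nslcd's own and is not used in this guide.

```python
import stat
from typing import Dict, List

# Constructed sample: the simple-bind setup from Method 1, trimmed.
METHOD1_CONF = """
uri ldap://127.0.0.1/
binddn cn=nslcdconnect,cn=Users,dc=headoffice,dc=location1,dc=company,dc=com
bindpw secret
"""

# Constructed sample: the Kerberos setup from Method 2, trimmed.
METHOD2_CONF = """
uri ldap://127.0.0.1/
sasl_mech GSSAPI
sasl_realm HEADOFFICE.COMPANY.COM
krb5_ccname /run/nslcd/nslcd.tkt
"""

def parse_nslcd_conf(text: str) -> Dict[str, List[str]]:
    """Map each nslcd.conf option to its values (options such as uri may repeat)."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key, []).append(value.strip())
    return opts

def audit_nslcd_conf(opts: Dict[str, List[str]], conf_mode: int) -> List[str]:
    """Report a cleartext bindpw, a readable bindpw, or an incomplete GSSAPI setup; conf_mode is the file's mode bits."""
    findings: List[str] = []
    tls = opts.get("ssl", ["off"])[0] in ("on", "start_tls")
    plain = [u for u in opts.get("uri", []) if u.startswith("ldap://")]
    if "bindpw" in opts and plain and not tls:
        findings.append("bindpw is sent in clear over ldap:// (no ssl/start_tls)")
    if "bindpw" in opts and conf_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw is present but nslcd.conf is group/world readable")
    if "GSSAPI" in opts.get("sasl_mech", []):
        for req in ("sasl_realm", "krb5_ccname"):
            if req not in opts:
                findings.append(f"sasl_mech GSSAPI needs {req}")
    return findings

if __name__ == "__main__":
    for name, conf in (("Method 1", METHOD1_CONF), ("Method 2", METHOD2_CONF)):
        for finding in audit_nslcd_conf(parse_nslcd_conf(conf), 0o644):
            print(f"{name}: {finding}")
```

On a real host, pass `stat.S_IMODE(os.stat("/etc/nslcd.conf").st_mode)` as conf_mode and the file's contents to parse_nslcd_conf.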
k5start doesn't have a start-up script on Gentoo, and I cannot make a script that will work. Someone please help.
Editing /etc/init.d/nslcd to start k5start together
We need to make some changes so that k5start is started together with nslcd and the Kerberos ticket cache is in place when nslcd binds.
#!/sbin/openrc-run
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-auth/nss-pam-ldapd/files/nslcd-init,v 1.2 2013/02/07 18:11:37 prometheanfire Exp $
extra_commands="checkconfig"
cfg="/etc/nslcd.conf"
# Keytab exported above and the ticket cache named by krb5_ccname in nslcd.conf.
# This assumes /var/run is a symlink to /run, so the cache is /run/nslcd/nslcd.tkt.
keytab="/etc/krb5.nslcd.keytab"
ccache="/var/run/nslcd/nslcd.tkt"
k5pid="/var/run/nslcd/nslcd.k5start.pid"

depend() {
    need net
    use dns logger
}

checkconfig() {
    if [ ! -f "$cfg" ] ; then
        eerror "Please create $cfg"
        eerror "Example config: /usr/share/nss-ldapd/nslcd.conf"
        return 1
    fi
    if [ ! -f "$keytab" ] ; then
        eerror "Please export the keytab to $keytab"
        return 1
    fi
    return 0
}

start() {
    checkpath -q -d /var/run/nslcd -o nslcd:nslcd
    checkconfig || return $?
    # Start k5start first so the ticket cache exists before nslcd's first GSSAPI bind.
    # -U takes the principal from the keytab, -o makes the cache owned by nslcd,
    # -K 360 re-checks the ticket every 360 minutes, -b puts k5start in the background.
    ebegin "Starting k5start for nslcd"
    start-stop-daemon --start --pidfile "$k5pid" \
        --exec /usr/bin/k5start -- -f "$keytab" -U -o nslcd -K 360 -b -k "$ccache" -p "$k5pid"
    eend $? "Failed to start k5start" || return 1
    ebegin "Starting nslcd"
    start-stop-daemon --start --pidfile /var/run/nslcd/nslcd.pid \
        --exec /usr/sbin/nslcd
    eend $? "Failed to start nslcd"
}

stop() {
    ebegin "Stopping nslcd"
    start-stop-daemon --stop --pidfile /var/run/nslcd/nslcd.pid
    eend $? "Failed to stop nslcd"
    ebegin "Stopping k5start"
    start-stop-daemon --stop --pidfile "$k5pid"
    eend $? "Failed to stop k5start"
}
nsswitch.conf configuration
You will need to edit your /etc/nsswitch.conf as follows. This makes nsswitch use the new nss-pam-ldapd module:
passwd: compat ldap
group: compat ldap
Executing
We can now start the nslcd daemon:
root # /etc/init.d/nslcd start
To check that our Samba AD is working with the local host, use these to verify:
root # getent passwd
root # getent group
You should see the users and groups that have a Unix UID or GID.
If you don't, check your /etc/nslcd.conf again.
nscd should not be running while you test this.
You can now add nslcd to the default runlevel using rc-update:
root # rc-update add nslcd default