This section assumes you've already configured Kerberos, as done in . The next step is to see whether we can log on using AD credentials. In order to do so, we need to also use the AD LDAP service, and configure libnsswitch and PAM.
Configuring libnss
| Note |
|---|
| I like sssd better (see the next section). Below is a description of what worked in May 2012. I haven't pursued it since. |
Install libnss-ldap:

```
apprentice@clnt-3-53:~$ sudo apt-get install -y libnss-ldap
```

... and configure it by editing /etc/ldap.conf:

```
base ou=mydomain,dc=wspace,dc=mydomain,dc=com
uri ldap://wspace.mydomain.com
ldap_version 3
binddn CN=ListAccount,OU=Maintenance accounts,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com
bindpw ENUMpass
referrals no
nss_paged_results yes
pagesize 800
logdir /var/log
#debug 12
pam_min_uid 10000000
pam_max_uid 999999999
pam_password md5
pam_password_prohibit_message Please visit https://pwchange.mydomain.com/pwm/ to change your password.
nss_base_passwd OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com?sub?uid=*
nss_base_group OU=Workgroups,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com?sub?gidNumber=*
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
```
| Note |
|---|
| I didn't verify whether these options are actually necessary, or even useful. The documentation of libnss-ldap seems to be incomplete and lags behind a bit. I found this nice page at CERN to be helpful. |
| The “attribute=*” suffix limits the search results to those records for which the attribute is actually set. For the AD I'm currently working with, that's just three records for the users, and zero for the groups. Without this setting, a bare `getent passwd` breaks, but `getent passwd U1234567` still works. On the other hand, I don't know (yet) whether the settings as given here will work with thousands of accounts. |
| The RFC2307 mappings work. The Services for UNIX 3.5 mappings (not shown) almost work: no home directory is listed. |
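A few things in the /etc/ldap.conf above are worth checking before it goes on more than one host: the `uri` is plain `ldap://` with no `ssl start_tls`, so the bind password and every lookup cross the wire in clear; `bindpw` lives in a file that libnss-ldap normally needs world-readable; and `pam_password` is set twice (md5, then ad), of which only the last value takes effect. The script below is an added example, not code from the original page: it lints a config file of this shape for exactly those three issues, with the page's file as the weak sample beside a hardened variant. The function names `lint_ldap_conf` and `count_findings` and both sample files are constructed here; `ssl start_tls`, `tls_checkpeer` and `tls_cacertfile` are real ldap.conf options, and the secrets are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): lint an nss_ldap/pam_ldap-style
# ldap.conf for three reviewer findings: plaintext transport, a bind password
# in a world-readable file, and a key that is set more than once.

# Constructed sample: the page's configuration, trimmed, stored mode 0644.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
base ou=mydomain,dc=wspace,dc=mydomain,dc=com
uri ldap://wspace.mydomain.com
ldap_version 3
binddn CN=ListAccount,OU=Maintenance accounts,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com
bindpw ENUMpass
referrals no
pam_min_uid 10000000
pam_max_uid 999999999
pam_password md5
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
pam_password ad
EOF
chmod 644 "$WEAK_CONF"

# Constructed sample: the same file hardened (STARTTLS with peer verification,
# a single pam_password) and stored mode 0600.
HARDENED_CONF=$(mktemp)
cat >"$HARDENED_CONF" <<'EOF'
base ou=mydomain,dc=wspace,dc=mydomain,dc=com
uri ldap://wspace.mydomain.com
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
binddn CN=ListAccount,OU=Maintenance accounts,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com
bindpw ENUMpass
pam_min_uid 10000000
pam_max_uid 999999999
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
pam_password ad
EOF
chmod 600 "$HARDENED_CONF"

# lint_ldap_conf FILE: prints one finding per line, nothing when clean.
lint_ldap_conf() {
    conf=$1
    # 1. Plaintext transport: ldap:// without "ssl start_tls" (ldaps:// does not match).
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$conf" \
       && ! grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf"; then
        echo "plaintext: uri is ldap:// and 'ssl start_tls' is not set"
    fi
    # 2. A bind password in a file others can read (8th char of ls -l is the o+r bit).
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        case $(ls -ld "$conf") in
            ???????r*) echo "secret: bindpw is set but $conf is world-readable" ;;
        esac
    fi
    # 3. Keys set more than once. nss_map_* lines are legitimately repeated, so
    #    those are keyed by their second word; every other key must be unique.
    awk '!/^[[:space:]]*(#|$)/ {
             key = ($1 ~ /^nss_map_/) ? $1 " " $2 : $1
             seen[key]++
         }
         END { for (k in seen) if (seen[k] > 1) print "duplicate: " k " is set more than once" }' "$conf"
    return 0
}

# count_findings FILE: number of findings (0 when clean).
count_findings() {
    lint_ldap_conf "$1" | grep -c . || true
}

lint_ldap_conf "$WEAK_CONF"      # three findings
lint_ldap_conf "$HARDENED_CONF"  # nothing
```

The "secret" finding is a tension rather than a one-line fix on a libnss-ldap host, since name resolution by unprivileged processes needs the file readable; the usual answer is to keep only a low-privilege enumeration account's credential there (as the page does with ListAccount) or to move privileged binds to pam_ldap's `rootbinddn` with the password in the root-only /etc/ldap.secret.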
Testing libnss
```
apprentice@clnt-3-53:~$ getent passwd U1234567
U1234567:*:41234567:41234567:A. Prentice:/home/U1234567:/bin/sh
```

I can even run a bare `getent passwd`, and I'll get the listing of both local and LDAP accounts.
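Once `getent passwd` returns directory accounts alongside local ones, the thing to verify is that the two sets do not overlap. `pam_min_uid`/`pam_max_uid` in the config above only bound which UIDs may authenticate through pam_ldap; they do not stop nsswitch from resolving a directory entry whose uidNumber or name already exists locally (a uidNumber of 0 would resolve to a second root). The script below is an added example, not from the original page: it takes directory-sourced passwd lines and local /etc/passwd lines (both constructed samples here; the first directory line mirrors the page's output) and reports UIDs outside the PAM range, UID collisions and name collisions. The function name `audit_directory_accounts` is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check directory accounts
# resolved through nsswitch against the local passwd file and the PAM UID range.

PAM_MIN_UID=10000000
PAM_MAX_UID=999999999

# Constructed: directory accounts as `getent passwd` would print them. The
# first line mirrors the page; the other two are deliberately problematic.
DIR_PASSWD='U1234567:*:41234567:41234567:A. Prentice:/home/U1234567:/bin/sh
svc-backup:*:0:0:Backup Service:/home/svc-backup:/bin/sh
sshd:*:41234568:41234568:Impostor:/home/sshd:/bin/sh'

# Constructed: a trimmed local /etc/passwd.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
apprentice:x:1000:1000:Apprentice:/home/apprentice:/bin/bash'

# audit_directory_accounts DIR_LINES LOCAL_LINES MIN_UID MAX_UID
# Prints one line per problem:
#   "range NAME UID"                  directory UID outside [MIN_UID, MAX_UID]
#   "uid-collision NAME UID LOCAL"    directory UID already used by local user LOCAL
#   "name-collision NAME"             directory user name already exists locally
# Prints nothing when the two sources are consistent.
audit_directory_accounts() {
    printf '%s\n' "$2" "---" "$1" | awk -F: -v min="$3" -v max="$4" '
        $0 == "---" { in_dir = 1; next }
        !in_dir     { local_uid[$3] = $1; local_name[$1] = 1; next }
        {
            name = $1; uid = $3 + 0
            if (uid < min || uid > max)
                printf "range %s %d\n", name, uid
            if (uid in local_uid)
                printf "uid-collision %s %d %s\n", name, uid, local_uid[uid]
            if (name in local_name)
                printf "name-collision %s\n", name
        }'
}

audit_directory_accounts "$DIR_PASSWD" "$LOCAL_PASSWD" "$PAM_MIN_UID" "$PAM_MAX_UID"
```

On a live host the same function can be fed the real inputs: the `getent passwd` lines that did not come from /etc/passwd as the first argument and the contents of /etc/passwd as the second. A name collision is only masked by nsswitch order (files before ldap), so it is still worth reporting: the directory entry would take over the moment the order changes.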
Installing libpam-heimdal
```
apprentice@clnt-3-53:~$ sudo apt-get install -y libpam-heimdal
apprentice@clnt-3-53:~$ echo libpam-runtime libpam-runtime/profiles multiselect krb5, unix, capability|sudo debconf-set-selections
apprentice@clnt-3-53:~$ sudo pam-auth-update --package # abuse --package option a bit
```
Try logging in
```
apprentice@remotehost:~$ ssh -o StrictHostKeyChecking=false U1234567@clnt-3-53.ict.mydomain.com
Warning: the RSA host key for 'clnt-3-53.ict.mydomain.com' differs from the key for the IP address '192.168.3.53'
U1234567@clnt-3-53.ict.mydomain.com's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
<snip>
Last login: Wed May 2 09:38:36 2012 from remotehost.ict.mydomain.com
Could not chdir to home directory : No such file or directory
```
It works! (The home directories for LDAP accounts don't exist, but nsswitch and Kerberos work perfectly.)
| Note |
|---|
| To get around the nonexistent home directory, put the following after the `# end of pam-auth-update config` marker: `session required pam_mkhomedir.so skel=/etc/skel/ umask=0022` |
| Note |
|---|
| In order to speed up lookups, |