UIDs from AD LDAP in Debian/Ubuntu Linux, with libnsswitch

UIDs from AD LDAP in Debian/Ubuntu Linux, with libnsswitch
	Linux Authenticating against Active Directory

This section assumes you've already configured Kerberos, as done in . The next step is to see whether we can log on using AD credentials. In order to do so, we need to also use the AD LDAP service, and configure libnsswitch and PAM.

Configuring libnss

	Note
	I like sssd better (see the next section). Below is a description of what worked in May 2012. I haven't pursued it since.

Install libnss-ldap:

apprentice@clnt-3-53:~$ sudo apt-get install -y libnss-ldap

... and configure it by editing /etc/ldap.conf:

base ou=mydomain,dc=wspace,dc=mydomain,dc=com
uri ldap://wspace.mydomain.com
ldap_version 3

binddn CN=ListAccount,OU=Maintenance accounts,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com
bindpw ENUMpass

referrals no

nss_paged_results yes 
pagesize 800 

logdir /var/log
#debug 12

pam_min_uid  10000000 
pam_max_uid 999999999 

pam_password md5 
pam_password_prohibit_message Please visit https://pwchange.mydomain.com/pwm/ to change your password.

nss_base_passwd OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com?sub?uid=* 
nss_base_group OU=Workgroups,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com?sub?gidNumber=* 

# RFC 2307 (AD) mappings 
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

	I didn't verify whether these options are actually necessary, or even useful. The documentation of libnss-ldap seems to be incomplete and lag behind a bit. I found this nice page at CERN to be helpful.
	The “attribute=” limits the search results to those records for which the attribute is actually set. For the AD I'm currently working with, that's just three for the users, and zero for the groups. Without this setting, getent passwd* breaks, but getent passwd U1234567 still works. OTOH, I don't know (yet) whether the settings as given here will work with thousands of accounts.
	The RFC2307 mappings work. The Services for UNIX 3.5 mappings (not shown) almost work: no homedir is listed.

Testing libnss

apprentice@clnt-3-53:~$ getent passwd U1234567 U1234567:*:41234567:41234567:A. Prentice:/home/U1234567:/bin/sh
I can even do getent passwd, and I'll get the listing of both local and LDAP accounts.
Installing libpam-heimdal

apprentice@clnt-3-53:~$ sudo apt-get install -y libpam-heimdal apprentice@clnt-3-53:~$ echo libpam-runtime libpam-runtime/profiles multiselect krb5, unix, capability|sudo debconf-set-selections apprentice@clnt-3-53:~$ sudo pam-auth-update --package # abuse --package option a bit

Try logging in

apprentice@remotehost:~$ ssh -o StrictHostKeyChecking=false U1234567@clnt-3-53.ict.mydomain.com Warning: the RSA host key for 'clnt-3-53.ict.mydomain.com' differs from the key for the IP address '192.168.3.53' U1234567@clnt-3-53.ict.mydomain.com's password: Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64) <snip> Last login: Wed May 2 09:38:36 2012 from remotehost.ict.mydomain.com Could not chdir to home directory : No such file or directory

It works! (The home directories for LDAP accounts don't exist, but nsswitch and Kerberos work perfectly.)

Note

To get around the nonexistent homedir, put the following in /etc/pam.d/common-session:

<snip>
# end of pam-auth-update config
session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022

	Note
	In order to speed up lookups, `nscd` can be used to cache for libnsswitch. But installation of nscd without further tweaking doesn't speed things up. For each 'getent passwd', an LDAP query still crosses the wire. I'm not very fond of nscd anyway, so I won't investigate.


Querying AD with ldapsearch		UIDs from AD LDAP in Debian/Ubuntu Linux, with sssd