In our test environment, AD's LDAP server doesn't allow Simple Bind any more.
I.e. this doesn't work:
ldapsearch -LLL -H ldap://adsv01.tspace.mydomain.com -x -D testLookup -w 'tstJOINpwd' -E pr=1000/noprompt -b 'ou=mydomain,dc=tspace,dc=mydomain,dc=com' ldapsearch -LLL -H ldap://adsv01.tspace.mydomain.com -U testLookup -w 'tstJOINpwd' -E pr=1000/noprompt -b 'ou=mydomain,dc=tspace,dc=mydomain,dc=com'
But this works:
The client must use SASL. But sssd, according to its docs (and my experiments), doesn't support any other SASL mechanisms than GSSAPI. So sssd has to use a Kerberos ticket to authenticate to the LDAP server. (The AD servers are Windows Server 2008, btw.)
It took me the better part of a week to get sssd working in this situation, so I'm doing a separate section on it here, with two options for authentication.
Note | |
---|---|
In this section, nfsserv-pc (192.168.3.163) is not the NFS server as it is in the rest of the chapter, it's just a test client. |
Configure Kerberos
Edit krb5.conf
Note | |
---|---|
Contrary to what the manpages say, the |
[libdefaults] default_realm = TSPACE.MYDOMAIN.NL kdc_timesync = 1 forwardable = true proxiable = true # Without these settings, sssd will fail, although kinit may still work permitted_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 default_tkt_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 # The following libdefaults parameters are only for Heimdal Kerberos. v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true [realms] TSPACE.MYDOMAIN.NL = { kdc = adsv01.tspace.mydomain.com:88 kdc = adsv02.tspace.mydomain.com:88 kdc = adsv03.tspace.mydomain.com:88 default_domain = mydomain.com } ATHENA.MIT.EDU = { kdc = kerberos.mit.edu:88 kdc = kerberos-1.mit.edu:88 kdc = kerberos-2.mit.edu:88 admin_server = kerberos.mit.edu default_domain = mit.edu } [domain_realm] .mydomain.com = TSPACE.MYDOMAIN.NL mydomain.com = TSPACE.MYDOMAIN.NL .mit.edu = ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU .media.mit.edu = MEDIA-LAB.MIT.EDU media.mit.edu = MEDIA-LAB.MIT.EDU .csail.mit.edu = CSAIL.MIT.EDU csail.mit.edu = CSAIL.MIT.EDU .whoi.edu = ATHENA.MIT.EDU whoi.edu = ATHENA.MIT.EDU .stanford.edu = stanford.edu .slac.stanford.edu = SLAC.STANFORD.EDU [login] krb4_convert = true krb4_get_tickets = false
Configure SSSD, option 1
This is option 1: the administrative account 'testLookup' authenticates against Kerberos to bind to LDAP.
Put a key for the administrative account in the keytab
This also serves to test whether Kerberos works.
root@nfsserv-pc:~# ktutil add --principal=testLookup --enctype=arcfour-hmac-md5 -w 'tstJOINpwd' --kvno=0
root@nfsserv-pc:~# kinit -k testLookup
These commands should work without error, and ktutil list and klist should show you the appropriate keys and tickets.
Test with ldapsearch
If you put in /etc/ldap/ldap.conf
:
<snip> # use invalid certs anyway TLS_REQCERT allow
... then this should succeed (and give some useful output):
root@nfsserv-pc:~# ldapsearch -H ldap://adsv01.tspace.mydomain.com -Y GSSAPI -U testLookup@TSPACE.MYDOMAIN.NL -E pr=1000/noprompt -b 'ou=mydomain,dc=tspace,dc=mydomain,dc=com' '(&(objectClass=person)(uidNumber=*))' SAMAccountName uid uidNumber
sssd.conf
Edit /etc/sssd/sssd.conf
(chmod 600!):
[sssd] config_file_version = 2 domains = tspace.mydomain.com services = nss, pam [nss] # These are settings to reduce traffic. Will remove them on production system. enum_cache_timeout = 7200 entry_cache_nowait_percentage = 50 # default is 15 entry_negative_timeout = 5 # Remove this on production system. debug_level = 0x04f0 [pam] # default = 5, 300 is for calm testing. Will remove them on production system. pam_id_timeout = 300 # Remove this on production system. debug_level = 0x04f0 [domain/tspace.mydomain.com] description = LDAP domain with AD server # Remove this on production system. debug_level = 0x04f0 min_id = 10000000 cache_credentials = true enumerate = true id_provider = ldap auth_provider = krb5 chpass_provider = none #access_provider = ldap access_provider = permit #dns_discovery_domain = tspace.mydomain.com # Use only one ldap server. Comment out to use service discovery on production system. (Needs DNS SRV entries.) ldap_uri = ldap://adsv01.tspace.mydomain.com #ldap_uri = ldap://adsv01.tspace.mydomain.com,ldap://adsv02.tspace.mydomain.com,ldap://adsv03.tspace.mydomain.com ldap_tls_reqcert = allow # Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists ldap_sasl_mech = GSSAPI # Uncomment and adjust if the default principal host/fqdn@REALM is not available ldap_sasl_authid = testLookup # These 3 needed against pre-authentication failure. krb5_fast_principal = testLookup krb5_use_fast = try krb5_canonicalize = false #These are don't cares: #krb5_renewable_lifetime = 3600 #krb5_lifetime = 3600 #krb5_validate = true ldap_schema = rfc2307bis ldap_search_base = dc=tspace,dc=mydomain,dc=com # It looks like the ?sub?search notation is also accepted: ldap_user_search_base = ou=users,ou=mydomain,dc=tspace,dc=mydomain,dc=com?sub?uidNumber=* #ldap_user_search_base = ou=users,ou=mydomain,dc=tspace,dc=mydomain,dc=com ldap_user_object_class = person #msSFU30Name? Needed because not all POSIX attributes set (admins still working on that) ldap_user_name = sAMAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName # Below an ugly kludge to work around the group database still missing from AD. # FixMe: add posix groups to AD ldap_group_search_base = ou=groups,ou=mydomain,dc=tspace,dc=mydomain,dc=com?sub?gidNumber=* ldap_group_object_class = person ldap_group_name = sAMAccountName ldap_group_gid_number = gidNumber ldap_group_member = sAMAccountName ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = true ldap_pwd_policy = none # Service detection works here krb5_realm = TSPACE.MYDOMAIN.NL #krb5_server = adsv01.tspace.mydomain.com adsv02.tspace.mydomain.com adsv03.tspace.mydomain.com # Don't forget the trailing newline
Restarting sssd and tailing /var/log/sssd/sssd_tspace.mydomain.com.log
should show you succesful communication between sssd and the LDAP server.
Configure SSSD, option 2
This is the alternative to the previous step: the machine is joined to the AD domain, it gets its own Kerberos host key, and that host key authenticates for the LDAP bind.
Join the AD domain
Get a key for the administrative account that you need to have:
root@nfsserv-pc:~# ktutil add --principal=unixJOINer@TSPACE.MYDOMAIN.NL --enctype=AES256-CTS-HMAC-SHA1-96 -w 'tstJOINpwd' --kvno=0
Be aware that ktutil doesn't test anything. If you provide the wrong password, it won't complain.
Now use that key to authenticate:
root@nfsserv-pc:~# kinit -k unixJOINer
And finally, join the domain by having msktutil create an LDAP entry and keys for it:
root@nfsserv-pc:~# msktutil --create --computer-name $(hostname) --base "ou=extra workstations,ou=computers,ou=mydomain" --user-creds-only --verbose
If you don't have msktutil, see my note on msktutil and the next section, .
sssd.conf
Put in /etc/sssd/sssd.conf
(chmod 600!):
[sssd] config_file_version = 2 domains = tspace.mydomain.com services = nss, pam [nss] # These are settings to reduce traffic. Will remove them on production system. enum_cache_timeout = 7200 entry_cache_nowait_percentage = 50 # default is 15 entry_negative_timeout = 5 # Remove this on production system. debug_level = 0x04f0 [pam] # default = 5, 300 is for calm testing. Will remove them on production system. pam_id_timeout = 300 # Remove this on production system. debug_level = 0x04f0 [domain/tspace.mydomain.com] description = LDAP domain with AD server # Remove this on production system. debug_level = 0x04f0 min_id = 10000000 cache_credentials = true enumerate = true id_provider = ldap auth_provider = krb5 chpass_provider = none #access_provider = ldap access_provider = permit #dns_discovery_domain = tspace.mydomain.com # Use only one ldap server. Comment out to use service discovery on production system. (Needs DNS SRV entries.) ldap_uri = ldap://adsv01.tspace.mydomain.com #ldap_uri = ldap://adsv01.tspace.mydomain.com,ldap://adsv02.tspace.mydomain.com,ldap://adsv03.tspace.mydomain.com ldap_tls_reqcert = allow # Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists ldap_sasl_mech = GSSAPI #These are don't cares: #krb5_renewable_lifetime = 3600 #krb5_lifetime = 3600 #krb5_validate = true ldap_schema = rfc2307bis ldap_search_base = dc=tspace,dc=mydomain,dc=com # It looks like the ?sub?search notation is also accepted: ldap_user_search_base = ou=users,ou=mydomain,dc=tspace,dc=mydomain,dc=com?sub?uidNumber=* #ldap_user_search_base = ou=users,ou=mydomain,dc=tspace,dc=mydomain,dc=com ldap_user_object_class = person #msSFU30Name? Needed because not all POSIX attributes set (admins still working on that) ldap_user_name = sAMAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName # Below an ugly kludge to work around the group database still missing from AD. # FixMe: add posix groups to AD ldap_group_search_base = ou=groups,ou=mydomain,dc=tspace,dc=mydomain,dc=com?sub?gidNumber=* ldap_group_object_class = person ldap_group_name = sAMAccountName ldap_group_gid_number = gidNumber ldap_group_member = sAMAccountName ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = true ldap_pwd_policy = none # Service detection works here krb5_realm = TSPACE.MYDOMAIN.NL #krb5_server = adsv01.tspace.mydomain.com adsv02.tspace.mydomain.com adsv03.tspace.mydomain.com # Don't forget the trailing newline
Restart the sssd daemon
root@nfsserv-pc:~# service sssd restart
If you tail /var/log/sssd/sssd_tspace.mydomain.com.log
, you should see lots of activity.
Configure nss
As above, put in /etc/nsswitch.conf
:
passwd: compat sss group: compat sss shadow: compat sss hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis sss
More testing
root@nfsserv-pc:~# getent passwd U1234567
U1234567:*:41234567:41234567:A. Prentice:/home/u1234567:/bin/bash
Logging in using AD accounts should also work.