Re: Re: nss_ldap using sasl with gssapi. Kerberos credentials cache problem
ldap.padl.nss, msg#00029
Howard,

I would be interested in the example LDIF to add the RFC2307 schema to 2003 SP1.

Thanks
Markus

BTW, I was working on a patch to include the kinit into the nss_ldap code instead of running a cronjob. You can find it at http://netjoin.sf.net/nss_ldap-250-keytab.patch

On Thu Sep 14 7:23, Howard Wilkinson <howard@xxxxxxxxxxx> sent:

> This is a short set of notes on what I have had to do to get nss_ldap
> working with SASL/GSSAPI/Kerberos accessing Windows 2003 R2 as the
> authentication store.
>
> First get a Windows 200x environment with the RFC2307 extensions added
> to the schema. The easiest way to do this is to use Windows 2003 R2.
> However, it is also possible to do this by using LDIFs from the wider
> community to add this to a 2003 or a 2000 schema. I can dig out an
> example of this if anybody is interested. This step is scary as in
> a production environment if you get this wrong in the right way you
> have an unrecoverable Windows environment, so I recommend either a new
> forest using Windows 2003 R2 or back everything up. Note I have done
> this for a very big global domain and will hold anybody's hand if they
> are thinking of doing this in a production domain.
>
> Next assign all of your real Unix users with AD accounts - make
> the user names conform to the POSIX rules (Windows samAccountName), i.e.
> 8 characters starting with a letter, all in lower case. Give them
> uidNumber, gidNumber, loginShell and unixHomeDirectory
> attributes. I use displayName for the GECOS field.
>
> Create relevant groups in the AD. I have used samAccountName for the
> groupName; you can also use CN but you have to be careful about the
> names and make sure they are valid in the Unix and Windows world. I
> stick to lower case starting with a letter and no spaces in the
> samAccountName.
>
> For example: I declare a superusers group to which I add users I would
> have added to wheel and use this in sudo - you can only add users
> declared in AD to groups declared in AD. superusers is a member of
> "Domain Admins" and "Enterprise Admins" in our systems.
>
> With this you are now ready to set up the Unix side of the fence. I use
> pam_krb5 to authenticate and nss_ldap to handle the maps. The PAM stack
> looks like this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_krb5.so
>
> I set up Kerberos to access the Active Directory as follows.
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = COHERENT.COHTECH.CO.UK
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  forwardable = false
>
> [realms]
>  COHERENT.COHTECH.CO.UK = {
>   kdc = coherent.cohtech.co.uk
>  }
>
> [domain_realm]
>  city.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>  .city.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>  coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>  .coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>  finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>  .finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>  stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>  .stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>  cohtech.co.uk = COHERENT.COHTECH.CO.UK
>  .cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> And create a machine keytab using Samba - currently samba-3.0.23a. Note
> my machines are in the finsbury.cohtech.co.uk zone, while the AD is
> domain coherent.cohtech.co.uk.
>
> The nsswitch.conf file contains ...
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
>
> statements.
>
> ldap.conf contains ...
>
> # Set to some high number to get debug output -
> # very useful if kerberos is failing
> debug 0
>
> # base set to default container inside AD for Users - have not got this
> # working with multiple containers
> base cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
>
> # Our servers have certificates and therefore are available over ssl
> # Otherwise use
> #uri ldap://coherent.cohtech.co.uk
> uri ldaps://coherent.cohtech.co.uk
>
> # The LDAP version to use (defaults to 3
> # if supported by client library)
> #ldap_version 3
> ldap_version 3
>
> # The distinguished name to bind to the server with.
> # NEVER NEVER NEVER define this if using SASL, it breaks the bind operation
> #binddn cn=proxyuser,dc=example,dc=com
>
> # The credentials to bind with.
> # NEVER NEVER NEVER define this if using SASL, it breaks the bind operation
> #bindpw secret
>
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> #rootbinddn cn=manager,dc=example,dc=com
>
> # The port.
> # Optional: default is 389.
> #port 389
>
> # The search scope.
> #scope sub
> #scope one
> #scope base
> scope sub
>
> # Search timelimit
> #timelimit 30
> timelimit 120
>
> # Bind/connect timelimit
> #bind_timelimit 30
> bind_timelimit 120
>
> # Reconnect policy: hard (default) will retry connecting to
> # the software with exponential backoff, soft will fail
> # immediately.
> bind_policy soft
>
> # Idle timelimit; client will close connections
> # (nss_ldap only) if the server has not been contacted
> # for the number of seconds specified below.
> #idle_timelimit 3600
> idle_timelimit 3600
>
> .......
>
> # Just assume that there are no supplemental groups for these named users
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
>
> # attribute/objectclass mapping
> # Syntax:
> #nss_map_attribute rfc2307attribute mapped_attribute
> #nss_map_objectclass rfc2307objectclass mapped_objectclass
>
> # RFC 2307 (AD) mappings
> #nss_map_objectclass posixAccount user
> #nss_map_objectclass shadowAccount user
> #nss_map_attribute uid sAMAccountName
> #nss_map_attribute homeDirectory unixHomeDirectory
> #nss_map_attribute shadowLastChange pwdLastSet
> #nss_map_objectclass posixGroup group
> #nss_map_attribute uniqueMember member
> #pam_login_attribute sAMAccountName
> #pam_filter objectclass=User
> #pam_password ad
> nss_base_passwd cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
> nss_base_shadow cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
> nss_base_group cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
>
> nss_map_objectclass posixAccount User
> nss_map_objectclass shadowAccount User
> nss_map_attribute uid samAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute shadowLastChange pwdLastSet
>
> nss_map_attribute uidNumber uidNumber
> nss_map_attribute gidNumber gidNumber
> nss_map_attribute loginShell loginShell
> nss_map_attribute gecos displayName
> nss_map_objectclass posixGroup Group
> nss_map_attribute uniqueMember Member
> nss_map_attribute cn samAccountName
> nss_paged_results on
>
> pam_login_attribute samAccountName
> pam_filter objectclass=user
> pam_member_attribute member
> #pam_groupdn cn=unixusergroup,dc=coherent,dc=cohtech,dc=co,dc=uk
> pam_password ad
>
> # Disable SASL security layers. This is needed for AD.
> #sasl_secprops maxssf=0
> sasl_secprops maxssf=0
>
> # Override the default Kerberos ticket cache location.
> #krb5_ccname FILE:/etc/.ldapcache
> krb5_ccname FILE:/etc/.ldapcache
>
> # SASL mechanism for PAM authentication - use is experimental
> # at present and does not support password policy control
> #pam_sasl_mech DIGEST-MD5
>
> use_sasl on
> sasl_authid nssldap/beastie.finsbury.cohtech.co.uk
> rootsasl_auth_id nssldap/beastie.finsbury.cohtech.co.uk
> rootuse_sasl yes
>
> The key feature here is the krb5_ccname which is used to override the
> credentials passed in to the user. At present this file must have 0644
> access as the nss_ldap code always overrides with this file. I intend
> to supply a patch that will check for read access to this file and use
> it only in this circumstance. A further enhancement would be to try to
> access the directory using this file if readable, and if that fails or
> if the file is not readable then use the KRB5CCNAME environment
> variable if set, and if that fails use the user's credentials cache if
> that exists.
>
> The authentication ID needs to be created in the AD and exported. This
> is done by creating a user with a never-expires password and then using
> the ktpass command on Windows 200x to export the key. I use
>
> ktpass -princ nssldap/<hostname>@DOMAIN -mapuser nss<host>@domain -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass <somepassword> -out <keytabfile>
>
> The resulting file is copied to the target host, and I add it to the
> system keytab file. It could equally be put in a separate file and used
> from there.
>
> The final pieces of magic are setting up the openldap ldap.conf file.
>
> # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example, dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> URI ldaps://coherent.cohtech.co.uk
> #HOST coherent.cohtech.co.uk
> BASE dc=coherent,dc=cohtech,dc=co,dc=uk
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT never
>
> And setting up nscd to cache requests, running nscd - I set the
> environment with KRB5CCNAME=/etc/.ldapcache as a bit of belt and braces.
>
> The following script is executed every 6 hours to keep the credentials
> cache current.
>
> #!/bin/sh
> #
>
> /usr/kerberos/bin/kinit -k -t /etc/krb5.keytab -c /etc/.ldapcache nssldap/beastie.finsbury.cohtech.co.uk \
>   && chown nscd:nscd /etc/.ldapcache \
>   && chmod 0644 /etc/.ldapcache
>
> exit 0
>
> The 0644 will change to 0640 once I have a patch into nss_ldap. A point
> to note: nscd only provides caches for individual lookups, so running
> getent passwd will not work unless Kerberos credentials are supplied
> some other way - hence the need for 0644 at present.
>
> Hope this all makes sense. Will try to produce a more comprehensive
> guide later when I have fixed the niggles.
>
> By the by.. This all required the latest version of openldap,
> cyrus-sasl, nss_ldap as previous versions failed to talk to Windows
> 2003. These are currently drawn from fedora-development and are:
> openldap-2.3.27-2, cyrus-sasl-2.1.22-3, & nss_ldap-251-1 (with the
> enable-configurable-krb5-ccname-gssapi configuration flag turned on at
> build time).
>
> Chris Bradford wrote:
>> Howard Wilkinson wrote:
>>> I have been installing nss_ldap for SASL connections to a Windows 2003 R2
>>> infrastructure and run into some problems. It turns out that the package
>>> distributed with FC5 and in development have an incorrect option set with
>>> the configuration for the configuration file feature krb5_ccname to work.
>>>
>>> The configure line currently uses --enable-configurable-krb5-ccname
>>> which does not do anything useful. It should either read
>>> --enable-configurable-krb5-ccname-env or
>>> --enable-configurable-krb5-ccname-gssapi to make this work. I have
>>> chosen the second as the first does not confer any advantage in
>>> allowing the environment to override in the current implementation.
>>>
>>> Without this setting the calling environment must have a
>>> credential cache set up for the code to work - the behaviour of both
>>> the nscd and the general calling environment give local errors when
>>> there is no credentials cache defined.
>>>
>>> --
>>> Howard Wilkinson
>>> Coherent Technology Limited
>>> 23 Northampton Square, London, United Kingdom, EC1V 0HL
>>> Phone: +44(20)76907075
>>> Mobile: +44(7980)639379
>>> Email: howard@xxxxxxxxxxx
>>
>> Howard,
>>
>> Could you please post details on how you have used sasl to connect to
>> AD? I am using nss_ldap to connect but not using sasl. Further details
>> on this can be seen here:
>> http://cb-net.co.uk/readarticle.php?article_id=5
>>
>> -Chris
>
> --
> Howard Wilkinson
> Coherent Technology Limited
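The user-provisioning rules in Howard's quoted notes (samAccountName of at most 8 characters, lower case, starting with a letter; uidNumber, gidNumber, loginShell and unixHomeDirectory present on every account) are easy to get wrong one account at a time. The script below is an added example, not code from the thread or from nss_ldap: it checks an LDIF export of the user container (as `ldapsearch -LLL` prints it, plain attributes, no base64 or continuation lines) against those rules. Allowing digits after the first character is this example's own assumption, as are the function names and the sample entries.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks AD user entries exported as
# plain LDIF against the provisioning rules Howard lists: samAccountName of
# at most 8 characters, lower case, starting with a letter (digits after the
# first character are this example's assumption), plus uidNumber, gidNumber,
# loginShell and unixHomeDirectory present. Names and sample data are
# constructed for the example.

# Exit 0 when the name follows the rule above.
valid_posix_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9]{0,7}$'
}

# Read LDIF on stdin (entries separated by blank lines). Print one line per
# entry with problems and return the number of such entries (0 = all good).
# Attribute names are compared case-insensitively, as AD returns them.
check_ldif() {
    awk '
    function flush(   i, k, name, problems) {
        if (dn == "") return
        problems = ""
        for (i = 1; i <= nreq; i++)
            if (!(tolower(req[i]) in seen)) problems = problems " missing:" req[i]
        name = ("samaccountname" in seen) ? seen["samaccountname"] : ""
        if (name == "") problems = problems " missing:sAMAccountName"
        else if (length(name) > 8 || name !~ /^[a-z][a-z0-9]*$/)
            problems = problems " badname:" name
        if (problems != "") { print dn ":" problems; bad++ }
        dn = ""
        for (k in seen) delete seen[k]
    }
    BEGIN {
        bad = 0
        nreq = split("uidNumber gidNumber loginShell unixHomeDirectory", req, " ")
    }
    /^dn: / { flush(); dn = substr($0, 5) }
    /^[A-Za-z][A-Za-z0-9-]*: / {
        attr = tolower(substr($0, 1, index($0, ":") - 1))
        seen[attr] = substr($0, index($0, ":") + 2)
    }
    /^$/ { flush() }
    END { flush(); exit bad }
    '
}

# Usage (placeholder base DN):
#   ldapsearch -LLL -b cn=Users,dc=example,dc=com '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber loginShell unixHomeDirectory | check_ldif
```

Run it before pointing nss_ldap at the container: an account that fails the name rule will still be returned by the passwd map, but with a name that does not meet the POSIX conventions the thread relies on.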
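Two things in Howard's quoted notes deserve a check that runs before each cache refresh: the ldap.conf pitfalls he flags (an active binddn/bindpw alongside use_sasl breaks the SASL bind; the 0644 cache he intends to tighten to 0640; TLS_REQCERT never in the OpenLDAP ldap.conf), and the cron script, which chowns and chmods /etc/.ldapcache only after kinit has already written it in place. The script below is an added example, not code from the thread or from nss_ldap: it lints an nss_ldap-style config file for those points and replaces the cron job with a refresh that obtains the ticket into a private scratch cache, verifies it with klist, and installs it atomically with the final owner and mode. The function names, the nscd:nscd owner, the principal, keytab and cache paths are placeholders; the linter compares option keywords case-insensitively, which is this example's assumption about nss_ldap's parser.

```shell
#!/bin/sh
# Added example, not code from the thread. Preflight and refresh helpers for
# the nss_ldap + SASL/GSSAPI setup described above. Assumes nss_ldap-style
# "key value" config lines and MIT Kerberos kinit/klist on PATH; owner,
# principal, keytab and cache paths below are placeholders to adjust.

# Print the active (uncommented) value of an option; nothing if the option is
# absent, commented out or has no value. Keywords compared case-insensitively.
active_setting() {
    awk -v key="$2" '
        NF >= 2 && tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Exit 0 when the "other" read bit is set (column 8 of ls -l).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Report the pitfalls the thread warns about, one line per finding; the
# return value is the number of findings (0 = clean).
lint_ldap_conf() {
    conf=$1; n=0
    sasl=$(active_setting "$conf" use_sasl | tr 'A-Z' 'a-z')
    if [ "$sasl" = on ] || [ "$sasl" = yes ] || [ "$sasl" = true ]; then
        for k in binddn bindpw; do
            if [ -n "$(active_setting "$conf" "$k")" ]; then
                echo "ERROR: $k is set while use_sasl is on (breaks the SASL bind)"
                n=$((n + 1))
            fi
        done
    fi
    cc=$(active_setting "$conf" krb5_ccname)
    case "$cc" in
        FILE:*)
            path=${cc#FILE:}
            if [ -e "$path" ] && world_readable "$path"; then
                echo "WARN: credential cache $path is world-readable (target mode is 0640)"
                n=$((n + 1))
            fi ;;
    esac
    if [ "$(active_setting "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')" = never ]; then
        echo "WARN: TLS_REQCERT never disables server certificate verification"
        n=$((n + 1))
    fi
    return $n
}

# Install a freshly obtained cache atomically: private temp copy next to the
# destination, owner and mode fixed, then rename over the old cache, so nscd
# never sees a half-written or wrongly permissioned file.
install_cache() {
    src=$1; dest=$2; owner=$3; mode=$4
    tmp="$dest.tmp.$$"
    (umask 077 && cp "$src" "$tmp") || return 1
    if chmod "$mode" "$tmp" && chown "$owner" "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Replacement for the 6-hourly cron job: kinit into a scratch cache, check it
# with klist, and only then install it, so a failed kinit never leaves an
# empty or stale cache behind.
refresh_cache() {
    principal=$1; keytab=$2; dest=$3; owner=$4; mode=$5
    scratch=$(mktemp) || return 1
    rc=1
    if kinit -k -t "$keytab" -c "$scratch" "$principal" \
       && klist -c "$scratch" >/dev/null 2>&1; then
        install_cache "$scratch" "$dest" "$owner" "$mode"; rc=$?
    fi
    rm -f "$scratch"
    return $rc
}

# Usage from cron (placeholder values):
#   lint_ldap_conf /etc/ldap.conf && lint_ldap_conf /etc/openldap/ldap.conf \
#     && refresh_cache nssldap/HOSTNAME@REALM /etc/krb5.keytab /etc/.ldapcache nscd:nscd 0640
```

The 0640 mode only works once the caller of nss_ldap can read the cache (nscd running as the file's owner or group), which is exactly the patch Howard describes; until then the linter's world-readable warning will fire on the 0644 file the thread uses, and that is the intended reminder.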