I would be interested in the example LDIF to add the RFC2307 Schema to 2003 SP1.
BTW I was working on a patch to include the kinit into the nss_ldap code instead
of running a cronjob. You can find it at
>
>
>
>
>
>
>This is a short set of notes on what I have had to do to get nssldap
>working with SASL/GSSAPI/Kerberos accessing Windows 2003 R2 as the
>authentication store.
>
>
>
>First get a Windows 200x environment with the RFC2307 extensions added
>to the Schema. The easiest way to do this is to use Windows 2003 R2.
>However, it is also possible to do this by using LDIF's from the wider
>community to add this to a 2003 or a 2000 schema. I can dig out an
>example of this is anybody is interested. This step is scary as in
>a production environment if you get this wrong in the right way you
>have an unrecoverable Windows environment so I recommend either a new
>forest using Windows 2003 R2 or back everything up. Note I have done
>this for a very big global domain and will hold anybodies hand if they
>are thinking of doing this in a production domain.
>
>
>
>Next assign all of your real Unix users with AD accounts - make
>the user names conform to the Posix rules (Windows samAccountName) i.e.
>8 characters starting with a letter, all in lower case. Give them
>uidNumber's and gidNumber's, loginShell and unixHomeDirectory
>attributes. I use displayName for the GECOS field.
>
>
>
>Create relevant groups in the AD I have used samAccountName for the
>groupName, you can also use CN but you have to be careful about the
>names and make sure they are valid in the Unix and Windows world I
>stick to lower case starting with a letter and no spaces in the
>samAccountName.
>
>
>
>For example: I declare a superusers group to which I add users I would
>have added to wheel and use this in sudo - you can only add users
>declared in AD to groups declared in AD. superusers is a member of
>"Domain Admins" and "Enterprise Admins" in our systems.
>
>
>
>With this you are now ready to set up the unix side of the fence. I use
>pam_krb5 to authenticate and nss_ldap to handle the maps. The pam stack
>looks like this
>
>
>
>#%PAM-1.0
>
># This file is auto-generated.
>
># User changes will be destroyed the next time authconfig is run.
>
>auth required /lib/security/$ISA/pam_env.so
>
>auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>
>auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
>
>auth required /lib/security/$ISA/pam_deny.so
>
>
>
>account required /lib/security/$ISA/pam_unix.so broken_shadow
>
>account sufficient /lib/security/$ISA/pam_succeed_if.so uid <
>100 quiet
>
>account [default=bad success=ok user_unknown=ignore]
>/lib/security/$ISA/pam_krb5.so
>
>account required /lib/security/$ISA/pam_permit.so
>
>
>
>password requisite /lib/security/$ISA/pam_cracklib.so retry=3
>
>password sufficient /lib/security/$ISA/pam_unix.so nullok
>use_authtok md5 shadow
>
>password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
>
>password required /lib/security/$ISA/pam_deny.so
>
>
>
>session required /lib/security/$ISA/pam_limits.so
>
>session required /lib/security/$ISA/pam_unix.so
>
>session optional /lib/security/$ISA/pam_krb5.so
>
>
>I set up kerberos to access the active directory as follows.
>
>
>
>[logging]
>
>default = FILE:/var/log/krb5libs.log
>
>kdc = FILE:/var/log/krb5kdc.log
>
>admin_server = FILE:/var/log/kadmind.log
>
>
>
>[libdefaults]
>
> default_realm = COHERENT.COHTECH.CO.UK
>
> dns_lookup_realm = true
>
> dns_lookup_kdc = true
>
> forwardable = false
>
>
>
>[realms]
>
>COHERENT.COHTECH.CO.UK = {
>
> kdc = coherent.cohtech.co.uk
>
>}
>
>
>
>[domain_realm]
>
>city.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>.city.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>.coherent.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>.finsbury.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>.stokie.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>.cohtech.co.uk = COHERENT.COHTECH.CO.UK
>
>
>
>[kdc]
>
>profile = /var/kerberos/krb5kdc/kdc.conf
>
>
>
>[appdefaults]
>
>pam = {
>
> debug = false
>
> ticket_lifetime = 36000
>
> renew_lifetime = 36000
>
> forwardable = true
>
> krb4_convert = false
>
>}
>
>
>
>
>And create a machine keytab using Samba - currently samba-3.0.23a. Note
>my machines are in the finsbury.cohtech.co.uk zone, while the AD is
>domain coherent.cohtech.co.uk.
>
>
>
>The nsswitch.conf file contains ...
>
>
>
>passwd: files ldap
>
>shadow: files ldap
>
>group: files ldap
>
>
>
>
>statements.
>
>
>
>ldap.conf contains ...
>
>
>
># Set to some high number to get debug output -
>very useful if kerberos is failing
>
>
>debug 0
>
>
>
>#base set to default container inside AD for Users - have not got this
>working with multiple containers
>
>base cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
>
>
>
># Our servers have certificates and therefore are available over ssl
>
># Otherwise use
>
>#uri ldap://coherent.cohtech.co.uk
>
>uri ldaps://coherent.cohtech.co.uk
>
>
>
># The LDAP version to use (defaults to 3
>
># if supported by client library)
>
>#ldap_version 3
>
>ldap_version 3
>
>
>
># The distinguished name to bind to the server with.
>
># NEVER NEVER NEVER define this if using SASL it breaks the bind
>operation
>
>#binddn cn=proxyuser,dc=example,dc=com
>
>
>
># The credentials to bind with.
>
># NEVER NEVER NEVER define this if using SASL it breaks the bind
>operation
>
>#bindpw secret
>
>
>
># The distinguished name to bind to the server with
>
># if the effective user ID is root. Password is
>
># stored in /etc/ldap.secret (mode 600)
>
>#rootbinddn cn=manager,dc=example,dc=com
>
>
>
># The port.
>
># Optional: default is 389.
>
>#port 389
>
>
>
># The search scope.
>
>#scope sub
>
>#scope one
>
>#scope base
>
>scope sub
>
>
>
># Search timelimit
>
>#timelimit 30
>
>timelimit 120
>
>
>
># Bind/connect timelimit
>
>#bind_timelimit 30
>
>bind_timelimit 120
>
>
>
># Reconnect policy: hard (default) will retry connecting to
>
># the software with exponential backoff, soft will fail
>
># immediately.
>
>bind_policy soft
>
>
>
># Idle timelimit; client will close connections
>
># (nss_ldap only) if the server has not been contacted
>
># for the number of seconds specified below.
>
>#idle_timelimit 3600
>
>idle_timelimit 3600
>
>
>
>.......
>
># Just assume that there are no supplemental groups for these named
>users
>
>nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
>
>
>
># attribute/objectclass mapping
>
># Syntax:
>
>#nss_map_attribute rfc2307attribute mapped_attribute
>
>#nss_map_objectclass rfc2307objectclass mapped_objectclass
>
>
>
># RFC 2307 (AD) mappings
>
>#nss_map_objectclass posixAccount user
>
>#nss_map_objectclass shadowAccount user
>
>#nss_map_attribute uid sAMAccountName
>
>#nss_map_attribute homeDirectory unixHomeDirectory
>
>#nss_map_attribute shadowLastChange pwdLastSet
>
>#nss_map_objectclass posixGroup group
>
>#nss_map_attribute uniqueMember member
>
>#pam_login_attribute sAMAccountName
>
>#pam_filter objectclass=User
>
>#pam_password ad
>
>nss_base_passwd cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
>
>nss_base_shadow cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
>
>nss_base_group cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
>
>
>
>nss_map_objectclass posixAccount User
>
>nss_map_objectclass shadowAccount User
>
>nss_map_attribute uid samAccountName
>
>nss_map_attribute homeDirectory unixHomeDirectory
>
>nss_map_attribute shadowLastChange pwdLastSet
>
>
>
>nss_map_attribute uidNumber uidNumber
>
>nss_map_attribute gidNumber gidNumber
>
>nss_map_attribute loginShell loginShell
>
>nss_map_attribute gecos displayName
>
>nss_map_objectclass posixGroup Group
>
>nss_map_attribute uniqueMember Member
>
>nss_map_attribute cn samAccountName
>
>nss_paged_results on
>
>
>
>pam_login_attribute samAccountName
>
>pam_filter objectclass=user
>
>pam_member_attribute member
>
>#pam_groupdn cn=unixusergroup,dc=coherent,dc=cohtech,dc=co,dc=uk
>
>pam_passwd ad
>
>
>
>
>
># Disable SASL security layers. This is needed for AD.
>
>#sasl_secprops maxssf=0
>
>sasl_secprops maxssf=0
>
>
>
># Override the default Kerberos ticket cache location.
>
>#krb5_ccname FILE:/etc/.ldapcache
>
>krb5_ccname FILE:/etc/.ldapcache
>
>
>
># SASL mechanism for PAM authentication - use is experimental
>
># at present and does not support password policy control
>
>#pam_sasl_mech DIGEST-MD5
>
>
>
>use_sasl on
>
>
>
>sasl_authid nssldap/beastie.finsbury.cohtech.co.uk
>
>
>
>rootsasl_auth_id nssldap/beastie.finsbury.cohtech.co.uk
>
>
>
>rootuse_sasl yes
>
>
>
>
>The key feature here is the krb5_ccname which is used to override the
>credentials passed in to the user. At present this file must have 0644
>access as the nss_ldap code always overrides with this file. I intend
>to supply a patch that will check for read access to this file and use
>it only in this circumstance. A further enhancement would be to try to
>access the directory using this file if readable, and if that fails or
>if the file is not readable then use the KRB5CCNAME environment
>variable if set and if that fails use the users credentials cache if
>that exists.
>
>
>
>The authentication ID needs to be created in the AD and exported. This
>is done by creating a user with a never expires password and then using
>the ktpass command on Windows 200x to export the key. I use
>
>
>
>ktpass -princ nssldap/<hostname>@DOMAIN -mapuser
>nss<host>@domain -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
>-mapo- set +desonly -pass <somepassword> -out <keytabfile>
>
>
>The resulting file is copied to the target host, and I add it to the
>system keytab file. It could equally be put in a separate file and used
>from there.
>
>
>
>The final pieces of magic are setting up the openldap ldap.conf file.
>
>
>
># $OpenLDAP:
>pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt
>
> Exp $
>
>#
>
># LDAP Defaults
>
>#
>
>
>
># See ldap.conf(5) for details
>
># This file should be world readable but not world writable.
>
>
>
>#BASE dc=example, dc=com
>
>#URI ldap://ldap.example.com
> ldap://ldap-master.example.com:666
>
>
>
>#SIZELIMIT 12
>
>#TIMELIMIT 15
>
>#DEREF never
>
>URI ldaps://coherent.cohtech.co.uk
>
>#HOST coherent.cohtech.co.uk
>
>BASE dc=coherent,dc=cohtech,dc=co,dc=uk
>
>TLS_CACERTDIR /etc/openldap/cacerts
>
>TLS_REQCERT never
>
>
>And setting up nscd to cache requests, running nscd - I set the
>environment with KRB5CCNAME=/etc/.ldapcache as a bit of belt and braces.
>
>
>
>The following script is executed every 6 hours to keep the credentials
>cache current.
>
>#!/bin/sh
>
>#
>
>
>
>/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab -c /etc/.ldapcache
>nssldap/beastie.finsbury.cohtech.co.uk \
>
> && chown nscd:nscd /etc/.ldapcache \
>
> && chmod 0644 /etc/.ldapcache
>
>
>
>exit 0
>
>
>The 0644 will change to 0640 once I have a patch into nss_ldap. A point
>to note nscd only provide caches for individual lookups so running
>getent passwd will not work unless kerberos credentials are supplied
>some other way - hence the need for 0644 at present.
>
>
>
>Hope this all makes sense. Will try to produce a more comprehensive
>guide later when I have fixed the niggles.
>
>
>
>By the by.. This all required the latest version of openldap,
>cyrus-sasl, nss_ldap as previous versions failed to talk to Windows
>2003. These are currently drawn from fedora-development and are:
>openldap-2.3.27-2, cyrus-sasl-2.1.22-3, & nss_ldap-251-1 (with the
>enable-configurable-krb5-ccname-gssapi configuration flag turned on at
>build time).
>
>
>
>
>
>
>
>Chris Bradford wrote:
>Howard
>Wilkinson wrote:
>
> I have been installing nss_Ldap for sasl
>connections to a Windows 2003 R2 infrastructure and run into some
>problems. It turns out that the package distributed with FC5 and in
>development have an incorrect option set with the configuration for the
>configuration file feature krb5_ccname to work.
>
>
>
>The configure line currently uses --enable-configurable-krb5-ccname
>which does not do anything useful. It should either read
>--enable-configurable-krb5-ccname-env or
>--enable-configurable-krb5-ccname-gssapi to make this work. I have
>chosen the second as the first does not confer any advantage in
>allowing the environment to override in the current implementation.
>
>
>
>Without this setting then the calling environment must have a
>credential cache set up for the code to work - the behaviour of both
>the nscd and the general calling environment give local errors when
>there is not credentials cache defined.
>
>--
>
>
>
>Howard Wilkinson
>
>
>
>
>
>
>
>Phone:
>
>
>
>
>
>
>
>+44(20)76907075
>
>
>
>Coherent Technology Limited
>
>
>
>
>
>
>
>Fax:
>
>
>
>
>
>
>
>
>
>
>
>23 Northampton Square,
>
>
>
>
>
>
>
>Mobile:
>
>
>
>
>
>
>
>+44(7980)639379
>
>
>
>London, United Kingdom, EC1V 0HL
>
>
>
>
>
>
>
>Email:
>
>
>
>
>
>
>
>
howard@...
>
>
>
>
>
>
>
>
>
>
>
>
>Click here
> <
https://www.mailcontrol.com/sr/wQw0zmjPoHdJTZGyOCrrhg==>
>to
>report this email as spam.
>
>
>
>
>Howard,
>
>
>
>Could you please post details on you you have used sasl to connect to
>AD? I am using nss_ldap to connect but not using sasl. Further details
>on this can be seen here:
>
http://cb-net.co.uk/readarticle.php?article_id=5>
>
>
>
>-Chris
>
>
>
>
>
>
>--
>
>
>
>
>
>
>Signature
>
>
>
>
> Howard Wilkinson
> Normal
> Howard Wilkinson
> 6
> 1
> 2005-03-12T10:10:00Z
> 2006-05-26T11:28:00Z
> 1
> 38
> 220
> Coherent Technology Limited
> 1
> 1
> 257
> 11.6568
>
>
>
> BestFit
> Clean
> Clean
>
> false
> false
> false
> MicrosoftInternetExplorer4
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Howard Wilkinson
>
>
> Phone:
>
>
> +44(20)76907075
>
>
>
>
> Coherent Technology Limited
>
>
> Fax:
>
>
>
>
>
>
>
> 23
>Northampton Square,
>
>
> Mobile:
>
>
> +44(7980)639379
>
>
>
>
> London,
> United Kingdom,
>EC1V 0HL
>
>
> Email:
>
>
>
howard@...
>
>
>
>
>
>
>
>
>
Re: Re: nss_ldap using sasl with gssapi. Kerberos credentials cache problem[Scanned]
Some parts of this message have been removed.
Learn more about Nabble's security policy.
