Monday, January 23, 2012

likewise, ms sfu + 2307 attributes & ldap

disgusting.

so, as you're probably aware, likewise-open is a nifty tool for getting linux and linuxesque boxes to authenticate against active directory. it's aimed at shops where admins simply need authentication and home directories mounted. it uses an internal hash mechanism to auto-generate uids and gids from the user sids in active directory, so, in essence, the likewise-open uids and gids come out the same on every box across an enterprise. okay. sure.

but what about mixed el-cheapo shops?

my problem was the following:
i have a windows active directory domain and i have a linux-based openldap system. i've invested heavily in both, so i'm really not in the mood to retire or re-tool the linux side of the house. windows, sure. the end goal is to have a linux machine join active directory and authenticate windows users while preserving the openldap uids and gids.

i do not want to use samba, i do not want to use winbind, i do not want to use likewise-open's weird hash mechanism. i do want to use RFC 2307 attributes.

microsoft ad is nice here, as there's actually a schema extension that lets an admin store unix uids and gids on each account. it becomes accessible once the idmu extensions are made visible and server for nis is installed. oh yes.

here's what i did:
1. on ms server 2003 ad controller, installed ms sfu 3.5 server for nis.
2. ditto, installed ms idmu extensions.
3. opened my ldap db and took note of my user uids and gids.
4. i now have something called "services for unix authentication".
the domain is the short nt-name for my ad domain. nice.
5. my ad entries now have the nifty tab, "UNIX Attributes"
6. added the proper uid & gid information as gleaned from ldap to each of my ad records.
i don't have many users to think about, so doing this by hand is a piece of cake.
7. on a linux box, i did the usual likewise-open installation.
we really just want the kerberos ticket generation stuff, so we don't have to go to an ad server and run kerberos ticket utilities and the like. turn-key is the name of the game.
8. edited several key files... ldap.conf, nsswitch.conf, krb5.conf

ldap.conf: we're pointing at the ad controller. the rfc 2307 attribute mappings live here, too.
nsswitch.conf: remove the lsass entries, they'll only confuse things.
krb5.conf: get the ad controller in there.

just for fun, do an ldap search against your ad controller with a bind account. you know and i know that ad will not allow searches by anonymous users. having ntp take its time source from the ad controller would be awesome, too, since kerberos will reject tickets if the clocks drift apart.

here's a nice search:
# ldapsearch -x -D "notme@not.there.com" -w badpassword -h 10.0.0.1

you should see:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 10 Referral
text: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
        ref 1: 'not.here.com'

ref: ldap://not.there.com/dc=not,dc=there,dc=com

# numResponses: 1
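to see what nss_ldap is going to do with records like these once the search has a base dn, here's a bit of python of my own (an added example, not from the original post) that reads ldapsearch output, spots a referral result like the one above, and maps ad "user" entries to passwd lines using the same nss_map_* lines as the ldap.conf further down. the LDIF it chews on is constructed: the referral half mirrors the output above, the user and computer entries (jexample, the uid/gid numbers, the home directory) are made up.

```python
"""model what nss_ldap makes of ldapsearch output under the ldap.conf on this page.
added example, not code from the original post. the LDIF below is constructed:
the referral part mirrors the search result shown above, the user and computer
entries (names, uid/gid numbers, home directory) are made up."""

import base64
from typing import Dict, List, Optional

Record = Dict[str, List[str]]

# taken from the page's ldap.conf:
#   nss_map_objectclass posixAccount user
#   nss_map_attribute gecos cn
#   nss_map_attribute homeDirectory unixHomeDirectory
POSIX_ACCOUNT_CLASS = "user"
ATTRIBUTE_MAP = {"gecos": "cn", "homeDirectory": "unixHomeDirectory"}

SAMPLE_LDIF = """\
# search result
search: 2
result: 10 Referral
text: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
 ref 1: 'not.there.com'
ref: ldap://not.there.com/dc=not,dc=there,dc=com

# numResponses: 1

dn: CN=Jane Example,CN=Users,DC=not,DC=there,DC=com
objectClass: top
objectClass: person
objectClass: user
cn: Jane Example
displayName:: SmFuZSBFeGFtcGxl
sAMAccountName: jexample
uid: jexample
uidNumber: 10042
gidNumber: 10001
unixHomeDirectory: /home/jexample
loginShell: /bin/bash

dn: CN=BUILDBOX,CN=Computers,DC=not,DC=there,DC=com
objectClass: top
objectClass: user
objectClass: computer
cn: BUILDBOX
sAMAccountName: BUILDBOX$
"""


def _unfold(text: str) -> List[str]:
    """LDIF folds long values onto lines that start with one space; join them back."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """split ldapsearch output into records of lowercased attr -> values;
    '#' comment lines are dropped and 'attr:: ...' base64 values are decoded."""
    records: List[Record] = []
    current: Record = {}
    for line in _unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(key.strip().lower(), []).append(value)
    return records


def summarize(records: List[Record]) -> Dict[str, object]:
    """tell a referral (result code 10, what a base-less search against ad gets)
    apart from a search that actually returned entries."""
    result = next((r["result"][0] for r in records if "result" in r), None)
    refs = [v for r in records if "dn" not in r for v in r.get("ref", [])]
    entries = sum(1 for r in records if "dn" in r)
    return {"result": result, "referral": bool(result and result.startswith("10 ")),
            "refs": refs, "entries": entries}


def to_passwd_line(entry: Record) -> Optional[str]:
    """render one ad entry the way getent passwd would, applying the page's
    mappings; None when nss_ldap has nothing to return for it (not objectClass
    user, or no uidNumber/gidNumber filled in on the UNIX Attributes tab)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if POSIX_ACCOUNT_CLASS not in classes:
        return None

    def attr(name: str) -> Optional[str]:
        values = entry.get(ATTRIBUTE_MAP.get(name, name).lower())
        return values[0] if values else None

    # the page's conf does not map uid, so the ad entry has to carry a uid value
    login, uid_number, gid_number = attr("uid"), attr("uidNumber"), attr("gidNumber")
    if not (login and uid_number and gid_number):
        return None
    return ":".join([login, "x", uid_number, gid_number, attr("gecos") or "",
                     attr("homeDirectory") or "", attr("loginShell") or "/bin/sh"])


def passwd_lines(records: List[Record]) -> List[str]:
    return [line for r in records if "dn" in r for line in [to_passwd_line(r)] if line]


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print(summarize(recs))
    print("\n".join(passwd_lines(recs)))
```

two things worth noticing: the referral goes away as soon as the search carries a base (ldapsearch -b dc=not,dc=there,dc=com, which is what the base line in ldap.conf supplies), and the computer object is also objectClass user, so a passwd base with no (uidNumber=*) filter hands nss_ldap entries it has to discard; the example mirrors that by returning None for them, the way the group base on this page already filters with (gidnumber=*).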

here's what my conf files look like:

ldap.conf

host 10.0.0.1
base dc=not,dc=there,dc=com
uri ldap://10.0.0.1/
# ad doesn't like the whole cn dn deal all the time, so the upn form goes here
binddn notme@not.there.com
bindpw badpassword
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd cn=Users,dc=not,dc=there,dc=com?sub
nss_base_shadow cn=Users,dc=not,dc=there,dc=com?sub
nss_base_group cn=Users,dc=not,dc=there,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers ldap


nsswitch.conf

# likewise-open tacks lsass onto these two; remove it so only compat and ldap remain
passwd: compat ldap
group:  compat ldap

hosts:  files dns
networks:       files dns

services:       files ldap
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files ldap
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files ldap
#passwd_compat: ldap
#group_compat:  ldap


krb5.conf

[libdefaults]
        default_realm = NOT.THERE.COM
        default_keytab_name = /etc/krb5.keytab
        default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        dns_lookup_kdc = true
        pkinit_kdc_hostname =
        pkinit_anchors = DIR:/var/lib/likewise/trusted_certs
        pkinit_cert_match = &&msScLogin
        pkinit_eku_checking = kpServerAuth
        pkinit_win2k_require_binding = false
        pkinit_identities = PKCS11:/opt/likewise/lib/libpkcs11.so

[realms]
        NOT.THERE.COM = {
                auth_to_local = RULE:[1:$0\$1](^NOT\.THERE\.COM\\.*)s/^NOT\.THERE\.COM/NOT/
                auth_to_local = DEFAULT
                kdc = adserver.not.there.com
                admin_server = adserver.not.there.com
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .not.there.com = NOT.THERE.COM

[appdefaults]
        pam = {
                mappings = NOT\\(.*) $1@NOT.THERE.COM
                forwardable = true
                validate = true
        }
        httpd = {
                mappings = NOT\\(.*) $1@NOT.THERE.COM
                reverse_mappings = (.*)@NOT\.THERE\.COM NOT\$1
        }
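two things in the ldap.conf and krb5.conf above deserve a second look before a box like this goes anywhere near production: the bind password sits in a plain-text ldap.conf and goes over the wire with ssl no, and the enctype lists are all des and rc4. here's a small python audit of my own (an added example, not part of the original post) that writes both files out with the page's values, flags those settings, and then checks a hardened variant. the hardened option names (ssl start_tls, tls_cacertfile, tls_checkpeer, rootbinddn) are real nss_ldap keywords; using them here, the certificate path and the aes enctype lists are this example's assumptions.

```python
"""audit the ldap.conf (nss_ldap/pam_ldap) and krb5.conf shown on this page for a
cleartext or world-readable bind password and for DES/RC4 kerberos enctypes.
added example, not from the original post. PAGE_* hold the page's own values;
HARDENED_* are this example's assumptions (real nss_ldap keywords, made-up paths)."""

import os
import tempfile
from typing import Dict, List, Tuple

# single-DES and RC4 are the enctypes MIT kerberos treats as weak/deprecated
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes", "preferred_enctypes")

PAGE_LDAP_CONF = """\
host 10.0.0.1
base dc=not,dc=there,dc=com
uri ldap://10.0.0.1/
binddn notme@not.there.com
bindpw badpassword
ssl no
referrals no
"""
PAGE_KRB5_CONF = """\
[libdefaults]
        default_realm = NOT.THERE.COM
        default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        dns_lookup_kdc = true
[realms]
        NOT.THERE.COM = {
                kdc = adserver.not.there.com
        }
"""
# assumed hardening: STARTTLS with the dc's cert verified, aes-only enctypes
HARDENED_LDAP_CONF = """\
base dc=not,dc=there,dc=com
uri ldap://adserver.not.there.com/
binddn notme@not.there.com
bindpw badpassword
ssl start_tls
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem
tls_checkpeer yes
referrals no
"""
HARDENED_KRB5_CONF = """\
[libdefaults]
        default_realm = NOT.THERE.COM
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        dns_lookup_kdc = true
"""


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf is 'keyword value' per line, keywords case-insensitive"""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line:
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """flat view of krb5.conf: section -> {key: value}; nested realm/appdefaults
    blocks are folded into their section, which is enough for the libdefaults checks"""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value != "{":  # '{' opens a nested block, not a value
                sections.setdefault(current, {})[key.lower()] = value
    return sections


def audit_ldap_conf(path: str) -> List[str]:
    with open(path) as fh:
        s = parse_ldap_conf(fh.read())
    findings: List[str] = []
    if "bindpw" not in s:
        return findings
    tls = s.get("ssl", "no").lower() in ("on", "yes", "start_tls")
    ldaps = s.get("uri", "").lower().startswith("ldaps://")
    if not (tls or ldaps):
        findings.append("ldap.conf: bindpw is sent by simple bind over plain ldap:// (ssl no), "
                        "so it crosses the wire in the clear; use ssl start_tls or ldaps:// with tls_cacertfile")
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o044:
        findings.append(f"ldap.conf: bindpw readable by other local users (mode {mode:04o}); "
                        "make the bind account read-only, or use rootbinddn with /etc/ldap.secret")
    return findings


def audit_krb5_conf(path: str) -> List[str]:
    with open(path) as fh:
        libdefaults = parse_krb5_conf(fh.read()).get("libdefaults", {})
    findings: List[str] = []
    for key in ENCTYPE_KEYS:
        weak = [e for e in libdefaults.get(key, "").lower().split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"krb5.conf: {key} offers weak enctypes {', '.join(weak)}")
    return findings


def run_demo() -> Tuple[List[str], List[str]]:
    """audit the page's configs (ldap.conf mode 0644) and the hardened ones (0600)"""
    out: List[List[str]] = []
    with tempfile.TemporaryDirectory() as tmp:
        for ldap_text, krb5_text, mode in ((PAGE_LDAP_CONF, PAGE_KRB5_CONF, 0o644),
                                           (HARDENED_LDAP_CONF, HARDENED_KRB5_CONF, 0o600)):
            lpath, kpath = os.path.join(tmp, "ldap.conf"), os.path.join(tmp, "krb5.conf")
            for path, text in ((lpath, ldap_text), (kpath, krb5_text)):
                with open(path, "w") as fh:
                    fh.write(text)
            os.chmod(lpath, mode)
            out.append(audit_ldap_conf(lpath) + audit_krb5_conf(kpath))
    return out[0], out[1]


if __name__ == "__main__":
    for label, findings in zip(("page configs", "hardened"), run_demo()):
        print(label, findings or ["clean"])
```

a couple of caveats on reading the findings: a world-readable bindpw is hard to avoid with nss_ldap, because unprivileged lookups read the same ldap.conf, which is exactly why the bind account should be able to read the directory and do nothing else (and why rootbinddn with a 0600 /etc/ldap.secret exists for the privileged bind). on the kerberos side, a server 2003 dc cannot do aes, so rc4-hmac is the best you'll get from it; the des entries can still come out, and the aes-only list in the hardened variant is what to move to once the dcs are 2008 or newer.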

