so, as you're probably aware, likewise-open is a nifty tool for getting authentication of linux and linuxesque boxes to active directory. likewise-open is placed in the ecosystem where admins simply need authentication and home directories mounted. it uses an internal hash mechanism to auto-generate uids and gids from user sids in active directory; so, in essence, all across an enterprise, the likewise-open uids and gids will be the same. okay. sure.
but what about mixed el-cheapo shops?
my problem was the following:
i have a windows active directory domain and i have a linux-based openldap system. i've invested heavily in both, so, i'm really not in the mood to retire or re-tool the linux side of the house. windows, sure. the end goal is to have a linux machine join active directory and be able to authenticate windows users preserving openldap uid and gids.
i do not want to use samba, i do not want to use winbind, i do not want to use likewise-open's weird hash mechanism. i do want to use RFC 2307 attributes.
microsoft ad's nice, as there's actually a schema extension that enables an admin to have unix uids and gids. this is accessible once idmu extensions are rendered visible and server for nis is installed. oh yes.
here's what i did:
1. on ms server 2003 ad controller, installed ms sfu 3.5 server for nis.
2. ditto, installed ms idmu extensions.
3. opened my ldap db and took note of my user uids and gids.
4. i now have something called "services for unix authentication".
the domain is the short nt-name for my ad domain. nice.
5. my ad entries now have the nifty tab, "UNIX Attributes"
6. added the proper uid & gid information as gleaned from ldap to each of my ad records.
i don't have many users to think about, so doing this by hand is a piece of cake.
7. on a linux box, i did the usual likewise-open installation.
we really just want the kerberos ticket generation stuff, so we don't have to go to an ad server and run kerberos ticket utilities and the like. turn-key is the name of the game.
8. edited several key files... ldap.conf, nsswitch.conf, krb5.conf
ldap.conf: we're pointing to the ad controller. we have cool rfc 2307 attributes defined here, too.
nsswitch.conf: remove lsass entries, it'll only prove to confuse things.
krb5.conf: get the ad controller in there.
just for fun, do an ldap search against your ad controller with a bind account. you know and i know that ad will not allow searches by anonymous users. having ntp have its time source set by the ad controller would be awesome, too.
here's a nice search:
# ldapsearch -x -D "notme@not.there.com" -w badpassword -h 10.0.0.1
you should see:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 10 Referral
text: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'not.here.com'
ref: ldap://not.there.com/dc=not,dc=there,dc=com

# numResponses: 1
here's what my conf files look like:
ldap.conf

host 10.0.0.1
base dc=not,dc=there,dc=com
uri ldap://10.0.0.1/
binddn notme@not.there.com    <--- ad doesn't like the whole cn dn deal all the time.
bindpw badpassword
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd cn=Users,dc=not,dc=there,dc=com?sub
nss_base_shadow cn=Users,dc=not,dc=there,dc=com?sub
nss_base_group cn=Users,dc=not,dc=there,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers ldap
nsswitch.conf

passwd: compat ldap lsass    <---- remove lsass
group: compat ldap lsass     <---- remove lsass
hosts: files dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
#passwd_compat: ldap
#group_compat: ldap
krb5.conf

[libdefaults]
    default_realm = NOT.THERE.COM
    default_keytab_name = /etc/krb5.keytab
    default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    dns_lookup_kdc = true
    pkinit_kdc_hostname =
    pkinit_anchors = DIR:/var/lib/likewise/trusted_certs
    pkinit_cert_match = && msScLogin
    pkinit_eku_checking = kpServerAuth
    pkinit_win2k_require_binding = false
    pkinit_identities = PKCS11:/opt/likewise/lib/libpkcs11.so

[realms]
    NOT.THERE.COM = {
        auth_to_local = RULE:[1:$0\$1](^NOT\.THERE\.COM\\.*)s/^NOT\.THERE\.COM/NOT/
        auth_to_local = DEFAULT
        kdc = adserver.not.there.com
        admin_server = adserver.not.there.com
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .not.there.com = NOT.THERE.COM

[appdefaults]
    pam = {
        mappings = NOT\\(.*) $1@NOT.THERE.COM
        forwardable = true
        validate = true
    }
    httpd = {
        mappings = NOT\\(.*) $1@NOT.THERE.COM
        reverse_mappings = (.*)@NOT\.THERE\.COM NOT\$1
    }
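as an added worked example (my code, not from the original post), here is a small python script that applies the nss_map_attribute renames from the ldap.conf above to ad user objects, renders them as passwd(5) lines the way nss_ldap would see them, and checks that each uidNumber/gidNumber preserves the values noted from openldap in step 3. the ad entries, their `uid` attribute (the posted ldap.conf does not remap it) and the openldap table are all constructed sample data.

```python
# AD attribute that nss_ldap reads for each posixAccount attribute (nss_map_attribute
# lines from the ldap.conf above); anything not listed keeps its RFC 2307 name.
NSS_ATTRIBUTE_MAP = {
    "gecos": "cn",
    "homeDirectory": "unixHomeDirectory",
    "uniqueMember": "member",
}

# Constructed AD user objects, as the "UNIX Attributes" tab would populate them.
# "uid" is assumed present because the posted ldap.conf does not remap it.
AD_USERS = [
    {"uid": "alice", "cn": "Alice Example", "uidNumber": "1001", "gidNumber": "100",
     "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    {"uid": "bob", "cn": "Bob Example", "uidNumber": "1003", "gidNumber": "100",
     "unixHomeDirectory": "/home/bob", "loginShell": "/bin/bash"},
    {"uid": "carol", "cn": "Carol Example", "gidNumber": "100"},  # tab never filled in
]

# Constructed table of the OpenLDAP uid/gid pairs noted in step 3: login -> (uid, gid).
OPENLDAP_IDS = {"alice": (1001, 100), "bob": (1002, 100), "carol": (1004, 100)}

def posix_attr(entry, name):
    """Return a posixAccount attribute, following the nss_map_attribute renames."""
    return entry.get(NSS_ATTRIBUTE_MAP.get(name, name))

def passwd_line(entry):
    """Render an AD user as a passwd(5) line; None if it has no uidNumber/gidNumber."""
    uid, gid = posix_attr(entry, "uidNumber"), posix_attr(entry, "gidNumber")
    if uid is None or gid is None:
        return None
    return ":".join([entry["uid"], "x", uid, gid, posix_attr(entry, "gecos") or "",
                     posix_attr(entry, "homeDirectory") or "", entry.get("loginShell", "")])

def reconcile(ad_users, ldap_ids):
    """Map login -> problem for every AD record that does not preserve OpenLDAP's ids."""
    problems = {}
    for entry in ad_users:
        login = entry["uid"]
        uid, gid = posix_attr(entry, "uidNumber"), posix_attr(entry, "gidNumber")
        if uid is None or gid is None:
            problems[login] = "missing uidNumber/gidNumber in AD"
        elif login not in ldap_ids:
            problems[login] = "not found in OpenLDAP"
        elif (int(uid), int(gid)) != ldap_ids[login]:
            problems[login] = "AD %s/%s differs from OpenLDAP %d/%d" % ((uid, gid) + ldap_ids[login])
    return problems

if __name__ == "__main__":
    print(reconcile(AD_USERS, OPENLDAP_IDS))
```

a record that comes back with a problem here is one the linux box would either not resolve at all or resolve to a different numeric id than the openldap side, which is exactly what breaks file ownership on mixed shops.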