Re: nss_ldap using sasl with gssapi. Kerberos credentials cache problem[Scanned]

Chris et al,

I intended to put an experiences note out to the nss_ldap forums but have not found one suitable yet. So here is the short canned version of how I made this all work.

First get a Windows 200x environment with the RFC2307 extensions added to the schema. The easiest way to do this is to use Windows 2003 R2. However, it is also possible to do this by using LDIFs from the wider community to add this to a 2003 or a 2000 schema. I can dig out an example of this if anybody is interested. *This step is scary, as in a production environment if you get this wrong in the right way you have an unrecoverable Windows environment, so I recommend either a new forest using Windows 2003 R2 or back everything up. Note I have done this for a very big global domain and will hold anybody's hand if they are thinking of doing this in a production domain.

Next assign all of your *real* Unix users with AD accounts - make the user names conform to the POSIX rules (Windows samAccountName), i.e. 8 characters starting with a letter, all in lower case. Give them uidNumber and gidNumber, loginShell and unixHomeDirectory attributes. I use displayName for the GECOS field.

Create relevant groups in the AD. I have used samAccountName for the groupName; you can also use CN, but you have to be careful about the names and make sure they are valid in the Unix and Windows worlds. I stick to lower case starting with a letter and no spaces in the samAccountName.

For example: I declare a superusers group to which I add users I would have added to wheel and use this in sudo - you can only add users declared in AD to groups declared in AD. superusers is a member of "Domain Admins" and "Enterprise Admins" in our systems.

With this you are now ready to set up the Unix side of the fence. I use pam_krb5 to authenticate and nss_ldap to handle the maps. The PAM stack looks like this:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/
auth sufficient /lib/security/$ISA/ likeauth nullok
auth sufficient /lib/security/$ISA/ use_first_pass
auth required /lib/security/$ISA/

account required /lib/security/$ISA/ broken_shadow
account sufficient /lib/security/$ISA/ uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/
account required /lib/security/$ISA/

password requisite /lib/security/$ISA/ retry=3
password sufficient /lib/security/$ISA/ nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/ use_authtok
password required /lib/security/$ISA/

session required /lib/security/$ISA/
session required /lib/security/$ISA/
session optional /lib/security/$ISA/

I set up Kerberos to access the Active Directory as follows.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = COHERENT.COHTECH.CO.UK
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = false

[realms]
COHERENT.COHTECH.CO.UK = {
kdc =
}

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

And create a machine keytab using Samba - currently samba-3.0.23a. Note my machines are in the zone, while the AD is domain

The nsswitch.conf file contains ...

passwd: files ldap
shadow: files ldap
group: files ldap


ldap.conf contains ...

# Set to some high number to get debug output - very useful if kerberos is failing
debug 0

#base set to default container inside AD for Users - have not got this working with multiple containers
base cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk

# Our servers have certificates and therefore are available over ssl
# Otherwise use
#uri ldap://
uri ldaps://

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
ldap_version 3

# The distinguished name to bind to the server with.
# NEVER NEVER NEVER defined this if using SASL it breaks the bind operation
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# NEVER NEVER NEVER define this if using SASL it breaks the bind operation
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base
scope sub

# Search timelimit
#timelimit 30
timelimit 120

# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy soft

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
nss_base_passwd cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
nss_base_shadow cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk
nss_base_group cn=Users,dc=coherent,dc=cohtech,dc=co,dc=uk

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid samAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet

nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos displayName
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember Member
nss_map_attribute cn samAccountName
nss_paged_results on

pam_login_attribute samAccountName
pam_filter objectclass=user
pam_member_attribute member
#pam_groupdn cn=unixusergroup,dc=coherent,dc=cohtech,dc=co,dc=uk
pam_password ad

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

use_sasl on

sasl_authid nssldap/

rootsasl_auth_id nssldap/

rootuse_sasl yes

The key feature here is the krb5_ccname which is used to override the credentials passed in to the user. At present this file must have 0644 access as the nss_ldap code always overrides with this file. I intend to supply a patch that will check for read access to this file and use it only in this circumstance. A further enhancement would be to try to access the directory using this file if readable, and if that fails or if the file is not readable then use the KRB5CCNAME environment variable if set and if that fails use the users credentials cache if that exists.

The authentication ID needs to be created in the AD and exported. This is done by creating a user with a never expires password and then using the ktpass command on Windows 200x to export the key. I use

ktpass -princ nssldap/<hostname>@DOMAIN -mapuser nss<host>@domain -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass <somepassword> -out <keytabfile>

The resulting file is copied to the target host, and I add it to the system keytab file. It could equally be put in a separate file and used from there.

The final pieces of magic are setting up the openldap ldap.conf file.

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap:// ldap://

#DEREF never
URI ldaps://
BASE dc=coherent,dc=cohtech,dc=co,dc=uk
TLS_CACERTDIR /etc/openldap/cacerts

And setting up nscd to cache requests, running nscd - I set the environment with KRB5CCNAME=/etc/.ldapcache as a bit of belt and braces.

The following script is executed every 6 hours to keep the credentials cache current.

#!/bin/sh
# Obtain a fresh service ticket from the host keytab into the shared cache,
# then hand the cache to nscd and make it readable for lookups.
/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab -c /etc/.ldapcache nssldap/ \
&& chown nscd:nscd /etc/.ldapcache \
&& chmod 0644 /etc/.ldapcache

exit 0

The 0644 will change to 0640 once I have a patch into nss_ldap. A point to note: nscd only provides caches for individual lookups, so running getent passwd will not work unless Kerberos credentials are supplied some other way - hence the need for 0644 at present.

Hope this all makes sense. Will try to produce a more comprehensive guide later when I have fixed the niggles.

By the by.. This all required the latest version of openldap, cyrus-sasl, nss_ldap as previous versions failed to talk to Windows 2003. These are currently drawn from fedora-development and are: openldap-2.3.27-2, cyrus-sasl-2.1.22-3, & nss_ldap-251-1 (with the enable-configurable-krb5-ccname-gssapi configuration flag turned on at build time).

Chris Bradford wrote:
Howard Wilkinson wrote:
I have been installing nss_ldap for SASL connections to a Windows 2003 R2 infrastructure and have run into some problems. It turns out that the package distributed with FC5 and in development has an incorrect option set in the configuration for the configuration file feature krb5_ccname to work.

The configure line currently uses --enable-configurable-krb5-ccname which does not do anything useful. It should either read --enable-configurable-krb5-ccname-env or --enable-configurable-krb5-ccname-gssapi to make this work. I have chosen the second as the first does not confer any advantage in allowing the environment to override in the current implementation.

Without this setting the calling environment must have a credential cache set up for the code to work - the behaviour of both nscd and the general calling environment gives local errors when there is no credentials cache defined.

Howard Wilkinson



Coherent Technology Limited


23 Northampton Square,



London, United Kingdom, EC1V 0HL





Could you please post details on how you have used SASL to connect to AD? I am using nss_ldap to connect but not using SASL. Further details on this can be seen here:



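The ldap.conf above carries several settings that only make sense together (use_sasl with no binddn/bindpw, sasl_secprops maxssf=0, a krb5_ccname with a cache type prefix). This added example, not code from nss_ldap or from the post, lints a pasted ldap.conf for exactly those interactions; the host names in the sample are placeholders.

```python
"""Lint an nss_ldap ldap.conf for the SASL/GSSAPI pitfalls the post describes.
Added example, not nss_ldap code; option names are those the post's ldap.conf uses."""
import re


def parse_ldap_conf(text):
    """Map each active (uncommented) option to its value; keys are lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_sasl_config(text):
    """Return a list of findings; an empty list means the SASL bind path looks sane."""
    conf = parse_ldap_conf(text)
    findings = []
    if conf.get("use_sasl", "").lower() not in ("on", "yes", "true"):
        return findings  # simple bind in use: none of the checks below apply
    # Simple-bind credentials alongside SASL break the bind (the post's NEVER lines).
    for key in ("binddn", "bindpw"):
        if key in conf:
            findings.append(f"{key} is set while use_sasl is on; remove it")
    if not conf.get("sasl_authid"):
        findings.append("sasl_authid (the service principal) is missing")
    secprops = conf.get("sasl_secprops", "").replace(" ", "")
    if "maxssf=0" not in secprops:
        findings.append("sasl_secprops maxssf=0 is missing; AD needs SASL security layers off")
    elif conf.get("uri", "").lower().startswith("ldap://"):
        # With maxssf=0 GSSAPI adds no integrity or privacy, so only ldaps:// protects traffic.
        findings.append("maxssf=0 over ldap:// leaves lookups unprotected; use ldaps://")
    ccname = conf.get("krb5_ccname", "")
    if not ccname:
        findings.append("krb5_ccname is unset; lookups depend on the caller's own ticket cache")
    elif not re.match(r"^(FILE|DIR|KEYRING|MEMORY):", ccname):
        findings.append(f"krb5_ccname '{ccname}' lacks a cache type prefix such as FILE:")
    return findings


# Constructed sample modelled on the post's ldap.conf (host names are placeholders).
GOOD_CONF = """
uri ldaps://dc.example.invalid
use_sasl on
sasl_authid nssldap/host.example.invalid
sasl_secprops maxssf=0
krb5_ccname FILE:/etc/.ldapcache
"""
BAD_CONF = GOOD_CONF + "binddn cn=proxyuser,dc=example,dc=com\nbindpw secret\n"
```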



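The post proposes a fallback order for the credentials cache (krb5_ccname if readable, then KRB5CCNAME, then the caller's own cache) and notes that the shared cache currently has to be 0644. This added example, not nss_ldap code, implements that selection order and flags what a world-readable service cache exposes; the cache paths are constructed in a temporary directory.

```python
"""Pick the ticket cache for an nss_ldap lookup in the post's proposed order and
report risky modes on a shared cache.  Added example, not nss_ldap code."""
import os
import stat
import tempfile


def _usable(ccname):
    """A FILE: cache (or bare path) must exist and be readable; other types pass as-is."""
    if ccname.startswith("FILE:"):
        path = ccname[5:]
    elif ":" in ccname:
        return True  # DIR:, KEYRING:, ... cannot be checked with a plain file test
    else:
        path = ccname
    return os.path.isfile(path) and os.access(path, os.R_OK)


def resolve_ccache(configured, env, default_cache):
    """Return (cache, source): krb5_ccname, then $KRB5CCNAME, then the default cache."""
    if configured and _usable(configured):
        return configured, "krb5_ccname"
    env_cc = env.get("KRB5CCNAME")
    if env_cc and _usable(env_cc):
        return env_cc, "KRB5CCNAME"
    return default_cache, "default"


def cache_mode_findings(path):
    """A 0644 service cache lets every local user copy and replay the service ticket."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local user can reuse the service ticket")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world-writable: cache contents can be replaced")
    return findings


def demo():
    """Constructed scenario: the configured cache is missing, so $KRB5CCNAME wins."""
    with tempfile.TemporaryDirectory() as d:
        user_cc = os.path.join(d, "krb5cc_1000")
        open(user_cc, "wb").close()
        os.chmod(user_cc, 0o644)  # the mode the post's cron script sets
        chosen = resolve_ccache("FILE:" + os.path.join(d, "missing"),
                                {"KRB5CCNAME": "FILE:" + user_cc}, "FILE:/tmp/krb5cc_default")
        return chosen[1], cache_mode_findings(user_cc)
```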