binding linux to active directory

Continuing with the last few posts regarding my company's migration to Active Directory, I wanted to jot down my solution for getting our Linux systems onto AD. Our previous directory server was Apple's Open Directory, which was basically a bundle of OpenLDAP, Kerberos, a password database, and a GUI. I won't get into the rationale behind migrating off of OD; suffice it to say OD wasn't cutting it. That said, our previous binding (I'm using the term "binding" loosely here) was done with LDAP/Kerberos. There were a couple of options for binding to AD, including winbind, but I've had issues with that in the past; it mostly worked, but it hiccuped often enough, and in enough different ways, that it was just a pain. It also relied on more obscure pieces of the directory server compared to plain LDAP/Kerberos. So I wound up just modifying two config files, nslcd.conf and krb5.conf, to get everything working.

nslcd

We're using LDAP for user/group information and Kerberos for authentication. The tutorials and forum posts I found all differed slightly for each author's environment, so a simple copy/paste didn't work out of the box. I wound up using a combination of "tcpdump -X host host -w /tmp/tcpdump.pcap" plus Wireshark, and "nslcd -d", to debug. The former helped me figure out the filter settings I needed. The latter helped me get the mapping from AD schema attributes to POSIX user/group fields sorted out. Below is something that got us up and running. There are still a few things we'll likely tweak before we call it done. We're mostly a CentOS shop at this point, though we have a couple of Ubuntu systems. The configs are similar for the most part, but the two vendors run the nslcd daemon under different groups (ldap on CentOS, nslcd on Ubuntu) and the attribute mapping was a little different. Kerberos was identical between the two vendors.

CentOS

uid nslcd
gid ldap
uri ldap://host
base CN=Users,DC=domain,DC=tld
binddn domain\user
bindpw password
scope group sub
scope hosts sub
# AD caps a single search result at 1000 entries, so page the results
pagesize 1000
# AD hands out referrals to other partitions; chasing them only slows lookups
referrals off
filter passwd (objectCategory=user)
filter group (objectCategory=group)
# AD attribute -> POSIX field mappings
map passwd uid sAMAccountName
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map group uniqueMember member
ssl no
tls_cacertdir /etc/openldap/cacerts

Ubuntu

uid nslcd
gid nslcd
uri ldap://host
base CN=Users,DC=domain,DC=tld
binddn domain\user
bindpw password
scope group sub
scope hosts sub
pagesize 1000
referrals off
filter passwd (objectCategory=user)
filter group (objectCategory=group)
map passwd uid sAMAccountName
map passwd gecos displayName
map passwd gidNumber primaryGroupID
ssl no
tls_cacertdir /etc/openldap/cacerts

Don't forget to restart nslcd after editing, and nscd too if it's running, so stale cache entries don't mask the change. Then check with "getent passwd <aduser>" and "id <aduser>"; if a lookup fails, "nslcd -d" in the foreground shows exactly which filter or attribute it tripped on.

Two caveats on the configs above. First, uidNumber isn't mapped, so nslcd reads it from the AD attribute of the same name and skips any account that doesn't have one; every user who needs to log in must have uidNumber populated in AD. Second, "ssl no" together with an ldap:// URI means the bind DN, the bind password and every directory query cross the wire in cleartext. For anything beyond a lab, use "ssl start_tls" (or an ldaps:// URI with "ssl on"), set "tls_reqcert demand" so the domain controller's certificate is actually verified against the CA in tls_cacertdir, and make sure nslcd.conf is not world-readable, since it holds the bind password.

Kerberos

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.TLD
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.TLD = {
  kdc = host
  admin_server = host
 }

[domain_realm]
 domain.tld = DOMAIN.TLD
 .domain.tld = DOMAIN.TLD

The block name under [realms] has to match default_realm exactly (DOMAIN.TLD, upper-case); with dns_lookup_kdc = false the library has nowhere else to look for a KDC, so a mismatch shows up as "Cannot find KDC for realm". Verify with "kinit <aduser>" followed by "klist".
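Before pushing the two files out, it is worth linting them for the mistakes that tend to bite in exactly this setup: cleartext LDAP with a bind password in nslcd.conf, a disabled certificate check, and a [realms] block whose name doesn't match default_realm in krb5.conf. The script below is an added example, not code from the original post or from nslcd/MIT Kerberos; it parses both formats (nslcd.conf as flat "directive value" lines, krb5.conf as INI sections with brace-delimited realm blocks) and reports findings. The SAMPLE_* strings are constructed from the snippets above; "host", "domain.tld" and "password" are the post's own placeholders.

```python
"""Sanity checks for an nslcd.conf / krb5.conf pair before pushing them out.

Added example (not from the original post or from nslcd/MIT Kerberos).
SAMPLE_NSLCD and SAMPLE_KRB5 are constructed from the post's snippets.
"""

SAMPLE_NSLCD = """
uid nslcd
gid ldap
uri ldap://host
base CN=Users,DC=domain,DC=tld
binddn domain\\user
bindpw password
filter passwd (objectCategory=user)
filter group (objectCategory=group)
map passwd uid sAMAccountName
map passwd gidNumber primaryGroupID
ssl no
tls_cacertdir /etc/openldap/cacerts
"""

SAMPLE_KRB5 = """
[libdefaults]
 default_realm = DOMAIN.TLD
 dns_lookup_kdc = false
[realms]
 DOMAIN = {
  kdc = host
  admin_server = host
 }
[domain_realm]
 domain.tld = DOMAIN.TLD
 .domain.tld = DOMAIN.TLD
"""


def parse_nslcd(text):
    """Return {directive: [values...]}; 'filter', 'scope' and 'map' may
    legitimately repeat, so every value is kept in file order."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, _, value = line.partition(" ")
            options.setdefault(directive, []).append(value.strip())
    return options


def parse_krb5(text):
    """Minimal krb5.conf reader: {section: {key: value | {key: value}}}.
    Brace blocks (the per-realm entries under [realms]) become nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                block = key
                conf[section][key] = {}
            elif block is not None:
                conf[section][block][key] = value
            else:
                conf[section][key] = value
    return conf


def lint_nslcd(text):
    """Findings for the LDAP side as (code, message) pairs."""
    opts = parse_nslcd(text)
    findings = []
    ssl_mode = opts.get("ssl", ["off"])[-1].lower()
    plain_uri = any(u.startswith("ldap://") for u in opts.get("uri", []))
    if plain_uri and ssl_mode in ("no", "off"):
        findings.append(("ldap-cleartext",
                         "ldap:// without 'ssl start_tls': every lookup crosses the wire unencrypted"))
        if "bindpw" in opts:
            findings.append(("bindpw-cleartext",
                             "bindpw is sent unencrypted on each simple bind; use start_tls or ldaps://"))
    reqcert = opts.get("tls_reqcert", [""])[-1].lower()
    if reqcert in ("never", "allow"):
        findings.append(("tls-reqcert-weak",
                         f"tls_reqcert {reqcert} skips server certificate verification; use 'demand'"))
    return findings


def lint_krb5(text):
    """Findings for the Kerberos side as (code, message) pairs."""
    conf = parse_krb5(text)
    findings = []
    libdefaults = conf.get("libdefaults", {})
    default_realm = libdefaults.get("default_realm")
    realms = {k: v for k, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    no_dns = libdefaults.get("dns_lookup_kdc", "true").lower() == "false"
    hint = " and dns_lookup_kdc is off, so kinit has no way to find a KDC" if no_dns else ""
    if default_realm is None:
        findings.append(("no-default-realm", "[libdefaults] has no default_realm"))
    elif default_realm not in realms:
        findings.append(("realm-undefined",
                         f"default_realm {default_realm} has no [realms] block (found {sorted(realms)}){hint}"))
    for name, body in realms.items():
        if name != name.upper():
            findings.append(("realm-not-uppercase", f"realm {name} should be upper-case"))
        if "kdc" not in body:
            findings.append(("realm-no-kdc", f"realm {name} lists no kdc"))
    for realm in sorted({r for r in conf.get("domain_realm", {}).values() if r not in realms}):
        findings.append(("domain-realm-undefined",
                         f"[domain_realm] maps hosts to {realm}, which has no [realms] block"))
    return findings


def lint(nslcd_text, krb5_text):
    """Lint both files; returns the finding codes, empty when both are clean."""
    return [code for code, _ in lint_nslcd(nslcd_text) + lint_krb5(krb5_text)]


if __name__ == "__main__":
    for code, msg in lint_nslcd(SAMPLE_NSLCD) + lint_krb5(SAMPLE_KRB5):
        print(f"{code}: {msg}")
```

Run against the post's own snippets it reports the cleartext LDAP bind and the DOMAIN vs. DOMAIN.TLD mismatch; switching the nslcd side to "ssl start_tls" with "tls_reqcert demand" and renaming the realm block to DOMAIN.TLD brings it down to no findings.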

Conclusion

With all of that sorted out, a simple push of these config files via one's favorite Configuration Management System makes for a relatively painless migration of server authentication from OD to AD.