Kerberos and nss_ldap alternative to winbind

Status
Not open for further replies.

treesleaves

Cadet
Joined
Dec 29, 2012
Messages
5
Kerberos for authentication and nss_ldap can work in situations where winbind doesn't.

1. Openldap for uid/gid etc and Kerberos (possibly from AD) for authentication. This is the situation I have. Our unix group provides nss information through open ldap that is compatible with the usernames in AD. The only part of samba needed is "net ads join..." to put the machine on the domain.

2. Non-MS shops with Kerb/LDAP setups.

3. Other cases where winbind fails. My own experience with FreeBSD and AD is that the Kerberos and nss_ldap combo works in cases where idiosyncrasies in the AD or ldap setup will stop winbind.

Every time I build a zfs file server I try to use FreeNAS and give up because I can't get the authentication/authorization parts to work in the gui that are fairly simple on vanilla FreeBSD with regular Kerberos and LDAP. FreeNAS loses a supporter and I lose the web gui.
 

dlavigne

Guest
Have you created a bug report? It can't get fixed if no one reports the issue.
 

treesleaves

Cadet
Joined
Dec 29, 2012
Messages
5
I'm not sure how to frame this as a bug. Maybe "multiple directory services don't work" ?
I'm really asking for an alternative implementation of AD/Kerberos/LDAP integration.
My underlying bias is that I've never been happy with winbind. I've succeeded with other tools when winbind left me frustrated. The number of actively developed and promoted alternatives to winbind (centrify, sssd, likewise) makes me think I'm not alone.

If there's interest I could provide some example configs, and would be willing to take a stab at some ix.rc.d scripts.
 

Chris Hoefler

Dabbler
Joined
Dec 18, 2013
Messages
22
What you are asking for is the "unix extensions" feature. Look under "Advanced Mode" in the Active Directory tab. This will authenticate via Kerberos and retrieve user/group information via nss_ldap. I believe it can now also support keytab binding, so you no longer need a bind user with AD.

That said, there are rumors of sssd support coming in 9.2.2, which should in principle support a wide array of configuration possibilities.
 

treesleaves

Cadet
Joined
Dec 29, 2012
Messages
5
Thanks for the response.

I'm looking at the AD advanced settings, and I'm not sure how to configure things.

My AD domain is ad.group.domain.edu
and my ldap server is unixauth.here.domain.edu

The ldap server is an openldap rig. Its user database is populated from the same Oracle database as the AD domain.

Can I specify a separate ldap nss server?

I also have some custom mappings in my libnss-ldap.conf file:

nss_base_passwd ou=People,o=GROUP?one?objectClass=hereAccount
nss_base_shadow ou=People,o=GROUP
nss_base_group ou=Group,o=GROUP?one?objectClass=hereGroup
nss_base_netgroup ou=Netgroup,o=GROUP
nss_map_attribute homeDirectory homeDirectory-home

Is there a way to include those in the AD config?

BTW I am able to get ldap authentication and authorization (nss) to work with FreeNAS. The problem is that the experience is poor for windows cifs clients since they cannot use domain/kerberos authentication.

I'm also able from the command line to configure FreeNAS to join the domain using libnss-ldap and kerberos. I just use the same krb5.conf and smb.conf as I have on my vanilla FreeBSD servers. Of course it all goes away on reboot.
 

Chris Hoefler

Dabbler
Joined
Dec 18, 2013
Messages
22
Right, so is there a reason why you need to pull user information from a separate ldap server? Does the AD not have the unix attributes? That is a more complicated situation. There are several potential workarounds depending on what you need.
 

treesleaves

Cadet
Joined
Dec 29, 2012
Messages
5
The ldap server does have some other attributes, but I mostly use it for the uid/gid part.

And it's the uid/gid across a lot of *nix boxes. So I really can't use the winbind trick of generating uid/gid from the windows sid.
 

Chris Hoefler

Dabbler
Joined
Dec 18, 2013
Messages
22
Ok, in your case here is what I would do. Unfortunately you have to go a bit manual. Check "unix attributes" in the Active Directory dialog. This will give you the Kerberos authentication and a basic nss_ldap setup. Then you will have to manually edit the nss_ldap.conf file to put in your custom settings. To get this to stick between reboots, you will have to edit /conf/base/etc/local/nss_ldap.conf. This is the permanent copy that is used to generate the active copy when you boot FreeNAS.

I know sssd is being actively worked on for 9.2.2, so you could also wait for that. It will provide a much more flexible backend for this sort of thing.
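A small script for the manual step described above (putting the custom nss_ldap directives into the generated file and into the /conf/base/etc/local template so they survive a reboot), added here as an example; it is not code from the thread or from FreeNAS. The merge_nss_ldap and count_directive helper names, the temporary-file handling and the sample base config in the test are my own assumptions; the directive values are the ones posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not FreeNAS code: merge custom nss_ldap directives into a
# generated nss_ldap.conf. Run it once against the active file and once
# against the persistent template (/conf/base/etc/local/nss_ldap.conf on
# the FreeNAS layout described in the thread); both paths are parameters.
set -eu

# Directives to enforce, one per line ("key value"). Values come from the
# thread's libnss-ldap.conf; adjust them to your own directory layout.
CUSTOM_DIRECTIVES='nss_base_passwd ou=People,o=GROUP?one?objectClass=hereAccount
nss_base_shadow ou=People,o=GROUP
nss_base_group ou=Group,o=GROUP?one?objectClass=hereGroup
nss_base_netgroup ou=Netgroup,o=GROUP
nss_map_attribute homeDirectory homeDirectory-home'

# merge_nss_ldap SRC DST: copy SRC to DST, replacing any existing line whose
# key matches a custom directive and appending the directives that are absent.
# nss_map_attribute is keyed by attribute name, since several may coexist.
merge_nss_ldap() {
    src="$1"; dst="$2"
    tmp="$(mktemp)"
    printf '%s\n' "$CUSTOM_DIRECTIVES" | awk -v base="$src" '
        BEGIN {
            while ((getline line < base) > 0) { lines[++n] = line }
            close(base)
        }
        {   # stdin: the custom directives, remembered in order
            key = ($1 == "nss_map_attribute") ? ($1 " " $2) : $1
            want[key] = $0
            order[++m] = key
        }
        END {   # rewrite the base file, then append whatever was missing
            for (i = 1; i <= n; i++) {
                line = lines[i]
                split(line, f, " ")
                key = (f[1] == "nss_map_attribute") ? (f[1] " " f[2]) : f[1]
                if (key in want) { print want[key]; seen[key] = 1 }
                else print line
            }
            for (j = 1; j <= m; j++)
                if (!(order[j] in seen)) { print want[order[j]]; seen[order[j]] = 1 }
        }' > "$tmp"
    mv "$tmp" "$dst"
}

# count_directive FILE KEY: how many lines of FILE start with KEY (for checks).
count_directive() { grep -c "^$2" "$1" || true; }
```

After running it against both copies, diff the active file against the template to confirm the persistent copy carries the same directives before rebooting.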
 