SASL/GSSAPI needs Kerberos authentication against the LDAP server with proxy authorization if using LDAP authentication with nss-pam-ldapd on a Debian Buster operating system. I am trying to configure this on my Raspberry Pis to have single sign-on, but cannot get it to work.

I have my LDAP server configured with "How to setup SASL Proxy Authorization with an OpenLDAP server on Debian". I named the proxy user proxyuser, so its distinguished name is uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de.

According to "LDAP authentication with nss-pam-ldapd on a Debian system", I have to install the packages libnss-ldapd and libpam-ldapd in addition to the GSSAPI plugin libsasl2-modules-gssapi-mit. But I will use libpam-krb5 instead of libpam-ldapd:

rpi ~$ sudo apt install libsasl2-modules-gssapi-mit libnss-ldapd ldap-utils

On installation a configuration dialog was presented, whose settings are stored in /etc/nslcd.conf and /etc/nsswitch.conf. I can configure them again with

rpi ~$ sudo dpkg-reconfigure nslcd
rpi ~$ sudo dpkg-reconfigure libnss-ldapd

My settings given from the dialogs are:

rpi ~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
sasl_authzid dn:uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de


~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Now with getent passwd I expect to get the credentials of ingo from the LDAP server. They aren't stored in the local /etc/passwd. But I only get the local entries from /etc/passwd. In the logs of the LDAP server I can see that there is no attempt to BIND as proxyuser. What am I missing here?
Why does getent not get credentials from the LDAP server?


The short answer

Be sure you have a valid /etc/krb5.keytab with your host/* principal, e.g. doing:

rpi ~$ sudo kadmin -p user/admin
kadmin:  addprinc -policy host -randkey host/<hostname>.home.hoeft-online.de
kadmin:  ktadd -k /etc/krb5.keytab host/<hostname>.home.hoeft-online.de
kadmin:  q

Disable caching daemon nscd if available with sudo systemctl disable --now nscd.service. Don't confuse it with nslcd. Then check Proxy Authorization:

rpi ~$ sudo apt install libsasl2-modules-gssapi-mit ldap-utils
rpi ~$ kinit -p ingo
rpi ~$ ldapwhoami -Y GSSAPI -H ldap://kdc-master.home.hoeft-online.de -D "uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de"
SASL/GSSAPI authentication started
SASL username: ingo@HOME.HOEFT-ONLINE.DE
SASL SSF: 256
SASL data security layer installed.
dn:uid=ingo,ou=people,ou=home,dc=hoeft-online,dc=de

Then install:

rpi ~$ sudo apt install libnss-ldapd kstart

Just accept the default settings in the installation dialog. We overwrite them with these configuration files. Use them with your settings:
nslcd.conf

~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# Logging options, default is info
#log syslog debug

# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de

# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de

# The DN to bind with for normal lookups.
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de

# Timing/reconnect options
# You may optimize this for your environment
#bind_timelimit 10
timelimit 30
idle_timelimit 3600
reconnect_sleeptime 2
#reconnect_retrytime 10

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# SASL options
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt

# Other options
nss_initgroups_ignoreusers ALLLOCAL

nsswitch.conf

~$ cat /etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Restart the service and check. Be sure ingo has no local unix account in /etc/passwd.

rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ getent passwd | grep ingo

Set up PAM login with Kerberos authentication:

rpi ~$ sudo apt install libpam-krb5
rpi ~$ sudo pam-auth-update
# select what you need
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login

# check
rpi ~$ kdestroy
rpi ~$ su -l ingo
password:
ingo@rpi ~$ klist
ingo@rpi ~$ logout
rpi ~$

Install nscd caching daemon (or enable it if already available):

rpi ~$ sudo apt install nscd

That's it.

Some more details

It took me several days to examine what was wrong with the setup. For troubleshooting, you can increase logging to debug output, on the LDAP server with olcLogLevel: any:

slapd ~$ echo 'dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any' > /tmp/in.ldif

slapd ~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/in.ldif

On the client device just uncomment the debug log line in /etc/nslcd.conf.

Restart the service and disable the caching daemon nscd (don't mix it up with nslcd), because nscd may confuse testing:

rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ sudo systemctl disable --now nscd.service

Don't forget to revert debug logging and enable nscd when finished. Executing getent passwd, you will see in the client log that it does not even start with GSSAPI client step 1, nothing. I realized that the nslcd.service does not get any credentials in /var/run/nslcd/nslcd.tkt for its authentication. Poking around, I found in /etc/default/nslcd that it has to start /usr/bin/k5start, but that isn't installed and isn't documented anywhere. So just install it with:

rpi ~$ sudo apt install kstart

Now the log shows that GSSAPI starts with step 1 but then aborts.

Most confusing is the setup dialog presented on installing libnss-ldapd. It asks for entries that are wrong for my setup with GSSAPI, in particular the distinguished name for the proxy user (sasl_authzid). This is not usable. Instead you have to use the normal binddn. Just accept the default settings in the setup dialog and afterwards use the config files from the short answer.

I use systemd-networkd together with systemd-resolved. With the systemd resolver I got an annoying delay of 60 seconds on login that wasn't acceptable. journalctl -b shows me that querying the LDAP server for group membership timed out after 60 seconds:

Feb 26 01:25:45 titan systemd[1]: Reached target Network is Online.
Feb 26 01:25:45 titan systemd[1]: Starting LSB: LDAP connection daemon...
Feb 26 01:25:45 titan nslcd[441]: Starting Keep alive Kerberos ticket: k5start.
Feb 26 01:25:45 titan nslcd[455]: version 0.9.10 starting
Feb 26 01:25:45 titan nslcd[455]: accepting connections
Feb 26 01:25:45 titan nslcd[441]: Starting LDAP connection daemon: nslcd.
Feb 26 01:25:45 titan systemd[1]: Started LSB: LDAP connection daemon.
Feb 26 01:25:46 titan login[435]: pam_krb5(login:auth): authentication failure; logname=local uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 26 01:25:46 titan login[435]: pam_unix(login:session): session opened for user local by LOGIN(uid=0)
Feb 26 01:25:46 titan systemd[1]: Created slice User Slice of UID 65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Runtime Directory /run/user/65533...
Feb 26 01:25:46 titan systemd-logind[428]: New session 1 of user local.
Feb 26 01:25:46 titan systemd[1]: Started User Runtime Directory /run/user/65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Manager for UID 65533...

Feb 26 01:26:11 titan login[435]: pam_systemd(login:session): Failed to create session: Connection timed out
Feb 26 01:26:46 titan dbus-daemon[426]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 60060ms)
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> failed to bind to LDAP server ldap://kdc-master.home.hoeft-online.de: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> no available LDAP server found: Can't contact LDAP server: Invalid argument

Feb 26 01:26:46 titan nslcd[455]: GSSAPI client step 1
Feb 26 01:26:46 titan systemd[468]: pam_unix(systemd-user:session): session opened for user local by (uid=0)
Feb 26 01:26:46 titan nslcd[455]: [3c9869] <group/member="local"> connected to LDAP server ldap://kdc-master.home.hoeft-online.de
Feb 26 01:26:46 titan systemd[1]: Started User Manager for UID 65533.
Feb 26 01:26:46 titan systemd[1]: Started Session 1 of user local.

After days of error hunting I found that the option nss_initgroups_ignoreusers ALLLOCAL in /etc/nslcd.conf fixed this error. This option prevents group membership lookups through LDAP for non-LDAP users. It means that locally registered users like system accounts will not trigger a lookup on the LDAP server.

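The answer above boils down to a handful of nslcd.conf settings that must (or must not) be present for the GSSAPI proxy setup to work. The following lint script is an added example, not code from the post or from nss-pam-ldapd; check_nslcd_conf and has are hypothetical helpers, and the two sample configs are constructed from the question's and the answer's essential lines.

```shell
#!/bin/sh
# Added example, not code from the post: lint an nslcd.conf for the GSSAPI
# pitfalls described in the answer. check_nslcd_conf and has are hypothetical
# helpers. Every finding is printed; the function returns 0 only when clean.
# has PATTERN TEXT: true if at least one line of TEXT matches the extended regex
has() { printf '%s\n' "$2" | grep -Eq "$1"; }
check_nslcd_conf() {
    # drop comments and blank lines so commented-out samples are not matched
    # (naive: a '#' inside a value would be cut too)
    live=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    rc=0
    has '^sasl_mech[[:space:]]+GSSAPI' "$live" ||
        { echo "FAIL: sasl_mech GSSAPI not set"; rc=1; }
    # nslcd reads its ticket from this cache; k5start (package kstart) fills it
    has '^krb5_ccname[[:space:]]+' "$live" ||
        { echo "FAIL: krb5_ccname missing, nslcd has no ticket cache"; rc=1; }
    # with GSSAPI the proxy user belongs in binddn, not in sasl_authzid
    has '^binddn[[:space:]]+' "$live" ||
        { echo "FAIL: binddn (proxy user DN) missing"; rc=1; }
    ! has '^sasl_authzid' "$live" ||
        { echo "FAIL: sasl_authzid set; use binddn with GSSAPI instead"; rc=1; }
    # without this every local account triggers an LDAP group lookup at login
    has '^nss_initgroups_ignoreusers[[:space:]]+ALLLOCAL' "$live" ||
        { echo "FAIL: nss_initgroups_ignoreusers ALLLOCAL missing (login delays)"; rc=1; }
    # server certificate verification must stay on
    ! has '^tls_reqcert[[:space:]]+never' "$live" ||
        { echo "FAIL: tls_reqcert never disables server verification"; rc=1; }
    return $rc
}
# constructed samples: the question's config and the answer's config (essentials only)
QUESTION_CONF=$(mktemp); ANSWER_CONF=$(mktemp)
cat > "$QUESTION_CONF" <<'EOF'
uri ldap://kdc-master.home.hoeft-online.de
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
sasl_authzid dn:uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
EOF
cat > "$ANSWER_CONF" <<'EOF'
uri ldap://kdc-master.home.hoeft-online.de
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
#tls_reqcert never
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
nss_initgroups_ignoreusers ALLLOCAL
EOF
for f in "$QUESTION_CONF" "$ANSWER_CONF"; do
    check_nslcd_conf "$f" && echo "$f: OK"
done
```

Run it against the real /etc/nslcd.conf with check_nslcd_conf /etc/nslcd.conf; the question's sample yields three FAIL lines (missing binddn, sasl_authzid present, missing ALLLOCAL) while the answer's sample passes.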