
Here's the scenario:

I have two machines:

Ubuntu, running LDAP to authenticate users

CentOS, using winbind to authenticate users

To mount home directories I use fstab and NFS shares.

The problem is this:

On Ubuntu, in getent passwd a user looks like this:

john:x:3000052:1901:John Doe:/home/john:/bin/bash

but on CentOS the same user looks like this in getent passwd:

john:*:16777228:16777218:John Doe:/home/john:/bin/bash

As you can see, the UID and GID don't match, which results in permission denied when a user tries to access their home folder on CentOS. I want CentOS to have exactly the same UID and GID as Ubuntu has for the AD users.

I managed to find out something about idmap in smb.conf, but I haven't got it working.

[global]
idmap workgroup = MOSEK
idmap config MOSEK:backend  = rid
idmap config MOSEK:base_rid = 0
idmap config MOSEK:range    = 3000040 - 4999999

#--authconfig--start-line--

# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MOSEK
...autogenerated stuff
#--authconfig--end-line--

But this isn't working.

I hope I am clear about what I'm trying to do.

EDIT:

Okay, so here's what authconfig has generated for me. Because of your answer, I think this could be relevant.

#--authconfig--start-line--

# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MOSEK
password server = nyborg.mosek.zentyal
realm = MOSEK.ZENTYAL
security = ads
idmap config * : range = 1000-999999
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true

#--authconfig--end-line-- 

EDIT2: when I tried giving sssd.conf the right permissions, I got a new error:

[root@centosy sssd]# journalctl -xn
-- Logs begin at Mon 2014-10-06 10:14:59 CEST, end at Tue 2014-10-07 10:28:42 CEST. --
Oct 07 10:28:36 centosy.mosek.zentyal sssd[be[5567]: Starting up
Oct 07 10:28:38 centosy.mosek.zentyal sssd[be[5568]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5570]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5569]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5571]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5572]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal sssd[be[5573]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited,  code=exited status=1
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services    Daemon.
-- Subject: Unit sssd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit sssd.service has failed.
-- 
-- The result is failed.
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Unit sssd.service entered failed state.

EDIT3:

Okay, I followed your guide and here's what I did from start to finish:

[root@centosy sssd]# authconfig --update --disableldap --ldapbasedn="dc=mosek,dc=zentyal" --ldapserver="ldap://172.16.0.5" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=mosek.zentyal --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=mosek.zentyal --smbservers=nyborg.mosek.zentyal --smbworkgroup=MOSEK --smbsecurity=ads
getsebool:  SELinux is disabled

[root@centosy sssd]# net ads join createupn=host/`hostname -f`@MOSEK.ZENTYAL -U tomas
Ignoring unknown parameter "idmap workgroup"
Ignoring unknown parameter "idmap workgroup"
Enter tomas's password:
Using short domain name -- MOSEK
Joined 'CENTOSY' to dns domain 'mosek.zentyal'

And here's my sssd.conf:

[sssd]
 config_file_version = 2
 domains = mosek.zentyal
 services = nss, pam
 debug_level = 0

[nss]

[pam]

[domain/mosek.zentyal]
 debug_level = 5
 cache_credentials = false
 enumerate = false
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 access_provider = ldap

 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/nyborg.mosek.zentyal@MOSEK.ZENTYAL
 ldap_sasl_canonicalize = false

 ldap_user_search_base = ou=Users,dc=mosek,dc=zentyal
 ldap_user_object_class = user
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_name = sAMAccountName
 ldap_user_shell = loginShell

 ldap_group_name = msSFU30Name
 ldap_group_object_class = group
 ldap_group_search_base = ou=Groups,dc=mosek,dc=zentyal

 ldap_access_order = expire
 ldap_account_expire_policy = ad
 ldap_force_upper_case_realm = true
 ldap_disable_referrals = true
 ldap_id_mapping = false
 ldap_schema = rfc2307bis

 krb5_realm = MOSEK.ZENTYAL
 krb5_canonicalize = false
 krb5_server = mosek.zentyal

So now I restart sssd:

[root@centosy sssd]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

EDIT 4:

This is my nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns


bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus
Tomas
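Two of the failures this thread runs into are an sssd.conf that sssd refuses to read because of its permissions (EDIT2 and the comments) and an `ldap_sasl_authid` principal that is not in `/etc/krb5.keytab` (the `ldap_child.log` lines quoted in the comments). As an added example that is not part of the question or answer, this Python check compares the authid in an sssd.conf against the principal list from `klist -k` and flags a group/world-readable config; the sample config is the EDIT3 sssd.conf cut down, and the keytab listing is constructed to hold what the answer's `net ads keytab add host/`hostname -f`@MOSEK.ZENTYAL` step would register on a host named centosy.mosek.zentyal.

```python
import configparser
import re
import stat

# Constructed sample: the sssd.conf from EDIT3, cut down to the keys these checks read.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = mosek.zentyal

[domain/mosek.zentyal]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/nyborg.mosek.zentyal@MOSEK.ZENTYAL
krb5_realm = MOSEK.ZENTYAL
"""

# Constructed sample of `klist -k` output after the answer's
# `net ads keytab add host/`hostname -f`@MOSEK.ZENTYAL` on a host named
# centosy.mosek.zentyal (KVNO values are invented).
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/centosy.mosek.zentyal@MOSEK.ZENTYAL
   2 CENTOSY$@MOSEK.ZENTYAL
"""


def keytab_principals(klist_output):
    """Distinct principals from `klist -k` output, whose entry lines are 'KVNO principal'."""
    found = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def sssd_authids(conf_text):
    """ldap_sasl_authid for each [domain/...] section that binds to LDAP with GSSAPI."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s: cp.get(s, "ldap_sasl_authid", fallback=None) for s in cp.sections()
            if s.startswith("domain/")
            and cp.get(s, "ldap_sasl_mech", fallback="").upper() == "GSSAPI"}


def check_sssd_setup(conf_text, conf_mode, klist_output):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # sssd will not read a config that group/others can access (the thread settles on 600).
    if conf_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("sssd.conf mode %04o is group/world accessible; use 0600" % conf_mode)
    principals = keytab_principals(klist_output)
    for section, authid in sssd_authids(conf_text).items():
        # With no ldap_sasl_authid set, sssd derives host/<fqdn>@REALM on its own.
        if authid is not None and authid not in principals:
            findings.append("%s: ldap_sasl_authid %s is not in the keytab (keytab has: %s)"
                            % (section, authid, ", ".join(principals)))
    return findings
```

Run against the EDIT3 values the check reports both problems; pointing `ldap_sasl_authid` at the principal the keytab actually holds and chmod 600 clears it.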

1 Answer

The problem you have is using rid idmap.
This uses an algorithm to generate a random number for the UID between the limits that you set in the range, which will always be different between hosts.

What you need is the ads idmap; however, this means that the IDs need to exist in AD and LDAP.
If you are only concerned about accessing the UNIX groups and basic attributes and not all the AD groups then winbind is not necessary.
Configure Kerberos by populating /etc/krb5.conf and have an smb.conf similar to the following:

[global]
workgroup = ADIRE
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = adire.XXX.XX.uk
realm = ADIRE.XXX.XXX.UK
security = ads
client ldap sasl wrapping = sign

To make this easier, you could let sssd control it all, but get this working first!

A good general idea of what options you have is HERE.

To configure a CentOS host to use AD authentication with LDAP attributes, you can use the following authconfig command (substitute the domain details):

authconfig  --update --disableldap --ldapbasedn="dc=adire,dc=domain,dc=co,dc=uk" --ldapserver="ldap://ad1.adire.domain.co.uk:ldap://ad2.adire.domain.co.uk" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=ADIRE.DOMAIN.CO.UK --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=ADIRE.DOMAIN.CO.UK --smbservers="ad1.adire.domain.co.uk ad2.adire.domain.co.uk" --smbworkgroup=ADIRE --smbsecurity=ads

Then join the host to the domain and create a Kerberos /etc/krb5.keytab file:

net ads join createupn=host/`hostname -f`@ADIRE.DOMAIN.CO.UK -U priviledged_user
kinit @ADIRE.DOMAIN.CO.UK
net ads keytab create
net ads keytab add host/`hostname -f`@ADIRE.DOMAIN.CO.UK

This will enable sssd, which you can have all the mapping in (/etc/sssd/sssd.conf):

[sssd]
 config_file_version = 2
 domains = adire.domain.co.uk
 services = nss, pam
 debug_level = 0

[nss]

[pam]

[domain/adire.domain.co.uk]
 debug_level = 5
 cache_credentials = false
 enumerate = false
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 access_provider = ldap

 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/servername.domain.co.uk@ADIRE.DOMAIN.CO.UK
 ldap_sasl_canonicalize = false

 ldap_user_search_base = OU=User Accounts,DC=adire,DC=domain,DC=co,DC=uk
 ldap_user_object_class = user
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_name = sAMAccountName
 ldap_user_shell = loginShell

 ldap_group_name = msSFU30Name
 ldap_group_object_class = group
 ldap_group_search_base = OU=Groups,DC=adire,DC=domain,DC=co,DC=uk

 ldap_access_order = expire
 ldap_account_expire_policy = ad
 ldap_force_upper_case_realm = true
 ldap_disable_referrals = true
 ldap_id_mapping = false
 ldap_schema = rfc2307bis

 krb5_realm = ADIRE.DOMAIN.CO.UK
 krb5_canonicalize = false
 krb5_server = adire.domain.co.uk

Ensure the sssd is set to start at boot and is restarted after running the authconfig command and joining the domain.

geedoubleya
  • I just edited the question so you can see the autogenerated code. It seems that it is already using ads idmap. Also I'm trying to use ads because I'm pretty sure that the AD and ldap use the same UID and GID. – Tomas Oct 06 '14 at 08:36
  • I investigated a bit further, and ldap uses the UNIX basic attributes only. How will I be able to make CentOS do the same? I need to configure krb5.conf and smb.conf, but how? – Tomas Oct 06 '14 at 08:52
  • I have added the `authconfig` steps and `sssd` configuration. – geedoubleya Oct 06 '14 at 13:43
  • When trying to run the authconfig command I get: authconfig: Authentication module /lib64/security/pam_sss.so is missing. Authentication process might not work correctly. – Tomas Oct 07 '14 at 07:47
  • I installed the sssd package and the error disappeared, although the sssd.conf doesn't exist in /etc/sssd/ and when I try to create it and start the SSSD service: [root@centosy sssd]# service sssd start Redirecting to /bin/systemctl start sssd.service Job for sssd.service failed. See 'systemctl status sssd.service' and 'journalctl -xn' for details. [root@centosy sssd]# /etc/init.d/ iprdump iprinit iprupdate netconsole network [root@centosy sssd]# systemctl status ssd.service ssd.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead) – Tomas Oct 07 '14 at 08:05
  • I looked in journalctl as the error suggested and I found this: -- Unit sssd.service has begun starting up. Oct 07 10:13:45 centosy.mosek.zentyal sssd[5526]: NSCD socket was detected and seems to be configured to cache some of the data Oct 07 10:13:45 centosy.mosek.zentyal sssd[5526]: Cannot read config file /etc/sssd/sssd.conf. Please check if permissions are Oct 07 10:13:45 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited, code=exited status=4 Oct 07 10:13:45 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services Daemon. – Tomas Oct 07 '14 at 08:21
  • `/etc/sssd/sssd.conf` should be mode 600 (rw-------). – geedoubleya Oct 07 '14 at 08:25
  • I edited my question with a new error – Tomas Oct 07 '14 at 08:33
  • I tried deleting and remaking the sssd.conf and I got it running, but even though I followed your guide, now when I look at getent passwd, none of the AD users are there. – Tomas Oct 07 '14 at 09:02
  • Did it join the domain OK? Check the sssd logs (`/var/log/sssd/*`). – geedoubleya Oct 07 '14 at 09:11
  • I added all the configs and sssd log in my question – Tomas Oct 07 '14 at 09:35
  • Missed the creation of the `keytab` file, so added it in after the domain `join` command. See if that helps. – geedoubleya Oct 07 '14 at 11:09
  • kinit throws this error: [root@centosy ~]# kinit @MOSEK.ZENTYAL kinit: Client not found in Kerberos database while getting initial credentials I had to install krb5-workstation to get kinit installed, and when I installed the workstation package I ran the authconfig and join commands again to be sure. – Tomas Oct 14 '14 at 10:58
  • @Tomas - Leave that command out and go ahead and create the keytab file (assuming you have just run the `net ads join` command)? – geedoubleya Oct 14 '14 at 11:07
  • Okay, I tried the command kinit tomas@MOSEK.ZENTYAL and it got me through. Now when I try to create a keytab it asks for root's password, and then says that root@MOSEK.ZENTYAL doesn't exist. How can I get it to ask for the Domain Admin Tomas's password? – Tomas Oct 14 '14 at 11:35
  • I fixed my keytab problems by adding the -U flag to both commands. But although I made the keytab and added the host, and although I got a Kerberos ticket from the AD, it still doesn't have any of the users in getent passwd – Tomas Oct 14 '14 at 11:57
  • Have you used the `net ads keytab` name in `/etc/sssd/sssd.conf`: e.g. `ldap_sasl_authid = host/tomas@MOSEK.ZENTYAL` and restarted sssd? Is /etc/nsswitch.conf correctly populated? – geedoubleya Oct 14 '14 at 12:01
  • I changed `/etc/sssd/sssd.conf` to have `ldap_sasl_authid = host/tomas@MOSEK.ZENTYAL`. What should `/etc/nsswitch.conf` look like when correctly populated? – Tomas Oct 14 '14 at 12:12
  • I added my nsswitch.conf, so you can see if something's wrong with it – Tomas Oct 14 '14 at 13:17
  • @Tomas `nsswitch.conf` is fine. Try kinit -k host/tomas@MOSEK.ZENTYAL, then run `getent ...` while checking the logs: `/var/log/sssd/*.logs` Failing that then install ldapsearch and run a query against your LDAP server. – geedoubleya Oct 14 '14 at 13:30
  • I try running the kinit command, and get the error: `kinit: Keytab contains no suitable keys for host/tomas@MOSEK.ZENTYAL while getting initial credentials` – Tomas Oct 16 '14 at 06:01
  • Also in `/var/log/sssd/ldap_child.log` i keep getting these: `(Thu Oct 16 07:01:01 2014) [[sssd[ldap_child[6554]]]] [sss_krb5_verify_keytab_ex] (0x0010): Principal [host/tomas@MOSEK.ZENTYAL] not found in keytab [default] (Thu Oct 16 07:01:01 2014) [[sssd[ldap_child[6554]]]] [ldap_child_get_tgt_sync] (0x0040): Unable to verify principal is present in the keytab (Thu Oct 16 07:01:01 2014) [[sssd[ldap_child[6554]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.` – Tomas Oct 16 '14 at 06:05
  • Okay, I found out that although the user isn't in `getent passwd` they can still log in, which is great, but the UID still seems to be incorrect – Tomas Oct 16 '14 at 12:57
  • Good news, what is the AD UID and the currently assigned UID? – geedoubleya Oct 16 '14 at 13:01
  • Bad news again. It was some other configurations I tried that made it possible to log in, configurations with winbind. I tried reinstalling and running through your configurations again, and I was unable to log in, unfortunately :( I really appreciate you helping me, by the way – Tomas Oct 16 '14 at 13:25
  • Also when I try the command `kinit tomas` I get to write the password, and then it returns the error `kinit: KDC reply did not match expectations while getting initial credentials` – Tomas Oct 16 '14 at 13:29
  • Does the user you are using to join to the domain have permissions to view sAMAccountName attribute? – geedoubleya Oct 17 '14 at 09:13
  • Don't know what those attributes are, but the user I use to join to the domain is a domain administrator, so I think it should have access to everything – Tomas Oct 21 '14 at 11:03
  • That is the `SFU` attribute for Windows AD that maps the unix LDAP equivalent for uid. So in LDAP, does the UID just have the windows username? – geedoubleya Oct 21 '14 at 11:28
  • My AD server is not windows. It is something called zentyal, which runs on top of ubuntu, and works as a windows AD server – Tomas Oct 21 '14 at 12:16
  • So in LDAP, is the UID attribute the same as the zentyal AD username? – geedoubleya Oct 21 '14 at 12:18
  • I'm unclear on what you mean. You can see on my Ubuntu client, which uses purely ldap authentication, that the UID is the right one, which means that the UID that ldap retrieves is the same as on the Zentyal AD – Tomas Nov 13 '14 at 11:21
  • "This uses an algorithm to generate a random number for the UID between the limits that you set in the range, which will always be different between hosts." rid should, if set up identically on both machines (same range and base_rid), always give you the same UID for the same user. I suspect one server using winbind and the other using LDAP might be a problem though – frymaster Apr 17 '15 at 09:58
  • `The problem you have is using rid idmap. This uses an algorithm to generate a random number for the UID between the limits that you set in the range, which will always be different between hosts.` RID is Relative ID. Winbind takes the last four digits from the SID in AD, increments them by the lower bound in the idmap config range from the `/etc/samba/smb.conf` file. This provides consistency across Linux hosts which use the same LDAP authentication source. See: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2606596 – Jeter-work Nov 30 '17 at 16:58
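The answer describes rid idmap as producing host-dependent numbers, while the frymaster and Jeter-work comments describe it as deterministic. As an added example that is not part of the thread, the idmap_rid formula (ID = RID - base_rid + low range, as documented in the Samba idmap_rid man page) is applied below to the question's own configuration, range 3000040-4999999 with base_rid 0; the MOSEK domain SID and the account RIDs are constructed, since the page shows neither.

```python
import re

# The rid backend exactly as the question's smb.conf configures it:
#   idmap config MOSEK:backend  = rid
#   idmap config MOSEK:base_rid = 0
#   idmap config MOSEK:range    = 3000040 - 4999999
RID_CONFIG = {"MOSEK": {"base_rid": 0, "range": (3000040, 4999999)}}

# Constructed domain SID for MOSEK; the page does not show the real one. On a joined host
# it would come from `net getdomainsid` or `wbinfo --domain-info MOSEK`.
DOMAIN_SIDS = {"MOSEK": "S-1-5-21-1111111111-2222222222-3333333333"}

# Account SIDs are <domain SID>-<RID>; the RID is the last sub-authority.
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split an account SID into (domain SID, RID); well-known/builtin SIDs are rejected."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    return m.group(1), int(m.group(2))


def rid_to_unix_id(sid, config=RID_CONFIG, domain_sids=DOMAIN_SIDS):
    """idmap_rid formula from the Samba idmap_rid man page: ID = RID - base_rid + low_range.

    Returns None when the SID belongs to a domain with no rid config, or when the
    result falls outside the configured range (idmap_rid then maps nothing).
    """
    dom_sid, rid = split_sid(sid)
    for domain, cfg in config.items():
        if domain_sids.get(domain) != dom_sid:
            continue
        low, high = cfg["range"]
        unix_id = rid - cfg["base_rid"] + low
        return unix_id if low <= unix_id <= high else None
    return None


def same_ids_on_every_host(sids, host_configs):
    """True when every host's rid config maps every SID to the same UNIX id.

    The mapping is a pure function of (SID, base_rid, range), so hosts disagree only when
    their smb.conf ranges differ; an allocating backend such as tdb has no such guarantee.
    """
    rows = [[rid_to_unix_id(s, cfg) for s in sids] for cfg in host_configs]
    return all(row == rows[0] for row in rows)
```

Under this configuration a RID of 12 maps to 3000052, the UID the question shows on Ubuntu; the page does not say what the real account's RID is, so that is a property of the chosen sample, not a claim about the thread.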