# OpenLDAP and Active Directory - What I have so far!

## msalerno

Here are the steps I took to get my Gentoo system to see the users on my MS AD Server.  I am posting them here for feedback and archival purposes.  I did not use LDAP with SSL because I want to get everything working first.  This is not really a HOW-TO since I am still in the process of making it work, so if you choose to follow these steps, be careful and keep a backup of everything since the process makes changes to the MS AD schema.  I am also not sure if running the slapd service and the changes I make to the slapd.conf are necessary.

The Windows 2000 AD name is foo.bar

1. Configuration of Windows 2000 AD Server

Update the AD schema for Linux attributes. On the AD server I installed Windows Services for UNIX.

Download from: http://www.microsoft.com/windows/sfu/downloads/default.asp

(I used version 3.5)

I installed only "Server for NIS".

For everything else I selected "Entire Feature will not be available".

I set the "Server for NIS" service to disabled in the Control Panel under Services.

Rebooted and waited for the schema changes to replicate to the other AD servers.

2. Configuration of Gentoo System

Added "kerberos ldap" as USE flags in the make.conf

Emerged the following packages:

- net-nds/openldap
- app-crypt/mit-krb5
- dev-libs/nss
- net-libs/nss_ldap
- app-crypt/pam_krb5 (note)
- net-libs/pam_ldap

Configure Kerberos

Make sure your Windows AD server is listed in your /etc/resolv.conf

My /etc/krb5.conf contains:

    [libdefaults]
            ticket_lifetime = 300
            default_realm = FOO.BAR
            default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
            default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

    [domain_realm]
            # realm names are case-sensitive; map the DNS domain to the realm FOO.BAR
            .foo.bar = FOO.BAR
            foo.bar  = FOO.BAR

    [logging]
            kdc = FILE:/var/log/krb5kdc.log
            admin_server = FILE:/var/log/kadmin.log
            default = FILE:/var/log/krb5lib.log

Sync the time with the AD server and the Gentoo server.  I use ntp to make sure the time is the same on both servers.

Test Kerberos config with the administrator account on the AD Server:

    # kinit -V administrator

Enter the administrator's password. Should return:

    Password for administrator@FOO.BAR:
    Authenticated to Kerberos v5

You can view the krb ticket with the following command:

    # klist

Setup the Name Service Switch in /etc/nsswitch.conf

Append "ldap" after "compat" for "passwd", "shadow" and "group", e.g.:

    passwd:      compat ldap
    shadow:      compat ldap
    group:       compat ldap

Configuring LDAP

Rename or remove the /etc/ldap.conf

Set the LDAP service to start on reboot:

    # rc-update add slapd default

My /etc/openldap/ldap.conf contains:

    # ip of ad server
    host 10.10.10.1
    base dc=foo,dc=bar
    binddn cn=ldap,cn=users,dc=foo,dc=bar
    bindpw ldap
    scope sub
    nss_map_objectclass posixAccount User
    nss_map_attribute uid msSFUName
    nss_map_attribute uniqueMember posixMember
    nss_map_attribute userPassword msSFUPassword
    nss_map_attribute homeDirectory msSFUHomeDirectory
    nss_map_objectclass posixGroup Group
    nss_map_attribute cn msSFUName
    pam_login_attribute msSFUName
    pam_filter objectclass=User
    pam_password ad

At this point, you should be able to view your AD schema using ldapsearch.

More to come ( but first lunch )

Last edited by msalerno on Fri Nov 12, 2004 7:25 pm; edited 3 times in total
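As an added illustration (not part of msalerno's post or the nss_ldap project), the Python below reads the nss_map_* directives from an /etc/ldap.conf like the one above, shows the LDAP filter and attribute names nss_ldap would actually request from the AD server for a passwd lookup, and renders constructed AD entries as passwd lines. It assumes nss_ldap's default RFC 2307 attribute names for anything not remapped, and that an entry without uidNumber/gidNumber is skipped; the sample entries are constructed.

```python
# Constructed excerpt of the thread's /etc/ldap.conf (only the nss_map_* lines matter here).
LDAP_CONF = """\
base dc=foo,dc=bar
nss_map_objectclass posixAccount User
nss_map_attribute uid msSFUName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
"""

# RFC 2307 attributes nss_ldap reads for a passwd entry; unmapped names keep these defaults.
PASSWD_ATTRS = ("uid", "userPassword", "uidNumber", "gidNumber",
                "gecos", "homeDirectory", "loginShell")

def parse_maps(conf):
    """Collect nss_map_objectclass / nss_map_attribute directives into two dicts."""
    oc_map, attr_map = {}, {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "nss_map_objectclass":
            oc_map[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == "nss_map_attribute":
            attr_map[parts[1]] = parts[2]
    return oc_map, attr_map

def passwd_query(conf):
    """Filter and attribute list a passwd enumeration would send to the AD server."""
    oc_map, attr_map = parse_maps(conf)
    ldap_filter = f"(objectClass={oc_map.get('posixAccount', 'posixAccount')})"
    return ldap_filter, [attr_map.get(a, a) for a in PASSWD_ATTRS]

def entry_to_passwd(conf, entry):
    """Render one AD entry as a passwd(5) line, or None if uid/uidNumber/gidNumber is absent.
    Assumption mirrored from nss_ldap: an account without UNIX attributes is silently skipped,
    which is one reason 'getent passwd' can end up showing only local users."""
    _, attr_map = parse_maps(conf)
    def value(attr):
        return entry.get(attr_map.get(attr, attr))
    name, uid, gid = value("uid"), value("uidNumber"), value("gidNumber")
    if not (name and uid and gid):
        return None
    return (f"{name}:x:{uid}:{gid}:{value('gecos') or ''}:"
            f"{value('homeDirectory') or '/'}:{value('loginShell') or '/bin/sh'}")

# Constructed sample entries: one with SFU attributes populated, one plain AD user.
UNIX_USER = {"msSFUName": "jdoe", "uidNumber": "1001", "gidNumber": "100",
             "gecos": "Jane Doe", "msSFUHomeDirectory": "/home/jdoe", "loginShell": "/bin/bash"}
PLAIN_USER = {"msSFUName": "bob", "sAMAccountName": "bob"}
```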

----------

## dvc5

I'm just curious if you ever finished this project? I'm currently trying to get AD syncing working with openldap and found this thread extremely useful. Have you tried "acctcync"? I tried but couldn't get it to work.

----------

## gmichels

wow I am really interested in this. bookmarking this thread *now*  :Very Happy: 

----------

## rinacabj

shoot this would be awesome if it were all finished. I NEED it.

----------

## stream

 *Quote:*   

> More to come ( but first lunch )

 

When you are finished with your lunch, please post the next steps  :Wink: 

----------

## msalerno

I keep getting stuck; whenever I do a 'getent passwd' I still only see the local users.  I got sidetracked from this, and I was kinda hoping that somebody would be able to contribute.  One of these days, I'll pick it up.

----------

## Leethal

I've got my Gentoo box Authenticating against my AD server.  I've even got SSL working (what a pain), and I was even able to change the password....  ONCE.   I get an error if I try to change it again.

I've been working at this so long, I can't remember what steps I took, but I can post configs if it will help.

*EDIT:  I didn't notice this thread was so old, has everyone just given up on getting MS to play nice with Gentoo?

----------

## msalerno

I'm still here.  Like I said, it's on the back burner, but if you post your configs, I might just have to figure out how you did it, then I'll update my original post.

----------

## stream

 *Leethal wrote:*   

> I've been working at this so long, I can't remember what steps I took, but I can post configs if it will help.

 

yes, yes, yes please post your configs   :Very Happy: 

----------

## nobspangle

How come you don't just do this with samba and winbind?

----------

## frilled

 *nobspangle wrote:*   

> How come you don't just do this with samba and winbind?

 

Because he's probably very smart. winbind(d) is a major PITA. I cannot recommend it to anyone with a production environment. Versions up to and including 3.0.14a have massive memory leaks/hangs when used in "ADS" mode. I have my production servers currently set up to authenticate against winbindd and it is horrible to say the least. I resorted to stopping Samba and killing winbindd processes with "-9" during the night (luckily I have that window of opportunity) that may have gone rampant. I had several boxes die all of a sudden because of kernel OOM wreaking havoc when winbindd decides it wants to consume 4 gigs of memory :/

So now I will be migrating to LDAP queries instead of winbind (I'll give Samba 3.0.20 another shot, but I doubt it's ever going to work). Trade one PITA against the other, so to say (I *hate* LDAP).

Why can't friggin' M$ just do things the open way? For once?


----------

## converter

If ADS/DNS and DNS client are configured correctly you shouldn't need /etc/krb5.conf. In my experience things work better without it.

----------

## thinknot

 *wgi wrote:*   

>  *nobspangle wrote:*   How come you don't just do this with samba and winbind?
> 
> So now I will be migrating to LDAP queries instead of winbind (I'll give Samba 3.0.20 another shot, but I doubt it's ever going to work). Trade one PITA against the other, so to say (I *hate* LDAP).

 

3.0.20a seems to have a fully reworked implementation, with only one winbind bug fixed in 3.0.20b:

http://us5.samba.org/samba/history/samba-3.0.20b.html

----------

## frilled

 *Quote:*   

> 3.0.20a seems to have a fully reworked implementation, with only one winbind bug fixed in 3.0.20b:
> 
> http://us5.samba.org/samba/history/samba-3.0.20b.html

 

Yes, and it still doesn't work. For long, at least. I had to shut down all Samba daemons to keep my servers healthy. 3.20b is out now, but I don't think I'm going to care. Too much fuss and too little rewards. Sad story. Now what I'm going to do is install an sshd on the windoze servers and get auth_ldap or auth_kerb working, since I won't get rid of that frigging Actively Annoying Directory.

----------

